[CRIT] ▶ Could not analyze layer: Clair responded with a failure: Got response 400 with message {"Error":{"Message":"could not find layer"}}

Open elntagka opened this issue 7 years ago • 16 comments

Hi,

I'm using a docker container with the clair-scanner installed and the docker daemon of the host available to it, so that it can access the images and containers of the host.

So, in order to do a scan, for example, I'm using the below:

docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock -v /lib64/libdevmapper.so.1.02:/usr/lib/x86_64-linux-gnu/libdevmapper.so.1.02 -v /lib64/libudev.so.0:/usr/lib/x86_64-linux-gnu/libudev.so.0 --privileged=true myorg/clairscan ./clair-scanner --clair="http://$myip:6060" --ip=$myip $animage

However, I keep getting the below:

2018/01/24 09:50:57 [INFO] ▶ Start clair-scanner
2018/01/24 09:51:27 [INFO] ▶ Server listening on port 9279
2018/01/24 09:51:27 [INFO] ▶ Analyzing efd75b67cb976df08013762c6dc86092f41c07ca62f90d41291185703336d55d
2018/01/24 09:51:27 [CRIT] ▶ Could not analyze layer: Clair responded with a failure: Got response 400 with message {"Error":{"Message":"could not find layer"}}

Any suggestions?

elntagka avatar Jan 24 '18 09:01 elntagka

The host running clair-scanner needs to open TCP port 9279 so that the Clair server can connect and download the docker image.

debu99 avatar Feb 16 '18 16:02 debu99

I have the same issue. @debu99 could you elaborate? Not sure what you're saying there.

ghost avatar Mar 07 '18 05:03 ghost

Hey @d-j-c, I've resolved the above issue by replacing "--ip=$myip" with the IP assigned to the clair-scanner container.

To find this IP I'm using the below:

docker build -f Dockerfile.clairscan -t clairscan .
# no spaces around "=" and $(...) so the container's IP is actually captured
scanner_ip=$(docker run --rm clairscan hostname -i)

and then did the docker run on my initial message with " --ip=$scanner_ip "

elntagka avatar Mar 08 '18 10:03 elntagka

Hi, I've got the same problem, running clair-scanner locally and the "clair-local-scan" docker container. @elntagka Is there something special with your "clairscan" image, or is this just the packaged executable in a docker image?

ckotzbauer avatar Mar 21 '18 08:03 ckotzbauer

Hey @code-chris, nothing special. On a golang:1.9 base image I cloned the repo, followed the instructions (make ensure & make build) and exposed port 9279. Let me know if you need more info.

elntagka avatar Mar 21 '18 09:03 elntagka

thanks @elntagka for your quick response, but it still doesn't work:

  • I've started the database and the "clair-local-scan" image as described.
  • I built the image for the scanner with this Dockerfile:

FROM golang:1.9

RUN git clone https://github.com/arminc/clair-scanner.git /go/src/clair

WORKDIR /go/src/clair

RUN curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh; \
    make ensure; \
    make build

EXPOSE 9279

ENTRYPOINT ["./clair"]

  • Then I started this container with the same commands as you mentioned above (including the IP workaround). Both ports (9279, 6060) are opened in the firewall.

Is it correct that the "clair-local-scan" container does not have further access to the docker instance and only responds back to the scanner?

Thanks!

ckotzbauer avatar Mar 21 '18 11:03 ckotzbauer

Here's my Dockerfile:

FROM golang:1.9
RUN go get -u github.com/golang/dep/cmd/dep
RUN  git clone https://github.com/arminc/clair-scanner.git src/clair-scanner/
RUN cd src/clair-scanner/ &&  make ensure && make build
WORKDIR /go/src/clair-scanner
COPY ./install-docker.sh /opt/
RUN sh /opt/install-docker.sh
ENV DOCKER_API_VERSION=1.24
EXPOSE 9279

with install-docker.sh:

#!/bin/bash
# compiled from https://docs.docker.com/engine/installation/linux/debian/#/debian-jessie-80-64-bit
apt-get update
apt-get dist-upgrade -y
apt-get install apt-transport-https ca-certificates -y
sh -c "echo deb https://apt.dockerproject.org/repo debian-jessie main > /etc/apt/sources.list.d/docker.list"
apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
apt-get update
apt-cache policy docker-engine
apt-get install docker-engine -y

elntagka avatar Mar 21 '18 11:03 elntagka

I've got it partially working now. There are images where this message still occurs, and others where the vulnerabilities are listed correctly. This weird behavior seems to have been there for multiple hours and I only tried the scanner with the "wrong" image. 😆 Thanks again @elntagka for your help!

ckotzbauer avatar Mar 21 '18 12:03 ckotzbauer

I got this working. My setup is one of running coreos/clair:latest as a container on my host, so I set the ip to the docker0 interface IP.

sudo ./clair-scanner --ip 172.17.0.1 httpd:latest

ghost avatar Mar 27 '18 00:03 ghost

Took me some time to resolve this issue, so I reckon I'll put some notes down:

  • First: The IP on which the clair-scanner is running must be reachable from the clair container (not 127.0.0.1, typically the IP of the docker0 interface). Or you can "login" to the clair container and see its IP, then figure out the correct network:

docker exec -it clair ifconfig

  • Second: Check out the docker network firewall. That was the issue in my case. To verify if it's the issue, just turn off the firewall. In my case, it was firewalld on CentOS 7:

sudo systemctl stop firewalld

After confirming it's a firewall issue, you can configure the firewall to allow clair-scanner.

tvdinh avatar Aug 20 '18 01:08 tvdinh
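An added pre-flight script (not from this thread and not part of the clair-scanner project) that turns the two notes above into a repeatable check: it picks the --ip the way the thread suggests (the docker0 address if present, otherwise the first non-loopback address) and then verifies, from inside the Clair container, that a listener on the scanner host's callback port is actually reachable. That separates a wrong --ip or a blocking firewall from a genuine Clair error before the 400 "could not find layer" appears. It assumes Clair runs in a container named clair whose image ships busybox wget, that python3 is installed on the host for the throwaway listener, and that 9279 is the callback port.

```shell
#!/bin/sh
# Added example: pre-flight reachability check for clair-scanner's callback port.
# Clair fetches each layer tarball from the scanner over HTTP, so the Clair
# container must be able to open a TCP connection back to <--ip>:9279.
# Assumptions: Clair container is named "clair" (CLAIR_CONTAINER), its image has
# busybox wget, python3 exists on the host, callback port is 9279 (CALLBACK_PORT).
set -eu

CLAIR_CONTAINER="${CLAIR_CONTAINER:-clair}"
CALLBACK_PORT="${CALLBACK_PORT:-9279}"

# pick_scanner_ip <text in the format of `ip -4 -o addr show`>
# Prints the docker0 address if there is one (Clair as a container on this host),
# otherwise the first non-loopback address; prints nothing if only lo exists.
pick_scanner_ip() {
    printf '%s\n' "$1" | awk '
        { iface = $2; split($4, a, "/"); ip = a[1] }
        iface == "docker0" { print ip; found = 1; exit }
        iface != "lo" && first == "" { first = ip }
        END { if (!found && first != "") print first }'
}

# check_callback <ip>
# Starts a throwaway HTTP listener on CALLBACK_PORT and asks the Clair container
# to fetch a probe file from it. Returns 0 only if Clair could reach the scanner.
check_callback() {
    ip="$1"
    tmp=$(mktemp -d)
    echo ok > "$tmp/probe"
    ( cd "$tmp" && python3 -m http.server "$CALLBACK_PORT" --bind 0.0.0.0 >/dev/null 2>&1 ) &
    srv=$!
    sleep 1
    if docker exec "$CLAIR_CONTAINER" wget -qO- -T 3 "http://$ip:$CALLBACK_PORT/probe" 2>/dev/null | grep -q ok; then
        rc=0
    else
        rc=1
    fi
    kill "$srv" 2>/dev/null || true
    rm -rf "$tmp"
    return $rc
}

main() {
    # Use the IP given on the command line, or derive one from the host's interfaces.
    ip="${1:-$(pick_scanner_ip "$(ip -4 -o addr show)")}"
    [ -n "$ip" ] || { echo "no usable non-loopback address found" >&2; exit 2; }
    if check_callback "$ip"; then
        echo "Clair can reach $ip:$CALLBACK_PORT; run clair-scanner --ip=$ip ..."
    else
        echo "Clair cannot reach $ip:$CALLBACK_PORT: wrong --ip or a host firewall (e.g. firewalld) is blocking it" >&2
        exit 1
    fi
}

# Usage: sh preflight.sh --check [ip]
if [ "${1:-}" = "--check" ]; then
    main "${2:-}"
fi
```

Run it with --check while Clair is up; if it fails with the docker0 address, stop the firewall briefly as tvdinh describes and re-run to confirm which of the two causes you are looking at.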

See https://github.com/arminc/clair-scanner/issues/63#issuecomment-516791930 and https://github.com/arminc/clair-scanner/issues/63#issuecomment-516810971 how I resolved it on Mac and Linux.

lghakamo-paf avatar Jul 31 '19 11:07 lghakamo-paf

I got this working. My setup is one of running coreos/clair:latest as a container on my host, so I set the ip to the docker0 interface IP.

sudo ./clair-scanner --ip 172.17.0.1 httpd:latest

Why sudo? clair-scanner can (and arguably should) be run as a standard user.

mirekphd avatar Dec 09 '19 15:12 mirekphd

Please be aware that the current instructions from https://github.com/arminc/clair-scanner open Clair's port 6060 (docker run -p 6060:6060) to the whole internet (which can be verified with curl to your external IP:6060 from another server returning "404 page not found"). @arminc: a safer solution would be docker run -p 127.0.0.1:6060:6060, which exposes Clair's port only internally (curl would then correctly return "Connection refused", and Clair would work locally with both local and external IP).

mirekphd avatar Dec 09 '19 15:12 mirekphd
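An added check (not from this thread and not part of the clair-scanner project) for the exposure mirekphd describes: it parses the output of `docker port` for the Clair container and reports any published binding that is not loopback, so a wide-open `-p 6060:6060` is caught on the host itself rather than by curling the external IP from another server. The container name clair is an assumption.

```shell
#!/bin/sh
# Added example: report whether Clair's API port is published beyond loopback.
# `docker run -p 6060:6060` binds 0.0.0.0 (and [::]) on the host, so anyone who
# can reach the host can reach Clair; `-p 127.0.0.1:6060:6060` keeps it local.
set -eu

# published_beyond_loopback <output of `docker port <container> 6060`>
# Input is one host:port per line. Prints the non-loopback bindings (port
# stripped) and returns 0 if there are any, 1 if everything is on loopback.
published_beyond_loopback() {
    printf '%s\n' "$1" \
        | sed 's/:[0-9][0-9]*$//' \
        | grep -v -e '^127\.0\.0\.1$' -e '^\[::1\]$' -e '^$' \
        || return 1
}

# Usage: sh check-clair-port.sh --check [container-name]  (default "clair" is an assumption)
if [ "${1:-}" = "--check" ]; then
    bindings=$(docker port "${2:-clair}" 6060)
    if published_beyond_loopback "$bindings" >/dev/null; then
        echo "Clair API is reachable beyond loopback; published on: $(published_beyond_loopback "$bindings" | tr '\n' ' ')"
        echo "Recreate the container with -p 127.0.0.1:6060:6060 instead of -p 6060:6060"
        exit 1
    fi
    echo "Clair API is bound to loopback only"
fi
```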

If you want to run everything fully as containers you can also do something like this that runs both clair and clair-scanner in the same networking namespace so they can reference each other as localhost:

docker run -d --name db arminc/clair-db:latest
docker run -d --link db:postgres --name clair arminc/clair-local-scan:v2.0.6
docker run --rm  -v /var/run/docker.sock:/var/run/docker.sock --network=container:clair ovotech/clair-scanner clair-scanner alpine

travisghansen avatar Feb 14 '20 16:02 travisghansen

Hi, I've got the same kind of issue:

2020/03/30 09:02:27 [INFO] ▶ Analyzing 485d7306187faf0cc9b77fc210e8def9d67b1953f0669e675877e90e6542cb6d
2020/03/30 09:02:27 [CRIT] ▶ Could not analyze layer: POST to Clair failed Post http://clair:6060/v1/layers: dial tcp: lookup clair on 127.0.0.11:53: no such host

This occurs not only when istio injection is enabled (so I can turn it off before the scan and back on after) but each time one deployment in the namespace has istio injection enabled. If I disable istio injection and restart all pods with no sidecars, it works fine.

ochamber avatar Mar 30 '20 09:03 ochamber

I got this working. My setup is one of running coreos/clair:latest as a container on my host, so I set the ip to the docker0 interface IP.

sudo ./clair-scanner --ip 172.17.0.1 httpd:latest

This worked for me. Thanks a lot.

josebeo2016 avatar Apr 07 '20 04:04 josebeo2016