
Permission denied on Docker scout cli image

Open CorneliaS opened this issue 1 year ago • 3 comments

Since version 1.8 I get "permission denied errors" when I run the Docker scout-cli from a Docker image. I have made several attempts to solve this problem, but without success.

Background: I have a local image which I want to scan for vulnerabilities without installing docker scout-cli (using the docker image of docker scout-cli).

My original call was as follows:

docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -e DOCKER_SCOUT_HUB_USER=<user> -e DOCKER_SCOUT_HUB_PASSWORD=<pat> docker/scout-cli:latest cves testimage:latest

Since version 1.8 I get the following error:

...Pulling
✗ Pull failed
ERROR Status: failed to get image testimage:latest: failed to pull image testimage:latest: GET https://index.docker.io/v2/library/testimage/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/testimage Type:repository]], Code: 1

After some research on Google and several failed calls, these two approaches were the closest to a solution (but still fail):

docker run -u <uid>:<gid> --rm -v /var/run/docker.sock:/var/run/docker.sock --mount type=bind,source=<somepath>,target=/tmp -e DOCKER_SCOUT_CACHE_DIR=/tmp -e DOCKER_SCOUT_HUB_USER=<user> -e DOCKER_SCOUT_HUB_PASSWORD=<pat> docker/scout-cli:latest cves local://testimage:latest

...Storing image for indexing
✓ Image stored for indexing
...Indexing
ERROR Status: failed to index image: failed to initialize cache: failed to create cache dir: mkdir /home: permission denied, Code: 1

docker run -u <uid>:<gid> --rm -v /var/run/docker.sock:/var/run/docker.sock -e DOCKER_SCOUT_NO_CACHE=true -e DOCKER_SCOUT_HUB_USER=<user> -e DOCKER_SCOUT_HUB_PASSWORD=<pat> docker/scout-cli:latest cves local://testimage:latest

ERROR Status: failed to create cache directory: mkdir /tmp: permission denied, Code: 1

I guess that changing the user (uid) and the group (gid) is not the right way to solve it. But how else do I get access to the /var/run/docker.sock file to load the local image?

CorneliaS May 06 '24 08:05

I'm able to re-create this issue. We'll provide a fix asap.

cdupuis May 06 '24 13:05

Could you give the following command a try?

docker run --rm -it -u root \
   -v /var/run/docker.sock:/var/run/docker.sock \
   -e DOCKER_SCOUT_HUB_USER=<user> \
   -e DOCKER_SCOUT_HUB_PASSWORD=<pat> \
   docker/scout-cli:77c55cf cves testimage:latest

cdupuis May 06 '24 14:05

@cdupuis Yes, the command works :)

CorneliaS May 06 '24 15:05

The fix was released.

cdupuis Jun 04 '24 16:06