Remove atomic dependency from oscap-docker script and fix to work on Fedora 32

[matusmarhefka]

Description of Problem:

Scan on Fedora 32 using oscap-docker results in following:

Using Atomic API
Traceback (most recent call last):
  File "/usr/bin/oscap-docker", line 101, in <module>
    rc = OscapAtomicScan.scan(OS, args.scan_target, leftover_args)
  File "/usr/lib/python3.9/site-packages/oscap_docker_python/oscap_docker_util.py", line 288, in scan
    DM = DockerMount(mnt_dir, mnt_mkdir=True)
NameError: name 'DockerMount' is not defined
Failed to import "Atomic.mount.DockerMount". It seems Atomic has not been installed.

As atomic package no longer exists in Fedora (it is discontinued project) we should remove dependency on it from oscap-docker.

Also there is issue when running oscap-docker --disable-atomic:

Failed to import "Atomic.mount.DockerMount". It seems Atomic has not been installed.
Using native Docker API
Runing given image in a temporary container ...
Cannot run image registry.access.redhat.com/rhel7:latest.
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/docker/api/client.py", line 261, in _raise_for_status
    response.raise_for_status()
  File "/usr/lib/python3.8/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 500 Server Error: Internal Server Error for url: http+docker://localhost/v1.35/containers/055565be97ebaaf6ad68e1c89e3dc910a5c66fe1e318deed256525934992f10e/start

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/oscap-docker", line 112, in <module>
    ODS = OscapDockerScan(args.scan_target, args.is_image, args.oscap_binary)
  File "/usr/lib/python3.8/site-packages/oscap_docker_python/oscap_docker_util_noatomic.py", line 78, in __init__
    raise e
  File "/usr/lib/python3.8/site-packages/oscap_docker_python/oscap_docker_util_noatomic.py", line 69, in __init__
    self.client.start(container=tmp_cont.get('Id'))
  File "/usr/lib/python3.8/site-packages/docker/utils/decorators.py", line 19, in wrapped
    return f(self, resource_id, *args, **kwargs)
  File "/usr/lib/python3.8/site-packages/docker/api/container.py", line 1095, in start
    self._raise_for_status(res)
  File "/usr/lib/python3.8/site-packages/docker/api/client.py", line 263, in _raise_for_status
    raise create_api_error_from_http_exception(e)
  File "/usr/lib/python3.8/site-packages/docker/errors.py", line 31, in create_api_error_from_http_exception
    raise cls(e, response=response, explanation=explanation)
docker.errors.APIError: 500 Server Error: Internal Server Error ("OCI runtime create failed: this version of runc doesn't work on cgroups v2: unknown")

OpenSCAP Version:

1.3.3 (but most likely the same for maint-1.3)

Operating System & Version:

Fedora

Steps to Reproduce:

1. docker pull registry.access.redhat.com/rhel7
2. oscap-docker --disable-atomic image registry.access.redhat.com/rhel7 oval eval /usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml

[jan-cerny]

On Fedora, the preferred way of using containers is Podman and users use oscap-podman, so I think that fixing the Docker backend on Fedora is a stretch goal. But I agree with sun-setting the Atomic backend. Moreover, I envision that oscap-docker will be a tool for other Linux distributions that still prefer Docker over Podman.

[evgenyz]

It seems that the Docker itself is broken.

[evgenyz]

https://github.com/docker/for-linux/issues/841. TLDR; Workarounds are about forcing cgroups v1 or using podman :)

[evgenyz]

Maybe extract Atomic removal out of this bug?