oscap-docker traceback when scanning ubuntu 22.04 image

Open jan-cerny opened this issue 2 years ago • 1 comments

Description of Problem:

When scanning an Ubuntu 22.04 image using oscap-docker, a traceback happens.

This problem has been discovered during a review of https://github.com/OpenSCAP/openscap/pull/1931 but isn't caused by that PR.

OpenSCAP Version:

openscap-1.3.7-1.fc37.x86_64 podman-4.3.1-1.fc37.x86_64

Operating System & Version:

F 37

Steps to Reproduce:

  1. sudo systemctl start podman
  2. sudo podman pull ubuntu:22.04
  3. sudo oscap-podman ubuntu:22.04 xccdf eval --profile xccdf_org.ssgproject.content_profile_standard /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml

Actual Results:

[jcerny@thinkpad ~]$ sudo oscap-docker image ubuntu:22.04 xccdf eval --profile xccdf_org.ssgproject.content_profile_standard /usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml 
Failed to import "Atomic.mount.DockerMount". It seems Atomic has not been installed.
Using native Docker API
Running given image in a temporary container ...
Cannot run image docker.io/library/ubuntu:22.04, docker.io/library/ubuntu:latest.
Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/docker/api/client.py", line 268, in _raise_for_status
    response.raise_for_status()
  File "/usr/lib/python3.11/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 500 Server Error: Internal Server Error for url: http+docker://localhost/v1.41/containers/create?name=tmp_oscap_be3fb2ac-b742-11ed-a139-0050b6b42c2c

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/oscap-docker", line 111, in <module>
    ODS = OscapDockerScan(args.scan_target, args.is_image, args.oscap_binary)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/oscap_docker_python/oscap_docker_util_noatomic.py", line 78, in __init__
    raise e
  File "/usr/lib/python3.11/site-packages/oscap_docker_python/oscap_docker_util_noatomic.py", line 66, in __init__
    tmp_cont = self.client.create_container(
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/docker/api/container.py", line 428, in create_container
    return self.create_container_from_config(config, name)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/docker/api/container.py", line 439, in create_container_from_config
    return self._result(res, True)
           ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/docker/api/client.py", line 274, in _result
    self._raise_for_status(response)
  File "/usr/lib/python3.11/site-packages/docker/api/client.py", line 270, in _raise_for_status
    raise create_api_error_from_http_exception(e)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/docker/errors.py", line 31, in create_api_error_from_http_exception
    raise cls(e, response=response, explanation=explanation)
docker.errors.APIError: 500 Server Error for http+docker://localhost/v1.41/containers/create?name=tmp_oscap_be3fb2ac-b742-11ed-a139-0050b6b42c2c: Internal Server Error ("normalizing image: normalizing name for compat API: invalid reference format")
!!! WARNING !!! This software has crashed, so you should check that no temporary container is still running

Expected Results:

no traceback, a scan of the given image is successfully completed

Additional Information / Debugging Steps:

[jcerny@thinkpad ~]$ sudo podman images ubuntu:22.04
REPOSITORY                TAG         IMAGE ID      CREATED      SIZE
docker.io/library/ubuntu  22.04       58db3edaf2be  4 weeks ago  80.3 MB
docker.io/library/ubuntu  latest      58db3edaf2be  4 weeks ago  80.3 MB
  • When doing the same thing with an Ubuntu 20.04 image, the traceback doesn't happen and a scan is successfully completed. Therefore, the problem might be related to the specific image.
  • When using oscap-podman, the traceback doesn't happen and a scan is successfully completed.

This problem is also reproducible on an Ubuntu 22.04 server virtual machine with docker.io 20.10.12-0ubuntu4 and OpenSCAP from the current upstream maint-1.3 branch as of 2023-02-28 (HEAD 71110111114475568d4d9a4b65337b3a520d9bf0), see below:

user@ubuntu:~/openscap$ sudo docker pull ubuntu:22.04
22.04: Pulling from library/ubuntu
Digest: sha256:9a0bdde4188b896a372804be2384015e90e3f84906b750c1a53539b585fbbe7f
Status: Image is up to date for ubuntu:22.04
docker.io/library/ubuntu:22.04
user@ubuntu:~/openscap$ sudo docker images ubuntu:22.04
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
ubuntu       22.04     58db3edaf2be   4 weeks ago   77.8MB
user@ubuntu:~/openscap$ sudo python3 utils/oscap-docker.in --oscap build/oscap_wrapper image 58db3edaf2be xccdf eval --profile ospp ~/ssg-ubuntu2204-ds.xml 
Failed to import "Atomic.mount.DockerMount". It seems Atomic has not been installed.
Using native Docker API
Running given image in a temporary container ...
Cannot run image ubuntu:22.04, ubuntu:latest.
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/docker/api/client.py", line 268, in _raise_for_status
    response.raise_for_status()
  File "/usr/lib/python3/dist-packages/requests/models.py", line 943, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: http+docker://localhost/v1.41/containers/create?name=tmp_oscap_77d31770-b745-11ed-9cc1-e16587d04d59

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/openscap/utils/oscap-docker.in", line 111, in <module>
    ODS = OscapDockerScan(args.scan_target, args.is_image, args.oscap_binary)
  File "/home/user/openscap/utils/oscap_docker_python/oscap_docker_util_noatomic.py", line 78, in __init__
    raise e
  File "/home/user/openscap/utils/oscap_docker_python/oscap_docker_util_noatomic.py", line 66, in __init__
    tmp_cont = self.client.create_container(
  File "/usr/lib/python3/dist-packages/docker/api/container.py", line 428, in create_container
    return self.create_container_from_config(config, name)
  File "/usr/lib/python3/dist-packages/docker/api/container.py", line 439, in create_container_from_config
    return self._result(res, True)
  File "/usr/lib/python3/dist-packages/docker/api/client.py", line 274, in _result
    self._raise_for_status(response)
  File "/usr/lib/python3/dist-packages/docker/api/client.py", line 270, in _raise_for_status
    raise create_api_error_from_http_exception(e)
  File "/usr/lib/python3/dist-packages/docker/errors.py", line 31, in create_api_error_from_http_exception
    raise cls(e, response=response, explanation=explanation)
docker.errors.APIError: 400 Client Error for http+docker://localhost/v1.41/containers/create?name=tmp_oscap_77d31770-b745-11ed-9cc1-e16587d04d59: Bad Request ("invalid reference format")
!!! WARNING !!! This software has crashed, so you should check that no temporary container is still running

jan-cerny, Feb 28 '23 08:02
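
An added triage example, not part of the original report or of OpenSCAP's code: it checks the name printed in the two "Cannot run image" lines above against a simplified approximation of the image reference grammar, showing that the comma-joined name is not a single valid reference while each tag on its own, or the image ID, is. That the tool sends this joined name to the container-create call is an assumption drawn from the log lines; the regular expressions and function names are constructed for illustration.

```python
import re

# Simplified approximation of the image reference grammar
# ([registry/]path[:tag][@digest]); not the daemon's own parser.
_COMP = r"[a-z0-9]+(?:(?:\.|_|__|-+)[a-z0-9]+)*"
_HOST = r"[A-Za-z0-9.-]+(?::[0-9]+)?"
_TAG = r"\w[\w.-]{0,127}"
_DIGEST = r"[a-z0-9]+:[0-9a-f]{32,}"
REFERENCE = re.compile(
    rf"(?:{_HOST}/)?{_COMP}(?:/{_COMP})*(?::{_TAG})?(?:@{_DIGEST})?"
)


def is_valid_reference(ref: str) -> bool:
    """True if ref is one well-formed reference under the simplified grammar."""
    return REFERENCE.fullmatch(ref) is not None


def split_reported_name(log_line: str) -> list[str]:
    """Extract the name from a 'Cannot run image <name>.' line and split it
    on ', ' (assumption: the name is a ', '-joined list of repo tags)."""
    m = re.fullmatch(r"Cannot run image (.+)\.", log_line.strip())
    if not m:
        raise ValueError("not a 'Cannot run image' line")
    return m.group(1).split(", ")


def triage(log_line: str) -> dict:
    """Report whether the printed name is valid as a whole and which of its
    parts could be used as a reference on their own."""
    parts = split_reported_name(log_line)
    joined = ", ".join(parts)
    return {
        "reported": joined,
        "reported_is_valid": is_valid_reference(joined),
        "usable_references": [p for p in parts if is_valid_reference(p)],
    }


# Lines copied from the two tracebacks in the report above.
PODMAN_LINE = ("Cannot run image docker.io/library/ubuntu:22.04, "
               "docker.io/library/ubuntu:latest.")
DOCKER_LINE = "Cannot run image ubuntu:22.04, ubuntu:latest."

if __name__ == "__main__":
    for line in (PODMAN_LINE, DOCKER_LINE):
        print(triage(line))
    print(is_valid_reference("58db3edaf2be"))  # image ID from the report
```
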

I can't reproduce this issue.

I'm using Fedora 37.

$ rpm -q openscap
openscap-1.3.7-1.fc37.x86_64
$ rpm -q podman
podman-4.4.2-2.fc37.x86_64

I notice that I'm using a later version of podman; perhaps that's important?

candrews, Mar 03 '23 19:03