trivy
Support for rootless podman
Rootful podman has its socket at:
/run/podman/podman.sock
But rootless podman has its socket at:
/run/user/1000/podman/podman.sock
So it errors out.
Edit:
Probably using
export CONTAINERD_ADDRESS=/run/user/1000/podman/podman.sock
works.
This issue is stale because it has been labeled with inactivity.
/remove stale
This issue is stale because it has been labeled with inactivity.
We've added --docker-host
in https://github.com/aquasecurity/trivy/pull/3599. Adding --podman-host
may help. I'm unsure if the difference from rootless is the socket path only.
@knqyf263 Any reproducible example would be appreciated: enabling us to scan an image (preferably an unpushed one, or one from a local insecure registry at the very least) under a non-root user would be fine.
It worked beautifully under Clair, but the architecture was different there: it was a RESTful API client (such as clair-scanner).
@mirekphd Do you mean rootless podman?
Here's my reproduction using a public image ackstorm/debian-postfix:latest:
2023-08-18T21:56:03.246Z DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-08-18T21:56:03.248Z DEBUG Ignore statuses {"statuses": null}
2023-08-18T21:56:03.259Z DEBUG cache dir: /root/.cache/trivy
2023-08-18T21:56:03.259Z DEBUG There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2023-08-18T21:56:03.260Z INFO Need to update DB
2023-08-18T21:56:03.260Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-08-18T21:56:03.260Z INFO Downloading DB...
2023-08-18T21:56:03.260Z DEBUG no metadata file
2023-08-18T21:56:15.164Z DEBUG Updating database metadata...
2023-08-18T21:56:15.165Z DEBUG DB Schema: 2, UpdatedAt: 2023-08-18 18:11:06.823178853 +0000 UTC, NextUpdate: 2023-08-19 00:11:06.823178453 +0000 UTC, DownloadedAt: 2023-08-18 21:56:15.164911959 +0000 UTC
2023-08-18T21:56:15.165Z INFO Vulnerability scanning is enabled
2023-08-18T21:56:15.165Z DEBUG Vulnerability type: [os library]
2023-08-18T21:56:15.165Z INFO Secret scanning is enabled
2023-08-18T21:56:15.165Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-18T21:56:15.165Z INFO Please see also https://aquasecurity.github.io/trivy/v0.44/docs/scanner/secret/#recommendation for faster secret detection
2023-08-18T21:56:16.582Z FATAL image scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:426
- scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:268
- unable to initialize a scanner:
github.com/aquasecurity/trivy/pkg/commands/artifact.scan
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:681
- unable to initialize a docker scanner:
github.com/aquasecurity/trivy/pkg/commands/artifact.imageStandaloneScanner
/home/runner/work/trivy/trivy/pkg/commands/artifact/scanner.go:17
- 4 errors occurred:
* unable to inspect the image (ackstorm/debian-postfix:latest): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
* containerd socket not found: /run/containerd/containerd.sock
* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
* GET https://index.docker.io/v2/ackstorm/debian-postfix/manifests/latest: MANIFEST_UNKNOWN: manifest unknown; unknown tag=latest
Tested running Trivy 0.49.1 using podman rootless and it works using --docker-host or the env variable DOCKER_HOST. It would be nice to have an option as mentioned above, --podman-host, for the same variable, or at minimum somewhere in the docs that mentions a workaround for this use case. Trivy output trimmed for brevity, can provide full output if needed.
╚ $ echo $XDG_RUNTIME_DIR
/run/user/1000
╚ $ file /run/user/1000/podman/podman.sock
/run/user/1000/podman/podman.sock: socket
╚ $ podman info| yq '.store.runRoot'
"/run/user/1000/containers"
╚ $ podman --version
podman version 3.4.4
╚ $ podman run -e DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock \
-v $XDG_RUNTIME_DIR/podman/podman.sock:$XDG_RUNTIME_DIR/podman/podman.sock \
--rm docker.io/aquasec/trivy:0.49.1 image localhost/trivy-image-scan-local
localhost/trivy-image-scan-local (debian 12.4)
==============================================
Total: 96 (UNKNOWN: 0, LOW: 65, MEDIUM: 25, HIGH: 5, CRITICAL: 1)
╚ $ podman run -v $XDG_RUNTIME_DIR/podman/podman.sock:$XDG_RUNTIME_DIR/podman/podman.sock \
--rm docker.io/aquasec/trivy:0.49.1 image --docker-host=unix://$XDG_RUNTIME_DIR/podman/podman.sock \
localhost/trivy-image-scan-local
localhost/trivy-image-scan-local (debian 12.4)
==============================================
Total: 96 (UNKNOWN: 0, LOW: 65, MEDIUM: 25, HIGH: 5, CRITICAL: 1)
@jmeza-xyz Thanks for testing!
I believe adding --podman-host is easy to implement.
https://github.com/aquasecurity/trivy/blob/c107e1af29b6f855d92684f518669efa3280c6de/pkg/fanal/types/image.go#L62-L64
Reference: https://github.com/aquasecurity/trivy/pull/3599