clair-scanner
[CRIT] ▶ Could not analyze layer: Clair responded with a failure: Got response 400 with message {"Error":{"Message":"could not find layer"}}
clair-scanner --ip=<host_ip_address> --threshold=Medium --report=filename.json nginx:latest
2018/12/07 01:38:13 [INFO] ▶ Start clair-scanner
2018/12/07 01:38:17 [INFO] ▶ Server listening on port 9279
2018/12/07 01:38:17 [INFO] ▶ Analyzing 5890f2d38d34ce375d44a098dc120817201a6903df1b9dfc70b3ea86e4ffb175
2018/12/07 01:38:18 [CRIT] ▶ Could not analyze layer: Clair responded with a failure: Got response 400 with message {"Error":{"Message":"could not find layer"}}
docker ps | grep clair
43b784d3d7d6 arminc/clair-db:latest "docker-entrypoint.s…" 27 minutes ago Up 27 minutes 0.0.0.0:5432->5432/tcp db
e43ebdc7fc2c arminc/clair-local-scan:v2.0.1 "/clair -config=/con…" 2 hours ago Up 2 hours 0.0.0.0:6060->6060/tcp, 6061/tcp clair
docker logs e43ebdc7fc2c
{"Event":"could not download layer","Level":"warning","Location":"driver.go:129","Time":"2018-12-07 06:38:18.894778","error":"Get http://10.71.11.70:9279/5890f2d38d34ce375d44a098dc120817201a6903df1b9dfc70b3ea86e4ffb175/layer.tar: dial tcp 10.71.11.70:9279: getsockopt: no route to host"}
{"Event":"failed to extract data from path","Level":"error","Location":"worker.go:122","Time":"2018-12-07 06:38:18.895004","error":"could not find layer","layer":"5890f2d38d34ce375d44a098dc120817201a6903df1b9dfc70b3ea86e4ffb175","path":"http://10.71.11.70:9279/5890f2d38d34ce375d44a098dc120817201a6903df1b9dfc70b3ea86e4ffb175/layer.tar"}
{"Event":"Handled HTTP request","Level":"info","Location":"router.go:57","Time":"2018-12-07 06:38:18.896015","elapsed time":1013364278,"method":"POST","remote addr":"172.17.0.1:36072","request uri":"/v1/layers","status":"400"}
While running the clair-scanner command, port 9279 is opened on the host machine and gets closed before the download is started.
Can you please help with this?
What I suspect is happening is that Clair arminc/clair-local-scan:v2.0.1 can't access clair-scanner. Clair creates a connection back to clair-scanner to fetch the layer.
I'm also seeing this message when I try to scan alpine:edge. It was able to scan this image without any issues until alpine:edge was updated last night.
I get this same error running the commands in the documentation one by one:
docker run -p 5432:5432 -d --name db arminc/clair-db:2019-04-15
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.6
make ensure && make build
clair-scanner -w example-alpine.yaml --ip 127.0.0.1 alpine:3.5
2019/04/30 09:02:39 [INFO] ▶ Start clair-scanner
2019/04/30 09:02:39 [INFO] ▶ Server listening on port 9279
2019/04/30 09:02:39 [INFO] ▶ Analyzing e8f315b86d96a44e7466dd3780b212f2cfe918ea00d7847ea41b31064483e9a3
2019/04/30 09:02:39 [CRIT] ▶ Could not analyze layer: Clair responded with a failure: Got response 400 with message {"Error":{"Message":"could not find layer"}}
@arminc that is indeed the case that the process can't connect. The running clair-local-scan container can't connect to the clair-scanner process running on 9279. How can you run the clair-local-scan process standalone? I tried running clair-scanner in a container but then it can't connect to the docker host.
It would be helpful to have an image for how the components work together: Docker host, clair-local-scan, database, clair-scanner process.
Also, the clair-local-scan by default looks at the host name postgres and your directions have --name db.
I have the same problem with alpine. Are there any solutions?
Seems alpine isn't supported now.
Can you try to run with your IP (host running clair-scanner) address parameter?
./clair-scanner --ip=192.168.1.133 vulnerables/web-dvwa
@arminc @gravis @plasticine @leucos @dzaporozhets
I have a similar issue. On a Linux server, I use docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.6 to start clair-local-scan in a container. I can run the command to scan images on this server, but when I use a Jenkins pipeline to execute the same command, I'm getting the error below:
Could not analyze layer: Clair responded with a failure: Got response 400 with message {"Error":{"Message":"could not find layer"}}
Does anyone have a solution for this? It is weird that I can run the command on the server but cannot execute the same command in Jenkins pipeline code. Maybe the container is not publicly accessible? If so, how can I make the container publicly accessible? The docker ps details are below:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b9da71380d16 arminc/clair-local-scan:v2.0.6 "/clair -config=/c..." About an hour ago Up About an hour 0.0.0.0:6060->6060/tcp, 6061/tcp clair
697d97307acf arminc/clair-db:latest "docker-entrypoint..." 3 days ago Up 3 days 0.0.0.0:5432->5432/tcp db
Also not working for me. Different error
2019/07/26 14:31:54 [INFO] ▶ Analyzing b7e513f1782880dddf7b47963f82673b3dbd5c2eeb337d0c96e1ab6d9f3b76bd
2019/07/26 14:31:54 [CRIT] ▶ Could not analyze layer: POST to Clair failed Post http://docker:6060/v1/layers: dial tcp: lookup docker on 172.31.0.2:53: no such host
I was running into the same issues locally on Mac (Docker Engine: 18.09.2).
By setting --ip host.docker.internal I got it working. Support seems pending for Linux though: https://github.com/docker/for-linux/issues/264
Ran into the same issue in our Jenkins setup (running on Linux) and needed to fetch the host IP using HOST_IP=$(ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+') and then use --ip ${HOST_IP} when running the scan.
Indeed. Also had to change to the Docker inside DinD and then it works.
Did anyone get a resolution for this?
HOST_IP=$(ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+') and then use --ip ${HOST_IP} when running the scan.
Using this HOST_IP, it works for me
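The thread shows two different failing legs: Clair calling back to clair-scanner on port 9279, and clair-scanner calling Clair's API. The script below is an added example, not part of the thread or of clair-scanner; it tells the two apart from a log line and extracts the docker0 address without needing grep -P. The function names and the sample `ip` output are assumptions made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): work out which leg of a scan failed.

# Print the first IPv4 address in `ip -4 addr show <iface>` output read from stdin.
# Does the job of grep -Po 'inet \K[\d.]+' without needing PCRE support in grep.
first_inet4() {
    awk '$1 == "inet" { split($2, a, "/"); print a[1]; exit }'
}

# Map one log line to the leg that failed:
#   callback  - Clair could not fetch layer.tar from clair-scanner (port 9279)
#   clair-api - clair-scanner could not reach Clair's API
#   generic   - the 400 summary; the cause is in `docker logs` of the Clair container
classify_failure() {
    case "$1" in
        *"could not download layer"*) echo callback ;;
        *"POST to Clair failed"*)     echo clair-api ;;
        *"could not find layer"*)     echo generic ;;
        *)                            echo unknown ;;
    esac
}

# Extract the address:port Clair dialled from a callback failure line.
callback_target() {
    printf '%s\n' "$1" | sed -n 's/.*dial tcp \([0-9.]*:[0-9]*\).*/\1/p'
}

# Constructed `ip -4 addr show docker0` output.
SAMPLE_IP_OUTPUT='4: docker0: <BROADCAST,MULTICAST,UP> mtu 1500 state UP
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0'

# Log lines abbreviated from the thread (<layer> stands in for the layer id).
LOG_CALLBACK='{"Event":"could not download layer","error":"Get http://10.71.11.70:9279/<layer>/layer.tar: dial tcp 10.71.11.70:9279: getsockopt: no route to host"}'
LOG_API='[CRIT] Could not analyze layer: POST to Clair failed Post http://docker:6060/v1/layers: dial tcp: lookup docker on 172.31.0.2:53: no such host'

echo "bridge address: $(printf '%s\n' "$SAMPLE_IP_OUTPUT" | first_inet4)"
echo "failed leg: $(classify_failure "$LOG_CALLBACK"), Clair dialled $(callback_target "$LOG_CALLBACK")"
echo "failed leg: $(classify_failure "$LOG_API")"

# Live use, as in the thread:
#   clair-scanner --ip "$(ip -4 addr show docker0 | first_inet4)" <image>
```

A `callback` result means the value passed to --ip is not routable from the Clair container; a `clair-api` result means the scanner's own request to Clair never arrived, so changing --ip will not help.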