Clairctl cannot pull from custom secure registry on CoreOS and RancherOS distro

Open jdel opened this issue 7 years ago • 6 comments

I cannot clairctl pull anymore from my custom registry with build 5d7ae72.

Something must have broken it since it was working fine with the fix-pull branch a while ago.

I have tried multiple syntaxes:

sf-clair ~ # clairctl pull --log-level debug registry.mydomain.net/core/custom-nginx:latest
DEBU[0000] Using config file: /root/clairctl.yml
DEBU[0000] hostDir: /etc/docker/certs.d/index.docker.io
DEBU[0000] attempting v2 login to registry endpoint https://registry-1.docker.io/v2/
DEBU[0001] hostDir: /etc/docker/certs.d/registry.mydomain.net
DEBU[0001] hostDir: /etc/docker/certs.d/registry.mydomain.net
client quit unexpectedly
FATA[0001] retrieving manifest for "registry.mydomain.net/core/custom-nginx:latest": Get http://registry.mydomain.net/v2/: dial tcp 172.16.1.8:80: getsockopt: connection refused

sf-clair ~ # clairctl pull --log-level debug registry.mydomain.net:443/core/custom-nginx:latest
DEBU[0000] Using config file: /root/clairctl.yml
DEBU[0000] hostDir: /etc/docker/certs.d/index.docker.io
DEBU[0000] attempting v2 login to registry endpoint https://registry-1.docker.io/v2/
DEBU[0001] hostDir: /etc/docker/certs.d/registry.mydomain.net:443
DEBU[0001] hostDir: /etc/docker/certs.d/registry.mydomain.net:443
client quit unexpectedly
FATA[0001] retrieving manifest for "registry.mydomain.net:443/core/custom-nginx:latest": Only V2 repository are supported

sf-clair ~ # clairctl pull --log-level debug https://registry.mydomain.net/core/custom-nginx:latest
DEBU[0000] Using config file: /root/clairctl.yml
client quit unexpectedly
FATA[0000] retrieving manifest for "https://registry.mydomain.net/core/custom-nginx:latest": Error parsing reference: "https://registry.mydomain.net/core/custom-nginx:latest" is not a valid repository/tag: invalid reference format

On my machine, /etc/docker/ contains a single key.json file.

Feb 13 '17 13:02 jdel

Hi, thanks for reporting. Could you test with the last version? It should be corrected.

Feb 21 '17 09:02 jgsqware

I can successfully pull, push, analyze and report on my registry. However, I have to do it as root, otherwise I get an access denied error:

~ $ clairctl --log-level debug pull registry.mydomain.net/core/custom-nginx:latest
DEBU[0000] Using config file: /home/core/clairctl.yml
DEBU[0000] Downloading manifest for registry.mydomain.net/core/custom-nginx:latest
DEBU[0000] Retrieving repository client
DEBU[0000] hostDir: /etc/docker/certs.d/registry.mydomain.net
DEBU[0000] registry.LookupPullEndpoints error: open /etc/docker/certs.d/registry.mydomain.net: permission denied
client quit unexpectedly
FATA[0000] retrieving manifest for "registry.mydomain.net/core/custom-nginx:latest": open /etc/docker/certs.d/registry.mydomain.net: permission denied

If I just sudo the command, it works fine. Not ideal, but it works.

Feb 24 '17 11:02 jdel

OK, thanks for reporting, I will add an issue for the sudo part.

It will use the cert.d folder generated by docker, so the user running clairctl should be in the docker group.

Feb 28 '17 09:02 jgsqware

I am afraid /etc/docker/certs.d doesn't exist on either CoreOS or RancherOS.

Mar 01 '17 11:03 jdel

I will test on this distribution, thanks.


Mar 01 '17 11:03 jgsqware

@jdel is this working now with the 1.2.7?

Jun 21 '17 06:06 jgsqware
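
Added example, not part of the thread or of clairctl: a shell diagnostic that maps an image reference to its `certs.d` host directory name and reports whether that directory is missing, unreadable by the current user, or usable, covering the cases reported above. The function names are hypothetical, and the host-detection rule is Docker's usual reference convention, assumed here to match what clairctl does.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not part of clairctl.

# registry_host REF: print the registry host[:port] part of an image reference.
# Assumed rule (Docker's convention): the first path component is a registry
# only if it contains '.' or ':' or is "localhost"; otherwise the default index.
registry_host() {
    ref=$1
    case $ref in
        *://*) echo "invalid reference (URL scheme not allowed): $ref" >&2
               return 2 ;;
    esac
    first=${ref%%/*}
    if [ "$first" = "$ref" ]; then
        # No slash at all, e.g. "nginx:latest"
        echo "index.docker.io"
        return 0
    fi
    case $first in
        *.*|*:*|localhost) echo "$first" ;;
        *) echo "index.docker.io" ;;
    esac
}

# certs_dir_status REF [ROOT]: state of ROOT/<host> for the current user.
# Prints "missing", "unreadable" or "ok"; returns 2 on an invalid reference.
certs_dir_status() {
    root=${2:-/etc/docker/certs.d}
    host=$(registry_host "$1") || return 2
    dir=$root/$host
    if [ -d "$root" ] && [ ! -x "$root" ]; then
        # Parent exists but cannot be traversed: the lookup fails with EACCES.
        echo "unreadable"
    elif [ ! -e "$dir" ]; then
        echo "missing"
    elif [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "unreadable"
    else
        echo "ok"
    fi
}

# Stand-alone use: ./check.sh registry.mydomain.net/core/custom-nginx:latest
[ $# -eq 0 ] || certs_dir_status "$@"
```

Run it as the same user that runs clairctl; as root the "unreadable" state never appears, which matches the sudo workaround described in the thread.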