clairctl
Got permission denied while trying to connect to the Docker daemon socket
In the clairctl service, I executed the commands:
$ clairctl pull ubuntu:16.04
$ clairctl --log-level debug push ubuntu:16.04 --local
The pull request works fine, but the push request fails and produces the following error message:
2017-07-06 19:15:21.850610 C | cmd: retrieving manifest for "ubuntu:16.04": cannot save image ubuntu:16.04: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/images/get?names=ubuntu%3A16.04: dial unix /var/run/docker.sock: connect: permission denied
I get a similar error if, in the clairctl service, I execute the command docker run hello-world; not a good sign. Clairctl needs to add user(s) to the docker group to avoid this error.
Are you on Mac? We already had this issue; you can fix it by setting the gid to 50 in your compose file.
I am on Ubuntu Linux. I guess I can try setting the gid and see if it fixes the problem.
@FrankJLhota : run the docker compose out of the box, then from the clairctl container do a:
ls -alh /var/run/docker.sock
You should be able to see the group name or the group ID you have to set in the docker-compose.yml
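The check described above, written out as a small Go program. This is an added example, not code from clairctl: it stats the socket, reports the owning gid (resolving the group name through the container's own /etc/group, which is why the name can differ from the host's, as "ping" does later in this thread), and renders the group_add fragment for a single compose service. The path /var/run/docker.sock and the service name clairctl come from this thread; any other path passed on the command line is the caller's assumption. Membership in the socket's group is root-equivalent on the host, so grant it to the one container that needs it, by numeric gid, rather than opening the socket with chmod 666/777.

```go
package main

import (
	"fmt"
	"os"
	"os/user"
	"strconv"
	"syscall"
)

// SocketOwner describes who may talk to a Unix socket such as /var/run/docker.sock.
type SocketOwner struct {
	Path     string
	IsSocket bool
	UID      uint32
	GID      uint32
	Group    string      // group name for GID, or the numeric GID when /etc/group does not know it
	Mode     os.FileMode // permission bits only
}

// InspectSocket stats path and reports its owning uid/gid, the resolved group
// name and whether the path is actually a socket. Uses the Unix stat fields.
func InspectSocket(path string) (SocketOwner, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return SocketOwner{}, err
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return SocketOwner{}, fmt.Errorf("%s: no unix stat information available", path)
	}
	o := SocketOwner{
		Path:     path,
		IsSocket: fi.Mode()&os.ModeSocket != 0,
		UID:      st.Uid,
		GID:      st.Gid,
		Mode:     fi.Mode().Perm(),
	}
	// Fall back to the numeric id: inside a container the gid usually has no name.
	o.Group = strconv.FormatUint(uint64(st.Gid), 10)
	if g, err := user.LookupGroupId(o.Group); err == nil {
		o.Group = g.Name
	}
	return o, nil
}

// GroupWritable reports whether members of the owning group can connect;
// connecting to a Unix socket requires write permission on it.
func (o SocketOwner) GroupWritable() bool {
	return o.Mode&0020 != 0
}

// ComposeGroupAdd renders a docker-compose group_add fragment for one service.
// The numeric gid is used on purpose: a name such as "docker" or "ping" may map
// to a different id inside the container than on the host.
func ComposeGroupAdd(service string, gid uint32) string {
	return fmt.Sprintf("services:\n  %s:\n    group_add:\n      - \"%d\"\n", service, gid)
}

func main() {
	path := "/var/run/docker.sock" // assumed default; override with the first argument
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	o, err := InspectSocket(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s: socket=%v uid=%d gid=%d group=%s mode=%04o group-writable=%v\n",
		o.Path, o.IsSocket, o.UID, o.GID, o.Group, o.Mode, o.GroupWritable())
	fmt.Print(ComposeGroupAdd("clairctl", o.GID))
}
```

Run it from inside the clairctl container (docker-compose exec clairctl ...) so the group lookup uses the container's /etc/group; the printed gid is the value to put in docker-compose.yml.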
Running ls -alh /var/run/docker.sock from the clairctl container produces:
rw-rw---- 1 root ping 0 Jul 7 15:24 /var/run/docker.sock
So I added group_add: ping to the docker-compose.yml file. Now when I run the command clairctl --log-level debug analyze --local ubuntu:16.04 from the clairctl container, I get these errors:
2017-07-07 19:02:14.425426 D | dockercli: docker image to save: ubuntu:16.04
2017-07-07 19:02:14.425440 D | dockercli: saving in: /tmp/ubuntu/blobs
client quit unexpectedly
2017-07-07 19:02:14.426505 C | cmd: retrieving manifest for "ubuntu:16.04": cannot save image ubuntu:16.04: Error response from daemon: reference does not exist
Please advise.
It says Ubuntu:16.04 does not exist. That means the image does not exist. Do you see it with docker images?
When I run docker images from the clairctl container, it displays
REPOSITORY TAG IMAGE ID CREATED SIZE
quay.io/coreos/clair-git latest 5224c7d72fa2 10 days ago 422MB
postgres 9.6 f8d91fbcfa35 13 days ago 269MB
postgres latest f8d91fbcfa35 13 days ago 269MB
ubuntu latest d355ed3537e9 2 weeks ago 119MB
jgsqware/clairctl latest 0a13af3e97a0 3 weeks ago 43.8MB
hello-world latest 1815c82652c0 3 weeks ago 1.84kB
quay.io/coreos/clair v2.0.0 c5ec68ce85d5 7 weeks ago 387MB
I am not sure why we got ubuntu:latest when I pulled ubuntu:16.04.
I don't know why but that's the error. You can try with ubuntu:latest
To be clear, I first executed clairctl pull ubuntu:16.04 in the clairctl container. This command produced the following output:
Image: docker.io/library/ubuntu:16.04
5 layers found
➜ sha256:75c416ea735c42a4a0b2c8f31946a1918adc7853373c411abbec424391fb989c
➜ sha256:c6ff40b6d658359b7b428e76db4b9f6f921e47dda0a9a25537c09cc0f031c206
➜ sha256:a7050fc1f338be18d965236f3bf937073e82d3846e362b4525815be483984ffb
➜ sha256:f0ffb5cf6ba990b18c314f5758f6e68609f1e32b3d35769b74264150d317b728
➜ sha256:be232718519c940b04bc576366a58df53418d8e8bdb605f4e3ca66775735fdca
It was after this that I attempted the push command.
I think I see the problem: if I execute clairctl version from the clairctl container, it returns
Clairctl version v1.2.7-4d36dcd
I was expecting Clairctl version 1.2.8. How did an older version of clairctl end up in the clairctl container?
@FrankJLhota clairctl pull is not the same as a docker pull. It won't actually pull the image.
Regarding the version, which version did you run with your docker run? The tag latest is actually v1.2.7; I never tagged v1.2.8 as latest (I will do that now).
I am running the docker-compose.yml containers, then I use docker-compose exec clairctl sh to run commands from the clairctl container.
I tried running both docker pull ubuntu:16.04 and clairctl pull ubuntu:16.04 from the clairctl container. Those commands work fine, but clairctl analyze ubuntu:16.04 gives me the "pull from clair is unauthorized" error.
That is because you are trying to analyze an official Docker Hub image. In order to do that, you need to do a docker login first.
I logged into the docker.io/library registry, then executed clairctl --log-level debug analyze ubuntu:16.04 in the clairctl container. The analyze command failed, producing this output:
2017-07-12 16:41:23.030297 D | config: Using config file: /home/clairctl/clairctl.yml
2017-07-12 16:41:23.030404 D | dockerdist: Downloading manifest for ubuntu:16.04
2017-07-12 16:41:23.030507 D | dockerdist: Retrieving repository client
2017-07-12 16:41:23.030578 D | dockerdist: endpoint.TLSConfig.InsecureSkipVerify: true
2017-07-12 16:41:23.654175 D | dockerdist: manifest type: *schema2.DeserializedManifest
2017-07-12 16:41:23.654219 D | dockerdist: retrieved schema2 manifest, no verification
2017-07-12 16:41:23.654317 I | config: retrieving interface for local IP
2017-07-12 16:41:23.654336 D | config: no interface provided, looking for docker0
2017-07-12 16:41:23.654490 D | config: docker0 not found, looking for first connected broadcast interface
2017-07-12 16:41:23.654713 I | clair: Pushing Layer 1/5 [sha256:75c41]
2017-07-12 16:41:23.654841 D | clair: Saving sha256:75c416ea735c42a4a0b2c8f31946a1918adc7853373c411abbec424391fb989c[https://registry-1.docker.io/v2]
2017-07-12 16:41:23.654950 D | clair: auth.insecureSkipVerify: true
2017-07-12 16:41:23.654981 D | clair: request.URL.String(): https://registry-1.docker.io/v2/library/ubuntu/blobs/sha256:75c416ea735c42a4a0b2c8f31946a1918adc7853373c411abbec424391fb989c
2017-07-12 16:41:23.784312 I | clair: pull from clair is unauthorized
2017-07-12 16:41:24.032574 I | clair: adding layer 1/5 [sha256:75c41]: receiving http error: 400
client quit unexpectedly
2017-07-12 16:41:24.032633 C | cmd: pushing image "ubuntu:16.04": receiving http error: 400
Error 400 means clair cannot download the layers. Do you have your Clair log?
I just tried it again, here is the log:
Attaching to clairctl_clair_1
clair_1 | {"Event":"pgsql: could not open database: dial tcp 172.21.0.3:5432: getsockopt: connection refused","Level":"fatal","Location":"main.go:96","Time":"2017-07-12 17:17:16.662062"}
clair_1 | {"Event":"pgsql: could not open database: dial tcp 172.21.0.3:5432: getsockopt: connection refused","Level":"fatal","Location":"main.go:96","Time":"2017-07-12 17:17:17.383478"}
clair_1 | {"Event":"pgsql: could not open database: dial tcp 172.21.0.3:5432: getsockopt: connection refused","Level":"fatal","Location":"main.go:96","Time":"2017-07-12 17:17:17.922015"}
clair_1 | {"Event":"pgsql: could not open database: dial tcp 172.21.0.3:5432: getsockopt: connection refused","Level":"fatal","Location":"main.go:96","Time":"2017-07-12 17:17:18.809751"}
clair_1 | {"Event":"pgsql: could not open database: dial tcp 172.21.0.3:5432: getsockopt: connection refused","Level":"fatal","Location":"main.go:96","Time":"2017-07-12 17:17:20.021687"}
clair_1 | {"Event":"running database migrations","Level":"info","Location":"pgsql.go:216","Time":"2017-07-12 17:17:22.027483"}
clair_1 | {"Event":"database migration ran successfully","Level":"info","Location":"pgsql.go:223","Time":"2017-07-12 17:17:22.322331"}
clair_1 | {"Event":"notifier service is disabled","Level":"info","Location":"notifier.go:77","Time":"2017-07-12 17:17:22.322648"}
clair_1 | {"Event":"starting health API","Level":"info","Location":"api.go:85","Time":"2017-07-12 17:17:22.322682","port":6061}
clair_1 | {"Event":"updater service started","Level":"info","Location":"updater.go:80","Time":"2017-07-12 17:17:22.322779","lock identifier":"776e5aa6-5e22-436a-afb7-2df2e91ab031"}
clair_1 | {"Event":"starting main API","Level":"info","Location":"api.go:52","Time":"2017-07-12 17:17:22.322862","port":6060}
clair_1 | {"Event":"attempting to obtain update lock","Level":"debug","Location":"updater.go:99","Time":"2017-07-12 17:17:22.324874"}
clair_1 | {"Event":"updating vulnerabilities","Level":"info","Location":"updater.go:167","Time":"2017-07-12 17:17:22.329173"}
clair_1 | {"Event":"fetching vulnerability updates","Level":"info","Location":"updater.go:213","Time":"2017-07-12 17:17:22.329275"}
clair_1 | {"Event":"Start fetching vulnerabilities","Level":"info","Location":"rhel.go:92","Time":"2017-07-12 17:17:22.329429","package":"RHEL"}
clair_1 | {"Event":"Start fetching vulnerabilities","Level":"info","Location":"ubuntu.go:88","Time":"2017-07-12 17:17:22.329635","package":"Ubuntu"}
clair_1 | {"Event":"Start fetching vulnerabilities","Level":"info","Location":"debian.go:63","Time":"2017-07-12 17:17:22.330225","package":"Debian"}
clair_1 | {"Event":"Start fetching vulnerabilities","Level":"info","Location":"oracle.go:119","Time":"2017-07-12 17:17:22.331063","package":"Oracle Linux"}
clair_1 | {"Event":"Start fetching vulnerabilities","Level":"info","Location":"alpine.go:52","Time":"2017-07-12 17:17:22.331418","package":"Alpine"}
clair_1 | {"Event":"Debian buster is not mapped to any version number (eg. Jessie-\u003e8). Please update me.","Level":"warning","Location":"debian.go:128","Time":"2017-07-12 17:17:26.439521"}
clair_1 | {"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-12 17:17:26.439564","updater name":"debian"}
clair_1 | {"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-12 17:17:34.013289","updater name":"alpine"}
clair_1 | {"Event":"processing layer","Level":"debug","Location":"worker.go:73","Time":"2017-07-12 17:17:52.555521","engine version":3,"format":"Docker","layer":"sha256:75c416ea735c42a4a0b2c8f31946a1918adc7853373c411abbec424391fb989c","parent layer":"","path":"https://registry-1.docker.io/v2/library/ubuntu/blobs/sha256:75c416ea735c42a4a0b2c8f31946a1918adc7853373c411abbec424391fb989c"}
clair_1 | {"Event":"could not download layer: expected 2XX","Level":"warning","Location":"driver.go:135","Time":"2017-07-12 17:17:52.682826","status code":401}
clair_1 | {"Event":"failed to extract data from path","Level":"error","Location":"worker.go:122","Time":"2017-07-12 17:17:52.682953","error":"could not find layer","layer":"sha256:75c416ea735c42a4a0b2c8f31946a1918adc7853373c411abbec424391fb989c","path":"https://registry-1.docker.io/v2/library/ubuntu/blobs/sha256:75c416ea735c42a4a0b2c8f31946a1918adc7853373c411abbec424391fb989c"}
clair_1 | {"Event":"Handled HTTP request","Level":"info","Location":"router.go:57","Time":"2017-07-12 17:17:52.685017","elapsed time":128955947,"method":"POST","remote addr":"172.21.0.4:39752","request uri":"/v1/layers","status":"400"}
clair_1 | {"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-12 17:21:45.835012","updater name":"ubuntu"}
Another experiment: I deployed a local registry with the command
docker run -d -p 5000:5000 --restart=always --name registry registry:2
Then I did the following commands to push the container to this local registry:
docker pull ubuntu:16.04
docker tag ubuntu:16.04 localhost:5000/my-ubuntu
docker push localhost:5000/my-ubuntu
After this, I executed the command clairctl --log-level debug analyze localhost:5000/my-ubuntu -l. The log messages produced were:
2017-07-12 18:47:41.367364 D | config: Using config file: /home/clairctl/clairctl.yml
2017-07-12 18:47:41.367579 D | dockercli: docker image to save: localhost:5000/my-ubuntu:latest
2017-07-12 18:47:41.367587 D | dockercli: saving in: /tmp/localhost/blobs
2017-07-12 18:47:42.291445 I | config: retrieving interface for local IP
2017-07-12 18:47:42.291458 D | config: no interface provided, looking for docker0
2017-07-12 18:47:42.291506 D | config: docker0 not found, looking for first connected broadcast interface
2017-07-12 18:47:42.291743 I | server: Starting Server on 172.21.0.2:44480
2017-07-12 18:47:42.296673 I | config: retrieving interface for local IP
2017-07-12 18:47:42.296680 D | config: no interface provided, looking for docker0
2017-07-12 18:47:42.296776 D | config: docker0 not found, looking for first connected broadcast interface
2017-07-12 18:47:42.296842 I | clair: using http://172.21.0.2:44480/local as local url
2017-07-12 18:47:42.296869 I | clair: Pushing Layer 1/5 [0cfd9cb2ea20]
2017-07-12 18:47:42.296946 D | clair: Saving 0cfd9cb2ea20b891dad7b2c5e46b18686848e692d49f9cad3261f3428bbfbfc9[https:///v2]
2017-07-12 18:47:42.300598 I | clair: adding layer 1/5 [0cfd9cb2ea20]: receiving http error: 400
client quit unexpectedly
2017-07-12 18:47:42.300669 C | cmd: pushing image "localhost:5000/my-ubuntu:latest": receiving http error: 400
Does your clair container have a link to the registry container?
@FrankJLhota: If you want me to help, you need to answer my questions. Copy pasting the same error messages without context is not going to help.
It looks like your registry, clair and clairctl containers can't communicate. Make them communicate with --link or put your registry in the docker-compose.yml
My apologies, somehow I missed your question before I hit the "comment" button. Sorry for the inconvenience.
In answer to your question, my docker-compose.yml file did not have a link to the registry container. My docker-compose.yml file was the one from the clairctl repository, with one modification: I added the following item to the clairctl service to fix the /var/run/docker.sock permissions problem.
group_add:
  - ping
I found the source of my problems: the clairctl analyze --local command has a parsing problem with an image that has a colon (':') in its name. So if I perform clairctl analyze localhost:5000/my-ubuntu --local, I will get the 400 error, but if I run clairctl analyze my-regis/my-ubuntu --local, that command runs fine.
I find as well that I can run
$ docker-compose exec clairctl clairctl analyze nginx -l
Image: /nginx:latest
3 layers found
➜ Analysis [50e1755fce44] found 46 vulnerabilities.
➜ Analysis [d294b139a05e] found 46 vulnerabilities.
➜ Analysis [1aa0a35a3417] found 25 vulnerabilities.
But with a colon in the image name:
$ docker-compose exec clairctl clairctl analyze nginx:stable-alpine -l
client quit unexpectedly
2017-07-24 22:48:42.694477 C | cmd: pushing image "nginx:stable-alpine": receiving http error: 400
$ docker-compose exec clairctl clairctl analyze nginx:stable-alpine -l --log-level debug
2017-07-24 22:49:01.077846 D | config: Using config file: /home/clairctl/clairctl.yml
2017-07-24 22:49:01.078056 D | dockercli: docker image to save: nginx:stable-alpine
2017-07-24 22:49:01.078064 D | dockercli: saving in: /tmp/nginx/blobs
2017-07-24 22:49:01.303681 I | config: retrieving interface for local IP
2017-07-24 22:49:01.303700 D | config: no interface provided, looking for docker0
2017-07-24 22:49:01.303770 D | config: docker0 not found, looking for first connected broadcast interface
2017-07-24 22:49:01.303984 I | server: Starting Server on 172.18.0.4:44480
2017-07-24 22:49:01.308925 I | config: retrieving interface for local IP
2017-07-24 22:49:01.308934 D | config: no interface provided, looking for docker0
2017-07-24 22:49:01.308977 D | config: docker0 not found, looking for first connected broadcast interface
2017-07-24 22:49:01.309043 I | clair: using http://172.18.0.4:44480/local as local url
2017-07-24 22:49:01.309054 I | clair: Pushing Layer 1/4 [d831b16adf84]
2017-07-24 22:49:01.309091 D | clair: Saving d831b16adf846838fa53902157a3e12beb9f5195df98e2c18ee1b18218163f61[https://registry-1.docker.io/v2]
2017-07-24 22:49:01.311376 I | clair: adding layer 1/4 [d831b16adf84]: receiving http error: 400
client quit unexpectedly
2017-07-24 22:49:01.311397 C | cmd: pushing image "nginx:stable-alpine": receiving http error: 400
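The two failing names above share one ambiguity: in localhost:5000/my-ubuntu the ':' introduces a registry port, in nginx:stable-alpine it introduces a tag. The Go program below is an added example, not clairctl's own parser, showing a naive first-colon split beside a parser that applies the rules of Docker's distribution/reference grammar: the first path component is a registry host only if it contains a '.' or a ':' or is exactly "localhost"; a ':' starts a tag only when no '/' follows it; '@' starts a digest; single-component Docker Hub names get the "library/" prefix. The sample references in main are the ones from this thread plus a digest form for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Ref is a parsed image reference: registry host (possibly host:port),
// repository path, and a tag and/or digest.
type Ref struct {
	Registry   string
	Repository string
	Tag        string
	Digest     string
}

// String renders the reference in canonical form.
func (r Ref) String() string {
	s := r.Registry + "/" + r.Repository
	if r.Tag != "" {
		s += ":" + r.Tag
	}
	if r.Digest != "" {
		s += "@" + r.Digest
	}
	return s
}

// NaiveSplit is the kind of parsing that breaks on "localhost:5000/my-ubuntu":
// it treats everything after the first ':' as the tag, so the port becomes a tag
// and the repository path is lost.
func NaiveSplit(ref string) (name, tag string) {
	if i := strings.Index(ref, ":"); i >= 0 {
		return ref[:i], ref[i+1:]
	}
	return ref, "latest"
}

// ParseRef splits an image reference into registry, repository, tag and digest
// following the distribution/reference rules described in the lead-in.
func ParseRef(ref string) (Ref, error) {
	orig := ref
	if ref == "" {
		return Ref{}, errors.New("empty reference")
	}
	var r Ref
	// 1. A digest, if present, is everything after '@' and must be sha256:<hex>.
	if i := strings.Index(ref, "@"); i >= 0 {
		r.Digest = ref[i+1:]
		ref = ref[:i]
		if !strings.HasPrefix(r.Digest, "sha256:") || len(r.Digest) != len("sha256:")+64 {
			return Ref{}, fmt.Errorf("%q: unsupported digest %q", orig, r.Digest)
		}
	}
	// 2. The first path component is a registry only if it looks like a host.
	if i := strings.Index(ref, "/"); i >= 0 {
		first := ref[:i]
		if strings.ContainsAny(first, ".:") || first == "localhost" {
			r.Registry = first
			ref = ref[i+1:]
		}
	}
	if r.Registry == "" {
		r.Registry = "docker.io"
	}
	// 3. A ':' is a tag separator only when it sits in the last path component.
	if i := strings.LastIndex(ref, ":"); i >= 0 && !strings.Contains(ref[i:], "/") {
		if i == len(ref)-1 {
			return Ref{}, fmt.Errorf("%q: empty tag", orig)
		}
		r.Tag = ref[i+1:]
		ref = ref[:i]
	}
	if ref == "" || strings.HasPrefix(ref, "/") || strings.HasSuffix(ref, "/") {
		return Ref{}, fmt.Errorf("%q: invalid repository path", orig)
	}
	r.Repository = ref
	// Official Docker Hub images live under "library/".
	if r.Registry == "docker.io" && !strings.Contains(ref, "/") {
		r.Repository = "library/" + ref
	}
	if r.Tag == "" && r.Digest == "" {
		r.Tag = "latest"
	}
	return r, nil
}

func main() {
	refs := os.Args[1:]
	if len(refs) == 0 {
		refs = []string{"localhost:5000/my-ubuntu", "nginx:stable-alpine", "my-regis/my-ubuntu", "nginx"}
	}
	for _, in := range refs {
		n, t := NaiveSplit(in)
		r, err := ParseRef(in)
		if err != nil {
			fmt.Printf("%-28s naive=%s|%s  parsed=error: %v\n", in, n, t, err)
			continue
		}
		fmt.Printf("%-28s naive=%s|%s  parsed=%s (registry=%s)\n", in, n, t, r, r.Registry)
	}
}
```

The practical consequence for the thread: a client that resolves the registry from the reference before looking for a tag sends the blob requests to localhost:5000 rather than to the default registry with a mangled path, which is the difference between a working --local analysis and the 400 seen above.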
I got the same issue on Ubuntu 17.10. The fix was simple: add yourself to the docker group:
sudo usermod -aG docker [your_user_name]
Then, you need to reboot, because group membership is somehow cached on linux.
Right. Closing it because it is not linked to the clairctl project. Thanks
It seems you are running docker in user mode rather than as root. I had faced the same problem earlier.
Run chmod on /var/run/docker.sock, for example chmod 777 /var/run/docker.sock. This should solve your problem.
This worked for me on Ubuntu 17.10:
sudo usermod -aG docker vagrant
exit, then vagrant ssh again
docker version
Client:
 Version: 18.01.0-ce
 API version: 1.35
 Go version: go1.9.2
 Git commit: 03596f5
 Built: Wed Jan 10 20:13:21 2018
 OS/Arch: linux/amd64
 Experimental: false
 Orchestrator: swarm
Server:
 Engine:
  Version: 18.01.0-ce
  API version: 1.35 (minimum version 1.12)
  Go version: go1.9.2
  Git commit: 03596f5
  Built: Wed Jan 10 20:11:47 2018
  OS/Arch: linux/amd64
  Experimental: false
This is what worked for me:
sudo chmod 666 /var/run/docker.sock
Resolved after rebooting the system.
You need to relogin after adding the user to the group: sudo usermod -aG docker vagrant, then (relogin) exit and ssh again, as @Laxman-SM mentioned before.
If relogin after adding yourself to the docker group was unsuccessful, it's not necessary to reboot your system or change the /var/run/docker.sock file mode; try sudo service docker restart to restart the docker service.