
using clairctl and clair with a registry that requires basic auth credentials

Open ChrisCGH opened this issue 8 years ago • 4 comments

I'm trying to use clairctl + clair running as containers to scan an image in a docker registry which needs basic auth. I've got clairctl using basic auth by mounting a .docker/config.json with the basic auth credentials, but when clairctl pushes the image to clair, clair fails because it gets HTTP 401 back when it tries to download a layer - how do I get clair to use the basic auth credentials?

Chris

ChrisCGH, Aug 29 '17 12:08

+1 I have the same problem.

I've mounted the credential file into both clair and clairctl containers, but I get:

alinar@secbatch2-uswest2adevc:~$ sudo docker exec --user root -i -t clairctl-clairctl clairctl push --log-level debug <my_image>
2017-09-06 16:06:13.157829 D | config: Using config file: /home/clairctl/clairctl.yml
2017-09-06 16:06:13.159171 D | dockerdist: Downloading manifest for <my_image>
2017-09-06 16:06:13.159380 D | dockerdist: Retrieving repository client
2017-09-06 16:06:13.465685 D | dockerdist: endpoint.TLSConfig.InsecureSkipVerify: true
2017-09-06 16:06:14.571979 D | dockerdist: manifest type: *schema1.SignedManifest
2017-09-06 16:06:14.572887 I | config: retrieving interface for local IP
2017-09-06 16:06:14.572915 D | config: no interface provided, looking for docker0
2017-09-06 16:06:14.573035 D | config: docker0 not found, looking for first connected broadcast interface
2017-09-06 16:06:14.573181 I | clair: Pushing Layer 1/32 [sha256:a3ed9]
2017-09-06 16:06:14.575005 D | clair: Saving sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4[https://<my_registry>/v2]
2017-09-06 16:06:14.576447 D | clair: auth.insecureSkipVerify: true
2017-09-06 16:06:14.576491 D | clair: request.URL.String(): https://<my_registry>/v2/<my_image_name_without_tag>/blobs/sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
2017-09-06 16:06:14.699191 I | clair: pull from clair is unauthorized
2017-09-06 16:06:14.907697 I | clair: adding layer 1/32 [sha256:a3ed9]: receiving http error: 400
client quit unexpectedly
2017-09-06 16:06:14.907736 C | cmd: pushing image "<my_image>": receiving http error: 400

I've tried pulling the image manually from the docker registry that needs authentication and then passing it to clair as a local image, but that still doesn't work:

sudo docker exec --user root -i -t clairctl-clairctl clairctl push --log-level debug --local <my_image>
2017-09-06 14:53:24.037499 D | config: Using config file: /home/clairctl/clairctl.yml
2017-09-06 14:53:24.037872 I | config: retrieving interface for local IP
2017-09-06 14:53:24.037901 D | config: no interface provided, looking for docker0
2017-09-06 14:53:24.038046 D | config: docker0 not found, looking for first connected broadcast interface
2017-09-06 14:53:24.038472 D | server: Update local server port from "0" to "60243"
2017-09-06 14:53:24.038503 I | server: Starting Server on 169.254.0.3:60243
2017-09-06 14:53:24.044068 D | dockercli: docker image to save: <my_image>
2017-09-06 14:53:24.044106 D | dockercli: saving in: /tmp/clairctl/<private_registry_name>/blobs
client quit unexpectedly
2017-09-06 14:53:24.045378 C | cmd: retrieving manifest for "<my_image>": cannot save image <my_image>: Error response from daemon: reference does not exist

transcedentalia, Sep 06 '17 15:09
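
Added example, not part of the thread and not clairctl or Clair code: how the `auth` entry of a mounted `.docker/config.json` maps to the `Authorization` header a basic-auth registry expects on the `/v2/<name>/blobs/<digest>` request seen in the logs above. The host, repository, digest and the `user:pass` credential are constructed placeholders, and the function names are hypothetical.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Constructed sample config; "dXNlcjpwYXNz" is base64 of the placeholder "user:pass".
const sampleConfig = `{"auths":{"registry.example.test":{"auth":"dXNlcjpwYXNz"}}}`

// basicAuthHeader returns the Authorization header value for a registry host,
// or an error when the config holds no usable inline credential for it.
func basicAuthHeader(cfg []byte, host string) (string, error) {
	var c struct {
		Auths map[string]struct{ Auth string `json:"auth"` } `json:"auths"`
	}
	if err := json.Unmarshal(cfg, &c); err != nil {
		return "", fmt.Errorf("parsing docker config: %w", err)
	}
	entry, ok := c.Auths[host]
	if !ok || entry.Auth == "" { // host missing, or credentials kept in an external helper
		return "", fmt.Errorf("no inline credentials for %q", host)
	}
	raw, err := base64.StdEncoding.DecodeString(entry.Auth)
	if err != nil || !strings.Contains(string(raw), ":") {
		return "", fmt.Errorf("auth entry for %q is not base64 user:password", host)
	}
	return "Basic " + entry.Auth, nil
}

// blobRequest builds the layer download request with the credential attached.
func blobRequest(cfg []byte, host, repo, digest string) (*http.Request, error) {
	hdr, err := basicAuthHeader(cfg, host)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodGet, "https://"+host+"/v2/"+repo+"/blobs/"+digest, nil)
	if err == nil {
		req.Header.Set("Authorization", hdr)
	}
	return req, err
}

func main() {
	req, err := blobRequest([]byte(sampleConfig), "registry.example.test", "team/app", "sha256:0000")
	fmt.Println(req != nil, err)
}
```

A request built without that header is what a basic-auth registry answers with HTTP 401, so whichever component fetches the layer needs the credential, not only the one that fetched the manifest.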

Hi guys, sorry I'm not very present lately, but I'll try to go around the issues before next week.

In the meantime, as a workaround, you can try doing a docker pull of that image you need to have analyzed, and push it to clair as a local image with the -l switch.

Let me know how this works out.

jdel, Sep 07 '17 10:09

When -l (clairctl push --local hello-world) is used, the output is as follows:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x518490]

goroutine 1 [running]:
net/url.(*URL).String(0x0, 0x0, 0x0)
	/home/travis/.gimme/versions/go1.8.linux.amd64/src/net/url/url.go:726 +0x40
github.com/jgsqware/clairctl/clair.insertRegistryMapping(0xc420231ae7, 0x40, 0x0, 0x0)
	/home/travis/gopath/src/github.com/jgsqware/clairctl/clair/push.go:129 +0x7a
github.com/jgsqware/clairctl/clair.(*layering).pushAll(0xc420231b30, 0x0, 0x0)
	/home/travis/gopath/src/github.com/jgsqware/clairctl/clair/layering.go:53 +0x2d0
github.com/jgsqware/clairctl/clair.Push(0x21ffe60, 0xc4202eba30, 0x21f4c40, 0xc4200a16b0, 0xc4202eba30, 0x21f4c40)
	/home/travis/gopath/src/github.com/jgsqware/clairctl/clair/push.go:39 +0x40f
github.com/jgsqware/clairctl/cmd.glob..func9(0x21dd920, 0xc4204da480, 0x1, 0x2)
	/home/travis/gopath/src/github.com/jgsqware/clairctl/cmd/push.go:34 +0x258
github.com/jgsqware/clairctl/vendor/github.com/spf13/cobra.(*Command).execute(0x21dd920, 0xc4204da260, 0x2, 0x2, 0x21dd920, 0xc4204da260)
	/home/travis/gopath/src/github.com/jgsqware/clairctl/vendor/github.com/spf13/cobra/command.go:636 +0x231
github.com/jgsqware/clairctl/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0x21ddd60, 0xc42055df78, 0x40677c, 0xc420064058)
	/home/travis/gopath/src/github.com/jgsqware/clairctl/vendor/github.com/spf13/cobra/command.go:722 +0x339
github.com/jgsqware/clairctl/vendor/github.com/spf13/cobra.(*Command).Execute(0x21ddd60, 0x0, 0x0)
	/home/travis/gopath/src/github.com/jgsqware/clairctl/vendor/github.com/spf13/cobra/command.go:681 +0x2b
github.com/jgsqware/clairctl/cmd.Execute()
	/home/travis/gopath/src/github.com/jgsqware/clairctl/cmd/root.go:32 +0x31
main.main()
	/home/travis/gopath/src/github.com/jgsqware/clairctl/main.go:20 +0x20

030, Sep 12 '17 15:09

Any update on this issue?

ggulati2, Jan 16 '18 17:01