klar icon indicating copy to clipboard operation
klar copied to clipboard

Published 20 hours ago verified publisher icon optiopay

Database error on run

Open jvervier opened this issue 6 years ago • 9 comments

I'm trying to use Clair with Klar but I'm getting a strange database error (found in postgres logs) :

ERROR: syntax error at or near "ON" at character 66 STATEMENT: INSERT INTO "namespace" ("name","version_format") VALUES ($1,$2) ON CONFLICT ON CONSTRAINT namespace_name_version_format_key DO NOTHING

When I'm running klar : CLAIR_ADDR=localhost CLAIR_OUPUT=High CLAIR_THRESHOLD=10 DOCKER_USER=<user> DOCKER_PASSWORD=<password> ./klar mysql

And I get : `clair timeout 1m0s docker timeout: 1m0s no whitelist file Analysing 12 layers Failed to analyze using API v1: push image https://registry-1.docker.io/v2/library/mysql:latest to Clair failed: can't even read an error message: invalid character 'N' looking for beginning of value

Failed to analyze using API v3: push image https://registry-1.docker.io/v2/library/mysql:latest to Clair failed: rpc error: code = Internal desc = ancestry is failed to be processed: database: an error occurred when querying the backend

Failed to analyze, exiting`

I installed clair and postgres on my station with Docker : `version: '2' services: postgres: container_name: clair_postgres image: postgres:9.4 restart: unless-stopped environment: POSTGRES_PASSWORD: password POSTGRES_USER: postgres networks: clair-network: aliases: - clairdb

clair: container_name: clair_clair image: quay.io/coreos/clair-git:latest restart: unless-stopped depends_on: - postgres ports: - "6060:6060" - "6061:6061" links: - postgres volumes: - /tmp:/tmp - ./clair_config:/config command: [-config, /config/config.yaml] networks: clair-network: aliases: - clairhost`

jvervier avatar Nov 29 '18 09:11 jvervier

@jvervier it seems you have a Clair issue, could be caused by Klar, but looks strange

hashmap avatar Dec 03 '18 13:12 hashmap

Hi all, I have a similar problem.

I have tried to install Clair in Azure AKS. I used Helm with below configuration file:

# Default values for clair.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
logLevel: info
insecureTls: false
image:
  repository: quay.io/coreos/clair-git
  tag: latest
  pullPolicy: Always
service:
  #type: ClusterIP
  type: LoadBalancer
  internalApiPort: 6060
  externalApiPort: 6060
  internalHealthPort: 6061
  externalHealthPort: 6061
ingress:
  enabled: false
  # Used to create Ingress record (should used with service.type: ClusterIP).
  hosts:
    - chart-example.local
  annotations:
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  tls:
    # Secrets must be manually created in the namespace.
    # - secretName: chart-example-tls
    #   hosts:
    #     - chart-example.local
resources:
  limits:
    cpu: 200m
    memory: 1500Mi
  requests:
    cpu: 100m
    memory: 500Mi
config:
  # postgresURI: "postgres://user:password@host:5432/postgres?sslmode=disable"
  paginationKey: "XxoPtCUzrUv4JV5dS+yQ+MdW7yLEJnRMwigVY/bpgtQ="
  updateInterval: 2h
  notificationWebhookEndpoint: https://example.com/notify/me
  enabledUpdaters:
  - debian
  - ubuntu
  - rhel
  - oracle
  - alpine
  enabledNamespaceDetectors:
  - os-release
  - lsb-release
  - apt-sources
  - alpine-release
  - redhat-release
  enabledFeatureListers:
  - apk
  - dpkg
  - rpm
nodeSelector: {}
tolerations: []

# Configuration values for the postgresql dependency.
# ref: https://github.com/kubernetes/charts/blob/master/stable/postgresql/README.md
postgresql:
# The dependant Postgres chart can be disabled, to connect to
# an existing database by defining config.postgresURI
  enabled: true

  imageTag: 9.6-alpine

  cpu: 1000m
  memory: 1Gi
# These values are hardcoded until Helm supports secrets.
# For more info see: https://github.com/kubernetes/helm/issues/2196
  postgresUser: clair
  postgresPassword: clair
  postgresDatabase: clair

  persistence:
    size: 10Gi

I have only inserted Load Balancer to expose services in Internet.

When I try to use Klar with this command:

CLAIR_ADDR=http://x.x.x.x:6060 CLAIR_OUTPUT=High klar-2.4.0-linux-amd64 postgres:9.5.1

I receive below error:

clair timeout 1m0s
docker timeout: 1m0s
no whitelist file
Analysing 22 layers
Failed to analyze using API v1: push image https://registry-1.docker.io/v2/library/postgres:9.5.1 to Clair failed: can't even read an error message: invalid character 'N' looking for beginning of value

Failed to analyze using API v3: push image https://registry-1.docker.io/v2/library/postgres:9.5.1 to Clair failed: rpc error: code = Internal desc = ancestry is failed to be processed: database: associated immutable entities are missing in the database

Failed to analyze, exiting

Same error is generated if I try with version 2.3.0 or 2.2.0 of Klar.

I have tried to run a local Docker version of Clair (below docker ps output)

CONTAINER ID        IMAGE                             COMMAND                  CREATED             STATUS              PORTS                    NAMES
fd15d3404614        quay.io/coreos/clair-git:latest   "/usr/bin/dumb-ini..."   40 minutes ago      Up 40 minutes                                naughty_clarke
50bd2d35d916        postgres:9.6                      "docker-entrypoint..."   41 minutes ago      Up 41 minutes       0.0.0.0:5432->5432/tcp   wonderful_curie

When I try to use Klar with this command:

CLAIR_ADDR=http://localhost:6060 CLAIR_OUTPUT=High klar-2.4.0-linux-amd64 postgres:9.5.1

I receive same error.

I have tried to interact with Clair with clairctl as well. After a pull, when I try to execute a push with this command:

clairctl push postgres:9.5.1 --config ./conf.yml

The result is:

client quit unexpectedly
2019-01-27 18:40:10.837822 C | cmd: pushing image "postgres:9.5.1": receiving http error: 404

Does this means that clairctl doesn't support last version of API?

If I enable Klar trace, the queue of out is:

Analysing 22 layers
----> HTTP REQUEST:
POST /v1/layers HTTP/1.1
Host: x.x.x.x:6060
Content-Type: application/json

{"Layer":{"Name":"fdd5d7827f33ef075f45262a0f74ac96ec8a5e687faeb40135319764963dcb42","Path":"https://registry-1.docker.io/v2/library/postgres/blobs/sha256:fdd5d7827f33ef075f45262a0f74ac96ec8a5e687faeb40135319764963dcb42","ParentName":"","Format":"Docker","Features":null,"Headers":{"Authorization":"Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDK2pDQ0FwK2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXpzeVYwNVpPbFZMUzFJNlJFMUVVanBTU1U5Rk9reEhOa0U2UTFWWVZEcE5SbFZNT2tZelNFVTZOVkF5VlRwTFNqTkdPa05CTmxrNlNrbEVVVEFlRncweE9UQXhNVEl3TURJeU5EVmFGdzB5TURBeE1USXdNREl5TkRWYU1FWXhSREJDQmdOVkJBTVRPMUpMTkZNNlMwRkxVVHBEV0RWRk9rRTJSMVE2VTBwTVR6cFFNbEpMT2tOWlZVUTZTMEpEU0RwWFNVeE1Pa3hUU2xrNldscFFVVHBaVWxsRU1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBcjY2bXkveXpHN21VUzF3eFQ3dFplS2pqRzcvNnBwZFNMY3JCcko5VytwcndzMGtIUDVwUHRkMUpkcFdEWU1OZWdqQXhpUWtRUUNvd25IUnN2ODVUalBUdE5wUkdKVTRkeHJkeXBvWGc4TVhYUEUzL2lRbHhPS2VNU0prNlRKbG5wNGFtWVBHQlhuQXRoQzJtTlR5ak1zdFh2ZmNWN3VFYWpRcnlOVUcyUVdXQ1k1Ujl0a2k5ZG54Z3dCSEF6bG8wTzJCczFmcm5JbmJxaCtic3ZSZ1FxU3BrMWhxYnhSU3AyRlNrL2tBL1gyeUFxZzJQSUJxWFFMaTVQQ3krWERYZElJczV6VG9ZbWJUK0pmbnZaMzRLcG5mSkpNalpIRW4xUVJtQldOZXJZcVdtNVhkQVhUMUJrQU9aditMNFVwSTk3NFZFZ2ppY1JINVdBeWV4b1BFclRRSURBUUFCbzRHeU1JR3ZNQTRHQTFVZER3RUIvd1FFQXdJSGdEQVBCZ05WSFNVRUNEQUdCZ1JWSFNVQU1FUUdBMVVkRGdROUJEdFNTelJUT2t0QlMxRTZRMWcxUlRwQk5rZFVPbE5LVEU4NlVESlNTenBEV1ZWRU9rdENRMGc2VjBsTVREcE1VMHBaT2xwYVVGRTZXVkpaUkRCR0JnTlZIU01FUHpBOWdEc3lWMDVaT2xWTFMxSTZSRTFFVWpwU1NVOUZPa3hITmtFNlExVllWRHBOUmxWTU9rWXpTRVU2TlZBeVZUcExTak5HT2tOQk5sazZTa2xFVVRBS0JnZ3Foa2pPUFFRREFnTkpBREJHQWlFQXFOSXEwMFdZTmM5Z2tDZGdSUzRSWUhtNTRZcDBTa05Rd2lyMm5hSWtGd3dDSVFEMjlYdUl5TmpTa1cvWmpQaFlWWFB6QW9TNFVkRXNvUUhyUVZHMDd1N3ZsUT09Il19.eyJhY2Nlc3MiOlt7InR5cGUiOiJyZXBvc2l0b3J5IiwibmFtZSI6ImxpYnJhcnkvcG9zdGdyZXMiLCJhY3Rpb25zIjpbInB1bGwiXX1dLCJhdWQiOiJyZWdpc3RyeS5kb2NrZXIuaW8iLCJleHAiOjE1NDg2MTQ4OTksImlhdCI6MTU0ODYxNDU5OSwiaXNzIjoiYXV0aC5kb2NrZXIuaW8iLCJqdGkiOiJ6WWcybkx3Q1RTQlRPUEhTVTBZVSIsIm5iZiI6MTU0ODYxNDI5OSwic3ViIjoiIn0.PpbPqubPaY1P3F2Dz7Gw7USHVjy_a3l2sjE-PTYxl9f7pUYeYFOlJrCOXwDrac7rkxuQaS1leis4HLFUweGyNnbPJ0M4iFD4gd3XEu-WEvcmfnHLcnm5ZHuijGmRiVAKD7ZR6HgsqNvWHS3owg0p54xv3BLenP7HfA7V6Fl1MLWb5HjRRo5XkjZxj3lO_qMQHiLODeQ47UeY6XHvCFwpruCOszWs5CLW0ZrcaV7BH5mxqHndNOVO1UvkwyvTvi2IOy7AeZqqITgSzAh0ZquvYnqd_piktWmSYn2Cp3H74YYMiQZcQ12fpKofh78XLL41yfPnfaiI3BdzWIYJVGTAmg"}}}
<---- HTTP RESPONSE:
HTTP/1.1 404 Not Found
Content-Length: 10
Content-Type: text/plain; charset=utf-8
Date: Sun, 27 Jan 2019 18:43:20 GMT
X-Content-Type-Options: nosniff

Not Found

Failed to analyze using API v1: push image https://registry-1.docker.io/v2/library/postgres:9.5.1 to Clair failed: can't even read an error message: invalid character 'N' looking for beginning of value

Failed to analyze using API v3: push image https://registry-1.docker.io/v2/library/postgres:9.5.1 to Clair failed: rpc error: code = Internal desc = ancestry is failed to be processed: database: associated immutable entities are missing in the database

Failed to analyze, exiting

In this condition I'm unable to use tool.

simonesavi avatar Jan 27 '19 18:01 simonesavi

I found a solution. The problem can be solved obtaining the last stable version (currently 2.0.7).

The tag latest now point to v.2.0.5.

To download the last one, for a local installation, this command must be used:

docker run --net=host -d -p 6060-6061:6060-6061 -v $PWD/clair_config:/config quay.io/coreos/clair:v2.0.7 -config=/config/config.yaml

And after, executing Klar, I have below output:

CLAIR_ADDR=http://localhost:6060 CLAIR_OUTPUT=High klar-2.4.0-linux-amd64 postgres:9.5.1

clair timeout 1m0s
docker timeout: 1m0s
no whitelist file
Analysing 22 layers
Got results from Clair API v1
Found 0 vulnerabilities

I can obtain the same result with AKS, if I change below lines in config file:

image:
  repository: quay.io/coreos/clair
  tag: v2.0.7

simonesavi avatar Jan 27 '19 19:01 simonesavi

@simonesavi i tried the same with the command

./klar CLAIR_ADDR=http://localhost:6060 CLAIR_OUTPUT=Low CLAIR_THRESHOLD=10 klar docker.io/postgres:9.5.1

here i have renamed klar-2.4.0-linux-amd64 as klar and given executable permission and have not added to usr/etc/bin folder

i am using clair:v2.0.7

clair log says

{"Event":"running database migrations","Level":"info","Location":"pgsql.go:216","Time":"2019-02-10 19:20:48.012487"} {"Event":"database migration ran successfully","Level":"info","Location":"pgsql.go:223","Time":"2019-02-10 19:20:48.017801"} {"Event":"starting main API","Level":"info","Location":"api.go:52","Time":"2019-02-10 19:20:48.017919","port":6060} {"Event":"starting health API","Level":"info","Location":"api.go:85","Time":"2019-02-10 19:20:48.017945","port":6061} {"Event":"notifier service is disabled","Level":"info","Location":"notifier.go:77","Time":"2019-02-10 19:20:48.018127"} {"Event":"updater service started","Level":"info","Location":"updater.go:81","Time":"2019-02-10 19:20:48.018170","lock identifier":"5d1408b3-5d99-4bd6-957f-349c7b9bb6e8"}

am i doing something wrong?

poojatr avatar Feb 10 '19 11:02 poojatr

@poojatr Renaming klar isn't a problem. I believe that command syntax isn't correct, try:

CLAIR_ADDR=http://localhost:6060 CLAIR_OUTPUT=Low CLAIR_THRESHOLD=10 ./klar docker.io/postgres:9.5.1

klar command must be in current directoy. If you add klar to executable PATH you could use:

CLAIR_ADDR=http://localhost:6060 CLAIR_OUTPUT=Low CLAIR_THRESHOLD=10 klar docker.io/postgres:9.5.1

Also take a look to my comment with docker run command because I seen that there was an error (the version was 2.0.5 but now I have edited it with correct 2.0.7).

Remember that database require a little time to update its content.

simonesavi avatar Feb 10 '19 13:02 simonesavi

@simonesavi thank you so much! yess i interpreted the syntax wrong , thank you!!

Am even trying to implement klar as a docker container, (from the the dockerfile given in optiopay/klar)

docker run --env-file=env-file.env docker.io/poojatbabu/klar postgres:9.5.1

env-file.env is

KLAR_TRACE=true CLAIR_ADDR=http://127.0.0.1:6060 CLAIR_OUTPUT=High CLAIR_THRESHOLD=10 ~

Failed to analyze using API v1: push image https://registry-1.docker.io/v2/library/postgres:9.5.1 to Clair failed: can't push layer to Clair: Post http://127.0.0.1:6060/v1/layers: dial tcp 127.0.0.1:6060: getsockopt: connection refused

Failed to analyze using API v3: push image https://registry-1.docker.io/v2/library/postgres:9.5.1 to Clair failed: rpc error: code = Unavailable desc = all SubConns are in TransientFailure

Failed to analyze, exiting

and to run clair

docker run --net=host -d -p 6060-6061:6060-6061 -v $PWD/clair_config:/config:Z quay.io/coreos/clair-git:v2.0.7 -config=/config/config.yaml

Can you help me with this too..

poojatr avatar Feb 10 '19 13:02 poojatr

@poojatr I have noted an error in your docker run syntax, you are using quay.io/coreos/clair-git but the correct one is quay.io/coreos/clair.

You must be sure that your clair service is running before query it with klair, try to execute a docker ps to be sure that postgres service and clair are running. The instructions to install both are here, you need to substitute only the last instruction row.

Anyway I haven't experience with klair containerization, I suggest to you to open a specific issue. Before doing make sure that Clair is running correctly. Query clair with klar command must provide an output if Clair is running, and I believe that your Clair installation isn't working.

simonesavi avatar Feb 10 '19 13:02 simonesavi

Thank you , I will try with it!!

poojatr avatar Feb 10 '19 13:02 poojatr

@poojatr, Check whether Clair health by running below command.

curl -X GET -I http://localhost:6061/health

As @simonesavi mentioned above I used clair:v2.0.7 and now it is working without any issue :) @jvervier, and @poojatr let me know if you need any help. I tried everything today and it is working fine.

sureshthivanka avatar Mar 04 '20 06:03 sureshthivanka