Does klar support Azure ACK?

Open daxin09pp opened this issue 5 years ago • 14 comments

Does klar support Azure ACK?

daxin09pp avatar Sep 20 '19 02:09 daxin09pp

I work with Azure Cloud but I don't know Azure ACK. What is this? Do you maybe mean ACR (Azure Container Registry) or AKS (Azure Kubernetes Service)?

antonin-g avatar Sep 23 '19 22:09 antonin-g

I am sorry. I mean ACR.

daxin09pp avatar Sep 25 '19 14:09 daxin09pp

No problem. It works well with ACR. 👍

antonin-g avatar Sep 25 '19 15:09 antonin-g

How do you add Registry? How to fill in DOCKER_USER and DOCKER_PASSWORD?

daxin09pp avatar Sep 27 '19 05:09 daxin09pp

You can use environment variables to use klar.

Personally, for my tests I created a Docker image that launches klar.

Dockerfile:

FROM alpine:3.10.2
WORKDIR /bin
COPY klar-2.4.0-linux-amd64 klar
ENTRYPOINT ["klar"]

And I use environment variables and arguments to use it:

docker run -e CLAIR_ADDR='https://clair_server:6060' -e DOCKER_USER='myuser' -e DOCKER_PASSWORD='mypassword' your_klar_image your_registry.azurecr.io/your_image:your_tag

The DOCKER_USER and DOCKER_PASSWORD values are defined in your ACR resource in the Azure Portal, in the access key tab.

Everything is indicated in the README.md.


antonin-g avatar Sep 27 '19 06:09 antonin-g

Thank you very much.

daxin09pp avatar Sep 30 '19 01:09 daxin09pp

Can I use klar if I only have a pull permission account?

daxin09pp avatar Sep 30 '19 01:09 daxin09pp

I don't know about this particular case. Have you enabled the admin user?


antonin-g avatar Sep 30 '19 08:09 antonin-g

I managed to get klar to work using the admin user, but I want to use it with our regular logins instead to avoid exposing the admin user. I'm able to get an ACR access token using this command:

ACRTOKEN=$(az acr login --name MYACRSERVER --expose-token --out tsv --query '[accessToken]')

as explained here: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#az-acr-login-with---expose-token

This could be used together with username 00000000-0000-0000-0000-000000000000

But when I try the output with klar, using the ACRTOKEN as password and the 000 username, I get the error: Can't pull image: Token request returned 401

Looking at the klar trace output, I see the 401 response with the header:

Www-Authenticate: Bearer realm="https://MYACRSERVER.azurecr.io/oauth2/token",service="intop.azurecr.io",scope="repository:MYIMAGE:pull"

It seems klar does not know how to handle this response?

If I manually call the token endpoint with the 000 user name and the ACRTOKEN as password using basic auth, as described here https://docs.microsoft.com/en-us/rest/api/containerregistry/accesstokens/getfromlogin, using this URL:

https://MYACRSERVER.azurecr.io/oauth2/token?service=MYACRSERVER.azurecr.io&scope=repository:MYIMAGE:pull

then I get back an access_token. With this access token I am able to retrieve the manifest file using an Authorization header with Bearer and the access_token, like this:

curl --header "Authorization: Bearer MYACCESSTOKEN" https://MYACRSERVER.azurecr.io/v2/MYIMAGE/manifests/MYTAG

But using the DOCKER_TOKEN environment variable directly with klar seems to send it with Basic in the first header, so that is also not working since it needs to be a Bearer token.

Not sure how to solve this in klar since I don't know Go very well.

andershermansen avatar Aug 10 '20 13:08 andershermansen
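
The exchange described in the comment above (401 challenge, token endpoint, Bearer header), as an added Go example that is not klar's code and not from any commenter. The function names `TokenURL` and `BearerHeader` are hypothetical, the inputs are constructed from the thread's placeholder names, and the https-only realm check is an added assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

var challengeParam = regexp.MustCompile(`(\w+)="([^"]*)"`) // key="value" pairs

// TokenURL turns the 401's Bearer challenge into the token endpoint URL.
func TokenURL(challenge string) (string, error) {
	if !strings.HasPrefix(strings.ToLower(challenge), "bearer ") {
		return "", fmt.Errorf("not a Bearer challenge")
	}
	p := map[string]string{}
	for _, m := range challengeParam.FindAllStringSubmatch(challenge, -1) {
		p[strings.ToLower(m[1])] = m[2]
	}
	realm, err := url.Parse(p["realm"])
	if err != nil || realm.Scheme != "https" || realm.Host == "" { // added check: credentials go to the realm
		return "", fmt.Errorf("realm must be an absolute https URL")
	}
	realm.RawQuery = url.Values{"service": {p["service"]}, "scope": {p["scope"]}}.Encode()
	return realm.String(), nil
}

// BearerHeader accepts "token" or "access_token" and fails if both are empty.
func BearerHeader(body []byte) (string, error) {
	var t struct {
		Token       string `json:"token"`
		AccessToken string `json:"access_token"`
	}
	if err := json.Unmarshal(body, &t); err != nil {
		return "", fmt.Errorf("token response decode: %w", err)
	}
	for _, tok := range []string{t.Token, t.AccessToken} {
		if tok != "" {
			return "Bearer " + tok, nil
		}
	}
	return "", fmt.Errorf("no token or access_token in response")
}

func main() { // constructed inputs reusing the thread's placeholder names
	fmt.Println(TokenURL(`Bearer realm="https://MYACRSERVER.azurecr.io/oauth2/token",service="MYACRSERVER.azurecr.io",scope="repository:MYIMAGE:pull"`))
	fmt.Println(BearerHeader([]byte(`{"access_token":"MYACCESSTOKEN"}`)))
}
```

The query string comes out percent-encoded (`repository%3AMYIMAGE%3Apull`), which is equivalent to the raw form in the URL quoted in the comment.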

@andershermansen, thanks for the explanation. This project seems dead unfortunately. Quite a lot of PRs waiting and no changes for 2 years! I'm sure it is not so difficult to change the authentication header to Bearer when DOCKER_TOKEN is provided.

Did you find an alternative? Another Clair client perhaps?

elstak avatar Nov 23 '20 17:11 elstak

@andershermansen I've solved the problem by changing a few lines. Apparently the response with the token could not be marshalled because of the expected name of the field token. Now it accepts/expects also access_token to support Azure ACR. This has been tested in AWS ECR and Azure ACR, but it should work in Docker Hub too.

diff --git a/docker/docker.go b/docker/docker.go
index e6d4c9a..c4f97f4 100644
--- a/docker/docker.go
+++ b/docker/docker.go
@@ -351,15 +351,20 @@ func (i *Image) requestToken(resp *http.Response) (string, error) {
                io.Copy(ioutil.Discard, tResp.Body)
                return "", fmt.Errorf("Token request returned %d", tResp.StatusCode)
        }
-       var tokenEnv struct {
-               Token string
-       }

+       var tokenEnv map[string]interface{}
        if err = json.NewDecoder(tResp.Body).Decode(&tokenEnv); err != nil {
                fmt.Fprintln(os.Stderr, "Token response decode error")
                return "", err
        }
-       return fmt.Sprintf("Bearer %s", tokenEnv.Token), nil
+       if token, ok := tokenEnv["token"]; ok {
+               return fmt.Sprintf("Bearer %s", token), nil
+       }
+       if token, ok := tokenEnv["access_token"]; ok {
+               return fmt.Sprintf("Bearer %s", token), nil
+       }
+       fmt.Fprintln(os.Stderr, "Token response decode error, no token or access_token found")
+       return "", err
 }

 func (i *Image) pullReq() (*http.Response, error) {
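
Review bot: the new fall-through at the end of requestToken ends with `return "", err`, but err is necessarily nil at that point because the decode check above already returned on a non-nil err, so a response carrying neither field produces an empty string with no error and the caller has nothing to stop it from sending an empty Authorization value. Return a real error there, for example fmt.Errorf("token response has no token or access_token field"). Separately, decoding into map[string]interface{} and formatting with %s means a present but non-string value (such as "token": null sitting next to a valid access_token) is rendered into the header instead of being rejected or skipped; a struct with two string fields tagged `json:"token"` and `json:"access_token"`, each checked for non-empty, keeps the type checking the removed struct had.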

elstak avatar Nov 23 '20 21:11 elstak

@elstak Great. Personally I did not move forward with klar so did not use more time on the issue. As you say the project seems unmaintained.

andershermansen avatar Nov 24 '20 10:11 andershermansen

@andershermansen I raised the PR anyways :/

May I ask which alternative you chose? Official Clair docs point to klar as the only standalone client, while the rest of the alternatives are either libraries or integrations with Docker registry solutions.

elstak avatar Nov 25 '20 15:11 elstak

@elstak Did not move forward with using Klar/Clair.

andershermansen avatar Nov 25 '20 19:11 andershermansen