New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document usage #5
Comments
I have the same issue it says api starting on port 6060 , but when I do a curl to the api as per the document it says connection refused on the port vagrant@mesos:~$ docker logs 0a785dea594f
2015-11-14 17:28:07.227145 I | database: database at clairdata does not exist yet, creating it
2015-11-14 17:28:07.233576 I | api: starting Health API on port 6061.
2015-11-14 17:28:07.233685 I | api: starting API on port 6060.
2015-11-14 17:28:07.234212 I | updater: updater service started. lock identifier: 6ab22788-2a28-46b6-a9ad-157b6335aa23
2015-11-14 17:28:07.235608 I | updater: updating vulnerabilities
2015-11-14 17:28:07.235658 I | updater/fetchers: fetching Ubuntu vulneratibilities
2015-11-14 17:28:07.236212 I | updater/fetchers: fetching Debian vulneratibilities
2015-11-14 17:28:07.237239 I | updater/fetchers: fetching Red Hat vulneratibilities
2015-11-14 19:49:08.468191 E | updater/fetchers: could not download RHEL's update file: Get https://www.redhat.com/security/data/oval/com.redhat.rhsa-20110346.xml: EOF
2015-11-14 19:49:08.468214 E | updater: an error occured when fetching update 'Red Hat': could not download requested ressource.
2015-11-14 19:57:25.382972 N | database: Ignoring 15628 notifications
2015-11-14 19:57:25.400741 I | updater: update finished
2015-11-14 22:43:07.802206 I | api: starting Health API on port 6061.
2015-11-14 22:43:07.802432 I | api: starting API on port 6060.
2015-11-14 22:43:07.802608 I | updater: updater service started. lock identifier: 88365c0e-0f1d-4d9c-bffb-540e2c0aba1a
2015-11-14 22:43:07.818753 I | updater: updating vulnerabilities
2015-11-14 22:43:07.818829 I | updater/fetchers: fetching Red Hat vulneratibilities
2015-11-14 22:43:07.819124 I | updater/fetchers: fetching Ubuntu vulneratibilities
2015-11-14 22:43:07.820977 I | updater/fetchers: fetching Debian vulneratibilities
vagrant@mesos:~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0a785dea594f clair "clair --db-type=bolt" 5 hours ago Up 35 seconds 6060-6061/tcp focused_leakey
8aef6bfcd3a7 saidimu/cayley:v0.4.0 "/bin/sh -c 'cayley i" 5 hours ago Up 5 hours 0.0.0.0:11555->64210/tcp stupefied_jepsen
vagrant@mesos:~$ curl -v localhost:6060
* Rebuilt URL to: localhost:6060/
* Hostname was NOT found in DNS cache
* Trying ::1...
* connect to ::1 port 6060 failed: Connection refused
* Trying 127.0.0.1...
* connect to 127.0.0.1 port 6060 failed: Connection refused
* Failed to connect to localhost port 6060: Connection refused
* Closing connection 0
curl: (7) Failed to connect to localhost port 6060: Connection refused |
I got it working when I exposed the ports to the host from the vagrant vm i was running in |
Hi, @bracki You are almost there. Clair is simply a service, you now have to submit the layers of your images to it using this API Call, in the proper order. There is currently no one-liner tool to actually do it. I believe that it would be pretty easy script though: it would have to download every tarballs from the specific image you want to scan and call the HTTP API properly. Note that as you run Clair in a Docker container, you whether have to specify an URL to the tarballs or store the layers in a Docker volume that Clair can access and pass it an absolute path. Also, for now, the tarballs that have to be given are the ones that contains the filesystem diffs - not the enclosing ones containing the JSON metadata. @amitmawkin I think that the ports are not mapped or the IP address is invalid. |
yups that was the thing, @Quentin-M one quick question does it has to be tar or it can inspect local docker images ? |
@amitmawkin For the moment, Clair only supports tarballs input - the ones that contain the filesystem diffs and they have to be accessible from Clair (absolute/relative path or HTTP URL). Basically, to inspect a local image, you have to Hope it helps. I will try to write a script to ease analyzing local images next week. |
Cool. But no matter what I try:
|
You are using boot2docker/DockerMachine, right ? I think that your environment is not set. What does it say when you simply run
Also, I believe that |
I've tried running analyze-local-images against a few images, including images that were deliberately vulnerable to heartbleed, but it just says the images are safe, any idea why that would be? |
@dmwoods38 Did you wait for the updater to finish its initialization? In other words, did the logs say |
@Quentin-M thanks, that must be the issue, seems to be stuck on the initialization. |
@dmwoods38 The first update takes a long time, it downloads from Internet and inserts in the database a lot of data. The recent 46f356e and 46fffdf makes it slightly faster. You can increase the log level to know when it finishes to fetch vulnerabilities and start to insert them in the database. |
@Quentin-M Why is it even possible to analyze images as long as the updates haven’t finished? I think it would be a better user experience if the analysis would fail with a corresponding error message until it can provide meaningful results. |
For me, all my images are SAFE also, in the log, I see
And the result:
And I use the Dockerfile shown on the Readme of Clair. I've also tried with
Response: {
Vulnerabilities: [ ]
} |
It is maybe not abnormal. You can verify a bunch of things with:
|
Bravo to you @Quentin-M. After installing analyze-local-images and making sure I ran Clair with -v /tmp:/tmp it worked just fine to tell me all of our images are safe. Do you happen to have an unsafe image lying around so I could load it and make sure I'm not getting all false positives? Maybe it is a matter of creating my own CVE that falsely records a good image as unsafe? Ideas on how to do that? |
@candita In my experience, you should start 'clair' and wait for a while until you find there are enough CVE files in /tmp/. |
@liangchenye - aerospike 3.7.0.2 also gave me the result that the image was safe, so I'll open up a new discussion. |
Can I ask - if we add layers of an image using the api, what is the secret to making sure that the layers are inserted in the correct historical order? docker history shows very approximate dates, and if all layers were from the same day, what is the correct way to determine the order to post them into clair? |
@candita Layers shows in the order when you do |
I actually had reviewed the history method in the tool and was wondering if it was correct because I couldn't get that algorithm to work using the curl commands directly, see below for a selected summary. docker cp layer.tar mycontainer:/tmp/aero/c950d63587be10331540688387593721eb728628b75cdaf1dcf266188dfc6e6b docker exec -it mycontainer ls /tmp/aero/c950d63587be10331540688387593721eb728628b75cdaf1dcf266188dfc6e6b/ curl -X POST -H "Content-Type: application/json" http://192.168.99.101:6060/v1/layers -d '{"ID":"c950dd63587be10331540688387593721eb728628b75cdaf1dcf266188dfc6e6b", "Path":"/tmp/aero/c950d63587be10331540688387593721eb728628b75cdaf1dcf266188dfc6e6b/layer.tar","ParentID":""}' The log showed: curl 192.168.99.101:6060/v1/layers/c950d63587be10331540688387593721eb728628b75cdaf1dcf266188dfc6e6b/os curl 192.168.99.101:6060/v1/health curl 192.168.99.101:6060/v1/versions |
How do I actually run clair against an image pushed to a registry?
When I start it, it basically sits and does nothing:
How can I get it to check a container's flaws?
The text was updated successfully, but these errors were encountered: