Comments (11)
from reg.
My clair is not secured, my docker registry container is.
And if i tweak some code like in vulns.go
// NewClairLayer will form a layer struct required for a clair scan
func (c *Clair) NewClairLayer(r *registry.Registry, image string, fsLayers []schema1.FSLayer, index int) (*Layer, error) {
	var parentName string
	if index < len(fsLayers)-1 {
		parentName = fsLayers[index+1].BlobSum.String()
	}

	// form the path
	p := strings.Join([]string{r.URL, "v2", image, "blobs", fsLayers[index].BlobSum.String()}, "/")

	return &Layer{
		Name:       fsLayers[index].BlobSum.String(),
		Path:       p,
		ParentName: parentName,
		Format:     "Docker",
		Headers: map[string]string{
			"Authorization": fmt.Sprintf("Basic %s", "XXX"), // <- FORCED BASIC AUTHENTICATION
		},
	}, nil
}
Then I get an answer from clair:
$ ./reg -d -r registry.example.com vulns --clair http://localhost:6060 organization/imagename1
2017/06/14 14:10:38 registry.ping url=https://registry.example.com/v2/
2017/06/14 14:10:38 registry.manifests uri=https://registry.example.com/v2/organization/imagename1/manifests/latest repository=organization/imagename1 ref=latest
2017/06/14 14:10:38 clair.layers.post url=http://localhost:6060/v1/layers name=sha256:b7...cf
...
Found XX vulnerabilities
CVE-2016-xxx: [Medium]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-xxx
So it is a matter of registry authentication here I guess?
from reg.
Not sure how I can get a Registry type of auth in this method
from reg.
ah gotcha I can make a PR
from reg.
@fmaturel can you verify that my latest commit fixed it
from reg.
Hi
I think my issue is related to this.
When starting reg to check for vulns on my own clair instance I get:
~ reg -d -r registry.example.com -u [email protected] -p <pw> vulns --clair http://clair.example.com <image_name>
2018/01/18 12:49:10 registry.ping url=https://registry.example.com/v2/
2018/01/18 12:49:10 registry.manifests uri=https://registry.example.com/v2/<image_name>/manifests/latest repository=<image_name> ref=latest
2018/01/18 12:49:11 registry.token url=https://registry.example.com/v2/<image_name>/blobs/sha256:ff3..8
2018/01/18 12:49:11 registry.token authService=nil
2018/01/18 12:49:11 clair.layers.post url=http://clair.example.com/v1/layers name=sha256:ff3..8
FATA[0000] clair error: could not find layer
I tcpdumped the request from reg (reg-server) to clair:
User-Agent: Go-http-client/1.1
Content-Length: 229
Content-Type: application/json
Accept-Encoding: gzip
{"Layer":{"Name":"sha256:ff3..8","Path":"https://registry.example.com/v2/<image_name>/blobs/sha256:ff3..8","Format":"Docker"}}
There is no auth header or token sent to Clair.
What am I doing wrong? Sending the auth headers manually (Basic Auth) to my Clair instance works.
The reg-server works perfectly, I only can't get the vulns to work.
Curl to my docker registry without auth header returns:
< HTTP/2 401
< content-type: application/json; charset=utf-8
< date: Thu, 18 Jan 2018 11:56:16 GMT
< www-authenticate: Basic realm="Registry Realm"
As I read in this issue, this should be sending basic auth headers information to Clair, or am I wrong?
from reg.
Thanks for the fast reply. Sorry, perhaps I wasn't clear enough about the issue being not clair, but the request sent by reg / reg-server.
Clair doesn't need basic auth and isn't set up with it (just internal docker container):
~ curl clair.example.com/v1/namespaces
{"Namespaces":[{"Name":"alpine:v3.7","VersionFormat":"dpkg"},...
The problem is that after receiving the /v1/layers POST request from reg-server, clair doesn't have the info needed (Registry Credentials, Token or Basic Auth) to get the image from our registry. Clair gets a 401 from our registry (obviously, because it doesn't provide any credentials).
I can see this in the logs:
Jan 18 13:11:14 hostname reg-server.1.hjja8yj7i8zct6qe2gcohc6uz[1218]: time="2018-01-18T12:11:14Z" level=info msg="fetching tags" URL=/repo/<image_name>/tags func=tags method=GET
Jan 18 13:11:15 hostname reg-server.1.hjja8yj7i8zct6qe2gcohc6uz[1218]: time="2018-01-18T12:11:15Z" level=info msg="fetching vulnerabilities" URL=/repo/<image_name>/tag/latest/vulns.json func=vulnerabilities method=GET
Jan 18 13:11:15 hostname clair.1.bks0djvuycpw15fpi1f5rg7zi[1218]: {"Event":"could not download layer: expected 2XX","Level":"warning","Location":"driver.go:135","Time":"2018-01-18 12:11:15.644187","status code":401}
Jan 18 13:11:15 hostname clair.1.bks0djvuycpw15fpi1f5rg7zi[1218]: {"Event":"failed to extract data from path","Level":"error","Location":"worker.go:122","Time":"2018-01-18 12:11:15.644306","error":"could not find layer","layer":"sha256:ff3..8","path":"https://registry.example.com/v2/<image_name>/blobs/sha256:ff3..8"}
Jan 18 13:11:15 hostname clair.1.bks0djvuycpw15fpi1f5rg7zi[1218]: {"Event":"Handled HTTP request","Level":"info","Location":"router.go:57","Time":"2018-01-18 12:11:15.644792","elapsed time":170847763,"method":"POST","remote addr":"10.0.0.25:60512","request uri":"/v1/layers","status":"400"}
Jan 18 13:11:15 hostname reg-server.1.hjja8yj7i8zct6qe2gcohc6uz[1218]: time="2018-01-18T12:11:15Z" level=error msg="vulnerability scanning for <image_name>:latest failed: clair error: could not find layer" URL=/repo/<image_name>/tag/latest/vulns.json func=vulnerabilities method=GET
Doing the POST request manually to v1/layers like this works:
{"Layer":{
    "Name":"sha256:ff3..8",
    "Path":"https://registry.example.com/v2/alpine/blobs/sha256:ff3..8",
    "Headers":{
        "Authorization":"Basic Z..do"
    },
    "Format":"Docker"
}}
I still tried putting our registry credentials into the clair url as you suggested, but it didn't work. Reg just sends the same request to clair with a basic auth header but without a "Headers":{"Authorization"} snippet in the json request.
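What both reports in this thread come down to is that reg must forward the registry credentials to Clair inside Layer.Headers, the way the hand-built POST above does, so that Clair can fetch the blob itself. The following is an added example, not reg's or Clair's own code: it assumes the registry's WWW-Authenticate challenge from the 401 is already captured and, for the Bearer case, a token already obtained; RegistryAuthHeader and NewLayerRequest are hypothetical names.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Layer mirrors the Clair v1 layer fields used here. Headers is omitted from
// the JSON when empty, which is the request shape the tcpdump above shows.
type Layer struct {
	Name       string            `json:"Name"`
	Path       string            `json:"Path"`
	ParentName string            `json:"ParentName,omitempty"`
	Format     string            `json:"Format"`
	Headers    map[string]string `json:"Headers,omitempty"`
}

// RegistryAuthHeader derives the Authorization value Clair must present to the
// registry from the WWW-Authenticate challenge the registry returned on a 401.
func RegistryAuthHeader(challenge, user, pass, token string) (string, error) {
	scheme := strings.ToLower(strings.SplitN(strings.TrimSpace(challenge), " ", 2)[0])
	switch scheme {
	case "": // no challenge: the registry allows anonymous pulls, send nothing
		return "", nil
	case "basic": // e.g. Basic realm="Registry Realm"
		if user == "" {
			return "", fmt.Errorf("registry wants Basic auth but no credentials were given")
		}
		return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass)), nil
	case "bearer": // token-based registries (Docker Hub style)
		if token == "" {
			return "", fmt.Errorf("registry wants a Bearer token but none was obtained")
		}
		return "Bearer " + token, nil
	}
	return "", fmt.Errorf("unsupported auth scheme %q", scheme)
}

// NewLayerRequest builds the POST /v1/layers body, forwarding the registry
// Authorization header in Layer.Headers so Clair does not get a 401.
func NewLayerRequest(registryURL, image, digest, parent, authz string) ([]byte, error) {
	l := Layer{Name: digest, ParentName: parent, Format: "Docker"}
	l.Path = strings.Join([]string{registryURL, "v2", image, "blobs", digest}, "/")
	if authz != "" {
		l.Headers = map[string]string{"Authorization": authz}
	}
	return json.Marshal(struct{ Layer Layer }{l})
}
```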
from reg.
I temporarily built our own reg-server with useBasicAuth := true hard coded in it.
We think our registry server is handling the whole TokenTransport thingy kinda wrong.
It works with the hard coded useBasicAuth variable. Thanks anyway.
from reg.