
Comments (11)

jessfraz commented on May 25, 2024

from reg.

fmaturel commented on May 25, 2024

My clair is not secured, my docker registry container is.
And if I tweak some code like in vulns.go

// NewClairLayer will form a layer struct required for a clair scan
func (c *Clair) NewClairLayer(r *registry.Registry, image string, fsLayers []schema1.FSLayer, index int) (*Layer, error) {
    var parentName string
    if index < len(fsLayers)-1 {
        parentName = fsLayers[index+1].BlobSum.String()
    }

    // form the path
    p := strings.Join([]string{r.URL, "v2", image, "blobs", fsLayers[index].BlobSum.String()}, "/")

    return &Layer{
        Name:       fsLayers[index].BlobSum.String(),
        Path:       p,
        ParentName: parentName,
        Format:     "Docker",
        Headers: map[string]string{
            // "XXX" stands in for the redacted base64(user:password) value
            "Authorization": fmt.Sprintf("Basic %s", "XXX"), // <- FORCED BASIC AUTHENTICATION
        },
    }, nil
}

Then I get an answer from clair:

$ ./reg -d -r registry.example.com vulns --clair http://localhost:6060 organization/imagename1
2017/06/14 14:10:38 registry.ping url=https://registry.example.com/v2/
2017/06/14 14:10:38 registry.manifests uri=https://registry.example.com/v2/organization/imagename1/manifests/latest repository=organization/imagename1 ref=latest
2017/06/14 14:10:38 clair.layers.post url=http://localhost:6060/v1/layers name=sha256:b7...cf
...
Found XX vulnerabilities 
CVE-2016-xxx: [Medium] 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-xxx

So it is a matter of registry authentication here, I guess?

jessfraz commented on May 25, 2024

jessfraz commented on May 25, 2024

fmaturel commented on May 25, 2024

Not sure how I can get a Registry type of auth in this method

jessfraz commented on May 25, 2024

ah gotcha I can make a PR

jessfraz commented on May 25, 2024

@fmaturel can you verify that my latest commit fixed it

eyenx commented on May 25, 2024

Hi

I think my issue is related to this.

When starting reg to check for vulns on my own clair instance I get:

~ reg -d -r registry.example.com -u [email protected] -p <pw> vulns --clair http://clair.example.com <image_name>
2018/01/18 12:49:10 registry.ping url=https://registry.example.com/v2/
2018/01/18 12:49:10 registry.manifests uri=https://registry.example.com/v2/<image_name>/manifests/latest repository=<image_name> ref=latest
2018/01/18 12:49:11 registry.token url=https://registry.example.com/v2/<image_name>/blobs/sha256:ff3..8
2018/01/18 12:49:11 registry.token authService=nil
2018/01/18 12:49:11 clair.layers.post url=http://clair.example.com/v1/layers name=sha256:ff3..8
FATA[0000] clair error: could not find layer

I tcpdumped the request from reg (reg-server) to clair:

User-Agent: Go-http-client/1.1
Content-Length: 229
Content-Type: application/json
Accept-Encoding: gzip

{"Layer":{"Name":"sha256:ff3..8","Path":"https://registry.example.com/v2/<image_name>/blobs/sha256:ff3..8","Format":"Docker"}}

There is no auth header or token sent to Clair.

What am I doing wrong? Sending the auth headers manually (Basic Auth) to my Clair instance works.

The reg-server works perfectly, I only can't get the vulns to work.

Curl to my docker registry without auth header returns:

< HTTP/2 401
< content-type: application/json; charset=utf-8
< date: Thu, 18 Jan 2018 11:56:16 GMT
< www-authenticate: Basic realm="Registry Realm"

As I read in this issue, this should be sending basic auth headers information to Clair, or am I wrong?

jessfraz commented on May 25, 2024

eyenx commented on May 25, 2024

Thanks for the fast reply. Sorry, perhaps I wasn't clear enough about the issue being not clair, but the request sent by reg / reg-server.

Clair doesn't need basic auth and isn't set up with it (just internal docker container):

~ curl clair.example.com/v1/namespaces
{"Namespaces":[{"Name":"alpine:v3.7","VersionFormat":"dpkg"},...

The problem is that after receiving the /v1/layers POST request from reg-server, clair doesn't have the info needed (Registry Credentials, Token or Basic Auth) to get the image from our registry. Clair gets a 401 from our registry (obviously, because it doesn't provide any credentials).

I can see this in the logs:

Jan 18 13:11:14 hostname reg-server.1.hjja8yj7i8zct6qe2gcohc6uz[1218]: time="2018-01-18T12:11:14Z" level=info msg="fetching tags" URL=/repo/<image_name>/tags func=tags method=GET
Jan 18 13:11:15 hostname reg-server.1.hjja8yj7i8zct6qe2gcohc6uz[1218]: time="2018-01-18T12:11:15Z" level=info msg="fetching vulnerabilities" URL=/repo/<image_name>/tag/latest/vulns.json func=vulnerabilities method=GET
Jan 18 13:11:15 hostname clair.1.bks0djvuycpw15fpi1f5rg7zi[1218]: {"Event":"could not download layer: expected 2XX","Level":"warning","Location":"driver.go:135","Time":"2018-01-18 12:11:15.644187","status code":401}
Jan 18 13:11:15 hostname clair.1.bks0djvuycpw15fpi1f5rg7zi[1218]: {"Event":"failed to extract data from path","Level":"error","Location":"worker.go:122","Time":"2018-01-18 12:11:15.644306","error":"could not find layer","layer":"sha256:ff3..8","path":"https://registry.example.com/v2/<image_name>/blobs/sha256:ff3..8"}
Jan 18 13:11:15 hostname clair.1.bks0djvuycpw15fpi1f5rg7zi[1218]: {"Event":"Handled HTTP request","Level":"info","Location":"router.go:57","Time":"2018-01-18 12:11:15.644792","elapsed time":170847763,"method":"POST","remote addr":"10.0.0.25:60512","request uri":"/v1/layers","status":"400"}
Jan 18 13:11:15 hostname reg-server.1.hjja8yj7i8zct6qe2gcohc6uz[1218]: time="2018-01-18T12:11:15Z" level=error msg="vulnerability scanning for <image_name>:latest failed: clair error: could not find layer" URL=/repo/<image_name>/tag/latest/vulns.json func=vulnerabilities method=GET

Doing the POST request manually to v1/layers like this works:

{"Layer":{
    "Name":"sha256:ff3..8",
    "Path":"https://registry.example.com/v2/alpine/blobs/sha256:ff3..8",
    "Headers":{
        "Authorization":"Basic Z..do"
    },
    "Format":"Docker"
}}

I still tried putting our registry credentials into the clair url as you suggested, but it didn't work. Reg just sends the same request to clair with a basic auth header but without a "Headers":{"Authorization"} snippet in the json request.

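
The missing piece this comment pins down, written up as an added Go example (not reg's or Clair's own code): a payload builder that copies the registry credentials into the Layer's Headers so Clair can replay them when it fetches the blob, plus a check that flags the anonymous payload captured above whenever the registry answered the blob URL with WWW-Authenticate. RegistryAuth and all function names are assumptions of this example; the JSON shape follows the requests quoted in the thread.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"strings"
)

// ClairLayer is the Layer object POSTed to Clair's /v1/layers; Clair replays Headers when fetching Path.
type ClairLayer struct {
	Name    string            `json:"Name"`
	Path    string            `json:"Path"`
	Format  string            `json:"Format"`
	Headers map[string]string `json:"Headers,omitempty"`
}

type RegistryAuth struct { // hypothetical: whatever reg authenticated to the registry with
	Username, Password string // basic auth, as in the 401 with WWW-Authenticate: Basic
	BearerToken        string // token from a registry token service
}

// AuthorizationHeader is the value Clair must present to the registry; false means anonymous.
func AuthorizationHeader(a RegistryAuth) (string, bool) {
	if a.BearerToken != "" {
		return "Bearer " + a.BearerToken, true
	}
	if a.Username != "" {
		return "Basic " + base64.StdEncoding.EncodeToString([]byte(a.Username+":"+a.Password)), true
	}
	return "", false
}

// NewLayerPayload builds the /v1/layers body, attaching Headers only when credentials exist.
func NewLayerPayload(registryURL, image, blob string, a RegistryAuth) ([]byte, error) {
	l := ClairLayer{Name: blob, Format: "Docker",
		Path: strings.Join([]string{registryURL, "v2", image, "blobs", blob}, "/")}
	if h, ok := AuthorizationHeader(a); ok {
		l.Headers = map[string]string{"Authorization": h}
	}
	return json.Marshal(struct{ Layer ClairLayer }{l})
}

// MissingRegistryAuth reports the failure in the thread: the registry answered the blob URL with
// WWW-Authenticate, but the payload carries no Authorization header for Clair to replay.
func MissingRegistryAuth(payload []byte, wwwAuthenticate string) bool {
	var req struct{ Layer ClairLayer }
	if err := json.Unmarshal(payload, &req); err != nil {
		return true // an unparseable payload certainly carries no usable credentials
	}
	return wwwAuthenticate != "" && req.Layer.Headers["Authorization"] == ""
}
```

The check only inspects the outgoing payload; it does not replace watching Clair's own logs for the 401 shown above.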

eyenx commented on May 25, 2024

I temporarily built our own reg-server with useBasicAuth := true hard coded in it.

We think our registry server is handling the whole TokenTransport thingy kinda wrong.

It works with the hard coded useBasicAuth variable. Thanks anyway.
