Closed hazcod closed 8 months ago
@hazcod I would try running the script with verbosity on to see if you can get more information as to what is going on around running `docker login`.

```
bash -x falcon-container-sensor-pull.sh --region eu-1 --type falcon-sensor --list-tags --client-id REDACTED --client-secret REDACTED
```
I don't think this is an API key scope issue. This issue is with your ability to use docker to log into a registry. Are you able to log in to any registries? For example, for dockerhub you can just type in `docker login`, enter your creds, and see what happens.
@carlosmmatos I was wondering, because `.docker/config.json` only lists:

```
{
"auths": {},
"credsStore": "desktop",
....
}
```
Really odd, we're getting cases where sometimes it works and sometimes it just fails to fetch the tags...
```
% bash -x ./falcon-container-sensor-pull.sh --client-id d07c93fa7df9448bb21da64ad4cXXXX --client-secret REDACTDED --cid FE7DF61336C64D108D4CXXXXXX-EA --region eu-1 --type falcon-sensor --platform x86_64 --runtime docker --copy foo.dkr.ecr.eu-west-1.amazonaws.com/falcon-sensor/falcon:latest
...
+ case "${CONTAINER_TOOL}" in
++ echo '-u fc-XXX:XXX'
++ curl -s -L 'https://registry.crowdstrike.com/v2/token?=fc-XXX&scope=repository:falcon-sensor/eu-1/release/falcon-sensor:pull&service=registry.crowdstrike.com' -K-
++ json_value token
++ KEY=token
++ num=
++ sed 's/ *$//g'
++ awk '-F[,:}]' '{for(i=1;i<=NF;i++){if($i~/token\042/){print $(i+1)}}}'
++ sed 's/^ *//g'
++ tr -d '"'
++ sed -n p
+ REGISTRYBEARER=
++ curl_command '' https://registry.crowdstrike.com/v2/falcon-sensor/eu-1/release/falcon-sensor/tags/list
++ local token=
++ set -- '' https://registry.crowdstrike.com/v2/falcon-sensor/eu-1/release/falcon-sensor/tags/list
++ '[' 1 -eq 0 ']'
++ awk -v 'RS= ' '{print}'
++ echo 'Authorization: Bearer '
++ grep ''
++ curl -s -L -H @- '' https://registry.crowdstrike.com/v2/falcon-sensor/eu-1/release/falcon-sensor/tags/list
++ grep x86_64
++ grep -o '[0-9a-zA-Z_\.\-]*'
++ tail -1
+ LATESTSENSOR=
+ '[' '' ']'
+ FULLIMAGEPATH=registry.crowdstrike.com/falcon-sensor/eu-1/release/falcon-sensor:
+ grep -qw skopeo /usr/local/bin/docker
+ /usr/local/bin/docker pull registry.crowdstrike.com/falcon-sensor/eu-1/release/falcon-sensor:
invalid reference format
```
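
In the trace above, an empty token response flows through to an empty `LATESTSENSOR` and a `docker pull` of a reference ending in `:`. The guards below are an added example (not code from `falcon-container-sensor-pull.sh` or its maintainers) that stop at the first empty value instead; the function names and sample JSON are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: fail-fast guards for the token -> tags -> pull chain.
# Function names and sample responses are hypothetical/constructed.

# Extract a string field from a flat JSON object on stdin (no jq dependency).
json_field() {
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Print the bearer token, or fail if the response carried none.
require_token() {
    local response="$1" token
    token=$(printf '%s' "$response" | json_field token)
    if [ -z "$token" ]; then
        echo "error: no token in registry response: ${response:-<empty>}" >&2
        return 1
    fi
    printf '%s\n' "$token"
}

# Print the last listed tag for a platform from a tags/list response, or fail.
latest_tag() {
    local response="$1" platform="$2" tag
    tag=$(printf '%s' "$response" | grep -o '"[0-9a-zA-Z_.-]*"' | tr -d '"' \
        | grep -- "$platform" | tail -n 1)
    # Docker tag grammar: 1-128 chars, first char alphanumeric or underscore.
    if ! printf '%s' "$tag" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'; then
        echo "error: no usable tag for platform '$platform'" >&2
        return 1
    fi
    printf '%s\n' "$tag"
}

# Build the image reference only when both repository and tag are present.
image_ref() {
    [ -n "$1" ] && [ -n "$2" ] || { echo "error: empty repository or tag" >&2; return 1; }
    printf '%s:%s\n' "$1" "$2"
}

# Demo with a constructed empty response, mirroring REGISTRYBEARER= in the trace.
require_token '' 2>/dev/null || echo "stopped before tag lookup: empty token"
```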
@hazcod you still seeing this issue? It does look weird from the output as to why it would be a blank tag... even stranger if it works sometimes but not all the time. I've seen strange glitches with API calls sometimes, but usually not for long.
We've not tried again because it was so unpredictable while debugging it got frustrating.
Closing due to inactivity. If you are still facing an issue please reopen the issue or create a new one. Thanks.
Hi,
Trying to run this script. I created a clientid with permissions 'sensor download', 'image download', 'falcon container image download'. All read.