OpenSCAP / openscap-daemon

Manages continuous scans of your infrastructure
https://www.open-scap.org/tools/openscap-daemon
GNU Lesser General Public License v2.1

error fixes #60

Closed ybznek closed 8 years ago

ybznek commented 8 years ago

There are many things in this PR, because it is a lot easier to manage / test whether one fix is incompatible with some other.

I am still testing/working on it. But you can review the changes.

This PR:

  1. "Fix" problem with unknown container/image id.
    • It causes slower scanning now.
    • If somebody deletes a container during a scan, the issue will occur again
    • It should be a quick & dirty solution, until we get something better
  2. Fix python 2 issue with bad type of json output
  3. Fix ID issue with new docker ID form "sha256:..."
  4. Print traceback - helps me a lot. Do you know any better form of the output? (output from journalctl)

```
ERROR:Action 'Evaluate CVE Scanner Worker '<openscap_daemon.cve_scanner.cve_scanner.Worker object at 0x7fc498083668>'' threw an exception that hasn't been caught. This is most likely a bug, pleasereport it. Unable to associate sha256:e0cd0 with any image or container
  File "/usr/lib/python3.5/site-packages/openscap_daemon/async.py", line 100, in _worker_main
    action.run()
  File "/usr/lib/python3.5/site-packages/openscap_daemon/system.py", line 644, in run
    json_result = self.worker.start_application()
  File "/usr/lib/python3.5/site-packages/openscap_daemon/cve_scanner/cve_scanner.py", line 452, in start_application
    image_list = self._check_input(self.args.scan)
  File "/usr/lib/python3.5/site-packages/openscap_daemon/cve_scanner/cve_scanner.py", line 344, in _check_input
    raise ImageScannerClientError(error)
```

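
One way to associate a full or shortened ID in the "sha256:..." form from item 3 with a known image or container, and to surface the deleted-during-scan case from item 1 as a distinct error. This is an added example, not code from this PR or from openscap-daemon; `normalize_id`, `associate`, both exception classes and the sample IDs are constructed for illustration.

```python
import re

HEX_RE = re.compile(r"^[0-9a-f]{1,64}$")


class UnknownIdError(LookupError):
    """The ID matches no known image or container (e.g. deleted mid-scan)."""


class AmbiguousIdError(LookupError):
    """A shortened ID is a prefix of more than one known object."""


def normalize_id(raw):
    """Return the bare lowercase hex digest of 'sha256:<hex>' or '<hex>'."""
    value = raw.strip().lower()
    if value.startswith("sha256:"):
        value = value[len("sha256:"):]
    if not HEX_RE.match(value):
        raise ValueError("not an image/container ID: %r" % (raw,))
    return value


def associate(raw, image_ids, container_ids):
    """Map a full or shortened ID to ('image' | 'container', full_hex_id)."""
    wanted = normalize_id(raw)
    hits = set()
    for kind, ids in (("image", image_ids), ("container", container_ids)):
        for known in ids:
            # Inventory entries may themselves carry the 'sha256:' prefix.
            full = normalize_id(known)
            if full.startswith(wanted):
                hits.add((kind, full))
    if not hits:
        raise UnknownIdError(
            "Unable to associate %s with any image or container" % raw)
    if len(hits) > 1:
        raise AmbiguousIdError("%s matches %d objects" % (raw, len(hits)))
    return hits.pop()


# Constructed sample inventory (not real digests): one prefixed image ID,
# one bare image ID, one bare container ID.
IMAGES = ["sha256:" + "e0cd0" + "a" * 59, "e0cd1" + "b" * 59]
CONTAINERS = ["7f3c" + "c" * 60]
```

A caller that catches `UnknownIdError` separately can skip an object that disappeared between listing and scanning instead of aborting the whole run.
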
jan-cerny commented 8 years ago

Hello @ybznek, I have been playing with the atomic scan with the daemon with patches from this PR. It looks to be working well for me. I use an updated Fedora 23 minimal virtual machine, Python 3, openscap-1.2.8-1.fc23.x86_64, docker-1.9.1-6.git6ec29ef.fc23.x86_64, atomic-1.8-3.gitcc5997a.fc23.x86_64. I have 6 images and 2 running containers. I have tried `atomic scan --images` and `atomic scan --containers` and `atomic scan --all` several times. No exception or error occurred. Also I haven't found anything suspicious in the journalctl. Overall it looks good to me. Thank you.

ybznek commented 8 years ago

Yes, but we should still find a better solution. I don't know if we should merge it. After the merge, nobody will fix it later.

ybznek commented 8 years ago

Seems to be working with rhel7 and fedora23. Possible issues with Rawhide we can fix later.

jan-cerny commented 8 years ago

@ybznek Great! Thank you.

isimluk commented 8 years ago

Ok, guys. I think it will be a step forward if we merge it.

I have heard well the reasons against having this temporary solution. The arguments (from @mpreisler, @jan-cerny, and @myself) against have more merit in my view. However, we are in a situation where this functionality is in the spotlight right now, so I think it will help us to merge this and have the atomic scan working in Fedora.