aquasecurity / cloudsploit

Cloud Security Posture Management (CSPM)
https://cloud.aquasec.com/signup
GNU General Public License v3.0

Docker Container Run Fails #1118

Open pasanchamikara opened 2 years ago

pasanchamikara commented 2 years ago

While executing the docker container, the following error was observed.

‹master*› » docker run -it -e AWS_SECRET_ACCESS_KEY_ID=xxxxxxxxxxxx -e AWS_SECRET_ACCESS_KEY=yyyyyyyyyyyyyyyy cloudsploitc    
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "cloudsploit-scan": executable file not found in $PATH: unknown.

This seems to be because of improper linking of the node modules, which caused the bin not to be set properly to cloudsploit-scan.

pasanchamikara commented 2 years ago

PR created https://github.com/aquasecurity/cloudsploit/pull/1119

asdrubalos commented 2 years ago

Hi @pasanchamikara, by any chance are you using Mac? I solved this problem in the Dockerfile (using npm link, chmod, added a workdir and changed the entrypoint): now it works without the $PATH error.

Dockerfile:

FROM node:lts-alpine3.12

ARG PACKAGENAME=cloudsploit

COPY . /var/scan/cloudsploit/

RUN cd /var/scan \
    && mkdir reports \
    && npm init --yes \
    && npm install ${PACKAGENAME}

ENV PATH "$PATH:/var/scan/node_modules/.bin"

WORKDIR /var/scan/cloudsploit

# link the copied index.js and make it executable so the entrypoint can run it directly
RUN npm link index.js \
    && chmod +x /var/scan/cloudsploit/index.js

WORKDIR /var/scan/

# run the local index.js by path instead of looking up a bin name in $PATH
ENTRYPOINT ["./cloudsploit/index.js","--config=/var/scan/cloudsploit/config.js"]
CMD []

Now the problem is the next error, node_modules/async/dist/async.js:966: https://github.com/aquasecurity/cloudsploit/issues/1158

pasanchamikara commented 2 years ago

Hi @asdrubalos, no, I was using Ubuntu in my case; I believe it was the missing npm link that fixes the linking of the bin file after all. So no need for a separate ./cloudsploit/index.js in that case.

s-vx commented 2 years ago

Greetings! I think I found why there's a problem with the docker build here.

TL;DR ARG PACKAGENAME=cloudsploit/ (note the trailing slash) fixes it.

The long explanation:

The value for the docker entrypoint appears to have been set to cloudsploitscan on 29 Jul 2019 in Pull 198

Then it was changed again to cloudsploit-scan in Pull 366 on 10 Oct

As of 4 May 2022, the file package.json from master contains the following directive (which makes sense with the current value in master):

"bin": {
  "cloudsploit-scan": "./index.js"
}

But when the app is built on a fresh copy of master using docker build without any build args, only the binary cloudsploitscan is present in the container. This issue is also referred to here: Issue 946

This appears to be caused by the in-docker commands

ARG PACKAGENAME=cloudsploit
RUN [...] 
  && npm install ${PACKAGENAME}

which reach out to the NPM registry and load the outdated cloudsploit-0.0.1-dev1 package.

This is observable in the generated package-lock.json in the following snippet:

    "node_modules/cloudsploit": {
      "version": "0.0.1-dev1",
      "resolved": "https://registry.npmjs.org/cloudsploit/-/cloudsploit-0.0.1-dev1.tgz",
//[...]
      },
      "bin": {
        "cloudsploitscan": "index.js"
      }
    }
//[...]

and matches the content of package.json in the cloudsploit-0.0.1-dev1.tgz archive at the resolved url above.

All this to say that changing

ARG PACKAGENAME=cloudsploit to ARG PACKAGENAME=cloudsploit/ (note the trailing slash)

will ensure npm install considers the newly-copied folder ./cloudsploit/ and installs it instead of the old package.

I don't have a means to test the docker --build-arg PACKAGENAME=@myscope/cloudsploit use case, so maybe the issue is there too.

johndekroon commented 1 year ago

In the master repo it does seem to be broken once again.

> docker run cloudsploit:0.0.1 -h
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "cloudsploit-scan": executable file not found in $PATH: unknown.
ERRO[0000] error waiting for container: context canceled

dickc-sg commented 1 year ago

Can confirm @johndekroon's report:

➜  cloudsploit git:(master) podman build . -t cloudsploit:2.0.0                                                                                    <aws:sg-dev>
STEP 1/7: FROM node:lts-alpine3.12
Resolved "node" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/node:lts-alpine3.12...
Getting image source signatures
Copying blob sha256:145ebd4dc8233806b32022558ce27626b7deb8e835b5547db1c4f79689add0f8
Copying blob sha256:8c28cc2212ffeecd224e6ac2336baf880f2958f01d082bf60c0bb8156fbb1701
Copying blob sha256:443533a34df51b083af73537d57294a35788b74cbe7eb435d54f95c4bde36c03
Copying blob sha256:21b3cd301f8d7751101e1bbd98f9c268f1c0a24ccb33702d703a07ecf2ec8100
Copying config sha256:bda5a170dead6dc843712c624486af7cae423bb5935506fa9dd0f7e8e3fad1ac
Writing manifest to image destination
Storing signatures
STEP 2/7: ARG PACKAGENAME=cloudsploit
--> 889b98a999c
STEP 3/7: COPY . /var/scan/cloudsploit/
--> 3de9a6fb653
STEP 4/7: RUN cd /var/scan && npm init --yes && npm install ${PACKAGENAME}
Wrote to /var/scan/package.json:

{
  "name": "scan",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}

npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated jssha@2.4.2: jsSHA versions < 3.0.0 will no longer receive feature updates
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated azure-arm-storage@6.3.0: This package is deprecated in favor of @azure/arm-storage whick works both on node.js and browsers
npm WARN deprecated azure-arm-monitor@5.4.0: This package is deprecated in favor of @azure/arm-monitor which works both on node.js and browsers
npm WARN deprecated azure-storage@2.10.7: Please note: newer packages @azure/storage-blob, @azure/storage-queue and @azure/storage-file are available as of November 2019 and @azure/data-tables is available as of June 2021. While the legacy azure-storage package will continue to receive critical bug fixes, we strongly encourage you to upgrade. Migration guide can be found: https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/storage/MigrationGuide.md
npm WARN deprecated azure-arm-resource@7.4.0: This package is deprecated in favor of @azure/arm-resources which works both on node.js and browsers
npm WARN deprecated azure-arm-compute@9.1.0: This package is deprecated in favor of @azure/arm-compute whick works both on node.js and browsers

added 204 packages, and audited 205 packages in 11s

18 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
npm notice 
npm notice New major version of npm available! 8.1.2 -> 9.1.2
npm notice Changelog: <https://github.com/npm/cli/releases/tag/v9.1.2>
npm notice Run `npm install -g npm@9.1.2` to update!
npm notice 
--> 52b932b0b61
STEP 5/7: ENV PATH "$PATH:/var/scan/node_modules/.bin"
--> a900cb211fb
STEP 6/7: ENTRYPOINT ["cloudsploit-scan"]
--> 0e10eab53b0
STEP 7/7: CMD []
COMMIT cloudsploit:2.0.0
--> 0b9250f4267
Successfully tagged localhost/cloudsploit:2.0.0
0b9250f4267c024de5388614dbae99772a11d352e1868d46ef43f871ec58e4af
➜  cloudsploit git:(master) podman run cloudsploit:2.0.0 -h                                                                                        <aws:sg-dev>
Error: preparing container ebc0e34b2a495a6f3a6cab19465816bc71ba3b15e4fe8999bf1840063afbc1b7 for attach: crun: executable file `cloudsploit-scan` not found in $PATH: No such file or directory: OCI runtime attempted to invoke a command that was not found

MacOS v12.6.1 Podman v4.3.1 (via Homebrew)

Replacing ENTRYPOINT ["cloudsploit-scan"] with ENTRYPOINT ["cloudsploitscan"] in the Dockerfile seems to resolve the issue.
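The two failure modes in this thread (s-vx's finding that `npm install cloudsploit` silently pulls the stale 0.0.1-dev1 package from the public registry instead of the freshly copied folder, and the `cloudsploit-scan` vs `cloudsploitscan` entrypoint mismatch dickc-sg reproduces) can both be caught at build time by inspecting the generated package-lock.json against the Dockerfile's ENTRYPOINT. The script below is an added example, not code from cloudsploit or from anyone in this thread; the lockfile samples are constructed in npm lockfileVersion 2 layout (a local-path install is assumed to appear as a `link: true` entry whose `resolved` names the folder), and the function names are my own.

```javascript
// Added example (not part of cloudsploit or this issue): audit a package-lock.json
// and a Dockerfile so that an image whose npm install resolved to the public
// registry instead of the local copy, or whose ENTRYPOINT names a bin the
// installed package does not declare, fails the build rather than `docker run`.
'use strict';

// Locate node_modules/<name> in the lockfile and return the record that carries
// its "bin" map. For a local-path install the entry is a link and the real
// record lives under the folder key (assumed lockfileVersion 2 layout).
function findInstalledPackage(lock, name) {
  const packages = lock.packages || {};
  const entry = packages[`node_modules/${name}`];
  if (!entry) return { entry: null, record: null };
  if (entry.link && entry.resolved) {
    return { entry, record: packages[entry.resolved] || null };
  }
  return { entry, record: entry };
}

// Report (1) a registry-resolved tarball where a local copy was expected and
// (2) a missing bin name. Returns a list of human-readable findings.
function auditLock(lock, name, expectedBin) {
  const findings = [];
  const { entry, record } = findInstalledPackage(lock, name);
  if (!entry) {
    findings.push(`${name} is not installed at node_modules/${name}`);
    return findings;
  }
  if (typeof entry.resolved === 'string' && /^https?:\/\//.test(entry.resolved)) {
    findings.push(`${name} was fetched from ${entry.resolved}, not from the local copy`);
  }
  const bins = (record && record.bin) || {};
  if (!Object.prototype.hasOwnProperty.call(bins, expectedBin)) {
    const declared = Object.keys(bins).join(', ') || '(none)';
    findings.push(`bin "${expectedBin}" missing; declared bins: ${declared}`);
  }
  return findings;
}

// Executable named by the last exec-form ENTRYPOINT in a Dockerfile, or null.
function entrypointExecutable(dockerfileText) {
  let exe = null;
  for (const raw of dockerfileText.split('\n')) {
    const m = raw.trim().match(/^ENTRYPOINT\s+(\[.*\])\s*$/i);
    if (m) {
      const arr = JSON.parse(m[1]);
      if (Array.isArray(arr) && arr.length > 0) exe = arr[0];
    }
  }
  return exe;
}

// A bare entrypoint name is looked up via PATH (node_modules/.bin), so it must
// match a declared bin; a path such as ./cloudsploit/index.js is run directly.
function auditImageSpec(dockerfileText, lock, name) {
  const exe = entrypointExecutable(dockerfileText);
  if (!exe) return ['no exec-form ENTRYPOINT found'];
  if (exe.includes('/')) return [];
  return auditLock(lock, name, exe);
}

// Constructed sample: what the thread shows after `npm install cloudsploit`.
const BROKEN_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/cloudsploit': {
      version: '0.0.1-dev1',
      resolved: 'https://registry.npmjs.org/cloudsploit/-/cloudsploit-0.0.1-dev1.tgz',
      bin: { cloudsploitscan: 'index.js' },
    },
  },
};

// Constructed sample: the shape expected after `npm install cloudsploit/`.
const FIXED_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/cloudsploit': { resolved: 'cloudsploit', link: true },
    cloudsploit: { name: 'cloudsploit', version: '2.0.0', bin: { 'cloudsploit-scan': './index.js' } },
  },
};

const DOCKERFILE = 'FROM node:lts-alpine3.12\nENTRYPOINT ["cloudsploit-scan"]\nCMD []\n';

function runSamples() {
  const results = {};
  for (const [label, lock] of [['registry install', BROKEN_LOCK], ['local install', FIXED_LOCK]]) {
    results[label] = auditImageSpec(DOCKERFILE, lock, 'cloudsploit');
    console.log(`${label}: ${results[label].length ? results[label].join('; ') : 'OK'}`);
  }
  return results;
}

runSamples();
```

Run it against the real package-lock.json produced inside the image (for example by copying the file out with `docker cp`) and the repository Dockerfile; a non-empty findings list is the signal to stop the build, and the first finding distinguishes the registry-resolution problem from a plain entrypoint typo.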