arminc / clair-scanner

Docker containers vulnerability scan
Apache License 2.0

clair-local-scan container fails to scan & crashes: fatal: unable to access 'https://git.launchpad.net/ubuntu-cve-tracker/': The requested URL returned error: 503 #115

Closed phil2k closed 3 years ago

phil2k commented 3 years ago

Hi,

Since today (I have been using it for a year or more), I've noticed that clair-scanner (clair-scanner_linux_amd64) is not working anymore; I get the following error:

 $ docker run -d --name clair-db arminc/clair-db:latest
 $ docker run -p 6060:6060 --link clair-db:postgres -d --name clair arminc/clair-local-scan:latest
 $ ./clair-scanner_linux_amd64 --ip 172.17.0.1 registry.access.redhat.com/ubi8/ubi
...
Could not analyze layer: POST to Clair failed Post http://127.0.0.1:6060/v1/layers: dial tcp 127.0.0.1:6060: getsockopt: connection refused

After some digging, I noticed the container was stopped immediately after the scan with a fatal error (which I guess is why the previous "connection refused" error was shown, maybe after a retry following the container crash):

$ docker logs clair
...
.{"Event":"could not determine a valid package from criterions","Level":"warning","Location":"rhel.go:304","Time":"2021-04-21 09:12:41.809076","criterions":"[{kernel version 0:4.18.0-193.19.1.el8_2 is set to boot up on next boot} {kpatch-patch not installed for 0:4.18.0-193.19.1.el8_2} {kernel version equals 0:4.18.0-193.19.1.el8_2} {Red Hat Enterprise Linux 8 is installed}]"}
panic: runtime error: slice bounds out of range [25:24

But if I look before this error in the container log (even before scanning, when the container is up & running), I notice this error, which might be the root cause of that container crash ("panic: runtime error: ..."):

$ docker logs clair
...
2021-04-21T09:12:40.4501447Z {"Event":"could not pull ubuntu-cve-tracker repository","Level":"error","Location":"ubuntu.go:174","Time":"2021-04-21 09:12:38.463262","error":"exit status 128","output":"Cloning into '.'...\nfatal: unable to access 'https://git.launchpad.net/ubuntu-cve-tracker/': The requested URL returned error: 503\n"}

When I try to do a git clone of https://git.launchpad.net/ubuntu-cve-tracker/ locally, I get the same error:

git clone https://git.launchpad.net/ubuntu-cve-tracker/
Cloning into 'ubuntu-cve-tracker'...
fatal: unable to access 'https://git.launchpad.net/ubuntu-cve-tracker/': The requested URL returned error: 503

But if I browse to https://git.launchpad.net/ubuntu-cve-tracker/ it works, and there I also noticed that there is another way of mirroring this git repository for ubuntu-cve-tracker, git://git.launchpad.net/ubuntu-cve-tracker, which works:

git clone git://git.launchpad.net/ubuntu-cve-tracker
Cloning into 'ubuntu-cve-tracker'...
remote: Enumerating objects: 682122, done.
remote: Counting objects: 100% (682122/682122), done.
remote: Compressing objects: 100% (69081/69081), done.
Receiving objects: 100% (682122/682122), 105.11 MiB | 1.37 MiB/s, done.
remote: Total 682122 (delta 620026), reused 673859 (delta 612686)
Resolving deltas: 100% (620026/620026), done.
Updating files: 100% (39942/39942), done.

Because of this it seems that the scanner is not working (even when I tried different versions/tags of clair-local-scan). Can the remote repository for ubuntu-cve-tracker be changed to the one above which works, until Ubuntu fixes their issue with the https one? If there's another issue, can you please have a look into it?

Thank you in advance.

Kind regards, Bogdan Velcea
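The failure chain described in this report (updater cannot clone the CVE feed, the clair process panics, and clair-scanner then only sees "connection refused") is easy to misdiagnose from the scanner side alone. The following is an added example, not code from the issue or from the clair-scanner / clair-local-scan projects: it parses Clair's JSON log lines (as printed by `docker logs`, with or without the `-t` timestamp prefix) and reports updater fetch failures and a runtime panic so the root cause is visible before the scan is retried. The sample log text is constructed for the example.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of `docker logs -t clair` output (not copied verbatim from the
# issue): a timestamp-prefixed updater error, a warning, and the Go panic.
SAMPLE_LOGS = """\
2021-04-21T09:12:40.4501447Z {"Event":"could not pull ubuntu-cve-tracker repository","Level":"error","Location":"ubuntu.go:174","Time":"2021-04-21 09:12:38.463262","error":"exit status 128","output":"Cloning into '.'...\\nfatal: unable to access 'https://git.launchpad.net/ubuntu-cve-tracker/': The requested URL returned error: 503\\n"}
{"Event":"could not determine a valid package from criterions","Level":"warning","Location":"rhel.go:304","Time":"2021-04-21 09:12:41.809076"}
panic: runtime error: slice bounds out of range
"""

DOCKER_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T[\d:.]+Z\s+")  # prefix added by `docker logs -t`
GIT_HTTP_ERR = re.compile(r"unable to access '([^']+)': The requested URL returned error: (\d{3})")


@dataclass
class Triage:
    fetch_failures: list = field(default_factory=list)  # (location, remote URL, HTTP status)
    panic_message: Optional[str] = None

    @property
    def healthy(self) -> bool:
        return not self.fetch_failures and self.panic_message is None


def parse_event(line: str):
    """Return the JSON event dict for a Clair log line, or None for non-JSON lines."""
    try:
        ev = json.loads(DOCKER_TS.sub("", line))
    except json.JSONDecodeError:
        return None
    return ev if isinstance(ev, dict) and "Event" in ev else None


def triage_logs(text: str) -> Triage:
    """Collect updater fetch failures and a Go runtime panic from Clair's log output."""
    t = Triage()
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("panic:"):
            t.panic_message = line  # Go runtime panic: the container is about to exit
            continue
        ev = parse_event(line)
        if ev and ev.get("Level") == "error" and ev["Event"].startswith("could not pull"):
            m = GIT_HTTP_ERR.search(ev.get("output", ""))
            t.fetch_failures.append((ev.get("Location", "?"), m.group(1) if m else None,
                                     int(m.group(2)) if m else None))
    return t
```

Run it as `docker logs clair 2>&1 | python3 -c 'import sys, triage; print(triage.triage_logs(sys.stdin.read()))'` (module name assumed) to get the structured verdict for a live container.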

phil2k commented 3 years ago

This root-cause issue was reported here: https://bugs.launchpad.net/ubuntu-cve-tracker/+bug/1925337

phil2k commented 3 years ago

Reported here as well: https://github.com/arminc/clair-local-scan/issues/57 Closing this one.