optiopay / klar

Integration of Clair and Docker Registry
MIT License

dial tcp [::1]:6060: getsockopt: connection refused #38

Closed xueshanf closed 7 years ago

xueshanf commented 7 years ago

I have a clair container running locally and this works:

curl http://localhost:6060/v1/namespaces/debian%3A8/vulnerabilities?limit=2
{
  "Vulnerabilities": [
    {
      "Name": "CVE-2011-3887",
      "NamespaceName": "debian:8",
      "Description": "Google Chrome before 15.0.874.102 does not properly handle javascript: URLs, which allows remote attackers to bypass intended access restrictions and read cookies via unspecified vectors.",
      "Link": "https://security-tracker.debian.org/tracker/CVE-2011-3887",
      "Severity": "Medium",
      "Metadata": {
        "NVD": {
          "CVSSv2": {
            "Score": 5,
            "Vectors": "AV:N/AC:L/Au:N/C:P/I:N"
          }
        }
      }
    },

...

However, when I run the klar container:

CLAIR_ADDR=http://localhost:6060
CLAIR_OUTPUT=High
CLAIR_THRESHOLD=10
DOCKER_USER=xxxxxxx
DOCKER_PASSWORD=xxxxxx
docker run --env-file=envvars my-klar registry
Analysing 10 layers
Push layer 4 failed: Can't push layer to Clair: Post http://localhost:6060/v1/layers: dial tcp [::1]:6060: getsockopt: connection refused
Push layer 3 failed: Can't push layer to Clair: Post http://localhost:6060/v1/layers: dial tcp [::1]:6060: getsockopt: connection refused
Push layer 2 failed: Can't push layer to Clair: Post http://localhost:6060/v1/layers: dial tcp [::1]:6060: getsockopt: connection refused
Push layer 1 failed: Can't push layer to Clair: Post http://localhost:6060/v1/layers: dial tcp [::1]:6060: getsockopt: connection refused
Push layer 0 failed: Can't push layer to Clair: Post http://localhost:6060/v1/layers: dial tcp [::1]:6060: getsockopt: connection refused
Analyse image https://registry-1.docker.io/v2/library/registry:latest failed: Get http://localhost:6060/v1/layers/sha256:154ef19ddee64edd702ab722c0bee283cf34eab32dde16243bc98adef65b2b52?vulnerabilities: dial tcp [::1]:6060: getsockopt: connection refused
Found 0 vulnerabilities

The clair container log doesn't show any connections. Any ideas?

xueshanf commented 7 years ago

Okay, if I go through an ELB, which has a private IP, such as http://clair.cluster.local, then it works. Not sure why localhost won't work (but curl works)...

hashmap commented 7 years ago

You run Clair in a container, but port 6060 is exposed on the host. curl (a local binary) can connect to it, because localhost means the local interface on the same host. However, when you run Klar in a container, localhost means the local interface inside the container, not on your host. The 2 most approachable solutions: use host names if possible (as you did) or use docker links to expose the Clair IP to Klar.

xueshanf commented 7 years ago

@hashmap yup, of course! They aren't in the same pod! Thanks a lot!
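
A preflight check for the failure hashmap describes, as an added example that is not part of the original thread or of Klar's code: it rejects a loopback `CLAIR_ADDR` when the scanner itself runs in a container, instead of ending with "Found 0 vulnerabilities". The function names, the `/.dockerenv` heuristic for detecting a container, and treating a bare `host:port` as HTTP are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"os"
	"strings"
)

// loopbackTarget reports whether a CLAIR_ADDR value points at loopback.
// Hypothetical helper, not part of Klar.
func loopbackTarget(addr string) (bool, error) {
	if !strings.Contains(addr, "://") {
		addr = "http://" + addr // assumption: a bare host:port means HTTP
	}
	u, err := url.Parse(addr)
	if err != nil || u.Hostname() == "" {
		return false, fmt.Errorf("invalid CLAIR_ADDR %q", addr)
	}
	host := u.Hostname() // drops the port and the brackets of an IPv6 literal
	ip := net.ParseIP(host)
	return strings.EqualFold(host, "localhost") || (ip != nil && ip.IsLoopback()), nil
}

// inContainer is a heuristic (assumption): Docker creates /.dockerenv in its containers.
func inContainer() bool {
	_, err := os.Stat("/.dockerenv")
	return err == nil
}

// checkClairAddr fails fast when a containerised scanner targets loopback, which is the container's own interface.
func checkClairAddr(addr string, containerised bool) error {
	loop, err := loopbackTarget(addr)
	if err != nil {
		return err
	}
	if loop && containerised {
		return fmt.Errorf("CLAIR_ADDR %s is loopback inside this container; use a host name or address that reaches Clair", addr)
	}
	return nil
}

func main() {
	if err := checkClairAddr(os.Getenv("CLAIR_ADDR"), inContainer()); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Failing before the scan matters here because the run in the report still ends with a zero-vulnerability result even though no layer reached Clair.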