project-copacetic / copacetic

🧵 CLI tool for directly patching container images using reports from vulnerability scanners
https://project-copacetic.github.io/copacetic/
Apache License 2.0

[BUG] Failure resolving proxy #680

Open 0xDagal opened 1 week ago

0xDagal commented 1 week ago

Version of copa

v0.6.1-81-g2335453

Expected Behavior

Patching nginx:1.21.6 with a proxy should work.

Actual Behavior

The patch does not work:

[+] Building 12.6s (4/8)
 => resolve image config for docker-image://docker.io/library/nginx:1.21.6          7.4s
 => CACHED docker-image://docker.io/library/debian:11-slim                          4.7s
 => => resolve docker.io/library/debian:11-slim                                     4.7s
 => CACHED docker-image://docker.io/library/nginx:1.21.6                            1.4s
 => => resolve docker.io/library/nginx:1.21.6                                       1.4s
 => apt update                                                                      0.4s
 => apt install busybox-static                                                      0.1s
 => => # WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
Error: process "apt install busybox-static" did not complete successfully: exit code: 100
exit status 1

Running in debug, I saw:

[debug-adapter stderr] #4 0.130 WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
#4 0.130 
#4 0.248 Err:1 http://deb.debian.org/debian bullseye InRelease
#4 0.248   Temporary failure resolving 'my-super-proxy.com'
#4 0.323 Err:2 http://deb.debian.org/debian-security bullseye-security InRelease
#4 0.323   Temporary failure resolving 'my-super-proxy.com'
#4 0.390 Err:3 http://deb.debian.org/debian bullseye-updates InRelease
#4 0.390   Temporary failure resolving 'my-super-proxy.com'
#4 0.394 Reading package lists...
#4 0.414 Building dependency tree...
#4 0.416 Reading state information...
#4 0.423 All packages are up to date.
#4 0.424 W: Failed to fetch http://deb.debian.org/debian/dists/bullseye/InRelease  Temporary failure resolving 'my-super-proxy.com'
#4 0.424 W: Failed to fetch http://deb.debian.org/debian-security/dists/bullseye-security/InRelease  Temporary failure resolving 'my-super-proxy.com'
#4 0.424 W: Failed to fetch http://deb.debian.org/debian/dists/bullseye-updates/InRelease  Temporary failure resolving 'my-super-proxy.com'
#4 0.424 W: Some index files failed to download. They have been ignored, or old ones used instead.
 buildkit.ExtractFileFromState buildkit.go:80
 pkgmgr.(*dpkgManager).probeDPKGStatus dpkg.go:225
 pkgmgr.(*dpkgManager).InstallUpdates dpkg.go:118

Steps To Reproduce

Run trivy on nginx:1.21.6 and name the report nginx.1.21.6.json, then run a moby/buildkitd container, and finally run copa patch -i nginx:1.21.6 -r nginx.1.21.6.json --addr docker-container://copa-buildkitd-1.

Are you willing to submit PRs to contribute to this bug fix?
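
A triage check for apt output like the debug log in this report, added here as an example (not code from copa or from the commenters). It separates an unresolved name that is not the repository host, as with my-super-proxy.com above, from an unresolved mirror, and flags that apt continued with old or missing indexes. `AnalyzeAptLog`, `Finding` and the sample log are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample, shaped like the apt output quoted in the report.
const sampleLog = `#4 0.248 Err:1 http://deb.debian.org/debian bullseye InRelease
#4 0.248   Temporary failure resolving 'my-super-proxy.com'
#4 0.424 W: Some index files failed to download. They have been ignored, or old ones used instead.`

var urlRe = regexp.MustCompile(`https?://\S+`)
var failRe = regexp.MustCompile(`Temporary failure resolving '([^']+)'`)

// Finding summarises one `apt update` run (hypothetical type for this example).
type Finding struct {
	ProxyHosts   []string // unresolved names that are not the repository host
	RepoHosts    []string // unresolved names that are the repository host itself
	StaleIndexes bool     // apt continued with old or missing package indexes
}

// AnalyzeAptLog attributes each resolver failure to the repository URL it follows.
func AnalyzeAptLog(log string) Finding {
	var f Finding
	seen, repoHost := map[string]bool{}, ""
	for _, line := range strings.Split(log, "\n") {
		if u, err := url.Parse(urlRe.FindString(line)); err == nil && u.Hostname() != "" {
			repoHost = u.Hostname()
		}
		if m := failRe.FindStringSubmatch(line); m != nil && !seen[m[1]] {
			seen[m[1]] = true
			if m[1] == repoHost {
				f.RepoHosts = append(f.RepoHosts, m[1])
			} else {
				f.ProxyHosts = append(f.ProxyHosts, m[1])
			}
		}
		// apt only warns and carries on, so this line is the sign of stale indexes.
		f.StaleIndexes = f.StaleIndexes || strings.Contains(line, "Some index files failed to download")
	}
	return f
}

func main() {
	fmt.Printf("%+v\n", AnalyzeAptLog(sampleLog))
}
```

A non-empty `ProxyHosts` points at name resolution for the proxy inside the build environment rather than at the Debian mirror, and `StaleIndexes` means any package step that follows ran against indexes that were not refreshed.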

ashnamehrotra commented 5 days ago

@0xDagal would you be able to share your setup steps for your buildkit container?

0xDagal commented 2 days ago

Yes, I run it in a docker-compose like so:

services:
  buildkitd:
    image: moby/buildkit:latest
    privileged: true
    entrypoint: buildkitd
    volumes:
      - ./buildkitd.toml:/etc/buildkit/buildkitd.toml

In my buildkitd.toml, there are only registry mirrors, for example:

[registry."quay.io"]
  mirrors = ["my-quay-mirror.lan"]