projectatomic / atomic

Atomic Run Tool for installing/running/managing container images.

Network is unreachable when scanning #1254

Closed ibaboo closed 5 years ago

ibaboo commented 5 years ago

Hi All

I am trying to run atomic scanner behind our corporate proxy but it fails with a "Network is unreachable" error. I have added our proxy details to the /etc/atomic.conf

/etc/atomic.conf

```
# Atomic CLI configuration file

default_scanner: openscap
default_docker: docker
registry_confdir: /etc/containers/registries.d/
discover_sigstores: true
sigstore_metadata_image: sigstore

# Default storage backend [ostree, docker]
# default_storage: docker
# ostree_repository: /ostree/repo
# checkout_path: /var/lib/containers/atomic
#

# Default identity for signing images
# default_signer:
# Absolute path to GPG keyring. Value set as environment variable GNUPGHOME
#gnupg_homedir: /home/USER/.gnupg
#
# To always use a proxy with atomic, you can uncomment and fill out
# below.
# http_proxy: http://server:80
https_proxy: http://server.com:80
no_proxy:
```

ERROR: atomic --debug scan myregistry/myimage:latest

```
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2019-03-18-11-34-31-009787:/scanin -v /var/lib/atomic/openscap/2019-03-18-11-34-31-009787:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout -j1
Created /run/atomic/2019-03-18-11-34-31-009787/26aa6fc8812192182fd7b8a7555456f27ef889b1cc367d76ab5f584e112dd5e0
Mounted 26aa6fc8812192182fd7b8a7555456f27ef889b1cc367d76ab5f584e112dd5e0 to /run/atomic/2019-03-18-11-34-31-009787/26aa6fc8812192182fd7b8a7555456f27ef889b1cc367d76ab5f584e112dd5e0
Creating the output dir at /var/lib/atomic/openscap/2019-03-18-11-34-31-009787
INFO:OpenSCAP Daemon one-off evaluator 0.1.10
INFO:Autodetected "oscap" in path "/usr/bin/oscap".
INFO:Autodetected "oscap-ssh" in path "/usr/bin/oscap-ssh".
INFO:Autodetected "oscap-vm" in path "/usr/bin/oscap-vm".
INFO:Autodetected "oscap-docker" in path "/usr/bin/oscap-docker".
INFO:Autodetected "oscap-chroot" in path "/usr/bin/oscap-chroot".
WARNING:Can't import the 'docker' package. Direct container scanning via oscap-docker will be disabled.
INFO:Autodetected SCAP content at "/usr/share/openscap/cpe/openscap-cpe-oval.xml".
INFO:Autodetected SCAP content in path "/usr/share/xml/scap/ssg/content".
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
ERROR:Failed to scan target 'chroot:///scanin/26aa6fc8812192182fd7b8a7555456f27ef889b1cc367d76ab5f584e112dd5e0' for vulnerabilities.
Traceback (most recent call last):
  File "/usr/bin/oscapd-evaluate", line 146, in scan_worker
    es.evaluate(config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 521, in evaluate
    wip_result = self.evaluate_into_dir(config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 518, in evaluate_into_dir
    return oscap_helpers.evaluate(self, config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/oscap_helpers.py", line 323, in evaluate
    args = get_evaluation_args(spec, config)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/oscap_helpers.py", line 298, in get_evaluation_args
    ret.extend(spec.get_oscap_arguments(config))
  File "/usr/lib/python2.7/site-packages/openscap_daemon/evaluation_spec.py", line 482, in get_oscap_arguments
    ret.append(config.get_cve_feed(self.get_cpe_ids(config)))
  File "/usr/lib/python2.7/site-packages/openscap_daemon/config.py", line 460, in get_cve_feed
    return self.cve_feed_manager.get_cve_feed(cpe_ids)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/cve_feed_manager.py", line 212, in get_cve_feed
    return self.get_rhel_cve_feed(7)
  File "/usr/lib/python2.7/site-packages/openscap_daemon/cve_feed_manager.py", line 168, in get_rhel_cve_feed
    if self._is_cache_same(local_file, remote_url):
  File "/usr/lib/python2.7/site-packages/openscap_daemon/cve_feed_manager.py", line 112, in _is_cache_same
    res = opener.open(CVEFeedManager.HeadRequest(remote_url))
  File "/usr/lib64/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.7/urllib2.py", line 1258, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/usr/lib64/python2.7/urllib2.py", line 1214, in do_open
    raise URLError(err)
URLError: <urlopen error [Errno 101] Network is unreachable>
```

ibaboo commented 5 years ago

I got this working by rebuilding the image registry.access.redhat.com/rhel7/openscap with proxy details as env vars.
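
A check that can be run over the `docker run` line printed by `atomic --debug scan`, as an added example (not code from the atomic project or from the posts above): it reports which proxy variables the scanner container is not given on its command line. The traceback fails in `https_open`, so `https_proxy` is the variable checked; the parser handles only the flags seen in this issue's command, and the proxy URL in the second command is a placeholder.

```python
import shlex

# Simplification: only the docker-run flags that appear in this issue's command.
VALUE_FLAGS = {"-v", "--volume", "-e", "--env"}

# Command copied from the debug output above (volume list shortened).
ISSUE_CMD = ("docker run -t --rm -v /etc/localtime:/etc/localtime "
             "-v /etc/oscapd:/etc/oscapd:ro "
             "registry.access.redhat.com/rhel7/openscap oscapd-evaluate scan "
             "--no-standard-compliance --targets chroots-in-dir:///scanin "
             "--output /scanout -j1")

# Constructed variant: the same run with a placeholder proxy passed explicitly.
FIXED_CMD = ISSUE_CMD.replace(
    "--rm", "--rm -e https_proxy=http://proxy.example:3128", 1)


def container_env(docker_cmd):
    """Return (image, env); env holds every -e/--env given before the image."""
    args = shlex.split(docker_cmd)
    i = args.index("run") + 1
    env = {}
    while i < len(args):
        arg = args[i]
        if not arg.startswith("-"):
            return arg, env          # first positional token is the image
        flag, sep, value = arg.partition("=")
        if flag in VALUE_FLAGS and not sep:
            i += 1                   # value is the next token, e.g. "-e NAME=val"
            value = args[i]
        if flag in ("-e", "--env"):
            name, _, val = value.partition("=")
            env[name.lower()] = val
        i += 1
    return None, env


def missing_proxy_vars(docker_cmd, needed=("https_proxy",)):
    """Proxy variables (compared in lower case) the command does not pass."""
    _, env = container_env(docker_cmd)
    return [name for name in needed if name not in env]


if __name__ == "__main__":
    for label, cmd in (("issue", ISSUE_CMD), ("fixed", FIXED_CMD)):
        image, _ = container_env(cmd)
        print(label, image, "missing:", missing_proxy_vars(cmd))
```

Proxy values set with `ENV` in a rebuilt image are stored in the image configuration, so a proxy URL that embeds credentials is readable by anyone who can pull or inspect that image.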