quay / clair

Vulnerability Static Analysis for Containers
https://quay.github.io/clair/
Apache License 2.0

claircore: open /tmp: operation not supported #2009

Closed kamalpreetSec closed 2 days ago

kamalpreetSec commented 8 months ago

Description of Problem / Feature Request

We are running Clair in Combo mode. It is running fine with version 4.7.1, but when we upgraded to 4.7.3, getting the 500 internal server error.

Expected Outcome

Scan should run successfully, currently it is failing with 500 internal server error.

Actual Outcome

The scan is failing with 500 internal server error.

2024-03-14T08:58:52Z DBG index error error="unexpected return status: 500" digest=sha256:xxxxxxxxxx ref=/postgres:12.1
2024-03-14T08:58:52Z ERR error="unexpected return status: 500"

Environment

hdonnay commented 8 months ago

Clair 4.7.3 and later require wherever it's configured to write temporary files to support the O_TMPFILE open(2) flag. This has been in the kernel and most in-tree filesystems for over a decade.

What filesystem is mounted at $TMPDIR (or /tmp if that's unset)?

kamalpreetSec commented 8 months ago

It's an xfs filesystem. It has been mounted to an attached block volume.

/random/tmp /tmp xfs bind,defaults,noatime,_netdev 0 2

where /dev/mapper/datavg-random--lv /random xfs defaults,noatime,nofail,_netdev 0 2

hdonnay commented 8 months ago

Is the dependency on that mount expressed in the service manager?

kamalpreetSec commented 8 months ago

Yes, the above entries are in /etc/fstab.

kamalpreetSec commented 8 months ago

We checked in logs that open with O_TMPFILE fails.

[~] docksh clairv4
bash-4.4$ /tmp/tmp_file /tmp
Error opening temporary file in /tmp: Operation not supported

Is it possible to add a fix that falls back to a non-O_TMPFILE path if the open() fails?

kamalpreetSec commented 8 months ago

Also, from the logs the permissions are 0644; will increasing the permissions help?

openat(AT_FDCWD, "/tmp", O_WRONLY|O_CLOEXEC|O_TMPFILE, 0644
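The probe run by hand above (open the temp directory with O_TMPFILE, see whether the filesystem refuses it) and the fallback asked for in the previous comment can be shown together in a small Go program. This is an added example for the thread, not claircore's or Clair's own code; it assumes the kernel flag values used on the common Linux architectures (the syscall package does not export O_TMPFILE, so the constant is assembled from __O_TMPFILE and O_DIRECTORY), and it treats EOPNOTSUPP, EISDIR and EINVAL from open(2) as "not supported here", which is when a named-and-unlinked file is used instead.

```go
// Probe whether a directory supports O_TMPFILE and fall back to a named
// temporary file that is unlinked immediately when it does not.
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"syscall"
)

// oTmpfile is __O_TMPFILE | O_DIRECTORY. The Go syscall package does not
// export O_TMPFILE, so it is built from its parts here. Assumption: the
// __O_TMPFILE value 020000000 used by x86, arm and arm64 kernels.
const oTmpfile = 0o20000000 | syscall.O_DIRECTORY

// tempFileMode mirrors the 0644 visible in the strace line from the report.
const tempFileMode = 0o644

// isTmpfileUnsupported reports whether an open(2) failure means the kernel
// or the filesystem behind the directory does not support O_TMPFILE:
// EOPNOTSUPP is what an unsupporting filesystem returns, EISDIR is what a
// kernel that predates the flag returns (it only sees O_DIRECTORY), and
// EINVAL is returned by some older kernels for the flag combination.
// Anything else (EACCES, ENOENT, ...) is a real error and is not masked.
func isTmpfileUnsupported(err error) bool {
	var errno syscall.Errno
	if !errors.As(err, &errno) {
		return false
	}
	switch errno {
	case syscall.EOPNOTSUPP, syscall.EISDIR, syscall.EINVAL:
		return true
	}
	return false
}

// openTemp returns an unnamed file when dir supports O_TMPFILE and otherwise
// a named file whose directory entry is removed right away. The bool reports
// which path was taken so a service can log it at startup.
func openTemp(dir string) (*os.File, bool, error) {
	fd, err := syscall.Open(dir, oTmpfile|syscall.O_RDWR|syscall.O_CLOEXEC, tempFileMode)
	if err == nil {
		return os.NewFile(uintptr(fd), dir), true, nil
	}
	if !isTmpfileUnsupported(err) {
		return nil, false, fmt.Errorf("open %s with O_TMPFILE: %w", dir, err)
	}
	f, err := os.CreateTemp(dir, "tmpfile-fallback-*")
	if err != nil {
		return nil, false, err
	}
	// Unlink immediately: the data then lives only as long as the descriptor,
	// which is the property O_TMPFILE provides without ever creating a name.
	if err := os.Remove(f.Name()); err != nil {
		f.Close()
		return nil, false, err
	}
	return f, false, nil
}

// roundTrip writes payload into a temporary file under dir and reads it back.
// It returns the bytes read and whether the O_TMPFILE path was used.
func roundTrip(dir string, payload []byte) ([]byte, bool, error) {
	f, anon, err := openTemp(dir)
	if err != nil {
		return nil, false, err
	}
	defer f.Close()
	if _, err := f.Write(payload); err != nil {
		return nil, anon, err
	}
	if _, err := f.Seek(0, io.SeekStart); err != nil {
		return nil, anon, err
	}
	got, err := io.ReadAll(f)
	return got, anon, err
}

func main() {
	// Same directory Clair uses: $TMPDIR, or /tmp when it is unset.
	dir := os.TempDir()
	got, anon, err := roundTrip(dir, []byte("probe"))
	if err != nil {
		fmt.Fprintf(os.Stderr, "Error opening temporary file in %s: %v\n", dir, err)
		os.Exit(1)
	}
	fmt.Printf("%s: O_TMPFILE supported=%v, read back %q\n", dir, anon, got)
}
```

Run it inside the container with the same TMPDIR the service sees; `supported=false` with a successful round trip is exactly the case the bind-mounted xfs and the NFS/tmpfs volumes in this thread fall into, and the fallback keeps the scan working there.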

glebsts commented 8 months ago

I believe it should move under quay/claircore; there is a similar PR https://github.com/quay/claircore/pull/1140. Created https://github.com/quay/claircore/issues/1289

Struggling with the same: tmpfs in our cluster and NFS for the PVC do not support this operation. Also tried permissions and a non-rootless container, overriding TMPDIR, etc. The problem is specifically the flag not being supported by the Docker kernel.

Can there be a patch in clair core similarly to this? https://github.com/libvips/libvips/pull/1155/files (original thread with same problem in libvips: https://github.com/libvips/libvips/issues/1151)

glebsts commented 7 months ago

Fixed with https://github.com/quay/claircore/pull/1292; waiting for merge and release of https://github.com/quay/clair/pull/2020

crozzy commented 2 days ago

This was completed a while ago, closing