quay / clair

Vulnerability Static Analysis for Containers
https://quay.github.io/clair/
Apache License 2.0

Clair returns 404 for every endpoint #2078

Closed sakarozone closed 4 months ago

sakarozone commented 4 months ago

Hey, I'm facing an issue where I get a 404 for every endpoint. A bit of background:

I have used the docker compose file that is present in the main branch of the clair repository to get my containers up.

As you can see in the screenshot below, all the services are up and running:

Screenshot 2024-06-19 at 21 07 55

The traefik dashboard is also up and running:

Screenshot 2024-06-19 at 21 08 53

But the issue I'm facing is that the endpoints give a 404. Even when I try to scan an image using klar, I get the same issue which is:

docker run -e CLAIR_ADDR=localhost:6060 -e KLAR_TRACE=true -e CLAIR_OUTPUT=High -it --rm myklarimage:version alpine:latest

----> HTTP REQUEST:
GET /v2/library/alpine/manifests/latest HTTP/1.1
Host: registry-1.docker.io
Accept: application/vnd.docker.distribution.manifest.v2+json

<---- HTTP RESPONSE:
HTTP/1.1 401 Unauthorized
Content-Length: 157
Content-Type: application/json
Date: Wed, 19 Jun 2024 15:42:46 GMT
Docker-Distribution-Api-Version: registry/2.0
Docker-Ratelimit-Source: 49.207.213.133
Strict-Transport-Security: max-age=31536000
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/alpine:pull"

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/alpine","Action":"pull"}]}]}

----> HTTP REQUEST:
GET /v2/library/alpine/manifests/latest HTTP/1.1
Host: registry-1.docker.io
Accept: application/vnd.docker.distribution.manifest.v2+json
Authorization: Bearer.Token

<---- HTTP RESPONSE:
HTTP/1.1 200 OK
Content-Length: 528
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Date: Wed, 19 Jun 2024 15:42:48 GMT
Docker-Content-Digest: sha256:216266c86fc4dcef5619930bd394245824c2af52fd21ba7c6fa0e618657d4c3b
Docker-Distribution-Api-Version: registry/2.0
Docker-Ratelimit-Source: 49.207.213.133
Etag: "sha256:216266c86fc4dcef5619930bd394245824c2af52fd21ba7c6fa0e618657d4c3b"
Ratelimit-Limit: 100;w=21600
Ratelimit-Remaining: 98;w=21600
Strict-Transport-Security: max-age=31536000

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "size": 1472,
      "digest": "sha256:1d34ffeaf190be23d3de5a8de0a436676b758f48f835c3a2d4768b798c15a7f1"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 3622094,
         "digest": "sha256:d25f557d7f31bf7acfac935859b5153da41d13c41f2b468d16f729a5b883634f"
      }
   ]
}
Analysing 1 layers
----> HTTP REQUEST:
POST /v1/layers HTTP/1.1
Host: localhost:6060
Content-Type: application/json

{"Layer":{"Name":"1d34ffeaf190be23d3de5a8de0a436676b758f48f835c3a2d4768b798c15a7f1d25f557d7f31bf7acfac935859b5153da41d13c41f2b468d16f729a5b883634f","Path":"https://registry-1.docker.io/v2/library/alpine/blobs/sha256:d25f557d7f31bf7acfac935859b5153da41d13c41f2b468d16f729a5b883634f","ParentName":"","Format":"Docker","Features":null,"Headers":{"Authorization":"Bearer.Token"}}}
Failed to analyze using API v1: push image https://registry-1.docker.io/v2/library/alpine:latest to Clair failed: can't push layer to Clair: Post http://localhost:6060/v1/layers: dial tcp 127.0.0.1:6060: getsockopt: connection refused

Failed to analyze using API v3: push image https://registry-1.docker.io/v2/library/alpine:latest to Clair failed: rpc error: code = Unavailable desc = all SubConns are in TransientFailure

Failed to analyze, exiting

It is getting a valid response from docker with all the layers that the image has, but it gets a 404 response when trying to POST v1/layers.

This is happening for any image I scan, even if it is a docker repository that I have access to or any image whatsoever. And this is also not an issue with the klar image, as I've tried with clairctl as well for which I get the same response.

If I directly try to access it from my browser, which means it is trying a GET call, it ideally says Method Not Allowed as I've seen from other places, but in my installation, all it says is 404 page not found.

Screenshot 2024-06-19 at 21 14 16

Environment:
Docker version 24.0.5
Clair: Latest master (so upwards of v4.7.3 but with v4.7.4 unreleased)
Host OS: MacOS Sonoma

Been stuck on this for a while so any help would be really appreciated. Thank you!

hdonnay commented 4 months ago

That's not a valid API endpoint, please consult the OpenAPI spec for the HTTP API documentation. I'm not sure what klar is, but that path seems like it may be a Clair v2 endpoint.
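
Added example, not part of the thread or the Clair project's code: one way to check a client's traced requests against the paths in an OpenAPI document, which separates a path from the wrong API generation (404) from a wrong method on a valid path (405). The spec excerpt is a constructed, abridged assumption, as are the function names and the third sample request.

```python
import re

# Constructed, abridged excerpt of Clair v4's OpenAPI paths (an assumption for
# this example; the spec shipped with your Clair version is authoritative).
SPEC_PATHS = {
    "/indexer/api/v1/index_report": {"POST", "DELETE"},
    "/indexer/api/v1/index_report/{manifest_hash}": {"GET", "DELETE"},
    "/matcher/api/v1/vulnerability_report/{manifest_hash}": {"GET"},
}

# First two requests are copied from the trace in the issue; the third is constructed.
SAMPLE_TRACE = """\
----> HTTP REQUEST:
GET /v2/library/alpine/manifests/latest HTTP/1.1
Host: registry-1.docker.io
----> HTTP REQUEST:
POST /v1/layers HTTP/1.1
Host: localhost:6060
----> HTTP REQUEST:
GET /matcher/api/v1/vulnerability_report/sha256:abc123 HTTP/1.1
Host: localhost:6060
"""

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD|PATCH) (\S+) HTTP/1\.[01]$")

def template_to_regex(template):
    """Turn an OpenAPI path template into a regex; {param} matches one segment."""
    literals = re.split(r"\{[^/{}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literals) + "$")

def classify(method, path, spec=SPEC_PATHS):
    """Return the answer the spec implies for this method and path."""
    path = path.split("?", 1)[0]  # the query string is not part of the route
    for template, methods in spec.items():
        if template_to_regex(template).match(path):
            return "ok" if method in methods else "405 method not allowed"
    return "404 path not in spec"

def audit_trace(trace, clair_host):
    """List (method, path, verdict) for every traced request sent to clair_host."""
    lines = [line.strip() for line in trace.splitlines()]
    findings = []
    for request, host in zip(lines, lines[1:]):
        m = REQUEST_LINE.match(request)
        if m and host == f"Host: {clair_host}":
            findings.append((m.group(1), m.group(2), classify(*m.groups())))
    return findings

if __name__ == "__main__":
    for finding in audit_trace(SAMPLE_TRACE, "localhost:6060"):
        print(*finding)
```
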

sakarozone commented 4 months ago

Klar is an integration of Clair and Docker which I was using; it allows me to analyze the images, and it supports v1 and v3. This is the URL: https://github.com/optiopay/klar

But regardless of that, I also tried clairctl from https://github.com/jgsqware/clairctl
With that also I get the same issue of:
adding layer 1/2 [sha256:6f821]: pushing layer to clair: Post http://localhost:6060/v1/layers: dial tcp 127.0.0.1:6060: getsockopt: connection refused

Screenshot 2024-06-24 at 13 15 30

My goal is to run a scan on clair and generate a report.

Is this approach right? Or am I doing something wrong?

sakarozone commented 4 months ago

Closing this issue as I was getting an error because I was using https://github.com/jgsqware/clairctl rather than the clairctl which is present in the clair repository itself. Thanks @hdonnay!