rancher-sandbox / rancher-desktop

Container Management and Kubernetes on the Desktop
https://rancherdesktop.io
Apache License 2.0

RDX: snyk rancher desktop extension does not work with containerd backend #5061

Open l4zy0n3 opened 1 year ago

l4zy0n3 commented 1 year ago

Actual Behavior

The extension should work identically to dockerd backend

Steps to Reproduce

  1. Set up a fresh Rancher Desktop with the containerd backend
  2. Install the snyk extension: `rdctl extension install snyk/snyk-docker-desktop-extension`
  3. Open the snyk extension tab in Rancher Desktop
  4. Configure your snyk token in the Settings menu of the snyk tab
  5. Try to scan an image, e.g. nginx:latest

Result

[image attachment]
  1. Error displayed, see attachment

Expected Behavior

  1. The extension should test the image for security vulnerabilities and display the results below
  2. The extension works with dockerd backend

Additional Information

No response

Rancher Desktop Version

latest build from https://github.com/rancher-sandbox/rancher-desktop/actions/workflows/package.yaml?query=branch%3Amain

Rancher Desktop K8s Version

n/a

Which container engine are you using?

containerd (nerdctl)

What operating system are you using?

macOS

Operating System / Build Version

Ventura 13.4 (22F66)

What CPU architecture are you using?

arm64 (Apple Silicon)

Linux only: what package format did you use to install Rancher Desktop?

None

Windows User Only

No response

nunix commented 1 year ago

Based on a discussion I had with @ericsmalling from Snyk, this error is "normal" as the Snyk Docker Desktop extension looks explicitly for the `docker scan` command.

Therefore, this issue should be opened on their end, as Rancher Desktop doesn't have an influence on the solution (update the Snyk Docker Desktop Extension).

ericsmalling commented 1 year ago

@nunix, actually, the dependence on the `docker scan` command was removed back in March. The current versions of the Docker Snyk extension pull the snyk/snyk:docker image and run `snyk container test` inside of a container.

nunix commented 1 year ago

Thanks a lot for the input @ericsmalling.

I tested it and the potential issue comes from docker.sock not existing as Rancher Desktop will use containerd.sock instead:

[image attachment]

The error message above comes from Rancher Desktop v1.9.0 on Windows.

Another important point is the way nerdctl and containerd work with namespaces. This can be seen on the images tab:

For example, k8s.io namespace will contain the K3s images and the installed apps:

[image attachment]

Here's the list of the default namespaces:

[image attachment]

Again, this is just a guess, the Snyk team and Rancher Desktop developers will definitively know best.

ericsmalling commented 1 year ago

Verified it works in Rancher Desktop 1.9.0 on Mac OS 13.4 (Intel) with dockerD

[image attachment]

but not when running with containerD

The logic that will need to adapt is at: https://github.com/snyk/snyk-docker-desktop-extension/blob/df5e4f02bd81e68693a7075128af825c84acd1c4/ui/src/app-logic.ts#L79

ericsmalling commented 1 year ago

Made a test image ericsmalling/newsnykextension:rd with changes from https://github.com/snyk/snyk-docker-desktop-extension/blob/6dcce9c5fb206f073e96c8edccb4e2e2fa056dab/ui/src/app-logic.ts#L79

Change is that volume mount line now is:

          "/var/run/k3s/containerd/containerd.sock:/var/run/docker.sock",

... but I still see the same error. Any advice as to the correct socket mount path to use for the docker cli inside the container being run? (or will that even work?)

jandubois commented 1 year ago

> Made a test image ericsmalling/newsnykextension:rd with changes from https://github.com/snyk/snyk-docker-desktop-extension/blob/6dcce9c5fb206f073e96c8edccb4e2e2fa056dab/ui/src/app-logic.ts#L79

I get a 404 on that link; maybe it is a private repo?

> Change is that volume mount line now is:
>
>           "/var/run/k3s/containerd/containerd.sock:/var/run/docker.sock",
>
> ... but I still see the same error. Any advice as to the correct socket mount path to use for the docker cli inside the container being run? (or will that even work?)

There is no docker.sock with containerd, just a containerd socket, but it is a different API. If you are using the Docker API over the socket, then the extension will only work with the moby engine (dockerd).

ericsmalling commented 1 year ago

> I get a 404 on that link; maybe it is a private repo?

Aw, shoot - didn't notice it was private.

> There is no docker.sock with containerd, just a containerd socket, but it is a different API. If you are using the Docker API over the socket, then the extension will only work with the moby engine (dockerd).

That makes sense.

Snyk's CLI works w/out a container runtime but the image to be scanned has to be available to it inside the container the extension is spinning up to do the test.

ericsmalling commented 1 year ago

Tangentially related finding in: https://github.com/rancher-sandbox/rancher-desktop/issues/5081#issuecomment-1614752822

It's not directly related but if I'm going to add any kind of detection logic for containerd, that will be in the same place.

jandubois commented 1 year ago

> It's not directly related but if I'm going to add any kind of detection logic for containerd, that will be in the same place.

What kind of image formats does it support? I'm not sure if you can access the image through the containerd socket[^1], but the image storage could be mounted into the container.

[^1]: The reason nerdctl has to run inside the VM and not on the host is because it needs file-level access to the image store.
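The thread boils down to two facts: a bind-mounted docker.sock only helps when dockerd is the engine, and with containerd the scanner has to be handed the image some other way, from the right nerdctl namespace. The sketch below is an added example, not code from the Snyk extension or from Rancher Desktop. It shows the backend detection Eric mentions wanting, and a scan plan per backend. Assumptions: the containerd socket path is the one quoted above; `nerdctl save -o` and Snyk's `docker-archive:` input are used for the containerd path; the `docker run ... snyk/snyk:docker snyk container test` argument form follows Snyk's documented usage; the archive naming under /tmp is a constructed convention.

```typescript
import * as fs from "fs";

type Backend = "moby" | "containerd" | "unknown";

// Socket paths. docker.sock serves the Docker Engine API; the containerd
// path is the one quoted in the thread (assumed to match the RD VM layout).
const DOCKER_SOCK = "/var/run/docker.sock";
const CONTAINERD_SOCK = "/var/run/k3s/containerd/containerd.sock";

// True only for a real unix socket, not a stale regular file left at that path.
function isSocket(path: string): boolean {
  try {
    return fs.statSync(path).isSocket();
  } catch {
    return false;
  }
}

// Prefer dockerd when its socket is present, since a mounted docker.sock is
// the only thing that can serve the Docker API; else containerd; else unknown.
// The probe is injectable so the logic can be tested without real sockets.
function detectBackend(exists: (p: string) => boolean = isSocket): Backend {
  if (exists(DOCKER_SOCK)) return "moby";
  if (exists(CONTAINERD_SOCK)) return "containerd";
  return "unknown";
}

// Map an image reference to a safe archive file name (constructed convention).
function archivePathFor(image: string): string {
  return `/tmp/${image.replace(/[^A-Za-z0-9_.-]/g, "_")}.tar`;
}

// Return the argv vectors to run, in order, for scanning `image`.
// SNYK_TOKEN is deliberately not placed in argv; supply it via the
// extension's settings or an env file so it does not show up in process lists.
function planScan(backend: Backend, image: string, namespace = "default"): string[][] {
  switch (backend) {
    case "moby":
      // Docker API reachable: bind-mount the socket, as the extension does today.
      return [[
        "docker", "run", "--rm",
        "-v", `${DOCKER_SOCK}:/var/run/docker.sock`,
        "snyk/snyk:docker", "snyk", "container", "test", image,
      ]];
    case "containerd": {
      // containerd.sock speaks a different API, so hand the scanner a tarball
      // instead of a socket. The namespace matters: K3s images live in k8s.io.
      const archive = archivePathFor(image);
      return [
        ["nerdctl", "--namespace", namespace, "save", "-o", archive, image],
        [
          "nerdctl", "--namespace", namespace, "run", "--rm",
          "-v", `${archive}:${archive}:ro`,
          "snyk/snyk:docker", "snyk", "container", "test", `docker-archive:${archive}`,
        ],
      ];
    }
    default:
      // Refuse rather than guess a socket path that yields the error in the thread.
      throw new Error("no supported container engine socket found");
  }
}
```

Passing `"k8s.io"` as the namespace is what lets the containerd branch find the images shown in the k8s.io tab of the screenshots; the `default` namespace is where plain `nerdctl pull` puts them. The `unknown` branch fails closed on purpose: mounting a wrong socket as docker.sock is exactly what produced the error the thread is about.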