tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

Running tern with podman returns cert error #1087

Closed muzammil786 closed 2 years ago

muzammil786 commented 2 years ago

How can we run ternd analysis using podman? I tried by creating the podman socket and using the command below:

sudo podman run --privileged --device /dev/fuse -v /run/podman/podman.sock:/var/run/docker.sock:z --rm ternd report -i python:3.9-slim-buster > output.txt

But it got errors like:

2021-11-23 18:19:10,954 - DEBUG - rootfs - Running command: unshare -pf --mount-proc=/root/.tern/temp/mergedir/proc chroot /root/.tern/temp/mergedir  -c export PYTHON_GET_PIP_SHA256="c518250e91a70d7b20cceb15272209a4ded2a0c263ae5776f129e0d9b5674309" && export PYTHON_GET_PIP_URL="https://github.com/pypa/get-pip/raw/3cb8888cc2869620f57d5d2da64da38f516078c7/public/get-pip.py" && export PYTHON_SETUPTOOLS_VERSION="57.5.0" && export PYTHON_PIP_VERSION="21.2.4" && export PYTHON_VERSION="3.9.9" && export GPG_KEY="E3FF2839C048B25C084DEBE9B26995E310250568" && export LANG="C.UTF-8" && export PATH="/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" && pkgs=`dpkg-query -W -f '${Package}
'` && for p in $pkgs; do /bin/cat /usr/share/doc/$p/copyright; echo LICF; done
2021-11-23 18:19:10,973 - ERROR - rootfs - Command failed. chroot: failed to run command ‘’: No such file or directory

nishakm commented 2 years ago

At this time, tern relies on docker to pull images, but we are moving away from that. Meanwhile, you can try using the --live option on a running podman container like this:

mnt=`podman mount <container>`
tern report --live $mnt

I have a reference of how this works here: https://github.com/vmware-samples/containers-with-sboms/blob/main/base_container.sh

nishakm commented 2 years ago

@muzammil786 We made a release recently that removed docker as a dependency for analyzing container images. Try:

sudo podman run --rm ternd report -i python:3.9-slim-buster > output.txt

after rebuilding the new Dockerfile.

muzammil786 commented 2 years ago

@nishakm I have got a certificate validation error:

2022-01-06 11:27:58,117 - ERROR - skopeo - Error when downloading image: "b'time="2022-01-06T11:27:58Z" level=fatal msg="Error initializing source docker://<redact>: error pinging docker registry <private registry>: Get \\"https://<private registry>/v2/\\": x509: certificate signed by unknown authority"\n'"

How do I send the src-tls-verify=false option to skopeo or mount the cert dir? Is there any env variable I can pass to ignore cert validation?

nishakm commented 2 years ago

@muzammil786 not at this time. We can probably modify the Dockerfile to create a volume mount. Or podman perhaps has some way of enabling this. I will take a look.

muzammil786 commented 2 years ago

@nishakm Thanks. I have sorted this out by adding my registry into the base image.

COPY registries.conf /etc/containers/registries.conf

This line in the docker/Dockerfile helped me sail for now :-)
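As an added example (not code from this issue or from the tern project), this is the shape of the registries.conf that the COPY line above places in the image, written so the private registry is registered without turning off TLS verification. The registry hostname and port are placeholders, and it assumes the skopeo inside the tern image reads the standard containers-registries.conf and certs.d locations.

```toml
# Added example, not from the tern project. Registry location is a placeholder.
unqualified-search-registries = ["docker.io"]

[[registry]]
location = "registry.example.internal:5000"

# Keep certificate checking on. Instead of disabling it, make the registry's
# CA available to skopeo by placing it at
#   /etc/containers/certs.d/registry.example.internal:5000/ca.crt
# (a second COPY in the Dockerfile, or a volume mount of that directory).
insecure = false
```

Setting `insecure = true` here is the registries.conf equivalent of skopeo's `--src-tls-verify=false`: it makes the "certificate signed by unknown authority" error disappear, but it also accepts any certificate (and plain HTTP) for that registry, so the image contents used to build the SBOM are no longer authenticated. Shipping the CA certificate alongside the registries.conf keeps the same workflow working with verification intact.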

nishakm commented 2 years ago

I am not able to reproduce this error when running sudo podman run --privileged --rm tern report -i python:3.9-slim-buster. At this time, running podman as root and using --privileged is the only way to get around the permission issues when creating device nodes (see #1115 ). I will close this issue.