Offline vulnerabilities check #70
Hello, I recently used Anchore service and Anchore REST API to check image vulnerabilities.
The first time, I ran Anchore using docker-compose on public GCE and it worked well.
Then I copied the 'db' directory to my local PC in order to re-test in my local offline environment.
But this time, Anchore did not work properly. I could get the manifest / digest value through the API, but the image was not analyzed.
I would like to test the Anchore service in an offline environment.
Hi @bluefriday - I think we'll need a little bit more information, but we can start by sharing some context about the meaning of this state.
When an image is first 'added' to anchore-engine, its initial state will be 'not_analyzed' (which is an OK state for an image to be in). If there is an analyzer service that is successfully up and running, and the rest of the anchore services are also up and running, then the analyzer will wake up and see if there are any new images in the queue to be analyzed (i.e. in the not_analyzed state), and it should then pull the job and move the image to the 'analyzing' state. From there, the image will either be successfully analyzed (moving it to the 'analyzed' state) or, if something goes wrong, will be put in the 'analysis_failed' state.
With that being said - you should always see an image enter the 'not_analyzed' state when it is first added, but if all is going well, you should see it next go to 'analyzing', if you were to query the image (say, using
If an analyzer is not up and running, that would be the situation to try and diagnose (you should see startup failures when you bring up the service in
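As an added illustration of the diagnosis described above (not code from the thread or from the anchore-engine project): a small Python check that applies the not_analyzed / analyzing / analyzed / analysis_failed state logic and the service-health view to constructed API responses. The JSON field names (servicename, status, analysis_status, created_at, imageDigest) and the sample values are assumptions, not taken from the engine's API documentation.

```python
import json
from datetime import datetime, timedelta, timezone
# Constructed sample responses; field names (servicename, status, analysis_status,
# created_at) are assumptions about the engine API, not taken from its docs.
SERVICES_JSON = json.dumps([
    {"servicename": "apiext", "status": True, "status_message": "available"},
    {"servicename": "catalog", "status": True, "status_message": "available"},
    {"servicename": "analyzer", "status": True, "status_message": "available"},
    {"servicename": "policy_engine", "status": False,
     "status_message": "feed sync failed: cannot reach feed endpoint"},
])
IMAGES_JSON = json.dumps([
    {"imageDigest": "sha256:constructed-1", "analysis_status": "not_analyzed",
     "created_at": "2018-06-01T10:00:00Z"},   # waiting for an hour: suspicious
    {"imageDigest": "sha256:constructed-2", "analysis_status": "analyzed",
     "created_at": "2018-06-01T09:00:00Z"},
    {"imageDigest": "sha256:constructed-3", "analysis_status": "not_analyzed",
     "created_at": "2018-06-01T10:58:00Z"},   # just added: normal
])
NOW = datetime(2018, 6, 1, 11, 0, tzinfo=timezone.utc)
STUCK_AFTER = timedelta(minutes=10)
def down_services(services_json):
    # Names of services whose status flag is False.
    return sorted(s["servicename"] for s in json.loads(services_json)
                  if not s.get("status"))
def stuck_images(images_json, now, threshold=STUCK_AFTER):
    # 'not_analyzed' is a normal initial state; only an image that stays
    # there past the threshold indicates the analyzer never picked it up.
    stuck = []
    for img in json.loads(images_json):
        if img["analysis_status"] != "not_analyzed":
            continue
        added = datetime.strptime(img["created_at"], "%Y-%m-%dT%H:%M:%SZ")
        if now - added.replace(tzinfo=timezone.utc) > threshold:
            stuck.append(img["imageDigest"])
    return stuck
def diagnose(services_json, images_json, now):
    # Map observations to the situations the thread describes.
    down, stuck = down_services(services_json), stuck_images(images_json, now)
    if not stuck:
        verdict = "ok: no image waiting in not_analyzed past the threshold"
    elif "analyzer" in down:
        verdict = "analyzer is down: check its startup logs"
    elif down:
        verdict = "analyzer up but other services down: " + ", ".join(down)
    else:
        verdict = "all services report up: inspect catalog and analyzer logs"
    return {"down": down, "stuck": stuck, "verdict": verdict}
```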
@nurmi Thanks for your answer.
I took your advice and analyzed the anchore log.
Below is the log in the catalog.
The api request (/v1/system/services) for the engine is also shown below.
I think this problem occurs because the policy-engine is not running properly.
I would like to ask if there are any additional settings I can set.
Hi @bluefriday, the Anchore Engine currently has an issue that prevents it from running properly in a fully offline mode where it has no network internet access. The issue is that the policy engine component expects to be able to connect to an external feed service endpoint (by default https://ancho.re) in order to sync vulnerability data to keep image analyses up-to-date with the latest cve sources. There is another issue, #54, that is a request for this same feature: disable the feed sync cleanly in the config.yaml to enable the policy engine to run without any feed updates. For now, progress on the enhancement to disable the feed-sync will be primarily done in #54, so watch that issue. We're planning on addressing it soon, but currently do not have a specific ETA for that change.
I should mention that our Enterprise version of Anchore Engine does have a local feed service that you configure the policy-engine to connect to so with Enterprise it is possible to run in a fully offline mode. If you're interested in trying that let me know and we can discuss further.
Update on the ability to disable feed syncs in anchore-engine - we've added a new configuration parameter that allows feed syncs to be disabled in commit 'd61f643d3652579d105b4500e6da6bf804cbf073', which is also available in the latest unstable container build (docker.io/anchore/anchore-engine:dev), for from-scratch testing purposes.
The new parameter is called 'sync_enabled: <True|False>', inside the 'feeds' section of config.yaml.
That functionality should allow for the engine to come up, in the use case described in the original report!