atomic scan is not respecting fully-qualified image names

[miabbott]

Seen on the following CAHC version:

# atomic host status
State: idle
Deployments:
● centos-atomic-continuous:centos-atomic-host/7/x86_64/devel/continuous
       Version: 7.2016.1192 (2016-12-12 15:37:20)
        Commit: 19cf5ddbfecf80c16602ea53c46e3cd49eae569292b2d38b76c1621d22854232
        OSName: centos-atomic-host

After pulling and installing the registry.access.redhat.com/rhel7/openscap image, the attempt to scan the image causes the atomic stack to go hunting for a version of the image on docker.io

# rpm -q atomic docker skopeo
atomic-1.13.8.50-8bfeae47e765f6ed775ddbdf8858d4819cd4179c.008b0012cb69d4dcb5b57cab83487e255a3feb67.el7.centos.x86_64
docker-1.10.3-46.el7.14.x86_64
skopeo-1.14-dd6441b5468f8f6d1b94cfe1d54cd628dbea914c.a8622550b28e564c396d659b08a84becf4a81e27.el7.centos.x86_64
# docker images -a
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
# atomic pull registry.access.redhat.com/rhel7/openscap
Image registry.access.redhat.com/rhel7/openscap is being pulled to docker ...
Pulling registry.access.redhat.com/rhel7/openscap:latest ...
Copying blob sha256:f9ab7164e76a8a165fce660638966566d3a4cb9dc8b63892f784acd4d1c7b9f3
 68.72 MB / ? [---------=-----------------------------------------------------] 
Copying blob sha256:d77ab047cab88f266864ed80af55249d37a06379b4bd1afef555996259bc819f
 0 B / ? [--------------------------------------------------------------------=]
Copying blob sha256:2835dc81b6c25e8e35cc217df7c04e5eb2586158c7b9b6a48e02311c14c29f9a
 30.54 MB / ? [---------------=-----------------------------------------------] 
Copying config sha256:e5b47a50e62783a7e7e02708239b1ba895d61db817bef1af3c3c95e88c199903
 0 B / 4.51 KB [---------------------------------------------------------------]
Writing manifest to image destination
Storing signatures
 4.51 KB / 4.51 KB [===========================================================]
# atomic --debug scan --scanner openscap registry.access.redhat.com/rhel7/openscap
Created /run/atomic/2016-12-12-16-48-20-382126
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-12-12-16-48-20-382126:/scanin -v /var/lib/atomic/openscap/2016-12-12-16-48-20-382126:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
Created /run/atomic/2016-12-12-16-48-20-382126/e5b47a50e62783a7e7e02708239b1ba895d61db817bef1af3c3c95e88c199903
Mounted {u'Created': 1480610345, u'Labels': {u'io.k8s.description': u'OpenSCAP is an auditing tool that utilizes the Extensible Configuration Checklist Description Format (XCCDF). XCCDF is a standard way of expressing checklist content and defines security checklists.', u'Version': u'7.3', u'INSTALL': u'docker run --rm --privileged -v /:/host/ IMAGE sh /root/install.sh', u'vendor': u'Red Hat, Inc.', u'description': u'OpenSCAP is an auditing tool that utilizes the Extensible Configuration Checklist Description Format (XCCDF). XCCDF is a standard way of expressing checklist content and defines security checklists.', u'authoritative-source-url': u'registry.access.redhat.com', u'io.k8s.display-name': u'OpenSCAP', u'version': u'7.3', u'vcs-ref': u'd5c0945d13878de30bf8375c704d36cf8ef458d3', u'com.redhat.component': u'openscap-docker', u'distribution-scope': u'public', u'run': u'docker run -it --rm -v /:/host/ IMAGE sh /root/run.sh', u'Name': u'rhel7/openscap', u'vcs-type': u'git', u'Architecture': u'x86_64', u'Release': u'31', u'BZComponent': u'openscap-docker', u'build-date': u'2016-12-01T11:37:05.074621', u'RUN': u'docker run -it --rm -v /:/host/ IMAGE sh /root/run.sh', u'name': u'rhel7/openscap', u'summary': u"OpenSCAP container image that provides security/compliance scanning capabilities for 'atomic scan'", u'architecture': u'x86_64', u'install': u'docker run --rm --privileged -v /:/host/ IMAGE sh /root/install.sh', u'release': u'31', u'io.openshift.tags': u'security openscap scan', u'com.redhat.build-host': u'ip-10-29-120-149.ec2.internal'}, 'ImageId': u'e5b47a50e62783a7e7e02708239b1ba895d61db817bef1af3c3c95e88c199903', u'VirtualSize': 361171140, u'ParentId': u'', 'input': 'registry.access.redhat.com/rhel7/openscap', u'RepoTags': [u'registry.access.redhat.com/rhel7/openscap:latest'], u'RepoDigests': None, u'Id': u'e5b47a50e62783a7e7e02708239b1ba895d61db817bef1af3c3c95e88c199903', 'ImageType': 'Docker', u'Size': 361171140} to /run/atomic/2016-12-12-16-48-20-382126/e5b47a50e62783a7e7e02708239b1ba895d61db817bef1af3c3c95e88c199903
Creating the output dir at /var/lib/atomic/openscap/2016-12-12-16-48-20-382126
Unable to find image 'rhel7/openscap:latest' locally
Trying to pull repository docker.io/rhel7/openscap ... 
Pulling repository docker.io/rhel7/openscap
47a9a9057e1b: Already exists 
7c155bf348e9: Already exists 
aaf348b623dd: Already exists 
Status: Image is up to date for docker.io/rhel7/openscap:latest
docker.io/rhel7/openscap: this image was pulled from a legacy registry.  Important: This registry version will not be supported in future versions of docker.
...

Afterwards, it fails because of a docker issue, but that appears to be separate from this one.

[rhatdan]

@baude PTAL

[miabbott]

I ran this test again and it looks like it is not a matter of fully-qualified domains, but that atomic doesn't believe that the openscap container is installed. See the example below where I have pulled the rhel7/openscap image but use it to scan the registry.access.redhat.com/rhel7 image.

The atomic scan operation pulls in docker.io/rhel7/openscap and then runs the scan using that container.

# docker images
REPOSITORY                                  TAG                 IMAGE ID            CREATED             SIZE
registry.access.redhat.com/rhel7/openscap   latest              801c79256460        3 days ago          397.1 MB
registry.access.redhat.com/rhel7            latest              e8e3aaf82af5        2 weeks ago         192.5 MB
# atomic --debug scan --scanner openscap registry.access.redhat.com/rhel7
Created /run/atomic/2016-12-16-17-06-20-826841
docker run -t --rm -v /etc/localtime:/etc/localtime -v /run/atomic/2016-12-16-17-06-20-826841:/scanin -v /var/lib/atomic/openscap/2016-12-16-17-06-20-826841:/scanout:rw,Z -v /etc/oscapd:/etc/oscapd:ro rhel7/openscap oscapd-evaluate scan --no-standard-compliance --targets chroots-in-dir:///scanin --output /scanout
Created /run/atomic/2016-12-16-17-06-20-826841/e8e3aaf82af53563382e4079d833ebeda12f65a7afb9ab98345decbceece7e20
Mounted {u'Created': 1480544201, u'Labels': {u'com.redhat.component': u'rhel-server-docker', u'authoritative-source-url': u'registry.access.redhat.com', u'distribution-scope': u'public', u'vendor': u'Red Hat, Inc.', u'Name': u'rhel7/rhel', u'io.k8s.display-name': u'Red Hat Enterprise Linux 7', u'description': u'The Red Hat Enterprise Linux Base image is designed to be a fully supported foundation for your containerized applications.  This base image provides your operations and application teams with the packages, language runtimes and tools necessary to run, maintain, and troubleshoot all of your applications. This image is maintained by Red Hat and updated regularly. It is designed and engineered to be the base layer for all of your containerized applications, middleware and utilites. When used as the source for all of your containers, only one copy will ever be downloaded and cached in your production environment. Use this image just like you would a regular Red Hat Enterprise Linux distribution. Tools like yum, gzip, and bash are provided by default. For further information on how this image was built look at the /root/anacanda-ks.cfg file.', u'summary': u'Provides the latest release of Red Hat Enterprise Linux 7 in a fully featured and supported base image.', u'vcs-type': u'git', u'name': u'rhel7/rhel', u'vcs-ref': u'2e1957f01637c3bc7d95937709f31a300832dbef', u'release': u'53', u'Version': u'7.3', u'architecture': u'x86_64', u'version': u'7.3', u'Release': u'53', u'BZComponent': u'rhel-server-docker', u'build-date': u'2016-11-30T17:09:04.798882', u'io.openshift.tags': u'base rhel7', u'com.redhat.build-host': u'ip-10-29-120-149.ec2.internal'}, 'ImageId': u'e8e3aaf82af53563382e4079d833ebeda12f65a7afb9ab98345decbceece7e20', u'VirtualSize': 192528719, u'ParentId': u'', 'input': 'registry.access.redhat.com/rhel7', u'RepoTags': [u'registry.access.redhat.com/rhel7:latest'], u'RepoDigests': None, u'Id': u'e8e3aaf82af53563382e4079d833ebeda12f65a7afb9ab98345decbceece7e20', 'ImageType': 'Docker', u'Size': 192528719} to /run/atomic/2016-12-16-17-06-20-826841/e8e3aaf82af53563382e4079d833ebeda12f65a7afb9ab98345decbceece7e20
Creating the output dir at /var/lib/atomic/openscap/2016-12-16-17-06-20-826841
Unable to find image 'rhel7/openscap:latest' locally
Trying to pull repository docker.io/rhel7/openscap ... 
Pulling repository docker.io/rhel7/openscap
db013fc759ae: Pull complete 
7c155bf348e9: Pull complete 
aaf348b623dd: Pull complete 
ac7651230217: Pull complete 
Status: Downloaded newer image for docker.io/rhel7/openscap:latest
docker.io/rhel7/openscap: this image was pulled from a legacy registry.  Important: This registry version will not be supported in future versions of docker.
INFO:OpenSCAP Daemon one-off evaluator 0.1.6
WARNING:Can't import the 'docker' package. Container scanning functionality will be disabled.
INFO:Creating tasks directory at '/var/lib/oscapd/tasks' because it didn't exist.
INFO:Creating results directory at '/var/lib/oscapd/results' because it didn't exist.
INFO:Creating results work in progress directory at '/var/lib/oscapd/work_in_progress' because it didn't exist.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:Evaluated EvaluationSpec, exit_code=0.
INFO:[100.00%] Scanned target 'chroot:///scanin/e8e3aaf82af53563382e4079d833ebeda12f65a7afb9ab98345decbceece7e20'

registry.access.redhat.com/rhel7 (e8e3aaf82af5356)

registry.access.redhat.com/rhel7 passed the scan

Files associated with this scan are in /var/lib/atomic/openscap/2016-12-16-17-06-20-826841.

Unmounted /run/atomic/2016-12-16-17-06-20-826841/e8e3aaf82af53563382e4079d833ebeda12f65a7afb9ab98345decbceece7e20

[baude]

#857

[miabbott]

The root cause of this was actually the scanner config file in /etc/atomic.d is using an unqualified image name.

# cat /etc/atomic.d/openscap 
type: scanner
scanner_name: openscap
image_name: rhel7/openscap
default_scan: cve
custom_args: ['-v', '/etc/oscapd:/etc/oscapd:ro']
scans: [ 
      { name: cve,
        args: ['oscapd-evaluate', 'scan',  '--no-standard-compliance', '--targets', 'chroots-in-dir:///scanin',  '--output', '/scanout'],
        description: "Performs a CVE scan based on known CVE data"},
      { name: standards_compliance,
        args: ['oscapd-evaluate', 'scan', '--targets', 'chroots-in-dir:///scanin',  '--output', '/scanout', '--no-cve-scan'],
        description: "Performs a standard scan"
      }
]

I've filed a downstream bug for this: RHBZ 1418464

As general rule, we should be encouraging scanner providers to use the fully-qualified image name in the config files.