Clair: updater can't finish his work #275
Comments
I also hit this issue when I tried to run with Docker (https://github.com/coreos/clair#docker). It seems it is too slow, and it always hangs in that status. Is it possible to fix this slowness issue?
Hi, On a specific Clair instance, the first run of some vulnerability/metadata fetchers (i.e. Ubuntu, NVD) takes a relatively long time because the data for every year must be checked out. Subsequent loops only fetch the difference (if any). More generally, the first update run takes a while because every available vulnerability has to be inserted into the database. If the updater appears to never end, which we have never encountered before, I'd monitor the network. You'd either see one or more fetchers running, or Clair communicating with the database.
First of all, thanks for your quick reply. I think I understood the log's meaning (approximately).
At this point I took your advice and I tried to check whether Clair and the database were in communication.
I captured this pcap file with tcpdump, where I can see that the two containers (172.18.0.2 = postgres; 172.18.0.3 = clair) are in communication. Then I tried to understand what they were saying with Wireshark, but I'm not very good with it, so I didn't get anything more. I guess it's all working and the problem may be my slow connection. I will try again to start Clair at my university tomorrow, but I tried once without results.
According to the pcap file, it looks like it was still inserting into the database.
Yes, this morning I tried at my university and finally I got the "update finished" logs in about 2 hours. Then I tried again and in about an hour and a half I got the same. I think now all is working as expected; I was just wondering about a method to improve the update routine. As I understand it, the only way is to have a fast connection, right? PS: Anyway, thank you for your help. I will follow the development of Clair with great interest.
Thanks, glad to hear that!
@Quentin-M I got many errors during those insert-into-database steps, as below:
@HackToday The issue was #238, fixed by #263. Please update to include this patch.
OK @Quentin-M, I will try that new version. It seems this new fix was to ignore duplicate errors in the DB and trust the DB unique constraints. Right?
@HackToday That's pretty much the idea. There's no error anymore; we simply try to create or retrieve the Vulnerability_FixedIn_Feature record, instead of only trying to create it. Then, if it already existed, we skip the Vulnerability_Affects_FeatureVersion linkage.
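The create-or-retrieve behaviour described in the reply above, as an added example that is not Clair's own code: an in-memory SQLite database with a UNIQUE constraint standing in for the PostgreSQL tables named in the thread (the table and column names, the sample feed and its ids are simplified assumptions, not Clair's real schema or data). It shows the pre-fix blind INSERT failing on a second updater run over data that is already present, and the get-or-create version that retrieves the existing row and skips the linkage instead.

```python
"""Added example, not Clair's code: the create-or-retrieve pattern from the
fix described above, on an in-memory SQLite database. Table and column
names are simplified stand-ins for the Clair tables named in the thread
(an assumption, not the real schema)."""
import sqlite3

SCHEMA = """
CREATE TABLE vulnerability_fixedin_feature (
    id INTEGER PRIMARY KEY,
    vulnerability_id INTEGER NOT NULL,
    feature_id INTEGER NOT NULL,
    fixed_version TEXT NOT NULL,
    UNIQUE (vulnerability_id, feature_id)       -- the constraint we rely on
);
CREATE TABLE vulnerability_affects_featureversion (
    fixedin_id INTEGER NOT NULL REFERENCES vulnerability_fixedin_feature(id),
    featureversion_id INTEGER NOT NULL,
    UNIQUE (fixedin_id, featureversion_id)
);
"""

# Constructed sample feed (assumed ids, not real vulnerability data):
# (vulnerability_id, feature_id, fixed_version, affected featureversion ids)
SAMPLE_FEED = [
    (1, 10, "2.4.1", [100, 101]),
    (2, 11, "1.0.3", [102]),
]

INSERT_FIXEDIN = ("INSERT INTO vulnerability_fixedin_feature "
                  "(vulnerability_id, feature_id, fixed_version) VALUES (?, ?, ?)")


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_only(conn, vuln_id, feature_id, fixed_version):
    """Pre-fix behaviour: a blind INSERT. Re-running the updater over data
    that is already present violates the UNIQUE constraint and raises."""
    return conn.execute(INSERT_FIXEDIN, (vuln_id, feature_id, fixed_version)).lastrowid


def create_or_retrieve(conn, vuln_id, feature_id, fixed_version):
    """Post-fix behaviour: attempt the INSERT; on a constraint violation
    fetch the row that already exists. Returns (row_id, created)."""
    try:
        cur = conn.execute(INSERT_FIXEDIN, (vuln_id, feature_id, fixed_version))
        return cur.lastrowid, True
    except sqlite3.IntegrityError:
        # SQLite leaves the transaction usable after a failed statement.
        # PostgreSQL does not: there you need a SAVEPOINT around the INSERT,
        # or INSERT ... ON CONFLICT DO NOTHING (9.5+), to get the same effect.
        row = conn.execute(
            "SELECT id FROM vulnerability_fixedin_feature "
            "WHERE vulnerability_id = ? AND feature_id = ?",
            (vuln_id, feature_id)).fetchone()
        return row[0], False


def apply_update(conn, feed):
    """Run one updater pass over the feed. Returns (created, skipped):
    linkage rows are written only for records created in this pass."""
    created = skipped = 0
    for vuln_id, feature_id, fixed_version, affected in feed:
        fixedin_id, is_new = create_or_retrieve(conn, vuln_id, feature_id, fixed_version)
        if not is_new:
            skipped += 1      # record already existed: skip the linkage, as the fix does
            continue
        conn.executemany(
            "INSERT INTO vulnerability_affects_featureversion "
            "(fixedin_id, featureversion_id) VALUES (?, ?)",
            [(fixedin_id, fv) for fv in affected])
        created += 1
    conn.commit()
    return created, skipped


def count_links(conn):
    return conn.execute(
        "SELECT COUNT(*) FROM vulnerability_affects_featureversion").fetchone()[0]


def pre_fix_rerun_fails():
    """Show the pre-fix failure mode: a second run raises on the first duplicate."""
    conn = connect()
    insert_only(conn, 1, 10, "2.4.1")
    try:
        insert_only(conn, 1, 10, "2.4.1")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    db = connect()
    print("first run  (created, skipped):", apply_update(db, SAMPLE_FEED))
    print("second run (created, skipped):", apply_update(db, SAMPLE_FEED))
    print("linkage rows:", count_links(db))
    print("pre-fix rerun raises:", pre_fix_rerun_fails())
```

Running it applies the same feed twice: the first pass creates both records and three linkage rows, the second pass creates nothing, skips both, and leaves the linkage count unchanged, while the pre-fix path raises on its second run. The design relies on the database's own uniqueness guarantee rather than a read-then-write check in the application, which is what makes it safe against an interrupted earlier run and against two updater loops racing each other.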
Hi,
I'm a student who is looking to do some "testing" with Clair to understand a little more about container security.
I'm able to boot up a Clair instance through the docker-compose based approach mentioned in the main README file, and I also successfully set up the "analyze-local-images" tool and got it working.
When I start with the "docker-compose up" command, I see these logs:
STDOUT stops here.
All seems to be working, but if I use the "analyze-local-images" tool on a local image, Clair says "image is safe" (I'm testing on images that I know have some vulnerabilities).
So, at this point, I wait, because from Clair's logs it seems the updater has not finished (it's not mentioned anywhere).
In about 13-15 minutes a new log appears, this one:
If I try again once this appears, the same image I analyzed before now shows vulnerabilities and all works. The problem is that I never see the "updater: finished" log (even if I wait for hours), so I miss some vulnerabilities and my analyses are incomplete.
I read in OTHER issues that perhaps my connection is too slow, so I tried with the university connection, which is very good, but I did not get results.
I tried to use the local tool on the Clair image from quay.io to do some comparisons with "the Clair instance" that, as I understood it, is working and scanning the Quay registry.
With this last test I found about 112 vulnerabilities, while Quay finds about 130. So I guess that I'm missing only the NVD vulnerabilities.
PS: I'm using the latest versions of Clair, Docker, and docker-compose.