Problem running clair as a container in docker swarm #446

Closed
ChrisCGH opened this issue Aug 18, 2017 · 4 comments

@ChrisCGH

I am trying to run clair as part of a docker swarm stack which runs clair, postgres and clairctl as services which can talk to each other over an overlay network.
The services all appear to run ok. The clair logs seem to show that it is running and I can see that the postgres database is populated. Requests to http://clair:6061/health from the clairctl container return HTTP 200.
But requests to http://clair:6060 are refused even though the clair container is exposing ports 6060 and 6061.
If I do "docker exec -it <container_id> sh" to see what's going on inside the clair container, I can see that it is listening on :::6060 for the health request but listening on localhost:6061 for the API.
Looking at the clair code in api/v3/server.go, I see this:

func Run(GrpcPort int, tlsConfig *tls.Config, CertFile, KeyFile string, store database.Datastore) {
	l, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", GrpcPort))

i.e. the clair API is explicitly listening on localhost, and there's no way to override that.
All this leads me to think that what I'm trying to do will never work - is that the case?

Chris
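
Added example, not part of the original thread or the Clair code base: a small Go helper that classifies the local-address column of `netstat -tln` or `ss -tln` output, the check described in the post above, to tell a loopback-only listener from one that other containers on the overlay network can reach. The names `Scope` and `BindScope` are hypothetical, and the sample addresses beyond the two quoted in the post are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Scope describes who can reach a listening socket (hypothetical type).
type Scope string
const (
	LoopbackOnly  Scope = "loopback-only"  // reachable only inside the container
	AllInterfaces Scope = "all-interfaces" // reachable from the overlay network
	SingleAddress Scope = "single-address" // reachable via one specific interface
)

// BindScope classifies a netstat/ss local address such as ":::6060" or "localhost:6061".
func BindScope(local string) (Scope, string, error) {
	i := strings.LastIndex(local, ":") // the port follows the last colon, even for IPv6
	if i < 0 {
		return "", "", fmt.Errorf("no port in %q", local)
	}
	host, port := strings.Trim(local[:i], "[]"), local[i+1:]
	if host == "" || host == "*" {
		return AllInterfaces, port, nil
	}
	if host == "localhost" {
		return LoopbackOnly, port, nil
	}
	ip := net.ParseIP(host)
	switch {
	case ip == nil:
		return "", "", fmt.Errorf("unrecognised host %q", host)
	case ip.IsUnspecified(): // 0.0.0.0 or ::
		return AllInterfaces, port, nil
	case ip.IsLoopback(): // 127.0.0.0/8 or ::1
		return LoopbackOnly, port, nil
	}
	return SingleAddress, port, nil
}

func main() {
	// Constructed sample: local-address column of `netstat -tln` in a container.
	for _, a := range []string{":::6060", "localhost:6061", "0.0.0.0:6060", "10.0.0.5:6060"} {
		scope, port, err := BindScope(a)
		fmt.Println(a, "->", scope, port, err)
	}
}
```

A loopback-only result for a port the service is meant to expose explains a refused connection from another container; an all-interfaces result for a port meant to stay private is the opposite finding and worth reviewing.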

@jzelinskie
Contributor

Hey there, that was a bug on master which has a lot of changes.
I suggest trying a stable release or you could keep playing with master if you don't mind running into a few bugs and a brand new API.

@ChrisCGH
Author

Thanks, I did realise in the end that I was probably using the wrong version of the clair image, and I got clair:2.0.1 working.
I did notice something else, which is that the "grpcPort" key/value in the config file was ignored, unless it said "grpcport" (all lower case) instead.
Finally, just fyi, I just got a security scan working on clair-git:latest from Friday, and it found an "important" vulnerability in the git layer: "git 2.11.2-r0 - CVE-2017-1000117"

Chris

@jzelinskie
Contributor

jzelinskie commented Aug 21, 2017

Hey Chris,

> I did notice something else, which is that the "grpcPort" key/value in the config file was ignored, unless it said "grpcport" (all lower case) instead.

That's because you probably got your sample config from the master git branch which has breaking (config) changes. You can find a sample config for a stable release on the release-2.0 branch.

I'm glad to see you got things working with HEAD, though. If you find any bugs, please let us know.

@ChrisCGH
Author

Yes, I just followed the instructions on https://github.com/coreos/clair/blob/master/Documentation/running-clair.md, to get a config file:
curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o $PWD/clair_config/config.yaml
I have got it working with clair:v2.0.1 and clairctl, though sometimes clair seems to hang and I have to kill the clairctl command and run it again.

KeyboardNerd added a commit to KeyboardNerd/clair that referenced this issue Feb 2, 2018