-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
analyze-local-image could not analyze layer: Got response 404 with message #69
Comments
Hi, I believe that's because you have to use the actual Image ID of the image instead of the repository name with that contrib tool. When you do PS: You should probably mount /db as well to avoid loosing the Clair database each time you restart the Docker container. |
Using the image ID doesn't help. But, I've dug a little bit more and I think the problem is because of changes with Docker 1.10 (moby/moby#20131 has similar symptoms). If I try to use the image ID I get the same error:
But I also see the missing image ID when I look at docker history (and this happens for all the containers I've tried)
Is clair or the analyze-local-images relying on this same history info? |
Really good catch. The contrib tool does rely on |
Clair is broken because of the content addressability inconsistencies in docker 1.10 (clair works fine till docker version 1.9.1); "docker history" command gives SHA256 layer IDs, while "docker save" command saves the layers.tar files in plain layer-UID directories. Not sure if clair is going to fix the issue or will it be taken care of when distribution/distribution#727 feature is supported by Docker. |
Clair is not broken per se. The contrib tool that helps analyzing local images is. |
Yes, only the contrib tool is affected. As a work around, would it work if the contrib tool for local image scanning is run inside a container with docker version 1.9.1 installed in the container and by mounting /var/lib/docker directory of host in the container? I guess not as the migration tools of docker 1.10 talks only of converting 1.9.x images to 1.10 compatible images and not the other way round. |
It won't. I believe that the solution would be to make the contrib tool read the manifests instead as they orderly point to the layers / blobs. I'll try to experiment and see how it goes asap. Just a lot of work with the new major version of Clair that will be released really soon. Any contributions are very welcomed. |
The saved manifest uses the struct in docker/image/tarexport/tarexport.go. |
@kuldeepb I cannot find the place to reply your last comment in github :( |
Sorry, I deleted my comment after seeing your reply to the first one. I
|
This issue was originally addressed in quay#69, but looks to have been reverted since then. As of right now, certain images that have missing layers or layers that are not in the docker save output will cause an error with the analyze_local_images command. Switching back to reading layers from manifest.json file from docker save of the image.
We have installed the latest version of Clair and still getting this issue. Do we still have to use Docker 1.9.1? Is this the conclusion of this issue? |
I've got clair running in a docker container:
But when I try to analyze-local-images debian:jessie, it is able to save the image, but errors during analyis:
If I look inside the container that's running clair, I do see the images in /tmp/
Any ideas?
The text was updated successfully, but these errors were encountered: