quay / clair

Vulnerability Static Analysis for Containers

Home Page:https://quay.github.io/clair/


Having issues with running clair report - receiving 401 not authorized from index api

brenguy opened this issue · comments

Description of Problem / Feature Request

Receiving "not authorized" HTTP responses when running clairctl. The docker-compose up for clair was used to install the services, from the 4.4 release branch.

Expected Outcome

Should receive a CVE report.

Actual Outcome

clairctl -D report ubuntu:focal
2022-05-20T22:35:17Z DBG fetching ref=ubuntu:focal
2022-05-20T22:35:17Z DBG using text output
2022-05-20T22:35:17Z DBG found manifest digest=sha256:9d42d0e3e57bc067d10a75ee33bdd1a5298e95e5fc3c5d1fce98b455cb879249 ref=ubuntu:focal
2022-05-20T22:35:17Z DBG requesting index_report attempt=1 digest=sha256:9d42d0e3e57bc067d10a75ee33bdd1a5298e95e5fc3c5d1fce98b455cb879249 ref=ubuntu:focal
2022-05-20T22:35:17Z DBG  digest=sha256:9d42d0e3e57bc067d10a75ee33bdd1a5298e95e5fc3c5d1fce98b455cb879249 method=GET path=/indexer/api/v1/index_report/sha256:9d42d0e3e57bc067d10a75ee33bdd1a5298e95e5fc3c5d1fce98b455cb879249 ref=ubuntu:focal status="401 Unauthorized"
2022-05-20T22:35:17Z DBG index error error="unexpected return status: 401" digest=sha256:9d42d0e3e57bc067d10a75ee33bdd1a5298e95e5fc3c5d1fce98b455cb879249 ref=ubuntu:focal
2022-05-20T22:35:17Z ERR  error="unexpected return status: 401" 

Environment

  • Clair version/image: 4.4
  • Clair client name/version: version 0.2.0 (built from the same release branch as 4.4)
  • Host OS: Centos 7.4
  • Kernel (e.g. uname -a): 3.10.0-1160.59.1.el7.x86_64
  • Network/Firewall setup: Open access to the internet

I noticed that the traefik settings may need adjustment?

time="2022-05-20T21:07:14Z" level=error msg="close tcp [::]:6060: use of closed network connection" entryPointName=clair
time="2022-05-20T21:07:14Z" level=error msg="close tcp [::]:8443: use of closed network connection" entryPointName=quay
time="2022-05-20T21:07:14Z" level=error msg="accept tcp [::]:8443: use of closed network connection" entryPointName=quay
time="2022-05-20T21:07:14Z" level=error msg="close tcp [::]:8080: use of closed network connection" entryPointName=traefik
time="2022-05-20T21:07:14Z" level=error msg="close tcp [::]:5432: use of closed network connection" entryPointName=postgresql
time="2022-05-20T21:07:14Z" level=error msg="accept tcp [::]:8080: use of closed network connection" entryPointName=traefik
time="2022-05-20T21:07:14Z" level=error msg="accept tcp [::]:6060: use of closed network connection" entryPointName=clair
time="2022-05-20T21:12:31Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yaml"
time="2022-05-20T21:12:31Z" level=error msg="server not found"
time="2022-05-20T21:12:31Z" level=error msg="server not found"

CONTAINER ID   IMAGE                             COMMAND                  CREATED       STATUS                 PORTS                                                                                                                                                                                    NAMES
aef0c9ad127a   traefik:v2.2                      "/entrypoint.sh trae…"   2 hours ago   Up 2 hours             0.0.0.0:6060->6060/tcp, :::6060->6060/tcp, 80/tcp, 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp, 0.0.0.0:49159->5432/tcp, :::49159->5432/tcp, 0.0.0.0:49158->8443/tcp, :::49158->8443/tcp   clair-traefik
0feed8882430   quay.io/projectquay/golang:1.17   "go run -mod=vendor …"   2 hours ago   Up 2 hours                                                                                                                                                                                                      clair-matcher
184fe27f0af6   quay.io/projectquay/golang:1.17   "go run -mod=vendor …"   2 hours ago   Up 2 hours                                                                                                                                                                                                      clair-indexer
14798e9b2e7d   postgres:12                       "docker-entrypoint.s…"   2 hours ago   Up 2 hours (healthy)   5432/tcp                                                                                                 clair-database

9:00PM DBG logging initialized component=initialize/Logging
9:00PM INF starting component=main version=v4.4.1
9:00PM INF  component=main lint="automatically sizing number of concurrent requests (at $.indexer.index_report_request_concurrency)"
9:00PM DBG found cgroups v1 and cpu controller component=main
9:00PM DBG falling back to root hierarchy component=main
9:00PM ERR unable to guess GOMAXPROCS value error="open //sys/fs/cgroup/cpuacct,cpu/cpu.cfs_quota_us: no such file or directory" component=main
9:00PM INF ready component=main version=v4.4.1
9:00PM INF registered signal handler component=main
9:00PM INF launching introspection server component=main
9:00PM WRN no health check configured; unconditionally reporting OK component=introspection/New
9:00PM INF configuring prometheus component=introspection/Server.withPrometheus endpoint=/metrics server=:8089
9:00PM INF configuring jaeger exporter to push to agent component=introspection/New
9:00PM INF launching http transport component=main
9:00PM INF begin service initialization component=initialize/Services
9:00PM INF distributed tracing configured component=introspection/New
9:00PM INF created database connection component=libindex/New
9:00PM DBG set up component=internal/ctxlock/Locker.reconnect gen=1
9:00PM INF registered configured scanners component=libindex/New
9:00PM INF end service initialization component=initialize/Services
9:00PM INF openapi discovery configured component=httptransport/New path=/openapi/v1
9:12PM DBG logging initialized component=initialize/Logging
9:12PM INF starting component=main version=v4.4.1
9:12PM INF  component=main lint="automatically sizing number of concurrent requests (at $.indexer.index_report_request_concurrency)"
9:12PM DBG found cgroups v1 and cpu controller component=main
9:12PM DBG falling back to root hierarchy component=main
9:12PM ERR unable to guess GOMAXPROCS value error="open //sys/fs/cgroup/cpuacct,cpu/cpu.cfs_quota_us: no such file or directory" component=main
9:12PM INF ready component=main version=v4.4.1
9:12PM INF registered signal handler component=main
9:12PM INF launching introspection server component=main
9:12PM INF launching http transport component=main
9:12PM INF begin service initialization component=initialize/Services
9:12PM WRN no health check configured; unconditionally reporting OK component=introspection/New
9:12PM INF configuring prometheus component=introspection/Server.withPrometheus endpoint=/metrics server=:8089
9:12PM INF configuring jaeger exporter to push to agent component=introspection/New
9:12PM INF distributed tracing configured component=introspection/New
9:12PM INF created database connection component=libindex/New
9:12PM DBG set up component=internal/ctxlock/Locker.reconnect gen=1
9:12PM INF registered configured scanners component=libindex/New
9:12PM INF end service initialization component=initialize/Services
9:12PM INF openapi discovery configured component=httptransport/New path=/openapi/v1
10:16PM DBG failed to retrieve jwt from header component=middleware/auth/PSK.Check
10:35PM DBG failed to parse jwt error="square/go-jose: error in cryptographic primitive" component=middleware/auth/PSK.Check
10:40PM DBG failed to parse jwt error="square/go-jose: error in cryptographic primitive" component=middleware/auth/PSK.Check
11:02PM DBG failed to retrieve jwt from header component=middleware/auth/PSK.Check
11:02PM DBG failed to retrieve jwt from header component=middleware/auth/PSK.Check
11:02PM DBG failed to retrieve jwt from header component=middleware/auth/PSK.Check

It appears my requests are hitting the indexer service (so routing is working), but JWT tokens are missing. Not clear on how those are generated or configured, and how to install them within the confines of the docker-compose file...

You'll need to use the same configuration file for clairctl when authentication is configured.
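The two failure modes in the indexer log above (no Authorization header at all, versus a token signed under a different key) are exactly what the maintainer's answer addresses: the client must sign with the same auth.psk.key and use an issuer listed under auth.psk.iss. The following Go example is added here and is not clairctl's or Clair's own code; it assumes Clair's PSK scheme is an HS256 signature over the base64-decoded shared key with a check of the iss claim, as Clair's config reference documents, while the error strings only echo the log lines and other claims are omitted.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url
func hs256(key []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// MintPSKToken builds the HS256 JWT a client presents (assumed shape). key is the
// decoded value of auth.psk.key from config.yaml; iss must be listed under auth.psk.iss.
func MintPSKToken(key []byte, iss string) string {
	claims, _ := json.Marshal(map[string]string{"iss": iss})
	in := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(claims)
	return in + "." + b64.EncodeToString(hs256(key, in))
}

// VerifyPSKToken mirrors the server-side checks whose failures appear in the indexer
// log above: no bearer header, signature under a different key, issuer not allowed.
func VerifyPSKToken(authHeader string, key []byte, issuers []string) error {
	if !strings.HasPrefix(authHeader, "Bearer ") {
		return errors.New("failed to retrieve jwt from header")
	}
	parts := strings.Split(strings.TrimPrefix(authHeader, "Bearer "), ".")
	if len(parts) != 3 {
		return errors.New("malformed jwt")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(key, parts[0]+"."+parts[1])) {
		return errors.New("error in cryptographic primitive") // client and server keys differ
	}
	var c struct{ Iss string `json:"iss"` }
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return errors.New("unreadable claims")
	}
	for _, i := range issuers {
		if i == c.Iss {
			return nil
		}
	}
	return errors.New("issuer " + c.Iss + " not in auth.psk.iss")
}
```

Running clairctl without CLAIR_CONF reproduces the first error string; pointing it at a config whose auth.psk.key differs from the server's reproduces the second.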

Will close shortly if there are no new updates.

For those looking for a quick guide on setting up clair using the local-dev environment on an ubuntu machine, see the below commands.

  • Initial setup using docker-compose
git clone https://github.com/quay/clair.git && cd clair
docker-compose up
  • In a separate terminal, download clairctl and scan alpine:latest
curl -L https://github.com/quay/clair/releases/latest/download/clairctl-linux-amd64 -o clairctl && chmod +x clairctl
export CLAIR_CONF=/home/ubuntu/clair/local-dev/clair/config.yaml
./clairctl report alpine:latest

I think you need to copy/edit this config so as to replace 'clair-indexer' and 'clair-matcher' with your hostname(s), or 'localhost' in the case of the local-dev env.