claircore: open /tmp: operation not supported

Question

claircore: open /tmp: operation not supported

kamalpreetSec opened this issue 4 months ago · comments

Description of Problem / Feature Request

We are running Clair in Combo mode. It is running fine with version 4.7.1, but when we upgraded to 4.7.3, getting the 500 internal server error.

Expected Outcome

Scan should run successfully, currently it is failing with 500 internal server error.

Actual Outcome

he scan is failing with 500 internal server error.

2024-03-14T08:58:52Z DBG index error error="unexpected return status: 500" digest=sha256:xxxxxxxxxx ref=/postgres:12.1
2024-03-14T08:58:52Z ERR error="unexpected return status: 500"

Environment

Clair version/image: 4.7.3 / image: quay.io/projectquay/clair:4.7.3
Clair client name/version: clairctl 4.7.3
Host OS: Oracle Linux 7
Kernel (e.g. uname -a): 5.4.17-2136.304.4.1.el7uek.x86_64
Kubernetes version (use kubectl version): Docker Version: 19.03.11-ol
Network/Firewall setup: Corporate proxy

Hank Donnay · Answer 1 · Thu Mar 14 2024 18:55:00 GMT+0800 (China Standard Time)

Clair 4.7.3 and later require wherever it's configured to write temporary files to support the O_TMPFILE open(2) flag. This has been in the kernel and most in-tree filesystems for over a decade.

What filesystem is mounted at $TMPDIR (or /tmp if that's unset)?

kamalpreetSec · Answer 2 · Thu Mar 14 2024 20:14:03 GMT+0800 (China Standard Time)

Its xfs filesystem. It has been mounted to an attached block volume.

/random/tmp /tmp xfs bind,defaults,noatime,_netdev 0 2

where
/dev/mapper/datavg-random--lv /random xfs defaults,noatime,nofail,_netdev 0 2

Hank Donnay · Answer 3 · Fri Mar 15 2024 06:56:27 GMT+0800 (China Standard Time)

Is the dependency on that mount expressed in the service manager?

kamalpreetSec · Answer 4 · Fri Mar 15 2024 13:55:28 GMT+0800 (China Standard Time)

yes, the above entries are in /etc/fstab

kamalpreetSec · Answer 5 · Fri Mar 15 2024 20:32:38 GMT+0800 (China Standard Time)

We checked in logs that open with O_TMPFILE fails.

[~] docksh clairv4
bash-4.4$ /tmp/tmp_file /tmp
Error opening temporary file in /tmp: Operation not supported

Is it possible to place the fix where fall back happens to a non-O_TMPFILE path if the open() fails.

kamalpreetSec · Answer 6 · Fri Mar 15 2024 20:37:04 GMT+0800 (China Standard Time)

Also, from logs the permissions are 0644, will increasing the permissions help?

openat(AT_FDCWD, "/tmp", O_WRONLY|O_CLOEXEC|O_TMPFILE, 0644

Gleb · Answer 7 · Mon Mar 18 2024 17:07:39 GMT+0800 (China Standard Time)

I believe it should move under quay/claircore , there is similar PR quay/claircore#1140
Created quay/claircore#1289

Struggling with same, tmpfs in our cluster and nfsfs for pvc do not support this operation.
Tried also permissions and non-rootless container, overriding TMPDIR etc.
Problem is specifically in flag not supported by docker kernel.

Can there be a patch in clair core similarly to this?
https://github.com/libvips/libvips/pull/1155/files
(original thread with same problem in libvips: libvips/libvips#1151)

Gleb · Answer 8 · Fri Apr 05 2024 16:02:33 GMT+0800 (China Standard Time)

fixed with quay/claircore#1292 , waiting for merge and release of #2020