Cannot analyze image using analyze-local-images about clair HOT 8 CLOSED

Hi,

I believe that it could be related to #27, fixed this morning by 9391417. Do you have the latest version of the tool ?

from clair.

@Quentin-M I ran this to install the tool:

go get -u github.com/coreos/clair/contrib/analyze-local-images

but I'm not mounting /tmp. Should I?

from clair.

@Quentin-M after adding -v /tmp:/tmp to the way the clair contained is created, everything works as expected. Sorry for the duplicate, but it would be nice if this is documented somewhere (or if the webserver is always launched no matter the endpoint configuration).

Anyhow, thanks for the tip.

from clair.

My pleasure. I just improved the README.

from clair.

@Quentin-M when I launch clair, I see this

2015-11-24 21:34:37.511696 I | updater/fetchers: fetching Debian vulneratibilities
2015-11-24 21:34:37.511802 I | updater/fetchers: fetching Red Hat vulneratibilities
2015-11-24 21:34:37.511894 I | updater/fetchers: fetching Ubuntu vulneratibilities

but it does not seem to finish. I took a quick look at the container with docker exec -ti container_id ps aux and this is what I see:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  1.8  0.2 479912 43404 ?        Ssl+ 21:34   0:01 clair --db-type=bolt --db-path=/db/database --log-level=debug
root        13 42.8  3.1 585080 508000 ?       R+   21:34   0:38 /usr/bin/python /usr/bin/bzr branch lp:ubuntu-cve-tracker /tmp/ubuntu-cve-tracker508522274/repository
root        16  0.0  0.0  20232  1996 ?        Ss   21:35   0:00 bash
root        25  0.0  0.0  17484  1120 ?        R+   21:36   0:00 ps aux

so I have two questions:

• Will there be a message saying that the update process is done?
• Why isn't there an update process for RedHat?

Sorry to ask in the same ticket, if there is a mailing list for Clair, I will be more than happy to send an email there.

from clair.

Eventually the python process will go away (I assume because it finishes successfully, thought there is no log entry suggesting that) and all I see is this:

ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  3.9  0.6 541988 109560 ?       Ssl+ 21:34   0:11 clair --db-type=bolt --db-path=/db/database --log-level=debug
root        16  0.0  0.0  20232  1996 ?        Ss   21:35   0:00 bash
root        28  0.0  0.0  17484  1132 ?        R+   21:39   0:00 ps aux

which is fine I guess. My problem here is that I am analyzing an image which is based on CentOS:6.6 and when I run the tool it just says BRAVO :). Not that I'm not happy for such a message but I just find it strange, so I want to make sure that everything is in place before telling myself that clair does not detect any security vulnerability.

from clair.

There is currently no mailing list.

• Yes, a message is printed at the end of the update. You can also increase the log level with --log-level=trace.
• Both Debian and Red Hat vulnerabilities are fetched directly in pure Go, there are just some go routines for that. However, as you noticed, Clair needs to clone a bzr repository and uses an external tool for that.
• The initial update can be quite long, especially because the Ubuntu repository is pretty big (~200MB), needs to be entirely cloned and has a poor bandwidth.

Edit: The fact that the python process is finished doesn't mean that the update is finished. It still needs to parse the Ubuntu vulnerabilities and then insert everything in the database.

from clair.

@Quentin-M all right. I will keep an eye on it and wait until it's done. Some more information will be nice though just to keep the impatient user (like me) on the loop.

from clair.