better-nail-51710

10/14/2022, 8:02 AM
Hello again, I'm running Rancher Desktop 1.6.0 on MacBook. I want to scan an image that has been built locally (with nerdctl), but I receive the following error:
FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
	* unable to inspect the image (nginx-helloworld:latest): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* failed to initialize a containerd client: failed to dial "/run/k3s/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/k3s/containerd/containerd.sock: connect: permission denied"
	* GET https://index.docker.io/v2/library/nginx-helloworld/manifests/latest: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:library/nginx-helloworld Type:repository]]
The same situation if I try to scan an image pulled from my company private registry:
FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
	* unable to inspect the image (artifactory.mycompany.com/images/hello-app:v0.0.1): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* failed to initialize a containerd client: failed to dial "/run/k3s/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/k3s/containerd/containerd.sock: connect: permission denied"
	* GET https://artifactory.mycompany.com/v2/images/hello-app/manifests/v0.0.1: UNAUTHORIZED: The client does not have permission for manifest; map[manifest:hello-app/v0.0.1/manifest.json]
I found this issue (still open): https://github.com/rancher-sandbox/rancher-desktop/issues/539 Is there any possibility of scanning a locally built image with nerdctl and an image pulled from a private registry? If not, this is a severe blocker in the process of adopting Rancher Desktop as a local Kubernetes development. Thank you!
fast-garage-66093

10/14/2022, 3:48 PM
I think the main issue here is that Rancher Desktop is scanning by image ID, and that will always pull the image from Docker Hub. It seems like scanning local images by name should work. And there may be further complication for scanning local images from containerd vs. moby; I found conflicting information about this in the Trivy GitHub issues. I've updated bug 539 with this information.
better-nail-51710

10/15/2022, 6:13 AM
Firstly, thank you for your answer. Secondly, how can I scan an image by name? The Trivy CLI isn't installed by Rancher Desktop, and if I install it using brew and then try to scan an image built locally, I receive the same errors:
quick-keyboard-83126

10/16/2022, 7:01 AM
% trivy image python:3.4-alpine
2022-10-16T02:54:52.234-0400	INFO	Vulnerability scanning is enabled
2022-10-16T02:54:52.234-0400	INFO	Secret scanning is enabled
2022-10-16T02:54:52.234-0400	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-16T02:54:52.234-0400	INFO	Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-10-16T02:54:52.249-0400	FATAL	image scan error: scan error: unable to initialize a scanner: unable to initialize a docker scanner: 4 errors occurred:
	* unable to inspect the image (python:3.4-alpine): Error: No such image: python:3.4-alpine
	* unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
	* containerd socket not found: /run/containerd/containerd.sock
	* error getting credentials - err: docker-credential-osxkeychain resolves to executable in current directory (./docker-credential-osxkeychain), out: ``
...
% docker pull python:3.4-alpine
3.4-alpine: Pulling from library/python
3b00a3925ee4: Pull complete
a3cd3e3d08dd: Pull complete
bed9db30154f: Pull complete
d837e8e30360: Pull complete
f307ca8b43fd: Pull complete
Digest: sha256:c210b660e2ea553a7afa23b41a6ed112f85dbce25cbcb567c75dfe05342a4c4b
Status: Downloaded newer image for python:3.4-alpine
docker.io/library/python:3.4-alpine
% trivy image python:3.4-alpine
2022-10-16T02:55:07.995-0400	INFO	Vulnerability scanning is enabled
2022-10-16T02:55:07.995-0400	INFO	Secret scanning is enabled
2022-10-16T02:55:07.995-0400	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-16T02:55:07.995-0400	INFO	Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-10-16T02:55:09.368-0400	INFO	Detected OS: alpine
2022-10-16T02:55:09.368-0400	INFO	Detecting Alpine vulnerabilities...
2022-10-16T02:55:09.369-0400	INFO	Number of language-specific files: 1
2022-10-16T02:55:09.369-0400	INFO	Detecting python-pkg vulnerabilities...
2022-10-16T02:55:09.376-0400	WARN	This OS version is no longer supported by the distribution: alpine 3.9.2
2022-10-16T02:55:09.376-0400	WARN	The vulnerability detection may be insufficient because security updates are not provided

python:3.4-alpine (alpine 3.9.2)

Total: 37 (UNKNOWN: 0, LOW: 4, MEDIUM: 16, HIGH: 13, CRITICAL: 4)
...
...
% trivy image 99a53e6ad17e
2022-10-16T02:56:30.516-0400	INFO	Vulnerability scanning is enabled
2022-10-16T02:56:30.516-0400	INFO	Secret scanning is enabled
2022-10-16T02:56:30.516-0400	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-16T02:56:30.516-0400	INFO	Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-10-16T02:56:30.525-0400	INFO	Detected OS: alpine
2022-10-16T02:56:30.525-0400	INFO	Detecting Alpine vulnerabilities...
2022-10-16T02:56:30.525-0400	INFO	Number of language-specific files: 1
2022-10-16T02:56:30.525-0400	INFO	Detecting python-pkg vulnerabilities...
2022-10-16T02:56:30.526-0400	WARN	This OS version is no longer supported by the distribution: alpine 3.9.2
2022-10-16T02:56:30.526-0400	WARN	The vulnerability detection may be insufficient because security updates are not provided

99a53e6ad17e (alpine 3.9.2)

Total: 37 (UNKNOWN: 0, LOW: 4, MEDIUM: 16, HIGH: 13, CRITICAL: 4)
...
...
% docker build . --tag mookas/junk:latest
Sending build context to Docker daemon  2.048kB
Step 1/1 : FROM python:3.4-alpine
 ---> 99a53e6ad17e
Successfully built 99a53e6ad17e
Successfully tagged mookas/junk:latest
% trivy image mookas/junk:latest
2022-10-16T02:57:55.764-0400	INFO	Vulnerability scanning is enabled
2022-10-16T02:57:55.764-0400	INFO	Secret scanning is enabled
2022-10-16T02:57:55.764-0400	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-16T02:57:55.764-0400	INFO	Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-10-16T02:57:55.777-0400	INFO	Detected OS: alpine
2022-10-16T02:57:55.777-0400	INFO	Detecting Alpine vulnerabilities...
2022-10-16T02:57:55.778-0400	INFO	Number of language-specific files: 1
2022-10-16T02:57:55.778-0400	INFO	Detecting python-pkg vulnerabilities...
2022-10-16T02:57:55.779-0400	WARN	This OS version is no longer supported by the distribution: alpine 3.9.2
2022-10-16T02:57:55.779-0400	WARN	The vulnerability detection may be insufficient because security updates are not provided

mookas/junk:latest (alpine 3.9.2)

Total: 37 (UNKNOWN: 0, LOW: 4, MEDIUM: 16, HIGH: 13, CRITICAL: 4)
...
Trivy seems to behave vaguely reasonably here (macOS, M1, Rancher Desktop 1.6.0, Trivy installed via brew).
The GUI is even yielding something nice and pretty:
(I'm using moby/dockerd fwiw, no Kubernetes)
better-nail-51710

10/16/2022, 8:00 AM
Well, I assume that makes the difference: I use containerd and Kubernetes.
The only solution that I've found for scanning the locally built images: tag the image, push it to a public Docker Hub repository, then scan the image (from the GUI or from the CLI, using the trivy command). It seems that there is no other way to scan a locally built image that is not pushed to the Docker registry. Feel free to come up with other solutions.
quick-keyboard-83126

10/16/2022, 11:08 AM
Can you try switching to Moby to confirm that it works for you?
better-nail-51710

10/16/2022, 3:36 PM
I'll try in the next days. I'll come back with a result.
quick-keyboard-83126

10/16/2022, 3:37 PM
I won't be back until Wednesday (I'm sick now and have a Holy Day coming up), but I am interested in the results 🙂