Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
a
aloof-motorcycle-79468
06/28/2022, 5:36 PMHi Team,
I am building an image it is vulnerability free if I directly pull it from repo but when I use it in my Dockerfile it somehow takes vulnerabilities from the rancher env. I have removed all the pre-existing docker images/storage/network but still somehow it gets appended ? I have reset rancher as well
w
wide-mechanic-33041
06/28/2022, 5:45 PMand the on in your image registry was built with the exact same dependencies? No latests or EXECs that could be adding different results to the union?
a
aloof-motorcycle-79468
06/28/2022, 5:46 PMnothing, works good on my colleagues laptop. I faced this issue a month back as well but in that case I removed my existing docker images as it used to take existing layer after that it got resolved.
w
wide-mechanic-33041
06/28/2022, 5:47 PMwell if teh hash is the exact same it would take the existing layer?
a
aloof-motorcycle-79468
06/28/2022, 5:48 PMbut currently I do not have any existing layer I deleted all the previous one and reset rancher as well to be sure.
starting a fresh docker build
w
wide-mechanic-33041
06/28/2022, 5:49 PMand docker manifest for the image you build local and the one you pull from your registry are equal
a
aloof-motorcycle-79468
06/28/2022, 5:49 PMditto, I just use it in FROM layer
FROM BaseImagePath
w
wide-mechanic-33041
06/28/2022, 5:51 PMjust seems odd to me that a manifest result from one image that trivvy or some tool is saying contains a flaw is the same as a manifest from another image where the same tool says there is no flaw
a
aloof-motorcycle-79468
06/28/2022, 5:52 PMindeed as per me there is still some cache stored which is causing this
w
wide-mechanic-33041
06/28/2022, 5:52 PMthats not how docker works though
unless you are doing something runtime that is not in the image
a
aloof-motorcycle-79468
06/28/2022, 5:53 PMok but it does fetches the existing layers and maybe somewhere residue is left, just a random guess cause can’t think of anything else
w
wide-mechanic-33041
06/28/2022, 5:53 PMnope it would only fetch layers with a hash match
a
aloof-motorcycle-79468
06/28/2022, 5:54 PMi’m clueless then, if not rancher then what
w
wide-mechanic-33041
06/28/2022, 5:55 PMrancher just orchestrates docker or containerd so this is out of their scope. this is something in your dockerfile most likely. without the dockerfile its hard to know what could be introducing the ambiguity you are talking about
a
aloof-motorcycle-79468
06/28/2022, 5:56 PMone liner Dockerfile-
FROM base-images/alpine_node-14:latest
w
wide-mechanic-33041
06/28/2022, 5:57 PMwell latest is an ambiguous statement
a
aloof-motorcycle-79468
06/28/2022, 5:58 PMwell if I use the same latest tag to pull directly from the dockerhub, no vulnerability then
w
wide-mechanic-33041
06/28/2022, 5:58 PMyour registry image may have a different version than the one you are pulling at this moment, but the manifest would show a different hash
a
aloof-motorcycle-79468
06/28/2022, 5:58 PMdocker pull *
what if I tell you that I use a specific version instead of latest then also I get the same number of vulnerabilities.
w
wide-mechanic-33041
06/28/2022, 6:02 PMand that image in your registry that has zero vulns is using the same verison (hash compare)
a
aloof-motorcycle-79468
06/28/2022, 6:03 PMgive me sometime to compare, I guess hash won’t be same when I’m building it in my local.
w
wide-mechanic-33041
06/28/2022, 6:04 PMand looks like you are using images by https://github.com/mhart/alpine-node as opposed to the nodejs generated options https://github.com/nodejs/docker-node
a
aloof-motorcycle-79468
06/28/2022, 6:04 PMignore that these are from my organisations registry
w
wide-mechanic-33041
06/28/2022, 6:07 PMwell trying to figure out why you are getting ambiguous results. images are just collections of zip files so vuln scanners tend to provide the same results for the same image
and if your internal base has a mess of vulns well I would work with that upstream to rebuild
a
aloof-motorcycle-79468
06/28/2022, 6:08 PMit is vulnerability free, give me a moment. will get back to you with results.
sorry to kill your time, it was an honest mistake if I use the absolute image name it works earlier it was taking vulnerability from some other registry when I was partially using the image name in my Dockerfile
👍 1
when I used to login to my companys docker registry it used to fetch the complete name and fetch image from there but now the behaviour isn’t the same. I thought just like last time maybe some rancher cleanup would help.
thanks anyways.
w
wide-mechanic-33041
06/28/2022, 6:17 PMyeah thats where manifest inspect is your friend. the hashes shouldn’t lie
a
aloof-motorcycle-79468
06/28/2022, 6:17 PMIndeed.
hey actually the issue was not that. I created dockerfile in a new folder then it started fetching from correct registry.
In my older folder there were already 10dockerfiles and whenever I create my build from there it fetches from docker.io registry by default.
w
wide-mechanic-33041
06/29/2022, 11:51 AMyou can definitely use your .docker/config to override the default registry, but definitely recommend fully qualifying your image URL and not just allowing dockerd to inject it in. Helps to avoid these type of issues.