
rough-farmer-49135

02/22/2023, 7:32 PM
I'm trying to use k3d to run an application on some shared lab (read "wild west with nearly everyone having root") machines. The owners of the machines are required to do some vulnerability scans that are finding things inside /var/lib/docker/volumes, overlay2, etc. and are sending out "hey guys, fix these" e-mails. They took a pass at trying to translate from the location to the image/container, and some of them were definite offenders but others were unrelated. I think the method they used was just the docker command. I just spent an hour or two poking around trying to get at the internals of which containers were what using docker & ctr commands with a k3d cluster running and wasn't having a lot of luck. Anyone know if I could've gotten to things if I'd just used nerdctl or crictl or checked the right spot in kubectl or some other tool? I didn't spot anything on k3d.io and thought I'd ask if anyone knows before I go experimenting with the different tools or even spelunking through odd spots in Linux.

creamy-pencil-82913

02/22/2023, 7:36 PM
I would give up on trying to reverse engineer that entirely and exclude the image filesystem (the location where docker/containerd stores container layers) from your scans. If you want to do vuln scanning on container images, use a tool that scans container images.

rough-farmer-49135

02/22/2023, 9:30 PM
That's the right answer, but it's not the answer that the security people whom the system owner has to appease will accept. If I don't do it, he will, and from a combo of me having a bit more skin in the game and not wanting to be a pest to someone whose computers I'm basically squatting on anyway, that's where I'm sadly going to have to poke around and find some answers.

creamy-pencil-82913

02/22/2023, 9:34 PM
I think you’d have to poke around in the bbolt database file and try to engineer a reverse lookup of directory to image layer to image. It is going to be a huge waste of everyone's time, and even if you do it there will be no actionable outcome. “Yes, it's from an old tag of an image that something is dependent on. Yes, I’ll get around to updating it eventually. No, you can’t delete it, I still need to use it now.”
It’s frustrating, but trying to go in circles with a security team using non-container-aware tools to scan containerized applications is a recipe for failure.

rough-farmer-49135

02/22/2023, 9:38 PM
My problem is a bit weirder, so I might get something useful. This morning I spent a few hours where one of the vulnerabilities was in an image I knew from the directory naming; a coworker had deleted it yesterday and there was no trace of it that I saw, but the directory was still there. `docker container prune`, `docker image prune -a`, & `docker system prune -a` didn't get rid of the directory. K3d was still running and it wasn't in a running pod, but after killing my k3d cluster and doing another `image prune -a` it was finally gone...along with a couple hundred other images, and I only had two left in the system's local cache. So I'm trying to get something to let me match what's what so I can at least know how things are targeted scan-wise and go around pulling strings to find out what needs to let go of specific items to be able to get rid of them.
It's certainly not good, but we do have partners for whom some of the containers are their problems (like the one from this morning, which we've got the code for but only a busted & ignored CI pipeline for building). So attribution is still potentially enough at times.
Still, I'm not going to argue that time couldn't be spent in a much better way.