These are chat archives for ManageIQ/manageiq/containers

7th Sep 2017
nik
@supernoodz
Sep 07 2017 12:58
@/all We're seeing a certificate error when attempting to download the CVE files for OpenSCAP. Curl doesn't produce the error. Any idea why this might be happening?
And is it possible to ignore verification?
nik
@supernoodz
Sep 07 2017 13:10
Unable to scan image: Unable to run OpenSCAP: Unable to retreive the CVE file: Could not download file https://www.redhat.com/security/data/metrics/ds/com.redhat.rhsa-RHEL7.ds.xml.bz2: Get https://www.redhat.com/security/data/metrics/ds/com.redhat.rhsa-RHEL7.ds.xml.bz2: x509: certificate signed by unknown authority
Erez Freiberger
@enoodle
Sep 07 2017 13:26
@supernoodz do you mean that when running curl from the openshift machine you don't get this error?
nik
@supernoodz
Sep 07 2017 13:29
@enoodle Not from the node but I guess this error is produced from the image-inspector container itself. When we curl from there, we do get the same error, so I think we need to be able to configure ssl verification in the same way we configure a proxy.
Is that possible? Like we pass proxy as provider custom attributes.
Erez Freiberger
@enoodle
Sep 07 2017 13:30
@supernoodz It is possible to pass a proxy that image-inspector will use to download the CVE file with
@supernoodz I am not sure if this is what you were asking
nik
@supernoodz
Sep 07 2017 13:31
We're successfully passing proxy. We need to specify ssl verification too.
We're getting this error right now - x509: certificate signed by unknown authority
Erez Freiberger
@enoodle
Sep 07 2017 13:32
@supernoodz currently it is not possible. I really don't understand why this fails. I feel like it is failing to access your proxy
nik
@supernoodz
Sep 07 2017 13:36
Initially, we were unable to access the CVE url but have configured proxy and now we're hitting the error 'x509: certificate signed by unknown authority'
Erez Freiberger
@enoodle
Sep 07 2017 13:43
@supernoodz I think that the proxy is signed with a certificate that can't be authenticated by the pod. I thought that a docker container takes the certificates from the host, but maybe this is not the case. We can try to run the pod manually with this https://stackoverflow.com/questions/26028971/docker-container-ssl-certificates and see if it fixes it.
do you need help doing this?
nik
@supernoodz
Sep 07 2017 13:43
Help would be appreciated.
this is a json file of an image-inspector pod
can you download it and try to run in from the management-infra namespace please?
@supernoodz use oc create -f <FILENAME> to create the pod
nik
@supernoodz
Sep 07 2017 13:47
Trying now, thanks.
Erez Freiberger
@enoodle
Sep 07 2017 13:48
This is supposed to fail the same way
nik
@supernoodz
Sep 07 2017 13:49
Ok. Not sure we'll have access to your repo though. Trying anyway.
Erez Freiberger
@enoodle
Sep 07 2017 13:49
we will then add a mount for /etc/ssl/certs and see if it helps
nik
@supernoodz
Sep 07 2017 13:53
How?
Erez Freiberger
@enoodle
Sep 07 2017 13:55
Did you try to run the pod as is and it failed? On line 46 it is defining a mount volume, you need to copy it (lines 47-49) and change the mount path and name
add a comma after the first mount
@supernoodz ^
nik
@supernoodz
Sep 07 2017 13:56
Ok, thanks.
Failed to launch:
oc create -f special_inspector.json
Error from server: error when creating "special_inspector.json": pods "manageiq-img-scan-special" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]
Erez Freiberger
@enoodle
Sep 07 2017 13:57
you have to run it from a system:admin user or a different user that has scc privileges
nik
@supernoodz
Sep 07 2017 13:58
Ok. We're out of time today...
Thanks for your help @enoodle