Support for rootless podman #3098
Comments
This issue is stale because it has been labeled with inactivity.

/remove stale

This issue is stale because it has been labeled with inactivity.

We've added
@knqyf263 Any reproducible example would be appreciated; enabling us to scan an image (preferably an unpushed one, or one from a local insecure registry at the very least) under a non-root user would be fine. It worked beautifully under Clair, but the architecture was different there: it was a RESTful API client (such as

@mirekphd Do you mean rootless podman?
Here's my reproduction using a public image.

Tested running:

```
╚ $ echo $XDG_RUNTIME_DIR
/run/user/1000
╚ $ file /run/user/1000/podman/podman.sock
/run/user/1000/podman/podman.sock: socket
╚ $ podman info| yq '.store.runRoot'
"/run/user/1000/containers"
╚ $ podman --version
podman version 3.4.4
╚ $ podman run -e DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock \
    -v $XDG_RUNTIME_DIR/podman/podman.sock:$XDG_RUNTIME_DIR/podman/podman.sock \
    --rm docker.io/aquasec/trivy:0.49.1 image localhost/trivy-image-scan-local
localhost/trivy-image-scan-local (debian 12.4)
==============================================
Total: 96 (UNKNOWN: 0, LOW: 65, MEDIUM: 25, HIGH: 5, CRITICAL: 1)
╚ $ podman run -v $XDG_RUNTIME_DIR/podman/podman.sock:$XDG_RUNTIME_DIR/podman/podman.sock \
    --rm docker.io/aquasec/trivy:0.49.1 image --docker-host=unix://$XDG_RUNTIME_DIR/podman/podman.sock \
    localhost/trivy-image-scan-local
localhost/trivy-image-scan-local (debian 12.4)
==============================================
Total: 96 (UNKNOWN: 0, LOW: 65, MEDIUM: 25, HIGH: 5, CRITICAL: 1)
```
@jmeza-xyz Thanks for testing!

I believe adding trivy/pkg/fanal/types/image.go (lines 62 to 64 in c107e1a)

Reference: #3599
Rootful podman has its socket at `/run/podman/podman.sock`, but rootless podman has its socket at `/run/user/1000/podman/podman.sock`, so it errors out.

Edit: probably using `export CONTAINERD_ADDRESS=/run/user/1000/podman/podman.sock` works.
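As an added example (not code from the issue thread or from the Trivy project), a POSIX sh wrapper that looks for the podman API socket in the order the thread describes (rootless under `$XDG_RUNTIME_DIR`, then `/run/user/<uid>`, then the rootful `/run/podman/podman.sock`) and runs the same Trivy invocation jmeza-xyz used; the helper names and the `podman.socket` hint are mine, and the scanned image name is the one from the thread.

```sh
#!/bin/sh
# Added example, not from the issue or Trivy: find the podman API socket for
# the invoking user and hand it to Trivy as DOCKER_HOST. Rootless podman serves
# it under $XDG_RUNTIME_DIR (the thread's /run/user/1000/podman/podman.sock);
# rootful podman serves it at /run/podman/podman.sock.

# Print candidate socket paths, most specific first. Takes the XDG_RUNTIME_DIR
# value (possibly empty) and the numeric UID as arguments so the ordering can be
# checked without touching the real system.
podman_socket_candidates() {
    xdg="$1"; uid="$2"
    if [ -n "$xdg" ]; then printf '%s\n' "$xdg/podman/podman.sock"; fi
    printf '%s\n' "/run/user/$uid/podman/podman.sock"
    printf '%s\n' "/run/podman/podman.sock"
}

# Print the first argument that is an actual unix socket; return 1 if none is,
# so callers fail closed instead of pointing Trivy at a path that is not there.
first_socket_of() {
    for sock in "$@"; do
        if [ -S "$sock" ]; then printf '%s\n' "$sock"; return 0; fi
    done
    return 1
}

# Format the DOCKER_HOST value Trivy expects: a unix:// URL, as in the thread.
docker_host_url() {
    printf 'unix://%s\n' "$1"
}

# Resolve the socket for the current user and run the thread's Trivy command,
# mounting the socket into the scanner container at the same path so the
# unix:// URL is valid on both sides of the container boundary.
scan_image_via_podman() {
    image="$1"
    # Candidate paths contain no whitespace, so word splitting is safe here.
    sock="$(first_socket_of $(podman_socket_candidates "${XDG_RUNTIME_DIR:-}" "$(id -u)"))" || {
        echo "no podman API socket found (rootless: systemctl --user start podman.socket)" >&2
        return 1
    }
    host="$(docker_host_url "$sock")"
    podman run --rm -e "DOCKER_HOST=$host" -v "$sock:$sock" \
        docker.io/aquasec/trivy:0.49.1 image "$image"
}

# Usage: ./scan.sh localhost/trivy-image-scan-local
if [ "$#" -gt 0 ]; then scan_image_via_podman "$1"; fi
```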