Support for rootless podman #3098

Closed
MartinX3 opened this issue Oct 31, 2022 · 10 comments · Fixed by #6256
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence.

Comments

@MartinX3

MartinX3 commented Oct 31, 2022

Rootful podman has its socket at:
/run/podman/podman.sock

But rootless podman has its socket at:
/run/user/1000/podman/podman.sock

So it errors out.

Edit:
Probably using
export CONTAINERD_ADDRESS=/run/user/1000/podman/podman.sock
works.

@MartinX3 MartinX3 added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 31, 2022
@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Dec 31, 2022
@MartinX3
Author

/remove stale

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jan 1, 2023
@github-actions

github-actions bot commented Mar 3, 2023

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Mar 3, 2023
@knqyf263 knqyf263 added priority/backlog Higher priority than priority/awaiting-more-evidence. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. labels Mar 3, 2023
@knqyf263 knqyf263 added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label May 14, 2023
@knqyf263
Collaborator

We've added --docker-host in #3599. Adding --podman-host may help. I'm unsure if the difference from rootless is the socket path only.

@mirekphd

mirekphd commented Aug 4, 2023

@knqyf263 any reproducible example enabling us to scan an image (preferably an unpushed one, or one from a local insecure registry at the very least) under a non-root user would be appreciated.

It worked beautifully under Clair, but the architecture was different there: it was a RESTful API client (such as clair-scanner).

@knqyf263
Collaborator

knqyf263 commented Aug 6, 2023

@mirekphd Do you mean rootless podman?

@arcsector

arcsector commented Aug 18, 2023

Here's my reproduction using a public image ackstorm/debian-postfix:latest:

2023-08-18T21:56:03.246Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-08-18T21:56:03.248Z        DEBUG   Ignore statuses {"statuses": null}
2023-08-18T21:56:03.259Z        DEBUG   cache dir:  /root/.cache/trivy
2023-08-18T21:56:03.259Z        DEBUG   There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2023-08-18T21:56:03.260Z        INFO    Need to update DB
2023-08-18T21:56:03.260Z        INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-08-18T21:56:03.260Z        INFO    Downloading DB...
2023-08-18T21:56:03.260Z        DEBUG   no metadata file
38.99 MiB / 38.99 MiB [--------------------------------------------------] 100.00% 7.45 MiB p/s 5.4s
2023-08-18T21:56:15.164Z        DEBUG   Updating database metadata...
2023-08-18T21:56:15.165Z        DEBUG   DB Schema: 2, UpdatedAt: 2023-08-18 18:11:06.823178853 +0000 UTC, NextUpdate: 2023-08-19 00:11:06.823178453 +0000 UTC, DownloadedAt: 2023-08-18 21:56:15.164911959 +0000 UTC
2023-08-18T21:56:15.165Z        INFO    Vulnerability scanning is enabled
2023-08-18T21:56:15.165Z        DEBUG   Vulnerability type:  [os library]
2023-08-18T21:56:15.165Z        INFO    Secret scanning is enabled
2023-08-18T21:56:15.165Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-18T21:56:15.165Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.44/docs/scanner/secret/#recommendation for faster secret detection
2023-08-18T21:56:16.582Z        FATAL   image scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:426
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:268
  - unable to initialize a scanner:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:681
  - unable to initialize a docker scanner:
    github.com/aquasecurity/trivy/pkg/commands/artifact.imageStandaloneScanner
        /home/runner/work/trivy/trivy/pkg/commands/artifact/scanner.go:17
  - 4 errors occurred:
        * unable to inspect the image (ackstorm/debian-postfix:latest): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
        * containerd socket not found: /run/containerd/containerd.sock
        * unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory
        * GET https://index.docker.io/v2/ackstorm/debian-postfix/manifests/latest: MANIFEST_UNKNOWN: manifest unknown; unknown tag=latest

@jmeza-xyz

jmeza-xyz commented Feb 12, 2024

Tested running Trivy 0.49.1 using podman rootless, and it works using --docker-host or the env variable DOCKER_HOST. It would be nice to have an option, as mentioned above, --podman-host for the same variable, or at a minimum something in the docs that mentions a workaround for this use case. Trivy output trimmed for brevity; I can provide the full output if needed.

╚ $ echo $XDG_RUNTIME_DIR
/run/user/1000

╚ $ file /run/user/1000/podman/podman.sock
/run/user/1000/podman/podman.sock: socket

╚ $ podman info| yq '.store.runRoot'
"/run/user/1000/containers"

╚ $ podman --version
podman version 3.4.4

╚ $ podman run -e DOCKER_HOST=unix://$XDG_RUNTIME_DIR/podman/podman.sock  \
-v $XDG_RUNTIME_DIR/podman/podman.sock:$XDG_RUNTIME_DIR/podman/podman.sock  \
--rm docker.io/aquasec/trivy:0.49.1 image localhost/trivy-image-scan-local

localhost/trivy-image-scan-local (debian 12.4)
==============================================
Total: 96 (UNKNOWN: 0, LOW: 65, MEDIUM: 25, HIGH: 5, CRITICAL: 1)

╚ $ podman run -v $XDG_RUNTIME_DIR/podman/podman.sock:$XDG_RUNTIME_DIR/podman/podman.sock  \
--rm docker.io/aquasec/trivy:0.49.1 image --docker-host=unix://$XDG_RUNTIME_DIR/podman/podman.sock  \
localhost/trivy-image-scan-local

localhost/trivy-image-scan-local (debian 12.4)
==============================================
Total: 96 (UNKNOWN: 0, LOW: 65, MEDIUM: 25, HIGH: 5, CRITICAL: 1)

@knqyf263
Collaborator

@jmeza-xyz Thanks for testing!

@knqyf263
Collaborator

I believe adding --podman-host is easy to implement.

type PodmanOptions struct {
	// Add Podman-specific options
}

Reference: #3599

6 participants