Scan host images running containerd #851

Closed
DrissiReda opened this issue Feb 18, 2021 · 11 comments · Fixed by aquasecurity/fanal#348 or #2305
Assignees
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence.

Comments

@DrissiReda

I've read in the doc that if I'm running a docker container I can bind /var/run/docker.socket to the container and it'll detect host images. I've tried doing this with containerd instead of docker: I bound /var/run/containerd/ (the whole folder, just to be sure) and it still cannot detect containerd's local images. I don't have docker on this machine and want to use trivy with containerd. Is this possible?

@DrissiReda DrissiReda added the kind/bug Categorizes issue or PR as related to a bug. label Feb 18, 2021
@knqyf263 knqyf263 added triage/support Indicates an issue that is a support question. and removed kind/bug Categorizes issue or PR as related to a bug. labels Feb 21, 2021
@knqyf263
Collaborator

Trivy doesn't support the socket of containerd as of today.

@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Apr 23, 2021
@deuch

deuch commented Apr 26, 2021

Any plan to be compatible with containerd to check images on a host? AKS in Azure goes to containerd with version 1.19, so this compatibility will be a big plus!

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Apr 27, 2021
@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jun 27, 2021
@knqyf263 knqyf263 added kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. triage/support Indicates an issue that is a support question. labels Jun 27, 2021
@kaz-33

kaz-33 commented Dec 14, 2021

Hello all,
No progress on this topic?
Br

@survivant

I wish Trivy had containerd support for my cluster. It would have been useful to scan for CVE-2021-44228.

@knqyf263 knqyf263 added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Dec 15, 2021
@mowangdk
Contributor

I would be happy to have some guidance to take this issue. @knqyf263

@knqyf263
Collaborator

knqyf263 commented Dec 16, 2021

Trivy depends on fanal, which is a core library communicating with the container runtime. Inside fanal, it calls the API provided by the container runtime. You can find two examples.

What the above examples do is call the API to export a container image. They are a bit different: we use github.com/docker/docker/client to talk with Docker Engine, while we directly call the socket of Podman without the Podman library for some reasons.

Once the image is exported, the format is basically the same regardless of container runtime, since it is defined by the OCI Image Spec.

So, what we have to do is

  1. Search how the containerd API works
  2. Check if we can use the library of containerd to call the API like Docker Engine
  3. If it is not the case, we may need to call the socket directly like Podman
  4. Create a function like func ContainerdImage(ref name.Reference) (Image, func(), error) {
  5. Call it like this.
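As an added example (not fanal's or Trivy's own code), the check a consumer of an exported image should run on the OCI layout knqyf263 describes, whatever runtime produced it: follow the manifest descriptor from index.json and verify every layer blob against its descriptor before unpacking anything. `Blobs`, `Descriptor`, `Manifest`, `VerifiedLayers` and `SampleExport` are assumed names, and the in-memory `Blobs` map stands in for the export's blobs/sha256/ directory.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Descriptor and Manifest are the minimal slices of the OCI image spec needed here.
type Descriptor struct {
	Digest string `json:"digest"`
	Size   int64  `json:"size"`
}
type Manifest struct {
	Layers []Descriptor `json:"layers"`
}
// Blobs is a hypothetical in-memory stand-in for blobs/sha256/ of an export, keyed "sha256:<hex>".
type Blobs map[string][]byte
func digestOf(b []byte) string { return fmt.Sprintf("sha256:%x", sha256.Sum256(b)) }
// valid reports whether a blob exists with exactly the size and digest its descriptor claims.
func (bs Blobs) valid(d Descriptor) bool {
	b, ok := bs[d.Digest]
	return ok && int64(len(b)) == d.Size && digestOf(b) == d.Digest
}
// VerifiedLayers parses the manifest and returns its layer digests in order, but only
// if every referenced blob verifies, so a truncated or tampered export is rejected.
func VerifiedLayers(bs Blobs, manifest Descriptor) ([]string, error) {
	if !bs.valid(manifest) {
		return nil, fmt.Errorf("manifest %s missing or corrupt", manifest.Digest)
	}
	var m Manifest
	if err := json.Unmarshal(bs[manifest.Digest], &m); err != nil {
		return nil, err
	}
	var layers []string
	for _, d := range m.Layers {
		if !bs.valid(d) {
			return nil, fmt.Errorf("layer %s missing or does not match its descriptor", d.Digest)
		}
		layers = append(layers, d.Digest)
	}
	return layers, nil
}

// SampleExport builds a constructed two-layer export plus the manifest descriptor its index.json would carry.
func SampleExport() (Blobs, Descriptor) {
	bs := Blobs{}
	add := func(b []byte) Descriptor { bs[digestOf(b)] = b; return Descriptor{Digest: digestOf(b), Size: int64(len(b))} }
	m, _ := json.Marshal(Manifest{Layers: []Descriptor{add([]byte("layer-one")), add([]byte("layer-two"))}})
	return bs, add(m)
}
```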

@knqyf263
Collaborator

@mowangdk Please feel free to ask any questions!

@mowangdk
Contributor

ok, gotcha

@youwalther65

youwalther65 commented Jul 18, 2022
