Scan local image with Anchore
05 Nov 2018 - Christopher McArthur
Today’s mission: Scan a modified image.
In order to do this using anchore, I worst went on the adventure of modifying and commiting a new image… for my first test I opt’ed for installing ping. from my container i was able too ping -c 2 google.ca
following which i made my docker commit
Next i tried scanning the image with anchore but it could not be found with the sha. so i commited the image again with a meaningful name ping-test
. scanning was unable to pick up the image.
With a little bit of help from the --debug
flag i noticed it was looking on the docker.io repository.
I then installed and now host my own private repository! I have pushed my ping test image as my-tests
on the registry. deleting it locally i was able to pull it again.
currently trying to add the repository to anchore but im getting stuck with it not finding a manifest
running curl -X GET http://localhost:5000/v2/catalog
as well as curl -X GET http://localhost:5000/v2/my-tests/tag/latest
produces what looks like correct results.
cmcarthur@docker-engine-one:~/aevolume$ anchore-cli --debug --insecure image add localhost:5000/my-tests
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "GET /v1 HTTP/1.1" 200 0
DEBUG:anchorecli.clients.apiexternal:POST url=http://localhost:8228/v1/images?autosubscribe=True
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "POST /v1/images?autosubscribe=True HTTP/1.1" 400 593
DEBUG:anchorecli.cli.utils:fetched httpcode from response: 400
Error: cannot fetch image digest/manifest from registry
HTTP Code: 400
Detail: {u'raw_exception_message': u'could not get manifest/digest for image (localhost:5000/my-tests:latest) from registry (https://localhost:5000) - error: Error encountered in skopeo operation. cmd=/bin/sh -c skopeo inspect --raw --tls-verify=false docker://localhost:5000/my-tests:latest, rc=1, stdout=None, stderr=time="2018-11-06T04:54:47Z" level=fatal msg="pinging docker registry returned: Get http://localhost:5000/v2/: dial tcp 127.0.0.1:5000: getsockopt: connection refused"'}
I think I found my problem anchore is trying to use HTTPS but thats not configured on my local repo…
freaking painful CLI
cmcarthur@docker-engine-one:~/aevolume$ anchore-cli --debug registry add --insecure --skip-validate localhost:5000 user pass
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "GET /v1 HTTP/1.1" 200 0
DEBUG:anchorecli.clients.apiexternal:POST url=http://localhost:8228/v1/registries?validate=False
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "POST /v1/registries?validate=False HTTP/1.1" 200 253
DEBUG:anchorecli.cli.utils:fetched httpcode from response: 200
Registry: localhost:5000
User: user
Type: docker_v2
Verify TLS: False
Created: 2018-11-06T05:35:16Z
Updated: 2018-11-06T05:35:16Z
Finally got it to work…
trying to add image….
cmcarthur@docker-engine-one:~$ anchore-cli --debug --json image add localhost:5000/my-tests:latest
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "GET /v1 HTTP/1.1" 200 0
DEBUG:anchorecli.clients.apiexternal:POST url=http://localhost:8228/v1/images?autosubscribe=True
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): localhost:8228
DEBUG:urllib3.connectionpool:http://localhost:8228 "POST /v1/images?autosubscribe=True HTTP/1.1" 400 632
DEBUG:anchorecli.cli.utils:fetched httpcode from response: 400
{
"detail": {
"raw_exception_message": "could not get manifest/digest for image (localhost:5000/my-tests:latest) from registry (https://localhost:5000) - error: Error encountered in skopeo operation. cmd=/bin/sh -c skopeo inspect --raw --tls-verify=false --creds \"${SKOPUSER}\":\"${SKOPPASS}\" docker://localhost:5000/my-tests:latest, rc=1, stdout=None, stderr=time=\"2018-11-06T05:48:53Z\" level=fatal msg=\"pinging docker registry returned: Get http://localhost:5000/v2/: dial tcp 127.0.0.1:5000: getsockopt: connection refused\""
},
"httpcode": 400,
"message": "cannot fetch image digest/manifest from registry"
}