Unable to scan with Clair

Latest response

I have followed the process for a quay/clair basic test install:
https://access.redhat.com/documentation/en-us/red_hat_quay/3.3/html/deploy_red_hat_quay_-_basic/preparing_for_red_hat_quay_basic#starting_up_the_supporting_services

But after many tries I constantly get the following error in the quay logs:

Jun 9 12:39:17 quay journal: securityworker stdout | 2020-06-09 18:39:17,462 [115] [ERROR] [util.secscan.api] Failed to decode JSON when analyzing layer 3ae32e8da6aa771c98e947640b4718928153191df7ca93b3c8cc699278b05f8c.0ba96b23-42e6-45a7-912c-8964cbd85c66
Jun 9 12:39:17 quay journal: Traceback (most recent call last):
Jun 9 12:39:17 quay journal: File "util/secscan/api.py", line 392, in _response_json
Jun 9 12:39:17 quay journal: return response.json()
Jun 9 12:39:17 quay journal: File "/opt/rh/python27/root/usr/lib/python2.7/site-packages/requests/models.py", line 897, in json
Jun 9 12:39:17 quay journal: return complexjson.loads(self.text, **kwargs)
Jun 9 12:39:17 quay journal: File "/opt/rh/python27/root/usr/lib64/python2.7/site-packages/simplejson/__init__.py", line 488, in loads
Jun 9 12:39:17 quay journal: return _default_decoder.decode(s)
Jun 9 12:39:17 quay journal: File "/opt/rh/python27/root/usr/lib64/python2.7/site-packages/simplejson/decoder.py", line 374, in decode
Jun 9 12:39:17 quay journal: obj, end = self.raw_decode(s)
Jun 9 12:39:17 quay journal: File "/opt/rh/python27/root/usr/lib64/python2.7/site-packages/simplejson/decoder.py", line 397, in raw_decode
Jun 9 12:39:17 quay journal: return self.scan_once(s, idx=_w(s, idx).end())
Jun 9 12:39:17 quay journal: JSONDecodeError: Expecting value: line 1 column 1 (char 0)
Jun 9 12:39:17 quay journal: 2020-06-09 18:39:17,462 [115] [ERROR] [util.secscan.analyzer] Got exception when trying to analyze layer 8 via security scanner
Jun 9 12:39:17 quay journal: Traceback (most recent call last):
Jun 9 12:39:17 quay journal: File "util/secscan/analyzer.py", line 64, in _analyze_recursively_and_check
Jun 9 12:39:17 quay journal: self._analyze_recursively(layer, force_parents=force_parents)
Jun 9 12:39:17 quay journal: File "util/secscan/analyzer.py", line 102, in _analyze_recursively
Jun 9 12:39:17 quay journal: self._analyze(layer, force_parents=force_parents)
Jun 9 12:39:17 quay journal: File "util/secscan/analyzer.py", line 139, in _analyze
Jun 9 12:39:17 quay journal: analyzed_version = self._api.analyze_layer(layer)
Jun 9 12:39:17 quay journal: File "util/secscan/api.py", line 419, in analyze_layer
Jun 9 12:39:17 quay journal: message = _response_json(request, ex.response).get("Error").get("Message", "")
Jun 9 12:39:17 quay journal: File "util/secscan/api.py", line 397, in _response_json
Jun 9 12:39:17 quay journal: raise AnalyzeLayerException
Jun 9 12:39:17 quay journal: AnalyzeLayerException
Jun 9 12:39:17 quay journal: securityworker stdout | 2020-06-09 18:39:17,475 [115] [INFO] [util.migrate.allocator] Marking id range as completed: 6-9
Jun 9 12:39:17 quay journal: 2020-06-09 18:39:17,475 [115] [INFO] [util.migrate.allocator] No more work
Jun 9 12:39:17 quay journal: 2020-06-09 18:39:17,475 [115] [INFO] [apscheduler.executors.default] Job "_index_in_scanner (trigger: interval[0:00:30], next run at: 2020-06-09 18:39:44 UTC)" executed successfully

I have tried numerous standard images pulled from quay.io and they all fail for the same reason. Anybody else seeing this or have a solution?

Responses

Hi Brian,

Just curious, I've seen odd messages such as above when someone attempts installation when they are not in the root account. You may indeed be in the root account, but that's one thing I'm wondering about here.

Forgive the questions here, we do not know your scenario here.

  • At which step did the process you were following in the link you are providing did this produce the errors you posted?
  • What steps worked, and at what step or steps did you encounter the failures?
  • Is the system properly subscribed to Red Hat (or a functioning Satellite server)? (maybe you did this, we just do not know, and it's in that link you provided)
  • What happens when you run yum clean all and yum repolist - do you get expected output or does it fail? (Remember to run those commands as root)
  • How did the other steps in the link you provided go?

Please let us know what point (and what specific command you were doing when) you reached those errors. I suspect this is a supported product, you can also open a case directly with Red Hat.

Regards,
RJ

Thanks for the reply RJ.

I am root. The system is registered with our IBM account and is also under management in our data center. I have it configured for local filesystem storage and have XFS configure with ftype=1 (per docker docs)

[root@quay ~]# yum repolist Loaded plugins: product-id, search-disabled-repos, subscription-manager repo id repo name status rhel-7-server-extras-rpms/x86_64 Red Hat Enterprise Linux 7 Server - Extras (RPMs) 1,285 rhel-7-server-rpms/7Server/x86_64 Red Hat Enterprise Linux 7 Server (RPMs) 29,117 rhel7-updates-FDC Red Hat Enterprise Linux 7Server - x86_64 - Updates 5,475

This is a test install using a temporary 90 day license so we can evaluate the products. The other steps have been successful except I do see the same nginx setpriority error that is seen in the logs from this discussion: https://access.redhat.com/discussions/5065071

From what I can tell quay is working fine as a an image registry from a push pull perspective and it's only the image scan portion that is failing. I've got clair in debug mode but don't see any activity in the logs for scanning so I don't think quay ever gets to the point of asking for a scan.

Thanks again! Brian

Hi Brian, Quay doesnt supports local storage although push/pull will work ,If you want scanning to work aswell you would have to shift to any S3 object storage to get Clair working, After that you can requeue [1] the image for scanning or push a new image and check if scanning works

Thanks, Dixit [1]https://access.redhat.com/solutions/3516081

Dixit, Thanks for the information. It's disappointing that this is not mentioned anywhere in the documentation for a Basic install.

Followup: I setup my test system with a supported object storage (google cloud) and have exactly the same issue. Images can be pushed and pulled and I can see the data in my cloud storage bucket but I still get the exact same error about failing to decode json.