Bug
Resolution: Done
Blocker
clair-4.7.3
None
Description:
This is an issue found in Clair 4.7.3. When pushing images to Quay, I found that Clair can't scan the images. I checked the Clair app pod and got the error "open /tmp: operation not supported" with Clair 4.7.3. Please review this issue.
Clair Image:
registry.redhat.io/quay/clair-rhel8@sha256:813b678ff3b1cfa7cde62f1131370534aebd02eef60cc47f139644249248a2e9
Clair Version:
{"level":"info","component":"main","version":"v4.7.3 (user) (claircore v1.5.25)","time":"2024-03-20T06:37:45Z","message":"starting"}
Clair Logs:
{"level":"info","component":"indexer/controller/Controller.Index","state":"FetchLayers","manifest":"sha256:def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748","request_id":"434b8638a5c32a37","time":"2024-03-20T06:38:05Z","message":"layers fetch start"}
{"level":"warn","manifest":"sha256:def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748","request_id":"434b8638a5c32a37","component":"indexer/controller/Controller.Index","state":"FetchLayers","error":"fetcher: encountered errors: error realizing layer sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4: open /tmp: operation not supported","time":"2024-03-20T06:38:05Z","message":"layers fetch failure"}
Clair APP Deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    cluster-service-ca: "30570885"
    cluster-trusted-ca: c69e7739
    deployment.kubernetes.io/revision: "2"
    quay-buildmanager-hostname: ""
    quay-component: clair
    quay-operator-service-endpoint: http://quay-operator.quay311.svc.cluster.local:7071
    quay-registry-hostname: quay3110-quay-quay311.apps.quaytest-2224.qe.devcluster.openshift.com
  creationTimestamp: "2024-03-20T06:31:04Z"
  generation: 7
  labels:
    quay-component: clair-app
    quay-operator/quayregistry: quay3110
  name: quay3110-clair-app
  namespace: quay311
  ownerReferences:
  - apiVersion: quay.redhat.com/v1
    kind: QuayRegistry
    name: quay3110
    uid: b15ed8da-b9b2-4c62-ad52-90a4500c123e
  resourceVersion: "147502"
  uid: 093c4e35-1268-4675-bd9b-ad5058317403
spec:
  progressDeadlineSeconds: 600
  replicas: 9
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      quay-component: clair-app
      quay-operator/quayregistry: quay3110
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        cluster-service-ca: "30570885"
        cluster-trusted-ca: c69e7739
        quay-buildmanager-hostname: ""
        quay-managed-fieldgroups: SecurityScanner,Database,Redis,HostSettings,RepoMirror
        quay-operator-service-endpoint: http://quay-operator.quay311.svc.cluster.local:7071
        quay-registry-hostname: quay3110-quay-quay311.apps.quaytest-2224.qe.devcluster.openshift.com
      creationTimestamp: null
      labels:
        quay-component: clair-app
        quay-operator/quayregistry: quay3110
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: quay-component
                  operator: In
                  values:
                  - clair-app
              topologyKey: kubernetes.io/hostname
            weight: 100
      containers:
      - env:
        - name: CLAIR_CONF
          value: /clair/config.yaml
        - name: CLAIR_MODE
          value: combo
        - name: HTTP_PROXY
          valueFrom:
            secretKeyRef:
              key: HTTP_PROXY
              name: quay3110-quay-proxy-config-62mmmd2t22
        - name: HTTPS_PROXY
          valueFrom:
            secretKeyRef:
              key: HTTPS_PROXY
              name: quay3110-quay-proxy-config-62mmmd2t22
        - name: NO_PROXY
          valueFrom:
            secretKeyRef:
              key: NO_PROXY
              name: quay3110-quay-proxy-config-62mmmd2t22
        image: registry.redhat.io/quay/clair-rhel8@sha256:813b678ff3b1cfa7cde62f1131370534aebd02eef60cc47f139644249248a2e9
        imagePullPolicy: IfNotPresent
        name: clair-app
        ports:
        - containerPort: 8080
          name: clair-http
          protocol: TCP
        - containerPort: 8089
          name: clair-intro
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          periodSeconds: 10
          successThreshold: 1
          tcpSocket:
            port: 8080
          timeoutSeconds: 1
        resources:
          limits:
            cpu: "4"
            memory: 16Gi
          requests:
            cpu: "2"
            memory: 2Gi
        startupProbe:
          failureThreshold: 300
          periodSeconds: 10
          successThreshold: 1
          tcpSocket:
            port: clair-intro
          timeoutSeconds: 1
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/pki/ca-trust/extracted/pem
          name: cluster-trusted-ca
          readOnly: true
        - mountPath: /clair/config.yaml
          name: config
          subPath: config.yaml
        - mountPath: /clair/config.yaml.d/01_user_config.yaml
          name: config
          subPath: 01_user_config.yaml
        - mountPath: /var/run/certs
          name: certificates
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: quay3110-clair-app
      serviceAccountName: quay3110-clair-app
      terminationGracePeriodSeconds: 30
      volumes:
      - configMap:
          defaultMode: 420
          items:
          - key: ca-bundle.crt
            path: tls-ca-bundle.pem
          name: quay3110-cluster-trusted-ca
        name: cluster-trusted-ca
      - name: config
        secret:
          defaultMode: 420
          secretName: quay3110-clair-config-secret-f6bb7g24h5
      - name: certificates
        projected:
          defaultMode: 420
          sources:
          - secret:
              name: quay3110-extra-ca-certs-46f8b28mk5
          - secret:
              name: quay3110-quay-config-tls-kcgg9hhdhd
          - configMap:
              name: quay3110-cluster-service-ca
          - configMap:
              name: quay3110-cluster-trusted-ca
status:
  availableReplicas: 9
  conditions:
  - lastTransitionTime: "2024-03-20T06:31:04Z"
    lastUpdateTime: "2024-03-20T06:38:04Z"
    message: ReplicaSet "quay3110-clair-app-785956c89c" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  - lastTransitionTime: "2024-03-20T06:43:59Z"
    lastUpdateTime: "2024-03-20T06:43:59Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  observedGeneration: 7
  readyReplicas: 9
  replicas: 9
  updatedReplicas: 9