  1. Clair
  2. CLAIRDEV-70

Clair 4.7.3 can't fetch image layer with error "open /tmp: operation not supported"


      Description:

      This issue was found in Clair 4.7.3. After pushing images to Quay, Clair cannot scan them; the Clair app pod logs the error "open /tmp: operation not supported". Please review this issue.

      Clair Image: 

      registry.redhat.io/quay/clair-rhel8@sha256:813b678ff3b1cfa7cde62f1131370534aebd02eef60cc47f139644249248a2e9 

      Clair Version:

      {"level":"info","component":"main","version":"v4.7.3 (user) (claircore v1.5.25)","time":"2024-03-20T06:37:45Z","message":"starting"} 

      Clair Logs:

      {"level":"info","component":"indexer/controller/Controller.Index","state":"FetchLayers","manifest":"sha256:def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748","request_id":"434b8638a5c32a37","time":"2024-03-20T06:38:05Z","message":"layers fetch start"}
      {"level":"warn","manifest":"sha256:def822f9851ca422481ec6fee59a9966f12b351c62ccb9aca841526ffaa9f748","request_id":"434b8638a5c32a37","component":"indexer/controller/Controller.Index","state":"FetchLayers","error":"fetcher: encountered errors: error realizing layer sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4: open /tmp: operation not supported","time":"2024-03-20T06:38:05Z","message":"layers fetch failure"} 

      Clair APP Deployment:

      # Deployment for the Clair app pods of QuayRegistry "quay3110", pasted as
      # read back from the cluster: it carries server-populated fields (uid,
      # resourceVersion, creationTimestamp, status), so it records observed
      # state and is not a manifest to re-apply as-is.
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        annotations:
          cluster-service-ca: "30570885"
          cluster-trusted-ca: c69e7739
          deployment.kubernetes.io/revision: "2"
          quay-buildmanager-hostname: ""
          quay-component: clair
          # NOTE(review): plain-http in-cluster endpoint; what travels over it
          # is not visible from this manifest - confirm nothing sensitive does.
          quay-operator-service-endpoint: http://quay-operator.quay311.svc.cluster.local:7071
          quay-registry-hostname: quay3110-quay-quay311.apps.quaytest-2224.qe.devcluster.openshift.com
        creationTimestamp: "2024-03-20T06:31:04Z"
        generation: 7
        labels:
          quay-component: clair-app
          quay-operator/quayregistry: quay3110
        name: quay3110-clair-app
        namespace: quay311
        # Owned by a QuayRegistry custom resource; presumably the Quay operator
        # reconciles this object, so manual edits may be reverted - confirm.
        ownerReferences:
        - apiVersion: quay.redhat.com/v1
          kind: QuayRegistry
          name: quay3110
          uid: b15ed8da-b9b2-4c62-ad52-90a4500c123e
        resourceVersion: "147502"
        uid: 093c4e35-1268-4675-bd9b-ad5058317403
      spec:
        progressDeadlineSeconds: 600
        replicas: 9
        revisionHistoryLimit: 10
        selector:
          matchLabels:
            quay-component: clair-app
            quay-operator/quayregistry: quay3110
        strategy:
          rollingUpdate:
            maxSurge: 25%
            maxUnavailable: 25%
          type: RollingUpdate
        template:
          metadata:
            annotations:
              cluster-service-ca: "30570885"
              cluster-trusted-ca: c69e7739
              quay-buildmanager-hostname: ""
              quay-managed-fieldgroups: SecurityScanner,Database,Redis,HostSettings,RepoMirror
              quay-operator-service-endpoint: http://quay-operator.quay311.svc.cluster.local:7071
              quay-registry-hostname: quay3110-quay-quay311.apps.quaytest-2224.qe.devcluster.openshift.com
            creationTimestamp: null
            labels:
              quay-component: clair-app
              quay-operator/quayregistry: quay3110
          spec:
            # Soft (preferred, weight 100) anti-affinity: the scheduler tries to
            # spread clair-app pods across hostnames but may still co-locate them.
            affinity:
              podAntiAffinity:
                preferredDuringSchedulingIgnoredDuringExecution:
                - podAffinityTerm:
                    labelSelector:
                      matchExpressions:
                      - key: quay-component
                        operator: In
                        values:
                        - clair-app
                    topologyKey: kubernetes.io/hostname
                  weight: 100
            containers:
            - env:
              - name: CLAIR_CONF
                value: /clair/config.yaml
              # combo mode presumably runs all Clair services in this one
              # process (confirm against the Clair docs); the failing log lines
              # come from the indexer component.
              - name: CLAIR_MODE
                value: combo
              # The three proxy variables are read from a Secret instead of
              # being inlined, which keeps proxy URLs (and any credentials
              # embedded in them) out of this manifest.
              - name: HTTP_PROXY
                valueFrom:
                  secretKeyRef:
                    key: HTTP_PROXY
                    name: quay3110-quay-proxy-config-62mmmd2t22
              - name: HTTPS_PROXY
                valueFrom:
                  secretKeyRef:
                    key: HTTPS_PROXY
                    name: quay3110-quay-proxy-config-62mmmd2t22
              - name: NO_PROXY
                valueFrom:
                  secretKeyRef:
                    key: NO_PROXY
                    name: quay3110-quay-proxy-config-62mmmd2t22
              # Pinned by sha256 digest rather than a mutable tag, so the exact
              # build being run is unambiguous.
              image: registry.redhat.io/quay/clair-rhel8@sha256:813b678ff3b1cfa7cde62f1131370534aebd02eef60cc47f139644249248a2e9
              imagePullPolicy: IfNotPresent
              name: clair-app
              ports:
              - containerPort: 8080
                name: clair-http
                protocol: TCP
              - containerPort: 8089
                name: clair-intro
                protocol: TCP
              # TCP connect check only: it shows that something listens on
              # 8080, not that indexing or layer fetching works.
              readinessProbe:
                failureThreshold: 3
                periodSeconds: 10
                successThreshold: 1
                tcpSocket:
                  port: 8080
                timeoutSeconds: 1
              resources:
                limits:
                  cpu: "4"
                  memory: 16Gi
                requests:
                  cpu: "2"
                  memory: 2Gi
              # Targets the named port clair-intro (8089); 300 failures at a
              # 10 s period allows up to about 3000 s before startup is failed.
              startupProbe:
                failureThreshold: 300
                periodSeconds: 10
                successThreshold: 1
                tcpSocket:
                  port: clair-intro
                timeoutSeconds: 1
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
              # No entry below mounts a volume at /tmp, so /tmp is whatever the
              # container's root filesystem provides; the reported failure is
              # "open /tmp: operation not supported".
              # NOTE(review): mounting an emptyDir at /tmp would show whether
              # the backing filesystem is the cause - not verified here.
              # Only cluster-trusted-ca sets readOnly: true explicitly.
              volumeMounts:
              - mountPath: /etc/pki/ca-trust/extracted/pem
                name: cluster-trusted-ca
                readOnly: true
              # The two config entries use subPath; subPath mounts are not
              # refreshed when the backing Secret changes, so a config change
              # only takes effect in a new pod.
              - mountPath: /clair/config.yaml
                name: config
                subPath: config.yaml
              - mountPath: /clair/config.yaml.d/01_user_config.yaml
                name: config
                subPath: 01_user_config.yaml
              - mountPath: /var/run/certs
                name: certificates
            dnsPolicy: ClusterFirst
            restartPolicy: Always
            schedulerName: default-scheduler
            # Empty pod-level securityContext, and the container above declares
            # none: runAsNonRoot, readOnlyRootFilesystem,
            # allowPrivilegeEscalation, capabilities and seccompProfile are all
            # left to cluster defaults (on OpenShift presumably the admitted
            # SCC - confirm).
            securityContext: {}
            # serviceAccount is the deprecated alias of serviceAccountName.
            # automountServiceAccountToken is not set here, so the API token is
            # mounted unless the ServiceAccount itself opts out.
            serviceAccount: quay3110-clair-app
            serviceAccountName: quay3110-clair-app
            terminationGracePeriodSeconds: 30
            volumes:
            - configMap:
                # 420 decimal is 0644 octal.
                defaultMode: 420
                items:
                - key: ca-bundle.crt
                  path: tls-ca-bundle.pem
                name: quay3110-cluster-trusted-ca
              name: cluster-trusted-ca
            - name: config
              secret:
                # 0644: the Clair config files from this Secret are readable by
                # any UID inside the container.
                # NOTE(review): a tighter mode may suffice - confirm which UID
                # Clair runs as before changing it.
                defaultMode: 420
                secretName: quay3110-clair-config-secret-f6bb7g24h5
            # Projects two Secrets and two ConfigMaps into one directory,
            # mounted at /var/run/certs.
            # NOTE(review): quay-config-tls presumably holds TLS key material -
            # confirm, and if so consider whether 0644 is wider than needed.
            - name: certificates
              projected:
                defaultMode: 420
                sources:
                - secret:
                    name: quay3110-extra-ca-certs-46f8b28mk5
                - secret:
                    name: quay3110-quay-config-tls-kcgg9hhdhd
                - configMap:
                    name: quay3110-cluster-service-ca
                - configMap:
                    name: quay3110-cluster-trusted-ca
      # All 9 replicas are reported ready and available even though layer
      # fetches fail in the logs: the tcpSocket probes in the pod spec do not
      # exercise that path, so this status alone does not show scanning works.
      status:
        availableReplicas: 9
        conditions:
        - lastTransitionTime: "2024-03-20T06:31:04Z"
          lastUpdateTime: "2024-03-20T06:38:04Z"
          message: ReplicaSet "quay3110-clair-app-785956c89c" has successfully progressed.
          reason: NewReplicaSetAvailable
          status: "True"
          type: Progressing
        - lastTransitionTime: "2024-03-20T06:43:59Z"
          lastUpdateTime: "2024-03-20T06:43:59Z"
          message: Deployment has minimum availability.
          reason: MinimumReplicasAvailable
          status: "True"
          type: Available
        observedGeneration: 7
        readyReplicas: 9
        replicas: 9
        updatedReplicas: 9 

              hdonnay Henry Donnay
              lzha1981 luffy zhang

                Created:
                Updated:
                Resolved: