Project Quay / PROJQUAY-2306

Quay 3.6.0 Clair was unable to scan image vulnerability with certificate error

      Description:

      This issue was found when deploying Quay 3.6.0 with the Quay Operator and a managed Clair component. After pushing an image to Quay, Clair was unable to scan the image for vulnerabilities. The Clair app pod logs show the certificate error message "x509: certificate is valid for *.apps.quay-731.qe.devcluster.openshift.com, not quayregistry-quay-quay-enterprise.router-default.apps.quay-731.qe.devcluster.openshift.com" (time 2021-07-28T10:56:45Z, message "layers fetch failure"); see the detailed Clair app pod logs below.

      Note: Clair image is quay-clair-container-v3.6.0-27

      https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1676152 

      Quay is unable to show image vulnerability

      oc get pod
      NAME                                               READY   STATUS      RESTARTS   AGE
      quay-operator.v3.6.0-7495d9cd8f-b9vzt              1/1     Running     0          8h
      quayregistry-clair-app-6574f7777-gl6j7             1/1     Running     0          8h
      quayregistry-clair-app-6574f7777-png9s             1/1     Running     0          8h
      quayregistry-clair-postgres-6486dc45b7-hrgk8       1/1     Running     1          8h
      quayregistry-quay-app-5ccb4c9d4f-hqc4q             0/1     Running     1          8h
      quayregistry-quay-app-5ccb4c9d4f-mrvwd             1/1     Running     1          8h
      quayregistry-quay-app-upgrade-bnkz2                0/1     Completed   0          8h
      quayregistry-quay-config-editor-86cc686c68-k5r4r   1/1     Running     0          8h
      quayregistry-quay-database-bfd9c6fcc-wr9nx         1/1     Running     1          8h
      quayregistry-quay-mirror-5958f59567-9mdmq          0/1     Running     91         8h
      quayregistry-quay-mirror-5958f59567-l5jm4          0/1     Running     91         8h
      quayregistry-quay-postgres-init-k8t96              0/1     Completed   0          8h
      quayregistry-quay-redis-9999b6b5b-xtkdf            1/1     Running     0          8h
      
      oc get pod quayregistry-clair-app-6574f7777-png9s -o json | jq '.spec.containers[0].image'
      "registry.redhat.io/quay/clair-rhel8@sha256:cc1a862fd82109fb98dd93cf75a02ed9a2fcb60b906fa1f97160013fd16e5ef4"
      
      {"level":"warn","component":"internal/indexer/controller/Controller.Index","manifest":"sha256:1e48201ccc2ab83afc435394b3bf70af0fa0055215c1e26a5da9b50a1ae367c9","state":"FetchLayers","error":"encountered error while fetching a layer: fetcher: request failed: Get \"https://quayregistry-quay-quay-enterprise.router-default.apps.quay-731.qe.devcluster.openshift.com/_storage_proxy/ZXlKMGVYQWlPaUpLVjFRaUxDSmhiR2NpT2lKU1V6STFOaUlzSW10cFpDSTZJbXN4U1ZSSU9VRlFjbk42Tm1sSlpUTjZhWFIyWVVSWlJuUnZjekJ0YVU5eWNVWldhVkZmY0dGbmRVa2lmUS5leUpwYzNNaU9pSnhkV0Y1SWl3aVlYVmtJam9pY1hWaGVYSmxaMmx6ZEhKNUxYRjFZWGt0Y1hWaGVTMWxiblJsY25CeWFYTmxMbkp2ZFhSbGNpMWtaV1poZFd4MExtRndjSE11Y1hWaGVTMDNNekV1Y1dVdVpHVjJZMngxYzNSbGNpNXZjR1Z1YzJocFpuUXVZMjl0SWl3aWJtSm1Jam94TmpJM05EWTVPREExTENKcFlYUWlPakUyTWpjME5qazRNRFVzSW1WNGNDSTZNVFl5TnpRMk9UZ3pOU3dpYzNWaUlqb2ljM1J2Y21GblpYQnliM2g1SWl3aVlXTmpaWE56SWpwYmV5SjBlWEJsSWpvaWMzUnZjbUZuWlhCeWIzaDVJaXdpZFhKcElqb2ljWFZoZVdGM2N6RTBNall3Tmk5a1lYUmhabWxzWlM5emFHRXlOVFl2TVRZdk1UWmxZek15WXpJeE16SmlORE0wT1RRNE16SmhNRFZtTW1Jd01tWTNZVGd5TWpRM09XWTRNalV3WXpFM00yUXdZV0l5TjJJelpHVTNPR0l5WmpBMU9EOVlMVUZ0ZWkxQmJHZHZjbWwwYUcwOVFWZFROQzFJVFVGRExWTklRVEkxTmlaWUxVRnRlaTFEY21Wa1pXNTBhV0ZzUFVGTFNVRlZUVkZCU0VOS1QwNHlOelZUV0VaYUpUSkdNakF5TVRBM01qZ2xNa1oxY3kxbFlYTjBMVElsTWtaek15VXlSbUYzY3pSZmNtVnhkV1Z6ZENaWUxVRnRlaTFFWVhSbFBUSXdNakV3TnpJNFZERXdOVFkwTlZvbVdDMUJiWG90Ulhod2FYSmxjejAyTURBbVdDMUJiWG90VTJsbmJtVmtTR1ZoWkdWeWN6MW9iM04wSmxndFFXMTZMVk5wWjI1aGRIVnlaVDAyWTJabFlURm1OelUwWldJd01qZ3lOMkk1T0dNMVlqQTRORE13TVRZNU5tRTJZekpsTldZM1lqQmxaalprTTJVMk1HUTRNVGd3WWpsalptWTBOalJoSWl3aWFHOXpkQ0k2SW5NekxuVnpMV1ZoYzNRdE1pNWhiV0Y2YjI1aGQzTXVZMjl0SWl3aWMyTm9aVzFsSWpvaWFIUjBjSE1pZlYwc0ltTnZiblJsZUhRaU9udDlmUS5YSHlLSnF1aXRLN3dWQVFraUdPbGpnVENfYWFEeUt1SEdXdUJUbEh4dEpoVVd6V18tRV9wbnVtOGFQOE1nR2VfdXNtY084SEhjU0hWQkxVSTFMMlRFTUJFOFB6TzkwR29SczNBTm5vX3NXX2hXS3d3OE9UejUtQUtUVmhYYm9kX1l2YVlWcXNQV0R6SG80WmxjTVNYY3Z2YzZodm51ZHhNVUFCSDBzcGZWSHRQNDl4MVlvc1c0cGlRbEJpaVROOWJfVmt4RkhzeF81bGJYRnJUT0RMTllzWXFaQURqMnV3T1NW
ZlJwSGZ4dVRHa3FDMGdNTFZRRUlhaTdqbjNTZy1kUk1WaGwteGxhd1V6SlE2V3V2eDROd1U2SUJMLXNtSVk3VFl5MC1makxBRFJjMi1kWXV5T2RkVkYyM1VCNlhDd2tULWppNVhMeElfa2lWZ2piejFhNVE=/https/s3.us-east-2.amazonaws.com/quayaws142606/datafile/sha256/16/16ec32c2132b43494832a05f2b02f7a822479f8250c173d0ab27b3de78b2f058?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAUMQAHCJON275SXFZ%2F20210728%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20210728T105645Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host&X-Amz-Signature=6cfea1f754eb02827b98c5b084301696a6c2e5f7b0ef6d3e60d8180b9cff464a\": x509: certificate is valid for *.apps.quay-731.qe.devcluster.openshift.com, not quayregistry-quay-quay-enterprise.router-default.apps.quay-731.qe.devcluster.openshift.com","time":"2021-07-28T10:56:45Z","message":"layers fetch failure"}
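
      Added example (not part of the original report, and not Quay or Clair code): the "x509:" error above is the hostname check in Go's crypto/x509, where a wildcard SAN covers exactly one left-most DNS label. The sketch below reproduces the check offline with a throwaway self-signed certificate; the second hostname is constructed for comparison.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// wildcardCert builds a throwaway self-signed certificate whose only SAN is san.
func wildcardCert(san string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     []string{san},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkHost returns nil if host is covered by san, else Go's x509.HostnameError.
func checkHost(san, host string) error {
	cert, err := wildcardCert(san)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(host)
}

func main() {
	const san = "*.apps.quay-731.qe.devcluster.openshift.com" // SAN named in the log
	hosts := []string{
		"quayregistry-quay-quay-enterprise.router-default.apps.quay-731.qe.devcluster.openshift.com", // from the log
		"router-default.apps.quay-731.qe.devcluster.openshift.com",                                   // constructed: one label under the wildcard
	}
	for _, h := range hosts {
		fmt.Printf("%s\n  -> %v\n", h, checkHost(san, h))
	}
}
```

      The route hostname in the log has two labels (quayregistry-quay-quay-enterprise and router-default) in front of apps.quay-731.qe.devcluster.openshift.com, so the wildcard cannot cover it.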
      
      

            People

              jonathankingfc Jonathan King
              lzha1981 luffy zhang