-
Bug
-
Resolution: Done
-
Critical
-
None
-
False
-
False
-
Quay Enterprise
-
Image in question is library/openjdk:latest on Docker Hub. When copied to Quay 3.6.0, the scanning appears to crash:
{"level":"info","component":"internal/indexer/layerscannner/layerScanner.scan","kind":"package","layer":"sha256:67a9c63ed3ba0226d765a092dd6fcc06fe5ece8a2dd0fd11e1add9c0ddee488e","manifest":"sha256:ba0fc847b43cb8756be4497758863d7b51003efcb9b861211a8d5d3afe6c9fa2","scanner":"rpm","state":"ScanLayers","error":"context canceled","time":"2021-10-28T11:06:27Z"}
{"level":"debug","component":"internal/indexer/layerscannner/layerScanner.scan","kind":"package","layer":"sha256:67a9c63ed3ba0226d765a092dd6fcc06fe5ece8a2dd0fd11e1add9c0ddee488e","manifest":"sha256:ba0fc847b43cb8756be4497758863d7b51003efcb9b861211a8d5d3afe6c9fa2","scanner":"rpm","state":"ScanLayers","time":"2021-10-28T11:06:27Z","message":"scan done"}
{"level":"info","component":"internal/indexer/controller/Controller.Index","manifest":"sha256:ba0fc847b43cb8756be4497758863d7b51003efcb9b861211a8d5d3afe6c9fa2","state":"ScanLayers","time":"2021-10-28T11:06:27Z","message":"layers scan done"}
{"level":"error","component":"internal/indexer/controller/Controller.Index","manifest":"sha256:ba0fc847b43cb8756be4497758863d7b51003efcb9b861211a8d5d3afe6c9fa2","state":"ScanLayers","error":"failed to scan all layer contents: jar: unidentified jar: jrt-fs.jar","time":"2021-10-28T11:06:27Z","message":"error during scan"}
{"level":"info","component":"libindex/Libindex.Index","manifest":"sha256:ba0fc847b43cb8756be4497758863d7b51003efcb9b861211a8d5d3afe6c9fa2","time":"2021-10-28T11:06:27Z","message":"index request done"}
{"level":"info","component":"httptransport/New","remote_addr":"172.17.0.1:49172","method":"POST","request_uri":"/indexer/api/v1/index_report","status":500,"time":"2021-10-28T11:06:27Z","message":"handled HTTP request"}
In certain cases the following is also reported:
10:16AM INF error="signal: killed" component=internal/indexer/layerscannner/layerScanner.scan kind=package layer=sha256:f420596490555ff89c8ec7d6b74b4e46c2b3b98dc775c9d19494d8afeb475852 manifest=sha256:ba0fc847b43cb8756be4497758863d7b51003efcb9b861211a8d5d3afe6c9fa2 scanner=rpm state=ScanLayers
The outcome is the following Quay trace:
securityworker stdout | 2021-10-28 10:22:56,356 [95] [DEBUG] [urllib3.connectionpool] http://172.24.10.50:8080 "POST /indexer/api/v1/index_report HTTP/1.1" 500 125 securityworker stdout | 2021-10-28 10:22:56,356 [95] [ERROR] [util.secscan.v4.api] Security scanner endpoint responded with non-200 HTTP status code: 500 securityworker stdout | NoneType: None securityworker stdout | 2021-10-28 10:22:56,356 [95] [ERROR] [data.secscan_model.secscan_v4_model] Failed to perform indexing, security scanner API error securityworker stdout | Traceback (most recent call last): securityworker stdout | File "/quay-registry/util/secscan/v4/api.py", line 204, in index securityworker stdout | resp = self._perform(actions["Index"](body)) securityworker stdout | File "/quay-registry/util/secscan/v4/api.py", line 296, in _perform securityworker stdout | raise Non200ResponseException(resp) securityworker stdout | util.secscan.v4.api.Non200ResponseException securityworker stdout | During handling of the above exception, another exception occurred: securityworker stdout | Traceback (most recent call last): securityworker stdout | File "/quay-registry/data/secscan_model/secscan_v4_model.py", line 288, in perform_indexing securityworker stdout | (report, state) = self._secscan_api.index(manifest, layers) securityworker stdout | File "/quay-registry/util/secscan/v4/api.py", line 208, in index securityworker stdout | raise APIRequestFailure(ex) securityworker stdout | util.secscan.v4.api.APIRequestFailure
The image ends up in the queued state and is always queued and sent again for rescanning to Clair. When full openjdk image is copied over (the Windows variants as well, which are 2.7 GB and 6 GB in size), all subsequent images pushed to Quay end up in queued status for a long time, until the indexer fails with a 500. At that point, they start to get queued, until the openjdk image is hit again which, again, slows down scanning.
Can you please take a look at this? Thanks!
