OpenSCAP Not Working?


#1

Hello,

I have some OpenShift containers assigned to an OpenSCAP policy and details are appearing, but nothing is showing on any of the OpenSCAP results.

I am up-to-date from git on the master branch.

Have I missed something in the setup ?

Thanks


#2

@simon3z Can you help out here?


#3

Hi @PsychoSid,
I understand the problem is that there are zero OpenSCAP results.
That is a prerequisite to most of the policy-related bits; we can check those parts later.

Has there been a successful smart state analysis on that container image?
What distribution is that container image based on?
If the answer to the first question is yes, your evm.log will be helpful in understanding this issue.


#4

Hi @moolitayer,

Thanks for coming back to me.

Looks as though there is a problem with the SmartState analysis here:
[root@ukvadevmiq001 log]# grep anfr *
grep: apache: Is a directory
evm.log:[----] E, [2016-07-12T08:49:07.736819 #3176:9fd990] ERROR -- : Q-task_id([9135cd8c-4804-11e6-af7b-0050568f44eb]) MIQ(ManageIQ::Providers::Kubernetes::ContainerManager::Scanning::Job#analyze) cannot analyze image 172.30.25.186:5000/pret-apps/anfr@sha256:90c951d585f00962d5cf3d82a2f923342eac73b37b2d7c844568cbb87caadd39 with id sha256:32a0dea83c46baf7a95b37358d014b68ef1ad0f7bef87aaaaf016e39e549a517: detected id was sha256:ee23cb34bdd3fafe5ceb814f823ec7d37d83394c8a95bba8f3ecbf27d5579536
evm.log:[----] E, [2016-07-12T08:49:13.155392 #3176:9fd990] ERROR -- : Q-task_id([9135cd8c-4804-11e6-af7b-0050568f44eb]) MIQ(ManageIQ::Providers::Kubernetes::ContainerManager::Scanning::Job#process_abort) job aborting, cannot analyze image 172.30.25.186:5000/pret-apps/anfr@sha256:90c951d585f00962d5cf3d82a2f923342eac73b37b2d7c844568cbb87caadd39 with id sha256:32a0d: detected id was sha256:ee23c
evm.log:[----] E, [2016-07-12T09:08:22.443399 #3176:9fd990] ERROR -- : Q-task_id([6e0de9ce-4805-11e6-af7b-0050568f44eb]) MIQ(ManageIQ::Providers::Kubernetes::ContainerManager::Scanning::Job#analyze) cannot analyze image 172.30.25.186:5000/pret-apps/anfr@sha256:90c951d585f00962d5cf3d82a2f923342eac73b37b2d7c844568cbb87caadd39 with id sha256:32a0dea83c46baf7a95b37358d014b68ef1ad0f7bef87aaaaf016e39e549a517: detected id was sha256:d69ed87efaca3ca6f7981d23754c957865414ee9368783b57e1a0d2f2582d449
evm.log:[----] E, [2016-07-12T09:08:28.841932 #3176:9fd990] ERROR -- : Q-task_id([6e0de9ce-4805-11e6-af7b-0050568f44eb]) MIQ(ManageIQ::Providers::Kubernetes::ContainerManager::Scanning::Job#process_abort) job aborting, cannot analyze image 172.30.25.186:5000/pret-apps/anfr@sha256:90c951d585f00962d5cf3d82a2f923342eac73b37b2d7c844568cbb87caadd39 with id sha256:32a0d: detected id was sha256:d69ed
policy.log:[----] I, [2016-07-12T08:44:14.041946 #3273:127afc8] INFO -- : MIQ(policy-enforce_policy): Event: [containerimage_compliance_check], To: [pret-apps/anfr]
policy.log:[----] I, [2016-07-12T08:44:20.535737 #3166:9fd990] INFO -- : MIQ(policy-enforce_policy): Event: [containerimage_compliance_passed], To: [pret-apps/anfr]
policy.log:[----] I, [2016-07-12T08:49:17.961115 #3144:9fd990] INFO -- : MIQ(policy-enforce_policy): Event: [containerimage_scan_complete], To: [pret-apps/anfr]
policy.log:[----] I, [2016-07-12T08:49:18.082386 #3144:9fd990] INFO -- : MIQ(action-invoke) Invoking action [Check Host or VM Compliance] for successful policy [Schedule compliance after smart state analysis], event: [Container Image Analysis Complete], entity name: [pret-apps/anfr], entity type: [Image], sequence: [1], synchronous? [true]
policy.log:[----] I, [2016-07-12T08:49:18.082514 #3144:9fd990] INFO -- : MIQ(action_check_compliance): Now executing [Check Host or VM Compliance] of ContainerImage [pret-apps/anfr]
policy.log:[----] I, [2016-07-12T08:49:18.083474 #3144:9fd990] INFO -- : MIQ(policy-enforce_policy): Event: [containerimage_compliance_check], To: [pret-apps/anfr]
policy.log:[----] I, [2016-07-12T08:49:30.924614 #3166:9fd990] INFO -- : MIQ(policy-enforce_policy): Event: [containerimage_compliance_passed], To: [pret-apps/anfr]
policy.log:[----] I, [2016-07-12T09:08:34.139189 #3166:9fd990] INFO -- : MIQ(policy-enforce_policy): Event: [containerimage_scan_complete], To: [pret-apps/anfr]
policy.log:[----] I, [2016-07-12T09:08:34.213966 #3166:9fd990] INFO -- : MIQ(action-invoke) Invoking action [Check Host or VM Compliance] for successful policy [Schedule compliance after smart state analysis], event: [Container Image Analysis Complete], entity name: [pret-apps/anfr], entity type: [Image], sequence: [1], synchronous? [true]
policy.log:[----] I, [2016-07-12T09:08:34.214086 #3166:9fd990] INFO -- : MIQ(action_check_compliance): Now executing [Check Host or VM Compliance] of ContainerImage [pret-apps/anfr]
policy.log:[----] I, [2016-07-12T09:08:34.214917 #3166:9fd990] INFO -- : MIQ(policy-enforce_policy): Event: [containerimage_compliance_check], To: [pret-apps/anfr]
policy.log:[----] I, [2016-07-12T09:08:46.579033 #3166:9fd990] INFO -- : MIQ(policy-enforce_policy): Event: [containerimage_compliance_passed], To: [pret-apps/anfr]

Not sure why that would be the case; perhaps permissions on the OpenShift end, but those are set as per the docs, and it can see 4xx packages in the configuration, as per the screenshot.

The image is based on a standard RHEL7 one.

My ManageIQ is up to date with the current master branch.

git branch --list
  capablanca
  darga
* master

Any help would be much appreciated.

Thanks


#5

evm.log:[----] E, [2016-07-12T09:08:52.387196 #3176:9fd990] ERROR -- : Q-task_id([6e3232de-4805-11e6-af7b-0050568f44eb]) MIQ(ManageIQ::Providers::Kubernetes::ContainerManager::Scanning::Job#process_abort) job aborting, unknown access error to pod management-infra/manageiq-img-scan-6e323: #<Net::HTTPForbidden:0x0000000c9e1d38>


#6

OK, we can reclassify this as a general container smart state issue, unrelated to OpenSCAP.

The error message you are seeing guards us from performing SSA on an image that is different from what we expect it to be:
cannot analyze image 172.30.25.186:5000/pret-apps/anfr@sha256:90c951d585f00962d5cf3d82a2f923342eac73b37b2d7c844568cbb87caadd39 with id sha256:32a0dea83c46baf7a95b37358d014b68ef1ad0f7bef87aaaaf016e39e549a517: detected id was sha256:ee23cb34bdd3fafe5ceb814f823ec7d37d83394c8a95bba8f3ecbf27d5579536

Since we get images from docker based on names and not on SHA, the name of the image could change to point to a different image from the one we want to scan. Could that be the case?
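The drift described in the reply above, as an added example in Ruby (the project's language); this is not ManageIQ code. It models a registry where a name is a mutable pointer while an id is content-addressed, reproduces the "cannot analyze image ... detected id was ..." guard, and parses evm.log lines of that shape so the mismatch can be listed across many images. The `ToyRegistry` class, the blob-hashing scheme (id = SHA-256 of the blob itself, whereas real docker ids hash the image config) and the sample log lines are constructed for the illustration.

```ruby
require 'digest'

# Content-addressed image id in the "sha256:<hex>" form seen in evm.log.
# Assumption for this toy: the id is the SHA-256 of the image blob itself
# (real docker ids hash the image config; the property shown is the same).
def image_id(blob)
  "sha256:#{Digest::SHA256.hexdigest(blob)}"
end

# Toy registry (hypothetical): blobs live under their id and are never
# rewritten; a name is a pointer that every push repoints, which is why
# "pull by name" can silently return a different image than was scheduled.
class ToyRegistry
  def initialize
    @blobs = {}   # id   => blob (immutable once stored)
    @names = {}   # name => id  (rewritten by each push)
  end

  def push(name, blob)
    id = image_id(blob)
    @blobs[id] = blob
    @names[name] = id
    id
  end

  # Resolves whatever the name points to *now*, not at scheduling time.
  def pull_by_name(name)
    @blobs.fetch(@names.fetch(name))
  end

  # Content-addressed: returns the blob for that id or raises KeyError.
  def pull_by_id(id)
    @blobs.fetch(id)
  end
end

class ImageMismatch < StandardError; end

# The guard behind the thread's error: compare the id of what was actually
# pulled with the id recorded when the scan was scheduled; abort on drift.
def analyze_if_unchanged(expected_id, blob)
  detected = image_id(blob)
  unless detected == expected_id
    raise ImageMismatch,
          "cannot analyze image with id #{expected_id}: detected id was #{detected}"
  end
  detected
end

# Scenario from the reply: a scan is scheduled against id v1, a new push
# repoints the name, and the scan pulls by name and gets v2. Pulling by id
# cannot drift, so the same guard passes there.
def drifted_name_scenario
  reg = ToyRegistry.new
  name = "pret-apps/anfr"
  expected = reg.push(name, "image layers v1 (constructed)")
  reg.push(name, "image layers v2 (constructed)")

  by_name = begin
    analyze_if_unchanged(expected, reg.pull_by_name(name))
    :analyzed
  rescue ImageMismatch
    :aborted
  end
  by_id = analyze_if_unchanged(expected, reg.pull_by_id(expected)) == expected ? :analyzed : :aborted
  { by_name: by_name, by_id: by_id }
end

# Parser for evm.log mismatch lines, so drift across 40+ images can be
# listed instead of read by eye. Matches both the #analyze and the
# #process_abort variants, including the truncated-digest form.
MISMATCH_RE = /cannot analyze image (?<ref>\S+) with id (?<expected>sha256:[0-9a-f]+): detected id was (?<detected>sha256:[0-9a-f]+)/

def parse_mismatches(log_text)
  log_text.each_line.map do |line|
    m = MISMATCH_RE.match(line)
    next unless m
    { ref: m[:ref], expected: m[:expected], detected: m[:detected] }
  end.compact
end

# Constructed sample in the shape of the lines pasted in the thread (digests shortened).
SAMPLE_EVM_LOG = <<~LOG
  [----] E, [2016-07-12T08:49:07 #3176:9fd990] ERROR -- : MIQ(Scanning::Job#analyze) cannot analyze image 172.30.25.186:5000/pret-apps/anfr@sha256:90c95 with id sha256:32a0d: detected id was sha256:ee23c
  [----] E, [2016-07-12T08:49:13 #3176:9fd990] ERROR -- : MIQ(Scanning::Job#process_abort) job aborting, cannot analyze image 172.30.25.186:5000/pret-apps/anfr@sha256:90c95 with id sha256:32a0d: detected id was sha256:ee23c
  [----] I, [2016-07-12T08:49:17 #3144:9fd990] INFO -- : MIQ(policy-enforce_policy): Event: [containerimage_scan_complete], To: [pret-apps/anfr]
LOG

if __FILE__ == $PROGRAM_NAME
  p drifted_name_scenario
  parse_mismatches(SAMPLE_EVM_LOG).each do |m|
    puts "#{m[:ref]} expected #{m[:expected]} got #{m[:detected]}"
  end
end
```

Run it on a copy of evm.log with `parse_mismatches(File.read("evm.log"))` to get one row per aborted scan; if `ref` already carries an `@sha256:` digest but the pull still drifted, the scanner is resolving by name and the digest in the reference is not what is being fetched.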


#7

I am not the OpenShift guy around here, and that is in POC right now, and this is one of the important aspects of MIQ that we want around all this, so it would be nice to get it going!

But that sounds very plausible to me.

Anything we can do ?

Thanks


#8

How reproducible is this issue?
If you try to SSA the same image now, does it happen?
Can you paste the entire container image page (like you did with the OpenSCAP and compliance bits)?


#9

Hi,
Sure. It’s across all our images (we have 40+ currently)