So I am having an issue:
I have a running container of jenkins which does some CI steps
I downloaded on that jenkins container trivy inside it.
In the CI pipeline if I wish to scan a docker image with trivy it says:
FATAL scan error: image scan failed: failed analysis: analyze error: timeout: context deadline exceeded
OR
trivy image trivy:test
2023-01-27T13:45:57.711Z INFO Need to update DB
2023-01-27T13:45:57.711Z INFO Downloading DB...
31.14 MiB / 31.14 MiB [----------] 100.00% 1.70 MiB p/s 18s
and than stuck after that
I diagnosed the problem like that - the docker images are stored on my pc and the steps I'm running in my CI pipeline is commands that are being executed from withing my jenkins container and trivy does not recognises the image from outside the jenkins container.
so again - How the command trivy image test:test which runs from inside the jenkins container can have access to my local docker images?
Help will be appreciated:)
Try to use --timeout argument and see if it works.
Related
When attempting to pull public images (e.g. python:3.6, node:latest) from Docker, our GitLab runner failed with the following error message:
Running with gitlab-runner 12.2.0 (a987417a)
on GitLab Runner XYZ
Using Docker executor with image python:3.6 ... 00:17
Starting service python:3.6 ...
Pulling docker image python:3.6 ...
ERROR: Preparation failed: Error: No such image: python:3.6 (executor_docker.go:199:0s)
The cause was we exceeded Dockers pull rate limit:
Free plan – anonymous users: 100 pulls per 6 hours
Free plan – authenticated users: 200 pulls per 6
How can I check my current rate?
See https://docs.docker.com/docker-hub/download-rate-limit/#how-can-i-check-my-current-rate
How to increase the rate limit?
Authenticate with Docker Hub to increase to 200 pulls per 6 hours:
docker login
Alternatively you can cache Docker images to reduce the number of calls to DockerHub from your CI/CD infrastructure.
We have two stages one to build the docker image and another one to scan it with prisma pluging.
build image :
stage('Build Docker image preproduction') {
steps {
script {
dockerImage = docker.build("${env.docker_image_name}")
}
}
}
stage('Prisma Cloud Scan') {
steps {
prismaCloudScanImage dockerAddress: "$DOCKER_HOST", image: "${env.docker_image_name}:latest", logLevel: 'debug', resultsFile: 'prisma-cloud-scan-results.json'
}
}
This works fine most of the time, but in some situation almost ( 1 over 20 ) the job failled and we get this error:
[PRISMACLOUD] Scanning images remotely on default-5mn8k
[PRISMACLOUD] Waiting for scanner to complete
[PRISMACLOUD] /home/jenkins/agent/workspace/ild_chore_add-prisma-to-pipeline/twistcli6275500796561372150 images scan otherimagename:1234 --docker-address tcp://localhost:2375 --min-scan-time 1611048549280 --ci --publish --details --address https://XXXXXXXXXprisma_host_hereXXXXX --ci-results-file prisma-cloud-scan-results.json
[ild_chore_add-prisma-to-pipeline] $ /home/jenkins/agent/workspace/ild_chore_add-prisma-to-pipeline/twistcli6275500796561372150 images scan otherimagename:1234 --docker-address tcp://localhost:2375 --min-scan-time 1611048549280 --ci --publish --details --address https://XXXXXXXXXprisma_host_hereXXXX --ci-results-file prisma-cloud-scan-results.json
[PRISMACLOUD] failed to find image otherimagename:1234
[PRISMACLOUD] Scanner failed to run properly. Status: 1
and before this message we can see in the console that the image is already present in the docker host:
+ docker build -t otherimagename:1234 .
Sending build context to Docker daemon 20.54MB
Step 1/2 : FROM nginx:stable
---> b9e1dc12387a
Step 2/2 : COPY docs /usr/share/nginx/html
---> Using cache
---> 09787d1a562e
Successfully built 09787d1a562e
Successfully tagged otherimagename:1234
Can you help me figure out what's going on? we also set up one sleep time between the two steps, but still facing the issue.
Thanks, #EFOE, this hint of the docker config helped. I ran into the same problem via Jenkins. The scans were running on Jenkins EC2 Jenkins agents, both Win and Linux for respective images. While there were no issues with the Linux image scans, the Windows scans failed to find the docker images.
I debugged the docker daemon logs on the windows EC2 agents and found that the images were actually accessible locally on those agents, but the Prisma plugin was unable to access the Docker API for the image details.
Since my agent never had any browsers installed (IE was broken), once I installed chrome as a browser, the Prisma plugin was able to access the docker images as well as perform the scans. So basically my agent needed a client to access the Docker API.
There were no issues when accessing the twistcli binaries by Prisma. Just had issues with only the Prisma Jenkins plugin for Windows.
Hopefully, this will help if someone runs into similar issues.
$ docker pull oraclelinux
Using default tag: latest
latest: Pulling from library/oraclelinux
c93adbd5ca8c: Downloading [==================================================>] 85.96MB/85.96MB
unexpected EOF
$ docker --version
Docker version 18.09.2, build 6247962
I notice that docker pull continously retries with back-off for a few times and eventually fails with unexpected EOF. Same issue observed if pulling centos, debian image.
The docker pull of this image from a repository in local network succeeds. I'm trying to figure out the failure for pulls from github.io.
docker pull for smaller size images (ex: alpine, helloworld) succeeds.
Running Docker Desktop Version 2.0.0.3 (31259) on MacOS High Sierra. Restarting Docker did not resolve the issue.
Any pointers are greatly appreciated.
Found an answer. I had to use Manual Proxy Configuration within Docker Desktop to point to an internal corp proxy for this to work.
I am using Jenkins Custom Build Environment Plugin (1.6.5) to build images from a Dockerfile inside the slave container checked in along with the source code.
Slaves running on Docker version 1.9.1, build ab77bde/1.9.1
My Dockerfile is as below which is able to pull from official ubuntu image but fails to pull from official node.js image -
FROM node:boron
# Create app directory
RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app
On Jenkins job execution I get below failure -
$ docker build --file /data/name-jenkins/workspace/TestJobs/BuildFromSCM/Dockerfile /data/name-jenkins/workspace/TestJobs/BuildFromSCM
Sending build context to Docker daemon 149.5 kB
Sending build context to Docker daemon 149.5 kB
Step 1 : FROM node:boron
Trying to pull repository registry.access.redhat.com/node ... failed
Trying to pull repository docker.io/library/node ... failed
Authentication is required.
FATAL: Failed to build docker image from project Dockerfile
java.lang.RuntimeException: Failed to build docker image from project Dockerfile
at com.cloudbees.jenkins.plugins.docker_build_env.Docker.buildImage(Docker.java:134)
at com.cloudbees.jenkins.plugins.docker_build_env.DockerfileImageSelector.prepareDockerImage(DockerfileImageSelector.java:46)
at com.cloudbees.jenkins.plugins.docker_build_env.DockerBuildWrapper.setUp(DockerBuildWrapper.java:169)
at hudson.model.Build$BuildExecution.doRun(Build.java:156)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)
at hudson.model.Run.execute(Run.java:1741)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:410)
Finished: FAILURE
I am able to build the Docker image on my local machine though. I confirmed that the Jenkins slave user has sudo permissions.
I found an issue in .docker/config.json on my slave machine where I accidentally set my dockerhub credentials which caused in failure in pulling public images with a generic user I was using to build Jenkins job.
{
"ServerURL": "https://index.docker.io/v1",
"Username": "myusername",
"Secret": "passw0rd1"
}
You may need a certificate of the docker-hub, which is a ca.crt file put in:
/etc/docker/certs.d/
I am using Jenkins to make build of project, but now my client wants to make builds inside of a Docker image. i have installed docker on server and its running on 172.0.0.1:PORT. I have installed Docker plugin and assigned this TCP URL to Docker URL. I have also created an image with the name jenkins-1
In configure project I use Build environment Build with Docker Container and provide image name. and then in Build in put Execute Shell and then Build it
But it gives the Error:
Pull Docker image jenkins-1 from repository ...`
$ docker pull jenkins-1`
Failed to pull Docker image jenkins-1`
FATAL: Failed to pull Docker image jenkins-1`
java.io.IOException: Failed to pull Docker image jenkins-1``
at com.cloudbees.jenkins.plugins.docker_build_env.PullDockerImageSelector.prepare DockerImage(PullDockerImageSelector.java:34)`
at com.cloudbees.jenkins.plugins.docker_build_env.DockerBuildWrapper.setUp(DockerB`uildWrapper.java:169)`
at hudson.model.Build$BuildExecution.doRun(Build.java:156)`
at `hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:534)`
at hudson.model.Run.execute(Run.java:1720)`
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)`
at hudson.model.ResourceController.execute(ResourceController.java:98)`
at hudson.model.Executor.run(Executor.java:404)`
Finished: FAILURE`
I just have run into the same issue. There is a 'Verbose' check-box in the configuration of build environment after selecting 'Advanced...' link to expand on the error details:
CloudBees plug-in Verbose option
In my case I ran out of space downloading the build Docker images. Expanding ec2 volume has resolved the issue.
But there is an ongoing trouble with space as docker does not auto cleans images and I have ended up adding a manual cleanup step into the build:
docker volume ls -qf dangling=true | xargs -r docker volume rm
Complete build script:
https://bitbucket.org/vk-smith/dotnetcore-api/src/master/ci-build.sh?fileviewer=file-view-default