Tags: docker, vmware, vsphere, photon-os

VMware Photon - Clair cannot scan Photon container vulnerability on vSphere


The problem:
Clair cannot scan a Docker image built from Photon OS on the VMware vSphere platform. In turn, this prevents properly completing a vulnerability scan on vSphere, which prevents any subsequent container deployment.

Background:
I am building a Photon image with Docker from a Windows Server and pushing to a VMware VCH hosted on vSphere. Everything builds fine and I am able to push the image to the VCH / vSphere, without any issues.

Dockerfile:

# Base image: VMware Photon OS 3.0
FROM photon:3.0
# Photon uses tdnf (an rpm-based package manager) rather than apt/apk
RUN tdnf remove toybox -y
RUN tdnf install -y build-essential python3-setuptools python3-tools python3-pip python3-devel git
RUN pip3 install --upgrade pip
# --trusted-host entries work around TLS inspection between the build host and PyPI
RUN pip install --trusted-host pypi.python.org --trusted-host files.pythonhosted.org --trusted-host pypi.org flask
RUN pip install --trusted-host pypi.python.org --trusted-host files.pythonhosted.org --trusted-host pypi.org flask_restful
COPY . /app
WORKDIR /app
CMD ["python", "app.py"]

PowerShell:

# Build the image
docker build -t vchregistry.../myimage:latest .

# Push Image back to VIC (Registry)
docker push vchregistry.../myimage:latest

When I check out the repository on vSphere, I see the following in the Vulnerability log, indicating that the scan failed.

[INFO] Scanning Layer: xxxxx, path: http://registry:5000/..../photon-iso/blobs/sha256:xxxxx
[ERROR] [clair_job.go:101]: Failed to scan xxxxx: xxxxx, error: Unexpected status code: 422, text: {"Error":{"Message":"worker: OS and/or package manager are not supported"}}

This error has been unique to Photon images. Many others, including Alpine, scan and finish just fine. It's strange, considering that VMware developed both vSphere and Photon.

Question:
Does anyone in this world know how I can enable the Clair Vulnerability scan for Photon images?


Solution

  • The answer is that Clair doesn't support scanning Photon images. While this is readily apparent in the error message, it's hard to wrap my head around from a VMware perspective - I couldn't see VMware creating a platform like vSphere without having some workaround for scanning an image that is built on an OS that they themselves created. Unfortunately, this is the case...
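Since the log above is the only signal that the scan never ran, a deployment gate should read it rather than treating "no findings" as "clean". The following is an added example (not from the question, the answer, or any VMware/Clair code) that parses the two log lines quoted above, extracts Clair's 422 "not supported" message, and returns a verdict that blocks on any failed layer; the line layout is assumed to match the quoted log exactly.

```python
import json
import re

# Constructed sample: the two lines quoted in the question ("xxxxx" are the
# original poster's redactions), kept verbatim so the parser is tested on them.
SAMPLE_LOG = """\
[INFO] Scanning Layer: xxxxx, path: http://registry:5000/..../photon-iso/blobs/sha256:xxxxx
[ERROR] [clair_job.go:101]: Failed to scan xxxxx: xxxxx, error: Unexpected status code: 422, text: {"Error":{"Message":"worker: OS and/or package manager are not supported"}}
"""

# Assumed layout of a failed-layer line, taken from the quoted log.
ERROR_RE = re.compile(
    r"^\[ERROR\] \[(?P<src>[^\]]+)\]: Failed to scan (?P<layer>[^:]+): (?P<digest>[^,]+), "
    r"error: Unexpected status code: (?P<code>\d+), text: (?P<body>\{.*\})$"
)


def parse_clair_errors(log_text):
    """Return one record per failed-layer line; INFO and unrelated lines are ignored."""
    failures = []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line.strip())
        if not m:
            continue
        try:
            msg = json.loads(m.group("body"))["Error"]["Message"]
        except (ValueError, KeyError, TypeError):
            msg = m.group("body")  # keep the raw body if it is not the expected JSON
        failures.append({
            "layer": m.group("layer"),
            "status": int(m.group("code")),
            "message": msg,
            # Clair answers 422 with this message when it has no detector for the
            # layer's OS or package manager (the Photon case on this page).
            "unsupported_os": m.group("code") == "422" and "not supported" in msg,
        })
    return failures


def scan_verdict(log_text):
    """'pass' only when no layer failed. 'unsupported' and 'error' both mean the
    image was never actually scanned, so neither may be treated as a clean result."""
    failures = parse_clair_errors(log_text)
    if not failures:
        return "pass"
    if any(f["unsupported_os"] for f in failures):
        return "unsupported"
    return "error"
```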