The problem:
Clair cannot scan a Docker image built from Photon OS on the VMware vSphere platform. In turn, this prevents properly completing a vulnerability scan on vSphere, which prevents any subsequent container deployment.
Background:
I am building a Photon image with Docker from a Windows Server and pushing to a VMware VCH hosted on vSphere. Everything builds fine and I am able to push the image to the VCH / vSphere, without any issues.
Dockerfile:
FROM photon:3.0
RUN tdnf remove toybox -y
RUN tdnf install -y build-essential python3-setuptools python3-tools python3-pip python3-devel git
RUN pip3 install --upgrade pip
RUN pip install --trusted-host pypi.python.org --trusted-host files.pythonhosted.org --trusted-host pypi.org flask
RUN pip install --trusted-host pypi.python.org --trusted-host files.pythonhosted.org --trusted-host pypi.org flask_restful
COPY . /app
WORKDIR /app
CMD ["python", "app.py"]
PowerShell:
# Build the image
docker build -t vchregistry.../myimage:latest .
# Push Image back to VIC (Registry)
docker push vchregistry.../myimage:latest
When I check out the repository on vSphere, I see the following in the Vulnerability log, indicating that the scan failed.
[INFO] Scanning Layer: xxxxx, path: http://registry:5000/..../photon-iso/blobs/sha256:xxxxx
[ERROR] [clair_job.go:101]: Failed to scan xxxxx: xxxxx, error: Unexpected status code: 422, text: {"Error":{"Message":"worker: OS and/or package manager are not supported"}}
This error has been unique to Photon images. Many others, including Alpine, scan and finish just fine. It's strange, considering that VMware developed both vSphere and Photon.
Question:
Does anyone in this world know how I can enable the Clair Vulnerability scan for Photon images?
The answer is that Clair doesn't support scanning Photon images. While this is readily apparent in the error message, it's hard to wrap my head around from a VMware perspective - I couldn't see VMware creating a platform like vSphere without having some workaround for scanning an image that is built on an OS that they themselves created. Unfortunately, this is the case...
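As an added example, not code from the question or the answer above: a Python pre-push check that reads the base layer's os-release, reports the OS ID, and fails early when that ID is not one the scanner handles, so the rejection surfaces on the build host instead of as a 422 in the registry's vulnerability log. The supported-ID set and the helper names are assumptions for this example; take the real list from your scanner's documentation.

```python
import io
import tarfile

# OS IDs this pre-check treats as scannable. The set is an assumption for the
# example; take the real list from your scanner's documentation.
SUPPORTED_OS_IDS = {"alpine", "debian", "ubuntu", "centos", "rhel", "ol", "amzn", "sles"}
OS_RELEASE_PATHS = ("etc/os-release", "usr/lib/os-release")

def parse_os_release(text):
    """Parse KEY=VALUE lines of an os-release file into a dict (quotes stripped)."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields

def detect_os(layer_tar):
    """Return (ID, VERSION_ID) from the first os-release file in a layer tarball."""
    with tarfile.open(fileobj=io.BytesIO(layer_tar), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.lstrip("./") in OS_RELEASE_PATHS:
                fields = parse_os_release(tar.extractfile(member).read().decode("utf-8", "replace"))
                return fields.get("ID"), fields.get("VERSION_ID")
    return None, None

def precheck(layer_tar, supported=SUPPORTED_OS_IDS):
    """Decide before push whether the scanner will be able to identify this layer's OS."""
    os_id, version = detect_os(layer_tar)
    if os_id is None:
        return False, "no os-release ID found; scanner cannot identify the OS"
    if os_id not in supported:
        return False, f"{os_id} {version} is not in the scanner's supported OS set"
    return True, f"{os_id} {version} is scannable"

def make_layer(os_release_text):
    """Build an in-memory layer tarball holding only /etc/os-release (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = os_release_text.encode()
        info = tarfile.TarInfo("etc/os-release")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample shaped like a Photon 3.0 os-release; expect a rejection.
    print(precheck(make_layer("ID=photon\nVERSION_ID=3.0\n")))
```

On a real image, feed `detect_os` the base layer's tar from `docker save` rather than the constructed tarball used here.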