NEXUS AUTHENTICATION ISSUE: Clairctl v4.7.2 (claircore v1.5.19) How to scan private nexus repository images


Ahmed Mohamed

Feb 23, 2024, 10:55:12 AM2/23/24
to quay-sig
I found that if I want to scan images with clairctl inside the pod I need to specify the
auth:
  psk:
    key: "tara=.."
    iss:
      - "clairctl"

The "iss" name is "clairctl", so that I do not have to provide the issuer value every time.

And it worked; now I am able to perform scans, but only for public repos without authentication.

For example:
- clairctl -D report alpine:latest

is working without any issue, but when I am trying to scan an image from my local repo (Nexus Repository Manager by Sonatype)

It throws me an "UNAUTHORIZED" error.
[Attached screenshot: Screenshot 2024-02-23 175051.png]
How and where should I provide the credentials?

The SSL certificate is already imported into Clair (via SSL_CERT_DIR).

Does anyone know how to fix this issue?

Daniel Messer

Feb 26, 2024, 9:56:30 AM2/26/24
to Ahmed Mohamed, quay-sig
Hi Ahmed,

Clair itself isn't authenticating to a registry; it just receives a data structure that describes the images and the location of the layer blobs to be pulled for indexing. The auth section you quoted is for the authentication to Clair itself, which is used by Quay, for instance, to notify Clair about new images to be analyzed.
clairctl actually authenticates to the registry you provide the image URL for, and it will use your local docker / podman configuration to retrieve credentials for this. So you need to be "logged in" to the Sonatype Nexus Repository you are handing over to clairctl via docker or podman. It will look for the credentials in the default configuration locations (e.g. ~/.docker/config.json).

Hope this helps,
Daniel




--
Daniel Messer

Product Management

Red Hat OpenShift
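Daniel's point that clairctl takes registry credentials from the local Docker/Podman config, as an added example that is not part of this thread or of clairctl: a small Python checker that resolves which registry an image reference points at and reports whether a config.json (constructed inline here) carries a credential for it, so an UNAUTHORIZED result can be traced to a missing entry before a scan is attempted. The registry names, user and config contents are constructed.

```python
"""Check whether the Docker/Podman config clairctl reads has credentials for
the registry an image reference points at. Added example, not clairctl code;
the hostnames and config below are constructed."""
import base64
import json

DOCKER_HUB_KEY = "https://index.docker.io/v1/"   # key Docker uses for Docker Hub


def registry_host(image_ref: str) -> str:
    """Registry host of an image reference, following the Docker naming rule:
    the first path component is a host only if it contains '.' or ':' or is
    'localhost'; otherwise the image lives on Docker Hub."""
    first = image_ref.split("/", 1)[0]
    if "/" not in image_ref or not ("." in first or ":" in first or first == "localhost"):
        return "docker.io"
    return first


def credential_source(config: dict, host: str):
    """Where a credential for `host` would come from, or None if there is none.
    Lookup order mirrors the docker CLI: per-host credHelpers, then credsStore,
    then the inline 'auths' map (whose 'auth' is base64 of 'user:password')."""
    key = DOCKER_HUB_KEY if host == "docker.io" else host
    helper = config.get("credHelpers", {}).get(host)
    if helper:
        return ("credHelper", helper)
    if config.get("credsStore"):
        return ("credsStore", config["credsStore"])
    auths = config.get("auths", {})
    entry = auths.get(key) or auths.get("https://" + host)
    if entry and entry.get("auth"):
        user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        return ("auths", user)   # report only the username, never the secret
    return None


def check_image(image_ref: str, config_json: str):
    """Return (registry host, credential source or None) for one image reference."""
    host = registry_host(image_ref)
    return host, credential_source(json.loads(config_json), host)


# Constructed config: one inline credential for a private Nexus host, nothing else.
SAMPLE_CONFIG = json.dumps({"auths": {
    "nexus.example.internal:8443": {"auth": base64.b64encode(b"scanner:s3cret").decode()}}})

if __name__ == "__main__":
    for ref in ("alpine:latest", "nexus.example.internal:8443/team/app:1.0", "other.example.org/app:2"):
        host, src = check_image(ref, SAMPLE_CONFIG)
        print(f"{ref:45} registry={host:30} credentials={src}")
```

A None result for the registry clairctl is asked to pull from is the condition that produces the UNAUTHORIZED described above; log in to that host with docker or podman (or add a credential helper for it) and re-run the check.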

Ahmed Mohamed

Feb 27, 2024, 9:41:45 AM2/27/24
to quay-sig
Hello Daniel,

In my case clairctl is located on a machine without docker instance.
I have tried to manually map the volume ~/.docker with proper configuration file, but clairctl doesn't know how to operate with it.

I have found the solution and it is to compile new clairctl application with authentication support.
Now everything is working as expected; I can authenticate and pull from my private repo with credentials defined in variables.

It is also working for private docker repositories.

--
Akhmed Mokhamed
DevOps Engineer

Daniel Messer

Feb 28, 2024, 10:47:12 AM2/28/24
to Ahmed Mohamed, quay-sig
Can you elaborate on recompiling the clairctl with support for authentication? This is not something that's needed, that support is already there.
