configuring alternative solutions for ssh connection requirement #168

Closed
westlifezs opened this issue May 5, 2016 · 8 comments
Labels
kind/question something that couldn't be answered in the docs

Comments

@westlifezs

Hello,

It appears to me that Clair needs not only an HTTP connection but also SSH access to the internet.
However, it is difficult to meet this requirement (SSH internet connection) in many production environments. Is there a way to configure Clair to require only an HTTP proxy to work?

The reason I am saying Clair needs SSH is that it uses bzr to create repos, which triggers an SSH connection. Details can be found at: https://github.com/coreos/clair/blob/f0642bb47f4ebe23194b3ea736a20dc8661c1d7a/updater/fetchers/ubuntu/ubuntu.go#L252

thanks

@Quentin-M Quentin-M added component/updater kind/question something that couldn't be answered in the docs labels May 12, 2016
@Quentin-M
Contributor

Hi,

exec.go#L24 passes the environment variables (i.e. HTTP_PROXY and HTTPS_PROXY) that are provided to Clair, to the child processes (i.e. bzr). See golang.org/os/exec/exec.go.

I believe that replacing lp:ubuntu-cve-tracker by https://launchpad.net/ubuntu-cve-tracker in https://github.com/coreos/clair/blob/f0642bb47f4ebe23194b3ea736a20dc8661c1d7a/updater/fetchers/ubuntu/ubuntu.go#L39 might help forcing bzr to use HTTPS instead of SSH, in which case, the proxy will be used. Can you give it a try?

`bzr`'s configuration docs might also help:

@databus23
Contributor

databus23 commented May 25, 2016

I also ran into this problem. Our whole corporate network only allows access via http/https/ftp via proxy servers.
@Quentin-M I tried your suggestion and it indeed fixes the problem:

```
root@0896e380c0fe:/# env |grep proxy
http_proxy=http://proxy.wdf.sap.corp:8080
https_proxy=http://proxy.wdf.sap.corp:8080
root@0896e380c0fe:/# bzr branch https://launchpad.net/ubuntu-cve-tracker test
Branched 11066 revisions.
root@0896e380c0fe:/# cd test/
root@0896e380c0fe:/test# bzr pull --overwrite
Using saved parent location: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/
No revisions or tags to pull.
```

So 👍 from my side for switching to https for the ubuntu CVE tracker.
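
An added sketch (not Clair's code and not part of any comment in this thread) of a preflight check for the two points discussed above: whether a bzr location names an explicit HTTP(S) transport, and whether the proxy variables actually reach a child process started through Go's `os/exec`. The function names and the use of the `env` command as the child are assumptions made for the example.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// Proxy variables in both spellings; the session above sets the lowercase ones.
var proxyVars = map[string]bool{
	"HTTP_PROXY": true, "HTTPS_PROXY": true, "http_proxy": true, "https_proxy": true,
}

// usesHTTPTransport reports whether a bzr location names an explicit HTTP(S)
// transport. Shortcuts such as "lp:..." return false: the thread describes
// them as going out over SSH, which an HTTP proxy does not carry.
func usesHTTPTransport(location string) bool {
	l := strings.ToLower(location)
	return strings.HasPrefix(l, "http://") || strings.HasPrefix(l, "https://")
}

// childProxyEnv runs `env` as a child with Cmd.Env left nil, so the child
// inherits this process's environment, and returns the proxy variables the
// child actually received.
func childProxyEnv() (map[string]string, error) {
	out, err := exec.Command("env").Output()
	if err != nil {
		return nil, fmt.Errorf("running env: %w", err)
	}
	seen := map[string]string{}
	for _, line := range strings.Split(string(out), "\n") {
		if k, v, ok := strings.Cut(line, "="); ok && proxyVars[k] {
			seen[k] = v
		}
	}
	return seen, nil
}

func main() {
	for _, loc := range []string{"lp:ubuntu-cve-tracker", "https://launchpad.net/ubuntu-cve-tracker"} {
		fmt.Printf("%-42s HTTP(S) transport: %v\n", loc, usesHTTPTransport(loc))
	}
	env, err := childProxyEnv()
	if err != nil {
		panic(err)
	}
	fmt.Println("proxy variables seen by child:", env)
}
```

An empty map from `childProxyEnv` means the updater's child processes would run without any proxy setting, whatever the location scheme.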

@westlifezs
Author

@Quentin-M @databus23 thanks to both of you for the information. I am currently using the "docker" way to spin up Clair, as suggested in the main documentation. If I use the docker way, then I will not be able to change the source code and test it out on my end, right? Will I have to build from source to work around this particular issue?

@Quentin-M
Contributor

Quentin-M commented May 25, 2016

Awesome, thanks @databus23 for the feedback on that. Your snippet doesn't show it but I assume that using ubuntu-cve-tracker doesn't work. I'll make the change, except if you want to do it?
@westlifezs: You don't need to do anything, we'll patch it.

databus23 added a commit to databus23/clair that referenced this issue May 25, 2016
Quentin-M pushed a commit that referenced this issue May 26, 2016
@Quentin-M
Contributor

Clair 1.2.2 was created to include this patch: https://github.com/coreos/clair/releases/tag/v1.2.2

@westlifezs
Author

I think my error still remains even with the latest image. I can still see the same error as last time. Could you please let me know how I can verify whether I am running the correct code?

Here is the error snippet:

```
updater/fetchers/ubuntu: could not branch Ubuntu repository: exit status 3. output: bzr: ERROR: Connection error: while sending POST /ubuntu-cve-tracker/.bzr/smart: [Errno 110] Connection timed out
```

Does anyone have any suggestions?

@Quentin-M
Contributor

Hi,

I just pushed v1.2.2 on Quay.io. Sorry for the delay.
I also have another upcoming PR to improve the error management within the Ubuntu fetcher.

@westlifezs
Author

Thanks. It seems like the Ubuntu fetcher issue goes away, but another error shows up, as mentioned in #192. Also, just as a reminder: you updated https://raw.githubusercontent.com/coreos/clair/master/config.example.yaml but it is not compatible with v1.2.2.
