Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

clairctl produces unauthorized URLs from private registries with s3 backend when generating a manifest #1264

Closed
hectorhuertas opened this issue May 11, 2021 · 0 comments · Fixed by #1266 · May be fixed by utilitywarehouse/clair#1
Closed

clairctl produces unauthorized URLs from private registries with s3 backend when generating a manifest #1264

hectorhuertas opened this issue May 11, 2021 · 0 comments · Fixed by #1266 · May be fixed by utilitywarehouse/clair#1

Comments

@hectorhuertas
Copy link
Contributor

Description of Problem / Feature Request

When generating a manifest from an image in a private registry backed by s3, the URIs of the layers are wrongly signed and thus cannot be fetched from clair when generating a report.

The issue seems produced by the fact that clairctl does a HEAD request and then uses the generated URLs as valid to access the layers (https://github.com/quay/clair/blob/main/cmd/clairctl/manifest.go#L139-L154), but in the case of private s3 registries, the signed URLs generated are only valid for HEAD requests, and the GET requests done by clair later to fetch the layers result in 403 Forbidden

To confirm that this is the issue, I've built clairctl using http.MethodGet in https://github.com/quay/clair/blob/main/cmd/clairctl/manifest.go#L139z, and the generated URLs in this case do work later in clair, since they are signed for GET requests

Expected Outcome

clairctl manifest <repo>'s URIs can be used to fetch the layers

clairctl report <repo> ends with <repo> ok

Actual Outcome

clairctl manifest <repo>'s URIs produce (redacted):

<Error>
  <Code>SignatureDoesNotMatch</Code>
  <Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
  <AWSAccessKeyId>AKIAIVQ4DXXXXXXXXXXQ</AWSAccessKeyId>
  <StringToSign>AWS4-HMAC-SHA256 20210511T120713Z 20210511/eu-west-1/s3/aws4_request 2db458f424fa85064bd6c4430dce0b89b4db223a19662a9061edd4d9c5bcc429</StringToSign>
  <SignatureProvided>c9003cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX622ca</SignatureProvided>
  <StringToSignBytes> 32 XXXXXX 39</StringToSignBytes>
  <CanonicalRequest>GET /docker/registry/v2/blobs/sha256/54/54fec2fa59d0a0de9cd2dec9850b36c43de451f1fd1c0a5bf8f1cf26a61a5da4/data X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXXXXXXXXXXXXZQ%XXXXXXXXXXXX11%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20210511T120713Z&X-Amz-Expires=1200&X-Amz-SignedHeaders=host host:registry.s3.eu-west-1.amazonaws.com host UNSIGNED-PAYLOAD</CanonicalRequest>
  <CanonicalRequestBytes>47 4 4c XXXXXXXXXXXXXX 4f 41 44</CanonicalRequestBytes>
  <RequestId>15XXXXXXXXXX12</RequestId>
  <HostId>XMCXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXWKc=</HostId>
</Error>

clairctl -D manifest <repo>'s URIs produce (redacted):

debug: 2021/05/11 13:15:59 myregistry.com/system/clair-test:random: fetching
debug: 2021/05/11 13:15:59 using text output
debug: 2021/05/11 13:16:00 myregistry.com/system/clair-test:random: manifest: sha256:a11b0718fc0087c227335a0bf8b99371ef41921e1d3dc5c252819f9f11aa1afb
debug: 2021/05/11 13:16:00 GET /indexer/api/v1/index_report/sha256:a11b0718fc0087c227335a0bf8b99371ef41921e1d3dc5c252819f9f11aa1afb: 404 Not Found
debug: 2021/05/11 13:16:00 need to post manifest sha256:a11b0718fc0087c227335a0bf8b99371ef41921e1d3dc5c252819f9f11aa1afb
debug: 2021/05/11 13:16:00 don't have needed manifest sha256:a11b0718fc0087c227335a0bf8b99371ef41921e1d3dc5c252819f9f11aa1afb
debug: 2021/05/11 13:16:00 myregistry.com/system/clair-test:random: found manifest sha256:a11b0718fc0087c227335a0bf8b99371ef41921e1d3dc5c252819f9f11aa1afb
debug: 2021/05/11 13:16:00 myregistry.com/system/clair-test:random: found 1 layers
debug: 2021/05/11 13:16:01 GET /indexer/api/v1/index_report/sha256:a11b0718fc0087c227335a0bf8b99371ef41921e1d3dc5c252819f9f11aa1afb: 404 Not Found
debug: 2021/05/11 13:16:01 need to post manifest sha256:a11b0718fc0087c227335a0bf8b99371ef41921e1d3dc5c252819f9f11aa1afb
debug: 2021/05/11 13:16:01 POST /indexer/api/v1/index_report: 201 Created
debug: 2021/05/11 13:16:01 myregistry.com/system/clair-test:random: index error: indexer error: failed to fetch layers: encountered error while fetching a layer: fetcher: unexpected status code: 403 403 Forbidden
2021/05/11 13:16:01 indexer error: failed to fetch layers: encountered error while fetching a layer: fetcher: unexpected status code: 403 403 Forbidden

Environment

  • Clair version/image: v4.0.5
  • Clair client name/version: clairctl v4.0.5
  • Host OS: Flatcar Container Linux by Kinvolk stable (2765.2.3)
  • Kernel (e.g. uname -a): 5.10.32-flatcar
  • Kubernetes version (use kubectl version): v1.21.0
  • Network/Firewall setup: -
hectorhuertas added a commit to utilitywarehouse/clair that referenced this issue May 11, 2021
@hectorhuertas
clairctl: add support for s3 registries using V4
97cdbd7 
S3 signature V4 includes the http method on the signature. To create
URLs that clair can use to fetch layers, clairctl needs to make GET
calls instead of HEAD ones

Fixes quay#1264
This was referenced May 11, 2021
Open
Merged
hectorhuertas added a commit to utilitywarehouse/clair that referenced this issue May 11, 2021
@hectorhuertas
clairctl: add support for s3 registries using V4
e534873 
S3 signature V4 includes the http method on the signature. To create
URLs that clair can use to fetch layers, clairctl needs to make GET
calls instead of HEAD ones

Fixes quay#1264

Signed-off-by: Hector Huertas <hectorhuertas@gmail.com>
hectorhuertas added a commit to utilitywarehouse/clair that referenced this issue May 12, 2021
@hectorhuertas
Use a GET requests for our private registry
77dd90c 
To avoid wrongly signed URLs, more info
in quay#1264
hectorhuertas added a commit to utilitywarehouse/clair that referenced this issue May 12, 2021
@hectorhuertas
Use a GET requests for our private registry
d34d44d 
To avoid wrongly signed URLs, more info
in quay#1264
hectorhuertas added a commit to utilitywarehouse/clair that referenced this issue May 13, 2021
@hectorhuertas
Use a GET requests for our private registry
1f6f402 
To avoid wrongly signed URLs, more info
in quay#1264
This was referenced May 13, 2021
Closed
Merged
hectorhuertas added a commit to utilitywarehouse/clair that referenced this issue May 13, 2021
@hectorhuertas
clairctl: add support for s3 registries using V4
a97a02b 
S3 signature V4 includes the http method on the signature. To create
URLs that clair can use to fetch layers, clairctl needs to make GET
calls instead of HEAD ones

Fixes quay#1264

Signed-off-by: Hector Huertas <hectorhuertas@gmail.com>
hectorhuertas added a commit to utilitywarehouse/clair that referenced this issue May 13, 2021
@hectorhuertas
clairctl: add support for s3 registries using V4
8a8707b 
S3 signature V4 includes the http method on the signature. To create
URLs that clair can use to fetch layers, clairctl needs to make GET
calls instead of HEAD ones

Fixes quay#1264

Signed-off-by: Hector Huertas <hectorhuertas@gmail.com>
hectorhuertas added a commit to utilitywarehouse/clair that referenced this issue May 14, 2021
@hectorhuertas
clairctl: add support for s3 registries using V4
8b4064b 
S3 signature V4 includes the http method on the signature. To create
URLs that clair can use to fetch layers, clairctl needs to make GET
calls instead of HEAD ones

Fixes quay#1264

Signed-off-by: Hector Huertas <hectorhuertas@gmail.com>
hdonnay pushed a commit that referenced this issue May 14, 2021
@hectorhuertas @hdonnay
clairctl: add support for s3 registries using V4
45538e0 
S3 signature V4 includes the http method on the signature. To create
URLs that clair can use to fetch layers, clairctl needs to make GET
calls instead of HEAD ones

Fixes #1264

Signed-off-by: Hector Huertas <hectorhuertas@gmail.com>
hdonnay pushed a commit to hdonnay/clair that referenced this issue Jun 1, 2021
@hectorhuertas @hdonnay
clairctl: add support for s3 registries using V4
f745d45 
S3 signature V4 includes the http method on the signature. To create
URLs that clair can use to fetch layers, clairctl needs to make GET
calls instead of HEAD ones

Fixes quay#1264

Signed-off-by: Hector Huertas <hectorhuertas@gmail.com>
hdonnay pushed a commit to hdonnay/clair that referenced this issue Jun 1, 2021
@hectorhuertas @hdonnay
clairctl: add support for s3 registries using V4
343e7da 
S3 signature V4 includes the http method on the signature. To create
URLs that clair can use to fetch layers, clairctl needs to make GET
calls instead of HEAD ones

Fixes quay#1264

Signed-off-by: Hector Huertas <hectorhuertas@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
1 participant
@hectorhuertas