Running tern with podman returns cert error

[muzammil786]

How can we run turnd analysis using podman. I tried by creating the podman socket and using the command below:

sudo podman run --privileged --device /dev/fuse -v /run/podman/podman.sock:/var/run/docker.sock:z --rm ternd report -i python:3.9-slim-buster > output.txt
But it got errors like:

2021-11-23 18:19:10,954 - DEBUG - rootfs - Running command: unshare -pf --mount-proc=/root/.tern/temp/mergedir/proc chroot /root/.tern/temp/mergedir  -c export PYTHON_GET_PIP_SHA256="c518250e91a70d7b20cceb15272209a4ded2a0c263ae5776f129e0d9b5674309" && export PYTHON_GET_PIP_URL="https://github.com/pypa/get-pip/raw/3cb8888cc2869620f57d5d2da64da38f516078c7/public/get-pip.py" && export PYTHON_SETUPTOOLS_VERSION="57.5.0" && export PYTHON_PIP_VERSION="21.2.4" && export PYTHON_VERSION="3.9.9" && export GPG_KEY="E3FF2839C048B25C084DEBE9B26995E310250568" && export LANG="C.UTF-8" && export PATH="/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" && pkgs=`dpkg-query -W -f '${Package}
'` && for p in $pkgs; do /bin/cat /usr/share/doc/$p/copyright; echo LICF; done
2021-11-23 18:19:10,973 - ERROR - rootfs - Command failed. chroot: failed to run command ‘’: No such file or directory

[nishakm]

At this time, tern relies on docker to pull images, but we are moving away from that. Meanwhile, you can try using the --live option on a running podman container like this:

mnt=`podman mount <container>`
tern report --live $mnt

I have a reference of how this works here: https://github.com/vmware-samples/containers-with-sboms/blob/main/base_container.sh

[nishakm]

@muzammil786 We made a release recently that removed docker as a dependency for analyzing container images. Try:
sudo podman run --rm ternd report -i python:3.9-slim-buster > output.txt after rebuilding the new Dockerfile

[muzammil786]

@nishakm
I have got certificate validation error:

2022-01-06 11:27:58,117 - ERROR - skopeo - Error when downloading image: "b'time="2022-01-06T11:27:58Z" level=fatal msg="Error initializing source docker://<redact>: error pinging docker registry <private registry>: Get \\"https://<private registry>/v2/\\": x509: certificate signed by unknown authority"\n'"
How to send src-tls-verify=false option to skopeo or mount the cert dir? Is there any env variable I can pass to ignore cert validation?

[nishakm]

@muzammil786 not at this time. We can probably modify the Dockerfile to create a volume mount. Or podman perhaps has some way of enabling this. I will take a look.

[muzammil786]

@nishakm Thanks. I have sorted this out by adding my registry into the base image.

COPY registries.conf /etc/containers/registries.conf

This line in the docker/Dockerfile helped me sail for now :-)

[nishakm]

I am not able to reproduce this error when running sudo podman run --privileged --rm tern report -i python:3.9-slim-buster. At this time, running podman as root and using --privileged is the only way to get around the permission issues when creating device nodes (see #1115 ). I will close this issue.