def scan(self, image, scan_args):
'''
Wrapper function for basic security scans using
openscap
'''
mnt_dir = self._ensure_mnt_dir()
# Mount the temporary image/container to the dir
DM = DockerMount(mnt_dir, mnt_mkdir=True)
try:
_tmp_mnt_dir = DM.mount(image)
except MountError as e:
sys.stderr.write(str(e) + "\n")
return None
try:
chroot = self._find_chroot_path(_tmp_mnt_dir)
# Scan the chroot
scan_result = self.helper._scan(chroot, image, scan_args)
print(scan_result.stdout)
print(scan_result.stderr, file=sys.stderr)
finally:
# Clean up
self.helper._cleanup_by_path(_tmp_mnt_dir, DM)
self._remove_mnt_dir(mnt_dir)
return scan_result.returncode
def build_rpm_for_docker_backend(image, name, temp_dir, labels):
"""
build rpm package for specified docker image
:param image, instance of Atomic.objects.image.Image
:param name, str, name of the associated container
:param temp_dir: str, directory where all the data will be processed
:param labels: dict, these labels come from container image
:return: instance of StandaloneContainerInstallation
"""
from Atomic.mount import DockerMount, MountContextManager
mount_path = os.path.join(temp_dir, "mountpoint")
destination = os.path.join(temp_dir, "system_rpm")
os.makedirs(destination)
os.makedirs(mount_path)
dm = DockerMount(mount_path)
cm = MountContextManager(dm, image.id)
with cm:
# if we are on devicemapper, the path to container is <mount_point>/hostfs/
dm_candidate_path = os.path.join(cm.mnt_path, "rootfs")
if os.path.exists(dm_candidate_path):
exports_dir = os.path.join(dm_candidate_path, "exports")
else:
exports_dir = os.path.join(cm.mnt_path, "exports")
r = RPMHostInstall.generate_rpm(
name, image.id, labels, exports_dir, destination)
return ContainerInstallation(r[0], r[1], r[2])
def scan_cve(self, image, scan_args):
'''
Wrapper function for scanning a container or image
'''
# Mount the temporary image/container to the dir
DM = DockerMount(self.mnt_dir, mnt_mkdir=True)
_tmp_mnt_dir = DM.mount(image)
# Remeber actual mounted fs in 'rootfs'
chroot = os.path.join(_tmp_mnt_dir, 'rootfs')
# Figure out which RHEL dist is in the chroot
dist = self.helper._get_dist(chroot)
# Fetch the CVE input data for the dist
fetch = getInputCVE(self.tmp_dir)
# TODO
# This should probably be in a try/except
fetch._fetch_single(dist)
# Scan the chroot
sys.stdout.write(self.helper._scan_cve(chroot, dist, scan_args))
# Clean up
self.helper._cleanup_by_path(_tmp_mnt_dir)
def scan(self, image, scan_args):
'''
Wrapper function for basic security scans using
openscap
'''
mnt_dir = self._ensure_mnt_dir()
# Mount the temporary image/container to the dir
DM = DockerMount(mnt_dir, mnt_mkdir=True)
try:
_tmp_mnt_dir = DM.mount(image)
except MountError as e:
sys.stderr.write(str(e) + "\n")
return None
# Remeber actual mounted fs in 'rootfs'
chroot = os.path.join(_tmp_mnt_dir, 'rootfs')
# Scan the chroot
sys.stdout.write(self.helper._scan(chroot, scan_args))
# Clean up
self.helper._cleanup_by_path(_tmp_mnt_dir)
self._remove_mnt_dir(mnt_dir)
def scan(self, image, scan_args):
'''
Wrapper function for basic security scans using
openscap
'''
# Mount the temporary image/container to the dir
DM = DockerMount(self.mnt_dir, mnt_mkdir=True)
_tmp_mnt_dir = DM.mount(image)
# Remeber actual mounted fs in 'rootfs'
chroot = os.path.join(_tmp_mnt_dir, 'rootfs')
# Scan the chroot
sys.stdout.write(self.helper._scan(chroot, scan_args))
# Clean up
self.helper._cleanup_by_path(_tmp_mnt_dir)
def _cleanup_by_path(self, path):
'''
Cleans up the mounted chroot by umounting it and
removing the temporary directory
'''
# Sometimes when this def is called, path will have 'rootfs'
# appended. If it does, strip it and proceed
_no_rootfs = os.path.dirname(path) if os.path.basename(path) == \
'rootfs' else path
DM = DockerMount("/tmp")
# umount chroot
DM.unmount_path(_no_rootfs)
# clean up temporary container
DM._clean_temp_container_by_path(_no_rootfs)
os.rmdir(_no_rootfs)
def scan_cve(self, image, scan_args):
'''
Wrapper function for scanning a container or image
'''
mnt_dir = self._ensure_mnt_dir()
# Mount the temporary image/container to the dir
DM = DockerMount(mnt_dir, mnt_mkdir=True)
try:
_tmp_mnt_dir = DM.mount(image)
except MountError as e:
sys.stderr.write(str(e) + "\n")
return None
try:
chroot = self._find_chroot_path(_tmp_mnt_dir)
# Figure out which RHEL dist is in the chroot
name, conf = self.helper._get_target_name_and_config(image)
dist = get_dist(chroot, self.helper.oscap_binary,
conf.get("Env", []) or [])
if dist is None:
sys.stderr.write("{0} is not based on RHEL\n".format(image))
return None
# Fetch the CVE input data for the dist
fetch = getInputCVE(self.tmp_dir)
fetch._fetch_single(dist)
# Scan the chroot
scan_result = self.helper._scan_cve(chroot, image, dist, scan_args)
print(scan_result.stdout)
print(scan_result.stderr, file=sys.stderr)
finally:
# Clean up
self.helper._cleanup_by_path(_tmp_mnt_dir, DM)
self._remove_mnt_dir(mnt_dir)
return scan_result.returncode
def __init__(self, image_uuid, con_uuids, output, appc):
self.image_name = image_uuid
self.ac = appc
self.CVEs = collections.namedtuple(
'CVEs', 'title, severity,'
'cve_ref_id, cve_ref_url,'
'rhsa_ref_id, rhsa_ref_url')
self.list_of_CVEs = []
self.con_uuids = con_uuids
self.output = output
self.report_dir = os.path.join(self.ac.workdir, "reports")
if not os.path.exists(self.report_dir):
os.mkdir(self.report_dir)
start = time.time()
self.DM = DockerMount("/tmp", mnt_mkdir=True)
self.dm_results = self.DM.mount(image_uuid)
logging.debug("Created scanning chroot in {0}"
" seconds".format(time.time() - start))
self.dest = self.dm_results
def scan_cve(self, image, scan_args):
'''
Wrapper function for scanning a container or image
'''
mnt_dir = self._ensure_mnt_dir()
# Mount the temporary image/container to the dir
DM = DockerMount(mnt_dir, mnt_mkdir=True)
try:
_tmp_mnt_dir = DM.mount(image)
except MountError as e:
sys.stderr.write(str(e) + "\n")
return None
# Remeber actual mounted fs in 'rootfs'
chroot = os.path.join(_tmp_mnt_dir, 'rootfs')
try:
# Figure out which RHEL dist is in the chroot
dist = self.helper._get_dist(chroot)
if dist is None:
sys.stderr.write("{0} is not based on RHEL\n".format(image))
return None
# Fetch the CVE input data for the dist
fetch = getInputCVE(self.tmp_dir)
fetch._fetch_single(dist)
# Scan the chroot
sys.stdout.write(self.helper._scan_cve(chroot, dist, scan_args))
finally:
# Clean up
self.helper._cleanup_by_path(_tmp_mnt_dir)
self._remove_mnt_dir(mnt_dir)
