Cannot use trivy image command

mgnk · July 30, 2024, 3:10pm

I cound not use trivy image command in Labs - Trivy (CKS Course).

How can I use it?

controlplane ~ ➜  crictl pull python:3.10.0a4-alpine
Image is up to date for sha256:22e7339ee459415bf3d1100ee3977b882f0243e13b630f17384825b6ee645553

controlplane ~ ➜  trivy image --output /root/python_alpine.txt python:3.10.0a4-alpine
2024-07-30T11:09:45-04:00       INFO    Need to update DB
2024-07-30T11:09:45-04:00       INFO    Downloading DB...       repository="ghcr.io/aquasecurity/trivy-db:2"
50.29 MiB / 50.29 MiB [-----------------------------------------------------------------------------------------------------------------------------------] 100.00% 23.95 MiB p/s 2.3s
2024-07-30T11:09:47-04:00       INFO    Vulnerability scanning is enabled
2024-07-30T11:09:47-04:00       INFO    Secret scanning is enabled
2024-07-30T11:09:47-04:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-30T11:09:47-04:00       INFO    Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-30T11:09:47-04:00       FATAL   Fatal error     image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: unable to find the specified image "python:3.10.0a4-alpine" in ["docker" "containerd" "podman" "remote"]: 4 errors occurred:
        * docker error: unable to inspect the image (python:3.10.0a4-alpine): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
        * containerd error: image not found in containerd store: python:3.10.0a4-alpine
        * podman error: unable to initialize Podman client: no podman socket found: stat /run/user/0/podman/podman.sock: no such file or directory
        * remote error: GET https://index.docker.io/v2/library/python/manifests/sha256:0d1ae455589e18577f007f4700f40accde8618a337f421e925d25b26d3e8272e: TOOMANYREQUESTS: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

rob_kodekloud · July 31, 2024, 12:28pm

This was probably due to a problem with our using DockerHub. If so, this has now been fixed. Try it again and see if it works.

rob_kodekloud · July 31, 2024, 11:36pm

For now, trying doing the following before using trivy image:

export CONTAINERD_ADDRESS=/var/run/containerd/containerd.sock

mgnk · August 1, 2024, 1:21pm

I scan successfully at first time, but I couldn’t at second time.

controlplane ~ ➜  export CONTAINERD_ADDRESS=/var/run/containerd/containerd.sock

controlplane ~ ➜  trivy image docker.io/library/python:3.6.12-alpine3.11 -o python.txt --severity HIGH
2024-08-01T09:11:44-04:00       INFO    [vuln] Vulnerability scanning is enabled
2024-08-01T09:11:44-04:00       INFO    [secret] Secret scanning is enabled
2024-08-01T09:11:44-04:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-01T09:11:44-04:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-01T09:11:44-04:00       FATAL   Fatal error     image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: unable to find the specified image "docker.io/library/python:3.6.12-alpine3.11" in ["docker" "containerd" "podman" "remote"]: 4 errors occurred:
        * docker error: unable to inspect the image (docker.io/library/python:3.6.12-alpine3.11): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
        * containerd error: image not found in containerd store: docker.io/library/python:3.6.12-alpine3.11
        * podman error: unable to initialize Podman client: no podman socket found: stat /run/user/0/podman/podman.sock: no such file or directory
        * remote error: GET https://index.docker.io/v2/library/python/manifests/sha256:81c6b5d59c496ede0adb8894ac6546a8a708a0948e8ee4123b2ec47975bea18f: TOOMANYREQUESTS: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

rob_kodekloud · August 2, 2024, 1:40am

Just to make sure we are monitoring the correct lab, please give me a link to this lab; I’ll make sure it’s being tracked.

mgnk · August 2, 2024, 3:08pm

Thanks!
This is the link to the lab.
https://learn.kodekloud.com/user/courses/certified-kubernetes-security-specialist-cks/module/e4511664-185f-4204-9aa2-b4250cbadf84/lesson/43e9d2a7-8f3a-447d-ba9e-586ab14d165b

And there are same errors in mock exam 1 in CKS.
https://learn.kodekloud.com/user/courses/certified-kubernetes-security-specialist-cks/module/8d7f7d5b-47ad-496b-9a30-49eedc61f7fa/lesson/561a4ee8-06cb-4969-acd5-b974f25393ed

rob_kodekloud · August 2, 2024, 8:02pm

The first one appears to be fixed. The second is not fixed, but we know about it.

A work-around for now is to “pre-load” the images into your local store, by doing something like this

crictl pull IMAGE

for an image you want trivy to be able to find.

mgnk · August 3, 2024, 8:42am

I completed Labs successfully! Thank you for helping me!
https://learn.kodekloud.com/user/courses/certified-kubernetes-security-specialist-cks/module/e4511664-185f-4204-9aa2-b4250cbadf84/lesson/43e9d2a7-8f3a-447d-ba9e-586ab14d165b

mgnk · August 3, 2024, 9:55am

This Lab is not fixed yet. Could you fix it?
https://learn.kodekloud.com/user/courses/certified-kubernetes-security-specialist-cks/module/8d7f7d5b-47ad-496b-9a30-49eedc61f7fa/lesson/561a4ee8-06cb-4969-acd5-b974f25393ed

root@controlplane ~ ✖ env |grep CONTA
CONTAINERD_ADDRESS=//run/containerd/containerd.sock

root@controlplane ~ ➜  crictl pull docker.io/kodekloud/webapp-delayed-start:latest
Image is up to date for sha256:a292f6cde2ced3cd6787310481aeaffd1b77a14217c9c6c4086f2da1b3cb9725

root@controlplane ~ ➜  trivy image --severity CRITICAL docker.io/kodekloud/webapp-delayed-start:latest
2024-08-03T05:54:26-04:00       INFO    Vulnerability scanning is enabled
2024-08-03T05:54:26-04:00       INFO    Secret scanning is enabled
2024-08-03T05:54:26-04:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-03T05:54:26-04:00       INFO    Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-08-03T05:54:27-04:00       FATAL   Fatal error     image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: 4 errors occurred:
        * docker error: unable to inspect the image (docker.io/kodekloud/webapp-delayed-start:latest): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
        * containerd error: image not found in containerd store: docker.io/kodekloud/webapp-delayed-start:latest
        * podman error: unable to initialize Podman client: no podman socket found: stat /run/user/0/podman/podman.sock: no such file or directory
        * remote error: GET https://index.docker.io/v2/kodekloud/webapp-delayed-start/manifests/latest: TOOMANYREQUESTS: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit