Container image shows configuration vulnerability with openssh server package - ibm-cloud

One of my images in registry shows this configuration issue:
Security Practice
SSH server package, openssh-server of version (none):7.4p1-21.el7, found.
How to Resolve
checking if ssh server is installed
But I am not sure what exactly this means. We do install the 7.4p1-21.el7 version. Does this suggest to upgrade? The resolution is not very clear.

The reason you are seeing this issue in the report is because it is not a good practice to install SSH in containers.
However, if you do require SSH you can create an exemption for this check so that this issue will no longer be flagged against the image in the report.
You can either do this with the IBM Cloud Container Registry (cr) command line with the command
ibmcloud cr exemption-add --help
or through the UI by clicking on the action menu (three vertical dots) next to the configuration issue --> Create exemption.
For more information on setting exemption policy, check the documentation here
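
What a "checking if ssh server is installed" test amounts to, as an added sketch that is not IBM's scanner code and not part of the original answer. The package list is a constructed sample, the list of SSH server package names is an assumption, and reading "(none)" in the report as rpm's placeholder for an unset epoch (so the finding is about presence, not an outdated version) is an interpretation of the report string.

```shell
#!/bin/sh
# Constructed sample: what this rpm query might print inside a CentOS 7 image
#   rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
SAMPLE_PKGS='bash (none):4.2.46-34.el7
openssh (none):7.4p1-21.el7
openssh-server (none):7.4p1-21.el7
openssl-libs 1:1.0.2k-19.el7'

# Package names treated as "an SSH server is installed" (assumed list).
SSH_SERVER_PKGS='openssh-server dropbear'

# find_ssh_server: reads "name epoch:version-release" lines on stdin and
# prints one line per SSH server package found.
# Exit status: 0 if at least one was found, 1 if the list is clean.
find_ssh_server() {
    fss_status=1
    while read -r fss_name fss_evr; do
        [ -n "$fss_name" ] || continue
        case " $SSH_SERVER_PKGS " in
            *" $fss_name "*)
                # Split epoch:version-release; rpm prints "(none)" when
                # the package has no epoch, which compares as epoch 0.
                fss_epoch=${fss_evr%%:*}
                if [ "$fss_epoch" = "(none)" ]; then
                    fss_epoch=0
                fi
                printf '%s epoch=%s version-release=%s\n' \
                    "$fss_name" "$fss_epoch" "${fss_evr#*:}"
                fss_status=0
                ;;
        esac
    done
    return "$fss_status"
}

# Stand-alone run against the constructed sample. In a real image build the
# input would come from the rpm query shown at the top.
if printf '%s\n' "$SAMPLE_PKGS" | find_ssh_server; then
    echo "SSH server present: remove the package or record an exemption"
fi
```

The plain openssh package (client and shared files) is deliberately not matched; only the server package triggers the finding.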

Related

`gcloud run deploy` raises "Revision <revision_name> is not ready and cannot serve traffic."

Command
gcloud run deploy api --region=$REGION --image=$IMAGE
Logs
Deploying container to Cloud Run service [api] in project [[MASKED]] region [[MASKED]]
Deploying...
Creating Revision...........interrupted
Deployment failed
ERROR: (gcloud.run.deploy) Revision [[MASKED]] is not ready and cannot serve traffic.
I've tried to search Google Cloud documentation, but it does not mention such a problem.
How to solve the "Revision is not ready and cannot serve traffic."?
Try to wait a few minutes and then just re-launch the procedure. The good old "let's retry without changing anything" worked for me! :)
EDIT: I talked with a Cloud Architect who works with me and he told me that this is the actual solution, because if you retry too quickly to restart the deploy, GCP may still have some pending operations from the previous one!
I faced the same error in Cloud Run after getting the container working correctly locally. In my case the revisions weren't showing as failing, they had a grey checkmark
and when hovering I got the message
The revision is healthy but not currently serving traffic.
I just needed to click Manage Traffic and set 100% of the traffic to a new revision
I faced this problem as well. In my case I checked "Cloud Run" section from hamburger menu of google cloud console. The "Logs" section should give you more idea about what went wrong. I was missing a python library, and adding correct python dependency in my requirements.txt solved the issue for me. Somehow my local testing went well without this issue. I hope this helps. :)
I faced this problem. My problem was that my Docker image was missing a required dependency package at the build stage; my Dockerfile missed some steps to copy required files for preparing to install the package.
To find your problem, if the Cloud Build logs do not make sense to you, I think you should:
From gcloud console, go to service "Container Registry" > Images
Select your repository name
From the image version (maybe latest) that you want to check > more actions > show pull command > then copy that command ex: docker pull gcr.io/..
From gcloud console header > select activate cloud shell
At cloud shell terminal, pull docker images of your latest build by running "pull command" that you copied before.
Start your container from this image to see what exactly happens with your run revision

GCR Cloud Run says "Image [name] not found"

I'm trying to take my first baby steps with podman (instead of Docker) and Google Cloud Run. I've managed to build an image with a gcr.io tag and push it to Google. I then create a new service, and I can select the image in the "Select Image URL" pop-up dialog. But then the service fails to start, saying "Image [full name] not found".
I can't find anything on Google's support pages, or anywhere else. I can pull the image, I can push new versions, and they appear on the pop-up dialog. But the service still reports that they can't be found.
What am I doing wrong?
Edit in answer to DazWilkin's questions below:
Can you run the podman-created container locally using Docker?
I can't run Docker locally because it is not compatible with Fedora 31 (hence podman). But I can run it locally using podman run
Can you deploy a Docker-created container in Cloud Run?
As above: F31. However podman is supposed to be a drop-in replacement.
Is the container registry in the same project as Cloud Run?
Yes. I did have a problem with that, but I got a permissions message rather than "not found".
Have you tried deploying via gcloud rather than the console?
Yes.
$ podman push eu.gcr.io/my-project/hs-hello-world
Getting image source signatures
Copying blob c7f3d2e0289b done
Copying blob def7032cea8e done
Copying config f1c2e2615f done
Writing manifest to image destination
Storing signatures
$ gcloud run deploy --image eu.gcr.io/my-project/hs-hello-world --platform managed
Service name (hs-hello-world):
Deploying container to Cloud Run service [hs-hello-world] in project [my-project] region [europe-west1]
X Deploying... Image 'eu.gcr.io/my-project/hs-hello-world' not found.
X Creating Revision... Image 'eu.gcr.io/my-project/hs-hello-world' not found.
. Routing traffic...
Deployment failed
ERROR: (gcloud.run.deploy) Image 'eu.gcr.io/my-project/hs-hello-world' not found.
When I used a Google-built container it worked fine.
Update: 5 March 2020
In the end I just carried on with the Google build service, and it works fine. My initial wish for local builds was in large part because a build on Google was taking over half an hour (lots of Haskell libraries to import), but now I've figured out how to use staged builds and multi-processor VMs to avoid this. I appreciate the efforts of those who have tried to help, but right now it's not broke so I'm not going to try to fix it.
I had the same issue: it seems Cloud Run is picky about the kind of manifest it can pull.
By building my images with --format docker and pushing them with --remove-signatures (inspired by this issue), podman will create and push docker-style manifests to the Container Registry and everything ran smoothly!
Too bad I spent a lot of time thinking it was a lack of permissions problem
I had the same error. My issue was that I was using the docker/setup-buildx-action in a GitHub action. When this was removed, Cloud Run was happy with the resulting manifest / container image.
Thanks to #André-Breda for providing the direction.
I've been having the same issue today. I'm using buildah to create the new image. I realized that the image I used successfully yesterday was built as root. So I built the new one as root and pushed it successfully.
Wish I knew why. The images built as my username ran fine locally with rootless podman.

Has anyone tried the HLF 2.0 feature "External Builders and Launchers" and wants to get in touch?

I'm getting my way through the HLF 2.0 docs and would love to discuss and try out the new features "External Builders and Launchers" and "Chaincode as an external service".
My goal is to run HLF 2.0 on a K8s cluster (OpenShift). Does anyone want to get in touch, or has anyone already figured his way through?
Cheers from Germany
Also trying to use the ExternalBuilder. Setup core.yaml, rebuilt the containers to use it. I get an error that on "peer lifecycle chaincode install .tgz...", that the path to the scripts in core.yaml can not be found.
I've added volume bind commands in the peer-base.yaml, and in docker-compose-cli.yaml, and am using the first-network setup. Dropped out the part of the byfn.sh that would connect to the cli container, so that I do that part manually, do the create, join, update anchors successfully, and then try to do the install and fail. However, on the install, I'm failing on the /bin/detect, because it can't find that file to fork/exec it. To get that far, peer was able to read my external configuration, and read the core.yaml file. At the moment, trying the "mode: dev" in the core.yaml which seems to indicate that the scripts and the chaincode will be run "locally", which I think means it should run in the cli container. Otherwise, tried to walk the code to see how the docker containers are being created dynamically, and from what image, but haven't been able to nail that down yet.

Where can I download the OpenShift 4 CodeReady Containers VirtualBox crcbundle file?

I am trying to install Openshift4 locally on my computer and I am missing a file with the .crcbundle-extension. Could someone help me out on where to find this file or how to create it?
I am talking about the following project on github:
https://github.com/code-ready/crc#documentation
Cheers
You can download the latest crc binaries here
You also need a Red Hat developer account to run crc as it requires you to log in to https://cloud.redhat.com/openshift/install/crc/installer-provisioned to get a "pull secret" to deploy the cluster.
It appears that support for VirtualBox in CRC has been removed (Refs: 'crc setup -d virtualbox' - driver flag is ignored , https://github.com/code-ready/crc/issues/838 )
The link referenced by #nick doesn't provide the actual VirtualBox bundle file required. So far as I can tell, there does not appear to be any place to download the referenced VirtualBox bundle file.

Service 'MongoDB Server' (MongoDB) failed to start

I'm trying to install mongo DB on my local machine with the installer from the official website. But I'm continuously getting this message, can someone help?
I've tried the solution provided here but didn't help.
I suggest doing the following:
Hit Win+R to open up your run.exe, then inside of it enter services.msc to open up services. Try locating the service under the name of MongoDB Server and set the Startup Type manually to Automatic - [In addition to that, you could set the username and password manually. If you get a message saying the user was granted login as a service right, try hitting retry on the MSI dialog and see if it starts].
Important:
Don't forget to save and close everything (services.msc) before continuing.
Also very important, you should (must) check your .NET framework version and update it to version 4.5 and above. You could download a software like eg Driver Booster to update all of your drivers and additional components that are outdated.
I ran into the same issue. My problem was the installation location. I was trying to install under C:\MongoDB. I resolved it by installing in the default MongoDb location which is C:\Program Files\MongoDB.
For me this is usually an issue with the configuration file %ProgramFiles%\MongoDB\Server\x.x\bin\mongod.cfg
At some time there was an invalid option "snmp" enabled (only valid in enterprise version).
Nowadays, although the installer asks for directories for data and logs it doesn't ALWAYS seem to use these, but defaults to %MONGO_DATA_PATH% or %MONGO_LOG_PATH%, respectively. I don't know where these should be defined, but the server fails at accessing c:\data\db (which doesn't exist). So you have to correct the paths.
I also faced this kind of error. But I just changed the Network service to Local system in the Log On As tab.
Follow my step-by-step below to resolve it:
Press Win+R, type: services.msc, then look for MongoDB Server (MongoDB)
Double click on MongoDB Server (MongoDB).
Then it will open properties tab. On that tab click on Log On
After that check two items i.e. Local System account and Allow service to interact with desktop
After that press Apply and OK button. That's it, cheers!!
Open command prompt and copy the following command:-
"C:\Program Files\MongoDB\Server\4.2\bin\mongo.exe"
NOTE: This trick works on my Windows 8.1 PC.
Comment out string with mp: in configuration file: %ProgramFiles%\MongoDB\Server\x.x\bin\mongod.cfg
Like this:
...
#snmp:
#mp:
Press Windows+R, type lusrmgr.msc, go to Groups and double click Administrators, click Add, click Advanced and click Find Now. Double click on Network Service (in the bottom list) and click OK.
It worked for me.
Installing in locations other than the Windows directory caused me this error. Reinstalling the setup with the recommended method of "complete" fixed it.
The problem occurs if you have a Windows version previous to Windows 10.
Install the following update before installing MongoDB. Click on the link below.
https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows
It worked for me.
The problem occurs if you have a Windows version previous to Windows 7. Install the following update by going to the link below; you have to download
Windows6.1-KB2999226-x64.msu
You have to download and install it, then go to services.msc and start the MongoDB server with Start; also go into Log On and set it to local machine.
https://support.microsoft.com/en-us/help/2999226/update-for-universal-c-runtime-in-windows