Default Container Scanning job template fails - 401 Unauthorized
Summary
Container Scanning job consistently fails when using/including only the default template
https://gitlab.com/greg/container-scanning/-/jobs/449818330
Steps to reproduce
- Create a project with a minimal README.md and Dockerfile (example)
- Add or include the Container Scanning default job template
- container_scanning job fails
Example Project
https://gitlab.com/greg/container-scanning
Reproducible:
https://gitlab.com/greg/container-scanning/-/jobs/449818330
https://gitlab.com/greg/container-scanning/-/jobs/449948266
What is the current bug behavior?
Container Scanning Job fails with 401 Unauthorized
What is the expected correct behavior?
Container scanning job is successful:
https://gitlab.com/greg/container-scanning/-/jobs/449837798
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com (and self-managed running 12.6 and 12.7)
Results of container_scanning CI Job trace:
$ /container-scanner/start.sh
[INFO] ▶ GitLab klar analyzer v2.2.0
[WARN] ▶ Whitelist file with path '/builds/greg/container-scanning/clair-whitelist.yml' does not exist, skipping
[INFO] ▶ DOCKER_USER and DOCKER_PASSWORD environment variables have not been configured. Defaulting to DOCKER_USER=$CI_REGISTRY_USER and DOCKER_PASSWORD=$CI_REGISTRY_PASSWORD
[INFO] ▶ Successfully connected to the vulnerabilities database
[INFO] ▶ Started Clair server process with PID: 16
[INFO] ▶ Waiting for Clair API to start...
[WARN] ▶ Clair API not ready, waiting 2s before retrying. Retry 1 of 10
[WARN] ▶ Clair log contents: {"Event":"running database migrations","Level":"info","Location":"pgsql.go:216","Time":"2020-02-25 18:43:11.196705"}
[WARN] ▶ Clair log contents: {"Event":"database migration ran successfully","Level":"info","Location":"pgsql.go:223","Time":"2020-02-25 18:43:11.265322"}
[WARN] ▶ Clair log contents: {"Event":"notifier service is disabled","Level":"info","Location":"notifier.go:77","Time":"2020-02-25 18:43:11.266020"}
[WARN] ▶ Clair log contents: {"Event":"starting main API","Level":"info","Location":"api.go:52","Time":"2020-02-25 18:43:11.266286","port":6060}
[INFO] ▶ Clair API started successfully.
[INFO] ▶ Scanning container from registry 'registry.gitlab.com/greg/container-scanning/testbranch:8859b77ba6ec74ef8db412962af4afa7c6358edc' for vulnerabilities with severity level 'Unknown' or higher with klar '2.4.0' and clair 'v2.1.2'
[INFO] ▶ Shutting down Clair server with PID: 16
[INFO] ▶ Clair server shut down successfully
[ERRO] ▶ Error encountered while scanning container 'registry.gitlab.com/greg/container-scanning/testbranch:8859b77ba6ec74ef8db412962af4afa7c6358edc':
----> HTTP REQUEST:
GET /v2/greg/container-scanning/testbranch/manifests/8859b77ba6ec74ef8db412962af4afa7c6358edc HTTP/1.1
Host: registry.gitlab.com
Accept: application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+prettyjws
Authorization: [REDACTED]
<---- HTTP RESPONSE:
HTTP/1.1 401 Unauthorized
Content-Length: 177
Content-Type: application/json; charset=utf-8
Date: Tue, 25 Feb 2020 18:43:13 GMT
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://gitlab.com/jwt/auth",service="container_registry",scope="repository:greg/container-scanning/testbranch:pull"
X-Content-Type-Options: nosniff
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"greg/container-scanning/testbranch","Action":"pull"}]}]}
----> HTTP REQUEST:
GET /v2/greg/container-scanning/testbranch/manifests/8859b77ba6ec74ef8db412962af4afa7c6358edc HTTP/1.1
Host: registry.gitlab.com
Accept: application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+prettyjws
Authorization: [REDACTED]
<---- HTTP RESPONSE:
HTTP/1.1 401 Unauthorized
Content-Length: 177
Content-Type: application/json; charset=utf-8
Date: Tue, 25 Feb 2020 18:43:13 GMT
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://gitlab.com/jwt/auth",service="container_registry",scope="repository:greg/container-scanning/testbranch:pull"
X-Content-Type-Options: nosniff
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"greg/container-scanning/testbranch","Action":"pull"}]}]}
----> HTTP REQUEST:
GET /v2/greg/container-scanning/testbranch/manifests/8859b77ba6ec74ef8db412962af4afa7c6358edc HTTP/1.1
Host: registry.gitlab.com
Accept: application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+prettyjws
Authorization: [REDACTED]
<---- HTTP RESPONSE:
HTTP/1.1 404 Not Found
Content-Length: 130
Content-Type: application/json; charset=utf-8
Date: Tue, 25 Feb 2020 18:43:13 GMT
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
{"errors":[{"code":"MANIFEST_UNKNOWN","message":"manifest unknown","detail":{"Tag":"8859b77ba6ec74ef8db412962af4afa7c6358edc"}}]}
Can't pull fsLayers
exit status 2
Uploading artifacts... 00:02
WARNING: gl-container-scanning-report.json: no matching files
ERROR: No files to upload
ERROR: Job failed: exit code 2