
We are running clair and clair-db containers in the same fargate task. Below is a snippet of our task definition.

{
    "family": "clair",
    "networkMode": "awsvpc",
    "containerDefinitions": [
        {
            "name": "db",
            "image": "<REPO_URL>/clairdb:v1.0",
            "essential": true,
            "command": [
                "sh",
                "-c",
                "echo clair db runs"
            ],
            "portMappings": [
                {
                    "containerPort": 5432,
                    "hostPort": 5432,
                    "protocol": "tcp"
                }
            ],
        },
        {
            "name": "clair",
            "image": "<REPO_URL>/clair:v1.0",
            "essential": true,
            "command": [
                "sh",
                "-c",
                "echo clair runs"
            ],
            "portMappings": [
                {
                    "containerPort": 6060,
                    "hostPort": 6060,
                    "protocol": "tcp"
                }
            ]
        }
    ]
}

As per the AWS fargate docs, localhost can be used to communicate between these two containers of a single task in awsvpc mode. We have given the below option in Clair config.yaml

clair:
  database:
    type: pgsql
    options:
      source: host=localhost port=5432 user=postgres password=xxxx sslmode=disable statement_timeout=60000

So as per this, clair should ideally be able to link to the clair-db container running on localhost:5432 on the same network. Clair-db container is running fine in fargate, but clair container is failing with the below logs:

{"Event":"pgsql: could not open database: dial tcp 127.0.0.1:5432: connect: connection refused","Level":"fatal","Location":"main.go:97","Time":"2021-03-23 13:26:38.737437"}

In docker terms, this is how we link these two containers:

docker run -p 5432:5432 -d --name db arminc/clair-db:2017-05-05
docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.0-rc.0

Are we missing anything here? Any idea why connection to localhost isn't working in fargate containers for clair?

  • Could it be that you are overriding the Dockerfile `CMD` entry that starts the db with your `command` statement in the task def? – mreferre Mar 24 '21 at 08:29
  • Also, maybe you are not using ECR or maybe you are building something specific but [ECR supports image scanning](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html) out of the box (and it uses `clair` to do so). – mreferre Mar 24 '21 at 08:31
  • Thanks @mreferre. We removed the `command` section from fargate task def. The `clair-db` pod is now giving correct logs. But `clair` pod is still not able to establish connection to `clair-db` over `localhost`. Also, we are not using ECR for now. We are only using the official clair images and pushed them to our gitlab registry. – Meghana B Srinath Mar 26 '21 at 06:14
  • Interesting. Communicating over localhost should be (actually is) allowed so not sure where it's breaking. I suspect there is still something that gets in the way in your config but I can't tell why. I'd suggest to configure [ECS Exec](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html) and get a shell in your `clair` pod and try to debug it from there. – mreferre Mar 26 '21 at 08:15
  • Oh, of course the same comment re the `CMD` override would be true for the `clair` container. – mreferre Mar 26 '21 at 08:16
  • Thanks @mreferre. We are also looking at service discovery option to see if we can get this working. – Meghana B Srinath Apr 03 '21 at 06:57
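The comments converge on two things a reviewer would check in a task definition like the one above: a `command` entry replaces the image's CMD outright (so an `echo` never starts postgres or clair), and in awsvpc mode every container in the task shares one network interface, so `localhost` is the right host but port numbers must not collide and the database must already be listening when clair dials it. The following lint is an added example, not code from the question or from the Clair or ECS projects; it embeds a constructed copy of the posted task definition and the posted `source` string, parses the libpq connection string, and reports the override, port-collision, loopback-host and missing `dependsOn` conditions. The helper names (`lint_task_def`, `parse_pg_source`, `without_commands`) are this example's own.

```python
import copy
import json
import shlex

# Constructed sample: a trimmed copy of the task definition from the question,
# including the `command` overrides that the comments suspect.
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "clair",
  "networkMode": "awsvpc",
  "containerDefinitions": [
    {"name": "db", "image": "<REPO_URL>/clairdb:v1.0", "essential": true,
     "command": ["sh", "-c", "echo clair db runs"],
     "portMappings": [{"containerPort": 5432, "hostPort": 5432, "protocol": "tcp"}]},
    {"name": "clair", "image": "<REPO_URL>/clair:v1.0", "essential": true,
     "command": ["sh", "-c", "echo clair runs"],
     "portMappings": [{"containerPort": 6060, "hostPort": 6060, "protocol": "tcp"}]}
  ]
}
""")

# The `source` value from the posted config.yaml (password elided as in the post).
CLAIR_PG_SOURCE = ("host=localhost port=5432 user=postgres password=xxxx "
                   "sslmode=disable statement_timeout=60000")

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_pg_source(source: str) -> dict:
    """Parse a libpq-style 'key=value key=value' connection string into a dict."""
    return dict(kv.split("=", 1) for kv in shlex.split(source))


def without_commands(task_def: dict) -> dict:
    """Copy of the task definition with every `command` override removed."""
    fixed = copy.deepcopy(task_def)
    for c in fixed["containerDefinitions"]:
        c.pop("command", None)
    return fixed


def lint_task_def(task_def: dict, pg_source: str,
                  db_container: str = "db", app_container: str = "clair") -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if task_def.get("networkMode") != "awsvpc":
        findings.append("networkMode is not awsvpc; localhost between containers needs awsvpc")

    seen_ports = {}   # containerPort -> container name (one ENI per task in awsvpc)
    db_ports = set()
    for c in task_def.get("containerDefinitions", []):
        name = c["name"]
        cmd = c.get("command")
        if cmd:
            # `command` replaces the image CMD entirely. A `sh -c "echo ..."`
            # override therefore runs echo and exits; the real process never starts.
            if cmd[0] in ("sh", "bash") and "-c" in cmd and cmd[-1].lstrip().startswith("echo"):
                findings.append(f"{name}: command override only runs echo and replaces the "
                                f"image CMD, so the real process never starts")
            else:
                findings.append(f"{name}: command override replaces the image CMD; "
                                f"confirm it still starts the service")
        for pm in c.get("portMappings", []):
            port = int(pm["containerPort"])
            if port in seen_ports:
                findings.append(f"{name}: port {port} already bound by {seen_ports[port]}; "
                                f"awsvpc containers share one ENI")
            seen_ports[port] = name
            if name == db_container:
                db_ports.add(port)
        if name == app_container:
            # Without a dependency, clair may dial postgres before it listens
            # and log exactly the "connection refused" seen in the question.
            deps = {d.get("containerName") for d in c.get("dependsOn", [])}
            if db_container not in deps:
                findings.append(f"{name}: no dependsOn for {db_container}; it may start "
                                f"before postgres listens (connection refused)")

    dsn = parse_pg_source(pg_source)
    host = dsn.get("host", "localhost")
    port = int(dsn.get("port", 5432))
    if host not in LOOPBACK:
        findings.append(f"{app_container} source host={host}; same-task containers are "
                        f"reached via localhost in awsvpc mode")
    if port not in db_ports:
        findings.append(f"{app_container} source port={port} but {db_container} "
                        f"exposes {sorted(db_ports)}")
    return findings


if __name__ == "__main__":
    for label, td in (("as posted", SAMPLE_TASK_DEF),
                      ("command removed", without_commands(SAMPLE_TASK_DEF))):
        print(f"== {label}")
        for msg in lint_task_def(td, CLAIR_PG_SOURCE) or ["no findings"]:
            print(" -", msg)
```

Run it against your own exported task definition (`json.load` the file in place of `SAMPLE_TASK_DEF`). On the posted definition it flags both `echo` overrides and the missing `dependsOn`; with the `command` entries removed, only the start-order finding remains, which is the next thing to rule out when the refused connection persists. A `dependsOn` entry with `condition: HEALTHY` needs a `healthCheck` on the db container, otherwise `START` only guarantees the process was launched, not that postgres is accepting connections.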

0 Answers