I am trying to use a plugin in my EKS-based k8s cluster. I am using a GitHub Actions controller that spawns on-demand containers as self-hosted runners. When the GitHub Action starts, this plugin, or any other that needs to build itself as a Docker image, fails with the error below. Any thoughts or ideas? This is my self-hosted runner image: Link

FYI: If I run a standalone Alpine container in the cluster, all typical commands work, and this also works with the default Ubuntu-based self-hosted runner, so I don't think it's the cluster.

    /usr/local/bin/docker build -t 60e226:1b6fc15462134e6fb8520b7df48cf7fd -f  "/runner/_work/_actions/aquasecurity/trivy-action/master/Dockerfile"      "/runner/_work/_actions/aquasecurity/trivy-action/master"
    Sending build context to Docker daemon  644.6kB

    Step 1/5 : FROM ghcr.io/aquasecurity/trivy:0.37.1
    0.37.1: Pulling from aquasecurity/trivy
    c158987b0551: Pulling fs layer
    67a7d067ef7d: Pulling fs layer[6]Download complete
    67a7d067ef7d: Pull complete
    2ec1cdd48f38: Verifying Checksum
    2ec1cdd48f38: Download complete
    2ec1cdd48f38: Pull complete
    fe56e6aa700e: Pull complete
    Digest: sha256:7c167f7f3002948f1ec099555aa968bd8b8b097780603a38cc801fe965da0a69
    Status: Downloaded newer image for ghcr.io/aquasecurity/trivy:0.37.1
     ---> c3e68408cd24
    Step 2/5 : COPY entrypoint.sh /
     ---> 1f1da443ea86
    Step 3/5 : RUN apk --no-cache add bash curl npm
     ---> Running in 647f7f479cac
    fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
    48ABC73BEB7F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
    WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/main: Permission denied
    fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
    48ABC73BEB7F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
    WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/community: Permission denied
    ERROR: unable to select packages:
      bash (no such package):
        required by: world[bash]
      curl (no such package):
        required by: world[curl]
      npm (no such package):
        required by: world[npm]
    The command '/bin/sh -c apk --no-cache add bash curl npm' returned a non-zero code: 3
    Warning: Docker build failed with exit code 3, back off 6.807 seconds before retry.

It was expected to build the Docker image and proceed with the GitHub Actions workflow.

Tried different flavors of image and nothing worked except for ubuntu-latest.

The plugin in question:

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: 'test:latest'
        format: 'table'
        exit-code: '1'
        ignore-unfixed: true
        vuln-type: 'os,library'
        severity: 'CRITICAL,HIGH'
Ali
  • Please include your Dockerfile in your question. Thanks! – Azeem Feb 09 '23 at 16:54
  • Does this answer your question? [Docker: How to use bash with an Alpine based docker image?](https://stackoverflow.com/questions/40944479/docker-how-to-use-bash-with-an-alpine-based-docker-image) – Azeem Feb 09 '23 at 17:04
  • This is actually the plugin itself; we don't deploy or build it. It's like you add this to your GitHub Actions workflow and that triggers a Docker build. – Ali Feb 09 '23 at 17:09
  • One more thing: I am not trying to target this specific brand; it's for any plugin that you add to a workflow, it faces the same issue. – Ali Feb 09 '23 at 17:12
  • Right. It's using `ghcr.io/aquasecurity/trivy:0.37.1` which uses an older alpine version. I tried to reproduce the scenario with it and it failed with the same error i.e. `ERROR [2/2] RUN apk add --nocache bash curl npm`. Then, I added `apk update && apk add bash curl npm` and it built. From your perspective, it's a transitive dependency. You need to create an issue on the respective repo to get this fixed. Alternatively, you can build it on your own and plug that instead. – Azeem Feb 09 '23 at 17:21
  • Here's the Dockerfile that worked: `FROM ghcr.io/aquasecurity/trivy:0.37.1`, `RUN apk update && apk add bash curl npm`, and `CMD ["bash"]`. – Azeem Feb 09 '23 at 17:22
  • Here's their Dockerfile that fails: https://github.com/aquasecurity/trivy-action/blob/master/Dockerfile. – Azeem Feb 09 '23 at 17:26
  • Just tested it with GHA and `ubuntu-latest`. It worked fine. See https://github.com/iamazeem/test/actions/runs/4136896033/jobs/7151369290. Seems like it's something to do with your self-hosted runner itself. – Azeem Feb 09 '23 at 17:40
  • It always works fine with ubuntu-latest on GitHub, but when we introduce our images as self-hosted ones, it fails, although they are like Ubuntu 22. I also tried with the 3rd-party image that has the latest Ubuntu: https://hub.docker.com/r/summerwind/actions-runner/tags – Ali Feb 09 '23 at 17:54
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/251767/discussion-between-ali-and-azeem). – Ali Feb 09 '23 at 17:56
  • Right. Observe those "permission denied" warnings for CDN and "packages not found errors". Looks like your self-hosted runner needs to update its repositories. See https://stackoverflow.com/questions/53710206/docker-cant-build-because-of-alpine-error and https://github.com/gliderlabs/docker-alpine/issues/386. – Azeem Feb 10 '23 at 06:21

0 Answers
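
An added example, not part of the original thread: a small Python triage of the apk output in the question's log. It shows that every repository index fetch failed TLS certificate verification, so the later "no such package" errors are a consequence of having no index rather than a separate problem. The function name `triage` and the regular expressions are this example's own; the log lines are copied from the question.

```python
import re

# Lines copied from the apk output in the question's build log.
LOG = """\
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
48ABC73BEB7F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/main: Permission denied
fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
48ABC73BEB7F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/community: Permission denied
ERROR: unable to select packages:
  bash (no such package):
    required by: world[bash]
  curl (no such package):
    required by: world[curl]
  npm (no such package):
    required by: world[npm]
"""

# "fetch <repo>/<arch>/APKINDEX.tar.gz" -> capture the repository URL.
FETCH = re.compile(r"^fetch (\S+)/[^/]+/APKINDEX\.tar\.gz$")
# OpenSSL 3 error line: <thread>:error:<code>:<library>:<function>:<reason>:...
OPENSSL = re.compile(r"^[0-9A-F]+:error:([0-9A-F]{8}):([^:]*):([^:]*):([^:]*):")
MISSING = re.compile(r"^\s+(\S+) \(no such package\):$")

def triage(log):
    """Group apk output by repository and say why each index fetch failed."""
    repos, missing, current = {}, [], None
    for line in log.splitlines():
        if m := FETCH.match(line):
            current = m.group(1)
            repos[current] = "ok"          # until an error line says otherwise
        elif (m := OPENSSL.match(line)) and current:
            repos[current] = f"tls: {m.group(4)} ({m.group(3)})"
        elif m := MISSING.match(line):
            missing.append(m.group(1))
    usable = [r for r, status in repos.items() if status == "ok"]
    if missing and repos and not usable:
        verdict = "no repository index was fetched; package errors are a consequence"
    elif missing:
        verdict = "index fetched; package names or repositories need checking"
    else:
        verdict = "no package errors"
    return {"repos": repos, "missing": missing, "verdict": verdict}

if __name__ == "__main__":
    for key, value in triage(LOG).items():
        print(key, "=", value)
```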