Does klar support Azure ACK? #157

Open
daxin09pp opened this issue Sep 20, 2019 · 14 comments
@daxin09pp

Does klar support Azure ACK?

@antonin-g

I work with Azure Cloud but I don't know Azure ACK. What is this?
Are you maybe thinking of ACR (Azure Container Registry) or AKS (Azure Kubernetes Service)?

@daxin09pp
Author

I am sorry. I mean ACR.

@antonin-g

No problem.
It works well with ACR. 👍

@daxin09pp
Author

How do you add a registry? How do I fill in DOCKER_USER and DOCKER_PASSWORD?

@antonin-g

antonin-g commented Sep 27, 2019

You can use environment variables to use klar.

Personally, for my tests I created a Docker image that launches klar.

Dockerfile:

FROM alpine:3.10.2
WORKDIR /bin
COPY klar-2.4.0-linux-amd64 klar
ENTRYPOINT ["klar"]

And I use environment variables and arguments to use it:

docker run -e CLAIR_ADDR='https://clair_server:6060' -e DOCKER_USER='myuser' -e DOCKER_PASSWORD='mypassword' your_registry.azurecr.io/your_image:your_tag

The DOCKER_USER and DOCKER_PASSWORD values are defined in your ACR resource on the Azure Portal, in the access key tab.

Everything is indicated in the README.md.


@daxin09pp
Author

Thank you very much.

@daxin09pp
Author

Can I use klar if I only have a pull permission account?

@antonin-g

I don't know about this particular case. Have you enabled the admin user?


@andershermansen

I managed to get klar to work using the admin user, but I want to use it with our regular logins instead to avoid exposing the admin user.
I'm able to get an ACR access token using this command:
ACRTOKEN=$(az acr login --name MYACRSERVER --expose-token --out tsv --query '[accessToken]')
as explained here:
https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication#az-acr-login-with---expose-token

This could be used together with username 00000000-0000-0000-0000-000000000000

But when I try the output with klar, using the ACRTOKEN as password and the 000 username, I get this error:
Can't pull image: Token request returned 401

Looking at the klar trace output, I see that the 401 response comes with this header:
Www-Authenticate: Bearer realm="https://MYACRSERVER.azurecr.io/oauth2/token",service="intop.azurecr.io",scope="repository:MYIMAGE:pull"
It seems klar does not know how to handle this response?

If I manually call the token endpoint with the 000 user name and the ACRTOKEN as password using basic auth, as described here https://docs.microsoft.com/en-us/rest/api/containerregistry/accesstokens/getfromlogin, using a URL like this:
https://MYACRSERVER.azurecr.io/oauth2/token?service=MYACRSERVER.azurecr.io&scope=repository:MYIMAGE:pull
then I get back an access_token. With this access token I am able to retrieve the manifest file using an Authorization header with Bearer and the access_token, like this:
curl --header "Authorization: Bearer MYACCESSTOKEN" https://MYACRSERVER.azurecr.io/v2/MYIMAGE/manifests/MYTAG

But using DOCKER_TOKEN environment variable directly towards klar seems to send that with Basic in the first header, so also not working since it needs to be a Bearer token.

Not sure how to solve this in klar since I don't know Go very well.
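
The token exchange described in the comment above, as an added example that is not part of the thread or of klar's code: it parses the Bearer challenge into the token endpoint URL and builds the Authorization value from the response, going slightly beyond the comment by accepting both the `token` and `access_token` field names. `TokenURL` and `BearerFromBody` are hypothetical names, and the sample header and response body are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// challengeParam matches the key="value" pairs of a Www-Authenticate header.
var challengeParam = regexp.MustCompile(`(\w+)="([^"]*)"`)

// TokenURL turns a Bearer challenge into the token endpoint URL to call with Basic auth.
func TokenURL(challenge string) (string, error) {
	p := map[string]string{}
	for _, m := range challengeParam.FindAllStringSubmatch(challenge, -1) {
		p[m[1]] = m[2]
	}
	if !strings.HasPrefix(challenge, "Bearer ") || p["realm"] == "" {
		return "", errors.New("not a Bearer challenge with a realm")
	}
	q := url.Values{"service": {p["service"]}, "scope": {p["scope"]}}
	return p["realm"] + "?" + q.Encode(), nil
}

// BearerFromBody builds the Authorization value; it fails if no string token is present.
func BearerFromBody(body []byte) (string, error) {
	var env struct {
		Token       string `json:"token"`
		AccessToken string `json:"access_token"`
	}
	if err := json.Unmarshal(body, &env); err != nil {
		return "", fmt.Errorf("token response decode error: %w", err)
	}
	for _, t := range []string{env.Token, env.AccessToken} {
		if t != "" {
			return "Bearer " + t, nil
		}
	}
	return "", errors.New("token response has neither token nor access_token")
}

func main() {
	// Constructed inputs modelled on the header and response described in the thread.
	fmt.Println(TokenURL(`Bearer realm="https://MYACRSERVER.azurecr.io/oauth2/token",service="MYACRSERVER.azurecr.io",scope="repository:MYIMAGE:pull"`))
	fmt.Println(BearerFromBody([]byte(`{"access_token":"CONSTRUCTED"}`)))
}
```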

@elstak

elstak commented Nov 23, 2020

@andershermansen, thanks for the explanation. This project seems dead unfortunately. Quite a lot of PRs waiting and no changes for 2 years! I'm sure it is not so difficult to change the authentication header to Bearer when DOCKER_TOKEN is provided.

Did you find an alternative? Another Clair client perhaps?

@elstak

elstak commented Nov 23, 2020

@andershermansen I've solved the problem by changing a few lines. Apparently the response with the token could not be marshalled because of the expected name of the field token. Now it also accepts/expects access_token to support Azure ACR. This has been tested in AWS ECR and Azure ACR, but it should work in Docker Hub too.

diff --git a/docker/docker.go b/docker/docker.go
index e6d4c9a..c4f97f4 100644
--- a/docker/docker.go
+++ b/docker/docker.go
@@ -351,15 +351,20 @@ func (i *Image) requestToken(resp *http.Response) (string, error) {
                io.Copy(ioutil.Discard, tResp.Body)
                return "", fmt.Errorf("Token request returned %d", tResp.StatusCode)
        }
-       var tokenEnv struct {
-               Token string
-       }

+       var tokenEnv map[string]interface{}
        if err = json.NewDecoder(tResp.Body).Decode(&tokenEnv); err != nil {
                fmt.Fprintln(os.Stderr, "Token response decode error")
                return "", err
        }
-       return fmt.Sprintf("Bearer %s", tokenEnv.Token), nil
+       if token, ok := tokenEnv["token"]; ok {
+               return fmt.Sprintf("Bearer %s", token), nil
+       }
+       if token, ok := tokenEnv["access_token"]; ok {
+               return fmt.Sprintf("Bearer %s", token), nil
+       }
+       fmt.Fprintln(os.Stderr, "Token response decode error, no token or access_token found")
+       return "", err
 }

 func (i *Image) pullReq() (*http.Response, error) {
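
Review bot: the fall-through at the end of requestToken returns `return "", err`, but err is the decode error and is nil at that point, so the caller receives an empty Authorization value with no error; return a new error there (for example via fmt.Errorf) so a response without either field fails loudly. The values taken from map[string]interface{} are also formatted with %s without a type check, and a present but empty "token" key returns before "access_token" is tried; assert token.(string), skip empty strings, or keep a struct with both `token` and `access_token` fields.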

@andershermansen

@elstak Great. Personally I did not move forward with klar so did not use more time on the issue. As you say the project seems unmaintained.

@elstak

elstak commented Nov 25, 2020

@andershermansen I raised the PR anyways :/

May I ask which alternative you chose? Official Clair docs point to klar as the only standalone client, while the rest of the alternatives are either libraries or integrations with Docker registry solutions.

@andershermansen

@elstak Did not move forward with using Klar/Clair.
