
Trivy-action fails on local images in self hosted GHA runners dind mode - EKS #359

Open
rolandfuszenecker-seon opened this issue May 17, 2024 · 5 comments

Comments

@rolandfuszenecker-seon

Hi,

I would like to raise an issue with trivy-action running in self-hosted runners hosted in EKS with docker in docker mode.

When I try to run a trivy scan in these runners I'm always getting the following error message:

```text
docker error: unable to inspect the image (testimage): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
```

My workflow works well with GitHub provided ubuntu runners.

I think the problem is somewhere with the docker sockets, because everything else works with docker, only trivy is not able to see the locally built images. If I try to scan an image from a remote repository that works fine. I also tried to use the docker cli to run trivy against the built image with `docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image <image>` without any success.

If you have any idea what could be wrong please don't hesitate to share your thoughts.

@simar7
Member

simar7 commented May 17, 2024

I've never tried running Trivy-action with self hosted runners so I can't comment much. It might be very well the case that it isn't supported today to run on self hosted runners. We can keep this issue for the community to share any insight with us.

@lrstanley

I am confident as well that it is an issue with docker sockets. We use runner sets using actions-runner-controller in kubernetes, and use docker-in-docker for each runner that gets spun up. The recommendation for dind with ARC is to use `unix:///run/docker/docker.sock`, or at least that is what our configuration is.

Can't use `docker-host` to specify this however, because this is a container based action, and there is no way with ARC as far as I'm aware (`containerMode == docker` or `kubernetes`) to auto-mount the docker socket inside of the dind container. If this action wasn't container based, I don't think it'd be an issue.

One thing I haven't tried is to use TCP based docker sockets, which may then be accessible regardless of the filesystem being mounted (and only the necessary environment variable or configuration).

A temporary workaround which we are using, however, is to export the image using `docker save` right before trivy runs, and have trivy scan that file instead. Not perfect, but works for now.
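The `docker save` workaround described above as a complete workflow, added here as an example and not taken from the thread or from trivy-action's own docs. It assumes an ARC runner set labelled `arc-runner-set` in dind mode and an image called `testimage`; the action is given the tarball through its `input` parameter so it never needs the daemon socket.

```yaml
name: scan-local-image
on: [push]

jobs:
  scan:
    # Assumed runner label for an ARC runner set deployed with containerMode dind.
    runs-on: arc-runner-set
    steps:
      - uses: actions/checkout@v4

      # Build locally: the image only exists inside this runner pod's dind daemon
      # (reachable for docker at unix:///run/docker/docker.sock, not for the
      # trivy-action container).
      - name: Build image
        run: docker build -t testimage:${{ github.sha }} .

      # Export the image to a tarball in the workspace. The action container
      # cannot reach the dind socket, but the workspace is mounted into it.
      - name: Export image
        run: docker save testimage:${{ github.sha }} -o image.tar

      # Scan the tarball instead of the daemon-resident image. Pin the action to
      # a release tag or commit SHA rather than master for reproducible scans.
      - name: Scan exported image with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          input: image.tar
          format: table
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: '1'   # fail the job on unfixed CRITICAL/HIGH findings
```

The same tarball can be scanned locally with `trivy image --input image.tar` when debugging the runner.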

@gfrid

gfrid commented Jul 23, 2024

> Hi,
>
> I would like to raise an issue with trivy-action running in self-hosted runners hosted in EKS with docker in docker mode.
>
> When I try to run a trivy scan in these runners I'm always getting the following error message: `docker error: unable to inspect the image (testimage): Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?` My workflow works well with GitHub provided ubuntu runners.
>
> I think the problem is somewhere with the docker sockets, because everything else works with docker, only trivy is not able to see the locally built images. If I try to scan an image from a remote repository that works fine. I also tried to use the docker cli to run trivy against the built image with `docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image <image>` without any success.
>
> If you have any idea what could be wrong please don't hesitate to share your thoughts.

I use dind with GitHub Action runners (the new actions-runner-set), everything works fine.

@lrstanley

@gfrid would you mind sharing your configuration (with all the sensitive bits stripped) for how you deploy the runner set that works, along with how you invoke the trivy action?

@gfrid

gfrid commented Jul 24, 2024

> @gfrid would you mind sharing your configuration (with all the sensitive bits stripped) for how you deploy the runnerset that works, along with how you invoke the trivy action?

You need to use the latest arc-runner-set, not the old project, and set your own values in the arc-runner-set values file `arc-set-runner-values.yaml` (use helm to install).

In the values file enable DIND:

```yaml
containerMode:
  type: "dind"
```

Then, if you want to configure additional settings like dockerhub login credentials, you can do it like this:

```yaml
securityContext:
  fsGroup: 1000
imagePullSecrets:
  - name: regcred
containers:
  - name: runner
    image: ghcr.io/actions/actions-runner:latest
    command: ["/bin/bash","-c","sudo apt-get update && sudo apt-get install curl unzip jq wget python3-pip git-all -y && /home/runner/run.sh"]
    resources:
      requests:
        memory: 2Gi
        cpu: 1.0
      limits:
        cpu: 4.0
        memory: 8Gi
    volumeMounts:
      - name: docker-secret
        mountPath: /home/runner/config.json
        subPath: config.json
      - name: docker-config-volume
        mountPath: /home/runner/.docker
initContainers:
  - name: dockerconfigwriter
    image: alpine
    command:
      - sh
      - -c
      - cat /home/runner/config.json > /home/runner/.docker/config.json
    volumeMounts:
      - name: docker-secret
        mountPath: /home/runner/config.json
        subPath: config.json
      - name: docker-config-volume
        mountPath: /home/runner/.docker
volumes:
  - name: docker-secret
    secret:
      secretName: regcred
      items:
        - key: .dockerconfigjson
          path: config.json
  - name: docker-config-volume
    emptyDir: {}
```
