At present the plugin throws error messages when it is used to connect to a distroless container, which has no shell to use for most of the InSpec resources. However, the error is a general ConnectionError and isn't descriptive enough.

Current integration-tests workflow, during the Test distroless container job:
```bash
echo "Testing distroless container (no shell)..."
# Distroless containers have no shell, so detect should still work
# but will report limited capabilities
cinc-auditor detect -t k8s-container:///test-distroless/test-distroless || echo "Expected: distroless detection may have limited results"
# Test that we get appropriate error for complex commands on distroless
echo "Testing error handling for complex commands on distroless..."
if cinc-auditor shell -t k8s-container:///test-distroless/test-distroless --command "command('whoami').stdout" 2>&1; then
  echo "Note: Simple command may work if binary exists"
else
  echo "Expected: distroless container may not support shell commands"
fi
```
```
shell: /usr/bin/bash -e {0}
env:
RUBY_VERSION_DEFAULT: 3.3
Testing distroless container (no shell)...
/tmp/train-k8s-container/lib/train/k8s/container/connection.rb:26:in 'Train::K8s::Container::Connection#connect': command terminated with exit code 127 (Train::K8s::Container::ConnectionError)
from /tmp/train-k8s-container/lib/train/k8s/container/connection.rb:20:in 'Train::K8s::Container::Connection#initialize'
from /tmp/train-k8s-container/lib/train/k8s/container/transport.rb:14:in 'Class#new'
from /tmp/train-k8s-container/lib/train/k8s/container/transport.rb:14:in 'Train::K8s::Container::Transport#connection'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/backend.rb:40:in 'Inspec::Backend.create'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/runner.rb:95:in 'Inspec::Runner#configure_transport'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/runner.rb:87:in 'Inspec::Runner#initialize'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/cli.rb:593:in 'Class#new'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/cli.rb:593:in 'Inspec::InspecCLI#run_command'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/cli.rb:434:in 'block in Inspec::InspecCLI#detect'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/feature/runner.rb:24:in 'Inspec::Feature::Runner.with_feature'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/feature.rb:6:in 'Inspec.with_feature'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/cli.rb:426:in 'Inspec::InspecCLI#detect'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/thor-1.4.0/lib/thor/command.rb:28:in 'Thor::Command#run'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/thor-1.4.0/lib/thor/invocation.rb:127:in 'Thor::Invocation#invoke_command'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/thor-1.4.0/lib/thor.rb:538:in 'Thor.dispatch'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/thor-1.4.0/lib/thor/base.rb:584:in 'Thor::Base::ClassMethods#start'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/base_cli.rb:40:in 'Inspec::BaseCLI.start'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/cinc-auditor-bin-7.0.95/bin/cinc-auditor:14:in '<top (required)>'
from /usr/bin/cinc-auditor:299:in 'Kernel.load'
from /usr/bin/cinc-auditor:299:in '<main>'
Expected: distroless detection may have limited results
Testing error handling for complex commands on distroless...
/tmp/train-k8s-container/lib/train/k8s/container/connection.rb:26:in 'Train::K8s::Container::Connection#connect': command terminated with exit code 127 (Train::K8s::Container::ConnectionError)
from /tmp/train-k8s-container/lib/train/k8s/container/connection.rb:20:in 'Train::K8s::Container::Connection#initialize'
from /tmp/train-k8s-container/lib/train/k8s/container/transport.rb:14:in 'Class#new'
from /tmp/train-k8s-container/lib/train/k8s/container/transport.rb:14:in 'Train::K8s::Container::Transport#connection'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/backend.rb:40:in 'Inspec::Backend.create'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/runner.rb:95:in 'Inspec::Runner#configure_transport'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/runner.rb:87:in 'Inspec::Runner#initialize'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/cli.rb:593:in 'Class#new'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/cli.rb:593:in 'Inspec::InspecCLI#run_command'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/cli.rb:495:in 'block in Inspec::InspecCLI#shell_func'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/feature/runner.rb:24:in 'Inspec::Feature::Runner.with_feature'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/feature.rb:6:in 'Inspec.with_feature'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/cli.rb:474:in 'Inspec::InspecCLI#shell_func'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/thor-1.4.0/lib/thor/command.rb:28:in 'Thor::Command#run'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/thor-1.4.0/lib/thor/invocation.rb:127:in 'Thor::Invocation#invoke_command'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/thor-1.4.0/lib/thor.rb:538:in 'Thor.dispatch'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/thor-1.4.0/lib/thor/base.rb:584:in 'Thor::Base::ClassMethods#start'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/inspec-core-7.0.95/lib/inspec/base_cli.rb:40:in 'Inspec::BaseCLI.start'
from /opt/cinc-auditor/embedded/lib/ruby/gems/3.4.0/gems/cinc-auditor-bin-7.0.95/bin/cinc-auditor:14:in '<top (required)>'
from /usr/bin/cinc-auditor:299:in 'Kernel.load'
from /usr/bin/cinc-auditor:299:in '<main>'
Expected: distroless container may not support shell commands
```
Note that the CI job had to add in the string "distroless container may not support shell commands" so that we would know what was happening in the pipeline.
We should improve the error message to better describe why the ConnectionError occurred.
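One way the requested behaviour could look, as an added sketch that is not the plugin's own code: the exec failure text is classified and a descriptive subclass of ConnectionError is raised, so existing `rescue ConnectionError` handlers keep working. The module, class and method names (`Sketch`, `ShellUnavailableError`, `classify`) are hypothetical, and the second stderr pattern is an assumption about what the container runtime reports.

```ruby
# Added illustration; every name here is hypothetical, not the plugin's API.
module Sketch
  class ConnectionError < StandardError; end

  # Raised when the target container has no usable shell (e.g. distroless).
  # Subclassing keeps callers that rescue ConnectionError working unchanged.
  class ShellUnavailableError < ConnectionError; end

  # 127 = command not found, 126 = found but not executable (shell convention).
  NO_SHELL_CODES = [126, 127].freeze
  EXIT_CODE_RE   = /command terminated with exit code (\d+)/
  # Assumed runtime wording when the exec'd binary does not exist.
  MISSING_BIN_RE = /exec: "([^"]+)": .*no such file or directory/

  module_function

  # Extract the exit code from the exec failure text, or nil if absent.
  def exit_code(stderr)
    m = EXIT_CODE_RE.match(stderr)
    m && m[1].to_i
  end

  # Turn raw failure text from the connection probe into a descriptive error.
  def classify(stderr, target:)
    code    = exit_code(stderr)
    missing = MISSING_BIN_RE.match(stderr)
    if missing || NO_SHELL_CODES.include?(code)
      binary = missing ? missing[1] : "a shell"
      ShellUnavailableError.new(
        "Could not start #{binary} in #{target} (exit code #{code || 'unknown'}). " \
        "The container appears to have no shell (for example a distroless image), " \
        "so resources that run commands are unavailable. " \
        "Original error: #{stderr.strip}"
      )
    else
      ConnectionError.new("Connection to #{target} failed: #{stderr.strip}")
    end
  end
end
```

The original failure text is kept in the message so the root cause is still visible in CI logs.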