docker基础:私库系列:再探Harbor:(5)集成clair
Clair是CoreOS提供的一款根据CVE的信息确认镜像各层安全状况的开源工具,harbor集成了clair到其功能之中,这也是和其他同类工具相比一个突出的亮点,而在其集成的实现中,首先clair的功能依然是靠其官方镜像和postgres结合形成,而扫描之后的信息则通过harbor自身的数据库进行保存。
安装方式
在habor中集成clair的功能,方式非常简单,只需要在安装史指定with-clair选项即可
安装命令:sh install.sh –with-clair
而在harbor.cfg中与clair相关的设定信息如下:
设定项 | 说明 | 缺省值 |
---|---|---|
clair_db_host | clair数据库host,HA方式需要指定外部地址 | postgres |
clair_db_password | 数据库用户密码 | password |
clair_db_port | postgre服务端口 | 5432 |
clair_db | postgres数据库名 | postgres |
设定值使用如上缺省值,只是修改clair_db_password:password -> liumiaopw
[root@liumiao harbor]# grep clair_db_password harbor.cfg
clair_db_password = liumiaopw
[root@liumiao harbor]#
[root@liumiao harbor]# ./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.163.128.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.163.128.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[root@liumiao harbor]#
安装
[root@liumiao harbor]# sh install.sh --with-clair[Step 0]: checking installation environment ...Note: docker version: 1.13.1Note: docker-compose version: 1.13.0[Step 1]: loading Harbor images ...
Loaded image: vmware/registry-photon:v2.6.2-v1.5.2
Loaded image: vmware/photon:1.0
Loaded image: vmware/mariadb-photon:v1.5.2
Loaded image: vmware/harbor-log:v1.5.2
Loaded image: vmware/nginx-photon:v1.5.2
Loaded image: vmware/notary-signer-photon:v0.5.1-v1.5.2
Loaded image: vmware/postgresql-photon:v1.5.2
Loaded image: vmware/harbor-db:v1.5.2
Loaded image: vmware/harbor-jobservice:v1.5.2
Loaded image: vmware/clair-photon:v2.0.4-v1.5.2
Loaded image: vmware/harbor-adminserver:v1.5.2
Loaded image: vmware/harbor-ui:v1.5.2
Loaded image: vmware/redis-photon:v1.5.2
Loaded image: vmware/notary-server-photon:v0.5.1-v1.5.2
Loaded image: vmware/harbor-migrator:v1.5.0[Step 2]: preparing environment ...
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.163.128.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.163.128.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
Generated configuration file: ./common/config/clair/postgres_env
Generated configuration file: ./common/config/clair/config.yaml
Generated configuration file: ./common/config/clair/clair_env
The configuration files are ready, please use docker-compose to start the service.[Step 3]: checking existing instance of Harbor ...[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating network "harbor_harbor-clair" with the default driver
Creating harbor-log ...
Creating harbor-log ... done
Creating harbor-adminserver ...
Creating registry ...
Creating clair-db ...
Creating harbor-db ...
Creating redis ...
Creating harbor-db
Creating harbor-adminserver
Creating clair-db
Creating registry
Creating redis ... done
Creating registry ... done
Creating clair
Creating harbor-ui ...
Creating harbor-ui ... done
Creating harbor-jobservice ...
Creating nginx ...
Creating harbor-jobservice
Creating nginx ... done✔ ----Harbor has been installed and started successfully.----Now you should be able to visit the admin portal at https://192.168.163.128:8848.
For more details, please visit https://github.com/vmware/harbor .[root@liumiao harbor]#
结果确认
[root@liumiao harbor]# docker-compose -f docker-compose.clair.yml -f docker-compose.yml psName Command State Ports
-------------------------------------------------------------------------------------------------------------------------------
clair /docker-entrypoint.sh Up 6060/tcp, 6061/tcp
clair-db /entrypoint.sh postgres Up 5432/tcp
harbor-adminserver /harbor/start.sh Up
harbor-db /usr/local/bin/docker-entr ... Up 3306/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp
harbor-ui /harbor/start.sh Up
nginx nginx -g daemon off; Up 0.0.0.0:8848->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh serve /etc/ ... Up 5000/tcp
[root@liumiao harbor]#
推送镜像
[root@liumiao harbor]# docker login -uroot -pliumiaopw 192.168.163.128:8848
Error response from daemon: Get https://192.168.163.128:8848/v2/: unauthorized: authentication required
[root@liumiao harbor]#
[root@liumiao harbor]# docker login -uadmin -pliumiaopw 192.168.163.128:8848
Login Succeeded
[root@liumiao harbor]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
be8881be8156: Pull complete
32d9726baeef: Pull complete
87e5e6f71297: Pull complete
Digest: sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
Status: Downloaded newer image for nginx:latest
[root@liumiao harbor]# docker tag nginx 192.168.163.128:8848/library/nginx:latest
[root@liumiao harbor]# docker push 192.168.163.128:8848/library/nginx:latest
The push refers to a repository [192.168.163.128:8848/library/nginx]
08d25fa0442e: Pushed
a8c4aeeaa045: Pushed
cdb3f9544e4c: Pushed
latest: digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f size: 948
[root@liumiao harbor]#
镜像扫描
前面提到admin是有权限进行镜像扫描的,通过UI可以看到刚刚推送的镜像还是Not Scanned的状态
选中并进行扫描可以看到当前最新的nginx镜像是没有严重CVE问题的
注意:clair的根本在于CVE的比对,所以自身的数据库数据的更新是非常重要的,就如同病毒库需要更新一样请同样注意clair本身的CVE数据相关的更新是否完成。
数据库相关
与clair扫描相关的数据库表主要有如下几个:
[root@liumiao harbor]# docker exec -it harbor-db sh
sh-4.3# mysql -uroot -pliumiaopw
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 57
Server version: 10.2.14-MariaDB Source distributionCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.MariaDB [(none)]> use registry
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -ADatabase changed
MariaDB [registry]> show tables;
+-------------------------------+
| Tables_in_registry |
+-------------------------------+
| access |
| access_log |
| alembic_version |
| clair_vuln_timestamp |
| harbor_label |
| harbor_resource_label |
| img_scan_job |
| img_scan_overview |
| project |
| project_member |
| project_metadata |
| properties |
| replication_immediate_trigger |
| replication_job |
| replication_policy |
| replication_target |
| repository |
| role |
| user |
| user_group |
+-------------------------------+
20 rows in set (0.00 sec)MariaDB [registry]> desc clair_vuln_timestamp
-> ;
+-------------+--------------+------+-----+---------------------+-------------------------------+
| Field | Type | Null | Key | Default | Extra |
+-------------+--------------+------+-----+---------------------+-------------------------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| namespace | varchar(128) | NO | UNI | NULL | |
| last_update | timestamp | NO | | current_timestamp() | on update current_timestamp() |
+-------------+--------------+------+-----+---------------------+-------------------------------+
3 rows in set (0.00 sec)MariaDB [registry]> desc img_scan_job
-> ;
+---------------+--------------+------+-----+---------------------+-------------------------------+
| Field | Type | Null | Key | Default | Extra |
+---------------+--------------+------+-----+---------------------+-------------------------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| status | varchar(64) | NO | MUL | NULL | |
| repository | varchar(256) | NO | MUL | NULL | |
| tag | varchar(128) | NO | | NULL | |
| digest | varchar(128) | YES | MUL | NULL | |
| job_uuid | varchar(64) | YES | MUL | NULL | |
| creation_time | timestamp | NO | | current_timestamp() | |
| update_time | timestamp | NO | | current_timestamp() | on update current_timestamp() |
+---------------+--------------+------+-----+---------------------+-------------------------------+
8 rows in set (0.00 sec)MariaDB [registry]> desc img_scan_overview;
+---------------------+---------------+------+-----+---------------------+-------------------------------+
| Field | Type | Null | Key | Default | Extra |
+---------------------+---------------+------+-----+---------------------+-------------------------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| image_digest | varchar(128) | NO | UNI | NULL | |
| scan_job_id | int(11) | NO | | NULL | |
| severity | int(11) | NO | | 0 | |
| components_overview | varchar(2048) | YES | | NULL | |
| details_key | varchar(128) | YES | | NULL | |
| creation_time | timestamp | NO | | current_timestamp() | |
| update_time | timestamp | NO | | current_timestamp() | on update current_timestamp() |
+---------------------+---------------+------+-----+---------------------+-------------------------------+
8 rows in set (0.00 sec)MariaDB [registry]>
扫描信息和执行结果
MariaDB [registry]> select * from img_scan_overview;
+----+-------------------------------------------------------------------------+-------------+----------+----------------------------------------------------+------------------------------------------------------------------+---------------------+---------------------+
| id | image_digest | scan_job_id | severity | components_overview | details_key | creation_time | update_time |
+----+-------------------------------------------------------------------------+-------------+----------+----------------------------------------------------+------------------------------------------------------------------+---------------------+---------------------+
| 1 | sha256:19fca0f4a812d0ba4ad89a4c345ce660ecc7c14c1ce9a9c12ac9db1ca62b4602 | 1 | 0 | | | 2018-08-19 00:00:21 | 2018-08-19 00:00:21 |
| 2 | sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f | 2 | 1 | {"total":80,"summary":[{"severity":1,"count":80}]} | 6d33c67920b31f6dcea328762fe1a814de928a185d9397f61b15a278c17184f2 | 2018-08-19 03:16:33 | 2018-08-19 03:16:37 |
+----+-------------------------------------------------------------------------+-------------+----------+----------------------------------------------------+------------------------------------------------------------------+---------------------+---------------------+
2 rows in set (0.00 sec)MariaDB [registry]> select * from img_scan_job;
+----+----------+-----------------+--------+-------------------------------------------------------------------------+--------------------------+---------------------+---------------------+
| id | status | repository | tag | digest | job_uuid | creation_time | update_time |
+----+----------+-----------------+--------+-------------------------------------------------------------------------+--------------------------+---------------------+---------------------+
| 1 | error | library/busybox | latest | sha256:19fca0f4a812d0ba4ad89a4c345ce660ecc7c14c1ce9a9c12ac9db1ca62b4602 | 9ebbdf11f3436ac9ab82997b | 2018-08-19 00:00:21 | 2018-08-19 00:00:25 |
| 2 | finished | library/nginx | latest | sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f | ba4a0eca48b096ae41db07cf | 2018-08-19 03:16:33 | 2018-08-19 03:16:37 |
+----+----------+-----------------+--------+-------------------------------------------------------------------------+--------------------------+---------------------+---------------------+
2 rows in set (0.00 sec)MariaDB [registry]>
可以看到,里面有刚刚成功的nginx的扫描的结果,还有一个失败的信息,失败的则是之前http方式时push进去的busybox,在重新安装时因为数据库没有清空,所以信息保留了下来,由于操作不一致所导致的,再实际环境中如果有从http切换成https的话,需要考虑到旧有数据和私库中保存的镜像信息的一致性再进行移植。所以最好再最初的时候考虑清楚会省去很多麻烦。
docker基础:私库系列:再探Harbor:(5)集成clair相关推荐
- docker登录私库时提示 x509: certificate signed by unknown authority
docker登录私库时提示 x509: certificate signed by unknown authority 编辑daemon.json vim /etc/docker/daemon.jso ...
- 安装harbor私库
安装harbor harbor是容器镜像注册仓库 官方首页: https://goharbor.io/ 官方文档: 安装和配置文档(针对版本2.1) https://goharbor.io/docs/ ...
- 搭建docker私库
前面关于nexus的操作参考前面nexus的文章 1.新建私有私库 2.新建角色和用户 3.docker上传与下载 使用docker登录私库:密码******** docker login youst ...
- Docker学习3 - 阿里云个人镜像私库、本地私库registry
文章目录 私库 自建个人镜像并且推到阿里云私库上 阿里云 本地服务器的私库 registry - 私服镜像仓库(类似本地的DockerHub) 私库 自建个人镜像并且推到阿里云私库上 镜像云发布流程 ...
- Harbor集成Clair镜像安全扫描并手动导入漏洞数据
通过这篇文章,你会了解到: harbor启停方法 clair镜像扫描原理 harbor数据库(MySQL)一览 clair数据库(PostgreSql)一览 harbor手动导入漏洞数据方法 背景 先 ...
- docker 离线安装_企业级Docker私库Harbor安装详解
Harbor是一个用于存储和分发Docker镜像的企业级Registry服务器,Harbor提供了基于角色的访问控制机制,并通过项目来对镜像进行组织和访问权限的控制 1:安装 Docker-compo ...
- 【Vue.js 牛刀小试】:第九章 - 组件基础再探(data、props)
系列目录地址 一.基础知识概览 第一章 - 一些基础概念(posted at 2018-10-31) 第二章 - 常见的指令的使用(posted at 2018-11-01) 第三章 - 事件修饰符的 ...
- Maven精选系列--发布jar包到Nexus私库
转载自 Maven精选系列--发布jar包到Nexus私库 Nexus2可以通过管理界面来上传jar包到私库中,而最新的Nexus3却找不到了上传界面,只能通过以下方式来发布到私库. 发布第三方jar ...
- Maven精选系列--私库搭建及使用
转载自 Maven精选系列--私库搭建及使用 为什么要使用私库 maven默认去远程中央仓库下载JAR包的,访问国外网络相当慢,如果团队每个人都去下载一遍无疑是网络的浪费,当然也可以添加国内的镜像,如 ...
最新文章
- ReentrantLock和synchronized两种锁定机制
- js两个等号和三个等号_js中两个等号(==)和三个等号(===)的区别
- 窗体的扩展样式GWL_EXSTYLE: 用于SetWindowLong
- memcached的最佳实践方案(转)
- 网工的Linux系统学习历程
- 【Java从0到架构师】git 入门和基本应用
- 【iOS】Swift3:context.executeFecthRequest(request, error: nil)
- word---自定义编号样式
- jq设置html的css属性,jQuery css() 方法
- 2021年广东开放大学期末考试方法,怎么查题,找答案
- mysql实例备份和单库备份_史上最简单的MySQL数据备份与还原教程(上)(三十五)...
- c语言编程十进制转八进制算法,C语言十进制如何转八进制?
- 每日学点python之六(列表与元组)
- mindmanager2018官方下载地址
- 安装pywifi的坑
- 自定义类型:枚举,结构体,联合体
- RocketMq之消费方式
- U盘中的文件夹都变成了.exe文件
- android 仿微信demo————微信消息界面实现(移动端)
- 布局福建市场,维也纳酒店欧暇·地中海酒店能否为投资人带来信心与底气?