Harbor: integrating Clair

Clair is an open-source tool from CoreOS that checks the security status of each image layer against CVE data. Harbor integrates Clair into its feature set, which is a notable highlight compared with similar tools. In Harbor's integration, Clair's functionality is still provided by its official image combined with PostgreSQL, while the information produced after a scan is stored in Harbor's own database.

Installation method
Enabling Clair in Harbor is very simple: just pass the --with-clair option at install time.

Install command: sh install.sh --with-clair

The Clair-related settings in harbor.cfg are as follows:

Setting             Description                                                          Default
clair_db_host       Host of the Clair database; in an HA setup, point to an external address   postgres
clair_db_password   Password of the database user                                        password
clair_db_port       PostgreSQL service port                                              5432
clair_db            PostgreSQL database name                                             postgres

The defaults above are kept, changing only clair_db_password: password -> harbor-serverpw

[root@harbor-server harbor]# grep clair_db_password harbor.cfg
clair_db_password = harbor-serverpw
[root@harbor-server harbor]#
[root@harbor-server harbor]# ./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.163.128.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.163.128.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[root@harbor-server harbor]#

Installation

[root@harbor-server harbor]# sh install.sh --with-clair

[Step 0]: checking installation environment ...

Note: docker version: 1.13.1

Note: docker-compose version: 1.13.0

[Step 1]: loading Harbor images ...
Loaded image: vmware/registry-photon:v2.6.2-v1.5.2
Loaded image: vmware/photon:1.0
Loaded image: vmware/mariadb-photon:v1.5.2
Loaded image: vmware/harbor-log:v1.5.2
Loaded image: vmware/nginx-photon:v1.5.2
Loaded image: vmware/notary-signer-photon:v0.5.1-v1.5.2
Loaded image: vmware/postgresql-photon:v1.5.2
Loaded image: vmware/harbor-db:v1.5.2
Loaded image: vmware/harbor-jobservice:v1.5.2
Loaded image: vmware/clair-photon:v2.0.4-v1.5.2
Loaded image: vmware/harbor-adminserver:v1.5.2
Loaded image: vmware/harbor-ui:v1.5.2
Loaded image: vmware/redis-photon:v1.5.2
Loaded image: vmware/notary-server-photon:v0.5.1-v1.5.2
Loaded image: vmware/harbor-migrator:v1.5.0

[Step 2]: preparing environment ...
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.163.128.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.163.128.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
Generated configuration file: ./common/config/clair/postgres_env
Generated configuration file: ./common/config/clair/config.yaml
Generated configuration file: ./common/config/clair/clair_env
The configuration files are ready, please use docker-compose to start the service.

[Step 3]: checking existing instance of Harbor ...

[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating network "harbor_harbor-clair" with the default driver
Creating harbor-log ... 
Creating harbor-log ... done
Creating harbor-adminserver ... 
Creating registry ... 
Creating clair-db ... 
Creating harbor-db ... 
Creating redis ... 
Creating harbor-db
Creating harbor-adminserver
Creating clair-db
Creating registry
Creating redis ... done
Creating registry ... done
Creating clair
Creating harbor-ui ... 
Creating harbor-ui ... done
Creating harbor-jobservice ... 
Creating nginx ... 
Creating harbor-jobservice
Creating nginx ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://192.168.163.128:8848. 
For more details, please visit https://github.com/vmware/harbor .

[root@harbor-server harbor]#

Verifying the result

[root@harbor-server harbor]# docker-compose -f docker-compose.clair.yml -f docker-compose.yml ps
       Name                     Command               State                                 Ports                               
-------------------------------------------------------------------------------------------------------------------------------
clair                /docker-entrypoint.sh            Up      6060/tcp, 6061/tcp                                                
clair-db             /entrypoint.sh postgres          Up      5432/tcp                                                          
harbor-adminserver   /harbor/start.sh                 Up                                                                        
harbor-db            /usr/local/bin/docker-entr ...   Up      3306/tcp                                                          
harbor-jobservice    /harbor/start.sh                 Up                                                                        
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up      127.0.0.1:1514->10514/tcp                                         
harbor-ui            /harbor/start.sh                 Up                                                                        
nginx                nginx -g daemon off;             Up      0.0.0.0:8848->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp 
redis                docker-entrypoint.sh redis ...   Up      6379/tcp                                                          
registry             /entrypoint.sh serve /etc/ ...   Up      5000/tcp                                                          
[root@harbor-server harbor]#

Pushing an image
[root@harbor-server harbor]# docker login -uroot -pharbor-serverpw 192.168.163.128:8848
Error response from daemon: Get https://192.168.163.128:8848/v2/: unauthorized: authentication required
[root@harbor-server harbor]# 
[root@harbor-server harbor]# docker login -uadmin -pharbor-serverpw 192.168.163.128:8848
Login Succeeded
[root@harbor-server harbor]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
be8881be8156: Pull complete 
32d9726baeef: Pull complete 
87e5e6f71297: Pull complete 
Digest: sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
Status: Downloaded newer image for nginx:latest
[root@harbor-server harbor]# docker tag nginx 192.168.163.128:8848/library/nginx:latest
[root@harbor-server harbor]# docker push 192.168.163.128:8848/library/nginx:latest
The push refers to a repository [192.168.163.128:8848/library/nginx]
08d25fa0442e: Pushed 
a8c4aeeaa045: Pushed 
cdb3f9544e4c: Pushed 
latest: digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f size: 948
[root@harbor-server harbor]#

Image scanning
As mentioned earlier, admin has permission to scan images. In the UI, the image just pushed still shows the status Not Scanned.

Select it and run the scan: the current latest nginx image shows no serious CVE issues.

Note: Clair fundamentally works by matching against CVE data, so keeping its own database up to date is very important. Just as a virus signature database must be updated, make sure Clair's CVE data updates have actually completed.

Database tables
The main database tables related to Clair scanning are the following:

[root@harbor-server harbor]# docker exec -it harbor-db sh
sh-4.3# mysql -uroot -pharbor-serverpw
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 57
Server version: 10.2.14-MariaDB Source distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use registry
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [registry]> show tables;
+-------------------------------+
| Tables_in_registry            |
+-------------------------------+
| access                        |
| access_log                    |
| alembic_version               |
| clair_vuln_timestamp          |
| harbor_label                  |
| harbor_resource_label         |
| img_scan_job                  |
| img_scan_overview             |
| project                       |
| project_member                |
| project_metadata              |
| properties                    |
| replication_immediate_trigger |
| replication_job               |
| replication_policy            |
| replication_target            |
| repository                    |
| role                          |
| user                          |
| user_group                    |
+-------------------------------+
20 rows in set (0.00 sec)

MariaDB [registry]> desc clair_vuln_timestamp
    -> ;
+-------------+--------------+------+-----+---------------------+-------------------------------+
| Field       | Type         | Null | Key | Default             | Extra                         |
+-------------+--------------+------+-----+---------------------+-------------------------------+
| id          | int(11)      | NO   | PRI | NULL                | auto_increment                |
| namespace   | varchar(128) | NO   | UNI | NULL                |                               |
| last_update | timestamp    | NO   |     | current_timestamp() | on update current_timestamp() |
+-------------+--------------+------+-----+---------------------+-------------------------------+
3 rows in set (0.00 sec)

MariaDB [registry]> desc img_scan_job
    -> ;
+---------------+--------------+------+-----+---------------------+-------------------------------+
| Field         | Type         | Null | Key | Default             | Extra                         |
+---------------+--------------+------+-----+---------------------+-------------------------------+
| id            | int(11)      | NO   | PRI | NULL                | auto_increment                |
| status        | varchar(64)  | NO   | MUL | NULL                |                               |
| repository    | varchar(256) | NO   | MUL | NULL                |                               |
| tag           | varchar(128) | NO   |     | NULL                |                               |
| digest        | varchar(128) | YES  | MUL | NULL                |                               |
| job_uuid      | varchar(64)  | YES  | MUL | NULL                |                               |
| creation_time | timestamp    | NO   |     | current_timestamp() |                               |
| update_time   | timestamp    | NO   |     | current_timestamp() | on update current_timestamp() |
+---------------+--------------+------+-----+---------------------+-------------------------------+
8 rows in set (0.00 sec)

MariaDB [registry]> desc img_scan_overview;
+---------------------+---------------+------+-----+---------------------+-------------------------------+
| Field               | Type          | Null | Key | Default             | Extra                         |
+---------------------+---------------+------+-----+---------------------+-------------------------------+
| id                  | int(11)       | NO   | PRI | NULL                | auto_increment                |
| image_digest        | varchar(128)  | NO   | UNI | NULL                |                               |
| scan_job_id         | int(11)       | NO   |     | NULL                |                               |
| severity            | int(11)       | NO   |     | 0                   |                               |
| components_overview | varchar(2048) | YES  |     | NULL                |                               |
| details_key         | varchar(128)  | YES  |     | NULL                |                               |
| creation_time       | timestamp     | NO   |     | current_timestamp() |                               |
| update_time         | timestamp     | NO   |     | current_timestamp() | on update current_timestamp() |
+---------------------+---------------+------+-----+---------------------+-------------------------------+
8 rows in set (0.00 sec)

MariaDB [registry]>

Scan information and execution results

MariaDB [registry]> select * from img_scan_overview;
+----+-------------------------------------------------------------------------+-------------+----------+----------------------------------------------------+------------------------------------------------------------------+---------------------+---------------------+
| id | image_digest                                                            | scan_job_id | severity | components_overview                                | details_key                                                      | creation_time       | update_time         |
+----+-------------------------------------------------------------------------+-------------+----------+----------------------------------------------------+------------------------------------------------------------------+---------------------+---------------------+
|  1 | sha256:19fca0f4a812d0ba4ad89a4c345ce660ecc7c14c1ce9a9c12ac9db1ca62b4602 |           1 |        0 |                                                    |                                                                  | 2018-08-19 00:00:21 | 2018-08-19 00:00:21 |
|  2 | sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f |           2 |        1 | {"total":80,"summary":[{"severity":1,"count":80}]} | 6d33c67920b31f6dcea328762fe1a814de928a185d9397f61b15a278c17184f2 | 2018-08-19 03:16:33 | 2018-08-19 03:16:37 |
+----+-------------------------------------------------------------------------+-------------+----------+----------------------------------------------------+------------------------------------------------------------------+---------------------+---------------------+
2 rows in set (0.00 sec)

MariaDB [registry]> select * from img_scan_job;
+----+----------+-----------------+--------+-------------------------------------------------------------------------+--------------------------+---------------------+---------------------+
| id | status   | repository      | tag    | digest                                                                  | job_uuid                 | creation_time       | update_time         |
+----+----------+-----------------+--------+-------------------------------------------------------------------------+--------------------------+---------------------+---------------------+
|  1 | error    | library/busybox | latest | sha256:19fca0f4a812d0ba4ad89a4c345ce660ecc7c14c1ce9a9c12ac9db1ca62b4602 | 9ebbdf11f3436ac9ab82997b | 2018-08-19 00:00:21 | 2018-08-19 00:00:25 |
|  2 | finished | library/nginx   | latest | sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f | ba4a0eca48b096ae41db07cf | 2018-08-19 03:16:33 | 2018-08-19 03:16:37 |
+----+----------+-----------------+--------+-------------------------------------------------------------------------+--------------------------+---------------------+---------------------+
2 rows in set (0.00 sec)

MariaDB [registry]>
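As an added example (not code from the original post or from the Harbor project), the following Python script evaluates the rows shown above the way a policy check would: it joins img_scan_overview to img_scan_job, treats the errored busybox job (severity 0 with no components) as an unusable result rather than a clean one, parses components_overview, and reports namespaces in clair_vuln_timestamp whose CVE data is older than a day. The rows are embedded as constructed copies of the query output above; the severity scale (0 none, 1 unknown, 2 low, 3 medium, 4 high) and the "debian:9" namespace value are assumptions.

```python
import json
from datetime import datetime, timedelta

# Assumed Harbor 1.x scale for img_scan_overview.severity: 0 none, 1 unknown, 2 low, 3 medium, 4 high.
SEVERITY_NAMES = {0: "none", 1: "unknown", 2: "low", 3: "medium", 4: "high"}
TS = "%Y-%m-%d %H:%M:%S"  # timestamp format as printed by the MariaDB client

# Constructed rows copied from the img_scan_overview / img_scan_job output above.
OVERVIEW_ROWS = [
    {"id": 1, "scan_job_id": 1, "severity": 0, "components_overview": None,
     "image_digest": "sha256:19fca0f4a812d0ba4ad89a4c345ce660ecc7c14c1ce9a9c12ac9db1ca62b4602"},
    {"id": 2, "scan_job_id": 2, "severity": 1,
     "components_overview": '{"total":80,"summary":[{"severity":1,"count":80}]}',
     "image_digest": "sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f"},
]
JOB_ROWS = [
    {"id": 1, "status": "error", "repository": "library/busybox", "tag": "latest"},
    {"id": 2, "status": "finished", "repository": "library/nginx", "tag": "latest"},
]
# Constructed clair_vuln_timestamp row; the namespace value is a sample.
VULN_ROWS = [{"namespace": "debian:9", "last_update": "2018-08-19 03:10:00"}]


def summarize_components(row):
    """Turn the components_overview JSON into {severity name: component count}."""
    if not row["components_overview"]:
        return {}
    summary = json.loads(row["components_overview"])["summary"]
    return {SEVERITY_NAMES.get(s["severity"], "sev%d" % s["severity"]): s["count"]
            for s in summary}


def evaluate_scans(overview_rows, job_rows, max_allowed=2):
    """Join overview rows to their scan job; return (image, reason) findings.
    An errored job leaves an overview row with severity 0 and no components (the
    busybox row above); that 0 means "no result", not "clean", so it is flagged.
    """
    jobs = {j["id"]: j for j in job_rows}
    findings = []
    for row in overview_rows:
        job = jobs.get(row["scan_job_id"])
        name = "%s:%s" % (job["repository"], job["tag"]) if job else row["image_digest"]
        if job is None or job["status"] != "finished":
            status = job["status"] if job else "missing"
            findings.append((name, "scan job status %s, result unusable" % status))
        elif row["severity"] > max_allowed:
            findings.append((name, "severity %s above policy, components %s"
                             % (SEVERITY_NAMES[row["severity"]], summarize_components(row))))
    return findings


def stale_namespaces(vuln_rows, now, max_age=timedelta(days=1)):
    """Namespaces whose Clair CVE data is older than max_age at time `now` (a TS string)."""
    now_dt = datetime.strptime(now, TS)
    return [r["namespace"] for r in vuln_rows
            if now_dt - datetime.strptime(r["last_update"], TS) > max_age]


if __name__ == "__main__":
    for image, reason in evaluate_scans(OVERVIEW_ROWS, JOB_ROWS):
        print("FLAG", image, reason)
    print("stale CVE data:", stale_namespaces(VULN_ROWS, "2018-08-21 00:00:00"))
```

Against a live Harbor the same functions can be fed rows fetched from the registry database; the busybox row shows why a job status check must accompany the severity value.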
