Harbor集成clair-镜像各层安全扫描工具

2024-04-17 11:58

本文主要是介绍Harbor集成clair-镜像各层安全扫描工具,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

Harbor:集成clair

Clair是CoreOS提供的一款根据CVE的信息确认镜像各层安全状况的开源工具,harbor集成了clair到其功能之中,这也是和其他同类工具相比一个突出的亮点,而在其集成的实现中,首先clair的功能依然是靠其官方镜像和postgres结合形成,而扫描之后的信息则通过harbor自身的数据库进行保存。

安装方式
在habor中集成clair的功能,方式非常简单,只需要在安装史指定with-clair选项即可

安装命令:sh install.sh –with-clair

而在harbor.cfg中与clair相关的设定信息如下:

设定项    说明    缺省值
clair_db_host    clair数据库host,HA方式需要指定外部地址    postgres
clair_db_password    数据库用户密码    password
clair_db_port    postgre服务端口    5432
clair_db    postgres数据库名    postgres
设定值使用如上缺省值,只是修改clair_db_password:password -> harbor-serverpw

[root@harbor-server harbor]# grep clair_db_password harbor.cfg
clair_db_password = harbor-serverpw
[root@harbor-server harbor]#
[root@harbor-server harbor]# ./prepare
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.163.128.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.163.128.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
The configuration files are ready, please use docker-compose to start the service.
[root@harbor-server harbor]#

安装

[root@harbor-server harbor]# sh install.sh --with-clair

[Step 0]: checking installation environment ...

Note: docker version: 1.13.1

Note: docker-compose version: 1.13.0

[Step 1]: loading Harbor images ...
Loaded image: vmware/registry-photon:v2.6.2-v1.5.2
Loaded image: vmware/photon:1.0
Loaded image: vmware/mariadb-photon:v1.5.2
Loaded image: vmware/harbor-log:v1.5.2
Loaded image: vmware/nginx-photon:v1.5.2
Loaded image: vmware/notary-signer-photon:v0.5.1-v1.5.2
Loaded image: vmware/postgresql-photon:v1.5.2
Loaded image: vmware/harbor-db:v1.5.2
Loaded image: vmware/harbor-jobservice:v1.5.2
Loaded image: vmware/clair-photon:v2.0.4-v1.5.2
Loaded image: vmware/harbor-adminserver:v1.5.2
Loaded image: vmware/harbor-ui:v1.5.2
Loaded image: vmware/redis-photon:v1.5.2
Loaded image: vmware/notary-server-photon:v0.5.1-v1.5.2
Loaded image: vmware/harbor-migrator:v1.5.0


[Step 2]: preparing environment ...
Clearing the configuration file: ./common/config/adminserver/env
Clearing the configuration file: ./common/config/ui/env
Clearing the configuration file: ./common/config/ui/app.conf
Clearing the configuration file: ./common/config/ui/private_key.pem
Clearing the configuration file: ./common/config/db/env
Clearing the configuration file: ./common/config/jobservice/env
Clearing the configuration file: ./common/config/jobservice/config.yml
Clearing the configuration file: ./common/config/registry/config.yml
Clearing the configuration file: ./common/config/registry/root.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.163.128.crt
Clearing the configuration file: ./common/config/nginx/cert/192.168.163.128.key
Clearing the configuration file: ./common/config/nginx/nginx.conf
Clearing the configuration file: ./common/config/log/logrotate.conf
loaded secret from file: /data/secretkey
Generated configuration file: ./common/config/nginx/nginx.conf
Generated configuration file: ./common/config/adminserver/env
Generated configuration file: ./common/config/ui/env
Generated configuration file: ./common/config/registry/config.yml
Generated configuration file: ./common/config/db/env
Generated configuration file: ./common/config/jobservice/env
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/log/logrotate.conf
Generated configuration file: ./common/config/jobservice/config.yml
Generated configuration file: ./common/config/ui/app.conf
Generated certificate, key file: ./common/config/ui/private_key.pem, cert file: ./common/config/registry/root.crt
Generated configuration file: ./common/config/clair/postgres_env
Generated configuration file: ./common/config/clair/config.yaml
Generated configuration file: ./common/config/clair/clair_env
The configuration files are ready, please use docker-compose to start the service.


[Step 3]: checking existing instance of Harbor ...


[Step 4]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating network "harbor_harbor-clair" with the default driver
Creating harbor-log ... 
Creating harbor-log ... done
Creating harbor-adminserver ... 
Creating registry ... 
Creating clair-db ... 
Creating harbor-db ... 
Creating redis ... 
Creating harbor-db
Creating harbor-adminserver
Creating clair-db
Creating registry
Creating redis ... done
Creating registry ... done
Creating clair
Creating harbor-ui ... 
Creating harbor-ui ... done
Creating harbor-jobservice ... 
Creating nginx ... 
Creating harbor-jobservice
Creating nginx ... done

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at https://192.168.163.128:8848. 
For more details, please visit https://github.com/vmware/harbor .

[root@harbor-server harbor]#

结果确认

[root@harbor-server harbor]# docker-compose -f docker-compose.clair.yml -f docker-compose.yml ps
       Name                     Command               State                                 Ports                               
-------------------------------------------------------------------------------------------------------------------------------
clair                /docker-entrypoint.sh            Up      6060/tcp, 6061/tcp                                                
clair-db             /entrypoint.sh postgres          Up      5432/tcp                                                          
harbor-adminserver   /harbor/start.sh                 Up                                                                        
harbor-db            /usr/local/bin/docker-entr ...   Up      3306/tcp                                                          
harbor-jobservice    /harbor/start.sh                 Up                                                                        
harbor-log           /bin/sh -c /usr/local/bin/ ...   Up      127.0.0.1:1514->10514/tcp                                         
harbor-ui            /harbor/start.sh                 Up                                                                        
nginx                nginx -g daemon off;             Up      0.0.0.0:8848->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp 
redis                docker-entrypoint.sh redis ...   Up      6379/tcp                                                          
registry             /entrypoint.sh serve /etc/ ...   Up      5000/tcp                                                          
[root@harbor-server harbor]# 

推送镜像
[root@harbor-server harbor]# docker login -uroot -pharbor-serverpw 192.168.163.128:8848
Error response from daemon: Get https://192.168.163.128:8848/v2/: unauthorized: authentication required
[root@harbor-server harbor]# 
[root@harbor-server harbor]# docker login -uadmin -pharbor-serverpw 192.168.163.128:8848
Login Succeeded
[root@harbor-server harbor]# docker pull nginx
Using default tag: latest
latest: Pulling from library/nginx
be8881be8156: Pull complete 
32d9726baeef: Pull complete 
87e5e6f71297: Pull complete 
Digest: sha256:d85914d547a6c92faa39ce7058bd7529baacab7e0cd4255442b04577c4d1f424
Status: Downloaded newer image for nginx:latest
[root@harbor-server harbor]# docker tag nginx 192.168.163.128:8848/library/nginx:latest
[root@harbor-server harbor]# docker push 192.168.163.128:8848/library/nginx:latest
The push refers to a repository [192.168.163.128:8848/library/nginx]
08d25fa0442e: Pushed 
a8c4aeeaa045: Pushed 
cdb3f9544e4c: Pushed 
latest: digest: sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f size: 948
[root@harbor-server harbor]# 

镜像扫描
前面提到admin是有权限进行镜像扫描的,通过UI可以看到刚刚推送的镜像还是Not Scanned的状态


选中并进行扫描可以看到当前最新的nginx镜像是没有严重CVE问题的


注意:clair的根本在于CVE的比对,所以自身的数据库数据的更新是非常重要的,就如同病毒库需要更新一样请同样注意clair本身的CVE数据相关的更新是否完成。

数据库相关
与clair扫描相关的数据库表主要有如下几个:

[root@harbor-server harbor]# docker exec -it harbor-db sh
sh-4.3# mysql -uroot -pharbor-serverpw
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 57
Server version: 10.2.14-MariaDB Source distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use registry
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [registry]> show tables;
+-------------------------------+
| Tables_in_registry            |
+-------------------------------+
| access                        |
| access_log                    |
| alembic_version               |
| clair_vuln_timestamp          |
| harbor_label                  |
| harbor_resource_label         |
| img_scan_job                  |
| img_scan_overview             |
| project                       |
| project_member                |
| project_metadata              |
| properties                    |
| replication_immediate_trigger |
| replication_job               |
| replication_policy            |
| replication_target            |
| repository                    |
| role                          |
| user                          |
| user_group                    |
+-------------------------------+
20 rows in set (0.00 sec)

MariaDB [registry]> desc clair_vuln_timestamp
    -> ;
+-------------+--------------+------+-----+---------------------+-------------------------------+
| Field       | Type         | Null | Key | Default             | Extra                         |
+-------------+--------------+------+-----+---------------------+-------------------------------+
| id          | int(11)      | NO   | PRI | NULL                | auto_increment                |
| namespace   | varchar(128) | NO   | UNI | NULL                |                               |
| last_update | timestamp    | NO   |     | current_timestamp() | on update current_timestamp() |
+-------------+--------------+------+-----+---------------------+-------------------------------+
3 rows in set (0.00 sec)

MariaDB [registry]> desc img_scan_job
    -> ;
+---------------+--------------+------+-----+---------------------+-------------------------------+
| Field         | Type         | Null | Key | Default             | Extra                         |
+---------------+--------------+------+-----+---------------------+-------------------------------+
| id            | int(11)      | NO   | PRI | NULL                | auto_increment                |
| status        | varchar(64)  | NO   | MUL | NULL                |                               |
| repository    | varchar(256) | NO   | MUL | NULL                |                               |
| tag           | varchar(128) | NO   |     | NULL                |                               |
| digest        | varchar(128) | YES  | MUL | NULL                |                               |
| job_uuid      | varchar(64)  | YES  | MUL | NULL                |                               |
| creation_time | timestamp    | NO   |     | current_timestamp() |                               |
| update_time   | timestamp    | NO   |     | current_timestamp() | on update current_timestamp() |
+---------------+--------------+------+-----+---------------------+-------------------------------+
8 rows in set (0.00 sec)

MariaDB [registry]> desc img_scan_overview;
+---------------------+---------------+------+-----+---------------------+-------------------------------+
| Field               | Type          | Null | Key | Default             | Extra                         |
+---------------------+---------------+------+-----+---------------------+-------------------------------+
| id                  | int(11)       | NO   | PRI | NULL                | auto_increment                |
| image_digest        | varchar(128)  | NO   | UNI | NULL                |                               |
| scan_job_id         | int(11)       | NO   |     | NULL                |                               |
| severity            | int(11)       | NO   |     | 0                   |                               |
| components_overview | varchar(2048) | YES  |     | NULL                |                               |
| details_key         | varchar(128)  | YES  |     | NULL                |                               |
| creation_time       | timestamp     | NO   |     | current_timestamp() |                               |
| update_time         | timestamp     | NO   |     | current_timestamp() | on update current_timestamp() |
+---------------------+---------------+------+-----+---------------------+-------------------------------+
8 rows in set (0.00 sec)

MariaDB [registry]> 

扫描信息和执行结果

MariaDB [registry]> select * from img_scan_overview;
+----+-------------------------------------------------------------------------+-------------+----------+----------------------------------------------------+------------------------------------------------------------------+---------------------+---------------------+
| id | image_digest                                                            | scan_job_id | severity | components_overview                                | details_key                                                      | creation_time       | update_time         |
+----+-------------------------------------------------------------------------+-------------+----------+----------------------------------------------------+------------------------------------------------------------------+---------------------+---------------------+
|  1 | sha256:19fca0f4a812d0ba4ad89a4c345ce660ecc7c14c1ce9a9c12ac9db1ca62b4602 |           1 |        0 |                                                    |                                                                  | 2018-08-19 00:00:21 | 2018-08-19 00:00:21 |
|  2 | sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f |           2 |        1 | {"total":80,"summary":[{"severity":1,"count":80}]} | 6d33c67920b31f6dcea328762fe1a814de928a185d9397f61b15a278c17184f2 | 2018-08-19 03:16:33 | 2018-08-19 03:16:37 |
+----+-------------------------------------------------------------------------+-------------+----------+----------------------------------------------------+------------------------------------------------------------------+---------------------+---------------------+
2 rows in set (0.00 sec)

MariaDB [registry]> select * from img_scan_job;
+----+----------+-----------------+--------+-------------------------------------------------------------------------+--------------------------+---------------------+---------------------+
| id | status   | repository      | tag    | digest                                                                  | job_uuid                 | creation_time       | update_time         |
+----+----------+-----------------+--------+-------------------------------------------------------------------------+--------------------------+---------------------+---------------------+
|  1 | error    | library/busybox | latest | sha256:19fca0f4a812d0ba4ad89a4c345ce660ecc7c14c1ce9a9c12ac9db1ca62b4602 | 9ebbdf11f3436ac9ab82997b | 2018-08-19 00:00:21 | 2018-08-19 00:00:25 |
|  2 | finished | library/nginx   | latest | sha256:2de9d5fc6585b3f330ff5f2c323d2a4006a49a476729bbc0910b695771526e3f | ba4a0eca48b096ae41db07cf | 2018-08-19 03:16:33 | 2018-08-19 03:16:37 |
+----+----------+-----------------+--------+-------------------------------------------------------------------------+--------------------------+---------------------+---------------------+
2 rows in set (0.00 sec)

MariaDB [registry]>


 

这篇关于Harbor集成clair-镜像各层安全扫描工具的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/911738

相关文章

高效录音转文字:2024年四大工具精选!

在快节奏的工作生活中,能够快速将录音转换成文字是一项非常实用的能力。特别是在需要记录会议纪要、讲座内容或者是采访素材的时候,一款优秀的在线录音转文字工具能派上大用场。以下推荐几个好用的录音转文字工具! 365在线转文字 直达链接:https://www.pdf365.cn/ 365在线转文字是一款提供在线录音转文字服务的工具,它以其高效、便捷的特点受到用户的青睐。用户无需下载安装任何软件,只

客户案例:安全海外中继助力知名家电企业化解海外通邮困境

1、客户背景 广东格兰仕集团有限公司(以下简称“格兰仕”),成立于1978年,是中国家电行业的领军企业之一。作为全球最大的微波炉生产基地,格兰仕拥有多项国际领先的家电制造技术,连续多年位列中国家电出口前列。格兰仕不仅注重业务的全球拓展,更重视业务流程的高效与顺畅,以确保在国际舞台上的竞争力。 2、需求痛点 随着格兰仕全球化战略的深入实施,其海外业务快速增长,电子邮件成为了关键的沟通工具。

安全管理体系化的智慧油站开源了。

AI视频监控平台简介 AI视频监控平台是一款功能强大且简单易用的实时算法视频监控系统。它的愿景是最底层打通各大芯片厂商相互间的壁垒,省去繁琐重复的适配流程,实现芯片、算法、应用的全流程组合,从而大大减少企业级应用约95%的开发成本。用户只需在界面上进行简单的操作,就可以实现全视频的接入及布控。摄像头管理模块用于多种终端设备、智能设备的接入及管理。平台支持包括摄像头等终端感知设备接入,为整个平台提

【区块链 + 人才服务】区块链集成开发平台 | FISCO BCOS应用案例

随着区块链技术的快速发展,越来越多的企业开始将其应用于实际业务中。然而,区块链技术的专业性使得其集成开发成为一项挑战。针对此,广东中创智慧科技有限公司基于国产开源联盟链 FISCO BCOS 推出了区块链集成开发平台。该平台基于区块链技术,提供一套全面的区块链开发工具和开发环境,支持开发者快速开发和部署区块链应用。此外,该平台还可以提供一套全面的区块链开发教程和文档,帮助开发者快速上手区块链开发。

2024网安周今日开幕,亚信安全亮相30城

2024年国家网络安全宣传周今天在广州拉开帷幕。今年网安周继续以“网络安全为人民,网络安全靠人民”为主题。2024年国家网络安全宣传周涵盖了1场开幕式、1场高峰论坛、5个重要活动、15场分论坛/座谈会/闭门会、6个主题日活动和网络安全“六进”活动。亚信安全出席2024年国家网络安全宣传周开幕式和主论坛,并将通过线下宣讲、创意科普、成果展示等多种形式,让广大民众看得懂、记得住安全知识,同时还

【Linux 从基础到进阶】Ansible自动化运维工具使用

Ansible自动化运维工具使用 Ansible 是一款开源的自动化运维工具,采用无代理架构(agentless),基于 SSH 连接进行管理,具有简单易用、灵活强大、可扩展性高等特点。它广泛用于服务器管理、应用部署、配置管理等任务。本文将介绍 Ansible 的安装、基本使用方法及一些实际运维场景中的应用,旨在帮助运维人员快速上手并熟练运用 Ansible。 1. Ansible的核心概念

超强的截图工具:PixPin

你是否还在为寻找一款功能强大、操作简便的截图工具而烦恼?市面上那么多工具,常常让人无从选择。今天,想给大家安利一款神器——PixPin,一款真正解放双手的截图工具。 想象一下,你只需要按下快捷键就能轻松完成多种截图任务,还能快速编辑、标注甚至保存多种格式的图片。这款工具能满足这些需求吗? PixPin不仅支持全屏、窗口、区域截图等基础功能,它还可以进行延时截图,让你捕捉到每个关键画面。不仅如此

【Kubernetes】K8s 的安全框架和用户认证

K8s 的安全框架和用户认证 1.Kubernetes 的安全框架1.1 认证:Authentication1.2 鉴权:Authorization1.3 准入控制:Admission Control 2.Kubernetes 的用户认证2.1 Kubernetes 的用户认证方式2.2 配置 Kubernetes 集群使用密码认证 Kubernetes 作为一个分布式的虚拟

【Shiro】Shiro 的学习教程(三)之 SpringBoot 集成 Shiro

目录 1、环境准备2、引入 Shiro3、实现认证、退出3.1、使用死数据实现3.2、引入数据库,添加注册功能后端代码前端代码 3.3、MD5、Salt 的认证流程 4.、实现授权4.1、基于角色授权4.2、基于资源授权 5、引入缓存5.1、EhCache 实现缓存5.2、集成 Redis 实现 Shiro 缓存 1、环境准备 新建一个 SpringBoot 工程,引入依赖:

PR曲线——一个更敏感的性能评估工具

在不均衡数据集的情况下,精确率-召回率(Precision-Recall, PR)曲线是一种非常有用的工具,因为它提供了比传统的ROC曲线更准确的性能评估。以下是PR曲线在不均衡数据情况下的一些作用: 关注少数类:在不均衡数据集中,少数类的样本数量远少于多数类。PR曲线通过关注少数类(通常是正类)的性能来弥补这一点,因为它直接评估模型在识别正类方面的能力。 精确率与召回率的平衡:精确率(Pr