Section 3: Clair
Overview
Clair is an API-based vulnerability scanner that detects known security vulnerabilities in the layers of open-source containers, which makes it easier to build services that continuously monitor containers and look for security vulnerabilities. Clair periodically collects vulnerability metadata from a number of sources, indexes container images, and exposes an API for retrieving the features discovered in an image. Whenever the vulnerability metadata is updated, users are notified, so newly disclosed vulnerabilities in previously scanned images are surfaced promptly. Clair also provides an API for querying the vulnerabilities of a specific container image.
Installation
1. Install the Clair environment on OpenShift
- Create the project
- Create the clairv4-postgres.yaml file with the contents shown below
- Run the command that creates the objects defined in clairv4-postgres.yaml
- Create the config.yaml file with the contents shown below
- Run the command that creates a secret from config.yaml
- Create the clair-combo.yaml file with the contents shown below
- Run the command that creates the objects defined in clair-combo.yaml
- Verify that the Clair and Postgres pods are running
The detailed commands for each step are as follows:
1.
$ oc new-project quay-enterprise
2.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: clairv4-postgres
  namespace: quay-enterprise
  labels:
    quay-component: clairv4-postgres
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-component: clairv4-postgres
  template:
    metadata:
      labels:
        quay-component: clairv4-postgres
    spec:
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: clairv4-postgres
      containers:
        - name: postgres
          image: postgres:11.5
          imagePullPolicy: "IfNotPresent"
          resources:
            limits:
              cpu: '2'
              memory: 6Gi
            requests:
              cpu: '1'
              memory: 4Gi
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_USER
              value: "postgres"
            - name: POSTGRES_DB
              value: "clair"
            - name: POSTGRES_PASSWORD
              value: "postgres"
            - name: PGDATA
              value: "/etc/postgres/data"
          volumeMounts:
            - name: postgres-data
              mountPath: "/etc/postgres"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: clairv4-postgres
  labels:
    quay-component: clairv4-postgres
spec:
  accessModes:
    - "ReadWriteOnce"
  resources:
    requests:
      storage: "10Gi"
  volumeName: "clairv4-postgres"
3.
$ oc create -f clairv4-postgres.yaml
$ oc expose deployment/clairv4-postgres
4.
introspection_addr: :8089
http_listen_addr: :8080
log_level: debug
indexer:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true
matcher:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  max_conn_pool: 100
  run: ""
  migrations: true
  indexer_addr: clair-indexer
notifier:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  delivery: 1m
  poll_interval: 5m
  migrations: true
5.
$ oc create secret generic clairv4-config-secret --from-file=./config.yaml
6.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    quay-component: clair-combo
  name: clair-combo
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-component: clair-combo
  template:
    metadata:
      labels:
        quay-component: clair-combo
    spec:
      containers:
        - image: quay.io/projectquay/clair:4.1.0
          imagePullPolicy: IfNotPresent
          name: clair-combo
          env:
            - name: CLAIR_CONF
              value: /clair/config.yaml
            - name: CLAIR_MODE
              value: combo
          ports:
            - containerPort: 8080
              name: clair-http
              protocol: TCP
            - containerPort: 8089
              name: clair-intro
              protocol: TCP
          volumeMounts:
            - mountPath: /clair/
              name: config
      imagePullSecrets:
        - name: redhat-pull-secret
      restartPolicy: Always
      volumes:
        - name: config
          secret:
            secretName: clairv4-config-secret
---
apiVersion: v1
kind: Service
metadata:
  name: clairv4
  labels:
    quay-component: clair-combo
spec:
  ports:
    - name: clair-http
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: clair-introspection
      port: 8089
      protocol: TCP
      targetPort: 8089
  selector:
    quay-component: clair-combo
  type: ClusterIP
7.
$ oc apply -f clair-combo.yaml
$ oc expose svc/clairv4
8.
$ oc get all
NAME                                   READY   STATUS    RESTARTS   AGE
pod/clair-combo-6754dcfd75-wwbt9       1/1     Running   0          34s
pod/clairv4-postgres-b9f679dc6-fhmcs   1/1     Running   0          2m51s

NAME                       TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)           AGE
service/clairv4            ClusterIP   10.217.4.159   <none>        80/TCP,8089/TCP   34s
service/clairv4-postgres   ClusterIP   10.217.5.64    <none>        5432/TCP          119s

NAME                               READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/clair-combo        1/1     1            1           34s
deployment.apps/clairv4-postgres   1/1     1            1           2m51s

NAME                                         DESIRED   CURRENT   READY   AGE
replicaset.apps/clair-combo-6754dcfd75       1         1         1       34s
replicaset.apps/clairv4-postgres-b9f679dc6   1         1         1       2m51s

NAME                               HOST/PORT                                                                    PATH   SERVICES   PORT         TERMINATION   WILDCARD
route.route.openshift.io/clairv4   clairv4-quay-enterprise.crc-dzk9v-master-0.crc.fa7bdknrdb3y.instruqt.io          clairv4    clair-http                 None
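The config.yaml from step 4 points all three Clair components (indexer, matcher, notifier) at Postgres with sslmode=disable and the same default password that the Deployment sets in POSTGRES_PASSWORD. The following added example, which is not Clair project code, audits a config of that shape for those two weaknesses and shows the hardened form of the connection string; its parser is written only for the two-level layout shown above, the sample config is constructed, and the caller supplies the replacement password (for instance from a mounted Secret).

```python
# Constructed sample with the same shape as the config.yaml in step 4.
SAMPLE_CONFIG = """\
indexer:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
matcher:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
notifier:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
"""

# libpq sslmode values below 'require' allow a plaintext fallback; 'prefer' is the default.
WEAK_SSLMODES = ("disable", "allow", "prefer")

def parse_sections(text):
    """Minimal parser for the two-level YAML above (not a general YAML parser)."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        if line.startswith(" "):   # indented line: key inside the current section
            sections[current][key.strip()] = value.strip()
        else:                      # top-level line: scalar value or start of a section
            current = key.strip()
            sections[current] = value.strip() or {}
    return sections

def parse_connstring(conn):
    """Split a libpq-style 'k=v k=v ...' string into a dict."""
    return dict(item.split("=", 1) for item in conn.split())

def audit(text, weak_passwords=("postgres",)):
    """Return (section, finding) pairs for every weak connstring in the config."""
    findings = []
    for name, body in parse_sections(text).items():
        if not isinstance(body, dict) or "connstring" not in body:
            continue
        params = parse_connstring(body["connstring"])
        if params.get("sslmode", "prefer") in WEAK_SSLMODES:
            findings.append((name, "database connection does not require TLS"))
        if params.get("password") in weak_passwords:
            findings.append((name, "default database password stored in the config"))
    return findings

def harden_connstring(conn, password):
    """Require TLS and replace the password with one supplied by the caller."""
    params = parse_connstring(conn)
    params["sslmode"] = "require"  # verify-full plus sslrootcert is stronger when a CA is available
    params["password"] = password
    return " ".join(f"{k}={v}" for k, v in params.items())
```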
Install the Clair client
Download the Clair client from https://github.com/quay/clair/releases.
$ curl -L https://github.com/quay/clair/releases/download/v4.3.5/clairctl-linux-amd64 -o ~/clairctl
$ chmod +x ~/clairctl
$ PATH=$PATH:~/