欢迎来到starnight_cyber的博客

【译】如何使用docker-compose安装anchore

  如何使用docker-compose安装anchore,本篇译自Install with Docker Compose

Preface

  在本节中,您将学习如何启动和运行独立的Anchore引擎安装,以便与Docker Compose一起进行试用、演示和检查。

Requirements

  以下说明假设您使用的是运行Docker v1.12或更高版本的系统,以及至少支持Docker compose配置格式v2的Docker compose版本。

  独立安装将需要至少4GB的RAM和足够的可用磁盘空间来支持您要分析的最大容器映像(我们建议最大容器为映像大小3倍)。对于小的映像/测试(基本的Linux发行版映像、数据库映像等),5GB到10GB的磁盘空间应该足够。

本机环境

[root@localhost ~]# cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 
[root@localhost ~]# docker -v
Docker version 19.03.4, build 9013bf583a
[root@localhost ~]# docker-compose  -v
docker-compose version 1.24.1, build 4667896

安装使用步骤

设置安装路径

  创建用于存储配置文件的目录。

# mkdir ~/aevolume
# cd ~/aevolume

拷贝配置文件

  下载最新的Anchore引擎容器映像,其中包含部署所需的docker-compose.yaml和配置文件。

# docker pull docker.io/anchore/anchore-engine:latest

  接下来,将包含的docker-compose.yaml复制到~/aevolume/目录。

# docker create --name ae docker.io/anchore/anchore-engine:latest
# docker cp ae:/docker-compose.yaml ~/aevolume/docker-compose.yaml
# docker rm ae

  完成这些步骤后,~/aevolume/工作区现在应该如下所示:

# cd ~/aevolume
# find .
.
./docker-compose.yaml

下载和运行容器

  下载docker-compose.yaml中列出的容器,并使用docker compose cli运行整个安装程序。

  注意:默认情况下,所有服务(包括捆绑的数据库实例)都是暂时的,如果关闭/重新启动,数据将丢失。

# cd ~/aevolume              # 如果一直在这个~/aevolumn,可以不用切换
# docker-compose pull     # 拉取镜像
# docker-compose up -d       # 运行容器

验证服务可用性

  几分钟后(取决于系统速度),您的Anchore引擎服务应该启动并运行,准备使用。您可以验证容器是否与Docker合成一起运行。

刚启动

  如果立即查看状态,可以看到目前是处于启动状态starting...

[root@localhost aevolume]# docker-compose ps
             Name                            Command                       State                   Ports
-----------------------------------------------------------------------------------------------------------------
aevolume_anchore-db_1             docker-entrypoint.sh postgres    Up                      5432/tcp
aevolume_engine-analyzer_1        /docker-entrypoint.sh anch ...   Up (health: starting)   8228/tcp
aevolume_engine-api_1             /docker-entrypoint.sh anch ...   Up (health: starting)   0.0.0.0:8228->8228/tcp
aevolume_engine-catalog_1         /docker-entrypoint.sh anch ...   Up (health: starting)   8228/tcp
aevolume_engine-policy-engine_1   /docker-entrypoint.sh anch ...   Up (health: starting)   8228/tcp
aevolume_engine-simpleq_1         /docker-entrypoint.sh anch ...   Up (health: starting)   8228/tcp

启动完成

  启动完成之后的状态是Up (healthy)。

[root@localhost aevolume]# docker-compose ps
             Name                            Command                  State               Ports
--------------------------------------------------------------------------------------------------------
aevolume_anchore-db_1             docker-entrypoint.sh postgres    Up             5432/tcp
aevolume_engine-analyzer_1        /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp
aevolume_engine-api_1             /docker-entrypoint.sh anch ...   Up (healthy)   0.0.0.0:8228->8228/tcp
aevolume_engine-catalog_1         /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp
aevolume_engine-policy-engine_1   /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp
aevolume_engine-simpleq_1         /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp
[root@localhost aevolume]#

  如果提示unhealthy,那基本上是凉了,我在Ubuntu 18.10上装的时候提示unhealthy。

  可以运行命令以获取Anchore引擎服务的状态:

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli system status
Service policy_engine (anchore-quickstart, http://engine-policy-engine:8228): up
Service catalog (anchore-quickstart, http://engine-catalog:8228): up
Service analyzer (anchore-quickstart, http://engine-analyzer:8228): up
Service simplequeue (anchore-quickstart, http://engine-simpleq:8228): up
Service apiext (anchore-quickstart, http://engine-api:8228): up

Engine DB Version: 0.0.11
Engine Code Version: 0.5.1

【注1】第一次运行anchore引擎时,漏洞数据需要一些时间(10分钟以上,具体取决于网络速度)才能同步到引擎中。为了获得最佳体验,请等到核心漏洞数据馈送完成后再继续。您可以使用cli检查提要同步的状态:

【注2】国内连接可能有问题,如果获取到的结果为空[],说明“网络有问题”。

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli system feeds list
Feed                   Group                  LastSync                          RecordCount        
nvdv2                  nvdv2:cves             None                              0                  
vulnerabilities        alpine:3.10            2019-10-24T10:49:28.863794        1485               
vulnerabilities        alpine:3.3             2019-10-24T10:49:30.419939        457                
vulnerabilities        alpine:3.4             2019-10-24T10:49:31.636178        681                
vulnerabilities        alpine:3.5             2019-10-24T10:49:32.463535        875                
vulnerabilities        alpine:3.6             2019-10-24T10:49:34.712758        1051               
vulnerabilities        alpine:3.7             2019-10-24T10:49:35.736285        1253               
vulnerabilities        alpine:3.8             2019-10-24T10:49:36.873816        1335               
vulnerabilities        alpine:3.9             2019-10-24T10:49:40.829436        1428               
vulnerabilities        amzn:2                 2019-10-24T10:49:42.072979        232                
vulnerabilities        centos:5               2019-10-24T10:49:43.330519        1325               
vulnerabilities        centos:6               2019-10-24T10:49:44.793265        1357               
vulnerabilities        centos:7               2019-10-24T10:49:46.020503        905                
vulnerabilities        centos:8               2019-10-24T10:49:48.220903        78                 
vulnerabilities        debian:10              2019-10-24T10:49:49.230547        21389              
vulnerabilities        debian:11              2019-10-24T10:49:38.252045        18125              
vulnerabilities        debian:7               2019-10-24T10:49:39.583650        20455              
vulnerabilities        debian:8               2019-10-24T10:50:05.533995        22668              
vulnerabilities        debian:9               2019-10-24T10:49:50.416781        21553              
vulnerabilities        debian:unstable        2019-10-24T10:49:54.364496        22481              
vulnerabilities        ol:5                   2019-10-24T10:49:55.540285        1239               
vulnerabilities        ol:6                   2019-10-24T10:49:56.853690        1459               
vulnerabilities        ol:7                   2019-10-24T10:49:58.064640        1048               
vulnerabilities        ol:8                   2019-10-24T10:49:59.457818        71                 
vulnerabilities        ubuntu:12.04           2019-10-24T10:50:00.744212        14948              
vulnerabilities        ubuntu:12.10           2019-10-24T10:50:01.919411        5652               
vulnerabilities        ubuntu:13.04           2019-10-24T10:50:03.075236        4127               
vulnerabilities        ubuntu:14.04           2019-10-24T10:49:52.005554        19946              
vulnerabilities        ubuntu:14.10           2019-10-24T10:49:53.374428        4456               
vulnerabilities        ubuntu:15.04           2019-10-24T10:50:04.390020        5860               
vulnerabilities        ubuntu:15.10           2019-10-24T10:49:13.443607        6513               
vulnerabilities        ubuntu:16.04           2019-10-24T10:49:15.202243        17063              
vulnerabilities        ubuntu:16.10           2019-10-24T10:49:16.851464        8647               
vulnerabilities        ubuntu:17.04           2019-10-24T10:49:18.700772        9157               
vulnerabilities        ubuntu:17.10           2019-10-24T10:49:19.923028        7935               
vulnerabilities        ubuntu:18.04           2019-10-24T10:49:23.690570        11315              
vulnerabilities        ubuntu:18.10           2019-10-24T10:49:25.060819        8392               
vulnerabilities        ubuntu:19.04           2019-10-24T10:49:26.393018        7855               
vulnerabilities        ubuntu:19.10           2019-10-24T10:49:27.653338        6086

  一旦您看到所有漏洞组的记录计数值>0,系统即已完全填充并准备好显示漏洞结果。请注意,feed同步是增量的,因此下次启动anchore引擎时,它将立即就绪。cli工具包括一个有用的实用工具,它将一直阻止,直到feed成功完成同步:

【注】国内的情况,远远不止10分钟。

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli system wait
Starting checks to wait for anchore-engine to be available timeout=-1.0 interval=5.0
API availability: Checking anchore-engine URL (http://localhost:8228)...
API availability: Success.
Service availability: Checking for service set (catalog,apiext,policy_engine,simplequeue,analyzer)...
Service availability: Success.
Feed sync: Checking sync completion for feed set (vulnerabilities)...
Feed sync: Success.

使用Anchore

  开始使用anchore引擎服务来分析镜像。下面是一个简短的示例,它演示了添加容器镜像以进行分析、等待分析完成、然后对分析的镜像运行内容报告、漏洞扫描和策略评估的基本工作流。

添加镜像

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image add docker.io/library/debian:7
Image Digest: sha256:81e88820a7759038ffa61cff59dfcc12d3772c3a2e75b7cfe963c952da2ad264
Parent Digest: sha256:2259b099d947443e44bbd1c94967c785361af8fd22df48a08a3942e2d5630849
Analysis Status: analyzed
Image Type: docker
Analyzed At: 2019-10-24T08:51:47Z
Image ID: 10fcec6d95c4a29f49fa388ed39cded37e63a1532a081ae2386193942fc12e21
Dockerfile Mode: Guessed
Distro: debian
Distro Version: 7
Size: 100884480
Architecture: amd64
Layer Count: 1

Full Tag: docker.io/library/debian:7
Tag Detected At: 2019-10-24T08:50:36Z

分析镜像

  我这里是已经分析过的。

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image wait docker.io/library/debian:7
Image Digest: sha256:81e88820a7759038ffa61cff59dfcc12d3772c3a2e75b7cfe963c952da2ad264
Parent Digest: sha256:2259b099d947443e44bbd1c94967c785361af8fd22df48a08a3942e2d5630849
Analysis Status: analyzed      
Image Type: docker
Analyzed At: 2019-10-24T08:51:47Z
Image ID: 10fcec6d95c4a29f49fa388ed39cded37e63a1532a081ae2386193942fc12e21
Dockerfile Mode: Guessed
Distro: debian
Distro Version: 7
Size: 100884480
Architecture: amd64
Layer Count: 1

Full Tag: docker.io/library/debian:7
Tag Detected At: 2019-10-24T08:50:36Z

查看镜像信息

  可以使用如下命令:

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image content docker.io/library/debian:7 
os: available
files: available
npm: available
gem: available
python: available
java: available

  我们用os命令来查看操作系统信息:

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image content docker.io/library/debian:7 os
Package                       Version                      License                                                                                                                                                                                                                           
apt                           0.9.7.9+deb7u7               GPLv2+                                                                                                                                                                                                                            
base-files                    7.1wheezy11                  Unknown  
...

查看漏洞信息

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image vuln docker.io/library/debian:7 all 
Vulnerability ID        Package                                  Severity          Fix         CVE Refs        Vulnerability URL                                                 
CVE-2005-2541           tar-1.26+dfsg-0.1+deb7u1                 Negligible        None                        https://security-tracker.debian.org/tracker/CVE-2005-2541         
CVE-2007-5686           login-1:4.1.5.1-1+deb7u1                 Negligible        None                        https://security-tracker.debian.org/tracker/CVE-2007-5686         
CVE-2007-5686           passwd-1:4.1.5.1-1+deb7u1                Negligible        None                        https://security-tracker.debian.org/tracker/CVE-2007-5686         
CVE-2007-6755           libssl1.0.0-1.0.1t-1+deb7u4              Negligible        None                        https://security-tracker.debian.org/tracker/CVE-2007-6755       
...

评估镜像

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli evaluate check docker.io/library/debian:7
Image Digest: sha256:81e88820a7759038ffa61cff59dfcc12d3772c3a2e75b7cfe963c952da2ad264
Full Tag: docker.io/library/debian:7
Status: pass                  # 镜像检测通过
Last Eval: 2019-10-24T11:01:03Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060

  注意:本文档旨在作为快速入门指南。在与Anchore进一步探讨扫描、策略评估、镜像内容报告、CI/CD集成和其他功能之前,强烈建议您通过阅读概述部分来加深对基本原理、概念和正确使用的理解,从而提高学习水平。

测试nginx

  我们可按前述步骤对其它镜像进行测试,我们选取一个旧版本nginx:1.11.1。

[root@localhost aevolume]# docker pull nginx:1.11.1    # 拉取镜像
[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image add nginx:1.11.1    # 添加分析
Image Digest: sha256:0fe6413f3e30fcc5920bc8fa769280975b10b1c26721de956e1428b9e2f29d04
Parent Digest: sha256:0fe6413f3e30fcc5920bc8fa769280975b10b1c26721de956e1428b9e2f29d04
Analysis Status: analyzed
Image Type: docker
Analyzed At: 2019-10-24T11:36:55Z
Image ID: 0d409d33b27e47423b049f7f863faa08655a8c901749c2b25b93ca67d01a470d
Dockerfile Mode: Guessed
Distro: debian
Distro Version: 8
Size: 200519680
Architecture: amd64
Layer Count: 8

Full Tag: docker.io/nginx:1.11.1
Tag Detected At: 2019-10-24T11:34:48Z
[root@localhost aevolume]# docker-compose exec engine-api anchore-cli evaluate check nginx:1.11.1
Image Digest: sha256:0fe6413f3e30fcc5920bc8fa769280975b10b1c26721de956e1428b9e2f29d04
Full Tag: docker.io/nginx:1.11.1
Status: pass       # 检测通过
Last Eval: 2019-10-24T11:53:40Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060

# 因为漏洞比较多,很多可忽略的Negligible和未知Unknown漏洞,我们直接正则过滤
[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image vuln nginx:1.11.1 all | grep High
[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image vuln nginx:1.11.1 all | grep Medium
[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image vuln nginx:1.11.1 all | grep Low
CVE-2018-0739           libssl1.0.0-1.0.1k-3+deb8u5                      Low               1.0.1t-1+deb8u8                              https://security-tracker.debian.org/tracker/CVE-2018-0739           
CVE-2018-0739           openssl-1.0.1k-3+deb8u5                          Low               1.0.1t-1+deb8u8                              https://security-tracker.debian.org/tracker/CVE-2018-0739

  发现只有两个低危Low漏洞,因此检测通过。

  但总感觉不对... nginx:1.11.1自身存在很多漏洞,绝对不止两个低危漏洞的。

posted @ 2019-10-24 19:06  starnight_cyber  阅读(1185)  评论(0编辑  收藏  举报