Clair镜像扫描社区版持续探索
Clair地址
https://github.com/quay/clair/blob/master/Documentation/running-clair.md
claricli地址
https://github.com/joelee2012/claircli
-
安装配置
mkdir $PWD/clair_config curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o $PWD/clair_config/config.yaml docker run -d -e POSTGRES_PASSWORD="" -p 5432:5432 postgres docker run --net=host -d -p 6060-6061:6060-6061 -v $PWD/clair_config:/config quay.io/coreos/clair:latest -config=/config/config.yaml
启动后clair会下载漏洞库然后放到postgres数据库中。需要等待一段时间,fetching结束
[root@mirror ~]# docker logs -f 0a4aa93eb96b {"Event":"running database migrations","Level":"info","Location":"pgsql.go:216","Time":"2020-01-27 07:48:23.835691"} {"Event":"database migration ran successfully","Level":"info","Location":"pgsql.go:223","Time":"2020-01-27 07:48:23.840739"} {"Event":"notifier service is disabled","Level":"info","Location":"notifier.go:77","Time":"2020-01-27 07:48:23.840913"} {"Event":"starting main API","Level":"info","Location":"api.go:52","Time":"2020-01-27 07:48:23.840946","port":6060} {"Event":"starting health API","Level":"info","Location":"api.go:85","Time":"2020-01-27 07:48:23.841310","port":6061} {"Event":"updater service started","Level":"info","Location":"updater.go:83","Time":"2020-01-27 07:48:23.841383","lock identifier":"07fb180b-49f7-4f40-80ca-013b6587807a"} {"Event":"Handled HTTP request","Level":"info","Location":"router.go:57","Time":"2020-01-27 07:50:09.745914","elapsed time":361665425,"method":"DELETE","remote addr":"192.168.56.108:56760","request uri":"/v1/layers/sha256:bc9ab73e5b14b9fbd3687a4d8c1f1360533d6ee9ffc3f5ecc6630794b40257b7","status":"404"} {"Event":"failed to write response","Level":"warning","Location":"routes.go:94","Time":"2020-01-27 07:54:46.354907","error":"http: Handler timeout"} {"Event":"Handled HTTP request","Level":"info","Location":"router.go:57","Time":"2020-01-27 07:54:46.354942","elapsed time":276604498860,"method":"POST","remote addr":"192.168.56.108:56762","request uri":"/v1/layers","status":"201"} {"Event":"updating vulnerabilities","Level":"info","Location":"updater.go:192","Time":"2020-01-27 07:55:54.897757"} {"Event":"fetching vulnerability updates","Level":"info","Location":"updater.go:239","Time":"2020-01-27 07:55:54.897791"} {"Event":"Start fetching vulnerabilities","Level":"info","Location":"ubuntu.go:85","Time":"2020-01-27 07:55:54.897816","package":"Ubuntu"} {"Event":"Start fetching vulnerabilities","Level":"info","Location":"alpine.go:52","Time":"2020-01-27 07:55:54.921575","package":"Alpine"} {"Event":"Start fetching vulnerabilities","Level":"info","Location":"debian.go:63","Time":"2020-01-27 07:55:54.943595","package":"Debian"} {"Event":"Start fetching vulnerabilities","Level":"info","Location":"oracle.go:119","Time":"2020-01-27 07:55:54.944000","package":"Oracle Linux"} {"Event":"Start fetching vulnerabilities","Level":"info","Location":"rhel.go:92","Time":"2020-01-27 07:55:54.944082","package":"RHEL"} {"Event":"finished fetching","Level":"info","Location":"updater.go:253","Time":"2020-01-27 07:56:25.455733","updater name":"alpine"} {"Event":"finished fetching","Level":"info","Location":"updater.go:253","Time":"2020-01-27 07:57:55.854087","updater name":"rhel"} {"Event":"could not unmarshal Debian's JSON","Level":"error","Location":"debian.go:115","Time":"2020-01-27 08:01:06.093947","error":"read tcp 10.0.3.15:34708-\u003e23.111.9.35:443: read: connection reset by peer"} {"Event":"an error occured when fetching update","Level":"error","Location":"updater.go:246","Time":"2020-01-27 08:01:06.094057","error":"updater/fetchers: could not parse","updater name":"debian"}
-
安装claircli
curl "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py" python get-pip.py pip install claircli
-
扫描
[root@mirror images]# claircli -c http://mirror.redhat.ren:6060 docker.io/debian:9.5 2020-01-27 15:28:12,685|INFO|*****************************1****************************** 2020-01-27 15:28:12,686|INFO|Analyzing <Image: docker.io/debian:9.5> 2020-01-27 15:28:17,951|INFO|Push layer [1/1]: sha256:bc9ab73e5b14b9fbd3687a4d8c1f1360533d6ee9ffc3f5ecc6630794b40257b7 2020-01-27 15:28:47,134|INFO|Fetch vulnerabilities for <Image: docker.io/debian:9.5> 2020-01-27 15:28:47,207|INFO|Defcon1 : 0 2020-01-27 15:28:47,207|INFO|Critical : 0 2020-01-27 15:28:47,208|INFO|High : 0 2020-01-27 15:28:47,208|INFO|Medium : 0 2020-01-27 15:28:47,208|WARNING|Low : 26 2020-01-27 15:28:47,208|WARNING|Negligible : 42 2020-01-27 15:28:47,208|WARNING|Unknown : 30 2020-01-27 15:28:47,208|INFO|Generate html report for docker.io/debian:9.5 2020-01-27 15:28:47,265|INFO|Location: /root/images/clair-docker.io_debian_9.5.html 2020-01-27 15:28:47,265|INFO|============================================================ 2020-01-27 15:28:47,265|INFO| CLAIR ANALYSIS REPORTS: (1) IN TOTAL 2020-01-27 15:28:47,265|INFO|============================================================ 2020-01-27 15:28:47,266|ERROR|IMAGES WITH DETECTED VULNERABILITIES (1) 2020-01-27 15:28:47,266|ERROR|docker.io/debian:9.5
会在当前目录生成一个html文件,打开文件是一个报告。
-
离线扫描
在线环境下把数据都下载好,然后备份和恢复postgres数据库(在离线环境的postgres中)
pg_dump -h localhost -U postgres postgres > postgres.data
#基于docker cp 把data文件拷贝出来,然后拷贝到目的的容器中
#恢复数据
psql -h localhost -U postgres -d postgres < /postgres.data
root@db9486caa384:/# psql -h localhost -U postgres -d postgres < /postgres.data SET SET SET SET SET set_config ------------ (1 row) SET SET SET SET CREATE TYPE ALTER TYPE CREATE TYPE ALTER TYPE SET SET CREATE TABLE ALTER TABLE ......
启动clair如常
docker run --net=host -d -p 6060-6061:6060-6061 -v $PWD/clair_config:/config quay.io/coreos/clair:latest -config=/config/config.yaml
然后扫描本地镜像
[root@mirror ~]# claircli -c http://mirror.redhat.ren:6060 -l 192.168.56.108 mirror.redhat.ren/admin/tomcat:latest 2020-01-28 21:04:37,389|INFO|Starting local http server 2020-01-28 21:04:37,424|INFO|Local http server serving at port: 14314 2020-01-28 21:04:37,426|INFO|*****************************1****************************** 2020-01-28 21:04:37,426|INFO|Analyzing <Image: mirror.redhat.ren/admin/tomcat:latest> 2020-01-28 21:05:09,241|INFO|Push layer [1/11]: 8693c46878e0d0517532d9b1ea31ffbc23ba701c43ebf82d9ecd138cf898f487 2020-01-28 21:05:09,743|INFO|Push layer [2/11]: 9d69425a0fe81b1ce88b04e3ca63679c8f1646fb3a13f55787e9c88c115c07ae 2020-01-28 21:05:09,846|INFO|Push layer [3/11]: b4a98f921e2418946eaab03f3812ca01f5fbd52b69a31952cf0922a5160f805b 2020-01-28 21:05:09,897|INFO|Push layer [4/11]: fa5f03c842d20196817bc410ad55ba16c8a110167c68b12566e4d573d7dc5a1a 2020-01-28 21:05:09,923|INFO|Push layer [5/11]: 16a4d2a6a17d1ae4dea154f4b5e3963cc44d692d557b870807234183ee001750 2020-01-28 21:05:12,215|INFO|Push layer [6/11]: b2c0ffaebb919d289598e78efafe118d4bb8127ffac833d5e27ca34375f4689d 2020-01-28 21:05:12,260|INFO|Push layer [7/11]: 4ef4bec3c7a09988cc2dc25fc8e745b81e1449794e35287dcd0d64ce8575b3b2 2020-01-28 21:05:12,292|INFO|Push layer [8/11]: c444b941df6cf078379bbc2c81a1ba58a1adb941a7fe3a4767fa08b8ff412903 2020-01-28 21:05:12,329|INFO|Push layer [9/11]: 45e5acc6a43952d622274e904ae4596d7af3218c5ba196c986b66809096a8869 2020-01-28 21:05:12,362|INFO|Push layer [10/11]: 0d31824d0cfc60d1fe9ee262c9dbafd192dc153c1279faba1b9a04c36620f550 2020-01-28 21:05:12,866|INFO|Push layer [11/11]: 33b14cc3bdef0ae89a9eecd7d9cfd7e1ba294a0206c36dbd311b2efc74aa0072 2020-01-28 21:05:12,886|INFO|Fetch vulnerabilities for <Image: mirror.redhat.ren/admin/tomcat:latest> 2020-01-28 21:05:12,912|INFO|Defcon1 : 0 2020-01-28 21:05:12,912|INFO|Critical : 0 2020-01-28 21:05:12,912|INFO|High : 0 2020-01-28 21:05:12,912|INFO|Medium : 0 2020-01-28 21:05:12,912|WARNING|Low : 30 2020-01-28 21:05:12,912|WARNING|Negligible : 65 2020-01-28 21:05:12,912|WARNING|Unknown : 90 2020-01-28 21:05:12,913|INFO|Generate html report for mirror.redhat.ren/admin/tomcat:latest 2020-01-28 21:05:13,127|INFO|Location: /root/clair-mirror.redhat.ren_admin_tomcat_latest.html 2020-01-28 21:05:13,158|INFO|============================================================ 2020-01-28 21:05:13,158|INFO| CLAIR ANALYSIS REPORTS: (1) IN TOTAL 2020-01-28 21:05:13,158|INFO|============================================================ 2020-01-28 21:05:13,158|ERROR|IMAGES WITH DETECTED VULNERABILITIES (1) 2020-01-28 21:05:13,158|ERROR|mirror.redhat.ren/admin/tomcat:latest
扫描私有镜像库暂时还有点问题,需要继续研究。
