Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 3. Setting up Clair on standalone Red Hat Quay deployments

For standalone Red Hat Quay deployments, you can set up Clair manually.

Procedure

  1. In your Red Hat Quay installation directory, create a new directory for the Clair database data: 

    $ mkdir /home/<user-name>/quay-poc/postgres-clairv4
    Copy to Clipboard Toggle word wrap

  2. Set the appropriate permissions for the postgres-clairv4 file by entering the following command: 

    $ setfacl -m u:26:-wx /home/<user-name>/quay-poc/postgres-clairv4
    Copy to Clipboard Toggle word wrap

  3. Deploy a Clair PostgreSQL database by entering the following command: 

    $ sudo podman run -d --name postgresql-clairv4 \
  -e POSTGRESQL_USER=clairuser \
  -e POSTGRESQL_PASSWORD=clairpass \
  -e POSTGRESQL_DATABASE=clair \
  -e POSTGRESQL_ADMIN_PASSWORD=adminpass \
  -p 5433:5432 \
  -v /home/<user-name>/quay-poc/postgres-clairv4:/var/lib/pgsql/data:Z \
  registry.redhat.io/rhel8/postgresql-15
    Copy to Clipboard Toggle word wrap

  4. Install the PostgreSQL uuid-ossp module for your Clair deployment: 

    $ sudo podman exec -it postgresql-clairv4 /bin/bash -c 'echo "CREATE EXTENSION IF NOT EXISTS \"uuid-ossp\"" | psql -d clair -U postgres'
    Copy to Clipboard Toggle word wrap

    Example output

    CREATE EXTENSION
    Copy to Clipboard Toggle word wrap

    Note

    Clair requires the uuid-ossp extension to be added to its PostgreSQL database. For users with proper privileges, creating the extension will automatically be added by Clair. If users do not have the proper privileges, the extension must be added before start Clair.

    If the extension is not present, the following error will be displayed when Clair attempts to start: ERROR: Please load the "uuid-ossp" extension. (SQLSTATE 42501).

  5. Stop the Quay container if it is running and restart it in configuration mode, loading the existing configuration as a volume: 

    $ sudo podman run --rm -it --name quay_config \
  -p 80:8080 -p 443:8443 \
  -v $QUAY/config:/conf/stack:Z \
  registry.redhat.io/quay/quay-rhel8:v3.14.4 config secret
    Copy to Clipboard Toggle word wrap
  6. Log in to the configuration tool and click Enable Security Scanning in the Security Scanner section of the UI.
  7. Set the HTTP endpoint for Clair using a port that is not already in use on the quay-server system, for example, 8081.

  8. Create a pre-shared key (PSK) using the Generate PSK button.

    Security Scanner UI

    Security Scanner

  9. Validate and download the config.yaml file for Red Hat Quay, and then stop the Quay container that is running the configuration editor.

  10. Extract the new configuration bundle into your Red Hat Quay installation directory, for example: 

    $ tar xvf quay-config.tar.gz -d /home/<user-name>/quay-poc/
    Copy to Clipboard Toggle word wrap

  11. Create a folder for your Clair configuration file, for example: 

    $ mkdir /etc/opt/clairv4/config/
    Copy to Clipboard Toggle word wrap

  12. Change into the Clair configuration folder: 

    $ cd /etc/opt/clairv4/config/
    Copy to Clipboard Toggle word wrap

  13. Create a Clair configuration file, for example: 

    http_listen_addr: :8081
introspection_addr: :8088
log_level: debug
indexer:
  connstring: host=quay-server.example.com port=5433 dbname=clair user=clairuser password=clairpass sslmode=disable
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true
matcher:
  connstring: host=quay-server.example.com port=5433 dbname=clair user=clairuser password=clairpass sslmode=disable
  max_conn_pool: 100
  migrations: true
  indexer_addr: clair-indexer
notifier:
  connstring: host=quay-server.example.com port=5433 dbname=clair user=clairuser password=clairpass sslmode=disable
  delivery_interval: 1m
  poll_interval: 5m
  migrations: true
auth:
  psk:
    key: "MTU5YzA4Y2ZkNzJoMQ=="
    iss: ["quay"]
# tracing and metrics
trace:
  name: "jaeger"
  probability: 1
  jaeger:
    agent:
      endpoint: "localhost:6831"
    service_name: "clair"
metrics:
  name: "prometheus"
    Copy to Clipboard Toggle word wrap

    For more information about Clair’s configuration format, see Clair configuration reference.

  14. Start Clair by using the container image, mounting in the configuration from the file you created: 

    $ sudo podman run -d --name clairv4 \
-p 8081:8081 -p 8088:8088 \
-e CLAIR_CONF=/clair/config.yaml \
-e CLAIR_MODE=combo \
-v /etc/opt/clairv4/config:/clair:Z \
registry.redhat.io/quay/clair-rhel8:v3.14.4
    Copy to Clipboard Toggle word wrap
    Note

    Running multiple Clair containers is also possible, but for deployment scenarios beyond a single container the use of a container orchestrator like Kubernetes or OpenShift Container Platform is strongly recommended.

3.1. Upgrading the Clair PostgreSQL database
Copier lien

If you are upgrading Red Hat Quay to version 13, you must migrate your Clair PostgreSQL database version from PostgreSQL version 13 version 15. This requires bringing down your Clair PostgreSQL 13 database and running a migration script to initiate the process.

Use the following procedure to upgrade your Clair PostgreSQL database from version 13 to version 15.

Important

Clair security scans might become temporarily disrupted after the migration procedure has succeeded.

Procedure

  1. Stop the Red Hat Quay container by entering the following command: 

    $ sudo podman stop <quay_container_name>
    Copy to Clipboard Toggle word wrap

  2. Stop the Clair container by running the following command: 

    $ sudo podman stop <clair_container_id>
    Copy to Clipboard Toggle word wrap

  3. Run the following Podman process from SCLOrg’s Data Migration procedure, which allows for data migration from a remote PostgreSQL server: 

    $ sudo podman run -d --name <clair_migration_postgresql_database>
    1 
    
  -e POSTGRESQL_MIGRATION_REMOTE_HOST=<container_ip_address> \
    2 
    
  -e POSTGRESQL_MIGRATION_ADMIN_PASSWORD=remoteAdminP@ssword \
  -v </host/data/directory:/var/lib/pgsql/data:Z> \
    3 
    
  [ OPTIONAL_CONFIGURATION_VARIABLES ]
  registry.redhat.io/rhel8/postgresql-15
    Copy to Clipboard Toggle word wrap
    1
    Insert a name for your Clair PostgreSQL 15 migration database.
    2
    Your new Clair PostgreSQL 15 database container IP address. Can obtained by running the following command: sudo podman inspect -f "{{.NetworkSettings.IPAddress}}" postgresql-quay.
    3
    You must specify a different volume mount point than the one from your initial Clair PostgreSQL 13 deployment, and modify the access control lists for said directory. For example: 
    $ mkdir -p /host/data/clair-postgresql15-directory
    Copy to Clipboard Toggle word wrap 
    $ setfacl -m u:26:-wx /host/data/clair-postgresql15-directory
    Copy to Clipboard Toggle word wrap

    This prevents data from being overwritten by the new container.

  4. Stop the Clair PostgreSQL 13 container: 

    $ sudo podman stop <clair_postgresql13_container_name>
    Copy to Clipboard Toggle word wrap

  5. After completing the PostgreSQL migration, run the Clair PostgreSQL 15 container, using the new data volume mount from Step 3, for example, </host/data/clair-postgresql15-directory:/var/lib/postgresql/data>: 

    $ sudo podman run -d --rm --name <postgresql15-clairv4> \
  -e POSTGRESQL_USER=<clair_username> \
  -e POSTGRESQL_PASSWORD=<clair_password> \
  -e POSTGRESQL_DATABASE=<clair_database_name> \
  -e POSTGRESQL_ADMIN_PASSWORD=<admin_password> \
  -p 5433:5432 \
  -v </host/data/clair-postgresql15-directory:/var/lib/postgresql/data:Z> \
    registry.redhat.io/rhel8/postgresql-15
    Copy to Clipboard Toggle word wrap

  6. Start the Red Hat Quay container by entering the following command: 

    $ sudo podman run -d --rm -p 80:8080 -p 443:8443 --name=quay \
-v /home/<quay_user>/quay-poc/config:/conf/stack:Z \
-v /home/<quay_user>/quay-poc/storage:/datastorage:Z \
{productrepo}/{quayimage}:{productminv}
    Copy to Clipboard Toggle word wrap

  7. Start the Clair container by entering the following command: 

    $ sudo podman run -d --name clairv4 \
-p 8081:8081 -p 8088:8088 \
-e CLAIR_CONF=/clair/config.yaml \
-e CLAIR_MODE=combo \
registry.redhat.io/quay/clair-rhel8:{productminv}
    Copy to Clipboard Toggle word wrap

For more information, see Data Migration.

3.2. Using Clair with an upstream image for Red Hat Quay
Copier lien

For most users, independent upgrades of Clair from the current version (4.8) are unnecessary. In some cases, however, customers might want to pull an image of Clair from the upstream repository for various reasons, such as for specific bug fixes or to try new features that have not yet been released downstream. You can use the following procedure to run an upstream version of Clair with Red Hat Quay.

Important

Upstream versions of Clair have not been fully tested for compatibility with Red Hat Quay. As a result, this combination might cause issues with your deployment.

Procedure

  1. Enter the following command to stop Clair if it is running: 

    $ podman stop <clairv4_container_name>
    Copy to Clipboard Toggle word wrap

  2. Navigate to the upstream repository, find the version of Clair that you want to use, and pull it to your local machine. For example: 

    $ podman pull quay.io/projectquay/clair:nightly-2024-02-03
    Copy to Clipboard Toggle word wrap

  3. Start Clair by using the container image, mounting in the configuration from the file you created: 

    $ podman run -d --name clairv4 \
-p 8081:8081 -p 8088:8088 \
-e CLAIR_CONF=/clair/config.yaml \
-e CLAIR_MODE=combo \
-v /etc/opt/clairv4/config:/clair:Z \
quay.io/projectquay/clair:nightly-2024-02-03
    Copy to Clipboard Toggle word wrap
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat