4.2. Add Clair image scanning to Red Hat Quay


Setting up and deploying Clair image scanning for your Red Hat Quay deployment requires the following basic steps:

  • Setting up a database for Clair
  • Creating authentication keys for Clair
  • Deploying Clair

The following procedure assumes you already have a running Red Hat Quay cluster on an OpenShift platform with the Red Hat Quay Setup container running in your browser:

  1. Create the Clair database: This example configures a PostgreSQL database for use with the Clair image scanner. With the YAML files in the current directory, review them for any modifications you need, then run the following:

    $ oc create -f postgres-clair-storage.yaml
    $ oc create -f postgres-clair-deployment.yaml
    $ oc create -f postgres-clair-service.yaml
  2. Check Clair database objects: To view the Clair database objects, type:

    $ oc get all | grep -i clair
    pod/postgres-clair-xxxxxxxxx-xxxx 1/1      Running       0                     3m45s
    deployment.apps/postgres-clair    1/1      1             1                     3m45s
    service/postgres-clair            NodePort 172.30.193.64 <none> 5432:30680/TCP 159m
    replicaset.apps/postgres-clair-xx 1        1             1                     3m45s

    The output shows that the postgres-clair pod is running, postgres-clair was successfully deployed, the postgres-clair service is available on the address and port shown, and 1 replica set of postgres-clair is active.

  3. Open the Red Hat Quay Setup UI: Reload the Red Hat Quay Setup UI and select "Modify configuration for this cluster."
  4. Enable Security Scanning: Scroll to the Security Scanner section and select the "Enable Security Scanning" checkbox. From the fields that appear you need to create an authentication key and enter the security scanner endpoint. Here’s how:

    • Generate key: Click "Create Key" and then type a name for the Clair private key and an optional expiration date (if blank, the key never expires). Then select Generate Key.
    • Copy the Clair key and PEM file: Save the Key ID (to a notepad or similar) and download a copy of the Private Key PEM file (named security_scanner.pem) by selecting "Download Private Key" (if you lose this key, you will need to generate a new one).
  5. Modify clair-config.yaml: Return to the shell and the directory holding your yaml files. Edit the clair-config.yaml file and modify the following values:

    • database.options.source: Make sure the host, port, dbname, user, password, and ssl mode match the values you set when you created the postgres database for Clair.
    • key_id: Search for KEY_ID_HERE in this file and replace it with the contents of the key you generated from the Red Hat Quay Setup screen in the Security Scanner section (security_scanner.pem file).
    • private_key_path: Identify the full path to the security_scanner.pem file you saved earlier.
  6. Create the Clair config secret and service: Run the following commands, identifying the paths to your clair-config.yaml and security_scanner.pem files.

    $ oc create secret generic clair-scanner-config-secret \
       --from-file=config.yaml=/path/to/clair-config.yaml \
       --from-file=security_scanner.pem=/path/to/security_scanner.pem
    $ oc create -f clair-service.yaml
    $ oc create -f clair-deployment.yaml
  7. Get the clair-service endpoint: In this example, the endpoint of clair-service would be http://172.30.133.227:6060:

    $ oc get service clair-service
    NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
    clair-service   ClusterIP   172.30.133.227   <none>        6060/TCP,6061/TCP   76s
  8. Enter Security Scanner Endpoint: Return to the Red Hat Quay Setup screen and fill in the clair-service endpoint. For example, http://clair-service:6060
  9. Deploy configuration: Select to save the configuration, then deploy it when prompted.

A green check mark will appear on the screen when the deployment is done. You can now start using Clair image scanning with Red Hat Quay. For information on the data sources available with the Clair image scanner, see Using Clair data sources.
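
A pre-flight check that can be run between steps 5 and 6, before the secret is created. This is an added example, not part of the Red Hat procedure: the function name preflight_clair is hypothetical, and it assumes the downloaded file is a PEM-encoded private key and that clair-config.yaml uses the key names mentioned in step 5.

```shell
#!/bin/sh
# Added example (not Red Hat's code): pre-flight checks for steps 5 and 6.
# Usage: sh clair-preflight.sh /path/to/clair-config.yaml /path/to/security_scanner.pem

preflight_clair() {
    cfg=$1 pem=$2 rc=0
    for f in "$cfg" "$pem"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 2; }
    done

    # Step 5: the KEY_ID_HERE placeholder must have been replaced.
    if grep -q 'KEY_ID_HERE' "$cfg"; then
        echo "FAIL: KEY_ID_HERE placeholder still present in $cfg" >&2; rc=1
    fi

    # Step 5: the two settings the procedure names must be present and non-empty.
    for key in key_id private_key_path; do
        grep -Eq "^[[:space:]]*${key}:[[:space:]]*[^[:space:]#]" "$cfg" ||
            { echo "FAIL: $key is missing or empty in $cfg" >&2; rc=1; }
    done

    # Assumption: the file downloaded in step 4 is a PEM-encoded private key.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "FAIL: $pem has no PEM private key header" >&2; rc=1; }

    # The authentication key should be readable by its owner only on disk.
    case $(ls -ld "$pem") in
        -???------*) ;;
        *) echo "FAIL: $pem is accessible to group/other (chmod 600)" >&2; rc=1 ;;
    esac

    # Warning only: with sslmode=disable the database connection is unencrypted.
    if grep -q 'sslmode=disable' "$cfg"; then
        echo "WARN: sslmode=disable in $cfg: database traffic is not encrypted" >&2
    fi
    return $rc
}

# Run the checks when called with the two file paths as arguments.
if [ "$#" -eq 2 ]; then
    preflight_clair "$1" "$2" || exit $?
    echo "OK: checks passed, the secret can be created"
fi
```

A non-zero exit status means at least one check failed and the secret should not be created yet; exit status 2 means one of the two files could not be read.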

© 2025 Red Hat