第 7 章 Clair 安全扫描

Clair 是可与 Red Hat Quay 搭配使用的一组微服务，可用于对与一组 Linux 操作系统关联的容器镜像进行漏洞扫描。Clair 的微服务设计使得它适合在高度可扩展的配置中运行，其中组件可以根据企业环境单独扩展。

Clair 使用以下漏洞数据库来扫描您的镜像中的问题：

alpine SecDB 数据库
AWS UpdateInfo
Debian Oval 数据库
Oracle Oval 数据库
RHEL Oval 数据库
SUSE Oval 数据库
Ubuntu Oval 数据库
Pyup.io (python)数据库

如需有关 Clair 如何使用不同数据库进行安全映射的信息，请参阅 ClairCore Severity Mapping。

注意

随着 Red Hat Quay 3.4 的发布，新的 Clair V4 （镜像 registry.redhat.io/quay/clair-rhel8）完全替换了之前的 Clair V2 (image quay.io/redhat/clair-jwt)。有关如何在 V4 更新时以只读模式运行 V2 的信息。

7.1. 在 Red Hat Quay OpenShift 部署上设置 Clair
复制链接

7.1.1. 部署 Via 的 Quay Operator
复制链接

要在 OpenShift 上的新 Red Hat Quay 部署上设置 Clair V4，强烈建议您使用 Quay Operator。默认情况下，Quay Operator 将安装或升级 Clair 部署以及 Red Hat Quay 部署，并自动配置 Clair 安全扫描。

7.1.2. 手动部署 Clair
复制链接

要在运行 Clair V2 的现有 Red Hat Quay OpenShift 部署中配置 Clair V4，首先确保 Red Hat Quay 已升级到至少 3.4.0 版本。然后，使用以下步骤手动设置 Clair V4 和 Clair V2。

将当前项目设置为运行 Red Hat Quay 的项目的名称。例如：
```
oc project quay-enterprise
```
```
$ oc project quay-enterprise
```
Copy to Clipboard Toggle word wrap

为 Clair v4 创建 Postgres 部署文件（例如，cl airv4-postgres.yaml），如下所示：

clairv4-postgres.yaml

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: clairv4-postgres
  namespace: quay-enterprise
  labels:
    quay-component: clairv4-postgres
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-component: clairv4-postgres
  template:
    metadata:
      labels:
        quay-component: clairv4-postgres
    spec:
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: clairv4-postgres
      containers:
        - name: postgres
          image: postgres:11.5
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_USER
              value: "postgres"
            - name: POSTGRES_DB
              value: "clair"
            - name: POSTGRES_PASSWORD
              value: "postgres"
            - name: PGDATA
              value: "/etc/postgres/data"
          volumeMounts:
            - name: postgres-data
              mountPath: "/etc/postgres"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: clairv4-postgres
  labels:
    quay-component: clairv4-postgres
spec:
  accessModes:
    - "ReadWriteOnce"
  resources:
    requests:
      storage: "5Gi"
    volumeName: "clairv4-postgres"
---
apiVersion: v1
kind: Service
metadata:
  name: clairv4-postgres
  labels:
    quay-component: clairv4-postgres
spec:
  type: ClusterIP
  ports:
    - port: 5432
      protocol: TCP
      name: postgres
      targetPort: 5432
  selector:
    quay-component: clairv4-postgres

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: clairv4-postgres
  namespace: quay-enterprise
  labels:
    quay-component: clairv4-postgres
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-component: clairv4-postgres
  template:
    metadata:
      labels:
        quay-component: clairv4-postgres
    spec:
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: clairv4-postgres
      containers:
        - name: postgres
          image: postgres:11.5
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_USER
              value: "postgres"
            - name: POSTGRES_DB
              value: "clair"
            - name: POSTGRES_PASSWORD
              value: "postgres"
            - name: PGDATA
              value: "/etc/postgres/data"
          volumeMounts:
            - name: postgres-data
              mountPath: "/etc/postgres"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: clairv4-postgres
  labels:
    quay-component: clairv4-postgres
spec:
  accessModes:
    - "ReadWriteOnce"
  resources:
    requests:
      storage: "5Gi"
    volumeName: "clairv4-postgres"
---
apiVersion: v1
kind: Service
metadata:
  name: clairv4-postgres
  labels:
    quay-component: clairv4-postgres
spec:
  type: ClusterIP
  ports:
    - port: 5432
      protocol: TCP
      name: postgres
      targetPort: 5432
  selector:
    quay-component: clairv4-postgres

Copy to Clipboard

Toggle word wrap

部署 postgres 数据库，如下所示：
```
oc create -f ./clairv4-postgres.yaml
```
```
$ oc create -f ./clairv4-postgres.yaml
```
Copy to Clipboard Toggle word wrap

创建 Clair config.yaml 文件，用于 Clair v4。例如：

config.yaml

introspection_addr: :8089
http_listen_addr: :8080
log_level: debug
indexer:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true
matcher:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  max_conn_pool: 100
  run: ""
  migrations: true
  indexer_addr: clair-indexer
notifier:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  delivery: 1m
  poll_interval: 5m
  migrations: true
auth:
  psk:
    key: MTU5YzA4Y2ZkNzJoMQ== 
    iss: ["quay"]
# tracing and metrics
trace:
  name: "jaeger"
  probability: 1
  jaeger:
    agent_endpoint: "localhost:6831"
    service_name: "clair"
metrics:
  name: "prometheus"

introspection_addr: :8089
http_listen_addr: :8080
log_level: debug
indexer:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true
matcher:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  max_conn_pool: 100
  run: ""
  migrations: true
  indexer_addr: clair-indexer
notifier:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  delivery: 1m
  poll_interval: 5m
  migrations: true
auth:
  psk:
    key: MTU5YzA4Y2ZkNzJoMQ==


    iss: ["quay"]
# tracing and metrics
trace:
  name: "jaeger"
  probability: 1
  jaeger:
    agent_endpoint: "localhost:6831"
    service_name: "clair"
metrics:
  name: "prometheus"

Copy to Clipboard

Toggle word wrap

1: 要生成 Clair 预共享密钥(PSK)，请在用户界面的安全扫描器部分中启用 扫描，然后点 Generate PSK。

有关 Clair 配置格式的更多信息，请参阅上游 Clair 文档。

从 Clair config.yaml 创建 secret：

oc create secret generic clairv4-config-secret --from-file=./config.yaml

$ oc create secret generic clairv4-config-secret --from-file=./config.yaml

Copy to Clipboard

Toggle word wrap

创建 Clair v4 部署文件（例如，clair-combo.yaml），并根据需要进行修改：

clair-combo.yaml

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    quay-component: clair-combo
  name: clair-combo
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-component: clair-combo
  template:
    metadata:
      labels:
        quay-component: clair-combo
    spec:
      containers:
        - image: registry.redhat.io/quay/clair-rhel8:v3.5.7  
          imagePullPolicy: IfNotPresent
          name: clair-combo
          env:
            - name: CLAIR_CONF
              value: /clair/config.yaml
            - name: CLAIR_MODE
              value: combo
          ports:
            - containerPort: 8080
              name: clair-http
              protocol: TCP
            - containerPort: 8089
              name: clair-intro
              protocol: TCP
          volumeMounts:
            - mountPath: /clair/
              name: config
      imagePullSecrets:
        - name: redhat-pull-secret
      restartPolicy: Always
      volumes:
        - name: config
          secret:
            secretName: clairv4-config-secret
---
apiVersion: v1
kind: Service
metadata:
  name: clairv4 
  labels:
    quay-component: clair-combo
spec:
  ports:
    - name: clair-http
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: clair-introspection
      port: 8089
      protocol: TCP
      targetPort: 8089
  selector:
    quay-component: clair-combo
  type: ClusterIP

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    quay-component: clair-combo
  name: clair-combo
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-component: clair-combo
  template:
    metadata:
      labels:
        quay-component: clair-combo
    spec:
      containers:
        - image: registry.redhat.io/quay/clair-rhel8:v3.5.7


          imagePullPolicy: IfNotPresent
          name: clair-combo
          env:
            - name: CLAIR_CONF
              value: /clair/config.yaml
            - name: CLAIR_MODE
              value: combo
          ports:
            - containerPort: 8080
              name: clair-http
              protocol: TCP
            - containerPort: 8089
              name: clair-intro
              protocol: TCP
          volumeMounts:
            - mountPath: /clair/
              name: config
      imagePullSecrets:
        - name: redhat-pull-secret
      restartPolicy: Always
      volumes:
        - name: config
          secret:
            secretName: clairv4-config-secret
---
apiVersion: v1
kind: Service
metadata:
  name: clairv4


  labels:
    quay-component: clair-combo
spec:
  ports:
    - name: clair-http
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: clair-introspection
      port: 8089
      protocol: TCP
      targetPort: 8089
  selector:
    quay-component: clair-combo
  type: ClusterIP

Copy to Clipboard

Toggle word wrap

1: 将镜像更改为最新的 clair 镜像名称和版本。
2: 将 Service 设置为 clairv4 时，Clair v4 的扫描程序端点稍后会在 SECURITY_SCANNER_SCANNER_V4_ENDPOINT 中的 Red Hat Quay config.yaml 中输入为 http://clairv4。

创建 Clair v4 部署，如下所示：
```
oc create -f ./clair-combo.yaml
```
```
$ oc create -f ./clair-combo.yaml
```
Copy to Clipboard Toggle word wrap
修改 Red Hat Quay 部署的 config.yaml 文件，以在末尾添加以下条目：
```
FEATURE_SECURITY_SCANNER: true
SECURITY_SCANNER_V4_ENDPOINT: http://clairv4 
```
```
FEATURE_SECURITY_SCANNER: true
SECURITY_SCANNER_V4_ENDPOINT: http://clairv4 
```
1
Copy to Clipboard Toggle word wrap
1
识别 Clair v4 服务端点

将修改后的 config.yaml 重新部署到包含该文件的 secret （如 quay-enterprise-config-secret:

oc delete secret quay-enterprise-config-secret
oc create secret generic quay-enterprise-config-secret --from-file=./config.yaml

$ oc delete secret quay-enterprise-config-secret
$ oc create secret generic quay-enterprise-config-secret --from-file=./config.yaml

Copy to Clipboard

Toggle word wrap

要使新的 config.yaml 生效，您需要重启 Red Hat Quay pod。只需删除 quay-app pod 会导致部署具有更新的配置的 pod。

此时，在命名空间白名单中标识的任何机构中的镜像将被 Clair v4 扫描。

第 7 章 Clair 安全扫描

7.1. 在 Red Hat Quay OpenShift 部署上设置 Clair
复制链接

7.1.1. 部署 Via 的 Quay Operator
复制链接

7.1.2. 手动部署 Clair
复制链接

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

第 7 章 Clair 安全扫描

7.1. 在 Red Hat Quay OpenShift 部署上设置 Clair复制链接链接已复制到粘贴板!

7.1.1. 部署 Via 的 Quay Operator复制链接链接已复制到粘贴板!

7.1.2. 手动部署 Clair复制链接链接已复制到粘贴板!

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

7.1. 在 Red Hat Quay OpenShift 部署上设置 Clair
复制链接

7.1.1. 部署 Via 的 Quay Operator
复制链接

7.1.2. 手动部署 Clair
复制链接