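Purpose
Run image scans against the images in an image registry and generate a report.
Installing Clair
Operating system: Ubuntu 18.06
Docker: 18.06.3
docker-compose: docker-compose version 1.25.5, build 8a1c60f6
Open the Clair repository on GitHub.
Start Clair with docker-compose. First download the Clair docker-compose configuration: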
$ curl -L https://raw.githubusercontent.com/coreos/clair/master/docker-compose.yaml.sample -o $PWD/docker-compose.yaml
$ mkdir $PWD/clair_config
$ curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o $PWD/clair_config/config.yaml
Once the configuration files are downloaded, the directory looks like this:
/clair$ tree
.
├── clair_config
│   └── config.yaml
└── docker-compose.yaml
1 directory, 2 files
/clair$ cat docker-compose.yaml
version: '3.8'
services:
  clair:
    image: quay.io/coreos/clair:latest
    command: -config=/config/config.yaml
    ports:
      - "6060:6060"
      - "6061:6061"
    depends_on:
      - clairdb
    volumes:
      - type: bind
        source: $PWD/clair_config
        target: /config
    networks:
      - clairnet
    restart: on-failure
    extra_hosts:
      - "yourharbor1.com:192.168.1.100"
      - "yourharbor2.com:192.168.1.101"
  clairdb:
    image: postgres:9.6
    networks:
      - clairnet
    environment:
      - POSTGRES_HOST_AUTH_METHOD=trust
networks:
  clairnet:
    driver: bridge
Start the stack. The images are pulled first; wait for the download to finish and the containers to start.
$ docker-compose -f docker-compose.yaml up -d
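After startup, run docker logs on the clair container; you can see it automatically downloading data from the vulnerability databases.
Test Clair's health status: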
$ curl -X GET -I http://clair.ip:6061/health
HTTP/1.1 200 OK
Server: clair
Date: Tue, 02 Jun 2020 09:39:46 GMT
Content-Length: 0
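A readiness gate built on the health check above, as an added example that is not part of the original post: it polls the health endpoint and succeeds only on an exact 200, so a scan job can wait for Clair before it runs. The function names, retry defaults and sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: wait for Clair's health endpoint (port 6061) before scanning.
# Function names, defaults and sample responses are assumptions, not Clair's own tooling.

# Constructed sample responses in the shape `curl -I` prints (CRLF line endings).
SAMPLE_OK=$(printf 'HTTP/1.1 200 OK\r\nServer: clair\r\nContent-Length: 0\r\n')
SAMPLE_DOWN=$(printf 'HTTP/1.1 503 Service Unavailable\r\nServer: clair\r\n')

# Print the status code of the last HTTP status line in a header dump.
# Taking the last one copes with several header blocks (proxy, redirect).
http_status() {
    printf '%s\n' "$1" | tr -d '\r' | awk '/^HTTP\// { code = $2 } END { print code }'
}

# Succeed only on an exact 200; an empty or partial response counts as unhealthy.
is_healthy() {
    [ "$(http_status "$1")" = "200" ]
}

# wait_for_clair URL [ATTEMPTS] [DELAY_SECONDS]
# Poll the health URL; return 0 once healthy, 1 if attempts run out.
wait_for_clair() {
    url=$1
    attempts=${2:-30}
    delay=${3:-5}
    i=1
    while [ "$i" -le "$attempts" ]; do
        # -m 5 bounds each probe; a curl failure yields empty headers.
        headers=$(curl -s -I -m 5 "$url" 2>/dev/null) || headers=""
        if is_healthy "$headers"; then
            echo "clair healthy after $i attempt(s)"
            return 0
        fi
        echo "attempt $i/$attempts: not ready (status: $(http_status "$headers"))" >&2
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# Usage (clair.ip is the placeholder host used on this page):
#   wait_for_clair http://clair.ip:6061/health 30 5 || exit 1
```
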
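To scan images in a private image registry,
Clair's startup arguments need --insecure-tls, which turns off TLS certificate verification when Clair pulls layers from the registry: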
services:
  clair:
    image: quay.io/coreos/clair:latest
    command: [-config=/config/config.yaml, --insecure-tls]
Scanning images with Clair
klar is a tool that integrates Clair with image registries.
Integration of Clair and