Installing software in Docker images
Clair is an open source project for the static analysis of vulnerabilities in application containers.
One of the main differences between a traditional deployment and a Docker deployment is the way that software dependencies are handled. In traditional deployments, the software dependencies need to be installed and managed by a dedicated team. They install the required versions of dependencies, upgrade them when security issues arise, and perform regular patching of the operating system packages. Managing and installing all the dependencies on the hosts and resolving dependency conflicts between different software on the same server is challenging and time-consuming.
Docker deployments solve these challenges by encapsulating all the needed dependencies for a given piece of software within its own Docker image. These dependencies are installed at Docker build time and are only applicable to the containers running with the generated Docker image (these dependencies do not affect the host either). However, since Docker images consist of multiple layers, starting from the OS (ubuntu, alpine, centos, etc.) up to the application layer itself, there’s a risk that the Docker images will include vulnerabilities that expose security risks and provide attackers with ways to gain access to the hosting servers.
According to the National Vulnerability Database, there are more than 75,000 known vulnerabilities. Some of these vulnerabilities are well-known, like Heartbleed, which affected OpenSSL. This means that there’s a high chance that the Docker images used to deploy the applications include some of these vulnerabilities. Obtaining this information requires scanning Docker images and performing analysis and comparison against known vulnerabilities. Unfortunately, this feature is not available in either the Docker registry or Portus, so another tool is needed to achieve this goal.
Clair is a tool that can be used to scan Docker images and report any vulnerabilities found. Clair exposes an API for indexing Docker images and querying its database for the vulnerabilities of a particular image. Before we jump into deploying Clair and integrating it with Portus, let’s have a quick look at how Clair works:
- Clair periodically pulls external vulnerability databases and updates its internal database with the known vulnerabilities.
- Clients (the Registry or Portus) send images to the Clair API to be analyzed.
- For performance and efficiency reasons, Clair analyzes Docker images layer by layer rather than on an image basis. This is because Docker images share layers, so there’s no need to analyze the same data/layer more than once.
- Clair passes the image layers to workers to detect vulnerabilities in each of the layers. Three different detectors for finding vulnerabilities in Docker image layers are supported by Clair. The first type is the Data Detector, which is responsible for scanning the layer for any static configurations that should not be included in production. The second type is the Feature Detector; a feature can basically be anything in the Docker container, from packages like OpenSSL to configuration parameters. The last detector is the Namespace Detector, which is based on the context between features and vulnerabilities. This detector is able to find issues like installing a centos6 package on centos7.
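The layer-by-layer flow described above, as an added example (not code from the original post, nor from Clair or Portus): it builds the per-layer submissions for Clair v2's /v1/layers REST API, chaining each layer to its parent, and turns a vulnerability report into a release gate. The registry URL, image layers and CVE identifiers in the sample are constructed placeholders.

```python
# Clair's documented severity levels, least to most severe.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1"]


def build_layer_payloads(layer_digests, blob_base_url):
    """Build one POST /v1/layers body per layer, base layer first.

    ParentName chains each layer to the one below it, which is what lets
    Clair reuse the analysis of a base layer shared by many images. Layers
    are named by digest here (a common convention, not one Clair mandates).
    """
    payloads, parent = [], ""
    for digest in layer_digests:
        payloads.append({"Layer": {
            "Name": digest,
            "Path": f"{blob_base_url}/{digest}",
            "ParentName": parent,
            "Format": "Docker",
        }})
        parent = digest
    return payloads


def summarize(layer_json):
    """Count findings by severity from GET /v1/layers/<name>?features&vulnerabilities."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    findings = []
    for feature in layer_json.get("Layer", {}).get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            sev = vuln.get("Severity", "Unknown")
            counts[sev] = counts.get(sev, 0) + 1
            findings.append((feature["Name"], feature.get("Version", ""),
                             vuln["Name"], sev, vuln.get("FixedBy", "")))
    return counts, findings


def should_block(counts, threshold="High"):
    """Release gate: True when any finding is at or above the threshold."""
    floor = SEVERITY_ORDER.index(threshold)
    return any(counts.get(s, 0) > 0 for s in SEVERITY_ORDER[floor:])


# Constructed sample of a top-layer report; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = {"Layer": {"Name": "sha256:top", "NamespaceName": "centos:7", "Features": [
    {"Name": "openssl-libs", "NamespaceName": "centos:7", "Version": "1.0.2k-8.el7",
     "Vulnerabilities": [{"Name": "CVE-0000-0001", "Severity": "High", "FixedBy": "1.0.2k-9.el7"}]},
    {"Name": "bash", "NamespaceName": "centos:7", "Version": "4.2.46-28.el7",
     "Vulnerabilities": [{"Name": "CVE-0000-0002", "Severity": "Low"}]},
]}}
```

Only the topmost layer needs to be queried, since Clair's report for a layer includes the features inherited through the ParentName chain.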
Clair deployment
As described above, Clair stores the data collected about the Docker images in an internal database (a PostgreSQL database). Therefore, we need access to an HA PostgreSQL database to perform the deployment in production environments. For the sake of simplicity, I will deploy a PostgreSQL server with the Clair Docker stack (this can also be done in testing environments).
To avoid using Docker volumes for the Clair service, I decided to build a custom image that includes a configuration template and can be configured using environment variables. Here’s the Dockerfile for the custom Docker image:
And here’s the entry-point file that takes care of rendering the template and generating the config file for Clair:
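An entry point in the spirit of the one described, as an added example (not the author's file): it renders Clair's config from environment variables, refuses to start when the database credentials are missing, and writes the file owner-only because it holds the password. The CLAIR_* variable names are this example's own; the YAML layout follows Clair v2's config.yaml and the 6060 API port mentioned below.

```python
import os

# Settings that must be supplied; a missing DB secret aborts startup instead of
# silently falling back to a default (variable names are this example's own).
REQUIRED = ("CLAIR_DB_HOST", "CLAIR_DB_USER", "CLAIR_DB_PASSWORD")
DEFAULTS = {"CLAIR_DB_PORT": "5432", "CLAIR_DB_NAME": "postgres",
            "CLAIR_DB_SSLMODE": "disable",  # use verify-full when the DB is off-host
            "CLAIR_API_PORT": "6060", "CLAIR_HEALTH_PORT": "6061",
            "CLAIR_UPDATER_INTERVAL": "2h"}

# Layout of Clair v2's config.yaml; only the braced names are substituted.
TEMPLATE = """clair:
  database:
    type: pgsql
    options:
      source: host={CLAIR_DB_HOST} port={CLAIR_DB_PORT} user={CLAIR_DB_USER} password={CLAIR_DB_PASSWORD} dbname={CLAIR_DB_NAME} sslmode={CLAIR_DB_SSLMODE}
      cachesize: 16384
  api:
    addr: "0.0.0.0:{CLAIR_API_PORT}"
    healthaddr: "0.0.0.0:{CLAIR_HEALTH_PORT}"
    timeout: 900s
  updater:
    interval: {CLAIR_UPDATER_INTERVAL}
"""


def render_config(env):
    """Render the config from a mapping such as os.environ; defaults fill the gaps."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise SystemExit("refusing to start, missing: " + ", ".join(missing))
    values = dict(DEFAULTS)
    values.update({k: v for k, v in env.items() if k.startswith("CLAIR_")})
    return TEMPLATE.format(**values)


def write_config(path, env):
    """Write the rendered config with mode 0600, since it carries the DB password."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(render_config(env))
    return path


if __name__ == "__main__":
    # Render, then exec the Clair binary so it becomes PID 1 and receives signals directly.
    write_config("/etc/clair/config.yaml", os.environ)
    os.execvp("clair", ["clair", "-config", "/etc/clair/config.yaml"])
```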
Finally, here’s the Docker swarm stack I used to deploy Clair and its dependencies:
After deploying the Clair stack (Clair server and PostgreSQL database), the next step is to integrate Clair with Portus to be able to scan Docker images. By default, Clair exposes its API on port 6060. As a result, to integrate Clair with Portus we need to configure Portus with the Clair URL, which will be something like this: http://clair_server:6060. We need to add this value to the environment variable PORTUS_SECURITY_CLAIR_SERVER, or set it by updating the Portus configs.
After integrating Clair with Portus and pushing some images to the Docker registry, we can start seeing vulnerability reports, as shown below:
Last Word
I updated the Swarm orca project created in this post to also include Clair. You can deploy Clair simply by executing the command below (you also need to deploy the other services to make it work on your local machine):
SCM=copy bundle exec cap local deploy:setup deploy:clair
Conclusion
To improve the quality of produced Docker images and avoid being exposed to known vulnerabilities, it’s recommended to:
- Start scanning Docker images for such vulnerabilities.
- Integrate the scanning process with the release cycle of the software applications.
Translated from: https://medium.com/better-programming/detect-vulnerabilities-in-docker-images-d21f1b762898