Haobor2.2.1配置(trivy扫描器镜像签名)
Posted Yuan_sr
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Haobor2.2.1配置(trivy扫描器镜像签名)相关的知识,希望对你有一定的参考价值。
Haobor2.2.1配置(trivy扫描器、镜像签名)
docker-compose下载
https://github.com/docker/compose/releases
安装
cp docker-compose /usr/local/bin
chmod +x /usr/local/bin/docker-compose
harbor下载
https://github.com/goharbor/harbor/releases
解压
tar xf xxx.tgx
配置harbor
根下建立:mkdir /data
cd harbor/
mkdir certs
cd certs/
生成证书及私钥
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry.key -out registry.crt
cd ..
cp -r certs/ /
编辑配置文件
mv harbor.yml.temp harbor.yml
hostname:example.com
certificate: ./certs/registry.crt
private_key: ./certs/registry.key
harbor_admin_password:Abcd12345
配置检测
./prepare
安装
有扫描–with-trivy ,有认证–with-notary,有helm charts 模块加入–with-chartmuseum 其中–with-clair已弃用
有扫描–with-trivy ,有认证–with-notary,有helm charts 模块加入–with-chartmuseum
./install.sh --with-notary --with-trivy --with-chartmuseum
配置hostname
vim /etc/hosts
最后加入:
127.0.0.1 example.com
浏览器访问
https://example.com
或者:
IP:80
用户名:admin
密码:Abcd12345
命令行登陆
docker login example.com
Username:admin
Password:Abcd12345
操作命令
关闭
docker-compose down
重新部署
执行后会删除配置,项目数据并不会删除
./prepare
启动
docker-compose up -d
Trivy 是一种适用于 CI 的简单而全面的容器漏洞扫描程序。软件漏洞是指软件或操作系统中存在的故障、缺陷或弱点。Trivy 检测操作系统包(Alpine、RHEL、CentOS等)和应用程序依赖(Bundler、Composer、npm、yarn等)的漏洞。
Trivy 很容易使用,只要安装二进制文件,就可以扫描了。扫描只需指定容器的镜像名称。与其他镜像扫描工具相比,例如 Clair,Anchore Engine,Quay 相比,Trivy 在准确性、方便性和对 CI 的支持等方面都有着明显的优势。
推荐在 CI 中使用它,在推送到 Container Registry 之前,您可以轻松地扫描本地容器镜像,Trivy具备如下的特征:
- 检测面很全,能检测全面的漏洞,操作系统软件包(Alpine、Red Hat Universal Base Image、Red Hat Enterprise Linux、CentOS、Oracle Linux、Debian、Ubuntu、Amazon Linux、openSUSE Leap、SUSE Enterprise Linux、Photon OS 和 Distrioless)、应用程序依赖项(Bundler、Composer、Pipenv、Poetry、npm、yarn 和 Cargo);
- 使用简单,仅仅只需要指定镜像名称;
- 扫描快且无状态,第一次扫描将在 10 秒内完成(取决于您的网络)。随后的扫描将在一秒钟内完成。与其他扫描器在第一次运行时需要很长时间(大约10分钟)来获取漏洞信息,并鼓励您维护持久的漏洞数据库不同,Trivy 是无状态的,不需要维护或准备;
- 易于安装,安装方式:
$ apt-get install trivy
$ yum install trivy
$ brew install trivy
遇到的问题及解决方法
在配置了harbor镜像扫描工具trivy后执行镜像扫描报错如下:
2021-04-19T07:19:51.564Z [34mINFO[0m Need to update DB
2021-04-19T07:19:51.564Z [34mINFO[0m Downloading DB...
2021-04-19T07:20:01.566Z [31mFATAL[0m failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: Get "https://api.github.com/repos/aquasecurity/trivy-db/releases": dial tcp: lookup api.github.com on 127.0.0.11:53: read udp 127.0.0.1:48822->127.0.0.11:53: i/o timeout
出现该问题的原因是在下载扫描漏洞数据库时超时,导致下载失败,因此解决方法是手动下载该数据库并挂载到trivy容器的/home/scanner/.cache/trivy/db/目录下,下载路径:https://github.com/aquasecuri...
将该数据库解压到宿主机的/data/trivy-adapter/trivy/下,并将harbor.yml文件中的skip_update设置为true,再次在harbor中扫描镜像报错如下:
2021-04-19T07:37:36.182Z [31mERROR[0m The first run cannot skip downloading DB
2021-04-19T07:37:36.182Z [31mFATAL[0m database error: --skip-update cannot be specified on the first run
: general response handler: unexpected status code: 500, expected: 200
出现该问题的原因是trivy在第一次扫描镜像时不能跳过数据库下载步骤,因此解决方法是在本地宿主机安装trivy,在本地随便扫描一个镜像,目的是下载漏洞数据库,将本地缓存数据库/root/.cache/trivy/下的文件拷贝到镜像挂载目录/data/trivy-adapter/trivy/下,再次在harbor中扫描镜像报错如下:
2021-04-19T08:53:26Z [ERROR] [/pkg/scan/job.go:284]: check scan report with mime type application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0: running trivy wrapper: running trivy: exit status 1: 2021-04-19T08:53:22.626Z [31mFATAL[0m unable to initialize the cache: unable to initialize fs cache: failed to create cache dir: mkdir /home/scanner/.cache/trivy/fanal: no such file or directory
: general response handler: unexpected status code: 500, expected: 200
出现该错误的原因是在拷贝数据库时不应将fanal下的文件拷贝过去,初步怀疑该文件是harbor启动时自动生成的,因此解决方法是将该文件夹还原,只拷贝/root/.cache/trivy/db/下的文件到/data/trivy-adapter/trivy/db下, 再次在harbor中扫描镜像即可成功。
启用镜像签名功能
在harbor中启用内容信任功能,选中选择框,勾选后,未经签名认证的镜像将不能被拉取,现实如下:
# docker pull example.com/library/foo-apiserver@sha256:0b8cad3c45c2e0db91b070a94c7dc72487d5c1a357168267437518e455f0621f
Error response from daemon: unknown: The image is not signed in Notary.
./install.sh --with-notary中的--with-notary字段是开启内容信任功能的,下面介绍内容信任功能使用的设置:
# cd ~/.docker/
# ls
config.json
# pwd
/root/.docker
# mkdir tls
# cd tls/
# mkdir example.com:4443
# cd example.com\\:4443/
# cp /home/work/harbor/certs/registry.crt ca.crt //registry.crt为证书,这里使用了启动harbor时的证书文件
# ls
ca.crt
# export DOCKER_CONTENT_TRUST=1
# export DOCKER_DONTENT_TRUST_SERVER=https://example.com:4443
首次上传时需要设置root密码及仓库密码
# docker push example.com/library/nginx:latest
d37eecb5b769: Layer already exists
99134ec7f247: Layer already exists
c3a984abe8a8: Layer already exists
latest: digest: sha256:7ac7819e1523911399b798309025935a9968b277d86d50e5255465d6592c0266 size: 948
Signing and pushing trust metadata
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID a7d2071:
Repeat passphrase for new root key with ID a7d2071:
Enter passphrase for new repository key with ID fe4da48:
Repeat passphrase for new repository key with ID fe4da48:
Finished initializing "reg.westos.org/library/nginx"
Successfully signed reg.westos.org/library/nginx:latest
上传镜像会自动签名,此时再拉取镜像:
# docker pull example.com/library/nginx:latest
Pull (1 of 1): example.com/library/nginx:latest@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9
example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9: Pulling from library/nginx
Digest: sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9
Status: Image is up to date for example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9
Tagging example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9 as example.com/library/nginx:latest
example.com/library/nginx:latest
此时上传另一个镜像时只需要输入仓库密码,同一镜像不同版本号再上传时只需要输入仓库密码
查看认证信息:
# docker trust inspect example.com/library/nginx:latest
[
{
"Name": "example.com/library/nginx:latest",
"SignedTags": [
{
"SignedTag": "latest",
"Digest": "c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9",
"Signers": [
"Repo Admin"
]
}
],
"Signers": [],
"AdministrativeKeys": [
{
"Name": "Root",
"Keys": [
{
"ID": "ef1860607d28455992ad93e71e0e830911e59a43d548c44a41794d490fb63d5b"
}
]
},
{
"Name": "Repository",
"Keys": [
{
"ID": "ebca503ac3b8be80c585a0ba5c5de386f17a978187dd8da75634ad0bb0a7bd4e"
}
]
}
]
}
]
删除签名:
# docker trust revoke reg.westos.org/library/nginx:latest
Enter passphrase for repository key with ID fe4da48:
Successfully deleted signature for reg.westos.org/library/nginx:latest
取消签名机制:
export DOCKER_CONTENT_TRUST=0
此时还需要去掉内容信任选项框,否则无法上传部署
Harbor数据迁移
- 先关闭harbor仓库:docker-compose down -v
拷贝harbor数据/date/和下的文件到其他目录:
持久数据,如镜像,数据库等在宿主机的/data/目录下,日志在宿主机的/var/log/harbor/目录下 /data/database/ 数据库内容,比如身份验证数据 /data/registry/ 镜像文件内容 ......
Harbor各组件性能消耗统计
NAME | CPU % | MEM USAGE / LIMIT |
---|---|---|
harbor-jobservice | 0.39% | 20.38MiB / 15.42GiB |
nginx | 0.00% | 13.34MiB / 15.42GiB |
notary-server | 0.09% | 11.52MiB / 15.42GiB |
notary-signer | 0.00% | 8.781MiB / 15.42GiB |
harbor-core | 0.00% | 34.72MiB / 15.42GiB |
trivy-adapter | 0.32% | 32.22MiB / 15.42GiB |
registry | 0.00% | 14MiB / 15.42GiB |
harbor-db | 0.00% | 98.83MiB / 15.42GiB |
redis | 0.45% | 10.46MiB / 15.42GiB |
chartmuseum | 0.08% | 16.53MiB / 15.42GiB |
harbor-portal | 0.05% | 15.22MiB / 15.42GiB |
registryctl | 0.11% | 14.71MiB / 15.42GiB |
harbor-log | 0.05% | 14.52MiB / 15.42GiB |
total | 1.54% | 272.66MiB / 15.42GiB |
以上是关于Haobor2.2.1配置(trivy扫描器镜像签名)的主要内容,如果未能解决你的问题,请参考以下文章