Harbor 2.2.1 configuration (Trivy scanner, image signing)

Docker Compose download

https://github.com/docker/compose/releases

Install

cp docker-compose /usr/local/bin
chmod +x /usr/local/bin/docker-compose

Harbor download

https://github.com/goharbor/harbor/releases

Extract

tar xf xxx.tgz

Configure Harbor

Create the data directory:

mkdir /data
cd harbor/
mkdir certs
cd certs/

Generate certificate and private key

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry.key -out registry.crt
cd ..
cp -r certs/ /

Edit the configuration file

mv harbor.yml.tmpl harbor.yml

hostname: example.com
https:
  certificate: ./certs/registry.crt
  private_key: ./certs/registry.key
harbor_admin_password: Abcd12345

Check the configuration

./prepare

Install

Scanning with Trivy (--with-trivy), signing with Notary (--with-notary), Helm chart storage with ChartMuseum (--with-chartmuseum); the --with-clair option has been abandoned.

./install.sh --with-notary --with-trivy --with-chartmuseum

Configure hostname resolution

vim /etc/hosts
Append at the end:
127.0.0.1 example.com

Browser access

https://example.com
or:
IP:80
User name: admin
Password: Abcd12345

Command-line login

docker login example.com
Username: admin
Password: Abcd12345

Operation commands

Stop

docker-compose down

Regenerate the configuration
Running this regenerates the configuration files; project data is not deleted

./prepare

Start

docker-compose up -d

Trivy is a simple and comprehensive container vulnerability scanner for CI. Software vulnerabilities are faults, defects or weaknesses in software or operating systems. Trivy detects vulnerabilities in operating system packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.).

Trivy is easy to use: once the binary is installed you can scan, and you only need to specify the name of the container image. Compared with other image scanning tools such as Clair, Anchore Engine and Quay, Trivy has clear advantages in accuracy, convenience and CI support.

It is recommended for use in CI: you can easily scan a local container image before pushing it to the container registry. Trivy has the following characteristics:

  1. It has wide detection coverage and finds a comprehensive range of vulnerabilities: operating system packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless) and application dependencies (Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo);
  2. It is easy to use. You only need to specify the image name;
  3. The scan is fast and stateless: the first scan completes in about 10 seconds (depending on your network) and subsequent scans in about one second. Unlike other scanners, which take a long time (about 10 minutes) to fetch vulnerability information on the first run and encourage you to maintain a persistent vulnerability database, Trivy is stateless and needs no maintenance or preparation;
  4. Easy to install; installation methods:
$ apt-get install trivy
$ yum install trivy
$ brew install trivy 

Problems encountered and Solutions

After configuring Trivy as the Harbor image scanner, the following error is reported when scanning an image:

2021-04-19T07:19:51.564Z  INFO  Need to update DB
2021-04-19T07:19:51.564Z  INFO  Downloading DB...
2021-04-19T07:20:01.566Z  FATAL  failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: Get "https://api.github.com/repos/aquasecurity/trivy-db/releases": dial tcp: lookup api.github.com on 127.0.0.11:53: read udp 127.0.0.1:48822->127.0.0.11:53: i/o timeout

The cause is that downloading the vulnerability database timed out during the scan. The fix is therefore to download the database manually and mount it under /home/scanner/.cache/trivy/db/ in the adapter container; download path: https://github.com/aquasecurity/trivy-db/releases
Unpack the database into /data/trivy-adapter/trivy/ on the host, set skip_update to true in the YAML configuration, and scan the image in Harbor again. The error is now as follows:

2021-04-19T07:37:36.182Z  ERROR  The first run cannot skip downloading DB
2021-04-19T07:37:36.182Z  FATAL  database error: --skip-update cannot be specified on the first run
: general response handler: unexpected status code: 500, expected: 200

The cause is that Trivy cannot skip the database download step when it scans an image for the first time. The fix is therefore to install Trivy on the local host and scan an image locally, which downloads the vulnerability database into the local cache; then copy the files under /root/.cache/trivy/ to the image mount directory /data/trivy-adapter/trivy/ and scan the image in Harbor again. The error is now as follows:

2021-04-19T08:53:26Z [ERROR] [/pkg/scan/job.go:284]: check scan report with mime type application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0: running trivy wrapper: running trivy: exit status 1: 2021-04-19T08:53:22.626Z  FATAL  unable to initialize the cache: unable to initialize fs cache: failed to create cache dir: mkdir /home/scanner/.cache/trivy/fanal: no such file or directory
: general response handler: unexpected status code: 500, expected: 200

The cause of this error is that the files under fanal should not have been copied along with the database; it is suspected that they are generated automatically when Harbor starts. The fix is therefore to restore that folder and copy only the files in /root/.cache/trivy/db/ to /data/trivy-adapter/trivy/db, after which the image scans successfully in Harbor.
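
The following script is an added example (not part of the original post) of the fix described above: it seeds the adapter's cache from a locally populated Trivy cache while copying only the db/ directory, so the fanal/ directory is never overwritten. It assumes Harbor's default compose layout, in which the host path /data/trivy-adapter/trivy is mounted as /home/scanner/.cache/trivy inside the trivy-adapter container.

```shell
#!/bin/sh
# Added example, not from the original post: seed the Harbor Trivy adapter cache
# with a vulnerability DB that a local Trivy run already downloaded, copying ONLY
# the db/ directory. The fanal/ directory belongs to the adapter and must not be
# replaced (doing so causes the "failed to create cache dir ... fanal" error).
# Assumed layout (Harbor's default compose file): host /data/trivy-adapter/trivy
# is mounted as /home/scanner/.cache/trivy inside the trivy-adapter container.
set -eu

# sync_trivy_db SRC_CACHE DST_CACHE
#   SRC_CACHE  cache populated by a local scan, e.g. /root/.cache/trivy
#   DST_CACHE  host side of the adapter mount, e.g. /data/trivy-adapter/trivy
# Returns 0 when trivy.db and metadata.json were copied, 1 otherwise.
sync_trivy_db() {
    src="$1/db"
    dst="$2/db"
    # Refuse a cache that was never populated (or holds an empty database).
    if [ ! -s "$src/trivy.db" ] || [ ! -s "$src/metadata.json" ]; then
        echo "error: $src has no usable trivy.db / metadata.json" >&2
        return 1
    fi
    # Sanity check: Trivy's metadata.json always carries a Version field.
    if ! grep -q '"Version"' "$src/metadata.json"; then
        echo "error: $src/metadata.json does not look like Trivy metadata" >&2
        return 1
    fi
    mkdir -p "$dst"
    # Copy the two DB files only; "$2/fanal" is deliberately left untouched.
    cp "$src/trivy.db" "$dst/trivy.db"
    cp "$src/metadata.json" "$dst/metadata.json"
    echo "copied vulnerability DB to $dst; fanal/ left untouched"
}

# Typical invocation on the Harbor host:
#   sync_trivy_db /root/.cache/trivy /data/trivy-adapter/trivy
```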

Enable image signing

Enable the content trust function in Harbor by selecting the check box; once it is checked, images without a signature cannot be pulled. For example:

# docker pull example.com/library/foo-apiserver@sha256:0b8cad3c45c2e0db91b070a94c7dc72487d5c1a357168267437518e455f0621f
Error response from daemon: unknown: The image is not signed in Notary.

The --with-notary option of ./install.sh enables the content trust function. The client settings used for content trust are as follows:

# cd ~/.docker/
# ls
config.json
# pwd
/root/.docker
# mkdir tls
# cd tls/
# mkdir example.com:4443
# cd example.com\:4443/
# cp /home/work/harbor/certs/registry.crt ca.crt   # the registry.crt certificate generated earlier is used as the CA certificate here
# ls
ca.crt
# export DOCKER_CONTENT_TRUST=1
# export DOCKER_CONTENT_TRUST_SERVER=https://example.com:4443
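
As an added example (not from the original post), the client-side steps above wrapped in a function: it installs the registry certificate where the Docker CLI looks for the Notary server's CA and prints the two environment variables to export, so the easily misspelled second variable is emitted rather than typed. It assumes Notary is exposed on port 4443, as in the installation above.

```shell
#!/bin/sh
# Added example, not from the original post: configure the Docker client for
# Harbor/Notary content trust. The CLI expects the Notary server's CA at
# ~/.docker/tls/<notary-host>:<port>/ca.crt; Harbor's Notary listens on 4443.
set -eu

# setup_content_trust HOST CERT_FILE
#   HOST       Harbor hostname, e.g. example.com
#   CERT_FILE  the registry.crt generated for Harbor
# Prints the export lines to apply; returns 1 on an unsuitable certificate file.
setup_content_trust() {
    host="$1"
    cert="$2"
    # Only accept a PEM certificate.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "error: $cert is not a PEM certificate" >&2
        return 1
    fi
    # Never install a file that also carries the private key as a CA cert.
    if grep -q 'PRIVATE KEY' "$cert"; then
        echo "error: $cert contains a private key; pass registry.crt only" >&2
        return 1
    fi
    dir="${HOME}/.docker/tls/${host}:4443"
    mkdir -p "$dir"
    cp "$cert" "$dir/ca.crt"
    chmod 644 "$dir/ca.crt"
    # Emit the variables with the correct spelling for the caller to eval.
    echo "export DOCKER_CONTENT_TRUST=1"
    echo "export DOCKER_CONTENT_TRUST_SERVER=https://${host}:4443"
}

# Typical use on the client host:
#   eval "$(setup_content_trust example.com /home/work/harbor/certs/registry.crt)"
```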

When pushing for the first time, you need to set the root key passphrase and the repository key passphrase

# docker push example.com/library/nginx:latest 
d37eecb5b769: Layer already exists 
99134ec7f247: Layer already exists 
c3a984abe8a8: Layer already exists 
latest: digest: sha256:7ac7819e1523911399b798309025935a9968b277d86d50e5255465d6592c0266 size: 948
Signing and pushing trust metadata
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID a7d2071: 
Repeat passphrase for new root key with ID a7d2071: 
Enter passphrase for new repository key with ID fe4da48: 
Repeat passphrase for new repository key with ID fe4da48: 
Finished initializing "reg.westos.org/library/nginx"
Successfully signed reg.westos.org/library/nginx:latest

Pushing the image signs it automatically; the image can then be pulled:

# docker pull example.com/library/nginx:latest
Pull (1 of 1): example.com/library/nginx:latest@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9
example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9: Pulling from library/nginx
Digest: sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9
Status: Image is up to date for example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9
Tagging example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9 as example.com/library/nginx:latest
example.com/library/nginx:latest

After this, when pushing another image you only need to enter the repository key passphrase; when pushing the same image with a different tag, you likewise only need the repository key passphrase

To view the signature information:

# docker trust inspect example.com/library/nginx:latest 
[
    {
        "Name": "example.com/library/nginx:latest",
        "SignedTags": [
            {
                "SignedTag": "latest",
                "Digest": "c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9",
                "Signers": [
                    "Repo Admin"
                ]
            }
        ],
        "Signers": [],
        "AdministrativeKeys": [
            {
                "Name": "Root",
                "Keys": [
                    {
                        "ID": "ef1860607d28455992ad93e71e0e830911e59a43d548c44a41794d490fb63d5b"
                    }
                ]
            },
            {
                "Name": "Repository",
                "Keys": [
                    {
                        "ID": "ebca503ac3b8be80c585a0ba5c5de386f17a978187dd8da75634ad0bb0a7bd4e"
                    }
                ]
            }
        ]
    }
]

Delete signature:

# docker trust revoke reg.westos.org/library/nginx:latest 
Enter passphrase for repository key with ID fe4da48: 
Successfully deleted signature for reg.westos.org/library/nginx:latest

Disable content trust:

export DOCKER_CONTENT_TRUST=0
At this point you also need to uncheck the content trust option in Harbor; otherwise the image cannot be uploaded

Harbor data migration

  • Stop Harbor first: docker-compose down -v
  • Copy the files under the Harbor data directory /data/ to another location:
Persistent data such as images and the database are stored under the /data/ directory on the host; logs are under /var/log/harbor/ on the host.
/data/database/   database content, such as authentication data
/data/registry/   image file content
......

Performance consumption statistics of Harbor components

NAME               CPU %    MEM USAGE / LIMIT
harbor-jobservice  0.39%    20.38MiB / 15.42GiB
nginx              0.00%    13.34MiB / 15.42GiB
notary-server      0.09%    11.52MiB / 15.42GiB
notary-signer      0.00%    8.781MiB / 15.42GiB
harbor-core        0.00%    34.72MiB / 15.42GiB
trivy-adapter      0.32%    32.22MiB / 15.42GiB
registry           0.00%    14MiB / 15.42GiB
harbor-db          0.00%    98.83MiB / 15.42GiB
redis              0.45%    10.46MiB / 15.42GiB
chartmuseum        0.08%    16.53MiB / 15.42GiB
harbor-portal      0.05%    15.22MiB / 15.42GiB
registryctl        0.11%    14.71MiB / 15.42GiB
harbor-log         0.05%    14.52MiB / 15.42GiB
total              1.54%    272.66MiB / 15.42GiB

Keywords: Docker

Added by ironmonk3y on Thu, 17 Feb 2022 14:16:17 +0200