About docker: Harbor 2.2.1 configuration of the Trivy scanner and image signing


Harbor 2.2.1 configuration (Trivy scanner, image signing)

Download docker-compose

https://github.com/docker/compose/releases

Install

cp docker-compose /usr/local/bin
chmod +x /usr/local/bin/docker-compose

Download Harbor

https://github.com/goharbor/harbor/releases

Extract

tar xf xxx.tgz

Configure Harbor

Create the data directory under the root: mkdir /data
cd harbor/
mkdir certs
cd certs/

Generate the certificate and private key

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry.key -out registry.crt
cd ..
cp -r certs/ /

Edit the configuration file

mv harbor.yml.tmpl harbor.yml
hostname: example.com
https:
  certificate: ./certs/registry.crt
  private_key: ./certs/registry.key
harbor_admin_password: Abcd12345

Check the configuration

./prepare

Install

Scanning: --with-trivy; signing (content trust): --with-notary; Helm charts module: --with-chartmuseum. --with-clair is deprecated.

./install.sh --with-notary --with-trivy --with-chartmuseum
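Before running ./prepare it is worth checking harbor.yml for the settings that weaken a registry the most: a hostname clients cannot verify, no https block, or the shipped default admin password. The script below is an added example, not part of the original post or of Harbor's own tooling. It assumes the harbor.yml keys shown above (hostname, https.certificate, https.private_key, harbor_admin_password) as used by Harbor 2.2.x, and that Harbor's admin password rule (8 to 20 characters with upper case, lower case and a digit) applies; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): write the four harbor.yml values
# the walkthrough edits, then check the file for weak settings before ./prepare.

# render_harbor_yml HOSTNAME CERT KEY ADMIN_PASSWORD OUTFILE
# Writes a minimal harbor.yml in the layout of harbor.yml.tmpl.
render_harbor_yml() {
  cat > "$5" <<EOF
hostname: $1
https:
  port: 443
  certificate: $2
  private_key: $3
harbor_admin_password: $4
EOF
}

# check_harbor_yml FILE
# Prints every problem found and returns 1 if there was any, 0 otherwise.
check_harbor_yml() {
  chk_file=$1
  chk_rc=0
  chk_host=$(sed -n 's/^hostname: *//p' "$chk_file")
  case "$chk_host" in
    ""|localhost|127.0.0.1)
      echo "hostname must be the name clients will use, not '$chk_host'"; chk_rc=1 ;;
  esac
  grep -q '^https:' "$chk_file" || { echo "no https block: Harbor would serve plain HTTP"; chk_rc=1; }
  chk_cert=$(sed -n 's/^  certificate: *//p' "$chk_file")
  chk_key=$(sed -n 's/^  private_key: *//p' "$chk_file")
  [ -f "$chk_cert" ] || { echo "certificate not found: $chk_cert"; chk_rc=1; }
  [ -f "$chk_key" ] || { echo "private key not found: $chk_key"; chk_rc=1; }
  chk_pw=$(sed -n 's/^harbor_admin_password: *//p' "$chk_file")
  [ "$chk_pw" != "Harbor12345" ] || { echo "admin password is still the shipped default"; chk_rc=1; }
  # Assumed rule (Harbor's UI password policy): 8-20 chars, upper, lower, digit.
  if [ "${#chk_pw}" -lt 8 ] || [ "${#chk_pw}" -gt 20 ] \
     || ! printf '%s' "$chk_pw" | LC_ALL=C grep -q '[A-Z]' \
     || ! printf '%s' "$chk_pw" | LC_ALL=C grep -q '[a-z]' \
     || ! printf '%s' "$chk_pw" | LC_ALL=C grep -q '[0-9]'; then
    echo "admin password must be 8-20 characters with upper case, lower case and a digit"; chk_rc=1
  fi
  return $chk_rc
}
```

Run check_harbor_yml against the real harbor.yml from the harbor/ directory so the relative ./certs paths resolve; a non-zero exit means ./prepare should not be run yet.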

Configure the hostname

vim /etc/hosts
Append at the end: 127.0.0.1 example.com

Access from the browser

https://example.com
or:
IP:80
Username: admin
Password: Abcd12345

Command-line login

docker login example.com
Username:admin
Password:Abcd12345

Operation commands

Shut down

docker-compose down

Redeploy
Running this deletes the configuration; project data is not deleted

./prepare

Start

docker-compose up -d

Trivy is a simple and comprehensive container vulnerability scanner suited to CI. A software vulnerability is a flaw, defect or weakness in software or an operating system. Trivy detects vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) and in application dependencies (Bundler, Composer, npm, yarn, etc.).

Trivy is easy to use: install the binary and you can scan. A scan only needs the container image name. Compared with other image scanners such as Clair, Anchore Engine and Quay, Trivy has clear advantages in accuracy, convenience and CI support.

It is recommended for use in CI: you can easily scan a local container image before pushing it to the container registry. Trivy has the following characteristics:

  1. Broad coverage: it detects vulnerabilities in OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless) and in application dependencies (Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo);
  2. Simple to use: only the image name has to be specified;
  3. Fast and stateless: the first scan finishes within about 10 seconds (depending on your network) and later scans within a second. Unlike other scanners, which take a long time (about 10 minutes) on the first run to fetch vulnerability data and expect you to maintain a persistent vulnerability database, Trivy is stateless and needs no maintenance or preparation;
  4. Easy to install:
$ apt-get install trivy
$ yum install trivy
$ brew install trivy

Problems encountered and their solutions

After configuring Trivy as the Harbor image scanner, scanning an image failed with the following error:

2021-04-19T07:19:51.564Z    [34mINFO[0m    Need to update DB
2021-04-19T07:19:51.564Z    [34mINFO[0m    Downloading DB...
2021-04-19T07:20:01.566Z    [31mFATAL[0m    failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: Get "https://api.github.com/repos/aquasecurity/trivy-db/releases": dial tcp: lookup api.github.com on 127.0.0.11:53: read udp 127.0.0.1:48822->127.0.0.11:53: i/o timeout

The cause is that downloading the vulnerability database timed out, so the download failed. The fix is to download the database manually and mount it into the Trivy container's /home/scanner/.cache/trivy/db/ directory; download path: https://github.com/aquasecuri…
Extract the database into /data/trivy-adapter/trivy/ on the host and set skip_update to true in harbor.yml. Scanning an image in Harbor again then fails with:

2021-04-19T07:37:36.182Z    [31mERROR[0m    The first run cannot skip downloading DB
2021-04-19T07:37:36.182Z    [31mFATAL[0m    database error: --skip-update cannot be specified on the first run
: general response handler: unexpected status code: 500, expected: 200

The cause is that Trivy cannot skip the database download on its first scan. The fix is to install Trivy on the host itself and scan any image locally so that the vulnerability database is downloaded, then copy the files from the local cache /root/.cache/trivy/ into the mounted directory /data/trivy-adapter/trivy/. Scanning an image in Harbor again then fails with:

2021-04-19T08:53:26Z [ERROR] [/pkg/scan/job.go:284]: check scan report with mime type application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0: running trivy wrapper: running trivy: exit status 1: 2021-04-19T08:53:22.626Z    [31mFATAL[0m    unable to initialize the cache: unable to initialize fs cache: failed to create cache dir: mkdir /home/scanner/.cache/trivy/fanal: no such file or directory
: general response handler: unexpected status code: 500, expected: 200

The cause of this error is that the files under fanal should not have been copied along with the database; that folder is presumably generated automatically when Harbor starts. The fix is to restore that folder and copy only the files under /root/.cache/trivy/db/ into /data/trivy-adapter/trivy/db. Scanning an image in Harbor again then succeeds.
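The three errors above come down to one procedure: fetch the Trivy database on a host that has network access, copy only db/ (not fanal/) into the adapter's mounted cache, and then remember that with skip_update enabled the database silently ages. The script below is an added example, not part of the original post or of Harbor's or Trivy's own code; it covers the installation list above as well as the troubleshooting. It assumes `trivy image --download-db-only --cache-dir DIR` is available in the Trivy CLI in use, that metadata.json carries a NextUpdate timestamp in ISO 8601 UTC (the format Trivy writes), and, if TRIVY_ADAPTER_UID is set, that the adapter runs as that uid (10000 is the usual Harbor scanner user; unverified here). Function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): stage an offline Trivy DB for
# Harbor's trivy-adapter and check whether it is still current.

# download_trivy_db CACHE_DIR
# Run on a host with internet access; fills CACHE_DIR/db/ with trivy.db and
# metadata.json without scanning anything (assumed Trivy CLI flag).
download_trivy_db() {
  trivy image --cache-dir "$1" --download-db-only
}

# stage_trivy_db SRC_CACHE DEST_CACHE
# Copies only the two database files into the adapter's cache directory
# (/data/trivy-adapter/trivy on the host in the walkthrough). fanal/ is left
# alone: copying it from another machine is what produced the last error above.
stage_trivy_db() {
  st_src=$1 st_dst=$2
  for st_f in trivy.db metadata.json; do
    if [ ! -f "$st_src/db/$st_f" ]; then
      echo "missing $st_src/db/$st_f: run download_trivy_db first" >&2
      return 1
    fi
  done
  mkdir -p "$st_dst/db"
  cp "$st_src/db/trivy.db" "$st_src/db/metadata.json" "$st_dst/db/"
  if [ -n "$TRIVY_ADAPTER_UID" ]; then
    # Assumption: the adapter container reads the cache as this uid.
    chown -R "$TRIVY_ADAPTER_UID" "$st_dst"
  fi
}

# trivy_db_next_update CACHE_DIR
# Prints the NextUpdate timestamp recorded in metadata.json.
trivy_db_next_update() {
  sed -n 's/.*"NextUpdate": *"\([^"]*\)".*/\1/p' "$1/db/metadata.json"
}

# trivy_db_is_current CACHE_DIR [NOW_UTC_ISO8601]
# Returns 0 while NextUpdate lies in the future. ISO 8601 UTC timestamps
# compare correctly as strings, so expr's string comparison is enough.
trivy_db_is_current() {
  tc_next=$(trivy_db_next_update "$1")
  tc_now=${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
  [ -n "$tc_next" ] && expr "$tc_now" \< "$tc_next" >/dev/null
}
```

With skip_update set to true Harbor never refreshes the database itself, so run trivy_db_is_current /data/trivy-adapter/trivy from cron and re-stage when it fails; otherwise scans keep reporting "clean" against an old feed.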

Enabling image signing

Enable content trust in Harbor by ticking the checkbox. Once it is ticked, images that have not been signed can no longer be pulled; in practice:

# docker pull example.com/library/foo-apiserver@sha256:0b8cad3c45c2e0db91b070a94c7dc72487d5c1a357168267437518e455f0621f
Error response from daemon: unknown: The image is not signed in Notary.

The --with-notary flag of ./install.sh --with-notary enables content trust. The client-side settings needed to use content trust are described below:

# cd ~/.docker/
# ls
config.json
# pwd
/root/.docker
# mkdir tls
# cd tls/
# mkdir example.com:4443
# cd example.com\:4443/
# cp /home/work/harbor/certs/registry.crt ca.crt   # registry.crt is the certificate; the one Harbor was started with is reused here
# ls
ca.crt
# export DOCKER_CONTENT_TRUST=1
# export DOCKER_CONTENT_TRUST_SERVER=https://example.com:4443

On the first push you must set the root key passphrase and the repository key passphrase

# docker push example.com/library/nginx:latest 
d37eecb5b769: Layer already exists 
99134ec7f247: Layer already exists 
c3a984abe8a8: Layer already exists 
latest: digest: sha256:7ac7819e1523911399b798309025935a9968b277d86d50e5255465d6592c0266 size: 948
Signing and pushing trust metadata
You are about to create a new root signing key passphrase. This passphrase
will be used to protect the most sensitive key in your signing system. Please
choose a long, complex passphrase and be careful to keep the password and the
key file itself secure and backed up. It is highly recommended that you use a
password manager to generate the passphrase and keep it safe. There will be no
way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID a7d2071: 
Repeat passphrase for new root key with ID a7d2071: 
Enter passphrase for new repository key with ID fe4da48: 
Repeat passphrase for new repository key with ID fe4da48: 
Finished initializing "reg.westos.org/library/nginx"
Successfully signed reg.westos.org/library/nginx:latest

Pushed images are signed automatically. Pulling the image now:

# docker pull example.com/library/nginx:latest
Pull (1 of 1): example.com/library/nginx:latest@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9
example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9: Pulling from library/nginx
Digest: sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9
Status: Image is up to date for example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9
Tagging example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9 as example.com/library/nginx:latest
example.com/library/nginx:latest

When pushing another image afterwards only the repository passphrase is needed; pushing another tag of the same image also only needs the repository passphrase
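The manual client setup above (the tls/HOST:4443/ca.crt directory plus the two exports) is easy to get subtly wrong, and docker ignores a misspelled environment variable without complaint, so the push simply goes out unsigned. The script below is an added example, not part of the original post or of Docker's or Harbor's own tooling: it performs that setup and then verifies the environment before a signed push. It assumes Notary is served on port 4443 as in the walkthrough and that the docker CLI honours DOCKER_CONFIG for its config directory (defaulting to ~/.docker); the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): configure and verify the Docker
# client for content trust against Harbor's Notary server.

# setup_content_trust HOSTNAME CA_CERT [DOCKER_CONFIG_DIR]
# Installs CA_CERT as the CA for HOSTNAME:4443 and prints the exports to apply.
setup_content_trust() {
  sc_host=$1 sc_ca=$2 sc_cfg=${3:-${DOCKER_CONFIG:-$HOME/.docker}}
  if [ ! -f "$sc_ca" ]; then
    echo "CA certificate not found: $sc_ca" >&2
    return 1
  fi
  mkdir -p "$sc_cfg/tls/$sc_host:4443"
  cp "$sc_ca" "$sc_cfg/tls/$sc_host:4443/ca.crt"
  echo "export DOCKER_CONTENT_TRUST=1"
  echo "export DOCKER_CONTENT_TRUST_SERVER=https://$sc_host:4443"
}

# check_content_trust HOSTNAME [DOCKER_CONFIG_DIR]
# Verifies everything a signed push to HOSTNAME needs; prints each problem and
# returns 1 if there was any.
check_content_trust() {
  ct_host=$1 ct_cfg=${2:-${DOCKER_CONFIG:-$HOME/.docker}}
  ct_rc=0
  [ "$DOCKER_CONTENT_TRUST" = "1" ] \
    || { echo "DOCKER_CONTENT_TRUST is not 1: pushes go out unsigned and unsigned pulls are allowed"; ct_rc=1; }
  case "$DOCKER_CONTENT_TRUST_SERVER" in
    "https://$ct_host:4443") ;;
    "") echo "DOCKER_CONTENT_TRUST_SERVER unset: docker would look for Notary on the registry URL itself"; ct_rc=1 ;;
    https://*) echo "DOCKER_CONTENT_TRUST_SERVER points elsewhere: $DOCKER_CONTENT_TRUST_SERVER"; ct_rc=1 ;;
    *) echo "DOCKER_CONTENT_TRUST_SERVER must be an https:// URL"; ct_rc=1 ;;
  esac
  [ -f "$ct_cfg/tls/$ct_host:4443/ca.crt" ] \
    || { echo "no CA for Notary at $ct_cfg/tls/$ct_host:4443/ca.crt"; ct_rc=1; }
  # A misspelled trust variable is silently ignored by docker: flag anything
  # that looks like one but is not among the names docker actually reads.
  env | LC_ALL=C grep '^DOCKER_[A-Z_]*TRUST' \
    | grep -v -e '^DOCKER_CONTENT_TRUST=' -e '^DOCKER_CONTENT_TRUST_SERVER=' \
              -e '^DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE=' \
              -e '^DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=' \
    && { echo "unrecognised trust variable(s) above are ignored by docker"; ct_rc=1; }
  return $ct_rc
}
```

Typical use: eval "$(setup_content_trust example.com /home/work/harbor/certs/registry.crt)" once per shell, then check_content_trust example.com before docker push.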

View the trust information:

# docker trust inspect example.com/library/nginx:latest 
[
    {
        "Name": "example.com/library/nginx:latest",
        "SignedTags": [
            {
                "SignedTag": "latest",
                "Digest": "c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9",
                "Signers": ["Repo Admin"]
            }
        ],
        "Signers": [],
        "AdministrativeKeys": [
            {
                "Name": "Root",
                "Keys": [
                    {"ID": "ef1860607d28455992ad93e71e0e830911e59a43d548c44a41794d490fb63d5b"}
                ]
            },
            {
                "Name": "Repository",
                "Keys": [
                    {"ID": "ebca503ac3b8be80c585a0ba5c5de386f17a978187dd8da75634ad0bb0a7bd4e"}
                ]
            }
        ]
    }
]

Remove the signature:

# docker trust revoke reg.westos.org/library/nginx:latest 
Enter passphrase for repository key with ID fe4da48: 
Successfully deleted signature for reg.westos.org/library/nginx:latest

Turn off the signing mechanism:

export DOCKER_CONTENT_TRUST=0
The content trust checkbox must also be unticked, otherwise pushing and deploying fail

Harbor data migration

  • First stop the Harbor registry: docker-compose down -v
  • Copy the Harbor data under /data/ to another directory:

    Persistent data such as images and the database lives under /data/ on the host; logs are under /var/log/harbor/
    /data/database/ database contents, e.g. authentication data
    /data/registry/ image files
    ......
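The copy step above is where a migration most often goes wrong: the wrong directory gets archived, or the archive turns out incomplete only when it is restored on the new host. The script below is an added example, not part of the original post or of Harbor's own tooling. It assumes Harbor's data lives under one directory containing database/ and registry/ (the /data layout described above) and that Harbor has already been stopped with docker-compose down as in the first step; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): archive Harbor's data directory
# for migration and verify the archive before moving it.

# looks_like_harbor_data DIR
# The two subdirectories every Harbor data directory has.
looks_like_harbor_data() {
  [ -d "$1/database" ] && [ -d "$1/registry" ]
}

# backup_harbor_data SRC_DATA_DIR DEST_DIR
# Writes DEST_DIR/harbor-data-<utc timestamp>.tgz, checks that the archive
# lists every regular file of the source tree, and prints the archive path.
backup_harbor_data() {
  bk_src=$1 bk_dest=$2
  if ! looks_like_harbor_data "$bk_src"; then
    echo "$bk_src has no database/ and registry/: not Harbor's data directory" >&2
    return 1
  fi
  mkdir -p "$bk_dest"
  bk_archive="$bk_dest/harbor-data-$(date -u +%Y%m%dT%H%M%SZ).tgz"
  tar -C "$bk_src" -czf "$bk_archive" .
  # Count regular files on both sides; tar lists directories with a trailing slash.
  bk_want=$(find "$bk_src" -type f | wc -l | tr -d ' ')
  bk_got=$(tar -tzf "$bk_archive" | grep -cv '/$')
  if [ "$bk_want" -ne "$bk_got" ]; then
    echo "archive lists $bk_got files, source has $bk_want" >&2
    return 1
  fi
  echo "$bk_archive"
}
```

On the target host restore with tar -C /data -xzf the archive before running ./prepare there, so the database and registry contents are in place when Harbor first starts.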

Harbor per-component resource usage

NAME CPU % MEM USAGE / LIMIT
harbor-jobservice 0.39% 20.38MiB / 15.42GiB
nginx 0.00% 13.34MiB / 15.42GiB
notary-server 0.09% 11.52MiB / 15.42GiB
notary-signer 0.00% 8.781MiB / 15.42GiB
harbor-core 0.00% 34.72MiB / 15.42GiB
trivy-adapter 0.32% 32.22MiB / 15.42GiB
registry 0.00% 14MiB / 15.42GiB
harbor-db 0.00% 98.83MiB / 15.42GiB
redis 0.45% 10.46MiB / 15.42GiB
chartmuseum 0.08% 16.53MiB / 15.42GiB
harbor-portal 0.05% 15.22MiB / 15.42GiB
registryctl 0.11% 14.71MiB / 15.42GiB
harbor-log 0.05% 14.52MiB / 15.42GiB
total 1.54% 272.66MiB / 15.42GiB