Haobor2.2.1配置(trivy扫描器、镜像签名)
docker-compose下载
https://github.com/docker/compose/releases装置
cp docker-compose /usr/local/binchmod +x /usr/local/bin/docker-composeharbor下载
https://github.com/goharbor/harbor/releases解压
tar xf xxx.tgx配置harbor
根下建设:mkdir /datacd harbor/mkdir certscd certs/生成证书及私钥
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry.key -out registry.crtcd ..cp -r certs/ /编辑配置文件
mv harbor.yml.temp harbor.ymlhostname:example.com certificate: ./certs/registry.crt private_key: ./certs/registry.key harbor_admin_password:Abcd12345配置检测
./prepare装置
有扫描–with-trivy ,有认证–with-notary,有helm charts 模块退出–with-chartmuseum 其中–with-clair已弃用
有扫描–with-trivy ,有认证–with-notary,有helm charts 模块退出–with-chartmuseum
./install.sh --with-notary --with-trivy --with-chartmuseum配置hostname
vim /etc/hosts最初退出:127.0.0.1 example.com浏览器拜访
https://example.com或者:IP:80用户名:admin明码:Abcd12345命令行登陆
docker login example.comUsername:adminPassword:Abcd12345操作命令
敞开
docker-compose down重新部署
执行后会删除配置,我的项目数据并不会删除
./prepare启动
docker-compose up -dTrivy 是一种实用于 CI 的简略而全面的容器破绽扫描程序。软件破绽是指软件或操作系统中存在的故障、缺点或弱点。Trivy 检测操作系统包(Alpine、RHEL、CentOS等)和应用程序依赖(Bundler、Composer、npm、yarn等)的破绽。
Trivy 很容易应用,只有装置二进制文件,就能够扫描了。扫描只需指定容器的镜像名称。与其余镜像扫描工具相比,例如 Clair,Anchore Engine,Quay 相比,Trivy 在准确性、方便性和对 CI 的反对等方面都有着显著的劣势。
举荐在 CI 中应用它,在推送到 Container Registry 之前,您能够轻松地扫描本地容器镜像,Trivy具备如下的特色:
- 检测面很全,能检测全面的破绽,操作系统软件包(Alpine、Red Hat Universal Base Image、Red Hat Enterprise Linux、CentOS、Oracle Linux、Debian、Ubuntu、Amazon Linux、openSUSE Leap、SUSE Enterprise Linux、Photon OS 和 Distrioless)、应用程序依赖项(Bundler、Composer、Pipenv、Poetry、npm、yarn 和 Cargo);
- 应用简略,仅仅只须要指定镜像名称;
- 扫描快且无状态,第一次扫描将在 10 秒内实现(取决于您的网络)。随后的扫描将在一秒钟内实现。与其余扫描器在第一次运行时须要很长时间(大概10分钟)来获取破绽信息,并激励您保护长久的破绽数据库不同,Trivy 是无状态的,不须要保护或筹备;
- 易于装置,装置形式:
$ apt-get install trivy$ yum install trivy$ brew install trivy 遇到的问题及解决办法
在配置了harbor镜像扫描工具trivy后执行镜像扫描报错如下:
2021-04-19T07:19:51.564Z [34mINFO[0m Need to update DB2021-04-19T07:19:51.564Z [34mINFO[0m Downloading DB...2021-04-19T07:20:01.566Z [31mFATAL[0m failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: Get "https://api.github.com/repos/aquasecurity/trivy-db/releases": dial tcp: lookup api.github.com on 127.0.0.11:53: read udp 127.0.0.1:48822->127.0.0.11:53: i/o timeout呈现该问题的起因是在下载扫描破绽数据库时超时,导致下载失败,因而解决办法是手动下载该数据库并挂载到trivy容器的/home/scanner/.cache/trivy/db/目录下,下载门路:https://github.com/aquasecuri...
将该数据库解压到宿主机的/data/trivy-adapter/trivy/下,并将harbor.yml文件中的skip_update设置为true,再次在harbor中扫描镜像报错如下:
2021-04-19T07:37:36.182Z [31mERROR[0m The first run cannot skip downloading DB2021-04-19T07:37:36.182Z [31mFATAL[0m database error: --skip-update cannot be specified on the first run: general response handler: unexpected status code: 500, expected: 200呈现该问题的起因是trivy在第一次扫描镜像时不能跳过数据库下载步骤,因而解决办法是在本地宿主机装置trivy,在本地轻易扫描一个镜像,目标是下载破绽数据库,将本地缓存数据库/root/.cache/trivy/下的文件拷贝到镜像挂载目录/data/trivy-adapter/trivy/下,再次在harbor中扫描镜像报错如下:
2021-04-19T08:53:26Z [ERROR] [/pkg/scan/job.go:284]: check scan report with mime type application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0: running trivy wrapper: running trivy: exit status 1: 2021-04-19T08:53:22.626Z [31mFATAL[0m unable to initialize the cache: unable to initialize fs cache: failed to create cache dir: mkdir /home/scanner/.cache/trivy/fanal: no such file or directory: general response handler: unexpected status code: 500, expected: 200呈现该谬误的起因是在拷贝数据库时不应将fanal下的文件拷贝过来,初步狐疑该文件是harbor启动时主动生成的,因而解决办法是将该文件夹还原,只拷贝/root/.cache/trivy/db/下的文件到/data/trivy-adapter/trivy/db下, 再次在harbor中扫描镜像即可胜利。
启用镜像签名性能
在harbor中启用内容信赖性能,选中抉择框,勾选后,未经签名认证的镜像将不能被拉取,事实如下:
# docker pull example.com/library/foo-apiserver@sha256:0b8cad3c45c2e0db91b070a94c7dc72487d5c1a357168267437518e455f0621fError response from daemon: unknown: The image is not signed in Notary../install.sh --with-notary中的--with-notary字段是开启内容信赖性能的,上面介绍内容信赖性能应用的设置:
# cd ~/.docker/# lsconfig.json# pwd/root/.docker# mkdir tls# cd tls/# mkdir example.com:4443# cd example.com\:4443/# cp /home/work/harbor/certs/registry.crt ca.crt //registry.crt为证书,这里应用了启动harbor时的证书文件# lsca.crt# export DOCKER_CONTENT_TRUST=1# export DOCKER_DONTENT_TRUST_SERVER=https://example.com:4443首次上传时须要设置root明码及仓库明码
# docker push example.com/library/nginx:latest d37eecb5b769: Layer already exists 99134ec7f247: Layer already exists c3a984abe8a8: Layer already exists latest: digest: sha256:7ac7819e1523911399b798309025935a9968b277d86d50e5255465d6592c0266 size: 948Signing and pushing trust metadataYou are about to create a new root signing key passphrase. This passphrasewill be used to protect the most sensitive key in your signing system. Pleasechoose a long, complex passphrase and be careful to keep the password and thekey file itself secure and backed up. It is highly recommended that you use apassword manager to generate the passphrase and keep it safe. There will be noway to recover this key. You can find the key in your config directory.Enter passphrase for new root key with ID a7d2071: Repeat passphrase for new root key with ID a7d2071: Enter passphrase for new repository key with ID fe4da48: Repeat passphrase for new repository key with ID fe4da48: Finished initializing "reg.westos.org/library/nginx"Successfully signed reg.westos.org/library/nginx:latest上传镜像会主动签名,此时再拉取镜像:
# docker pull example.com/library/nginx:latestPull (1 of 1): example.com/library/nginx:latest@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9: Pulling from library/nginxDigest: sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9Status: Image is up to date for example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9Tagging example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9 as example.com/library/nginx:latestexample.com/library/nginx:latest此时上传另一个镜像时只须要输出仓库明码,同一镜像不同版本号再上传时只须要输出仓库明码
查看认证信息:
# docker trust inspect example.com/library/nginx:latest [ { "Name": "example.com/library/nginx:latest", "SignedTags": [ { "SignedTag": "latest", "Digest": "c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9", "Signers": [ "Repo Admin" ] } ], "Signers": [], "AdministrativeKeys": [ { "Name": "Root", "Keys": [ { "ID": "ef1860607d28455992ad93e71e0e830911e59a43d548c44a41794d490fb63d5b" } ] }, { "Name": "Repository", "Keys": [ { "ID": "ebca503ac3b8be80c585a0ba5c5de386f17a978187dd8da75634ad0bb0a7bd4e" } ] } ] }]删除签名:
# docker trust revoke reg.westos.org/library/nginx:latest Enter passphrase for repository key with ID fe4da48: Successfully deleted signature for reg.westos.org/library/nginx:latest勾销签名机制:
export DOCKER_CONTENT_TRUST=0此时还须要去掉内容信赖选项框,否则无奈上传部署Harbor数据迁徙
- 先敞开harbor仓库:docker-compose down -v
拷贝harbor数据/date/和下的文件到其余目录:
持久数据,如镜像,数据库等在宿主机的/data/目录下,日志在宿主机的/var/log/harbor/目录下/data/database/ 数据库内容,比方身份验证数据/data/registry/ 镜像文件内容......
Harbor各组件性能耗费统计
| NAME | CPU % | MEM USAGE / LIMIT |
|---|---|---|
| harbor-jobservice | 0.39% | 20.38MiB / 15.42GiB |
| nginx | 0.00% | 13.34MiB / 15.42GiB |
| notary-server | 0.09% | 11.52MiB / 15.42GiB |
| notary-signer | 0.00% | 8.781MiB / 15.42GiB |
| harbor-core | 0.00% | 34.72MiB / 15.42GiB |
| trivy-adapter | 0.32% | 32.22MiB / 15.42GiB |
| registry | 0.00% | 14MiB / 15.42GiB |
| harbor-db | 0.00% | 98.83MiB / 15.42GiB |
| redis | 0.45% | 10.46MiB / 15.42GiB |
| chartmuseum | 0.08% | 16.53MiB / 15.42GiB |
| harbor-portal | 0.05% | 15.22MiB / 15.42GiB |
| registryctl | 0.11% | 14.71MiB / 15.42GiB |
| harbor-log | 0.05% | 14.52MiB / 15.42GiB |
| total | 1.54% | 272.66MiB / 15.42GiB |