Clair in my container setup causes the Quay security scan to fail

Question  Votes: 0  Answers: 1

I have a running Quay registry and I can push images to it. But for some unknown reason the configured Clair scan fails.

I don't know whether this is a problem with my Quay configuration or with my Clair... or both? I'd appreciate any help and advice. :)

What I expect: a running Clair scan that shows results :)

What I get: the scan stays in the "queued" state and nothing happens.

The following error message appears in the Quay log:

securityworker stdout | 2024-01-15 22:06:12,770 [284] [ERROR] [util.secscan.v4.api] Security scanner endpoint responded with non-200 HTTP status code: 500
securityworker stdout | NoneType: None
securityworker stdout | 2024-01-15 22:06:12,770 [284] [ERROR] [data.secscan_model.secscan_v4_model] Failed to perform indexing, security scanner API error
securityworker stdout | Traceback (most recent call last):
securityworker stdout |   File "/quay-registry/util/secscan/v4/api.py", line 252, in index
securityworker stdout |     resp = self._perform(actions["Index"](body))
securityworker stdout |   File "/quay-registry/util/secscan/v4/api.py", line 360, in _perform
securityworker stdout |     raise Non200ResponseException(resp)
securityworker stdout | util.secscan.v4.api.Non200ResponseException
securityworker stdout | During handling of the above exception, another exception occurred:
securityworker stdout | Traceback (most recent call last):
securityworker stdout |   File "/quay-registry/data/secscan_model/secscan_v4_model.py", line 417, in _index
securityworker stdout |     (report, state) = self._secscan_api.index(manifest, layers)
securityworker stdout |   File "/quay-registry/util/secscan/v4/api.py", line 256, in index
securityworker stdout |     raise APIRequestFailure(ex)
securityworker stdout | util.secscan.v4.api.APIRequestFailure

and the corresponding error message in Clair:

9:54PM WRN layers fetch failure error="encountered error while fetching a layer: fetcher: request failed: Get \"http://example.com/v2/server/test/blobs/sha256:cc067951b11fb09519e7620e2a9a0e84e216c660aed7a38f4f3cf004354e24e1\": dial tcp 82.165.69.92:443: i/o timeout" component=internal/indexer/controller/Controller.Index manifest=sha256:a98415716a91066ef5e442969887ebb3df7d80775b5bfa7b67fcaed989833d84 state=FetchLayers
9:54PM INF layers fetch done component=internal/indexer/controller/Controller.Index manifest=sha256:a98415716a91066ef5e442969887ebb3df7d80775b5bfa7b67fcaed989833d84 state=FetchLayers
9:54PM ERR error during scan error="failed to fetch layers: encountered error while fetching a layer: fetcher: request failed: Get \"http://example.com/v2/server/test/blobs/sha256:cc067951b11fb09519e7620e2a9a0e84e216c660aed7a38f4f3cf004354e24e1\": dial tcp 82.165.69.92:443: i/o timeout" component=internal/indexer/controller/Controller.Index manifest=sha256:a98415716a91066ef5e442969887ebb3df7d80775b5bfa7b67fcaed989833d84 state=FetchLayers

My setup uses traefik, but I don't think that is the main problem, since the communication appears to work. My compose file is:

version: "3.7"

services:
  quay:
    container_name: quay
    image: quay.io/projectquay/quay:3.10.1
    volumes:
      - ./config/quay:/quay-registry/conf/stack
      # - ./data/quay/registry:/datastorage/registry
    environment:
      QUAY_VERSION:  3.10.1
      QUAY_HOTRELOAD: "true"
      DEBUGLOG: "false"
      IGNORE_VALIDATION: "true"
      QUAYRUN: /tmp
      WORKER_COUNT_UNSUPPORTED_MINIMUM: "1"
      WORKER_COUNT: "1"
    depends_on:
      quay-db:
        condition: service_healthy
      quay-redis:
        condition: service_healthy
    networks:
      - quay-backend
      - traefik-servicenet
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.quay.rule=Host(`example.com`)"
      - "traefik.http.routers.quay.entrypoints=websecure"
      - "traefik.http.routers.quay.tls=true"
      - "traefik.http.routers.quay.tls.certresolver=letsencrypt"
      - "traefik.http.services.quay.loadbalancer.server.port=8080"
      - "traefik.docker.network=traefik-servicenet"

  quay-db:
    container_name: quay-db
    image: docker.io/library/postgres:15
    environment:
      POSTGRES_USER: "quay"
      POSTGRES_PASSWORD: "quay"
      POSTGRES_DB: "quay"
    volumes:
      - "./config/postgres/pg_bootstrap.sql:/docker-entrypoint-initdb.d/pg_bootstrap.sql"
      - "./data/quay-db:/var/lib/postgresql/data"
    ports:
      - "5432:5432"
    networks:
      - quay-backend
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U quay -d quay"]
      interval: 10s
      timeout: 9s
      retries: 3
      start_period: 10s

  quay-redis:
    container_name: quay-redis
    image: docker.io/library/redis:7
    ports:
      - "6379:6379"
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 60s
    networks:
      - quay-backend

  clair:
    container_name: quay-clair
    image: quay.io/projectquay/clair:4.4.0
    volumes:
      - "./config/clair:/src/clair/"
    environment:
      CLAIR_CONF: "/src/clair/config.yaml"
      CLAIR_MODE: "combo"
    cpus: 2
    command:
      ["bash", "-c", "cd /src/clair/cmd/clair; go run -mod vendor ."]
    depends_on:
      clair-db:
        condition: service_healthy
    networks:
      - quay-backend

  clair-db:
    container_name: clair-db
    image: docker.io/library/postgres:13
    environment:
      POSTGRES_HOST_AUTH_METHOD: trust
    volumes:
      - ./config/postgres/init.sql:/docker-entrypoint-initdb.d/init.sql
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - ./data/clair-db:/var/lib/postgresql/data
    healthcheck:
      test:
        - CMD-SHELL
        - "pg_isready -U postgres"
      interval: 5s
      timeout: 4s
      retries: 12
      start_period: 10s
    networks:
      - quay-backend


networks:
  traefik-servicenet:
    external: true
  quay-backend:
    driver: bridge
    internal: true

The Clair-related part of the Quay config.yaml:

...
# clair
SECURITY_SCANNER_INDEXING_INTERVAL: 30
SECURITY_SCANNER_V4_ENDPOINT: http://quay-clair:6000
SECURITY_SCANNER_V4_PSK: some_base64==
...

And finally my Clair config.yaml:

---
log_level: debug-color
introspection_addr: ""
http_listen_addr: ":6000"
updaters: {}
indexer:
  connstring: "host=clair-db port=5432 user=clair dbname=indexer sslmode=disable"
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true
matcher:
  connstring: "host=clair-db port=5432 user=clair dbname=matcher sslmode=disable"
  max_conn_pool: 100
  migrations: true
notifier:
  connstring: "host=clair-db port=5432 user=clair dbname=notifier sslmode=disable"
  indexer_addr: http://localhost:6000/
  matcher_addr: http://localhost:6000/
  migrations: true
  delivery_interval: 5s
  poll_interval: 15s
  webhook:
    target: "http://localhost:6000/secscan/notification"
    callback: "http://localhost:6000/notifier/api/v1/notification"
metrics:
  name: "prometheus"

# ===== AUTH
auth:
  psk:
    key: 'some_base64=='
    iss:
      - 'quay'

Full Quay config.yaml:

ACTION_LOG_ARCHIVE_LOCATION: default
ALLOWED_OCI_ARTIFACT_TYPES:
    application/vnd.oci.image.config.v1+json:
        - application/vnd.oci.image.layer.v1.tar+zstd
    application/vnd.sylabs.sif.config.v1+json:
        - application/vnd.sylabs.sif.layer.v1+tar
AUTHENTICATION_TYPE: Database
AVATAR_KIND: local
BUILDLOGS_REDIS:
    host: quay-redis
    port: 6379
CONTACT_INFO:
    - mailto:[email protected]
DATABASE_SECRET_KEY: 7e597f39-lala-lala-lala-9bfdcee1a628
DB_CONNECTION_ARGS: {}
DB_URI: postgresql://quay:quay@quay-db/quay
DEFAULT_TAG_EXPIRATION: 2w
DISTRIBUTED_STORAGE_CONFIG:
    default:
        - LocalStorage
        - storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
    - default
EXTERNAL_TLS_TERMINATION: true
FEATURE_ACI_CONVERSION: false
FEATURE_ACTION_LOG_ROTATION: false
FEATURE_ANONYMOUS_ACCESS: true
FEATURE_APP_REGISTRY: true
FEATURE_APP_SPECIFIC_TOKENS: false
FEATURE_BITBUCKET_BUILD: false
FEATURE_BLACKLISTED_EMAILS: false
FEATURE_BUILD_SUPPORT: false
FEATURE_CHANGE_TAG_EXPIRATION: true
FEATURE_DIRECT_LOGIN: true
FEATURE_EXTENDED_REPOSITORY_NAMES: true
FEATURE_FIPS: false
FEATURE_GITHUB_BUILD: false
FEATURE_GITHUB_LOGIN: false
FEATURE_GITLAB_BUILD: false
FEATURE_GOOGLE_LOGIN: false
FEATURE_INVITE_ONLY_USER_CREATION: false
FEATURE_MAILING: false
FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP: false
FEATURE_PARTIAL_USER_AUTOCOMPLETE: false
FEATURE_PROXY_STORAGE: false
FEATURE_REPO_MIRROR: false
FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH: false
FEATURE_REQUIRE_TEAM_INVITE: true
FEATURE_RESTRICTED_V1_PUSH: true
# clair
FEATURE_SECURITY_NOTIFICATIONS: false
FEATURE_SECURITY_SCANNER: true
FEATURE_STORAGE_REPLICATION: false
FEATURE_TEAM_SYNCING: false
# user
FEATURE_USER_CREATION: false
FEATURE_USER_INITIALIZE: false
FEATURE_USER_LAST_ACCESSED: true
FEATURE_USER_LOG_ACCESS: false
FEATURE_USER_METADATA: false
FEATURE_USER_RENAME: false
FEATURE_USERNAME_CONFIRMATION: false
#
FRESH_LOGIN_TIMEOUT: 10m
GITHUB_LOGIN_CONFIG: {}
GITHUB_TRIGGER_CONFIG: {}
GITLAB_TRIGGER_KIND: {}
LDAP_ALLOW_INSECURE_FALLBACK: false
LDAP_EMAIL_ATTR: mail
LDAP_UID_ATTR: uid
LDAP_URI: ldap://localhost
LOG_ARCHIVE_LOCATION: default
LOGS_MODEL: database
LOGS_MODEL_CONFIG: {}
MAIL_DEFAULT_SENDER: [email protected]
MAIL_PASSWORD: somesecurepassword
MAIL_PORT: 465
MAIL_SERVER: smtp.some.com
MAIL_USE_AUTH: true
MAIL_USE_TLS: true
MAIL_USERNAME: [email protected]
PREFERRED_URL_SCHEME: https
REGISTRY_TITLE: Project Quay
REGISTRY_TITLE_SHORT: Quay
REPO_MIRROR_INTERVAL: 30
REPO_MIRROR_TLS_VERIFY: true
SEARCH_MAX_RESULT_PAGE_COUNT: 10
SEARCH_RESULTS_PER_PAGE: 10
SECRET_KEY: 6cf643d5-lala-lala-lala-a8bdf9a6d341
# clair
SECURITY_SCANNER_INDEXING_INTERVAL: 30
SECURITY_SCANNER_V4_ENDPOINT: http://quay-clair:6000
SECURITY_SCANNER_V4_PSK: some_base64==
# 
SERVER_HOSTNAME: example.com
SETUP_COMPLETE: true
SUPER_USERS:
    - admin
TAG_EXPIRATION_OPTIONS:
    - 0s
    - 1d
    - 1w
    - 2w
    - 4w
TEAM_RESYNC_STALE_TIME: 30m
TESTING: false
USE_CDN: false
USER_EVENTS_REDIS:
    host: quay-redis
    port: 6379
USER_RECOVERY_TOKEN_LIFETIME: 30m
USERFILES_LOCATION: default
docker self-hosting quay.io clair
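
The two Clair errors quoted above say the indexer could not open a TCP connection to 82.165.69.92:443 while fetching a layer from http://example.com/v2/..., that is, the scanner goes back to the registry through its public SERVER_HOSTNAME, while in the compose file above the clair service is attached only to quay-backend, which is declared internal: true. The following added example (not code from the question, Quay or Clair) parses such "layers fetch failure" lines into the registry host, the address and port that were actually dialed, and the failure reason, so that this network path can be checked first; the log text is constructed from the lines quoted above and the record key names are my own.

```python
"""Summarise Clair v4 'layers fetch failure' log lines: the registry host the
indexer was told to fetch layers from, the address:port it actually dialed, and
why that failed. Log text constructed from the question; assumes Clair's default
logfmt-style output and Go's net/http error wording."""
import re
from urllib.parse import urlsplit

CLAIR_LOG = """\
9:54PM WRN layers fetch failure error="encountered error while fetching a layer: fetcher: request failed: Get \\"http://example.com/v2/server/test/blobs/sha256:cc067951b11fb09519e7620e2a9a0e84e216c660aed7a38f4f3cf004354e24e1\\": dial tcp 82.165.69.92:443: i/o timeout" component=internal/indexer/controller/Controller.Index manifest=sha256:a98415716a91066ef5e442969887ebb3df7d80775b5bfa7b67fcaed989833d84 state=FetchLayers
9:54PM INF layers fetch done component=internal/indexer/controller/Controller.Index manifest=sha256:a98415716a91066ef5e442969887ebb3df7d80775b5bfa7b67fcaed989833d84 state=FetchLayers
9:54PM ERR error during scan error="failed to fetch layers: encountered error while fetching a layer: fetcher: request failed: Get \\"http://example.com/v2/server/test/blobs/sha256:cc067951b11fb09519e7620e2a9a0e84e216c660aed7a38f4f3cf004354e24e1\\": dial tcp 82.165.69.92:443: i/o timeout" component=internal/indexer/controller/Controller.Index manifest=sha256:a98415716a91066ef5e442969887ebb3df7d80775b5bfa7b67fcaed989833d84 state=FetchLayers
"""

LEVEL_RE = re.compile(r"^\S+ (?P<level>WRN|ERR|INF|DBG) ")
# Go's net/http error text inside the quoted error= value: Get \"<url>\": dial tcp <ip>:<port>: <reason>
FETCH_RE = re.compile(
    r'Get \\?"(?P<url>[^"\\]+)\\?": dial tcp (?P<addr>\S+?):(?P<port>\d+): (?P<reason>[^"]+)"'
)
KV_RE = re.compile(r"\b(manifest|state)=(\S+)")

def parse_fetch_failures(log_text):
    """One record per log line that carries a layer-fetch dial failure."""
    records = []
    for line in log_text.splitlines():
        head, hit = LEVEL_RE.match(line), FETCH_RE.search(line)
        if not head or not hit:
            continue
        url = urlsplit(hit["url"])
        # Port implied by the URL vs. the port actually dialed (http URL but 443 dialed is worth a look).
        implied_port = url.port or (443 if url.scheme == "https" else 80)
        records.append({
            "level": head["level"],
            "url_host": url.hostname,
            "dial_addr": hit["addr"],
            "dial_port": int(hit["port"]),
            "port_matches_url": int(hit["port"]) == implied_port,
            "reason": hit["reason"],
            **dict(KV_RE.findall(line)),  # manifest=... state=... from the same line
        })
    return records

def unreachable_targets(records):
    """Distinct (registry host, ip, port) tuples the scanner could not connect to."""
    return sorted({(r["url_host"], r["dial_addr"], r["dial_port"])
                   for r in records if "timeout" in r["reason"] or "refused" in r["reason"]})

if __name__ == "__main__":
    recs = parse_fetch_failures(CLAIR_LOG)
    for host, ip, port in unreachable_targets(recs):
        print(f"scanner could not reach {host} ({ip}:{port}) from its own network namespace")
```

Run it against the real Clair container log (docker logs quay-clair) to confirm the dialed address is one the clair service's networks can actually reach.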
1 Answer
0 votes

Having a similar problem. Any ideas?
