I have a running Quay registry and I can push images to it. But for some unknown reason the configured Clair scan fails.
I don't know whether this is a problem with my Quay configuration or with my Clair... or both? I appreciate any help and advice. :)
My expectation: a running Clair scan that shows results :)
The following error messages appear in the Quay log:
securityworker stdout | 2024-01-15 22:06:12,770 [284] [ERROR] [util.secscan.v4.api] Security scanner endpoint responded with non-200 HTTP status code: 500
securityworker stdout | NoneType: None
securityworker stdout | 2024-01-15 22:06:12,770 [284] [ERROR] [data.secscan_model.secscan_v4_model] Failed to perform indexing, security scanner API error
securityworker stdout | Traceback (most recent call last):
securityworker stdout | File "/quay-registry/util/secscan/v4/api.py", line 252, in index
securityworker stdout | resp = self._perform(actions["Index"](body))
securityworker stdout | File "/quay-registry/util/secscan/v4/api.py", line 360, in _perform
securityworker stdout | raise Non200ResponseException(resp)
securityworker stdout | util.secscan.v4.api.Non200ResponseException
securityworker stdout | During handling of the above exception, another exception occurred:
securityworker stdout | Traceback (most recent call last):
securityworker stdout | File "/quay-registry/data/secscan_model/secscan_v4_model.py", line 417, in _index
securityworker stdout | (report, state) = self._secscan_api.index(manifest, layers)
securityworker stdout | File "/quay-registry/util/secscan/v4/api.py", line 256, in index
securityworker stdout | raise APIRequestFailure(ex)
securityworker stdout | util.secscan.v4.api.APIRequestFailure
And the corresponding error messages in Clair:
9:54PM WRN layers fetch failure error="encountered error while fetching a layer: fetcher: request failed: Get \"http://example.com/v2/server/test/blobs/sha256:cc067951b11fb09519e7620e2a9a0e84e216c660aed7a38f4f3cf004354e24e1\": dial tcp 82.165.69.92:443: i/o timeout" component=internal/indexer/controller/Controller.Index manifest=sha256:a98415716a91066ef5e442969887ebb3df7d80775b5bfa7b67fcaed989833d84 state=FetchLayers
9:54PM INF layers fetch done component=internal/indexer/controller/Controller.Index manifest=sha256:a98415716a91066ef5e442969887ebb3df7d80775b5bfa7b67fcaed989833d84 state=FetchLayers
9:54PM ERR error during scan error="failed to fetch layers: encountered error while fetching a layer: fetcher: request failed: Get \"http://example.com/v2/server/test/blobs/sha256:cc067951b11fb09519e7620e2a9a0e84e216c660aed7a38f4f3cf004354e24e1\": dial tcp 82.165.69.92:443: i/o timeout" component=internal/indexer/controller/Controller.Index manifest=sha256:a98415716a91066ef5e442969887ebb3df7d80775b5bfa7b67fcaed989833d84 state=FetchLayers
My setup uses traefik, but I don't think that is the main problem, since the communication seems to work. My compose file is:
version: "3.7"
services:
  quay:
    container_name: quay
    image: quay.io/projectquay/quay:3.10.1
    volumes:
      - ./config/quay:/quay-registry/conf/stack
      # - ./data/quay/registry:/datastorage/registry
    environment:
      QUAY_VERSION: 3.10.1
      QUAY_HOTRELOAD: "true"
      DEBUGLOG: "false"
      IGNORE_VALIDATION: "true"
      QUAYRUN: /tmp
      WORKER_COUNT_UNSUPPORTED_MINIMUM: "1"
      WORKER_COUNT: "1"
    depends_on:
      quay-db:
        condition: service_healthy
      quay-redis:
        condition: service_healthy
    networks:
      - quay-backend
      - traefik-servicenet
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.quay.rule=Host(`example.com`)"
      - "traefik.http.routers.quay.entrypoints=websecure"
      - "traefik.http.routers.quay.tls=true"
      - "traefik.http.routers.quay.tls.certresolver=letsencrypt"
      - "traefik.http.services.quay.loadbalancer.server.port=8080"
      - "traefik.docker.network=traefik-servicenet"
  quay-db:
    container_name: quay-db
    image: docker.io/library/postgres:15
    environment:
      POSTGRES_USER: "quay"
      POSTGRES_PASSWORD: "quay"
      POSTGRES_DB: "quay"
    volumes:
      - "./config/postgres/pg_bootstrap.sql:/docker-entrypoint-initdb.d/pg_bootstrap.sql"
      - "./data/quay-db:/var/lib/postgresql/data"
    ports:
      - "5432:5432"
    networks:
      - quay-backend
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U quay -d quay"]
      interval: 10s
      timeout: 9s
      retries: 3
      start_period: 10s
  quay-redis:
    container_name: quay-redis
    image: docker.io/library/redis:7
    ports:
      - "6379:6379"
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 60s
    networks:
      - quay-backend
  clair:
    container_name: quay-clair
    image: quay.io/projectquay/clair:4.4.0
    volumes:
      - "./config/clair:/src/clair/"
    environment:
      CLAIR_CONF: "/src/clair/config.yaml"
      CLAIR_MODE: "combo"
    cpus: 2
    command:
      ["bash", "-c", "cd /src/clair/cmd/clair; go run -mod vendor ."]
    depends_on:
      clair-db:
        condition: service_healthy
    networks:
      - quay-backend
  clair-db:
    container_name: clair-db
    image: docker.io/library/postgres:13
    environment:
      POSTGRES_HOST_AUTH_METHOD: trust
    volumes:
      - ./config/postgres/init.sql:/docker-entrypoint-initdb.d/init.sql
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - ./data/clair-db:/var/lib/postgresql/data
    healthcheck:
      test:
        - CMD-SHELL
        - "pg_isready -U postgres"
      interval: 5s
      timeout: 4s
      retries: 12
      start_period: 10s
    networks:
      - quay-backend
networks:
  traefik-servicenet:
    external: true
  quay-backend:
    driver: bridge
    internal: true
The Clair-related part of the Quay config.yaml:
...
# clair
SECURITY_SCANNER_INDEXING_INTERVAL: 30
SECURITY_SCANNER_V4_ENDPOINT: http://quay-clair:6000
SECURITY_SCANNER_V4_PSK: some_base64==
...
And finally my Clair config.yaml:
---
log_level: debug-color
introspection_addr: ""
http_listen_addr: ":6000"
updaters: {}
indexer:
  connstring: "host=clair-db port=5432 user=clair dbname=indexer sslmode=disable"
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true
matcher:
  connstring: "host=clair-db port=5432 user=clair dbname=matcher sslmode=disable"
  max_conn_pool: 100
  migrations: true
notifier:
  connstring: "host=clair-db port=5432 user=clair dbname=notifier sslmode=disable"
  indexer_addr: http://localhost:6000/
  matcher_addr: http://localhost:6000/
  migrations: true
  delivery_interval: 5s
  poll_interval: 15s
  webhook:
    target: "http://localhost:6000/secscan/notification"
    callback: "http://localhost:6000/notifier/api/v1/notification"
metrics:
  name: "prometheus"
# ===== AUTH
auth:
  psk:
    key: 'some_base64=='
    iss:
      - 'quay'
Full Quay config.yaml:
ACTION_LOG_ARCHIVE_LOCATION: default
ALLOWED_OCI_ARTIFACT_TYPES:
  application/vnd.oci.image.config.v1+json:
    - application/vnd.oci.image.layer.v1.tar+zstd
  application/vnd.sylabs.sif.config.v1+json:
    - application/vnd.sylabs.sif.layer.v1+tar
AUTHENTICATION_TYPE: Database
AVATAR_KIND: local
BUILDLOGS_REDIS:
  host: quay-redis
  port: 6379
CONTACT_INFO:
  - mailto:[email protected]
DATABASE_SECRET_KEY: 7e597f39-lala-lala-lala-9bfdcee1a628
DB_CONNECTION_ARGS: {}
DB_URI: postgresql://quay:quay@quay-db/quay
DEFAULT_TAG_EXPIRATION: 2w
DISTRIBUTED_STORAGE_CONFIG:
  default:
    - LocalStorage
    - storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
  - default
EXTERNAL_TLS_TERMINATION: true
FEATURE_ACI_CONVERSION: false
FEATURE_ACTION_LOG_ROTATION: false
FEATURE_ANONYMOUS_ACCESS: true
FEATURE_APP_REGISTRY: true
FEATURE_APP_SPECIFIC_TOKENS: false
FEATURE_BITBUCKET_BUILD: false
FEATURE_BLACKLISTED_EMAILS: false
FEATURE_BUILD_SUPPORT: false
FEATURE_CHANGE_TAG_EXPIRATION: true
FEATURE_DIRECT_LOGIN: true
FEATURE_EXTENDED_REPOSITORY_NAMES: true
FEATURE_FIPS: false
FEATURE_GITHUB_BUILD: false
FEATURE_GITHUB_LOGIN: false
FEATURE_GITLAB_BUILD: false
FEATURE_GOOGLE_LOGIN: false
FEATURE_INVITE_ONLY_USER_CREATION: false
FEATURE_MAILING: false
FEATURE_NONSUPERUSER_TEAM_SYNCING_SETUP: false
FEATURE_PARTIAL_USER_AUTOCOMPLETE: false
FEATURE_PROXY_STORAGE: false
FEATURE_REPO_MIRROR: false
FEATURE_REQUIRE_ENCRYPTED_BASIC_AUTH: false
FEATURE_REQUIRE_TEAM_INVITE: true
FEATURE_RESTRICTED_V1_PUSH: true
# clair
FEATURE_SECURITY_NOTIFICATIONS: false
FEATURE_SECURITY_SCANNER: true
FEATURE_STORAGE_REPLICATION: false
FEATURE_TEAM_SYNCING: false
# user
FEATURE_USER_CREATION: false
FEATURE_USER_INITIALIZE: false
FEATURE_USER_LAST_ACCESSED: true
FEATURE_USER_LOG_ACCESS: false
FEATURE_USER_METADATA: false
FEATURE_USER_RENAME: false
FEATURE_USERNAME_CONFIRMATION: false
#
FRESH_LOGIN_TIMEOUT: 10m
GITHUB_LOGIN_CONFIG: {}
GITHUB_TRIGGER_CONFIG: {}
GITLAB_TRIGGER_KIND: {}
LDAP_ALLOW_INSECURE_FALLBACK: false
LDAP_EMAIL_ATTR: mail
LDAP_UID_ATTR: uid
LDAP_URI: ldap://localhost
LOG_ARCHIVE_LOCATION: default
LOGS_MODEL: database
LOGS_MODEL_CONFIG: {}
MAIL_DEFAULT_SENDER: [email protected]
MAIL_PASSWORD: somesecurepassword
MAIL_PORT: 465
MAIL_SERVER: smtp.some.com
MAIL_USE_AUTH: true
MAIL_USE_TLS: true
MAIL_USERNAME: [email protected]
PREFERRED_URL_SCHEME: https
REGISTRY_TITLE: Project Quay
REGISTRY_TITLE_SHORT: Quay
REPO_MIRROR_INTERVAL: 30
REPO_MIRROR_TLS_VERIFY: true
SEARCH_MAX_RESULT_PAGE_COUNT: 10
SEARCH_RESULTS_PER_PAGE: 10
SECRET_KEY: 6cf643d5-lala-lala-lala-a8bdf9a6d341
# clair
SECURITY_SCANNER_INDEXING_INTERVAL: 30
SECURITY_SCANNER_V4_ENDPOINT: http://quay-clair:6000
SECURITY_SCANNER_V4_PSK: some_base64==
#
SERVER_HOSTNAME: example.com
SETUP_COMPLETE: true
SUPER_USERS:
  - admin
TAG_EXPIRATION_OPTIONS:
  - 0s
  - 1d
  - 1w
  - 2w
  - 4w
TEAM_RESYNC_STALE_TIME: 30m
TESTING: false
USE_CDN: false
USER_EVENTS_REDIS:
  host: quay-redis
  port: 6379
USER_RECOVERY_TOKEN_LIFETIME: 30m
USERFILES_LOCATION: default
Has anyone had a similar problem? Do you have any ideas?
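As an added troubleshooting helper (not part of the question, Quay or Clair): this parses Clair console log lines like the ones quoted above, extracts the layer URL the indexer tried to fetch and the address Go's dialer actually connected to, and flags when that host is not one of the compose services on Clair's network. The sample line and the service-name set are constructed from the post; `COMPOSE_SERVICES` is an assumption supplied by the caller.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the Clair output quoted in the question.
SAMPLE_LINE = (
    '9:54PM WRN layers fetch failure error="encountered error while fetching a layer: fetcher: '
    'request failed: Get \\"http://example.com/v2/server/test/blobs/sha256:cc067951b11fb09519e7620e2a9a0e84e216c660aed7a38f4f3cf004354e24e1\\": '
    'dial tcp 82.165.69.92:443: i/o timeout" component=internal/indexer/controller/Controller.Index '
    'manifest=sha256:a98415716a91066ef5e442969887ebb3df7d80775b5bfa7b67fcaed989833d84 state=FetchLayers'
)
# Container names on Clair's compose network, taken from the post's compose file (assumption).
COMPOSE_SERVICES = {"quay", "quay-db", "quay-redis", "quay-clair", "clair-db"}

# zerolog console format: <time> <LEVEL> <message> key=value key="quoted, \" escaped"
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_GET = re.compile(r'Get "([^"]+)"')          # URL inside the (unescaped) error text
_DIAL = re.compile(r'dial tcp (\S+:\d+):')   # address Go's dialer actually tried

def parse_fields(line):
    """Return the key=value fields of one console line, with quoted values unescaped."""
    fields = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields

def diagnose(line, local_services):
    """Summarise a 'layers fetch failure' line; None if the line carries no fetch URL."""
    fields = parse_fields(line)
    err = fields.get("error", "")
    url = _GET.search(err)
    if not url:
        return None
    target = urlsplit(url.group(1))
    dial = _DIAL.search(err)
    dialed = dial.group(1) if dial else None
    expected_port = target.port or {"http": 80, "https": 443}.get(target.scheme)
    findings = []
    if target.hostname not in local_services:
        findings.append(f"layer host {target.hostname!r} is not a service on Clair's network; "
                        "Clair must be able to reach the registry's external hostname")
    if dialed and int(dialed.rsplit(":", 1)[1]) != expected_port:
        findings.append(f"URL scheme is {target.scheme} but the connection went to {dialed}")
    if "i/o timeout" in err:
        findings.append("TCP connect timed out: a routing/egress problem, not an HTTP or PSK error")
    return {"manifest": fields.get("manifest"), "state": fields.get("state"),
            "layer_host": target.hostname, "dialed": dialed, "findings": findings}
```

Calling `diagnose(SAMPLE_LINE, COMPOSE_SERVICES)` on the quoted line reports that Clair tried to reach `example.com` at `82.165.69.92:443`, a host that is not on the `quay-backend` network, and that the connection timed out at the TCP layer.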