Commit 3cfeb46c authored by qhoangxuan's avatar qhoangxuan

wi8 - clair

parent a47a16f6
FROM golang:1.8-alpine
MAINTAINER Quang-Nhat Hoang-Xuan <hxquangnhat@gmail.com>
VOLUME /config
EXPOSE 6060 6061
ENV GOPATH /go
RUN apk add --no-cache git bzr rpm xz && \
go get -v github.com/coreos/clair/cmd/clair && \
go install -v github.com/coreos/clair/cmd/clair && \
mv /go/bin/clair /clair && \
go install -v github.com/coreos/clair/contrib/analyze-local-images && \
mv /go/bin/analyze-local-images /bin/analyzer && \
rm -rf /go /usr/local/go
RUN apk update && \
apk add ca-certificates wget && \
update-ca-certificates
RUN wget https://get.docker.com/builds/Linux/x86_64/docker-17.03.0-ce.tgz && \
tar -xvf docker-17.03.0-ce.tgz && \
mv docker/docker /bin && \
rm -rf docker docker-17.03.0-ce.tgz
ENTRYPOINT ["/clair"]
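Review bot: The Docker CLI tarball fetched with `wget https://get.docker.com/builds/Linux/x86_64/docker-17.03.0-ce.tgz` is extracted and its binary moved into `/bin` without any integrity check, so a corrupted or tampered download would be installed silently; verifying the published digest before extracting is one added line, `echo "<SHA256_OF_TARBALL>  docker-17.03.0-ce.tgz" | sha256sum -c - && \`. The same reproducibility concern applies to `go get -v github.com/coreos/clair/cmd/clair`, which compiles whatever the default branch holds at build time rather than a tagged release, and the `apk add` package lists in both `RUN` steps are unpinned. `MAINTAINER` is deprecated in favour of `LABEL`, and `ENV GOPATH /go` uses the legacy space-separated form rather than `ENV GOPATH=/go`. The final image has no `USER`, so `/clair` runs as root; if that is required by the analyzer's use of the host Docker daemon, a comment saying so would make the choice deliberate.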
# Copyright 2015 clair authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# The values specified here are the default values that Clair uses if no configuration file is specified or if the keys are not defined.
clair:
database:
# PostgreSQL Connection string
# http://www.postgresql.org/docs/9.4/static/libpq-connect.html
type: pgsql
options:
source:
postgresql://postgres:password@clair_postgres:5432?sslmode=disable
# Number of elements kept in the cache
# Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
cacheSize: 16384
api:
# API server port
port: 6060
# Health server port
# This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server.
healthport: 6061
# Deadline before an API request will respond with a 503
timeout: 900s
# 32-bit URL-safe base64 key used to encrypt pagination tokens
# If one is not provided, it will be generated.
# Multiple clair instances in the same cluster need the same value.
paginationKey:
# Optional PKI configuration
# If you want to easily generate client certificates and CAs, try the following projects:
# https://github.com/coreos/etcd-ca
# https://github.com/cloudflare/cfssl
servername:
cafile:
keyfile:
certfile:
updater:
# Frequency the database will be updated with vulnerabilities from the default data sources
# The value 0 disables the updater entirely.
interval: 2h
notifier:
# Number of attempts before the notification is marked as failed to be sent
attempts: 3
# Duration before a failed notification is retried
renotifyInterval: 2h
http:
# Optional endpoint that will receive notifications via POST requests
endpoint:
# Optional PKI configuration
# If you want to easily generate client certificates and CAs, try the following projects:
# https://github.com/cloudflare/cfssl
# https://github.com/coreos/etcd-ca
servername:
cafile:
keyfile:
certfile:
# Optional HTTP Proxy: must be a valid URL (including the scheme).
proxy:
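Review bot: The `source:` connection string embeds the database password in a committed file and disables TLS via `sslmode=disable`, and the same literal is repeated as `POSTGRES_PASSWORD` in the compose file, so the two must be kept in sync by hand. If this database is a throwaway CI dependency, a comment above `source:` would stop the next reader from copying it into a real deployment, for example `# CI-only credentials; must match POSTGRES_PASSWORD in docker-compose.yml`. `paginationKey:` is left empty, which the file's own comment says is fine only for a single instance; noting that this CI setup runs exactly one clair container would document why that is acceptable here.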
version: '2'
services:
postgres:
container_name: clair_postgres
image: postgres:latest
environment:
POSTGRES_PASSWORD: password
clair:
container_name: clair_clair
image: hxquangnhat/clair:latest
depends_on:
- postgres
ports:
- "6060-6061:6060-6061"
links:
- postgres
volumes:
- /tmp:/tmp
- ./clair_config:/config
- /var/run/docker.sock:/var/run/docker.sock
command: [-config, /config/config.yaml]
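Review bot: Mounting `/var/run/docker.sock:/var/run/docker.sock` into the `clair` service gives that container full control of the host Docker daemon, which is equivalent to root on the CI host; the analyzer appears to need it to read local images, so the intent deserves a comment, for example `# analyzer needs the host daemon to export images; grants host-root-equivalent access`. Both `image: postgres:latest` and `image: hxquangnhat/clair:latest` are unpinned, so the scan results are not reproducible across runs; pinning a tag or digest would fix that. `links:` is redundant with `depends_on:` on a version 2 compose file and can be dropped, and the `/tmp:/tmp` host mount exposes the shared host temp directory to the container, which is worth a comment if it is required.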
......@@ -43,3 +43,17 @@ Zoe is composed of two main processes and depends on a number of external servic
Instead we are working on a suite of integration tests that will run Zoe components against real, live instances of the services Zoe depends on.
These tests will also be run before commits are pushed to the public repository.
Zapp image vulnerability scan
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
We use **clair**, a vulnerability static analyzer for Containers, from **CoreOS** to analyze Zoe docker image before using it.
If the base image you are using to build Zoe has too many vulnerabilities, you could choose another images which have less vulnerabilities.
The result after analyzing would be on the **console output** of the Jenkins job for Zoe. Insert the script below into the Zoe's Jenkins job to do the Clair analysis, all the necessary files could be found on ``ci/clair`` folder:
::
export imageID=`docker image inspect <your-registry-address>/zoe:$BUILD_ID | grep "Id" | awk -F ' ' '{print $2}' | awk -F ',' '{print $1}' | awk -F '"' '{print $2}'`
docker exec clair_clair analyzer $imageID