最近coreos 发布了第一个稳定版的 Clair。 Clair 是用于静态分析容器漏洞的。
项目地址: https://github.com/coreos/clair
安装说明: https://github.com/coreos/clai ... ME.md
api使用说明: https://github.com/coreos/clai ... ME.md
说明里有些不到位的地方,我自己整理了一下:
Clair 仓库里的文档不是很全,我用下面的命令在docker 安装的
$ docker run --name some-postgres -e POSTGRES_PASSWORD=mysecretpassword -d postgres
$ mkdir $HOME/clair_config
$ curl -L https://raw.githubusercontent.com/coreos/clair/master/config.example.yaml -o $HOME/clair_config/config.yaml
$ $EDITOR $HOME/clair_config/config.yaml # Add the URI for your postgres database
这行: source: postgresql://postgres:mysecretpassword@postgres:5432?sslmode=disable
$ docker run -d --link some-postgres:postgres -p 6060-6061:6060-6061 -v $HOME/clair_config:/config quay.io/coreos/clair -config=/config/config.yaml
需要运行一段时间,namespaces会自动增加的。
$ http GET http://192.168.99.100:6060/v1/namespaces
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Length: 139
Content-Type: application/json;charset=utf-8
Date: Wed, 23 Mar 2016 13:40:29 GMT
Server: clair
{
"Namespaces": [
{
"Name": "debian:9"
},
{
"Name": "debian:7"
},
{
"Name": "debian:unstable"
},
{
"Name": "debian:8"
},
{
"Name": "debian:6"
},
{
"Name": "ubuntu:15.04"
},
{
"Name": "ubuntu:14.04"
},
{
"Name": "ubuntu:14.10"
},
{
"Name": "ubuntu:12.04"
},
{
"Name": "ubuntu:15.10"
},
{
"Name": "ubuntu:12.10"
},
{
"Name": "ubuntu:13.04"
},
{
"Name": "centos:6"
},
{
"Name": "centos:7"
},
{
"Name": "alpine:3.3.1"
}
]
}
安装后,会有个6060端口和6061 端口开放,如果你是在Mac OSX 里运行的话,需要找到docker-machine 的IP 地址:
$ docker-machine ip default
192.168.99.100
另外建议下载httpie 来方便的运行 API 命令, 安装指南在这里: https://github.com/jkbrzt/httpie
$ export GOPATH=~/go
$ go get -u github.com/coreos/clair/contrib/analyze-local-images
$ docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
alpine 3.3 sha256:90239 4 weeks ago 4.794 MB
python 2.7-alpine sha256:dd22f 4 days ago 72.59 MB
$ ~/go/bin/analyze-local-images -endpoint "http://192.168.99.100:6060" -my-address "192.168.99.1" sha256:bdeba
2016-03-24 00:51:46.402394 I | Saving sha256:dd22f to local disk (this may take some time)
2016-03-24 00:51:50.790207 I | Retrieving image history
2016-03-24 00:51:50.790498 I | Setting up HTTP server (allowing: 192.168.99.100)
2016-03-24 00:51:50.993039 I | Analyzing 7 layers...
2016-03-24 00:51:50.993078 I | Analyzing 061232993debe19e048a5d9c774c5d338548ecfbb0239ee4163126dae0140dd6
2016-03-24 00:51:50.996947 I | Analyzing 1c65a9822da53a4a95961435f56ef33f4477ca1565eb9c1d58a5070016859282
2016-03-24 00:51:51.000084 I | Analyzing 4390cef4f59e1f151361d40db43d4960f23625eca66ebb774bfa37893cf680ae
2016-03-24 00:51:51.002810 I | Analyzing bb00ffee73d2d2be09d5b5aef31741e5dc126d8df016b74e0fe00db64dd9b84b
2016-03-24 00:51:51.023537 I | Analyzing fbafe5adf71025904c4b57092474acd0fb4f23e3f3ad47e2b096ae3098655974
2016-03-24 00:51:51.038989 I | Analyzing 0a58753f8a1d1e69295cf09a7903683c4ef938443cc54eef97ae12c5b430e929
2016-03-24 00:51:51.042544 I | Analyzing cf539c4370716f1d668d8c6dd3e0a511b0bf59ce70eb6fe8970e57c1b6a7b8ee
2016-03-24 00:51:51.047216 I | Retrieving image's vulnerabilities
Clair report for image sha256:dd22f (2016-03-23 13:51:51.075386919 +0000 UTC)
NOTE: No features have been detected in the image. This usually means that the image isn't supported by Clair.
endpoint 就是docker 的IP, my-address 就是你和clair容器通讯时的IP。sha256:dd22f 是镜像的 ID
最后,我运行了几个镜像,一直是说没有监测到问题。大家有建议的话,请回复。