
Integrating Quay and Clair

2020-01-31 18:53:57



Versions: based on Quay 3.2 and Clair 3.2.

1. Set up DNS (named)

Reference:

https://www.cnblogs.com/ericnie/p/12233269.html

2. Set up Quay's basic services

Reference:

https://www.cnblogs.com/ericnie/p/12233269.html

One update here: during configuration, after generating the SSL key, paste it directly into the configuration UI.


Then select Security Scanner and write down the key ID, for example:

700660d27213683afbeafa8da4af9b53ff933dba4b8614e39c1bd717cf84f72c


Extracting the archive directly under /mnt/quay/config yields:

[root@registry config]# ls
config.yaml  extra_ca_certs  quay-config.tar.gz  ssl.cert  ssl.key

Start Quay, open the Quay UI and go to the superuser panel; the key is visible there. Do not delete it. Do not delete it. Do not delete it.


Note: after Quay starts, make sure the jwtproxy service is running:

[root@f2072855dcac quay-registry]# ps -aux | grep jwtproxy
root       196  0.0  0.1 303656 13620 ?        Sl   10:14   0:00 /usr/local/bin/jwtproxy --config /quay-registry/conf/jwtproxy_conf.yaml
root       552  0.0  0.0  10692   976 ?        R+   10:43   0:00 grep --color=auto jwtproxy


3. Configure Clair

docker run --name postgres -p 5432:5432 -d postgres
sleep 5
docker run --rm --link postgres:postgres postgres \
   sh -c 'echo "create database clairtest" | psql -h \
   "$POSTGRES_PORT_5432_TCP_ADDR" -p  \
   "$POSTGRES_PORT_5432_TCP_PORT" -U postgres'


mkdir /clair-config

config.yaml:

[root@registry config]# cat /clair-config/config.yaml 
clair:
  database:
    type: pgsql
    options:
      # A PostgreSQL Connection string pointing to the Clair Postgres database.
      # Documentation on the format can be found at: http://www.postgresql.org/docs/9.4/static/libpq-connect.html
      source: postgresql://postgres@192.168.56.107:5432/clairtest?sslmode=disable
      cachesize: 16384
  api:
    # The port at which Clair will report its health status. For example, if Clair is running at
    # https://clair.mycompany.com, the health will be reported at
    # http://clair.mycompany.com:6061/health.
    healthport: 6061

    port: 6062
    timeout: 900s

    # paginationkey can be any random set of characters. *Must be the same across all Clair instances*.
    paginationkey: "XxoPtCUzrUv4JV5dS+yQ+MdW7yLEJnRMwigVY/bpgtQ="

  updater:
    # interval defines how often Clair will check for updates from its upstream vulnerability databases.
    interval: 6h
    notifier:
      attempts: 3
      renotifyinterval: 1h
      http:
        # QUAY_ENDPOINT defines the endpoint at which Quay is running.
        # For example: https://myregistry.mycompany.com
        endpoint: https://registry.example.com/secscan/notify
        proxy: http://localhost:6063
jwtproxy:
  signer_proxy:
    enabled: true
    listen_addr: :6063
    ca_key_file: /certificates/mitm.key # Generated internally, do not change.
    ca_crt_file: /certificates/mitm.crt # Generated internally, do not change.
    signer:
      issuer: security_scanner
      expiration_time: 5m
      max_skew: 1m
      nonce_length: 32
      private_key:
        type: preshared
        options:
          # The ID of the service key generated for Clair. The ID is returned when setting up
          # the key in [Quay Setup](security-scanning.md)
          key_id: 700660d27213683afbeafa8da4af9b53ff933dba4b8614e39c1bd717cf84f72c
          private_key_path: /clair/config/security_scanner.pem


  verifier_proxies:
  - enabled: true
    # The port at which Clair will listen.
    listen_addr: :6060

    # If Clair is to be served via TLS, uncomment these lines. See the "Running Clair under TLS"
    # section below for more information.
    # key_file: /clair/config/clair.key
    # crt_file: /clair/config/clair.crt

    verifier:
      # CLAIR_ENDPOINT is the endpoint at which this Clair will be accessible. Note that the port
      # specified here must match the listen_addr port a few lines above this.
      # Example: https://myclair.mycompany.com:6060
      audience: http://registry.example.com:6060

      upstream: http://localhost:6062
      key_server:
        type: keyregistry
        options:
          # QUAY_ENDPOINT defines the endpoint at which Quay is running.
          # Example: https://myregistry.mycompany.com
          registry: https://registry.example.com/keys/
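Several of the comments in the config above are cross-references (the verifier audience port must match its listen_addr, the notifier proxy must point at the signer_proxy, the key_id must be the one Quay shows under Security Scanner). The following is an added example, not code from the original post or from Quay/Clair, that checks those cross-references on a config already loaded into a dict (for instance with yaml.safe_load); SAMPLE_CONFIG is a constructed mirror of the relevant keys, and broken_copy() is a constructed misconfiguration.

```python
from copy import deepcopy
from urllib.parse import urlparse

SAMPLE_CONFIG = {  # constructed to mirror the config.yaml above (only the keys the checks use)
    "clair": {"api": {"port": 6062},
              "updater": {"notifier": {"http": {"endpoint": "https://registry.example.com/secscan/notify",
                                                "proxy": "http://localhost:6063"}}}},
    "jwtproxy": {
        "signer_proxy": {"listen_addr": ":6063", "signer": {"private_key": {"type": "preshared",
            "options": {"key_id": "700660d27213683afbeafa8da4af9b53ff933dba4b8614e39c1bd717cf84f72c"}}}},
        "verifier_proxies": [{"listen_addr": ":6060", "verifier": {
            "audience": "http://registry.example.com:6060", "upstream": "http://localhost:6062",
            "key_server": {"type": "keyregistry", "options": {"registry": "https://registry.example.com/keys/"}}}}]}}

def _listen_port(addr):  # jwtproxy listen_addr looks like ":6060" or "host:6060"
    return int(addr.rsplit(":", 1)[1])

def _url_port(url):
    u = urlparse(url)
    return u.port or (443 if u.scheme == "https" else 80)

def check_clair_config(cfg, quay_key_id):
    """Return a list of problems; an empty list means the Quay/Clair wiring is consistent."""
    problems = []
    api, jwt = cfg["clair"]["api"], cfg["jwtproxy"]
    signer, notifier = jwt["signer_proxy"], cfg["clair"]["updater"]["notifier"]["http"]
    pk = signer["signer"]["private_key"]
    if pk["type"] != "preshared" or pk["options"]["key_id"] != quay_key_id:
        problems.append("signer key_id != ID shown under Security Scanner in Quay")
    if _url_port(notifier["proxy"]) != _listen_port(signer["listen_addr"]):
        problems.append("notifier.http.proxy port != signer_proxy.listen_addr port")
    quay_host = urlparse(notifier["endpoint"]).hostname
    for i, vp in enumerate(jwt["verifier_proxies"]):
        v = vp["verifier"]
        if _url_port(v["audience"]) != _listen_port(vp["listen_addr"]):
            problems.append(f"verifier[{i}] audience port != its listen_addr port")
        if _url_port(v["upstream"]) != api["port"]:
            problems.append(f"verifier[{i}] upstream port != clair.api.port")
        if urlparse(v["key_server"]["options"]["registry"]).hostname != quay_host:
            problems.append(f"verifier[{i}] key_server host != notifier endpoint host")
    return problems

def broken_copy():
    """Constructed misconfiguration: wrong audience port and a stale key_id."""
    bad = deepcopy(SAMPLE_CONFIG)
    bad["jwtproxy"]["verifier_proxies"][0]["verifier"]["audience"] = "http://registry.example.com:6061"
    bad["jwtproxy"]["signer_proxy"]["signer"]["private_key"]["options"]["key_id"] = "stale-key-id"
    return bad
```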


[root@registry clair-config]# ls
config.yaml  security_scanner.pem

Start Clair:

docker run --restart=always -p 6060:6060 -p 6061:6061 \
   -v /clair-config:/clair/config \
   -v /mnt/quay/config/extra_ca_certs/rootCA.crt:/etc/pki/ca-trust/source/anchors/ca.crt  \
   quay.io/redhat/clair-jwt:v3.2.0


4. Push an image and verify

cp rootCA.pem /etc/docker/certs.d/registry.redhat.ren/ca.crt

[root@registry ~]# docker push registry.example.com/admin/debian34:9.5
The push refers to a repository [registry.example.com/admin/debian34]
f715ed19c28b: Pushed 
9.5: digest: sha256:bbb3345ed2e7548dc7a53385b724374ecfb166489a1066cc31b345d0d767df78 size: 529

Go to the Quay UI:


Key pitfalls

  • DNS
  • The key shared between Quay and Clair
  • jwtproxy
  • Clair's config.yaml

This took several days of fiddling....


Source: https://www.cnblogs.com/ericnie/p/12246243.html
