Debug School

Cover image for Clair on Quay in OpenShift
Suyash Sambhare
Suyash Sambhare

Posted on • Updated on

Clair on Quay in OpenShift

Set Up Clair on a Red Hat Quay OpenShift deployment

Deploying Via the Quay Operator

To set up Clair V4 on a Red Hat Quay deployment on OpenShift, it is highly suggested to use the Quay Operator. By default, the Quay Operator will install or upgrade a Clair deployment along with your Red Hat Quay deployment and configure Clair security scanning robotically.

Manually Deploying Clair

To configure Clair V4 on an active Red Hat Quay OpenShift deployment having Clair V2, first, confirm Red Hat Quay has been upgraded to at least version 3.4.0. Then use the subsequent steps to manually set up Clair V4 alongside Clair V2.
Set your present project to the name of the project in which Red Hat Quay is running.
$ oc project quay-enterprise

Create a Postgres deployment file for Clair v4.
clairv4-postgres.yaml

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: clairv4-postgres
  namespace: quay-enterprise
  labels:
    quay-component: clairv4-postgres
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-component: clairv4-postgres
  template:
    metadata:
      labels:
        quay-component: clairv4-postgres
    spec:
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: clairv4-postgres
      containers:
        - name: postgres
          image: postgres:11.5
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_USER
              value: "postgres"
            - name: POSTGRES_DB
              value: "clair"
            - name: POSTGRES_PASSWORD
              value: "postgres"
            - name: PGDATA
              value: "/etc/postgres/data"
          volumeMounts:
            - name: postgres-data
              mountPath: "/etc/postgres"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: clairv4-postgres
  labels:
    quay-component: clairv4-postgres
spec:
  accessModes:
    - "ReadWriteOnce"
  resources:
    requests:
      storage: "5Gi"
    volumeName: "clairv4-postgres"
---
apiVersion: v1
kind: Service
metadata:
  name: clairv4-postgres
  labels:
    quay-component: clairv4-postgres
spec:
  type: ClusterIP
  ports:
    - port: 5432
      protocol: TCP
      name: postgres
      targetPort: 5432
  selector:
    quay-component: clairv4-postgres
Enter fullscreen mode Exit fullscreen mode

Install the Postgres database

$ oc create -f ./clairv4-postgres.yaml
Generate a Clair config.yaml file to use for Clair v4.

config.yaml

introspection_addr: :8089
http_listen_addr: :8080
log_level: debug
indexer:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=root password=L!nux@123 sslmode=disable
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true
matcher:
  connstring: host=clairv4-postgres port=5432 dbname=clair user= root password=L!nux@123 sslmode=disable
  max_conn_pool: 100
  run: ""
  migrations: true
  indexer_addr: clair-indexer
notifier:
  connstring: host=clairv4-postgres port=5432 dbname=clair user= root password=L!nux@123 sslmode=disable
  delivery: 1m
  poll_interval: 5m
  migrations: true
auth:
  psk:
    key: MTHGWEFTNzJoMQ== 
    iss: ["quay"]
# tracing and metrics
trace:
  name: "jaeger"
  probability: 1
  jaeger:
    agent_endpoint: "localhost:6831"
    service_name: "clair"
metrics:
  name: "prometheus"
Enter fullscreen mode Exit fullscreen mode
  1. To create a Clair pre-shared key (PSK), allow scanning in the Security Scanner segment of the User Interface and tick Generate PSK.
  2. Generate a secret from the Clair config.yaml:

    $ oc create secret generic clairv4-config-secret --from-file=./config.yaml

  3. Generate the Clair v4 deployment file and modify it as necessary:
    clair-combo.yaml

    \---
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      labels:
        quay-component: clair\-combo
      name: clair\-combo
    spec:
      replicas: 1
      selector:
        matchLabels:
          quay-component: clair\-combo
      template:
        metadata:
          labels:
            quay-component: clair\-combo
        spec:
          containers:
            \- image: registry.redhat.io/quay/clair\-rhel8:v3.6.8
              imagePullPolicy: IfNotPresent
              name: clair\-combo
              env:
                \- name: CLAIR\_CONF
                  value: /clair/config.yaml
                \- name: CLAIR\_MODE
                  value: combo
              ports:
                \- containerPort: 8080
                  name: clair\-http
                  protocol: TCP
                \- containerPort: 8089
                  name: clair\-intro
                  protocol: TCP
              volumeMounts:
                \- mountPath: /clair/
                  name: config
          imagePullSecrets:
            \- name: redhat\-pull\-secret
          restartPolicy: Always
          volumes:
            \- name: config
              secret:
                secretName: clairv4\-config\-secret
    \---
    apiVersion: v1
    kind: Service
    metadata:
      name: clairv4
      labels:
        quay-component: clair\-combo
    spec:
      ports:
        \- name: clair\-http
          port: 80
          protocol: TCP
          targetPort: 8080
        \- name: clair\-introspection
          port: 8089
          protocol: TCP
          targetPort: 8089
      selector:
        quay-component: clair\-combo
      type: ClusterIP
Enter fullscreen mode Exit fullscreen mode

Modify the image to newest clair image name and version.
With the Service set to clairv4, the scanner endpoint for Clair v4 is entered later into the Red Hat Quay config.yaml in the SECURITY_SCANNER_V4_ENDPOINT as http://clairv4.

  1. Build the Clair v4 deployment file

    $ oc create -f ./clair-combo.yaml

  2. Change the config.yaml file for your Red Hat Quay deployment to add the next entries at the end:

    FEATURE\_SECURITY\_NOTIFICATIONS: true
    FEATURE\_SECURITY\_SCANNER: true
    SECURITY\_SCANNER\_V4\_ENDPOINT: http://clairv4
Enter fullscreen mode Exit fullscreen mode
Find the Clair v4 service endpoint
Enter fullscreen mode Exit fullscreen mode
  1. Redeploy the changed config.yaml to the secret holding that file

    $ oc delete secret quay-enterprise-config-secret
    $ oc create secret generic quay-enterprise-config-secret --from-file=./config.yaml

  2. For the new config.yaml to take effect, you need to restart the Red Hat Quay pods. Simply deleting the quay-app pods causes pods with the updated configuration to be deployed.

Images in any of the organizations identified in the namespace whitelist will be scanned by Clair v4.

Clair

Setting up Clair on a non-OpenShift Red Hat Quay deployment

For Red Hat Quay deployments not running on OpenShift, it is possible to configure Clair security scanning manually. Red Hat Quay deployments already running Clair V2 can use the instructions below to add Clair V4 to their deployment.

  1. Deploy a preferably fault-tolerant Postgres database server. Note that Clair requires the uuid-ossp extension to be added to its Postgres database. If the user-supplied in Clair’s config.yaml has the necessary privileges to create the extension then it will be added automatically by Clair itself. If not, then the extension must be added before starting Clair. If the extension is not present, the following error will be displayed when Clair attempts to start.

    ERROR: Please load the "uuid-ossp" extension. (SQLSTATE 42501)

  2. Create a Clair config file in a specific folder, for example, /etc/clairv4/config/config.yaml).

config.yaml

    introspection\_addr: :8089
    http\_listen\_addr: :8080
    log\_level: debug
    indexer:
      connstring: host=clairv4\-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
      scanlock\_retry: 10
      layer\_scan\_concurrency: 5
      migrations: true
    matcher:
      connstring: host=clairv4\-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
      max\_conn\_pool: 100
      run: ""
      migrations: true
      indexer\_addr: clair\-indexer
    notifier:
      connstring: host=clairv4\-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
      delivery\_interval: 1m
      poll\_interval: 5m
      migrations: true

    \# Tracing and metrics
    trace:
      name: "jaeger"
      probability: 1
      jaeger:
        agent\_endpoint: "localhost:6831"
        service\_name: "clair"
    metrics:
      name: "prometheus"
Enter fullscreen mode Exit fullscreen mode
  1. Run Clair via the container image, mounting in the configuration from the file you created.

    $ podman run -p 8080:8080 -p 8089:8089 -e CLAIR\_CONF=/clair/config.yaml -e CLAIR\_MODE=combo -v /etc/clair4/config:/clair -d registry.redhat.io/quay/clair-rhel8:v3.6.8

  2. Follow the remaining instructions from the previous section for configuring Red Hat Quay to use the new Clair V4 endpoint.

Running multiple Clair containers in this fashion is also possible, but for deployment scenarios beyond a single container the use of a container orchestrator like Kubernetes or OpenShift is strongly recommended.

Ref: https://access.redhat.com/documentation/en-us/red_hat_quay/3.6/html/manage_red_hat_quay/clair-intro2

Top comments (0)