Set Up Clair on a Red Hat Quay OpenShift deployment
Deploying Via the Quay Operator
To set up Clair V4 on a Red Hat Quay deployment on OpenShift, it is highly suggested to use the Quay Operator. By default, the Quay Operator will install or upgrade a Clair deployment along with your Red Hat Quay deployment and configure Clair security scanning robotically.
Manually Deploying Clair
To configure Clair V4 on an active Red Hat Quay OpenShift deployment having Clair V2, first, confirm Red Hat Quay has been upgraded to at least version 3.4.0. Then use the subsequent steps to manually set up Clair V4 alongside Clair V2.
Set your present project to the name of the project in which Red Hat Quay is running.
$ oc project quay-enterprise
Create a Postgres deployment file for Clair v4.
clairv4-postgres.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: clairv4-postgres
namespace: quay-enterprise
labels:
quay-component: clairv4-postgres
spec:
replicas: 1
selector:
matchLabels:
quay-component: clairv4-postgres
template:
metadata:
labels:
quay-component: clairv4-postgres
spec:
volumes:
- name: postgres-data
persistentVolumeClaim:
claimName: clairv4-postgres
containers:
- name: postgres
image: postgres:11.5
imagePullPolicy: "IfNotPresent"
ports:
- containerPort: 5432
env:
- name: POSTGRES_USER
value: "postgres"
- name: POSTGRES_DB
value: "clair"
- name: POSTGRES_PASSWORD
value: "postgres"
- name: PGDATA
value: "/etc/postgres/data"
volumeMounts:
- name: postgres-data
mountPath: "/etc/postgres"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: clairv4-postgres
labels:
quay-component: clairv4-postgres
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: "5Gi"
volumeName: "clairv4-postgres"
---
apiVersion: v1
kind: Service
metadata:
name: clairv4-postgres
labels:
quay-component: clairv4-postgres
spec:
type: ClusterIP
ports:
- port: 5432
protocol: TCP
name: postgres
targetPort: 5432
selector:
quay-component: clairv4-postgres
Install the Postgres database
$ oc create -f ./clairv4-postgres.yaml
Generate a Clair config.yaml file to use for Clair v4.
config.yaml
introspection_addr: :8089
http_listen_addr: :8080
log_level: debug
indexer:
connstring: host=clairv4-postgres port=5432 dbname=clair user=root password=L!nux@123 sslmode=disable
scanlock_retry: 10
layer_scan_concurrency: 5
migrations: true
matcher:
connstring: host=clairv4-postgres port=5432 dbname=clair user= root password=L!nux@123 sslmode=disable
max_conn_pool: 100
run: ""
migrations: true
indexer_addr: clair-indexer
notifier:
connstring: host=clairv4-postgres port=5432 dbname=clair user= root password=L!nux@123 sslmode=disable
delivery: 1m
poll_interval: 5m
migrations: true
auth:
psk:
key: MTHGWEFTNzJoMQ==
iss: ["quay"]
# tracing and metrics
trace:
name: "jaeger"
probability: 1
jaeger:
agent_endpoint: "localhost:6831"
service_name: "clair"
metrics:
name: "prometheus"
- To create a Clair pre-shared key (PSK), allow
scanning
in the Security Scanner segment of the User Interface and tickGenerate PSK
. -
Generate a secret from the Clair
config.yaml
:$ oc create secret generic clairv4-config-secret --from-file=./config.yaml
Generate the Clair v4 deployment file and modify it as necessary:
clair-combo.yaml
\---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
quay-component: clair\-combo
name: clair\-combo
spec:
replicas: 1
selector:
matchLabels:
quay-component: clair\-combo
template:
metadata:
labels:
quay-component: clair\-combo
spec:
containers:
\- image: registry.redhat.io/quay/clair\-rhel8:v3.6.8
imagePullPolicy: IfNotPresent
name: clair\-combo
env:
\- name: CLAIR\_CONF
value: /clair/config.yaml
\- name: CLAIR\_MODE
value: combo
ports:
\- containerPort: 8080
name: clair\-http
protocol: TCP
\- containerPort: 8089
name: clair\-intro
protocol: TCP
volumeMounts:
\- mountPath: /clair/
name: config
imagePullSecrets:
\- name: redhat\-pull\-secret
restartPolicy: Always
volumes:
\- name: config
secret:
secretName: clairv4\-config\-secret
\---
apiVersion: v1
kind: Service
metadata:
name: clairv4
labels:
quay-component: clair\-combo
spec:
ports:
\- name: clair\-http
port: 80
protocol: TCP
targetPort: 8080
\- name: clair\-introspection
port: 8089
protocol: TCP
targetPort: 8089
selector:
quay-component: clair\-combo
type: ClusterIP
Modify the image to newest clair image name and version.
With the Service set to clairv4, the scanner endpoint for Clair v4 is entered later into the Red Hat Quay config.yaml
in the SECURITY_SCANNER_V4_ENDPOINT
as http://clairv4
.
-
Build the Clair v4 deployment file
$ oc create -f ./clair-combo.yaml
Change the
config.yaml
file for your Red Hat Quay deployment to add the next entries at the end:
FEATURE\_SECURITY\_NOTIFICATIONS: true
FEATURE\_SECURITY\_SCANNER: true
SECURITY\_SCANNER\_V4\_ENDPOINT: http://clairv4
Find the Clair v4 service endpoint
-
Redeploy the changed
config.yaml
to the secret holding that file$ oc delete secret quay-enterprise-config-secret
$ oc create secret generic quay-enterprise-config-secret --from-file=./config.yaml
For the new
config.yaml
to take effect, you need to restart the Red Hat Quay pods. Simply deleting thequay-app
pods causes pods with the updated configuration to be deployed.
Images in any of the organizations identified in the namespace whitelist will be scanned by Clair v4.
Setting up Clair on a non-OpenShift Red Hat Quay deployment
For Red Hat Quay deployments not running on OpenShift, it is possible to configure Clair security scanning manually. Red Hat Quay deployments already running Clair V2 can use the instructions below to add Clair V4 to their deployment.
-
Deploy a preferably fault-tolerant Postgres database server. Note that Clair requires the
uuid-ossp
extension to be added to its Postgres database. If the user-supplied in Clair’sconfig.yaml
has the necessary privileges to create the extension then it will be added automatically by Clair itself. If not, then the extension must be added before starting Clair. If the extension is not present, the following error will be displayed when Clair attempts to start.ERROR: Please load the "uuid-ossp" extension. (SQLSTATE 42501)
Create a Clair config file in a specific folder, for example,
/etc/clairv4/config/config.yaml
).
config.yaml
introspection\_addr: :8089
http\_listen\_addr: :8080
log\_level: debug
indexer:
connstring: host=clairv4\-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
scanlock\_retry: 10
layer\_scan\_concurrency: 5
migrations: true
matcher:
connstring: host=clairv4\-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
max\_conn\_pool: 100
run: ""
migrations: true
indexer\_addr: clair\-indexer
notifier:
connstring: host=clairv4\-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
delivery\_interval: 1m
poll\_interval: 5m
migrations: true
\# Tracing and metrics
trace:
name: "jaeger"
probability: 1
jaeger:
agent\_endpoint: "localhost:6831"
service\_name: "clair"
metrics:
name: "prometheus"
-
Run Clair via the container image, mounting in the configuration from the file you created.
$ podman run -p 8080:8080 -p 8089:8089 -e CLAIR\_CONF=/clair/config.yaml -e CLAIR\_MODE=combo -v /etc/clair4/config:/clair -d registry.redhat.io/quay/clair-rhel8:v3.6.8
Follow the remaining instructions from the previous section for configuring Red Hat Quay to use the new Clair V4 endpoint.
Running multiple Clair containers in this fashion is also possible, but for deployment scenarios beyond a single container the use of a container orchestrator like Kubernetes or OpenShift is strongly recommended.
Ref: https://access.redhat.com/documentation/en-us/red_hat_quay/3.6/html/manage_red_hat_quay/clair-intro2
Top comments (0)