[Translation] How to install anchore with docker-compose


  How to install anchore with docker-compose. This article is translated from "Install with Docker Compose".

Preface

  In this section you will learn how to get a standalone Anchore Engine installation up and running with Docker Compose for trial, demo and inspection purposes.

Requirements

  The following instructions assume you are on a system running Docker v1.12 or later, with a version of Docker Compose that supports at least compose file format v2.

  The standalone installation requires at least 4GB of RAM and enough free disk space to hold the largest container image you intend to analyze (we recommend 3x the size of the largest image). For small images/tests (basic Linux distribution images, database images, etc.), 5GB to 10GB of disk space should suffice.

Local environment

[root@localhost ~]# cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 
[root@localhost ~]# docker -v
Docker version 19.03.4, build 9013bf583a
[root@localhost ~]# docker-compose  -v
docker-compose version 1.24.1, build 4667896

Installation and usage steps

Set up the installation path

  Create a directory to store the configuration files.

# mkdir ~/aevolume
# cd ~/aevolume

Copy the configuration files

  Download the latest Anchore Engine container image, which contains the docker-compose.yaml and configuration files needed for deployment.

# docker pull docker.io/anchore/anchore-engine:latest

  Next, copy the bundled docker-compose.yaml into the ~/aevolume/ directory.

# docker create --name ae docker.io/anchore/anchore-engine:latest
# docker cp ae:/docker-compose.yaml ~/aevolume/docker-compose.yaml
# docker rm ae

  After these steps, the ~/aevolume/ workspace should now look like this:

# cd ~/aevolume
# find .
.
./docker-compose.yaml

Download and run the containers

  Download the containers listed in docker-compose.yaml and start the whole installation with the docker-compose CLI.

  Note: by default all services, including the bundled database instance, are ephemeral; data will be lost on shutdown/restart.

# cd ~/aevolume        # no need to switch if you are already in ~/aevolume
# docker-compose pull     # pull the images
# docker-compose up -d       # start the containers

Verify service availability

  After a few minutes (depending on system speed) your Anchore Engine services should be up and running and ready to use. You can verify that the containers are running with Docker Compose.

Just started

  If you check the status right away, you can see the services are still in the starting state (starting...).

[root@localhost aevolume]# docker-compose ps
             Name                            Command                       State                   Ports
-----------------------------------------------------------------------------------------------------------------
aevolume_anchore-db_1             docker-entrypoint.sh postgres    Up                      5432/tcp
aevolume_engine-analyzer_1        /docker-entrypoint.sh anch ...   Up (health: starting)   8228/tcp
aevolume_engine-api_1             /docker-entrypoint.sh anch ...   Up (health: starting)   0.0.0.0:8228->8228/tcp
aevolume_engine-catalog_1         /docker-entrypoint.sh anch ...   Up (health: starting)   8228/tcp
aevolume_engine-policy-engine_1   /docker-entrypoint.sh anch ...   Up (health: starting)   8228/tcp
aevolume_engine-simpleq_1         /docker-entrypoint.sh anch ...   Up (health: starting)   8228/tcp

Startup complete

  Once startup has completed, the state is Up (healthy).

[root@localhost aevolume]# docker-compose ps
             Name                            Command                  State               Ports
--------------------------------------------------------------------------------------------------------
aevolume_anchore-db_1             docker-entrypoint.sh postgres    Up             5432/tcp
aevolume_engine-analyzer_1        /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp
aevolume_engine-api_1             /docker-entrypoint.sh anch ...   Up (healthy)   0.0.0.0:8228->8228/tcp
aevolume_engine-catalog_1         /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp
aevolume_engine-policy-engine_1   /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp
aevolume_engine-simpleq_1         /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp
[root@localhost aevolume]#

  If it reports unhealthy, it is basically dead; when I installed it on Ubuntu 18.10 it reported unhealthy.

  You can run the following command to get the status of the Anchore Engine services:

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli system status
Service policy_engine (anchore-quickstart, http://engine-policy-engine:8228): up
Service catalog (anchore-quickstart, http://engine-catalog:8228): up
Service analyzer (anchore-quickstart, http://engine-analyzer:8228): up
Service simplequeue (anchore-quickstart, http://engine-simpleq:8228): up
Service apiext (anchore-quickstart, http://engine-api:8228): up

Engine DB Version: 0.0.11
Engine Code Version: 0.5.1

[Note 1] The first time Anchore Engine runs, the vulnerability data takes some time (10 minutes or more, depending on network speed) to sync into the engine. For the best experience, wait until the core vulnerability data feeds have finished syncing before continuing. You can check the status of the feed sync with the CLI:

[Note 2] Connections from within China may have problems; if the result you get is an empty [], it means "there is a network problem".

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli system feeds list
Feed                   Group                  LastSync                          RecordCount        
nvdv2                  nvdv2:cves             None                              0                  
vulnerabilities        alpine:3.10            2019-10-24T10:49:28.863794        1485               
vulnerabilities        alpine:3.3             2019-10-24T10:49:30.419939        457                
vulnerabilities        alpine:3.4             2019-10-24T10:49:31.636178        681                
vulnerabilities        alpine:3.5             2019-10-24T10:49:32.463535        875                
vulnerabilities        alpine:3.6             2019-10-24T10:49:34.712758        1051               
vulnerabilities        alpine:3.7             2019-10-24T10:49:35.736285        1253               
vulnerabilities        alpine:3.8             2019-10-24T10:49:36.873816        1335               
vulnerabilities        alpine:3.9             2019-10-24T10:49:40.829436        1428               
vulnerabilities        amzn:2                 2019-10-24T10:49:42.072979        232                
vulnerabilities        centos:5               2019-10-24T10:49:43.330519        1325               
vulnerabilities        centos:6               2019-10-24T10:49:44.793265        1357               
vulnerabilities        centos:7               2019-10-24T10:49:46.020503        905                
vulnerabilities        centos:8               2019-10-24T10:49:48.220903        78                 
vulnerabilities        debian:10              2019-10-24T10:49:49.230547        21389              
vulnerabilities        debian:11              2019-10-24T10:49:38.252045        18125              
vulnerabilities        debian:7               2019-10-24T10:49:39.583650        20455              
vulnerabilities        debian:8               2019-10-24T10:50:05.533995        22668              
vulnerabilities        debian:9               2019-10-24T10:49:50.416781        21553              
vulnerabilities        debian:unstable        2019-10-24T10:49:54.364496        22481              
vulnerabilities        ol:5                   2019-10-24T10:49:55.540285        1239               
vulnerabilities        ol:6                   2019-10-24T10:49:56.853690        1459               
vulnerabilities        ol:7                   2019-10-24T10:49:58.064640        1048               
vulnerabilities        ol:8                   2019-10-24T10:49:59.457818        71                 
vulnerabilities        ubuntu:12.04           2019-10-24T10:50:00.744212        14948              
vulnerabilities        ubuntu:12.10           2019-10-24T10:50:01.919411        5652               
vulnerabilities        ubuntu:13.04           2019-10-24T10:50:03.075236        4127               
vulnerabilities        ubuntu:14.04           2019-10-24T10:49:52.005554        19946              
vulnerabilities        ubuntu:14.10           2019-10-24T10:49:53.374428        4456               
vulnerabilities        ubuntu:15.04           2019-10-24T10:50:04.390020        5860               
vulnerabilities        ubuntu:15.10           2019-10-24T10:49:13.443607        6513               
vulnerabilities        ubuntu:16.04           2019-10-24T10:49:15.202243        17063              
vulnerabilities        ubuntu:16.10           2019-10-24T10:49:16.851464        8647               
vulnerabilities        ubuntu:17.04           2019-10-24T10:49:18.700772        9157               
vulnerabilities        ubuntu:17.10           2019-10-24T10:49:19.923028        7935               
vulnerabilities        ubuntu:18.04           2019-10-24T10:49:23.690570        11315              
vulnerabilities        ubuntu:18.10           2019-10-24T10:49:25.060819        8392               
vulnerabilities        ubuntu:19.04           2019-10-24T10:49:26.393018        7855               
vulnerabilities        ubuntu:19.10           2019-10-24T10:49:27.653338        6086         

  Once you see record count values > 0 for all vulnerability groups, the system is fully populated and ready to show vulnerability results. Note that feed syncs are incremental, so the next time Anchore Engine starts it will be ready immediately. The CLI includes a handy utility that blocks until the feeds have finished syncing successfully:

[Note] In China this takes far longer than 10 minutes.

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli system wait
Starting checks to wait for anchore-engine to be available timeout=-1.0 interval=5.0
API availability: Checking anchore-engine URL (http://localhost:8228)...
API availability: Success.
Service availability: Checking for service set (catalog,apiext,policy_engine,simplequeue,analyzer)...
Service availability: Success.
Feed sync: Checking sync completion for feed set (vulnerabilities)...
Feed sync: Success.

Using Anchore

  Start using the Anchore Engine service to analyze images. Below is a short example that demonstrates the basic workflow: adding a container image for analysis, waiting for the analysis to complete, and then running a content report, a vulnerability scan and a policy evaluation against the analyzed image.

Add an image

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image add docker.io/library/debian:7
Image Digest: sha256:81e88820a7759038ffa61cff59dfcc12d3772c3a2e75b7cfe963c952da2ad264
Parent Digest: sha256:2259b099d947443e44bbd1c94967c785361af8fd22df48a08a3942e2d5630849
Analysis Status: analyzed
Image Type: docker
Analyzed At: 2019-10-24T08:51:47Z
Image ID: 10fcec6d95c4a29f49fa388ed39cded37e63a1532a081ae2386193942fc12e21
Dockerfile Mode: Guessed
Distro: debian
Distro Version: 7
Size: 100884480
Architecture: amd64
Layer Count: 1

Full Tag: docker.io/library/debian:7
Tag Detected At: 2019-10-24T08:50:36Z

Analyze the image

  Mine here has already been analyzed.

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image wait docker.io/library/debian:7
Image Digest: sha256:81e88820a7759038ffa61cff59dfcc12d3772c3a2e75b7cfe963c952da2ad264
Parent Digest: sha256:2259b099d947443e44bbd1c94967c785361af8fd22df48a08a3942e2d5630849
Analysis Status: analyzed      
Image Type: docker
Analyzed At: 2019-10-24T08:51:47Z
Image ID: 10fcec6d95c4a29f49fa388ed39cded37e63a1532a081ae2386193942fc12e21
Dockerfile Mode: Guessed
Distro: debian
Distro Version: 7
Size: 100884480
Architecture: amd64
Layer Count: 1

Full Tag: docker.io/library/debian:7
Tag Detected At: 2019-10-24T08:50:36Z

View image information

  You can use the following command:

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image content docker.io/library/debian:7
os: available
files: available
npm: available
gem: available
python: available
java: available

  We use the os content type to view the operating system packages:

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image content docker.io/library/debian:7 os
Package                       Version                      License                                                                                                                                                                                                                           
apt                           0.9.7.9+deb7u7               GPLv2+                                                                                                                                                                                                                            
base-files                    7.1wheezy11                  Unknown  
...

View vulnerability information

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image vuln docker.io/library/debian:7 all 
Vulnerability ID        Package                                  Severity          Fix         CVE Refs        Vulnerability URL                                                 
CVE-2005-2541           tar-1.26+dfsg-0.1+deb7u1                 Negligible        None                        https://security-tracker.debian.org/tracker/CVE-2005-2541         
CVE-2007-5686           login-1:4.1.5.1-1+deb7u1                 Negligible        None                        https://security-tracker.debian.org/tracker/CVE-2007-5686         
CVE-2007-5686           passwd-1:4.1.5.1-1+deb7u1                Negligible        None                        https://security-tracker.debian.org/tracker/CVE-2007-5686         
CVE-2007-6755           libssl1.0.0-1.0.1t-1+deb7u4              Negligible        None                        https://security-tracker.debian.org/tracker/CVE-2007-6755       
...

Evaluate the image

[root@localhost aevolume]# docker-compose exec engine-api anchore-cli evaluate check docker.io/library/debian:7
Image Digest: sha256:81e88820a7759038ffa61cff59dfcc12d3772c3a2e75b7cfe963c952da2ad264
Full Tag: docker.io/library/debian:7 Status: pass                  # image passed the check
Last Eval: 2019-10-24T11:01:03Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060

  Note: this document is intended as a quick-start guide. Before going further with Anchore into scanning, policy evaluation, image content reporting, CI/CD integration and other features, it is strongly recommended that you read the Overview section to deepen your understanding of the basic principles, concepts and correct usage.

Testing nginx

  We can test other images by following the steps above; here we pick an old version, nginx:1.11.1.

[root@localhost aevolume]# docker pull nginx:1.11.1 # pull the image
[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image add nginx:1.11.1    # add it for analysis
Image Digest: sha256:0fe6413f3e30fcc5920bc8fa769280975b10b1c26721de956e1428b9e2f29d04
Parent Digest: sha256:0fe6413f3e30fcc5920bc8fa769280975b10b1c26721de956e1428b9e2f29d04
Analysis Status: analyzed
Image Type: docker
Analyzed At: 2019-10-24T11:36:55Z
Image ID: 0d409d33b27e47423b049f7f863faa08655a8c901749c2b25b93ca67d01a470d
Dockerfile Mode: Guessed
Distro: debian
Distro Version: 8
Size: 200519680
Architecture: amd64
Layer Count: 8

Full Tag: docker.io/nginx:1.11.1
Tag Detected At: 2019-10-24T11:34:48Z
[root@localhost aevolume]# docker-compose exec engine-api anchore-cli evaluate check nginx:1.11.1
Image Digest: sha256:0fe6413f3e30fcc5920bc8fa769280975b10b1c26721de956e1428b9e2f29d04
Full Tag: docker.io/nginx:1.11.1 Status: pass # check passed
Last Eval: 2019-10-24T11:53:40Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060

# There are many vulnerabilities, most of them Negligible or Unknown, so we filter them directly with a regex
[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image vuln nginx:1.11.1 all | grep High
[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image vuln nginx:1.11.1 all | grep Medium
[root@localhost aevolume]# docker-compose exec engine-api anchore-cli image vuln nginx:1.11.1 all | grep Low
CVE-2018-0739           libssl1.0.0-1.0.1k-3+deb8u5              Low               1.0.1t-1+deb8u8         https://security-tracker.debian.org/tracker/CVE-2018-0739
CVE-2018-0739           openssl-1.0.1k-3+deb8u5                  Low               1.0.1t-1+deb8u8         https://security-tracker.debian.org/tracker/CVE-2018-0739

  Only two Low-severity vulnerabilities were found, so the check passes.

  But something feels off... nginx:1.11.1 itself has many vulnerabilities, definitely more than two Low ones.
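As an added example (not from the Anchore docs or the original post), the grep filtering above can be turned into a small POSIX shell gate that summarises the table printed by `anchore-cli image vuln <image> all` by severity and fails when anything at or above a chosen severity is present. The severity ranking, the sample table and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Summarise and gate the table printed by `anchore-cli image vuln <image> all`.
# Columns are whitespace separated and the severity is the third column, as on this page.
# Usage against a live engine (command from the post):
#   docker-compose exec engine-api anchore-cli image vuln nginx:1.11.1 all | vuln_gate High

# Constructed sample in the same layout as the page's output (not real scan data;
# the last row uses a placeholder ID so the gate has something to catch).
SAMPLE_VULNS='Vulnerability ID        Package                         Severity     Fix               Vulnerability URL
CVE-2018-0739           libssl1.0.0-1.0.1k-3+deb8u5     Low          1.0.1t-1+deb8u8   https://security-tracker.debian.org/tracker/CVE-2018-0739
CVE-2018-0739           openssl-1.0.1k-3+deb8u5         Low          1.0.1t-1+deb8u8   https://security-tracker.debian.org/tracker/CVE-2018-0739
CVE-2005-2541           tar-1.26+dfsg-0.1+deb7u1        Negligible   None              https://security-tracker.debian.org/tracker/CVE-2005-2541
CVE-PLACEHOLDER-1       example-pkg-1.0                 High         None              https://example.invalid/CVE-PLACEHOLDER-1'

# Count rows whose severity (3rd column) equals $1; reads the table on stdin.
count_severity() {
    awk -v sev="$1" 'NR > 1 && $3 == sev { n++ } END { print n + 0 }'
}

# Print "Severity count" for each severity present, most severe first.
severity_summary() {
    awk 'NR > 1 { c[$3]++ }
         END {
             n = split("Critical High Medium Low Negligible Unknown", order, " ")
             for (i = 1; i <= n; i++)
                 if (order[i] in c) print order[i], c[order[i]]
         }'
}

# Print every finding at or above severity $1 (default High) and exit 1 if there is any.
# The ranking is an assumption for this example: Critical > High > Medium > Low > Negligible > Unknown.
vuln_gate() {
    awk -v threshold="${1:-High}" '
        BEGIN { rank["Critical"] = 5; rank["High"] = 4; rank["Medium"] = 3
                rank["Low"] = 2; rank["Negligible"] = 1; rank["Unknown"] = 0 }
        NR > 1 && (($3 in rank) ? rank[$3] : 0) >= rank[threshold] {
            bad++; print "FAIL:", $1, $2, $3, "fix:", $4
        }
        END { if (bad > 0) exit 1 }'
}

# Demonstration on the constructed sample: the summary, then a gate at High.
printf '%s\n' "$SAMPLE_VULNS" | severity_summary
printf '%s\n' "$SAMPLE_VULNS" | vuln_gate High || echo "gate failed: fix or whitelist the findings above"
```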
