
Harbor 2.2.1 configuration (Trivy scanner, image signing)

Published: 2025/3/21 · Programming Q&A · 34 · 豆豆

Download docker-compose

https://github.com/docker/compose/releases

Install

cp docker-compose /usr/local/bin
chmod +x /usr/local/bin/docker-compose

Download Harbor

https://github.com/goharbor/harbor/releases

Extract

tar xf xxx.tgz

Configure Harbor

Create the data directory under the root, and a certs directory inside the extracted harbor directory:

mkdir /data
cd harbor/
mkdir certs
cd certs/

Generate the certificate and private key

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry.key -out registry.crt
cd ..
cp -r certs/ /

When prompted, give the Common Name as the hostname you will set in harbor.yml (example.com here); Docker clients reject the certificate if the name does not match.

Edit the configuration file

mv harbor.yml.tmpl harbor.yml

Then set the following values in harbor.yml (certificate and private_key sit under the https: block):

hostname: example.com
https:
  certificate: ./certs/registry.crt
  private_key: ./certs/registry.key
harbor_admin_password: Abcd12345

Check the configuration

./prepare

Install

Add --with-trivy for scanning, --with-notary for content trust (signing) and --with-chartmuseum for the Helm charts module; --with-clair is deprecated.

./install.sh --with-notary --with-trivy --with-chartmuseum

Configure the hostname

vim /etc/hosts, and append at the end:

127.0.0.1 example.com

Browser access

https://example.com, or IP:80. Username: admin, password: Abcd12345

Command-line login

docker login example.com
Username: admin
Password: Abcd12345

Operating commands

Shut down

docker-compose down

Redeploy
Running this discards the generated configuration; project data is not deleted.

./prepare

Start

docker-compose up -d

Trivy is a simple and comprehensive container vulnerability scanner suited to CI. A software vulnerability is a fault, defect or weakness in software or an operating system. Trivy detects vulnerabilities in OS packages (Alpine, RHEL, CentOS, etc.) and in application dependencies (Bundler, Composer, npm, yarn, etc.).

Trivy is easy to use: install the binary and you can scan; a scan only needs the image name. Compared with other image scanners such as Clair, Anchore Engine and Quay, Trivy has clear advantages in accuracy, convenience and CI support.

It is recommended for CI: you can scan a local container image before pushing it to a container registry. Trivy has the following characteristics:

  • Broad coverage: it detects vulnerabilities in OS packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless) and in application dependencies (Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo);
  • Simple to use: only the image name needs to be specified;
  • Fast and stateless: the first scan finishes within 10 seconds (depending on your network) and subsequent scans within a second. Other scanners take a long time (about 10 minutes) on the first run to fetch vulnerability information and expect you to maintain a persistent vulnerability database; Trivy is stateless and needs no maintenance or preparation;
  • Easy to install, with one of:
    $ apt-get install trivy
    $ yum install trivy
    $ brew install trivy

Problems encountered and solutions

After configuring the Trivy scanner in Harbor, running an image scan reported the following error:

2021-04-19T07:19:51.564Z INFO Need to update DB
2021-04-19T07:19:51.564Z INFO Downloading DB...
2021-04-19T07:20:01.566Z FATAL failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: Get "https://api.github.com/repos/aquasecurity/trivy-db/releases": dial tcp: lookup api.github.com on 127.0.0.11:53: read udp 127.0.0.1:48822->127.0.0.11:53: i/o timeout

The cause is a timeout while downloading the vulnerability database, so the download fails. The fix is to download the database manually and mount it into the trivy container's /home/scanner/.cache/trivy/db/ directory; download from: https://github.com/aquasecurity/trivy-db/releases
Extract the database to /data/trivy-adapter/trivy/ on the host and set skip_update to true in harbor.yml. Scanning an image in Harbor again then reports:

2021-04-19T07:37:36.182Z ERROR The first run cannot skip downloading DB
2021-04-19T07:37:36.182Z FATAL database error: --skip-update cannot be specified on the first run : general response handler: unexpected status code: 500, expected: 200

The cause is that Trivy cannot skip the database download on its first scan. The fix is to install Trivy on the host and scan any image locally so that the vulnerability database is downloaded, then copy the files from the local cache /root/.cache/trivy/ to the mounted directory /data/trivy-adapter/trivy/. Scanning an image in Harbor again then reports:

2021-04-19T08:53:26Z [ERROR] [/pkg/scan/job.go:284]: check scan report with mime type application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0: running trivy wrapper: running trivy: exit status 1: 2021-04-19T08:53:22.626Z FATAL unable to initialize the cache: unable to initialize fs cache: failed to create cache dir: mkdir /home/scanner/.cache/trivy/fanal: no such file or directory : general response handler: unexpected status code: 500, expected: 200

The cause is that the files under fanal/ must not be copied along with the database; it appears this directory is generated automatically when Harbor starts. The fix is to restore that directory and copy only the files under /root/.cache/trivy/db/ to /data/trivy-adapter/trivy/db. Scanning an image in Harbor then succeeds.
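The three errors above come down to getting exactly the right files into the mounted cache. The helper below is an added example, not part of the original post: it copies only db/trivy.db and db/metadata.json (Trivy's usual cache file names, assumed here) from a host cache primed by a local scan into the directory Harbor mounts into trivy-adapter, and never carries fanal/ across. The paths are the ones the post uses.

```shell
#!/bin/sh
# Added example, not from the original post. Copies a Trivy vulnerability DB
# primed on the host (e.g. by a local `trivy image ...` scan, as the post does)
# into the cache directory Harbor mounts into trivy-adapter. Only db/ is copied;
# fanal/ is left alone because the adapter creates its own on start-up.
# The file names trivy.db and metadata.json are Trivy's usual cache layout (assumed).
set -eu

# sync_trivy_db SRC_CACHE DST_CACHE
#   SRC_CACHE: host cache, e.g. /root/.cache/trivy
#   DST_CACHE: mounted directory, e.g. /data/trivy-adapter/trivy
sync_trivy_db() {
    src="$1/db"
    dst="$2/db"
    # An incomplete source cache means no local scan has run yet: refuse rather
    # than hand the adapter a half-copied DB, which only yields another HTTP 500.
    for f in trivy.db metadata.json; do
        [ -s "$src/$f" ] || { echo "missing $src/$f: run a local trivy scan first" >&2; return 1; }
    done
    mkdir -p "$dst"
    # Copy the two DB files by name; nothing else from the host cache crosses over.
    cp "$src/trivy.db" "$src/metadata.json" "$dst/"
    echo "copied $src -> $dst"
}

# check_trivy_cache DST_CACHE: succeed only if the adapter will find a usable DB.
check_trivy_cache() {
    [ -s "$1/db/trivy.db" ] && [ -s "$1/db/metadata.json" ] || return 1
    return 0
}

# Usage: sh sync_trivy_db.sh /root/.cache/trivy /data/trivy-adapter/trivy
if [ "$#" -eq 2 ]; then
    sync_trivy_db "$1" "$2"
    check_trivy_cache "$2"
fi
```

After the copy, keep skip_update set to true in harbor.yml as the post describes, so the adapter uses the DB it was handed.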

Enabling image signing

Enable content trust in Harbor by ticking the option. Once it is ticked, images that have not been signed cannot be pulled, as shown:

# docker pull example.com/library/foo-apiserver@sha256:0b8cad3c45c2e0db91b070a94c7dc72487d5c1a357168267437518e455f0621f
Error response from daemon: unknown: The image is not signed in Notary.

The --with-notary flag in ./install.sh --with-notary is what enables content trust. The client-side setup for using content trust is as follows:

# cd ~/.docker/
# ls
config.json
# pwd
/root/.docker
# mkdir tls
# cd tls/
# mkdir example.com:4443
# cd example.com\:4443/
# cp /home/work/harbor/certs/registry.crt ca.crt    # registry.crt is the certificate used when starting Harbor
# ls
ca.crt
# export DOCKER_CONTENT_TRUST=1
# export DOCKER_CONTENT_TRUST_SERVER=https://example.com:4443

On the first push you are asked to set a root key passphrase and a repository key passphrase:

# docker push example.com/library/nginx:latest
d37eecb5b769: Layer already exists
99134ec7f247: Layer already exists
c3a984abe8a8: Layer already exists
latest: digest: sha256:7ac7819e1523911399b798309025935a9968b277d86d50e5255465d6592c0266 size: 948
Signing and pushing trust metadata
You are about to create a new root signing key passphrase. This passphrase will be used to protect the most sensitive key in your signing system. Please choose a long, complex passphrase and be careful to keep the password and the key file itself secure and backed up. It is highly recommended that you use a password manager to generate the passphrase and keep it safe. There will be no way to recover this key. You can find the key in your config directory.
Enter passphrase for new root key with ID a7d2071:
Repeat passphrase for new root key with ID a7d2071:
Enter passphrase for new repository key with ID fe4da48:
Repeat passphrase for new repository key with ID fe4da48:
Finished initializing "reg.westos.org/library/nginx"
Successfully signed reg.westos.org/library/nginx:latest

Pushed images are signed automatically; pulling the image now works:

# docker pull example.com/library/nginx:latest
Pull (1 of 1): example.com/library/nginx:latest@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9
example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9: Pulling from library/nginx
Digest: sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9
Status: Image is up to date for example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9
Tagging example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9 as example.com/library/nginx:latest
example.com/library/nginx:latest

When pushing another image afterwards, only the repository passphrase is requested; pushing a different tag of the same image likewise only asks for the repository passphrase.

View the signing information:

# docker trust inspect example.com/library/nginx:latest
[{"Name": "example.com/library/nginx:latest","SignedTags": [{"SignedTag": "latest","Digest": "c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9","Signers": ["Repo Admin"]}],"Signers": [],"AdministrativeKeys": [{"Name": "Root","Keys": [{"ID": "ef1860607d28455992ad93e71e0e830911e59a43d548c44a41794d490fb63d5b"}]},{"Name": "Repository","Keys": [{"ID": "ebca503ac3b8be80c585a0ba5c5de386f17a978187dd8da75634ad0bb0a7bd4e"}]}]}]

Delete a signature:

# docker trust revoke reg.westos.org/library/nginx:latest
Enter passphrase for repository key with ID fe4da48:
Successfully deleted signature for reg.westos.org/library/nginx:latest

Disable the signing mechanism:

export DOCKER_CONTENT_TRUST=0

The content trust option in Harbor must also be unticked, otherwise pushes and deployments fail.
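As an added example (not from the original post), the helpers below check the client-side content-trust setup described above and gate a deployment on the output of docker trust inspect: the tag must be signed and the Root key ID must match a pinned value, so a re-initialised trust repository is noticed rather than silently accepted. They assume the ~/.docker/tls/<host>:4443/ca.crt layout and the Notary port 4443 from the post; the embedded inspect output is the post's own, so the checks run without a registry.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the post's layout:
# ~/.docker/tls/<host>:4443/ca.crt holds Harbor's registry.crt and Notary
# listens on <host>:4443. The sample JSON is the post's `docker trust inspect`
# output, embedded so the checks run without a registry.
set -eu

# dct_env HOST: verify the Notary CA is in place, then print the exports
# (note the correct variable name DOCKER_CONTENT_TRUST_SERVER) for eval.
dct_env() {
    ca="$HOME/.docker/tls/$1:4443/ca.crt"
    [ -s "$ca" ] || { echo "missing $ca: copy Harbor's registry.crt there" >&2; return 1; }
    echo "export DOCKER_CONTENT_TRUST=1"
    echo "export DOCKER_CONTENT_TRUST_SERVER=https://$1:4443"
}

# Strip whitespace so matching works whether docker printed the JSON pretty or compact.
_flat() { tr -d ' \n\t' < "$1"; }

# trust_root_key FILE: print the Root key ID from `docker trust inspect` output.
trust_root_key() {
    _flat "$1" | sed -n 's/.*"Name":"Root","Keys":\[{"ID":"\([0-9a-f]*\)".*/\1/p'
}

# trust_tag_signed FILE TAG: succeed only if TAG is listed under SignedTags.
trust_tag_signed() {
    _flat "$1" | grep -q "\"SignedTag\":\"$2\""
}

# trust_check FILE TAG PINNED_ROOT: gate a deploy on a signed tag AND the expected
# Root key, so a re-initialised trust repository is flagged instead of trusted.
trust_check() {
    trust_tag_signed "$1" "$2" || { echo "$2 is not signed" >&2; return 1; }
    got=$(trust_root_key "$1")
    [ "$got" = "$3" ] || { echo "root key mismatch: got $got" >&2; return 1; }
    echo "$2 is signed and the root key matches the pinned ID"
}

# Constructed input: the inspect output shown in the post, saved to a temp file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[{"Name": "example.com/library/nginx:latest","SignedTags": [{"SignedTag": "latest","Digest": "c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9","Signers": ["Repo Admin"]}],"Signers": [],"AdministrativeKeys": [{"Name": "Root","Keys": [{"ID": "ef1860607d28455992ad93e71e0e830911e59a43d548c44a41794d490fb63d5b"}]},{"Name": "Repository","Keys": [{"ID": "ebca503ac3b8be80c585a0ba5c5de386f17a978187dd8da75634ad0bb0a7bd4e"}]}]}]
EOF
trust_check "$SAMPLE" latest ef1860607d28455992ad93e71e0e830911e59a43d548c44a41794d490fb63d5b
```

In a pipeline, replace the embedded sample with `docker trust inspect "$IMAGE" > "$SAMPLE"` and keep the pinned Root key ID in CI configuration, not in the repository being checked.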

Harbor data migration

• First shut down Harbor: docker-compose down -v
• Copy Harbor's data under /data/ to another location. Persistent data such as images and the database lives under /data/ on the host; logs are under /var/log/harbor/:
  /data/database/  database contents, e.g. authentication data
  /data/registry/  image layer contents
  ......

Resource consumption of Harbor components

NAME               CPU %   MEM USAGE / LIMIT
harbor-jobservice  0.39%   20.38MiB / 15.42GiB
nginx              0.00%   13.34MiB / 15.42GiB
notary-server      0.09%   11.52MiB / 15.42GiB
notary-signer      0.00%   8.781MiB / 15.42GiB
harbor-core        0.00%   34.72MiB / 15.42GiB
trivy-adapter      0.32%   32.22MiB / 15.42GiB
registry           0.00%   14MiB / 15.42GiB
harbor-db          0.00%   98.83MiB / 15.42GiB
redis              0.45%   10.46MiB / 15.42GiB
chartmuseum        0.08%   16.53MiB / 15.42GiB
harbor-portal      0.05%   15.22MiB / 15.42GiB
registryctl        0.11%   14.71MiB / 15.42GiB
harbor-log         0.05%   14.52MiB / 15.42GiB
total              1.54%   272.66MiB / 15.42GiB
