Harbor 2.2.1 configuration (Trivy scanner, image signing)

Published: 2025/3/21  Author: 豆豆

Download docker-compose

https://github.com/docker/compose/releases

Install

cp docker-compose /usr/local/bin
chmod +x /usr/local/bin/docker-compose

Download Harbor

https://github.com/goharbor/harbor/releases

Extract

tar xf xxx.tgz    (xxx = the installer archive you downloaded)

Configure Harbor

Create the data directory under / and a certs directory inside the extracted harbor/ directory:

mkdir /data
cd harbor/
mkdir certs
cd certs/

Generate the certificate and private key

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout registry.key -out registry.crt
cd ..
cp -r certs/ /

Caveat: the certificate must name the registry hostname (example.com in this guide) as its Common Name and, for current Docker and Go TLS clients, as a subjectAltName as well; a self-signed certificate without a matching SAN makes docker login fail with an x509 "legacy Common Name" or hostname error. Pass -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com" to openssl req (OpenSSL 1.1.1 or later), or use a CA-issued certificate in production.

Edit the configuration file

mv harbor.yml.tmpl harbor.yml

hostname: example.com
https:
  certificate: ./certs/registry.crt
  private_key: ./certs/registry.key
harbor_admin_password: Abcd12345

harbor_admin_password is only honoured on the first start; afterwards change the admin password in the web UI, and do not keep the example value.

Check the configuration

./prepare

Install

Add --with-trivy for vulnerability scanning, --with-notary for content trust (image signing), and --with-chartmuseum for the Helm charts module. --with-clair is no longer available: Clair support was removed in Harbor 2.2.

./install.sh --with-notary --with-trivy --with-chartmuseum

Configure the hostname

Append to /etc/hosts:

127.0.0.1 example.com

Access in the browser

https://example.com (or http://IP:80, which Harbor redirects to HTTPS). Username: admin, password: Abcd12345

Log in from the command line

Because the certificate is self-signed, the Docker daemon has to trust it before docker login can succeed: copy registry.crt to /etc/docker/certs.d/example.com/ca.crt (or add it to the system trust store and restart dockerd).

docker login example.com
Username: admin
Password: Abcd12345

Operating commands

Stop

docker-compose down

Redeploy
Running ./prepare again regenerates the configuration (the previously generated config files are removed); project data is not deleted.

./prepare

Start

docker-compose up -d

Trivy is a simple and comprehensive container vulnerability scanner suited to CI. A software vulnerability is a fault, flaw or weakness in software or an operating system. Trivy detects vulnerabilities in operating-system packages (Alpine, RHEL, CentOS, etc.) and in application dependencies (Bundler, Composer, npm, yarn, etc.).

Trivy is easy to use: install the binary and you can scan; a scan only needs the image name. Compared with other image scanners such as Clair, Anchore Engine and Quay, Trivy has clear advantages in accuracy, convenience and CI support.

It is recommended for use in CI, where a local container image can be scanned before it is pushed to the container registry. Trivy's characteristics:

  • Broad coverage: operating-system packages (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless) and application dependencies (Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo);
  • Simple to use: only the image name needs to be specified;
  • Fast and stateless: the first scan finishes within about 10 seconds (depending on your network), later scans within about a second. Other scanners take a long time on the first run (around 10 minutes) to fetch vulnerability data and expect you to maintain a persistent vulnerability database; Trivy is stateless and needs no maintenance or preparation;
  • Easy to install (after adding Aqua Security's package repository for apt/yum):
    $ apt-get install trivy
    $ yum install trivy
    $ brew install trivy
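The CI gate the paragraph above recommends, as an added example (not code from the page or from the Trivy project): run trivy image --format json --output report.json IMAGE, then let this script decide whether the build may push to Harbor. Trivy's own --severity, --exit-code and --ignore-unfixed flags implement the same policy inline; applying it to a saved report instead lets you allowlist individual CVE IDs and log the decision without rescanning. The report layout (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity) is Trivy's JSON format; the CVE IDs, packages and versions in SAMPLE_REPORT are constructed placeholders, not real findings.

```python
"""Fail a CI job when a saved Trivy JSON report contains findings above a threshold.

Usage: python trivy_gate.py report.json   (runs against SAMPLE_REPORT when no path is given)
"""
import json
import sys

# Severity names Trivy emits, in ascending order.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's JSON report layout. The CVE identifiers,
# package names and versions are placeholders for illustration only.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example.com/library/nginx:latest",
    "Results": [
        {
            "Target": "example.com/library/nginx:latest (debian 10.9)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "LOW"},
            ],
        },
        # Trivy writes null, not an empty list, for a target with no findings.
        {"Target": "usr/share/app/package-lock.json", "Vulnerabilities": None},
    ],
}


def load_report(path):
    """Read a report written by `trivy image --format json --output <path>`."""
    with open(path) as fh:
        return json.load(fh)


def findings_over_threshold(report, min_severity="HIGH", ignore_unfixed=False, allowlist=()):
    """Return (target, vuln_id, package, severity, fixed_version) for every finding that blocks.

    ignore_unfixed drops findings with no FixedVersion (nothing to upgrade to yet);
    allowlist holds vulnerability IDs that were reviewed and accepted.
    """
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            if SEVERITY_RANK.get(sev, 0) < threshold:
                continue
            if vuln.get("VulnerabilityID") in allowlist:
                continue
            fixed = vuln.get("FixedVersion") or ""
            if ignore_unfixed and not fixed:
                continue
            hits.append((result.get("Target", "?"), vuln["VulnerabilityID"],
                         vuln.get("PkgName", "?"), sev, fixed or "-"))
    return hits


def gate(report, **policy):
    """Print blocking findings and return the process exit code (1 = do not push)."""
    hits = findings_over_threshold(report, **policy)
    for target, vuln_id, pkg, sev, fixed in hits:
        print(f"{sev:8} {vuln_id:16} {pkg:20} fix: {fixed:10} [{target}]")
    print(f"{len(hits)} blocking finding(s)")
    return 1 if hits else 0


if __name__ == "__main__":
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(report, min_severity="HIGH", ignore_unfixed=False, allowlist=set()))
```

Keep the allowlist in the repository next to the Dockerfile and review it like code: an accepted CVE should carry the date and reason it was accepted, and unfixed findings should be re-evaluated when the base image is bumped rather than ignored forever.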

Problems encountered and how they were solved

After configuring the Trivy scanner in Harbor, running an image scan failed with:

2021-04-19T07:19:51.564Z INFO Need to update DB
2021-04-19T07:19:51.564Z INFO Downloading DB...
2021-04-19T07:20:01.566Z FATAL failed to download vulnerability DB: failed to download vulnerability DB: failed to list releases: Get "https://api.github.com/repos/aquasecurity/trivy-db/releases": dial tcp: lookup api.github.com on 127.0.0.11:53: read udp 127.0.0.1:48822->127.0.0.11:53: i/o timeout

The cause is a timeout while downloading the vulnerability database: the trivy-adapter container cannot resolve api.github.com, so the download fails. The workaround is to download the database by hand and place it in the directory that is mounted into the trivy container as /home/scanner/.cache/trivy/db/. Download page: https://github.com/aquasecurity/trivy-db/releases
The database was extracted into /data/trivy-adapter/trivy/ on the host and skip_update was set to true in the trivy section of harbor.yml. Scanning again in Harbor then failed with:

2021-04-19T07:37:36.182Z ERROR The first run cannot skip downloading DB
2021-04-19T07:37:36.182Z FATAL database error: --skip-update cannot be specified on the first run : general response handler: unexpected status code: 500, expected: 200

Trivy does not allow the database download to be skipped when it finds no already-initialised database in its cache (which it treats as the first run). The next approach was to install Trivy on the host, scan any image there so that it downloads the vulnerability database, and copy the local cache /root/.cache/trivy/ into the mounted directory /data/trivy-adapter/trivy/. Scanning in Harbor then failed with:

2021-04-19T08:53:26Z [ERROR] [/pkg/scan/job.go:284]: check scan report with mime type application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0: running trivy wrapper: running trivy: exit status 1: 2021-04-19T08:53:22.626Z FATAL unable to initialize the cache: unable to initialize fs cache: failed to create cache dir: mkdir /home/scanner/.cache/trivy/fanal: no such file or directory : general response handler: unexpected status code: 500, expected: 200

This happens because the host's fanal/ directory (Trivy's image and layer cache) was copied along with the database; that directory is created by the adapter itself when Harbor starts and must not be replaced with the host's copy. Restore it and copy only the files under /root/.cache/trivy/db/ into /data/trivy-adapter/trivy/db/. After that, scanning in Harbor succeeds.

Two further points to check when doing this by hand: the copied files must be readable by the user the trivy-adapter container runs as (uid 10000 in Harbor's images), and the database must come from the same Trivy release line as the Trivy bundled in the adapter, because the database schema version is tied to the scanner version.

Enabling image signing

Enable content trust for the project in Harbor (tick the "Enable content trust" checkbox in the project's configuration). Once it is enabled, images that have not been signed can no longer be pulled:

# docker pull example.com/library/foo-apiserver@sha256:0b8cad3c45c2e0db91b070a94c7dc72487d5c1a357168267437518e455f0621f
Error response from daemon: unknown: The image is not signed in Notary.

The --with-notary option of ./install.sh installs the Notary server and signer that back content trust. The client-side setup needed to use it is:

# cd ~/.docker/
# ls
config.json
# pwd
/root/.docker
# mkdir tls
# cd tls/
# mkdir example.com:4443
# cd example.com\:4443/
# cp /home/work/harbor/certs/registry.crt ca.crt    # registry.crt is the certificate Harbor was started with
# ls
ca.crt
# export DOCKER_CONTENT_TRUST=1
# export DOCKER_CONTENT_TRUST_SERVER=https://example.com:4443

Harbor's Notary server listens on port 4443 and presents the same certificate as the registry, which is why the registry certificate is placed under ~/.docker/tls/example.com:4443/ca.crt.

    首次上傳時需要設(shè)置root密碼及倉庫密碼

    # docker push example.com/library/nginx:latest d37eecb5b769: Layer already exists 99134ec7f247: Layer already exists c3a984abe8a8: Layer already exists latest: digest: sha256:7ac7819e1523911399b798309025935a9968b277d86d50e5255465d6592c0266 size: 948 Signing and pushing trust metadata You are about to create a new root signing key passphrase. This passphrase will be used to protect the most sensitive key in your signing system. Please choose a long, complex passphrase and be careful to keep the password and the key file itself secure and backed up. It is highly recommended that you use a password manager to generate the passphrase and keep it safe. There will be no way to recover this key. You can find the key in your config directory. Enter passphrase for new root key with ID a7d2071: Repeat passphrase for new root key with ID a7d2071: Enter passphrase for new repository key with ID fe4da48: Repeat passphrase for new repository key with ID fe4da48: Finished initializing "reg.westos.org/library/nginx" Successfully signed reg.westos.org/library/nginx:latest

    上傳鏡像會自動簽名,此時再拉取鏡像:

    # docker pull example.com/library/nginx:latest Pull (1 of 1): example.com/library/nginx:latest@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9 example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9: Pulling from library/nginx Digest: sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9 Status: Image is up to date for example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9 Tagging example.com/library/nginx@sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9 as example.com/library/nginx:latest example.com/library/nginx:latest

    此時上傳另一個鏡像時只需要輸入倉庫密碼,同一鏡像不同版本號再上傳時只需要輸入倉庫密碼

    查看認(rèn)證信息:

    # docker trust inspect example.com/library/nginx:latest [{"Name": "example.com/library/nginx:latest","SignedTags": [{"SignedTag": "latest","Digest": "c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9","Signers": ["Repo Admin"]}],"Signers": [],"AdministrativeKeys": [{"Name": "Root","Keys": [{"ID": "ef1860607d28455992ad93e71e0e830911e59a43d548c44a41794d490fb63d5b"}]},{"Name": "Repository","Keys": [{"ID": "ebca503ac3b8be80c585a0ba5c5de386f17a978187dd8da75634ad0bb0a7bd4e"}]}]} ]
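The check a deployment pipeline should run on that output, as an added example (not Docker's, Notary's or Harbor's own code): before running an image, confirm that the tag it is about to use is signed, by a signer it trusts, for exactly the digest it will run, and optionally that the repository's root key is the one pinned at onboarding. The JSON embedded below is the docker trust inspect output shown on this page; "Repo Admin" is the signer name Docker reports for a repository signed with the repository key rather than a delegation. An unsigned repository makes docker trust inspect exit non-zero with an error message instead of JSON, which the parser treats as a refusal.

```python
"""Admission check on `docker trust inspect IMAGE` output (Docker Content Trust / Notary v1)."""
import json

# Output of `docker trust inspect example.com/library/nginx:latest` as captured on this page.
TRUST_INSPECT_OUTPUT = (
    '[{"Name": "example.com/library/nginx:latest",'
    '"SignedTags": [{"SignedTag": "latest",'
    '"Digest": "c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9",'
    '"Signers": ["Repo Admin"]}],'
    '"Signers": [],'
    '"AdministrativeKeys": ['
    '{"Name": "Root","Keys": [{"ID": "ef1860607d28455992ad93e71e0e830911e59a43d548c44a41794d490fb63d5b"}]},'
    '{"Name": "Repository","Keys": [{"ID": "ebca503ac3b8be80c585a0ba5c5de386f17a978187dd8da75634ad0bb0a7bd4e"}]}]}]'
)

# Root key ID from the same output. Pinning it catches a repository whose trust
# data was re-initialised under a different root key (e.g. by someone who got
# push access but not the original root key).
EXPECTED_ROOT_KEY = "ef1860607d28455992ad93e71e0e830911e59a43d548c44a41794d490fb63d5b"


def split_ref(image_ref):
    """Split 'host[:port]/repo[:tag]' into (repo, tag); the tag defaults to 'latest'."""
    name, sep, tag = image_ref.rpartition(":")
    if not sep or "/" in tag:      # no tag at all, or the colon belonged to host:port
        return image_ref, "latest"
    return name, tag


def verify_signed_tag(inspect_json, image_ref, expected_digest, allowed_signers, expected_root_key=None):
    """Return the signed digest for image_ref, or raise ValueError saying why it must not run."""
    try:
        entries = json.loads(inspect_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"no trust data: inspect output is not JSON ({exc})")
    if not entries:
        raise ValueError("no trust data: image is not signed in Notary")

    repo, tag = split_ref(image_ref)
    entry = next((e for e in entries if split_ref(e.get("Name", ""))[0] == repo), None)
    if entry is None:
        raise ValueError(f"no trust data for repository {repo}")

    signed = next((t for t in entry.get("SignedTags", []) if t.get("SignedTag") == tag), None)
    if signed is None:
        raise ValueError(f"tag {tag!r} has no signature in {repo}")

    want = expected_digest.split(":", 1)[-1].lower()   # accept 'sha256:<hex>' or bare hex
    if signed.get("Digest", "").lower() != want:
        raise ValueError(f"signed digest {signed.get('Digest')} != expected {want}")

    signers = set(signed.get("Signers", []))
    if not signers & set(allowed_signers):
        raise ValueError(f"signers {sorted(signers)} not in allowed set {sorted(allowed_signers)}")

    if expected_root_key is not None:
        root_ids = {k["ID"] for adm in entry.get("AdministrativeKeys", [])
                    if adm.get("Name") == "Root" for k in adm.get("Keys", [])}
        if expected_root_key not in root_ids:
            raise ValueError(f"root key {sorted(root_ids)} does not match pinned key")
    return signed["Digest"]


def admit(inspect_json, image_ref, expected_digest, allowed_signers, expected_root_key=None):
    """Pipeline-friendly wrapper: (True, digest) when the image may run, else (False, reason)."""
    try:
        return True, verify_signed_tag(inspect_json, image_ref, expected_digest,
                                       allowed_signers, expected_root_key)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    digest = "sha256:c137f6c852bfdf74694fe20693bb11e61b51e0b8c50d17dff881f2db05e65de9"
    print(admit(TRUST_INSPECT_OUTPUT, "example.com/library/nginx:latest", digest,
                {"Repo Admin"}, EXPECTED_ROOT_KEY))
```

Deploy by the returned digest (image@sha256:...) rather than by tag, so that what was verified is exactly what runs even if the tag moves between the check and the pull.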

Remove a signature:

# docker trust revoke example.com/library/nginx:latest
Enter passphrase for repository key with ID fe4da48:
Successfully deleted signature for example.com/library/nginx:latest

Switching signing off:

export DOCKER_CONTENT_TRUST=0

The project's content-trust option must also be unticked in Harbor, otherwise unsigned images still cannot be pulled and deployments that use them fail.

    Harbor數(shù)據(jù)遷移

    • 先關(guān)閉harbor倉庫:docker-compose down -v
    • 拷貝harbor數(shù)據(jù)/date/和下的文件到其他目錄:
    持久數(shù)據(jù),如鏡像,數(shù)據(jù)庫等在宿主機的/data/目錄下,日志在宿主機的/var/log/harbor/目錄下 /data/database/ 數(shù)據(jù)庫內(nèi)容,比如身份驗證數(shù)據(jù) /data/registry/ 鏡像文件內(nèi)容 ......

    Harbor各組件性能消耗統(tǒng)計

    NAMECPU %MEM USAGE / LIMIT
    harbor-jobservice0.39%20.38MiB / 15.42GiB
    nginx0.00%13.34MiB / 15.42GiB
    notary-server0.09%11.52MiB / 15.42GiB
    notary-signer0.00%8.781MiB / 15.42GiB
    harbor-core0.00%34.72MiB / 15.42GiB
    trivy-adapter0.32%32.22MiB / 15.42GiB
    registry0.00%14MiB / 15.42GiB
    harbor-db0.00%98.83MiB / 15.42GiB
    redis0.45%10.46MiB / 15.42GiB
    chartmuseum0.08%16.53MiB / 15.42GiB
    harbor-portal0.05%15.22MiB / 15.42GiB
    registryctl0.11%14.71MiB / 15.42GiB
    harbor-log0.05%14.52MiB / 15.42GiB
    total1.54%272.66MiB / 15.42GiB
