
Docker Static Analysis With Clair?

Can anyone help with Docker static analysis using Clair? I get an error during analysis. Help me figure it out, or tell me how to install the Docker Clair scanner correctly?

Getting set up

git clone git@github.com:Charlie-belmer/Docker-security-example.git  

docker-compose.yml 
version: '2.1'

services:
  postgres:
    image: postgres:12.1
    restart: unless-stopped
    volumes:
      - ./docker-compose-data/postgres-data/:/var/lib/postgresql/data:rw
    environment:
      - POSTGRES_PASSWORD=ChangeMe
      - POSTGRES_USER=clair
      - POSTGRES_DB=clair
    
  clair:
    image: quay.io/coreos/clair:v4.3.4
    restart: unless-stopped
    volumes:
      - ./docker-compose-data/clair-config/:/config/:ro
      - ./docker-compose-data/clair-tmp/:/tmp/:rw
    depends_on: 
      postgres:
        condition: service_started
    command: [--log-level=debug, --config, /config/config.yml]
    user: root

  clairctl:
    image: jgsqware/clairctl:latest
    restart: unless-stopped
    environment: 
      - DOCKER_API_VERSION=1.41
    volumes:
      - ./docker-compose-data/clairctl-reports/:/reports/:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    depends_on: 
      clair: 
        condition: service_started
    user: root

docker-compose up

The server starts without errors but gets stuck on the same message. I don't understand what it doesn't like.

test@parallels-virtual-platform:~/Docker-security-example/clair$ docker-compose up
clair_postgres_1 is up-to-date
Recreating clair_clair_1 ... done
Recreating clair_clairctl_1 ... done
Attaching to clair_postgres_1, clair_clair_1, clair_clairctl_1
clair_1     | flag provided but not defined: -log-level
clair_1     | Usage of /bin/clair:
clair_1     |   -conf value
clair_1     |       The file system path to Clair's config file.
clair_1     |   -mode value
clair_1     |       The operation mode for this server. (default combo)
postgres_1  | 
postgres_1  | PostgreSQL Database directory appears to contain a database; Skipping initialization
postgres_1  | 
postgres_1  | 2021-11-16 22:55:36.851 UTC [1] LOG:  starting PostgreSQL 12.1 (Debian 12.1-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit
postgres_1  | 2021-11-16 22:55:36.851 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
postgres_1  | 2021-11-16 22:55:36.851 UTC [1] LOG:  listening on IPv6 address "::", port 5432
postgres_1  | 2021-11-16 22:55:36.853 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
postgres_1  | 2021-11-16 22:55:36.877 UTC [24] LOG:  database system was shut down at 2021-11-16 22:54:58 UTC
postgres_1  | 2021-11-16 22:55:36.888 UTC [1] LOG:  database system is ready to accept connections
postgres_1  | 2021-11-16 23:01:15.219 UTC [1] LOG:  received smart shutdown request
postgres_1  | 2021-11-16 23:01:15.225 UTC [1] LOG:  background worker "logical replication launcher" (PID 30) exited with exit code 1
postgres_1  | 
postgres_1  | PostgreSQL Database directory appears to contain a database; Skipping initialization
postgres_1  | 
postgres_1  | 2021-11-16 23:02:11.993 UTC [1] LOG:  starting PostgreSQL 12.1 (Debian 12.1-1.pgdg100+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 8.3.0-6) 8.3.0, 64-bit
postgres_1  | 2021-11-16 23:02:11.994 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
postgres_1  | 2021-11-16 23:02:11.994 UTC [1] LOG:  listening on IPv6 address "::", port 5432
postgres_1  | 2021-11-16 23:02:11.995 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
postgres_1  | 2021-11-16 23:02:12.009 UTC [26] LOG:  database system was interrupted; last known up at 2021-11-16 23:00:37 UTC
postgres_1  | 2021-11-16 23:02:12.164 UTC [26] LOG:  database system was not properly shut down; automatic recovery in progress
postgres_1  | 2021-11-16 23:02:12.166 UTC [26] LOG:  redo starts at 0/1745C50
postgres_1  | 2021-11-16 23:02:12.166 UTC [26] LOG:  invalid record length at 0/1745D38: wanted 24, got 0
postgres_1  | 2021-11-16 23:02:12.166 UTC [26] LOG:  redo done at 0/1745D00
postgres_1  | 2021-11-16 23:02:12.180 UTC [1] LOG:  database system is ready to accept connections
postgres_1  | 2021-11-16 23:02:12.471 UTC [33] ERROR:  duplicate key value violates unique constraint "lock_name_key"
postgres_1  | 2021-11-16 23:02:12.471 UTC [33] DETAIL:  Key (name)=(updater) already exists.
postgres_1  | 2021-11-16 23:02:12.471 UTC [33] STATEMENT:  INSERT INTO Lock(name, owner, until) VALUES($1, $2, $3)
clair_clair_1 exited with code 2
clair_1     | flag provided but not defined: -log-level
clair_1     | Usage of /bin/clair:
clair_1     |   -conf value
clair_1     |       The file system path to Clair's config file.
clair_1     |   -mode value
clair_1     |       The operation mode for this server. (default combo)
clair_1     | flag provided but not defined: -log-level
clair_1     | Usage of /bin/clair:
clair_1     |   -conf value
clair_1     |       The file system path to Clair's config file.
clair_1     |   -mode value
clair_1     |       The operation mode for this server. (default combo)
clair_clair_1 exited with code 2
clair_1     | flag provided but not defined: -log-level
clair_1     | Usage of /bin/clair:
clair_1     |   -conf value
clair_1     |       The file system path to Clair's config file.
clair_1     |   -mode value
clair_1     |       The operation mode for this server. (default combo)
clair_clair_1 exited with code 2
clair_1     | flag provided but not defined: -log-level
clair_1     | Usage of /bin/clair:
clair_1     |   -conf value
clair_1     |       The file system path to Clair's config file.
clair_1     |   -mode value
clair_1     |       The operation mode for this server. (default combo)
clair_clair_1 exited with code 2
clair_1     | flag provided but not defined: -log-level
clair_1     | Usage of /bin/clair:
clair_1     |   -conf value
clair_1     |       The file system path to Clair's config file.
clair_1     |   -mode value
clair_1     |       The operation mode for this server. (default combo)
clair_clair_1 exited with code 2
clair_1     | flag provided but not defined: -log-level
clair_1     | Usage of /bin/clair:
clair_1     |   -conf value
clair_1     |       The file system path to Clair's config file.
clair_1     |   -mode value
clair_1     |       The operation mode for this server. (default combo)

Installing a bad container

docker pull imiell/bad-dockerfile

docker-compose exec clairctl clairctl analyze -l imiell/bad-dockerfile


client quit unexpectedly
2021-11-16 23:05:19.221606 C | cmd: pushing image "imiell/bad-dockerfile:latest": pushing layer to clair: Post http://clair:6060/v1/layers: dial tcp: lookup clair: Try again

I don't understand what it doesn't like about the analysis?

I think you are using the old clairctl with the new Clair v4. You should use the clairctl from here: https://github.com/quay/clair/releases/tag/v4.3.5

I just solved this yesterday. Clair version 4.3.4 only supports two command-line options, mode and conf, and your output proves it:

clair_1     | flag provided but not defined: -log-level
clair_1     | Usage of /bin/clair:
clair_1     |   -conf value
clair_1     |       The file system path to Clair's config file.
clair_1     |   -mode value
clair_1     |       The operation mode for this server. (default combo)

Change the command line to specify only your config file (line 23 of docker-compose.yml) and put your debug directive in the config file.

command: [--conf, /config/config.yml]

That should get Clair running.
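A config.yml that follows the second answer's advice, added here as an illustration rather than taken from the question's repository or from the Clair project: the log level moves out of the command line into the file, and the database settings reuse the values the posted docker-compose.yml gives the postgres service. The key names follow Clair v4's config.yaml.sample as I recall it and are an assumption; check them against the sample shipped with the release you run.

```yaml
# /config/config.yml for Clair v4, mounted from ./docker-compose-data/clair-config/
# Illustrative example, not the question's repository's file; key names are
# assumed from Clair v4's config.yaml.sample.

# Debug logging lives here now, not on the command line (v4.3.4 has no --log-level).
log_level: debug

# API and introspection listeners; clairctl in the compose file talks to clair:6060.
http_listen_addr: ":6060"
introspection_addr: ":6061"

# The postgres service in the posted docker-compose.yml sets
# POSTGRES_USER=clair, POSTGRES_PASSWORD=ChangeMe, POSTGRES_DB=clair.
# sslmode=disable is tolerable only because the database is reachable
# solely over the compose-internal network.
indexer:
  connstring: "host=postgres port=5432 dbname=clair user=clair password=ChangeMe sslmode=disable"
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true

matcher:
  connstring: "host=postgres port=5432 dbname=clair user=clair password=ChangeMe sslmode=disable"
  migrations: true
  indexer_addr: "http://localhost:6060"

notifier:
  connstring: "host=postgres port=5432 dbname=clair user=clair password=ChangeMe sslmode=disable"
  migrations: true
  indexer_addr: "http://localhost:6060"
  matcher_addr: "http://localhost:6060"
```

The matching compose line is the one the answer gives, command: [--conf, /config/config.yml]; mode can stay at its default of combo, which the usage text in the log reports, so one process runs the indexer, matcher and notifier against the same database. Before this setup leaves a lab, replace the ChangeMe password the compose file ships with, and note that the postgres volume from the first run persists across restarts, which is what the "duplicate key value violates unique constraint lock_name_key" lines in the log reflect: the updater lock row survived an unclean shutdown.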
