diff --git a/Documentation/reference/config.md b/Documentation/reference/config.md index 0b9897b52a..778ac5033d 100644 --- a/Documentation/reference/config.md +++ b/Documentation/reference/config.md @@ -20,13 +20,16 @@ $ clair -conf ./path/to/config.yaml -mode matcher "indexer": runs just the indexer node "matcher": runs just the matcher node "notifier": runs just the notifier node - "combo": will run both indexer and matcher on the same node. + "combo": will run all services on the same node. -conf (also specified by CLAIR_CONF env variable) A file system path to Clair's config file ``` -The above example starts two Clair nodes using the same configuration. One will only run the indexing facilities while the other will only run the matching facilities. +The above example starts two Clair nodes using the same configuration. +One will only run the indexing facilities while the other will only run the matching facilities. + +If running in "combo" mode you **must** supply the `indexer`, `matcher`, and `notifier` configuration blocks in the configuration. ## Config Reference @@ -40,6 +43,7 @@ indexer: layer_scan_concurrency: 0 migrations: false scanner: {} + airgap: false matcher: connstring: "" max_conn_pool: 0 @@ -48,6 +52,9 @@ matcher: period: "" disable_updaters: false update_retention: 2 +updaters: + sets: nil + config: nil notifier: connstring: "" migrations: false @@ -59,7 +66,8 @@ notifier: webhook: null amqp: null stomp: null -auth: {} +auth: + psk: nil trace: name: "" probability: null @@ -71,7 +79,7 @@ trace: username: null password: null service_name: "" - tags: {} + tags: nil buffer_max: 0 metrics: name: "" 
@@ -225,6 +233,44 @@ Defaults to 10 If a value of 0 is provided GC is disabled. ``` +### updaters: \ + +``` +Updaters provides configuration for the Matcher's update manager. +``` + +####  sets: []string +``` +A list of string values informing the update manager which Updaters to run. + +If the value is nil the default set of Updaters will run: + "alpine" + "aws" + "debian" + "oracle" + "photon" + "pyupio" + "rhel" + "suse" + "ubuntu" + +If an empty list is provided zero updaters will run. +``` + +####  config: {} +``` +Provides configuration to specific updater sets. + +A map keyed by the name of the updater set name containing a sub-object which will be provided to the updater set's constructor. + +A hypothetical example: + config: + ubuntu: + security_tracker_url: http://security.url + ignore_distributions: + - cosmic +``` + ### notifier: \ ``` Notifier provides Clair Notifier node configuration diff --git a/config/config.go b/config/config.go index 249d393f2b..b57a998582 100644 --- a/config/config.go +++ b/config/config.go @@ -3,9 +3,6 @@ package config import ( "fmt" "strings" - - "github.com/quay/claircore/libvuln/driver" - "gopkg.in/yaml.v3" ) // Clair Modes 
@@ -53,55 +50,11 @@ type Config struct { LogLevel string `yaml:"log_level" json:"log_level"` Indexer Indexer `yaml:"indexer" json:"indexer"` Matcher Matcher `yaml:"matcher" json:"matcher"` + Updaters Updaters `yaml:"updaters,omitempty" json:"updaters,omitempty"` Notifier Notifier `yaml:"notifier" json:"notifier"` Auth Auth `yaml:"auth" json:"auth"` Trace Trace `yaml:"trace" json:"trace"` Metrics Metrics `yaml:"metrics" json:"metrics"` - Updaters Updaters `yaml:"updaters,omitempty" json:"updaters,omitempty"` -} - -// Updaters configures updater behavior. -type Updaters struct { - // A slice of strings representing which - // updaters will be used. - // - // If nil all default UpdaterSets will be used - // - // The following sets are supported by default: - // "alpine" - // "aws" - // "debian" - // "oracle" - // "photon" - // "pyupio" - // "rhel" - // "suse" - // "ubuntu" - Sets []string `yaml:"sets,omitempty" json:"sets,omitempty"` - // Config holds configuration blocks for UpdaterFactories and Updaters, - // keyed by name. - // - // These are defined by the updater implementation and can't be documented - // here. Improving the documentation for these is an open issue. - Config map[string]yaml.Node `yaml:"config" json:"config"` - // Filter is a regexp that disallows updaters that do not match from - // running. - Filter string `yaml:"filter" json:"filter"` -} - -func (u *Updaters) FilterSets(m map[string]driver.UpdaterSetFactory) { - if u.Sets != nil { - Outer: - for k := range m { - for _, n := range u.Sets { - if k == n { - continue Outer - } - } - delete(m, k) - } - } - return } // Validate confirms the necessary values to support diff --git a/config/updaters.go b/config/updaters.go new file mode 100644 index 0000000000..fcca8c8a88 --- /dev/null +++ b/config/updaters.go 
@@ -0,0 +1,53 @@
+package config
+
+import (
+ "github.com/quay/claircore/libvuln/driver"
+ "gopkg.in/yaml.v3"
+)
+
+// Updaters configures updater behavior.
+type Updaters struct {
+ // A slice of strings representing which
+ // updaters will be used.
+ //
+ // If nil all default UpdaterSets will be used
+ //
+ // The following sets are supported by default:
+ // "alpine"
+ // "aws"
+ // "debian"
+ // "oracle"
+ // "photon"
+ // "pyupio"
+ // "rhel"
+ // "suse"
+ // "ubuntu"
+ Sets []string `yaml:"sets,omitempty" json:"sets,omitempty"`
+ // Config holds configuration blocks for UpdaterFactories and Updaters,
+ // keyed by name.
+ //
+ // These are defined by the updater implementation and can't be documented
+ // here. Improving the documentation for these is an open issue.
+ Config map[string]yaml.Node `yaml:"config" json:"config"`
+ // Filter is a regexp that disallows updaters that do not match from
+ // running.
+ // TODO(louis): this is only used in clairctl, should we keep this?
+ // it may offer an escape hatch for a particular updater name
+ // from running, vs disabling the updater set completely.
+ Filter string `yaml:"filter" json:"filter"`
+}
+
+func (u *Updaters) FilterSets(m map[string]driver.UpdaterSetFactory) {
+ if u.Sets != nil {
+ Outer:
+ for k := range m {
+ for _, n := range u.Sets {
+ if k == n {
+ continue Outer
+ }
+ }
+ delete(m, k)
+ }
+ }
+ return
+}
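Review bot: In `FilterSets`, a name in `u.Sets` that matches no key in `m` is silently ignored, because the loop only ever deletes from `m` and never checks the reverse direction. A misspelled set name therefore removes that updater with no error or log line, and the matcher would presumably keep running without fresh vulnerability data for that distribution. Since the method returns nothing, the check belongs in configuration validation (not visible in this diff): compare `Sets` against the known set names and reject, or at least log, unknown entries. The exported method also has no doc comment; I would add `// FilterSets deletes from m every factory whose name is not in u.Sets; a nil Sets leaves m unchanged, an empty non-nil Sets empties it.` and drop the redundant trailing `return`.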