112 lines
4.3 KiB
Markdown
112 lines
4.3 KiB
Markdown
# Running Clair
|
|
|
|
The following document outlines possible ways to deploy Clair both on your local machine and to a cluster of machines.
|
|
|
|
## Official Container Repositories
|
|
|
|
Clair is officially packaged and released as a container.
|
|
|
|
* [quay.io/coreos/clair] - Stable releases
|
|
* [quay.io/coreos/clair-jwt] - Stable releases with an embedded instance of [jwtproxy]
|
|
* [quay.io/coreos/clair-git] - Development releases
|
|
|
|
[quay.io/coreos/clair]: https://quay.io/repository/coreos/clair
|
|
[jwtproxy]: https://github.com/coreos/jwtproxy
|
|
[quay.io/coreos/clair-jwt]: https://quay.io/repository/coreos/clair-jwt
|
|
[quay.io/coreos/clair-git]: https://quay.io/repository/coreos/clair-git
|
|
|
|
## Common Architecture
|
|
|
|
### Registry Integration
|
|
|
|
Clair can be integrated directly into a container registry such that the registry is responsible for interacting with Clair on behalf of the user.
|
|
This type of setup avoids the manual scanning of images and creates a sensible location to which Clair's vulnerability notifications can be propagated.
|
|
The registry can also be used for authorization to avoid sharing vulnerability information about images to which one might not have access.
|
|
|
|
|
|
|
|
### CI/CD Integration
|
|
|
|
Clair can be integrated into a CI/CD pipeline such that when a container image is produced, the step after pushing the image to a registry is to compose a request for Clair to scan that particular image.
|
|
This type of integration is more flexible, but relies on additional components to be setup in order to secure.
|
|
|
|
## Deployment Strategies
|
|
|
|
**NOTE:** These instructions demonstrate running HEAD and not stable versions.
|
|
|
|
The following are community supported instructions to run Clair in a variety of ways.
|
|
A [PostgreSQL 9.4+] database instance is required for all instructions.
|
|
|
|
[PostgreSQL 9.4+]: https://www.postgresql.org
|
|
|
|
### Cluster
|
|
|
|
#### Kubernetes
|
|
|
|
If you don't have a local Kubernetes cluster already, check out [minikube].
|
|
|
|
[minikube]: https://github.com/kubernetes/minikube
|
|
|
|
```
|
|
git clone https://github.com/coreos/clair
|
|
cd clair/contrib/k8s
|
|
kubectl create secret generic clairsecret --from-file=./config.yaml
|
|
kubectl create -f clair-kubernetes.yaml
|
|
```
|
|
|
|
### Local
|
|
|
|
#### Docker Compose
|
|
|
|
```sh
|
|
$ curl -L https://raw.githubusercontent.com/coreos/clair/master/contrib/compose/docker-compose.yml -o $HOME/docker-compose.yml
|
|
$ mkdir $HOME/clair_config
|
|
$ curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o $HOME/clair_config/config.yaml
|
|
$ $EDITOR $HOME/clair_config/config.yaml # Edit database source to be postgresql://postgres:password@postgres:5432?sslmode=disable
|
|
$ docker-compose -f $HOME/docker-compose.yml up -d
|
|
```
|
|
|
|
Docker Compose may start Clair before Postgres which will raise an error.
|
|
If this error is raised, manually execute `docker-compose start clair`.
|
|
|
|
#### Docker
|
|
|
|
```sh
|
|
$ mkdir $PWD/clair_config
|
|
$ curl -L https://raw.githubusercontent.com/coreos/clair/master/config.yaml.sample -o $PWD/clair_config/config.yaml
|
|
$ docker run -d -e POSTGRES_PASSWORD="" -p 5432:5432 postgres:9.6
|
|
$ docker run -d -p 6060-6061:6060-6061 -v $PWD/clair_config:/config quay.io/coreos/clair-git:latest -config=/config/config.yaml
|
|
```
|
|
|
|
#### Source
|
|
|
|
To build Clair, you need to latest stable version of [Go] and a working [Go environment].
|
|
In addition, Clair requires some additional binaries be installed on the system [$PATH] as runtime dependencies:
|
|
|
|
* [git]
|
|
* [bzr]
|
|
* [rpm]
|
|
* [xz]
|
|
|
|
[Go]: https://github.com/golang/go/releases
|
|
[Go environment]: https://golang.org/doc/code.html
|
|
[git]: https://git-scm.com
|
|
[bzr]: http://bazaar.canonical.com/en
|
|
[rpm]: http://www.rpm.org
|
|
[xz]: http://tukaani.org/xz
|
|
[$PATH]: https://en.wikipedia.org/wiki/PATH_(variable)
|
|
|
|
```sh
|
|
$ go get github.com/coreos/clair
|
|
$ go install github.com/coreos/clair/cmd/clair
|
|
$ $EDITOR config.yaml # Add the URI for your postgres database
|
|
$ ./$GOPATH/bin/clair -config=config.yaml
|
|
```
|
|
|
|
## Troubleshooting
|
|
|
|
### I just started up Clair and nothing appears to be working, what's the deal?
|
|
|
|
During the first run, Clair will bootstrap its database with vulnerability data from the configured data sources.
|
|
It can take several minutes before the database has been fully populated, but once this data is stored in the database, subsequent updates will take far less time.
|