- Clone one VM in VMware; OS: CentOS 7.9; CPU/memory: 4C4G
- Configure IP 192.168.66.130, hostname harbor.demo
- Docker-compose requires Docker to be installed first; see the Docker installation post
- The GitHub download page github.com/docker/comp… is very slow and the download is often interrupted
- The DaoCloud download page get.daocloud.io/#install-co… is fast
I. Install Docker-compose
1. Download docker-compose
```sh
[root@harbor ~]# curl -L https://get.daocloud.io/docker/compose/releases/download/v2.3.4/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
[root@harbor ~]# chmod +x /usr/local/bin/docker-compose
```
The binary comes from a third-party mirror; compare it against the checksum file published with the matching docker/compose GitHub release before marking it executable.
2. Check the docker-compose version
```sh
[root@harbor ~]# docker-compose --version
docker-compose version 2.3.4
```
II. Install the container image scanner Trivy v0.25.3
1. About Trivy
- Some of our container images are downloaded from the Internet, and the images our team builds pull in other third-party software, so for security we configure a scanner in the container image registry
- Trivy website: aquasecurity.github.io/trivy/v0.25…
- Trivy repository: github.com/aquasecurit…
- Trivy mirror: gitee.com/mirrors/Tri…
- Scanner comparison: github.com/dmyerscough…
- Installation: aquasecurity.github.io/trivy/v0.25…
| Scanner | OS Packages | Application Dependencies | Easy to use | Accuracy | Suitable for CI |
|---|---|---|---|---|---|
| Trivy | ◯ | ◯ | ◯ | ◎ | ◯ |
| Clair | ◯ | × | △ | ◯ | △ |
| Anchore Engine | ◯ | △ | △ | ◯ | △ |
| Quay | ◯ | × | ◯ | ◯ | × |
| MicroScanner | ◯ | × | ◯ | △ | ◯ |
| Docker Hub | ◯ | × | ◯ | × | × |
| GCR | ◯ | × | ◯ | ◯ | × |
Source of the comparison: github.com/dmyerscough…
2. Install trivy
```sh
[root@harbor ~]# vi /etc/yum.repos.d/trivy.repo
[trivy]
name=Trivy repository
baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/
gpgcheck=0
enabled=1
[root@harbor ~]# yum -y install trivy
已加载插件:fastestmirror
... ... ... ... ...
总下载量:16 M
安装大小:46 M
Downloading packages:
trivy-0.26.0.el7.x86_64.rpm | 16 MB 00:26:09
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
验证中 : trivy-0.26.0-1.x86_64 1/1
已安装:
trivy.x86_64 0:0.26.0-1
完毕!
[root@harbor ~]# mkdir -p /home/scanner/.cache
```
Note that gpgcheck=0 disables RPM signature verification for this repository. The Trivy repository publishes a signing key at aquasecurity.github.io/trivy-repo/rpm/public.key, so setting gpgcheck=1 with gpgkey pointing at that URL verifies the package before it is installed.
III. Install Harbor (v2.4.2) and integrate Trivy (v0.25.3)
1. Download and extract into /usr/local/
```sh
[root@harbor ~]# wget https://github.com/goharbor/harbor/releases/download/v2.4.2/harbor-online-installer-v2.4.2.tgz
[root@harbor ~]# tar zxvf harbor-online-installer-v2.4.2.tgz -C /usr/local/
```
2. Create the CA certificate, the Harbor server certificate and the Docker client certificate
- CA
  - ca.key: CA private key (CA = Certification Authority)
  - ca.crt: self-signed root certificate, issued to the domain ca.harbor.demo
- Harbor
  - harbor.demo.server.key: Harbor server private key
  - harbor.demo.server.csr: Certificate Signing Request
  - v3.ext: the x509 v3 extension file
  - harbor.demo.server.cert: Harbor server certificate, issued to the domain harbor.demo
- docker
  - docker.client.key: Docker client private key
  - docker.client.csr: Docker client certificate signing request
  - docker.client.cert: Docker client certificate
- CERT and CRT are both abbreviations of Certificate
- The commands are as follows
```sh
[root@harbor ~]# openssl genrsa -out ca.key 4096
[root@harbor ~]# openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=GD/L=Shenzhen/O=jason/OU=Personal/CN=ca.harbor.demo" \
-key ca.key -out ca.crt
[root@harbor ~]# openssl genrsa -out harbor.demo.server.key 4096
[root@harbor ~]# openssl req -sha512 -new \
-subj "/C=CN/ST=GD/L=Shenzhen/O=jason/OU=Personal/CN=harbor.demo" \
-key harbor.demo.server.key -out harbor.demo.server.csr
[root@harbor ~]# cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @jason
[jason]
DNS.1=harbor.demo
DNS.2=harbor
DNS.3=hostname
EOF
[root@harbor ~]# openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in harbor.demo.server.csr \
-out harbor.demo.server.cert
[root@harbor ~]# rm -rf harbor.demo.server.csr
[root@harbor ~]# openssl genrsa -out docker.client.key 4096
[root@harbor ~]# openssl req -sha512 -new \
-subj "/C=CN/ST=GD/L=Shenzhen/O=jason/OU=Personal/CN=docker" \
-key docker.client.key -out docker.client.csr
[root@harbor ~]# openssl x509 -req -sha512 -days 3650 \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in docker.client.csr \
-out docker.client.cert
[root@harbor ~]# rm -rf docker.client.csr
[root@harbor ~]# mkdir -p /etc/docker/certs.d/harbor.demo
[root@harbor ~]# yes | mv docker.client.key /etc/docker/certs.d/harbor.demo/
[root@harbor ~]# yes | mv docker.client.cert /etc/docker/certs.d/harbor.demo/
[root@harbor ~]# yes | cp ca.crt /etc/docker/certs.d/harbor.demo/
[root@harbor ~]# systemctl restart docker
[root@harbor ~]#
```
The openssl options used above:
- req: generate a certificate signing request
- -x509: output a self-signed X.509 certificate directly instead of a request; X.509 is the most widely used certificate format
- -new: generate a new request
- -key: the private key file to use
- -nodes: do not encrypt the private key
- -out: output file
- -subj: the subject (user and organisation information)
- -days: validity period in days
ca.key is written unencrypted; whoever holds it can issue certificates that every Docker host trusting ca.crt will accept, so restrict its permissions and keep it off the registry host once signing is done.
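The following script is an added example and not part of the original post: it repeats the page's CA-then-server-certificate flow in a scratch directory and then checks the three things a Docker client or browser actually verifies against this registry: that the server certificate chains to ca.crt, that the registry hostname is present in subjectAltName (hostname matching uses the SAN, not the subject CN), and that the private key belongs to the certificate. Directory, hostname and key size are parameters, the subject fields mirror the page, and the openssl CLI is assumed to be installed.

```sh
#!/bin/sh
# Added example (not the post's own commands): generate and verify a Harbor
# server certificate set. All file names are derived from the arguments.
set -eu

# gen_harbor_certs DIR HOST [BITS]: create ca.key/ca.crt and HOST.server.{key,csr,cert}
# under DIR, signing the server certificate with a SAN for HOST as the page's v3.ext does.
gen_harbor_certs() {
  dir=$1; host=$2; bits=${3:-4096}
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" "$bits" 2>/dev/null
  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/C=CN/ST=GD/L=Shenzhen/O=jason/OU=Personal/CN=ca.$host" \
    -key "$dir/ca.key" -out "$dir/ca.crt"
  openssl genrsa -out "$dir/$host.server.key" "$bits" 2>/dev/null
  openssl req -sha512 -new \
    -subj "/C=CN/ST=GD/L=Shenzhen/O=jason/OU=Personal/CN=$host" \
    -key "$dir/$host.server.key" -out "$dir/$host.server.csr"
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl x509 -req -sha512 -days 3650 -extfile "$dir/v3.ext" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -in "$dir/$host.server.csr" -out "$dir/$host.server.cert" 2>/dev/null
}

# cert_has_san CERT HOST: succeed only if HOST appears as a DNS entry in subjectAltName.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

# verify_harbor_certs DIR HOST: print "ok" if HOST.server.cert chains to ca.crt, carries
# the SAN for HOST and matches HOST.server.key; otherwise print the failing check.
verify_harbor_certs() {
  dir=$1; host=$2; cert="$dir/$host.server.cert"; key="$dir/$host.server.key"
  openssl verify -CAfile "$dir/ca.crt" "$cert" >/dev/null 2>&1 \
    || { echo "chain: $cert does not verify against $dir/ca.crt"; return 1; }
  cert_has_san "$cert" "$host" \
    || { echo "san: $host is not in subjectAltName"; return 1; }
  # Both commands print the SubjectPublicKeyInfo in PEM; they must be byte-identical.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "key: $key does not match $cert"; return 1; }
  echo ok
}

# Stand-alone usage (constructed hostname harbor.demo, temporary directory).
demo_dir=$(mktemp -d)
gen_harbor_certs "$demo_dir" harbor.demo 2048
verify_harbor_certs "$demo_dir" harbor.demo
```

Run the verify step against whatever paths end up in harbor.yml as well: the page generates harbor.demo.server.cert but configures other file names, and a mismatch between the certificate and key files is reported by verify_harbor_certs before nginx refuses to start.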
- Next, configure the Harbor certificate in harbor.yml
3. Edit the configuration: /usr/local/harbor/harbor.yml
```sh
[root@harbor ~]# cd /usr/local/harbor
[root@harbor harbor]# mkdir -p /opt/harbor/data
[root@harbor harbor]# cp harbor.yml.tmpl harbor.yml
[root@harbor harbor]# vi harbor.yml
[root@harbor harbor]# diff harbor.yml harbor.yml.tmpl
5,9c5
< hostname: harbor.demo
<
< # add by jason@vip.qq.com
< self_registration: off
< project_creation_restriction: adminonly
---
> hostname: reg.mydomain.com
21,22c17,18
< certificate: /etc/docker/certs.d/harbor.demo/harbor.demo.crt
< private_key: /etc/docker/certs.d/harbor.demo/harbor.demo.key
---
> certificate: /your/certificate/path
> private_key: /your/private/key/path
38c34
< harbor_admin_password: Harbor12345678
---
> harbor_admin_password: Harbor12345
51c47
< data_volume: /opt/harbor/data
---
> data_volume: /data
[root@harbor harbor]#
```
- Set the hostname
  - hostname: IP address or domain name
- Disable user self-registration (this can also be changed in the admin UI after installation)
  - self_registration: off
- Only administrators may create projects
  - project_creation_restriction: adminonly
- Set the admin password
  - harbor_admin_password: Harbor12345678
- Set the data directory data_volume; the trivy-adapter vulnerability database and other data are stored under it
  - data_volume: /opt/harbor/data
- Configure the HTTPS certificate so that Harbor is accessed over HTTPS
  - certificate: /usr/local/harbor/harbor.demo.cert
  - private_key: /usr/local/harbor/harbor.demo.key
The trivy-adapter vulnerability database path is /opt/harbor/data/trivy-adapter/trivy
If the vulnerability database download fails, it can be downloaded manually from github.com/aquasecurit…
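A small audit of the harbor.yml settings this section changes, added here as an example (not from the original post or the Harbor project): it flags the template placeholders and the well-known default admin password so that they cannot reach production unnoticed. The two sample files are constructed from the diff above and contain only the keys relevant to the checks; a real harbor.yml has many more.

```sh
#!/bin/sh
# Added example (not the post's own code): audit the hardening keys in harbor.yml.
set -eu

# harbor_setting FILE KEY: print the value of KEY (top-level or indented, e.g. https.certificate),
# ignoring commented-out lines; prints nothing if the key is absent.
harbor_setting() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# audit_harbor_yml FILE: print one line per finding; prints nothing when every
# setting the page hardens is in place.
audit_harbor_yml() {
  f=$1
  [ "$(harbor_setting "$f" hostname)" != "reg.mydomain.com" ] \
    || echo "hostname is still the template placeholder reg.mydomain.com"
  [ "$(harbor_setting "$f" harbor_admin_password)" != "Harbor12345" ] \
    || echo "harbor_admin_password is the well-known default Harbor12345"
  [ "$(harbor_setting "$f" self_registration)" = "off" ] \
    || echo "self_registration is not off: anyone reaching the portal can create an account"
  [ "$(harbor_setting "$f" project_creation_restriction)" = "adminonly" ] \
    || echo "project_creation_restriction is not adminonly"
  for k in certificate private_key; do
    case "$(harbor_setting "$f" "$k")" in
      ""|/your/*) echo "https.$k is unset or still the template placeholder" ;;
    esac
  done
}

# write_sample_harbor_yml FILE template|hardened: constructed fragments of
# harbor.yml.tmpl and of the page's edited harbor.yml (values taken from the diff).
write_sample_harbor_yml() {
  if [ "$2" = template ]; then
    cat > "$1" <<'EOF'
hostname: reg.mydomain.com
http:
  port: 80
https:
  port: 443
  certificate: /your/certificate/path
  private_key: /your/private/key/path
harbor_admin_password: Harbor12345
data_volume: /data
EOF
  else
    cat > "$1" <<'EOF'
hostname: harbor.demo

# add by jason@vip.qq.com
self_registration: off
project_creation_restriction: adminonly
http:
  port: 80
https:
  port: 443
  certificate: /etc/docker/certs.d/harbor.demo/harbor.demo.crt
  private_key: /etc/docker/certs.d/harbor.demo/harbor.demo.key
harbor_admin_password: Harbor12345678
data_volume: /opt/harbor/data
EOF
  fi
}

# Stand-alone usage: audit both constructed samples (a real run would pass
# /usr/local/harbor/harbor.yml instead).
sample_dir=$(mktemp -d)
write_sample_harbor_yml "$sample_dir/template.yml" template
write_sample_harbor_yml "$sample_dir/hardened.yml" hardened
echo "template findings:"; audit_harbor_yml "$sample_dir/template.yml"
echo "hardened findings:"; audit_harbor_yml "$sample_dir/hardened.yml"
```

Run it before ./prepare, since prepare bakes these values into the generated container configuration; the password check only catches the template default, so pair it with a real password policy.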
4. Install Harbor
```sh
[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# ./prepare
[root@harbor harbor]# ./install.sh --with-trivy
[Step 0]: checking if docker is installed ...
Note: docker version: 20.10.14
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 2.3.4
[Step 2]: preparing environment ...
[Step 3]: preparing harbor configs ...
prepare base dir is set to /usr/local/harbor
Unable to find image 'goharbor/prepare:v2.4.2' locally
v2.4.2: Pulling from goharbor/prepare
... ... ... ... ... ...
[+] Running 10/10
⠿ Network harbor_harbor Created 0.0s
⠿ Container harbor-log Started 0.5s
⠿ Container redis Started 1.2s
⠿ Container registryctl Started 1.0s
⠿ Container harbor-portal Started 1.2s
⠿ Container harbor-db Started 1.2s
⠿ Container registry Started 1.1s
⠿ Container harbor-core Started 1.4s
⠿ Container nginx Started 1.7s
⠿ Container harbor-jobservice Started 1.7s
✔ ----Harbor has been installed and started successfully.----
[root@harbor harbor]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/redis-photon v2.4.2 61d136910774 2 weeks ago 158MB
goharbor/harbor-registryctl v2.4.2 f43545bdfd12 2 weeks ago 138MB
goharbor/registry-photon v2.4.2 1927be8b8775 2 weeks ago 80.8MB
goharbor/nginx-photon v2.4.2 4189bfe82749 2 weeks ago 47.3MB
goharbor/harbor-log v2.4.2 b2279d3a2ba5 2 weeks ago 162MB
goharbor/harbor-jobservice v2.4.2 d22f0a749835 2 weeks ago 222MB
goharbor/harbor-core v2.4.2 672a56385d29 2 weeks ago 199MB
goharbor/harbor-portal v2.4.2 bc60d9eaf4ad 2 weeks ago 56.3MB
goharbor/harbor-db v2.4.2 91d13ec46b2c 2 weeks ago 226MB
goharbor/prepare v2.4.2 d2100ed70ba4 2 weeks ago 269MB
[root@harbor harbor]# docker-compose down
[root@harbor harbor]# docker-compose up -d
[root@harbor harbor]# docker-compose ps
NAME COMMAND SERVICE STATUS PORTS
harbor-core "/harbor/entrypoint.…" core running (healthy)
harbor-db "/docker-entrypoint.…" postgresql running (healthy)
harbor-jobservice "/harbor/entrypoint.…" jobservice running (healthy)
harbor-log "/bin/sh -c /usr/loc…" log running (healthy) 127.0.0.1:1514->10514/tcp
harbor-portal "nginx -g 'daemon of…" portal running (healthy)
nginx "nginx -g 'daemon of…" proxy running (healthy) 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp
redis "redis-server /etc/r…" redis running (healthy)
registry "/home/harbor/entryp…" registry running (healthy)
registryctl "/home/harbor/start.…" registryctl running (healthy)
trivy-adapter "/home/scanner/entry…" trivy-adapter running (healthy)
[root@harbor harbor]#
```
- Container images have to be downloaded, so the process takes a while and prints a lot of log output; be patient
- Common commands
```sh
[root@harbor ~]# cd /usr/local/harbor/
[root@harbor harbor]# docker-compose start
[root@harbor harbor]# docker-compose stop
[root@harbor harbor]# docker-compose up -d
[root@harbor harbor]# docker-compose down
```
start starts the already created (existing) containers and pairs with stop; down is equivalent to stop followed by rm and pairs with up
5. Test: log in to harbor.demo from the command line
```sh
[root@harbor ~]# docker login harbor.demo
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@harbor ~]#
[root@harbor ~]# docker login -u admin -p Harbor12345678 https://harbor.demo
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@harbor ~]#
```
The second form passes the password on the command line, which leaves it in the shell history and the process list; as the warning says, use --password-stdin instead.
IV. Web access test
- Enter the registry address in the browser, for example harbor.demo
- On the Windows client, add the following line to C:\Windows\System32\drivers\etc\hosts
```text
192.168.66.130 harbor.demo
```
V. Test container image scanning with alpine:3.15 and ubuntu:18.04
1. Search for and pull the container image
```sh
[root@harbor ~]# docker search alpine
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
alpine A minimal Docker image based on Alpine Linux… 8654 [OK]
alpine/git A simple git container running in alpine li… 195 [OK]
alpine/socat Run socat command in alpine container 79 [OK]
alpine/helm Auto-trigger docker build for kubernetes hel… 52
[root@harbor ~]# curl -s -S "https://registry.hub.docker.com/v2/repositories/library/alpine/tags/" | \
sed -e 's/,/,\n/g' -e 's/\[/\[\n/g' | \
grep '"name"' | \
awk -F\" '{print $4;}' | \
sort -fu | \
sed -e "s/^/alpine:/"
alpine:3
alpine:3.12
alpine:3.12.12
alpine:3.13
alpine:3.13.10
alpine:3.14
alpine:3.14.6
alpine:3.15
alpine:3.15.4
alpine:latest
[root@harbor ~]# docker pull alpine:3.15
[root@harbor ~]# docker tag alpine:3.15 harbor.demo/os/alpine:3.15
[root@harbor ~]# docker push harbor.demo/os/alpine:3.15
```
2. Scan the container image
View the vulnerabilities found on the image's detail page, as shown in the screenshot below
3. Using trivy directly via Docker (this step can be skipped)
Scan reports are stored under /opt/harbor/data/trivy-adapter/reports
```sh
[root@harbor ~]# docker pull aquasec/trivy:0.25.3
[root@harbor ~]# mkdir -p /opt/trivy/cache
[root@harbor ~]# docker run --rm -v /opt/trivy/cache:/root/.cache/ aquasec/trivy:0.25.3 image alpine:3.15
2022-04-07T15:40:27.121Z INFO Need to update DB
2022-04-07T15:40:27.121Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-04-07T15:40:27.121Z INFO Downloading DB...
... ... ... ... ...
2022-04-07T16:25:34.653Z INFO Detected OS: alpine
2022-04-07T16:25:34.654Z INFO Detecting Alpine vulnerabilities...
2022-04-07T16:25:34.654Z INFO Number of language-specific files: 0
alpine:3.15 (alpine 3.15.4)
===========================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
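A scan that prints a summary is only useful if something acts on it. The script below is an added example (not from the original post or from Trivy) that turns the "Total:" summary lines of Trivy's table output, in the format shown above, into a pass/fail decision suitable for a pipeline step. It sums HIGH and CRITICAL across all scanned targets, because an image with language lock files produces one summary line per target. The sample reports are constructed here: the alpine one copies the page's result, the ubuntu:18.04 numbers and the requirements.txt target are made up.

```sh
#!/bin/sh
# Added example (not the post's own code): gate on Trivy table-output summaries.
set -eu

# trivy_counts FILE...: sum HIGH and CRITICAL over every "Total:" line (one per
# scanned target) and print "HIGH CRITICAL".
trivy_counts() {
  awk '/^Total:/ {
         for (i = 1; i <= NF; i++) {
           if ($i == "HIGH:")     high += $(i + 1)   # "2," converts to 2 in awk
           if ($i == "CRITICAL:") crit += $(i + 1)   # "0)" converts to 0
         }
       }
       END { printf "%d %d\n", high, crit }' "$@"
}

# trivy_gate MAX_HIGH FILE: succeed when CRITICAL is 0 and HIGH <= MAX_HIGH, fail otherwise.
trivy_gate() {
  max_high=$1; report=$2
  counts=$(trivy_counts "$report")
  high=${counts% *}; crit=${counts#* }
  if [ "$crit" -gt 0 ] || [ "$high" -gt "$max_high" ]; then
    echo "FAIL $report: HIGH=$high CRITICAL=$crit (allowed: HIGH<=$max_high, CRITICAL=0)"
    return 1
  fi
  echo "PASS $report: HIGH=$high CRITICAL=$crit"
}

# write_sample_reports DIR: constructed Trivy table output for two images.
write_sample_reports() {
  mkdir -p "$1"
  cat > "$1/alpine.txt" <<'EOF'
alpine:3.15 (alpine 3.15.4)
===========================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
EOF
  cat > "$1/ubuntu.txt" <<'EOF'
ubuntu:18.04 (ubuntu 18.04)
===========================
Total: 12 (UNKNOWN: 0, LOW: 9, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

usr/share/app/requirements.txt (pip)
====================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)
EOF
}

# Stand-alone usage over the constructed reports.
report_dir=$(mktemp -d)
write_sample_reports "$report_dir"
trivy_gate 0 "$report_dir/alpine.txt"
trivy_gate 5 "$report_dir/ubuntu.txt" || echo "ubuntu:18.04 would be blocked"
```

When Trivy itself runs in the pipeline, its own --exit-code 1 --severity HIGH,CRITICAL flags give the same effect per severity; this script is for reports that were saved as text and evaluated later, or for applying a HIGH budget that differs from the CRITICAL one.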
References
- blog.csdn.net/qq_31977125…
- www.jianshu.com/p/06131ef0a…
- github.com/dmyerscough…
- Anchore vs Clair vs Trivy comparison: www.a10o.net/devsecops/d…
- blog.csdn.net/weixin_3829…
- Start by using it: get to know Kubernetes (k8s) through hands-on practice; understanding comes naturally once enough experience has accumulated
- Sharing what I have understood sows my own field of merit and earns my own blessings
- Keep things simple and easy to understand; the context of knowledge, such as versions and dates, is part of the knowledge
- Comments and questions are welcome; I usually reply and update the document at weekends
- Jason@vip.qq.com 2022-4-1