mirror of https://github.com/goharbor/harbor.git
synced 2024-12-18 06:38:19 +01:00
Linking and rewrites
This commit is contained in:
parent fe7cf8dddb
commit 62673be6da
@ -4,23 +4,16 @@

# Import Vulnerability Data to an Offline Harbor instance

Harbor has integrated with Clair to scan vulnerabilities in images. When Harbor is installed in an environment without internet connection, Clair cannot fetch data from the public vulnerability database. Under this circumstance, Harbor administrator needs to manually update the Clair database.
If Harbor is installed in an environment without an internet connection, Clair cannot fetch data from the public vulnerability database. In this case, the Harbor administrator must update the Clair database manually.

This document provides step-by-step instructions on updating Clair vulnerability database in Harbor.
## Preparation

**NOTE:** Harbor does not ship with any vulnerability data. For this reason, if Harbor cannot connect to Internet, the administrator must manually import vulnerability data to Harbor by using instructions given in this document.
- You have an instance of Clair that has an internet connection. If you have another instance of Harbor that has internet access, this also works.
- Check whether your Clair instance has already updated its vulnerability database to the latest version.

### Preparation

A. You need to install an instance of Clair with internet connection. If you have another instance of Harbor with internet access, it also works.

B. Check whether your Clair instance has already updated the vulnerability database to the latest version. If it has not, wait for Clair to get the data from public endpoints.

- Use command `docker ps` to find out the container id of Clair.

- Run command `docker logs container_id` to check the log of the Clair container. If you are using Harbor you can find the latest Clair log under /var/log/harbor/2017-xx-xx/clair.log

- Look for logs that look like the below:
1. Use `docker ps` to find out the container ID of the Clair service.
1. Run `docker logs <container_id>` to check the log of the Clair container. If you are using Harbor you can find the latest Clair logs under `/var/log/harbor/2017-xx-xx/clair.log`.
1. Look for logs that look like the following:
```
Jul 3 20:40:45 172.18.0.1 clair[3516]: {"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 03:40:45.890364","updater name":"rhel"}
Jul 3 20:40:46 172.18.0.1 clair[3516]: {"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 03:40:46.768924","updater name":"alpine"}
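Review bot: the rewritten step `1. Run `docker logs <container_id>` ...` still hard-codes a stale year in the log path `/var/log/harbor/2017-xx-xx/clair.log`; since the line is being rewritten anyway, use a neutral placeholder such as `/var/log/harbor/<date>/clair.log` so the instruction does not read as 2017-only. Also, the second `## Preparation` bullet ("Check whether your Clair instance has already updated its vulnerability database to the latest version.") is a step, not a prerequisite, and the numbered procedure immediately below repeats it; either drop the bullet or keep only the "You have an instance of Clair that has an internet connection" prerequisite in that list.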
@ -31,45 +24,48 @@ B. Check whether your Clair instance has already updated the vulnerability datab
Jul 4 00:26:18 172.18.0.1 clair[3516]: {"Event":"adding metadata to vulnerabilities","Level":"info","Location":"updater.go:253","Time":"2017-07-04 07:26:18.060810"}
Jul 4 00:38:05 172.18.0.1 clair[3516]: {"Event":"update finished","Level":"info","Location":"updater.go:198","Time":"2017-07-04 07:38:05.251580"}
```
- The phrase "finished fetching" indicates that Clair has finished a round of vulnerability update from an endpoint. Please make sure all five endpoints (rhel, alpine, oracle, debian, ubuntu) are updated correctly.
The phrase `finished fetching` indicates that Clair has finished a round of vulnerability updates from an endpoint. Make sure all of the `rhel`, `alpine`, `oracle`, `debian`, and `ubuntu` endpoints are updated correctly. If they have not, wait for Clair to get the data.

## Harbor version < 1.6
## Dump Vulnerability Data

If you're using a version of Harbor prior to 1.6, you can access the correct instructions for your version using the following URL.
https://github.com/goharbor/harbor/blob/v\<VERSION NUMBER>/docs/import_vulnerability_data.md
1. Log in to the host, that is connected to Internet, on which the Postgres Clair database is running.
1. Dump Clair's vulnerability database by running the following commands.

## Harbor version >= 1.6
**NOTE**: The container name `clair-db` is a placeholder for the database container used by the internet-connected instance of Clair.

Databased were consolidated in version 1.6 which moved the clair database to the harbor-db container and removed the clair-db container.
```
$ docker exec clair-db /bin/sh -c "pg_dump -U postgres -a -t feature -t keyvalue -t namespace -t schema_migrations -t vulnerability -t vulnerability_fixedin_feature" > vulnerability.sql
```

```
$ docker exec clair-db /bin/sh -c "pg_dump -U postgres -c -s" > clear.sql
```

### Dumping vulnerability data
The files `vulnerability.sql` and `clear.sql` are generated.

- Log in to the host (that is connected to Internet) where Clair database (Postgres) is running.
- Dump Clair's vulnerability database by the following commands, two files (`vulnerability.sql` and `clear.sql`) are generated:
## Back Up the Harbor Clair Database

_NOTE: The container name 'clair-db' is a placeholder for the db container used by the internet connected instance of clair_

```
$ docker exec clair-db /bin/sh -c "pg_dump -U postgres -a -t feature -t keyvalue -t namespace -t schema_migrations -t vulnerability -t vulnerability_fixedin_feature" > vulnerability.sql
$ docker exec clair-db /bin/sh -c "pg_dump -U postgres -c -s" > clear.sql
```

### Back up Harbor's Clair database
Before importing the data, it is strongly recommended to back up the Clair database in Harbor.

```
$ docker exec harbor-db /bin/sh -c "pg_dump -U postgres -c" > all.sql
```

### Update Harbor's Clair database
Copy the `vulnerability.sql` and `clear.sql` to the host where Harbor is running on. Run the below commands to import the data to Harbor's Clair database:
## Update the Harbor Clair Database

```
$ docker exec -i harbor-db psql -U postgres < clear.sql
$ docker exec -i harbor-db psql -U postgres < vulnerability.sql
```
1. Copy the `vulnerability.sql` and `clear.sql` files to the host on which Harbor is running.
1. Run the following commands to import the data to the Harbor Clair database:

### Rescanning images
After importing the data, trigger the scanning process in the administrator's web UI: **Administration**->**Configuration**->**Vulnerability**->**SCAN NOW**. Harbor reflects the new changes after the scanning is completed. (Otherwise the summary of the image vulnerabilities will not be displayed correctly.)
```
$ docker exec -i harbor-db psql -U postgres < clear.sql
```
```
$ docker exec -i harbor-db psql -U postgres < vulnerability.sql
```

## Rescan the Images

After importing the data, trigger the scanning process in the Harbor interface. For information about running a scan, see [Scan All Images](scan_all_images.md).

----------
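Review bot: the import commands `docker exec -i harbor-db psql -U postgres < clear.sql` and `... < vulnerability.sql` only apply to Harbor 1.6 and later, where the Clair database lives in the `harbor-db` container, but the rewritten text no longer carries the `## Harbor version < 1.6` / `## Harbor version >= 1.6` split, the note that the Clair database was moved into `harbor-db` in 1.6, or the link to the versioned docs (`https://github.com/goharbor/harbor/blob/v<VERSION NUMBER>/docs/import_vulnerability_data.md`). If those sections are being removed on purpose, say under `## Update the Harbor Clair Database` that the procedure assumes Harbor 1.6 or later and keep a one-line pointer for older releases, otherwise a reader on 1.5 will pipe the dump into the wrong container. Two smaller points in the same hunk: `clear.sql` is produced with `pg_dump -c -s`, i.e. it drops and recreates the Clair schema on the target, so the sentence "it is strongly recommended to back up the Clair database in Harbor" understates it and the `all.sql` backup should be presented as a required step; and the new `## Rescan the Images` text drops the old caveat that the vulnerability summary is not displayed correctly until a rescan has completed, which is worth keeping next to the link to `scan_all_images.md`.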
@ -17,7 +17,7 @@ For information about installing Harbor with Clair, see the [Run the Installer S
You can manually initiate scanning on a particular image, or on all images in Harbor. Additionally, you can also set a policy to automatically scan all of the images at specific intervals.

- [Connect Harbor to Additional Vulnerability Scanners](pluggable_scanners.md)
- [Scan an Individual Image](scan_individual_image.md)
- [Scan Individual Images](scan_individual_image.md)
- [Scan All Images](scan_all_images.md)
- [Schedule Scans](schedule_scans.md)
- [Import Vulnerability Data to an Offline Harbor instance](import_vulnerability_data.md)
@ -39,7 +39,7 @@ This section describes how to use and maintain Harbor after deployment. These da
- [Manage Replications](administration/configuring_replication/manage_replications.md)
- [Vulnerability Scanning](administration/vulnerability_scanning/vulnerability_scanning.md)
- [Connect Harbor to Additional Vulnerability Scanners](administration/vulnerability_scanning/pluggable_scanners.md)
- [Scan an Individual Image](administration/vulnerability_scanning/scan_individual_image.md)
- [Scan Individual Images](administration/vulnerability_scanning/scan_individual_image.md)
- [Scan All Images](administration/vulnerability_scanning/scan_all_images.md)
- [Schedule Scans](administration/vulnerability_scanning/schedule_scans.md)
- [Import Vulnerability Data to an Offline Harbor instance](administration/vulnerability_scanning/import_vulnerability_data.md)