The password to access clair db can be configured in harbor.cfg, skip auto-scan if clair-db is not ready

2024-06-26 14:55:06 +02:00 · 2017-07-17 15:00:48 +08:00 · 2017-07-17 15:00:48 +08:00 · 629cf29850
commit 629cf29850
parent 6f2ff672c4
9 changed files with 40 additions and 10 deletions
--- a/make/common/templates/adminserver/env
+++ b/make/common/templates/adminserver/env
@ -37,4 +37,5 @@ GODEBUG=netdns=cgo
 ADMIRAL_URL=$admiral_url
 WITH_NOTARY=$with_notary
 WITH_CLAIR=$with_clair
+CLAIR_DB_PASSWORD=$pg_password
 RESET=false
--- a/make/harbor.cfg
+++ b/make/harbor.cfg
@ -30,6 +30,10 @@ secretkey_path = /data
 #Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
 admiral_url = NA

+#The password of the Clair's postgres database, only effective when Harbor is deployed with Clair.
+#Please update it before deployment, subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
+clair_db_password = password
+
 #NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
 #only take effect in the first boot, the subsequent changes of these properties 
 #should be performed on web ui
--- a/make/prepare
+++ b/make/prepare
@ -153,6 +153,7 @@ if rcp.has_option("configuration", "admiral_url"):
    admiral_url = rcp.get("configuration", "admiral_url")
 else:
    admiral_url = ""
+pg_password = rcp.get("configuration", "clair_db_password")
 secret_key = get_secret_key(secretkey_path)
 ########

@ -225,13 +226,15 @@ render(os.path.join(templates_dir, "adminserver", "env"),
        token_expiration=token_expiration,
        admiral_url=admiral_url,
        with_notary=args.notary_mode,
-        with_clair=args.clair_mode
+        with_clair=args.clair_mode,
+        pg_password=pg_password
 	)

 render(os.path.join(templates_dir, "ui", "env"), 
        ui_conf_env, 
        ui_secret=ui_secret,
-        jobservice_secret=jobservice_secret,)
+        jobservice_secret=jobservice_secret,
+        )

 render(os.path.join(templates_dir, "registry", 
 		"config.yml"),
@ -370,11 +373,10 @@ if args.notary_mode:
    render(os.path.join(notary_temp_dir, "signer_env"), os.path.join(notary_config_dir, "signer_env"), alias = default_alias)

 if args.clair_mode:
-    pg_password = "password"
    clair_temp_dir = os.path.join(templates_dir, "clair")
    clair_config_dir = prep_conf_dir(config_dir, "clair")
-    print("Copying offline data file for clair DB")
    if os.path.exists(os.path.join(clair_config_dir, "postgresql-init.d")):
+        print("Copying offline data file for clair DB")
        shutil.rmtree(os.path.join(clair_config_dir, "postgresql-init.d"))
    shutil.copytree(os.path.join(clair_temp_dir, "postgresql-init.d"), os.path.join(clair_config_dir, "postgresql-init.d"))
    postgres_env = os.path.join(clair_config_dir, "postgres_env") 
--- a/src/adminserver/systemcfg/systemcfg.go
+++ b/src/adminserver/systemcfg/systemcfg.go
@ -45,6 +45,7 @@ var (
 		common.LDAPSearchPwd,
 		common.MySQLPassword,
 		common.AdminInitialPassword,
+		common.ClairDBPassword,
 	}

 	// all configurations need read from environment variables
@ -120,6 +121,7 @@ var (
 			env:   "WITH_CLAIR",
 			parse: parseStringToBool,
 		},
+		common.ClairDBPassword: "CLAIR_DB_PASSWORD",
 	}

 	// configurations need read from environment variables
@ -144,6 +146,7 @@ var (
 			env:   "WITH_CLAIR",
 			parse: parseStringToBool,
 		},
+		common.ClairDBPassword: "CLAIR_DB_PASSWORD",
 	}
 )

--- a/src/common/const.go
+++ b/src/common/const.go
@ -66,6 +66,7 @@ const (
 	WithNotary                 = "with_notary"
 	WithClair                  = "with_clair"
 	ScanAllPolicy              = "scan_all_policy"
+	ClairDBPassword            = "clair_db_password"

 	DefaultClairEndpoint = "http://clair:6060"
 )
--- a/src/common/dao/base.go
+++ b/src/common/dao/base.go
@ -43,13 +43,13 @@ type Database interface {
 }

 // InitClairDB ...
-func InitClairDB() error {
-	//TODO: Read from env vars.
+func InitClairDB(password string) error {
+	//Except for password other information will not be configurable, so keep it hard coded for 1.2.0.
 	p := &pgsql{
 		host:     "postgres",
 		port:     5432,
 		usr:      "postgres",
-		pwd:      "password",
+		pwd:      password,
 		database: "postgres",
 		sslmode:  false,
 	}
--- a/src/ui/config/config.go
+++ b/src/ui/config/config.go
@ -358,12 +358,20 @@ func ClairEndpoint() string {
 	return common.DefaultClairEndpoint
 }

+// ClairDBPassword returns the password for accessing Clair's DB.
+func ClairDBPassword() (string, error) {
+	cfg, err := mg.Get()
+	if err != nil {
+		return "", err
+	}
+	return cfg[common.ClairDBPassword].(string), nil
+}
+
 // AdmiralEndpoint returns the URL of admiral, if Harbor is not deployed with admiral it should return an empty string.
 func AdmiralEndpoint() string {
 	cfg, err := mg.Get()
 	if err != nil {
 		log.Errorf("Failed to get configuration, will return empty string as admiral's endpoint, error: %v", err)
-
 		return ""
 	}
 	if e, ok := cfg[common.AdmiralEndpoint].(string); !ok || e == "NA" {
--- a/src/ui/main.go
+++ b/src/ui/main.go
@ -92,7 +92,11 @@ func main() {
 		log.Fatalf("failed to initialize database: %v", err)
 	}
 	if config.WithClair() {
-		if err := dao.InitClairDB(); err != nil {
+		clairDBPassword, err := config.ClairDBPassword()
+		if err != nil {
+			log.Fatalf("failed to load clair database information: %v", err)
+		}
+		if err := dao.InitClairDB(clairDBPassword); err != nil {
 			log.Fatalf("failed to initialize clair database: %v", err)
 		}
 	}
--- a/src/ui/service/notifications/registry/handler.go
+++ b/src/ui/service/notifications/registry/handler.go
@ -22,6 +22,7 @@ import (
 	"time"

 	"github.com/vmware/harbor/src/common/dao"
+	clairdao "github.com/vmware/harbor/src/common/dao/clair"
 	"github.com/vmware/harbor/src/common/models"
 	"github.com/vmware/harbor/src/common/utils"
 	"github.com/vmware/harbor/src/common/utils/log"
@ -105,8 +106,14 @@ func (n *NotificationHandler) Post() {
 			}()

 			go api.TriggerReplicationByRepository(pro.ProjectID, repository, []string{tag}, models.RepOpTransfer)
+
 			if autoScanEnabled(project) {
-				if err := uiutils.TriggerImageScan(repository, tag); err != nil {
+				last, err := clairdao.GetLastUpdate()
+				if err != nil {
+					log.Errorf("Failed to get last update from Clair DB, error: %v, the auto scan will be skipped.", err)
+				} else if last == 0 {
+					log.Infof("The Vulnerability data is not ready in Clair DB, the auto scan will be skipped.", err)
+				} else if err := uiutils.TriggerImageScan(repository, tag); err != nil {
 					log.Warningf("Failed to scan image, repository: %s, tag: %s, error: %v", repository, tag, err)
 				}
 			}