Merge pull request #2166 from reasonerjt/deploy-clair

use docker-compose to deploy clair with harbor

make/common/templates/clair/config.yaml

@@ -0,0 +1,23 @@
+clair:
+  database:
+    type: pgsql
+    options:
+      source: postgresql://postgres:$password@postgres:5432?sslmode=disable
+
+      # Number of elements kept in the cache
+      # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
+      cachesize: 16384
+
+  api:
+    # API server port
+    port: 6060
+    healthport: 6061
+
+    # Deadline before an API request will respond with a 503
+    timeout: 300s
+  updater:
+    interval: 0h
+
+  notifier:
+    attempts: 3
+    renotifyinterval: 2h

make/common/templates/clair/postgres_env

@@ -0,0 +1 @@
+POSTGRES_PASSWORD=$password

make/docker-compose.clair.yml

@@ -0,0 +1,48 @@
+version: '2'
+services:
+  ui:
+    networks:
+      harbor-clair:
+        aliases:
+          - harbor-ui
+  jobservice:
+    networks:
+      - harbor-clair
+  postgres:
+    networks:
+      harbor-clair:
+        aliases:
+          - postgres
+    container_name: clair-db
+    image: postgres:latest
+    restart: always
+    depends_on:
+      - log
+    env_file:
+      ./common/config/clair/postgres_env
+    volumes:
+      - /data/clair-db:/var/lib/postgresql/data
+    logging:
+      driver: "syslog"
+      options:  
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "clair-db"
+  clair:
+    networks:
+      - harbor-clair
+    container_name: clair
+    image: quay.io/coreos/clair:v2.0.0-rc.0
+    restart: always
+    depends_on:
+      - postgres
+    volumes:
+      - ./common/config/clair:/config
+    command: [-config, /config/config.yaml]
+    logging:
+      driver: "syslog"
+      options:  
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "clair"
+networks:
+  harbor-clair:
+    external: false

make/prepare

@@ -95,6 +95,7 @@ def delfile(src):
 parser = argparse.ArgumentParser()
 parser.add_argument('--conf', dest='cfgfile', default=base_dir+'/harbor.cfg',type=str,help="the path of Harbor configuration file")
 parser.add_argument('--with-notary', dest='notary_mode', default=False, action='store_true', help="the Harbor instance is to be deployed with notary")
+parser.add_argument('--with-clair', dest='clair_mode', default=False, action='store_true', help="the Harbor instance is to be deployed with clair")
 args = parser.parse_args()
 
 delfile(config_dir)
@@ -223,7 +224,8 @@ render(os.path.join(templates_dir, "adminserver", "env"),
         jobservice_secret=jobservice_secret,
         token_expiration=token_expiration,
         admiral_url=admiral_url,
-        with_notary=args.notary_mode
+        with_notary=args.notary_mode,
+        scanner=args.clair_mode and "clair" or "none"
 	)
 
 render(os.path.join(templates_dir, "ui", "env"), 
@@ -364,10 +366,18 @@ if args.notary_mode:
             ssl_cert = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_path)),
             ssl_cert_key = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_key_path)))
 
-
     default_alias = get_alias(secretkey_path)
     render(os.path.join(notary_temp_dir, "signer_env"), os.path.join(notary_config_dir, "signer_env"), alias = default_alias)
 
+if args.clair_mode:
+    pg_password = "password"
+    clair_temp_dir = os.path.join(templates_dir, "clair")
+    clair_config_dir = prep_conf_dir(config_dir, "clair")
+    postgres_env = os.path.join(clair_config_dir, "postgres_env") 
+    render(os.path.join(clair_temp_dir, "postgres_env"), postgres_env, password = pg_password)
+    clair_conf = os.path.join(clair_config_dir, "config.yaml")
+    render(os.path.join(clair_temp_dir, "config.yaml"), clair_conf, password = pg_password)
+
 FNULL.close()
 print("The configuration files are ready, please use docker-compose to start the service.")