diff --git a/make/common/templates/clair/config.yaml b/make/common/templates/clair/config.yaml
new file mode 100644
index 000000000..b09a0870f
--- /dev/null
+++ b/make/common/templates/clair/config.yaml
@@ -0,0 +1,23 @@
+clair:
+ database:
+ type: pgsql
+ options:
+ source: postgresql://postgres:$password@postgres:5432?sslmode=disable
+
+ # Number of elements kept in the cache
+ # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
+ cachesize: 16384
+
+ api:
+ # API server port
+ port: 6060
+ healthport: 6061
+
+ # Deadline before an API request will respond with a 503
+ timeout: 300s
+ updater:
+ interval: 0h
+
+ notifier:
+ attempts: 3
+ renotifyinterval: 2h
diff --git a/make/common/templates/clair/postgres_env b/make/common/templates/clair/postgres_env
new file mode 100644
index 000000000..787c6df0b
--- /dev/null
+++ b/make/common/templates/clair/postgres_env
@@ -0,0 +1 @@
+POSTGRES_PASSWORD=$password
diff --git a/make/docker-compose.clair.yml b/make/docker-compose.clair.yml
new file mode 100644
index 000000000..b6e5b46af
--- /dev/null
+++ b/make/docker-compose.clair.yml
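Review bot: The `source:` DSN on the fifth added line splices `$password` into a URL verbatim, so the render step in make/prepare must either URL-encode the value or guarantee it contains none of the reserved characters (`@`, `:`, `/`, `?`); the literal this commit substitutes happens to be safe, a generated password would not be. The same line sets `sslmode=disable`, which is only acceptable while postgres is reachable solely over the private harbor-clair compose network the commit creates, and that assumption deserves a comment on the line, e.g. `# plaintext is acceptable only because postgres is reachable solely via the harbor-clair network`. The cache comment also has a typo: `# Values unlikely to change (e.g. namespaces) are cached to prevent needless roundtrips to the database.`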
@@ -0,0 +1,48 @@
+version: '2'
+services:
+ ui:
+ networks:
+ harbor-clair:
+ aliases:
+ - harbor-ui
+ jobservice:
+ networks:
+ - harbor-clair
+ postgres:
+ networks:
+ harbor-clair:
+ aliases:
+ - postgres
+ container_name: clair-db
+ image: postgres:latest
+ restart: always
+ depends_on:
+ - log
+ env_file:
+ ./common/config/clair/postgres_env
+ volumes:
+ - /data/clair-db:/var/lib/postgresql/data
+ logging:
+ driver: "syslog"
+ options:
+ syslog-address: "tcp://127.0.0.1:1514"
+ tag: "clair-db"
+ clair:
+ networks:
+ - harbor-clair
+ container_name: clair
+ image: quay.io/coreos/clair:v2.0.0-rc.0
+ restart: always
+ depends_on:
+ - postgres
+ volumes:
+ - ./common/config/clair:/config
+ command: [-config, /config/config.yaml]
+ logging:
+ driver: "syslog"
+ options:
+ syslog-address: "tcp://127.0.0.1:1514"
+ tag: "clair"
+networks:
+ harbor-clair:
+ external: false
diff --git a/make/prepare b/make/prepare
index 0366ebc30..ce75eba5d 100755
--- a/make/prepare
+++ b/make/prepare
@@ -95,6 +95,7 @@ def delfile(src): parser = argparse.ArgumentParser() parser.add_argument('--conf', dest='cfgfile', default=base_dir+'/harbor.cfg',type=str,help="the path of Harbor configuration file") parser.add_argument('--with-notary', dest='notary_mode', default=False, action='store_true', help="the Harbor instance is to be deployed with notary") +parser.add_argument('--with-clair', dest='clair_mode', default=False, action='store_true', help="the Harbor instance is to be deployed with clair") args = parser.parse_args() delfile(config_dir)
@@ -223,7 +224,8 @@ render(os.path.join(templates_dir, "adminserver", "env"), jobservice_secret=jobservice_secret, token_expiration=token_expiration, admiral_url=admiral_url, - with_notary=args.notary_mode + with_notary=args.notary_mode, + scanner=args.clair_mode and "clair" or "none" ) render(os.path.join(templates_dir, "ui", "env"), 
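Review bot: `image: postgres:latest` on the clair-db service is an unpinned, mutable tag while the clair service beside it is pinned to `quay.io/coreos/clair:v2.0.0-rc.0`; because the cluster files persist in `/data/clair-db`, a later pull that resolves to a newer PostgreSQL major version will refuse to start on the existing data directory until someone migrates the cluster by hand. Pin a specific major version, e.g. `image: postgres:9.6`, so that a database upgrade is a deliberate step rather than a side effect of `docker-compose pull`. Note also that `depends_on: - postgres` only orders container start-up, not database readiness; if clair does not retry its initial connection, a `healthcheck:` on clair-db would close that gap — confirm against clair's start-up behaviour.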
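Review bot: `scanner=args.clair_mode and "clair" or "none"` relies on the `and/or` idiom, which silently yields the wrong branch whenever the middle operand is falsy; it works here only because `"clair"` is a non-empty string, and the next person who changes that value will not see the trap. Write it as a conditional expression: `scanner="clair" if args.clair_mode else "none"`. The `render(...)` call this keyword argument belongs to opens before the hunk.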
@@ -364,10 +366,18 @@ if args.notary_mode: ssl_cert = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_path)), ssl_cert_key = os.path.join("/etc/nginx/cert", os.path.basename(target_cert_key_path))) - default_alias = get_alias(secretkey_path) render(os.path.join(notary_temp_dir, "signer_env"), os.path.join(notary_config_dir, "signer_env"), alias = default_alias) +if args.clair_mode: + pg_password = "password" + clair_temp_dir = os.path.join(templates_dir, "clair") + clair_config_dir = prep_conf_dir(config_dir, "clair") + postgres_env = os.path.join(clair_config_dir, "postgres_env") + render(os.path.join(clair_temp_dir, "postgres_env"), postgres_env, password = pg_password) + clair_conf = os.path.join(clair_config_dir, "config.yaml") + render(os.path.join(clair_temp_dir, "config.yaml"), clair_conf, password = pg_password) + FNULL.close() print("The configuration files are ready, please use docker-compose to start the service.")
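Review bot: `pg_password = "password"` hard-codes the PostgreSQL superuser password and renders it into both `postgres_env` and `config.yaml`, so every installation built with `--with-clair` shares one credential and any service attached to the harbor-clair network (ui and jobservice are, per docker-compose.clair.yml) can connect as `postgres`. Derive it the way the other secrets in this script are produced (or from `os.urandom`), bearing in mind that `POSTGRES_PASSWORD` only takes effect when the data directory at `/data/clair-db` is first initialised, so the value must be persisted and reused on later `prepare` runs rather than regenerated each time. Separately, removing `default_alias = get_alias(secretkey_path)` leaves the surviving `alias = default_alias` argument depending on an assignment elsewhere in the file; if none exists outside this hunk, the notary branch now raises NameError. The `if args.notary_mode:` block this hunk edits starts before the hunk.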