Merge pull request #6721 from SDBrett/clair-import-doc

Updated clair db import for Harbor 1.6+
This commit is contained in:
Wenkai Yin 2019-02-12 19:54:55 +08:00 committed by GitHub
commit 9c8c96ad4f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -2,13 +2,13 @@
Harbor has integrated with Clair to scan vulnerabilities in images. When Harbor is installed in an environment without internet connection, Clair cannot fetch data from the public vulnerability database. Under this circumstance, Harbor administrator needs to manually update the Clair database. Harbor has integrated with Clair to scan vulnerabilities in images. When Harbor is installed in an environment without internet connection, Clair cannot fetch data from the public vulnerability database. Under this circumstance, Harbor administrator needs to manually update the Clair database.
This document provides step-by-step instructions on updating Clair vulnerability database in Harbor v1.2. This document provides step-by-step instructions on updating Clair vulnerability database in Harbor.
**NOTE:** Harbor does not ship with any vulnerability data. For this reason, if Harbor cannot connect to Internet, the administrator must manually import vulnerability data to Harbor by using instructions given in this document. **NOTE:** Harbor does not ship with any vulnerability data. For this reason, if Harbor cannot connect to Internet, the administrator must manually import vulnerability data to Harbor by using instructions given in this document.
### Preparation ### Preparation
A. You need to install an instance of Clair 2.0.1 with internet connection. If you have another instance of Harbor v1.2 with internet access, it also works. A. You need to install an instance of Clair with internet connection. If you have another instance of Harbor with internet access, it also works.
B. Check whether your Clair instance has already updated the vulnerability database to the latest version. If it has not, wait for Clair to get the data from public endpoints. B. Check whether your Clair instance has already updated the vulnerability database to the latest version. If it has not, wait for Clair to get the data from public endpoints.
@ -29,28 +29,39 @@ B. Check whether your Clair instance has already updated the vulnerability datab
``` ```
- The phrase "finished fetching" indicates that Clair has finished a round of vulnerability update from an endpoint. Please make sure all five endpoints (rhel, alpine, oracle, debian, ubuntu) are updated correctly. - The phrase "finished fetching" indicates that Clair has finished a round of vulnerability update from an endpoint. Please make sure all five endpoints (rhel, alpine, oracle, debian, ubuntu) are updated correctly.
## Harbor version < 1.6
If you're using a version of Harbor prior to 1.6, you can access the correct instructions for your version using the following URL.
https://github.com/goharbor/harbor/blob/v\<VERSION NUMBER>/docs/import_vulnerability_data.md
## Harbor version >= 1.6
Databased were consolidated in version 1.6 which moved the clair database to the harbor-db container and removed the clair-db container.
### Dumping vulnerability data ### Dumping vulnerability data
- Log in to the host (that is connected to Internet) where Clair database (Postgres) is running. - Log in to the host (that is connected to Internet) where Clair database (Postgres) is running.
- Dump Clair's vulnerability database by the following commands, two files (`vulnerability.sql` and `clear.sql`) are generated: - Dump Clair's vulnerability database by the following commands, two files (`vulnerability.sql` and `clear.sql`) are generated:
_NOTE: The container name 'clair-db' is a placeholder for the db container used by the internet connected instance of clair_
``` ```
$ docker exec clair-db /bin/bash -c "pg_dump -U postgres -a -t feature -t keyvalue -t namespace -t schema_migrations -t vulnerability -t vulnerability_fixedin_feature" > vulnerability.sql $ docker exec clair-db /bin/sh -c "pg_dump -U postgres -a -t feature -t keyvalue -t namespace -t schema_migrations -t vulnerability -t vulnerability_fixedin_feature" > vulnerability.sql
$ docker exec clair-db /bin/bash -c "pg_dump -U postgres -c -s" > clear.sql $ docker exec clair-db /bin/sh -c "pg_dump -U postgres -c -s" > clear.sql
``` ```
### Back up Harbor's Clair database ### Back up Harbor's Clair database
Before importing the data, it is strongly recommended to back up the Clair database in Harbor. Before importing the data, it is strongly recommended to back up the Clair database in Harbor.
``` ```
$ docker exec clair-db /bin/bash -c "pg_dump -U postgres -c" > all.sql $ docker exec harbor-db /bin/sh -c "pg_dump -U postgres -c" > all.sql
``` ```
### Update Harbor's Clair database ### Update Harbor's Clair database
Copy the `vulnerability.sql` and `clear.sql` to the host where Harbor is running on. Run the below commands to import the data to Harbor's Clair database: Copy the `vulnerability.sql` and `clear.sql` to the host where Harbor is running on. Run the below commands to import the data to Harbor's Clair database:
``` ```
$ docker exec -i clair-db psql -U postgres < clear.sql $ docker exec -i harbor-db psql -U postgres < clear.sql
$ docker exec -i clair-db psql -U postgres < vulnerability.sql $ docker exec -i harbor-db psql -U postgres < vulnerability.sql
``` ```
### Rescanning images ### Rescanning images