Enable Clair in HA

Run clair with Core Harbor services
Add check logic for Clair DB

Makefile

@@ -306,6 +306,8 @@ modify_composefile_clair:
 	@cp $(DOCKERCOMPOSEFILEPATH)/$(DOCKERCOMPOSECLAIRTPLFILENAME) $(DOCKERCOMPOSEFILEPATH)/$(DOCKERCOMPOSECLAIRFILENAME)
 	@$(SEDCMD) -i 's/__postgresql_version__/$(CLAIRDBVERSION)/g' $(DOCKERCOMPOSEFILEPATH)/$(DOCKERCOMPOSECLAIRFILENAME)
 	@$(SEDCMD) -i 's/__clair_version__/$(CLAIRVERSION)-$(VERSIONTAG)/g' $(DOCKERCOMPOSEFILEPATH)/$(DOCKERCOMPOSECLAIRFILENAME)
+	@cp $(DOCKERCOMPOSEFILEPATH)/ha/$(DOCKERCOMPOSECLAIRTPLFILENAME) $(DOCKERCOMPOSEFILEPATH)/ha/$(DOCKERCOMPOSECLAIRFILENAME)
+	@$(SEDCMD) -i 's/__clair_version__/$(CLAIRVERSION)-$(VERSIONTAG)/g' $(DOCKERCOMPOSEFILEPATH)/ha/$(DOCKERCOMPOSECLAIRFILENAME)
 
 modify_sourcefiles:
 	@echo "change mode of source files."

make/ha/docker-compose.clair.tpl

@@ -0,0 +1,32 @@
+version: '2'
+services:
+  ui:
+    networks:
+      harbor-clair:
+        aliases:
+          - harbor-ui
+  jobservice:
+    networks:
+      - harbor-clair
+  registry:
+    networks:
+      - harbor-clair
+  clair:
+    networks:
+      - harbor-clair
+    container_name: clair
+    image: vmware/clair-photon:__clair_version__
+    restart: always
+    cpu_quota: 150000
+    depends_on:
+      - log
+    volumes:
+      - ./common/config/clair:/config
+    logging:
+      driver: "syslog"
+      options:
+        syslog-address: "tcp://127.0.0.1:1514"
+        tag: "clair"
+networks:
+  harbor-clair:
+    external: false

make/install.sh

@@ -165,7 +165,7 @@ if [ $with_notary ] && [ ! $harbor_ha ]
 then
 	prepare_para="${prepare_para} --with-notary"
 fi
-if [ $with_clair ] && [ ! $harbor_ha ]
+if [ $with_clair ]
 then
 	prepare_para="${prepare_para} --with-clair"
 fi
@@ -182,7 +182,7 @@ if [ $with_notary ] && [ ! $harbor_ha ]
 then
 	docker_compose_list="${docker_compose_list} -f docker-compose.notary.yml"
 fi
-if [ $with_clair ] && [ ! $harbor_ha ]
+if [ $with_clair ]
 then
 	docker_compose_list="${docker_compose_list} -f docker-compose.clair.yml"
 fi
@@ -199,6 +199,8 @@ if [ $harbor_ha ]
 then
     mv docker-compose.yml docker-compose.yml.bak 
     cp ha/docker-compose.yml docker-compose.yml
+    mv docker-compose.clair.yml docker-compose.clair.yml.bak
+    cp ha/docker-compose.clair.yml docker-compose.clair.yml
 fi
 docker-compose $docker_compose_list up -d
 

make/prepare

@@ -30,8 +30,13 @@ def validate(conf, args):
         redis_url = rcp.get("configuration", "redis_url")
         if redis_url is None or len(redis_url) < 1:
             raise Exception("Error: In HA mode redis is required redis_url need to point to an redis cluster")
-        if args.notary_mode or args.clair_mode:
-            raise Exception("Error: HA mode doesn't support clair and notary currently")
+        if args.notary_mode:
+            raise Exception("Error: HA mode doesn't support Notary currently")
+        if args.clair_mode:
+            clair_db_host = rcp.get("configuration", "clair_db_host")
+            if "postgres" == clair_db_host:
+                raise Exception("Error: In HA mode, clair_db_host in harbor.cfg needs to point to an external Postgres DB address.")
+
         cert_path = rcp.get("configuration", "ssl_cert")
         cert_key_path = rcp.get("configuration", "ssl_cert_key")
         shared_cert_key = os.path.join(base_dir, "ha", os.path.basename(cert_key_path))