README.md

This repository has been archived by the owner on Feb 4, 2022. It is now read-only.

Clair w/ SQS

CoreOS' Clair is a tool that checks your rkt and Docker images for known security vulnerabilities. This repository contains a special distribution of Clair that uses SQS to trigger the analysis of your container images and exposes only protected, read-only access to Clair's API.

Concept

The clair-sqs container takes "layer pushes" via SQS and provides notifications via SNS (the SNS topic can in turn be subscribed to an SQS queue if you prefer to consume notifications from a queue). For that, two sidecars are deployed next to Clair:

  • receiver
    • The receiver listens on an SQS queue and forwards messages to POST /v1/layers in Clair.
  • sender
    • The sender receives notifications from Clair via a local webhook, fetches the notification details and sends those details to an SNS topic.

In addition, skipper is added as a sidecar to provide read-only access to Clair's API. This allows you to provide all detailed information to your users without exposing the capability to insert fake layers.

Architecture Visualization

Usage

As soon as clair-sqs is running, you can push layers to Clair and receive reports about them. The message format is exactly the one described in Clair's documentation for the /v1/layers endpoint:

  • To push layers, send a JSON message to the SQS queue with the same structure as the body of POST /v1/layers. You can also batch layers by wrapping several such objects in a JSON list and sending the list as one message; because the list preserves order, parent layers are indexed before their children and indexing is faster.
  • Each time a layer has been analysed, or the vulnerabilities affecting it might have changed, you receive an SNS notification whose JSON message has the same structure as the response to GET /v1/layers/:name. The SNS message attribute CLAIR.CONTENTTYPE (type String) tells you how to read it: application/json for raw JSON, or application/base64gzip for messages that would otherwise be too big for SNS and are therefore gzipped and base64-encoded. Check the attribute before parsing instead of assuming raw JSON.

Configuration

This Docker container is configured via the following environment variables:

  • CLAIR_DATABASE_SOURCE
    • The PostgreSQL connection string Clair uses (a postgres:// URL, as in the example under Running locally).
  • CLAIR_API_PAGINATIONKEY
    • 32-byte key, URL-safe base64 encoded, used to encrypt pagination tokens. If none is provided, one is generated at start-up, so multiple Clair instances in the same cluster need the same value or tokens issued by one instance are invalid on another.
  • RECEIVER_QUEUE_URL
    • The URL of the SQS queue "layer push" messages are read from.
  • RECEIVER_QUEUE_REGION
    • The region of that SQS queue.
  • RECEIVER_TOPIC_ARN
    • The ARN of the SNS topic the receiver publishes to (feedback on newly pushed layers).
  • RECEIVER_TOPIC_REGION
    • The region of that SNS topic.
  • SENDER_TOPIC_ARN
    • The ARN of the SNS topic the sender publishes Clair's notifications to (feedback on new vulnerabilities).
  • SENDER_TOPIC_REGION
    • The region of that SNS topic.

Building

docker build -t clair-sqs .

Running locally

Run a local PostgreSQL database:

docker run -d --name postgres postgres:9.4

Figure out the linked IP of PostgreSQL and use it in CLAIR_DATABASE_SOURCE below (the example assumes 172.17.0.2):

docker run --link postgres ubuntu env | grep POSTGRES_PORT_5432_TCP_ADDR

Run clair-sqs:

docker run -it --link postgres \
    -p 8080:8080 \
    -p 6060:6060 \
    -v $HOME/.aws:/root/.aws \
    -e CLAIR_DATABASE_SOURCE=postgres://172.17.0.2:5432/postgres\?user=postgres\\\&sslmode=disable \
    -e RECEIVER_QUEUE_URL=https://sqs.eu-central-1.amazonaws.com/1234567890/clair-layers \
    -e RECEIVER_QUEUE_REGION=eu-central-1 \
    -e RECEIVER_TOPIC_ARN=arn:aws:sns:eu-central-1:1234567890:clair-notifications \
    -e RECEIVER_TOPIC_REGION=eu-central-1 \
    -e SENDER_TOPIC_ARN=arn:aws:sns:eu-central-1:1234567890:clair-notifications \
    -e SENDER_TOPIC_REGION=eu-central-1 \
    clair-sqs

Port 8080 (skipper) provides read-only access to the Clair API; port 6060 provides raw Clair API access, including POST /v1/layers. Publishing 6060 is fine for local testing, but outside of it only the read-only port should be reachable by users, since anyone who can reach the raw port can insert fake layers. The same goes for sslmode=disable and for mounting your local AWS credentials into the container: both are for local testing only. For production usage you also want to set CLAIR_API_PAGINATIONKEY explicitly.

Now you can index a Docker image by extracting the layers and pushing the information to SQS:

tools/index-image.sh \
    https://sqs.eu-central-1.amazonaws.com/1234567890/clair-layers eu-central-1 \
    registry.opensource.zalan.do \
    stups ubuntu 15.10-16
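The Usage section above describes the two message formats (a batched POST /v1/layers body going in, a GET /v1/layers/:name report coming back, possibly gzipped and base64-encoded), and tools/index-image.sh turns an image into the former. The following Python is an added example, not clair-sqs code, showing both halves offline: it builds the ordered layer-push batch from a Docker schema 2 manifest (constructed inline; the registry and repository names only echo the command above) and decodes a notification according to its CLAIR.CONTENTTYPE attribute. Using the sha256 hex digest as the layer name, the registry v2 blob URL as Path, and 256 KiB as the gzip threshold are choices of this example, not documented behaviour of clair-sqs; sending to SQS and consuming from SNS are left to your AWS client.

```python
"""Build clair-sqs layer-push messages and decode its SNS notifications.

Added example, not clair-sqs code.  Only the standard library is used, so it
runs offline; pushing to SQS and consuming SNS are left to your AWS client.
"""
import base64
import gzip
import json

# SNS message attribute and values documented by clair-sqs.
CONTENT_TYPE_ATTR = "CLAIR.CONTENTTYPE"
CT_JSON = "application/json"
CT_B64GZIP = "application/base64gzip"

# SNS rejects messages larger than 256 KiB.  The sender's real threshold is
# not documented, so this value is an assumption of the example.
GZIP_THRESHOLD = 256 * 1024


def layers_from_manifest(manifest, registry, repository):
    """Return (name, blob_url) pairs, base layer first, from a Docker image
    manifest (schema 2 lists layers base-first).  Blob URLs follow the
    registry v2 API: https://<registry>/v2/<repository>/blobs/<digest>.
    Using the sha256 hex digest as Clair's layer name is this example's choice."""
    if manifest.get("schemaVersion") != 2:
        raise ValueError("only schema 2 manifests are handled here")
    layers = []
    for entry in manifest["layers"]:
        digest = entry["digest"]
        algo, _, hexdigest = digest.partition(":")
        if algo != "sha256" or len(hexdigest) != 64:
            raise ValueError(f"unexpected layer digest {digest!r}")
        layers.append((hexdigest, f"https://{registry}/v2/{repository}/blobs/{digest}"))
    return layers


def build_layer_push(layers, headers=None):
    """Build the batched receiver message: a JSON list whose entries have the
    structure of a POST /v1/layers body.  ParentName is chained so Clair can
    index the layers in order; Headers (e.g. a registry bearer token) are
    passed through so Clair can fetch each blob at Path."""
    batch, parent = [], None
    for name, path in layers:
        layer = {"Name": name, "Path": path, "Format": "Docker"}
        if headers:
            layer["Headers"] = dict(headers)
        if parent is not None:
            layer["ParentName"] = parent
        batch.append({"Layer": layer})
        parent = name
    return batch


def encode_layer_push(batch):
    """Serialise the batch as the body of a single SQS message."""
    return json.dumps(batch, separators=(",", ":"))


def encode_notification(report, threshold=GZIP_THRESHOLD):
    """Sender side, reconstructed here only to produce test input: plain JSON
    when it fits, otherwise gzip + base64 with the matching content type."""
    raw = json.dumps(report)
    if len(raw) <= threshold:
        return CT_JSON, raw
    packed = base64.b64encode(gzip.compress(raw.encode("utf-8"))).decode("ascii")
    return CT_B64GZIP, packed


def decode_notification(content_type, body):
    """Decode a notification body according to its CLAIR.CONTENTTYPE attribute
    and return the parsed report (same shape as GET /v1/layers/:name).
    Unknown content types are rejected rather than guessed."""
    if content_type == CT_JSON:
        raw = body
    elif content_type == CT_B64GZIP:
        raw = gzip.decompress(base64.b64decode(body, validate=True)).decode("utf-8")
    else:
        raise ValueError(f"unsupported {CONTENT_TYPE_ATTR}: {content_type!r}")
    return json.loads(raw)


def vulnerable_features(report):
    """(feature, version, vulnerability, severity) rows from a report whose
    Layer carries Features with Vulnerabilities; empty if it carries none."""
    rows = []
    for feature in report.get("Layer", {}).get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            rows.append((feature["Name"], feature.get("Version", ""),
                         vuln["Name"], vuln.get("Severity", "Unknown")))
    return rows


if __name__ == "__main__":
    # Constructed two-layer manifest standing in for a real GET /v2/<repo>/manifests/<tag>.
    manifest = {"schemaVersion": 2, "layers": [
        {"digest": "sha256:" + "a" * 64, "size": 1},
        {"digest": "sha256:" + "b" * 64, "size": 1},
    ]}
    layers = layers_from_manifest(manifest, "registry.opensource.zalan.do", "stups/ubuntu")
    print(encode_layer_push(build_layer_push(layers, {"Authorization": "Bearer <token>"})))
```

Whatever you put into Headers (typically a registry bearer token so Clair can fetch the blobs) travels inside the SQS message, so access to the receiver queue should be limited to the producers and to clair-sqs itself, just as the raw Clair port is kept away from users.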

License

The MIT License (MIT) Copyright © 2016 Zalando SE, https://tech.zalando.com

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.