4.2. Add Clair image scanning to Red Hat Quay

Setting up and deploying Clair image scanning for your Red Hat Quay deployment requires the following basic steps:

  • Setting up a database for Clair
  • Creating authentication keys for Clair
  • Deploying Clair

The following procedure assumes you already have a running Red Hat Quay cluster on an OpenShift platform and the Red Hat Quay Setup UI open in your browser:

  1. Create the Clair database: This example configures a PostgreSQL database for the Clair image scanner. With the YAML files in the current directory, review them for values you need to change (in particular the database name, user and password, which must later match the database source in clair-config.yaml), then run the following:

    $ oc create -f postgres-clair-storage.yaml
    $ oc create -f postgres-clair-deployment.yaml
    $ oc create -f postgres-clair-service.yaml
  2. Check Clair database objects: To view the Clair database objects, type:

    $ oc get all | grep -i clair
    pod/postgres-clair-xxxxxxxxx-xxxx 1/1      Running       0                     3m45s
    deployment.apps/postgres-clair    1/1      1             1                     3m45s
    service/postgres-clair            NodePort 172.30.193.64 <none> 5432:30680/TCP 159m
    replicaset.apps/postgres-clair-xx 1        1             1                     3m45s

    The output shows that the postgres-clair pod is running, the postgres-clair deployment succeeded, the postgres-clair service exposes port 5432 at the cluster IP shown (here also as NodePort 30680), and one replica set of postgres-clair is active.

  3. Open the Red Hat Quay Setup UI: Reload the Red Hat Quay Setup UI and select "Modify configuration for this cluster."
  4. Enable Security Scanning: Scroll to the Security Scanner section and select the "Enable Security Scanning" checkbox. From the fields that appear you need to create an authentication key and enter the security scanner endpoint. Here’s how:

    • Generate key: Click "Create Key" and then type a name for the Clair private key and an optional expiration date (if blank, the key never expires). Then select Generate Key.
    • Copy the Clair key and PEM file: Save the Key ID (to a notepad or similar) and download a copy of the Private Key PEM file (named security_scanner.pem) by selecting "Download Private Key" (if you lose this key, you will need to generate a new one).
  5. Modify clair-config.yaml: Return to the shell and the directory holding your yaml files. Edit the clair-config.yaml file and modify the following values:

    • database.options.source: Make sure the host, port, dbname, user, password, and sslmode match the values you set when you created the PostgreSQL database for Clair.
    • key_id: Search for KEY_ID_HERE in this file and replace it with the Key ID you saved from the Red Hat Quay Setup screen in the Security Scanner section (not the contents of the security_scanner.pem file, which is referenced separately below).
    • private_key_path: The full path at which the Clair container will find security_scanner.pem. The next step packs the file into the config secret under the key security_scanner.pem, so the filename must match, and the directory must be the one where clair-deployment.yaml mounts that secret.
  6. Create the Clair config secret and service: Run the following commands, substituting the local paths to your clair-config.yaml and security_scanner.pem files. Note that the secret holds the Clair private key, so restrict access to the namespace accordingly.

    $ oc create secret generic clair-scanner-config-secret \
       --from-file=config.yaml=/path/to/clair-config.yaml \
       --from-file=security_scanner.pem=/path/to/security_scanner.pem
    $ oc create -f clair-service.yaml
    $ oc create -f clair-deployment.yaml
  7. Get the clair-service endpoint: In this example, the endpoint of clair-service would be http://172.30.133.227:6060:

    $ oc get service clair-service
    NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
    clair-service   ClusterIP   172.30.133.227   <none>        6060/TCP,6061/TCP   76s
  8. Enter Security Scanner Endpoint: Return to the Red Hat Quay Setup screen and fill in the clair-service endpoint. For example, http://clair-service:6060. The service name resolves inside the cluster and survives a redeploy of the service, whereas the cluster IP shown above may change.
  9. Deploy configuration: Select to save the configuration, then deploy it when prompted.

A green check mark will appear on the screen when the deployment is done. You can now start using Clair image scanning with Red Hat Quay. For information on the data sources available with the Clair image scanner, see Using Clair data sources.
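Steps 5 and 6 are where a Clair deployment most often goes wrong: the KEY_ID_HERE placeholder is left in place, the PEM path does not match where the secret is mounted, or the database source does not match the database that was created. The script below is an added example for this page, not code from the Red Hat Quay documentation or the Clair project: it renders the three values into a config template and then checks the result before you run oc create secret. The template, the Key ID, the database source and the PEM file it uses are constructed placeholders; your real clair-config.yaml has more keys than the stand-in shown here.

```shell
#!/bin/sh
# Added example for steps 5-6 of this page: render the three values that
# clair-config.yaml needs, then sanity-check the result before packing it
# into clair-scanner-config-secret. Not part of the Red Hat Quay docs or
# the Clair project. The template, Key ID, DSN and PEM used in demo() are
# constructed placeholders.

# render_clair_config TEMPLATE OUT KEY_ID PEM_PATH DSN
# Fills in key_id, private_key_path and database.options.source.
# '|' is the sed delimiter because PEM_PATH contains '/'; a DSN password
# containing '|', '&' or '\' would still need escaping.
render_clair_config() {
    sed -e "s|KEY_ID_HERE|$3|" \
        -e "s|^\([[:space:]]*private_key_path:\).*|\1 $4|" \
        -e "s|^\([[:space:]]*source:\).*|\1 $5|" "$1" > "$2"
}

# check_clair_config CONFIG LOCAL_PEM
# Returns 0 when CONFIG is ready for 'oc create secret', 1 otherwise, with
# the reason on stderr. LOCAL_PEM is the downloaded security_scanner.pem;
# the path written in CONFIG is where the secret is mounted inside the
# Clair pod, so only its basename (the --from-file key) is checked here.
check_clair_config() {
    cfg=$1; local_pem=$2
    if grep -q 'KEY_ID_HERE' "$cfg"; then
        echo "key_id is still the KEY_ID_HERE placeholder" >&2; return 1
    fi
    kid=$(sed -n 's/^[[:space:]]*key_id:[[:space:]]*//p' "$cfg")
    if [ -z "$kid" ]; then
        echo "key_id is empty" >&2; return 1
    fi
    pod_pem=$(sed -n 's/^[[:space:]]*private_key_path:[[:space:]]*//p' "$cfg")
    case "$pod_pem" in
        /*/security_scanner.pem) ;;   # absolute, and named like the secret key
        *) echo "private_key_path '$pod_pem' must be absolute and end in security_scanner.pem" >&2; return 1 ;;
    esac
    if ! grep -q 'BEGIN .*PRIVATE KEY' "$local_pem"; then
        echo "$local_pem does not look like a PEM private key" >&2; return 1
    fi
    if ! grep -q '^[[:space:]]*source: .*sslmode=' "$cfg"; then
        echo "database.options.source has no sslmode=" >&2; return 1
    fi
    return 0
}

# demo: runs the whole flow against constructed inputs in a temp dir and
# exports DEMO_DIR, DEMO_TMPL, DEMO_CFG and DEMO_PEM for inspection.
demo() {
    DEMO_DIR=$(mktemp -d)
    DEMO_TMPL=$DEMO_DIR/clair-config.yaml.in
    DEMO_CFG=$DEMO_DIR/clair-config.yaml
    DEMO_PEM=$DEMO_DIR/security_scanner.pem
    # Minimal constructed stand-in for the shipped clair-config.yaml.
    cat > "$DEMO_TMPL" <<'EOF'
clair:
  database:
    type: pgsql
    options:
      source: host=CHANGEME port=5432 dbname=clair user=postgres password=CHANGEME sslmode=disable
jwtproxy:
  signer_proxy:
    signer:
      private_key:
        type: preshared
        options:
          key_id: KEY_ID_HERE
          private_key_path: /clair/config/security_scanner.pem
EOF
    # Dummy PEM body standing in for the file downloaded in step 4 (not a real key).
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEdummy' \
        '-----END RSA PRIVATE KEY-----' > "$DEMO_PEM"
    render_clair_config "$DEMO_TMPL" "$DEMO_CFG" \
        "d9f1c4a2e0b3" \
        "/clair/config/security_scanner.pem" \
        "host=postgres-clair port=5432 dbname=clair user=postgres password=postgres sslmode=disable"
    check_clair_config "$DEMO_CFG" "$DEMO_PEM"
}

demo && echo "clair-config.yaml ready: $DEMO_CFG"
```

Once check_clair_config returns 0 for your real files, run the oc create secret command from step 6 with the rendered config and the PEM; if it returns 1, the message on stderr names the field to fix before the secret is created, which is cheaper than debugging a Clair pod that cannot sign its requests to Red Hat Quay.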