Clair has been removed as the default vulnerability scanner in Harbor v2.2. It’s highly recommended that you configure Trivy as your default scanner instead. If you want to continue using Clair in v2.2 and later, you must configure it as an external scanner.
If Harbor is installed in an environment without an internet connection, Clair cannot fetch data from the public vulnerability database. In this case, the Harbor administrator must update the Clair database manually.
Preparation
You have an instance of Clair that has an internet connection. If you have another instance of Harbor that has internet access, this also works.
Check whether your Clair instance has already updated its vulnerability database to the latest version.
- Use
docker ps
to find out the container ID of the Clair service. - Run
docker logs <container_id>
to check the log of the Clair container. If you are using Harbor you can find the latest Clair logs under/var/log/harbor/2017-xx-xx/clair.log
. - Look for logs that look like the following:
Jul 3 20:40:45 172.18.0.1 clair[3516]: {"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 03:40:45.890364","updater name":"rhel"}
Jul 3 20:40:46 172.18.0.1 clair[3516]: {"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 03:40:46.768924","updater name":"alpine"}
Jul 3 20:40:47 172.18.0.1 clair[3516]: {"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 03:40:47.190982","updater name":"oracle"}
Jul 3 20:41:07 172.18.0.1 clair[3516]: {"Event":"Debian buster is not mapped to any version number (eg. Jessie-\u003e8). Please update me.","Level":"warning","Location":"debian.go:128","Time":"2017-07-04 03:41:07.833720"}
Jul 3 20:41:07 172.18.0.1 clair[3516]: {"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 03:41:07.833975","updater name":"debian"}
Jul 4 00:26:17 172.18.0.1 clair[3516]: {"Event":"finished fetching","Level":"info","Location":"updater.go:227","Time":"2017-07-04 07:26:17.596986","updater name":"ubuntu"}
Jul 4 00:26:18 172.18.0.1 clair[3516]: {"Event":"adding metadata to vulnerabilities","Level":"info","Location":"updater.go:253","Time":"2017-07-04 07:26:18.060810"}
Jul 4 00:38:05 172.18.0.1 clair[3516]: {"Event":"update finished","Level":"info","Location":"updater.go:198","Time":"2017-07-04 07:38:05.251580"}
- Use
The phrase finished fetching
indicates that Clair has finished a round of vulnerability updates from an endpoint. Make sure all of the rhel
, alpine
, oracle
, debian
, and ubuntu
endpoints are updated correctly. If they have not, wait for Clair to get the data.
Dump Vulnerability Data
Log in to the host, that is connected to Internet, on which the Postgres Clair database is running.
Dump Clair’s vulnerability database by running the following commands.
The container name
clair-db
is a placeholder for the database container used by the internet-connected instance of Clair.$ docker exec clair-db /bin/sh -c "pg_dump -U postgres -a -t feature -t keyvalue -t namespace -t schema_migrations -t vulnerability -t vulnerability_fixedin_feature" > vulnerability.sql
$ docker exec clair-db /bin/sh -c "pg_dump -U postgres -c -s" > clear.sql
The files vulnerability.sql
and clear.sql
are generated.
Back Up the Harbor Clair Database
Before importing the data, it is strongly recommended to back up the Clair database in Harbor.
docker exec harbor-db /bin/sh -c "pg_dump -U postgres -c" > all.sql
Update the Harbor Clair Database
Copy the
vulnerability.sql
andclear.sql
files to the host on which Harbor is running.Run the following commands to import the data to the Harbor Clair database:
docker exec -i harbor-db psql -U postgres < clear.sql
docker exec -i harbor-db psql -U postgres < vulnerability.sql
Rescan the Images
After importing the data, trigger the scanning process in the Harbor interface. For information about running a scan, see Scan All Artifacts.