Updated docker-compose files by adding clair

Besides adding Clair and PostgreSQL where needed, I also added some further debug messages that were useful when working on a containerized environment. Signed-off-by: Miquel Sabaté Solà <[email protected]>
SUSE · Dec 4, 2017 · fdf1c75 · fdf1c75
1 parent e0f7d53
commit fdf1c75
Show file tree

Hide file tree

Showing 6 changed files with 160 additions and 0 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -8,14 +8,20 @@ services:
     environment:
       - PORTUS_MACHINE_FQDN_VALUE=${MACHINE_FQDN}
       - PORTUS_PUMA_HOST=0.0.0.0:3000
+      - PORTUS_SECURITY_CLAIR_SERVER=http://clair:6060
 
       - PORTUS_DB_HOST=db
       - PORTUS_DB_PASSWORD=portus
       - PORTUS_DB_POOL=5
 
+      # Theoretically not needed, but cconfig's been buggy on this...
+      - CCONFIG_PREFIX=PORTUS
+
       - RAILS_SERVE_STATIC_FILES=true
     ports:
       - 3000:3000
+    depends_on:
+      - db
     links:
       - db
     volumes:
@@ -26,8 +32,33 @@ services:
     command: ./bin/crono
     depends_on:
       - portus
+      - db
+    environment:
+      - PORTUS_MACHINE_FQDN_VALUE=${MACHINE_FQDN}
+
+      # Theoretically not needed, but cconfig's been buggy on this...
+      - CCONFIG_PREFIX=PORTUS
+
+      - PORTUS_DB_HOST=db
+      - PORTUS_DB_PASSWORD=portus
+      - PORTUS_DB_POOL=5
+    volumes:
+      - .:/srv/Portus
+    links:
+      - db
+
+  background:
+    image: opensuse/portus:development
+    entrypoint: bundle exec rails runner /srv/Portus/bin/background.rb
+    depends_on:
+      - portus
+      - db
     environment:
       - PORTUS_MACHINE_FQDN_VALUE=${MACHINE_FQDN}
+      - PORTUS_SECURITY_CLAIR_SERVER=http://clair:6060
+
+      # Theoretically not needed, but cconfig's been buggy on this...
+      - CCONFIG_PREFIX=PORTUS
 
       - PORTUS_DB_HOST=db
       - PORTUS_DB_PASSWORD=portus
@@ -44,11 +75,29 @@ services:
     volumes:
       - .:/srv/Portus
 
+  clair:
+    image: quay.io/coreos/clair:v2.0.1
+    depends_on:
+      - postgres
+    links:
+      - postgres
+    ports:
+      - "6060-6061:6060-6061"
+    volumes:
+      - /tmp:/tmp
+      - ./examples/development/compose/clair.yml:/clair.yml
+    command: [-config, /clair.yml]
+
   db:
     image: library/mariadb:10.0.23
     environment:
       MYSQL_ROOT_PASSWORD: portus
 
+  postgres:
+    image: library/postgres:10-alpine
+    environment:
+      POSTGRES_PASSWORD: portus
+
   registry:
     image: library/registry:2.3.1
     environment:

diff --git a/examples/compose/docker-compose.insecure.yml b/examples/compose/docker-compose.insecure.yml
@@ -4,6 +4,8 @@ services:
   portus:
     image: opensuse/portus:head
     environment:
+      # Theoretically not needed, but cconfig's been buggy on this...
+      - CCONFIG_PREFIX=PORTUS
       - PORTUS_MACHINE_FQDN_VALUE=${MACHINE_FQDN}
 
       # DB. The password for the database should definitely not be here. You are
@@ -34,6 +36,8 @@ services:
   crono:
     image: opensuse/portus:head
     environment:
+      # Theoretically not needed, but cconfig's been buggy on this...
+      - CCONFIG_PREFIX=PORTUS
       - PORTUS_MACHINE_FQDN_VALUE=${MACHINE_FQDN}
 
       # DB. The password for the database should definitely not be here. You are

diff --git a/examples/compose/docker-compose.yml b/examples/compose/docker-compose.yml
@@ -4,6 +4,8 @@ services:
   portus:
     image: opensuse/portus:head
     environment:
+      # Theoretically not needed, but cconfig's been buggy on this...
+      - CCONFIG_PREFIX=PORTUS
       - PORTUS_MACHINE_FQDN_VALUE=${MACHINE_FQDN}
 
       # DB. The password for the database should definitely not be here. You are
@@ -36,6 +38,8 @@ services:
   crono:
     image: opensuse/portus:head
     environment:
+      # Theoretically not needed, but cconfig's been buggy on this...
+      - CCONFIG_PREFIX=PORTUS
       - PORTUS_MACHINE_FQDN_VALUE=${MACHINE_FQDN}
 
       # DB. The password for the database should definitely not be here. You are

diff --git a/examples/development/compose/clair.yml b/examples/development/compose/clair.yml
@@ -0,0 +1,99 @@
+# Copyright 2015 clair authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# The values specified here are the default values that Clair uses if no configuration file is specified or if the keys are not defined.
+clair:
+  database:
+    # Database driver
+    type: pgsql
+    options:
+      # PostgreSQL Connection string
+      # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING
+      source: host=postgres port=5432 user=postgres password=portus sslmode=disable statement_timeout=60000
+
+      # Number of elements kept in the cache
+      # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
+      cachesize: 16384
+
+      # 32-bit URL-safe base64 key used to encrypt pagination tokens
+      # If one is not provided, it will be generated.
+      # Multiple clair instances in the same cluster need the same value.
+      paginationkey:
+
+  api:
+    # v3 grpc/RESTful API server address
+    addr: "0.0.0.0:6060"
+
+    # Health server address
+    # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server.
+    healthaddr: "0.0.0.0:6061"
+
+    # Deadline before an API request will respond with a 503
+    timeout: 900s
+
+    # Optional PKI configuration
+    # If you want to easily generate client certificates and CAs, try the following projects:
+    # https://github.com/coreos/etcd-ca
+    # https://github.com/cloudflare/cfssl
+    servername:
+    cafile:
+    keyfile:
+    certfile:
+
+  worker:
+    namespace_detectors:
+      - os-release
+      - lsb-release
+      - apt-sources
+      - alpine-release
+      - redhat-release
+
+    feature_listers:
+      - apk
+      - dpkg
+      - rpm
+
+  updater:
+    # Frequency the database will be updated with vulnerabilities from the default data sources
+    # The value 0 disables the updater entirely.
+    interval: 2h
+    enabledupdaters:
+      - debian
+      - ubuntu
+      - rhel
+      - oracle
+      - alpine
+
+  notifier:
+    # Number of attempts before the notification is marked as failed to be sent
+    attempts: 3
+
+    # Duration before a failed notification is retried
+    renotifyinterval: 2h
+
+    http:
+      # Optional endpoint that will receive notifications via POST requests
+      endpoint:
+
+      # Optional PKI configuration
+      # If you want to easily generate client certificates and CAs, try the following projects:
+      # https://github.com/cloudflare/cfssl
+      # https://github.com/coreos/etcd-ca
+      servername:
+      cafile:
+      keyfile:
+      certfile:
+
+      # Optional HTTP Proxy: must be a valid URL (including the scheme).
+      proxy:
diff --git a/examples/development/postgresql/docker-compose.yml b/examples/development/postgresql/docker-compose.yml
@@ -6,6 +6,8 @@ services:
     image: opensuse/portus:development
     command: bash /srv/Portus/examples/development/compose/init
     environment:
+      # Theoretically not needed, but cconfig's been buggy on this...
+      - CCONFIG_PREFIX=PORTUS
       - PORTUS_MACHINE_FQDN_VALUE=${MACHINE_FQDN}
       - PORTUS_PUMA_HOST=0.0.0.0:3000
 

diff --git a/lib/portus/security_backends/clair.rb b/lib/portus/security_backends/clair.rb
@@ -76,6 +76,7 @@ def fetch_layer(digest)
         # Parse the given response and return the result.
         if res.code.to_i == 200
           msg = JSON.parse(res.body)
+          Rails.logger.tagged("clair.get") { Rails.logger.debug msg }
           msg["Layer"]
         else
           handle_response(res, digest, "clair.get")
@@ -126,6 +127,7 @@ def layer_body(digest, parent)
       # finally `kind` is a string that identifies the kind of request.
       def handle_response(response, digest, kind)
         code = response.code.to_i
+        Rails.logger.tagged(kind) { Rails.logger.debug "Handling code: #{code}" }
         return if code == 200 || code == 201
 
         msg = code == 404 ? response.body : error_message(JSON.parse(response.body))