CD2H gitForager

zalando-stups/clair-sqs

Name: clair-sqs

Owner: STUPS by Zalando

Description: CoreOS' Clair packaged for use with AWS SQS and SNS

Created: 2016-05-12 08:21:27.0

Updated: 2018-01-16 16:15:28.0

Pushed: 2017-03-03 20:08:25.0

Homepage:

Size: 25666

Language: Go

GitHub Committers

User	Most Recent Commit	# Commits

Other Committers

User	Email	Most Recent Commit	# Commits

README

Clair w/ SQS

CoreOS' Clair is a tool to check your rkt and Docker images for security vulnerabilities. This repository contains a special distribution of Clair that uses SQS to trigger the analysis of your container images and only provides protected read access to Clair's API.

Concept

The clair-sqs container takes “layer pushes” via SQS and provides notifications via SNS (which can then again forward the notification to an SQS queue if you like). For that, two sidecars are deployed next to Clair:

receiver
The receiver listens on an SQS queue and forwards messages to POST /v1/layers in Clair.
sender
The sender receives notifications from Clair via a local webhook, fetches the notification details and sends those details to an SNS topic.

In addition, skipper is added as a sidecar to provide read-only access to Clair's API. This allows you to provide all detailed information to your users without exposing the capability to insert fake layers.

Architecture Visualization

Usage

As soon as you have clair-sqs running, you can push layers to clair and receive reports about your layers. The message format is exactly as described in Clair's documentation for the /v1/layers semantic:

To push layers, send a JSON message to SQS with the same structure as you would send to POST /v1/layers. You can also batch layers by sending the same JSON wrapped into a JSON list as a message. This also helps with ordering of the layers so that indexing is faster.
Each time, a layer was analysed or vulnerabilities might have changed, you will get an SNS notification with a JSON message that is the same as GET /v1/layers/:name. The message will be either of type CLAIR.CONTENTTYPE = (string) "application/json" for raw JSON messages or CLAIR.CONTENTTYPE = (string) "application/base64gzip" for gzipped, base64ed messages that would otherwise be too big.

Configuration

This Docker container is configured via environment variables that are the following:

CLAIR_DATABASE_SOURCE
The database source definition. For PostgreSQL as described here: http://www.postgresql.org/docs/9.4/static/libpq-connect.html.
CLAIR_API_PAGINATIONKEY
32-bit URL-safe base64 key used to encrypt pagination tokens. If one is not provided, it will be generated. Multiple clair instances in the same cluster need the same value.
RECEIVER_QUEUE_URL
The URL of the SQS queue you want to read “layer push” messages from.
RECEIVER_QUEUE_REGION
The region of your SQS queue. (for feedback on new layers)
RECEIVER_TOPIC_ARN
The ARN of the SNS topic you want to receive notifications on.
RECEIVER_TOPIC_REGION
The region of your SNS topic.
SENDER_TOPIC_ARN
The ARN of the SNS topic you want to receive notifications on. (for feedback on new CVEs)
SENDER_TOPIC_REGION
The region of your SNS topic.

Building

docker build -t clair-sqs .

Running locally

Run a local PostgreSQL database:

docker run -d --name postgres postgres:9.4

Figure out the linked IP of PostgreSQL:

docker run --link postgres ubuntu env | grep POSTGRES_PORT_5432_TCP_ADDR

Run clair-sqs:

docker run -it --link postgres \
    -p 8080:8080 \
    -p 6060:6060 \
    -v $HOME/.aws:/root/.aws \
    -e CLAIR_DATABASE_SOURCE=postgres://172.17.0.2:5432/postgres\?user=postgres\\\&sslmode=disable \
    -e RECEIVER_QUEUE_URL=https://sqs.eu-central-1.amazonaws.com/1234567890/clair-layers \
    -e RECEIVER_QUEUE_REGION=eu-central-1 \
    -e RECEIVER_TOPIC_ARN=arn:aws:sns:eu-central-1:1234567890:clair-notifications \
    -e RECEIVER_TOPIC_REGION=eu-central-1 \
    -e SENDER_TOPIC_ARN=arn:aws:sns:eu-central-1:1234567890:clair-notifications \
    -e SENDER_TOPIC_REGION=eu-central-1 \
    clair-sqs

Port 8080 provides readonly access to the Clair API and port 6060 provides raw Clair API access. For production usage, you want to also specify the CLAIR_API_PAGINATIONKEY configuration.

Now you can index a Docker image by extracting the layers and pushing the information to SQS:

tools/index-image.sh \
    https://sqs.eu-central-1.amazonaws.com/1234567890/clair-layers eu-central-1 \
    registry.opensource.zalan.do \
    stups ubuntu 15.10-16

License

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the ?Software?), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED ?AS IS?, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.