security - Anchore Engine - Jenkins CI plugin

Tags: security docker jenkins jenkins-plugins docker-image

We are trying to scan our docker images using the Anchore Engine Jenkins plugin.

Currently we build our application docker image, push it to our own private local registry, and then deploy it to our test environment.

Now we want to set up docker image scanning in the CI/CD process to check for vulnerabilities.

We installed Anchore Engine using the Docker-Compose yaml method recommended in the documentation link:
https://anchore.freshdesk.com/support/solutions/articles/36000020729-install-on-docker-swarm

After that, we installed the Anchore Container Image Scanner plugin in Jenkins.

We configured the plugin as described in the documentation link:
https://wiki.jenkins.io/display/JENKINS/Anchore+Container+Image+Scanner+Plugin

However, the scan fails. The error message is as follows:

2018-10-11T07:01:44.647 INFO   AnchoreWorker   Analysis request accepted, received image digest sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8
2018-10-11T07:01:44.647 INFO   AnchoreWorker   Waiting for analysis of 10.180.25.2:5000/hello-world:latest, polling status periodically
2018-10-11T07:01:44.647 DEBUG  AnchoreWorker   anchore-engine get policy evaluation URL: http://10.180.25.2:8228/v1/images/sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8/check?tag=10.180.25.2:5000/hello-world:latest&detail=true
2018-10-11T07:01:44.648 DEBUG  AnchoreWorker   Attempting anchore-engine get policy evaluation (1/300)
2018-10-11T07:01:44.675 DEBUG  AnchoreWorker   anchore-engine get policy evaluation failed. URL: http://10.180.25.2:8228/v1/images/sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8/check?tag=10.180.25.2:5000/hello-world:latest&detail=true, status: HTTP/1.1 404 NOT FOUND, error: {
  "detail": {}, 
  "httpcode": 404, 
  "message": "image is not analyzed - analysis_status: not_analyzed"
}

Note:
In the image tag 10.180.25.2:5000/hello-world:latest, 10.180.25.2:5000 is our local private registry and hello-world:latest is the latest hello-world image available on Docker Hub, which we pulled and pushed into our registry in order to try image scanning with Anchore-Engine.

Unfortunately, we could not find many resources online for troubleshooting the above problem.

If anyone has worked with Anchore-Engine, I request you to please look into this and help us resolve the issue.

Also, in case we are missing anything, we would greatly appreciate any suggestions, alternatives or detailed steps for Anchore Engine.

The end of the output is as follows:
2018-10-15T00:48:43.880 WARN AnchoreWorker anchore-engine get policy evaluation failed. HTTP method: GET, URL: http://10.180.25.2:8228/v1/images/sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8/check?tag=10.180.25.2:5000/hello-world:latest&detail=true, status: 404, error: {
"detail": {},
"httpcode": 404,
"message": "image is not analyzed - analysis_status: not_analyzed"
}

2018-10-15T00:48:43.880 WARN AnchoreWorker Exhausted all attempts polling anchore-engine. Analysis is incomplete for sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8
2018-10-15T00:48:43.880 ERROR AnchorePlugin Failing Anchore Container Image Scanner Plugin step due to errors in plugin execution
hudson.AbortException: Timed out waiting for anchore-engine analysis to complete (increasing engineRetries might help). Check above logs for errors from anchore-engine
at com.anchore.jenkins.plugins.anchore.BuildWorker.runGatesEngine(BuildWorker.java:480)
at com.anchore.jenkins.plugins.anchore.BuildWorker.runGates(BuildWorker.java:343)
at com.anchore.jenkins.plugins.anchore.AnchoreBuilder.perform(AnchoreBuilder.java:338)
at hudson.tasks.BuildStepCompatibilityLayer.perform(BuildStepCompatibilityLayer.java:81)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
at hudson.model.Build$BuildExecution.build(Build.java:206)
at hudson.model.Build$BuildExecution.doRun(Build.java:163)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:504)
at hudson.model.Run.execute(Run.java:1724)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:97)
at hudson.model.Executor.run(Executor.java:421)

I also checked the status and found the following:
docker run anchore/engine-cli:latest anchore-cli --u admin --p admin123 --url http://172.18.0.1:8228/v1 system status
Service analyzer (dockerhostid-anchore-engine, http://anchore-engine:8084): up
Service catalog (dockerhostid-anchore-engine, http://anchore-engine:8082): up
Service policy_engine (dockerhostid-anchore-engine, http://anchore-engine:8087): down (unavailable)
Service simplequeue (dockerhostid-anchore-engine, http://anchore-engine:8083): up
Service apiext (dockerhostid-anchore-engine, http://anchore-engine:8228): up
Service kubernetes_webhook (dockerhostid-anchore-engine, http://anchore-engine:8338): up

Engine DB Version: 0.0.7
Engine Code Version: 0.2.4

It seems that the policy_engine service is down:

Service policy_engine (dockerhostid-anchore-engine, http://anchore-engine:8087): down (unavailable)

I also checked the docker logs and found the following error:
[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [DEBUG] service (policy_engine) starting in: 4
[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [INFO] Registration complete.
[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [INFO] Checking feeds client credentials
[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [DEBUG] Initializing a feeds client
[service:policy_engine] 2018-10-15 09:37:47+0000 [-] [bootstrap] [DEBUG] init values: [None, None, None, (), None, None]
[service:policy_engine] 2018-10-15 09:37:47+0000 [-] [bootstrap] [DEBUG] using values: ['https://ancho.re/v1/service/feeds', 'https://ancho.re/oauth/token', 'https://ancho.re/v1/account/users', 'anon@ancho.re', 3, 60]
[service:policy_engine] 2018-10-15 09:37:47+0000 [-] [urllib3.connectionpool] [DEBUG] Starting new HTTPS connection (1): ancho.re
[service:policy_engine] 2018-10-15 09:37:50+0000 [-] [bootstrap] [ERROR] Preflight checks failed with error: HTTPSConnectionPool(host='ancho.re', port=443): Max retries exceeded with url: /v1/account/users/anon@ancho.re (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7ffa905f0b90>: Failed to establish a new connection: [Errno 113] No route to host',)). Aborting service startup
Traceback (most recent call last):
 File "/usr/lib/python2.7/site-packages/anchore_manager/cli/service.py", line 158, in startup_service
   raise Exception("process exited: " + str(rc))
Exception: process exited: 1
[anchore-policy-engine] [anchore_manager.cli.service/startup_service()] [INFO] service process exited at (Mon Oct 15 09:37:50 2018): process exited: 1
[anchore-policy-engine] [anchore_manager.cli.service/startup_service()] [INFO] exiting service thread

Thanks and regards,

Rohan Shetty

Best answer

When images are added to the Anchore engine they are queued for analysis, which moves them through a simple state machine that starts at "not_analyzed", goes to "analyzing", and finally ends at "analyzed" or "analysis_failed". Policy evaluation is only possible once an image has reached "analyzed".

The anchore Jenkins plugin adds an image and then polls the engine for the image status/evaluation for the configured number of attempts (default 300). Once the image enters the "analyzed" state (at which point policy evaluation is possible), the plugin receives the policy evaluation result from the engine.

If the maximum number of retries has been performed and the image has not reached "analyzed", the plugin fails the build (by default); it also does so if the image does reach "analyzed" but the policy evaluation produces a "fail" result (meaning the image did not pass the policy checks you configured). Note that all of the build-failure behaviors can be controlled in the plugin (i.e. there are options to let the plugin succeed even if analysis or image evaluation fails).

You will need to look at the end of the build run's output (not just the beginning shown in the post); combined with the information above, it should be clear which of these cases caused the plugin to fail the build.
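To make the two failure causes from the answer concrete, here is an added example (not code from the Anchore Jenkins plugin or from Anchore Engine) that models the analysis state machine and the plugin's polling loop. FakeEngine is a constructed stand-in so the script runs offline; the endpoints it imitates are named after the URLs in the build log above, the 200 response body of the policy check is a simplified assumption rather than the real API format, and the option names in should_fail_build are assumptions, not the plugin's real settings.

```python
"""Model of the Anchore Engine analysis state machine and a plugin-style poller.

Added example; FakeEngine, the simplified 200 response body and the override
option names are assumptions, not Anchore's own code or API.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple

# Analysis states named in the answer.
NOT_ANALYZED = "not_analyzed"
ANALYZING = "analyzing"
ANALYZED = "analyzed"
ANALYSIS_FAILED = "analysis_failed"


class FakeEngine:
    """Constructed stand-in for anchore-engine's image queue.

    stuck=True reproduces the situation in the question: the image never
    leaves 'not_analyzed', so every /check call answers 404.
    """

    def __init__(self, final_state: str = ANALYZED, stuck: bool = False,
                 policy_result: str = "pass") -> None:
        self.timeline: List[str] = ([NOT_ANALYZED] if stuck
                                    else [NOT_ANALYZED, ANALYZING, final_state])
        self.current = self.timeline[0]
        self.polls = 0
        self.policy_result = policy_result

    def image_status(self, digest: str) -> str:
        """Imitates GET /v1/images/{digest}: the image advances one step per poll."""
        self.current = self.timeline[min(self.polls, len(self.timeline) - 1)]
        self.polls += 1
        return self.current

    def policy_check(self, digest: str, tag: str) -> Tuple[int, Dict]:
        """Imitates GET /v1/images/{digest}/check?tag=...&detail=true.

        The 404 body mirrors the one in the build log; the 200 body is a
        simplified assumption.
        """
        if self.current != ANALYZED:
            return 404, {"detail": {}, "httpcode": 404,
                         "message": "image is not analyzed - analysis_status: " + self.current}
        return 200, {"tag": tag, "status": self.policy_result}


def poll_for_evaluation(engine: FakeEngine, digest: str, tag: str, max_retries: int = 300,
                        interval: float = 1.0,
                        sleep_fn: Callable[[float], None] = time.sleep) -> Dict:
    """The loop as the answer describes it: poll up to max_retries (the plugin's
    engineRetries, default 300) and request the policy evaluation only once the
    image is 'analyzed'. One addition over that description: 'analysis_failed'
    is terminal, so stop right away instead of burning the remaining retries.
    The polling interval is an assumption.
    """
    state: Optional[str] = None
    for attempt in range(1, max_retries + 1):
        state = engine.image_status(digest)
        if state == ANALYSIS_FAILED:
            return {"outcome": "analysis_failed", "attempts": attempt, "state": state}
        if state == ANALYZED:
            code, body = engine.policy_check(digest, tag)
            if code == 200:
                return {"outcome": "policy_" + body["status"], "attempts": attempt,
                        "state": state, "evaluation": body}
        sleep_fn(interval)
    return {"outcome": "timeout", "attempts": max_retries, "state": state}


def should_fail_build(result: Dict, fail_on_analysis_error: bool = True,
                      fail_on_policy_fail: bool = True) -> bool:
    """The two failure causes from the answer, each with an override flag
    standing in for the plugin's configurable behaviour (flag names assumed)."""
    if result["outcome"] in ("timeout", "analysis_failed"):
        return fail_on_analysis_error
    if result["outcome"] == "policy_fail":
        return fail_on_policy_fail
    return False


if __name__ == "__main__":
    digest = "sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8"
    tag = "10.180.25.2:5000/hello-world:latest"
    # Scenario from the question: analysis never starts and all retries are exhausted.
    stuck = poll_for_evaluation(FakeEngine(stuck=True), digest, tag,
                                max_retries=5, sleep_fn=lambda s: None)
    print(stuck, "-> fail build:", should_fail_build(stuck))
    # Healthy engine, but the image fails the configured policy.
    failed = poll_for_evaluation(FakeEngine(policy_result="fail"), digest, tag,
                                 sleep_fn=lambda s: None)
    print(failed, "-> fail build:", should_fail_build(failed))
```

Running the script shows the difference between the two outcomes: the stuck engine ends in "timeout" with the state still "not_analyzed" (the case in the question, where the policy_engine service never came up), whereas the policy failure only appears after the image has reached "analyzed". Which of the two happened is exactly what the tail of the build log tells you.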

Regarding security - Anchore Engine - Jenkins CI plugin, the original question on Stack Overflow: https://stackoverflow.com/questions/52772140/
