Installing Harbor v2.5.3 with docker-compose (+

Author: 橘子基因 | Published 2023-03-23 17:24, read 0 times

    Environment

    1. Pull trivy-db:2 with oras

    Because access to trivy-db from inside China frequently runs into network problems, we download trivy-db ahead of time with the oras tool and scan images against that offline copy.
    Install oras

    export VERSION="1.0.0" 
    curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
    mkdir -p oras-install/
    tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
    sudo mv oras-install/oras /usr/local/bin/
    rm -rf oras_${VERSION}_*.tar.gz oras-install/
    

    Check the oras version

    /home # oras version
    Version:        1.0.0
    Go version:     go1.20.2
    Git commit:     b58e7b910ca556973d111e9bd734a71baef03db2
    Git tree state: clean
    

    Pull trivy-db:2 with oras

    oran@trivy:~$ oras pull ghcr.io/aquasecurity/trivy-db:2
    Downloading 0d70da8057a9 db.tar.gz
    Downloaded  0d70da8057a9 db.tar.gz
    Pulled [registry] ghcr.io/aquasecurity/trivy-db:2
    Digest: sha256:e455efdcc885690b91a01ee58d5c449705c899203de35e1d9377a4f46a1c8674
    oran@trivy:~$ ls -lh db.tar.gz
    -rw-rw-r-- 1 oran oran 37M Mar 24 06:19 db.tar.gz
    
    

    2. Download Harbor

    Download the Harbor installer

    wget https://github.com/goharbor/harbor/releases/download/v2.5.3/harbor-online-installer-v2.5.3.tgz
    

    Extract it locally (the archive name must match the one downloaded above)

    tar -xzvf harbor-online-installer-v2.5.3.tgz
    

    Copy harbor.yml (the template is in the extracted harbor/ directory)

    cp harbor.yml.tmpl harbor.yml
    

    3. Edit the configuration file

    3.1 Create a private certificate

    # create ca.key
    oran@trivy:~$ openssl genrsa -out ca.key 4096
    # create ca.crt
    oran@trivy:~$ sudo openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=oran-registry.harbor.k8s.local" -key ca.key -out ca.crt
    # create server.key
    oran@trivy:~$ sudo openssl genrsa -out oran-registry.key 4096
    # create server.csr
    oran@trivy:~$ sudo openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=oran-registry.harbor.k8s.local" -key oran-registry.key -out oran-registry.csr
    # create the x509 v3 extension file (Docker matches the registry hostname against subjectAltName, so the SAN entries are required)
    oran@trivy:/home/certs$ cat v3.ext
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1=oran-registry.harbor.k8s.local
    DNS.2=oran-registry
    # sign the Harbor server certificate using v3.ext
    oran@trivy:~$ sudo openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in oran-registry.csr -out oran-registry.crt
    Certificate request self-signature ok
    subject=C = CN, ST = Beijing, L = Beijing, O = example, OU = Personal, CN = oran-registry.harbor.k8s.local
    

    Place the certificates in the directory Docker expects for this registry

    # create the directory
    oran@trivy:~$ sudo mkdir -p /etc/docker/certs.d/oran-registry.harbor.k8s.local
    # convert the crt file to a cert file
    oran@trivy:~$ openssl x509 -inform PEM -in oran-registry.crt -out oran-registry.cert
    # put the cert, key and CA certificate in that directory
    oran@trivy:~$ sudo cp oran-registry.cert oran-registry.key ca.crt /etc/docker/certs.d/oran-registry.harbor.k8s.local/
    

    Restart docker

    oran@trivy:~$ sudo systemctl restart docker
    

    3.2 Set the hostname

    The example used here is hostname: oran-registry.harbor.k8s.local; change it to your own hostname.

    # The IP address or hostname to access admin UI and registry service.
    # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
    hostname: oran-registry.harbor.k8s.local
    

    3.3 Set the certificate paths

    Change these to the paths of your certificate and key

    https:
      # https port for harbor, default is 443
      port: 443
      # The path of cert and key files for nginx
      certificate: /home/certs/oran-registry.crt
      private_key: /home/certs/oran-registry.key
    

    3.4 Change the passwords

    Change Harbor's admin password and the database password as needed

    harbor_admin_password: <Your Password>
    
    # Harbor DB configuration
    database:
      # The password for the root user of Harbor DB. Change this before any production use.
      password: <Your Password>
      # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
      max_idle_conns: 100
      # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
      # Note: the default number of connections is 1024 for postgres of harbor.
      max_open_conns: 900
    

    3.5 Configure Trivy for offline use

    A Trivy scan normally pulls trivy-db from the network, which is not reachable from inside China, so the offline trivy-db v2 is used instead. Set both skip_update and offline_scan to true.

    trivy:
      # ignoreUnfixed The flag to display only fixed vulnerabilities
      ignore_unfixed: false
      # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
      #
      # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
      # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
      # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
      skip_update: true
      #
      # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
      # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
      # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
      # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
      # It would work if all the dependencies are in local.
      # This option doesn’t affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
      offline_scan: true
      #
      # insecure The flag to skip verifying registry certificate
      insecure: false
    

    3.5.1 Copy trivy-db to the local host

    Create the db directory, place the downloaded db file in it, and fix the permissions

    mkdir -p /data/trivy-adapter/trivy/db/
    

    *Note: if Harbor was started earlier, stop its services first with docker-compose down; if Trivy was previously installed via install.sh --with-trivy, empty the contents of /data/trivy-adapter/trivy/db/ with rm -rf /data/trivy-adapter/trivy/db/*

    Extract db.tar.gz into that directory

    tar -xzvf db.tar.gz -C /data/trivy-adapter/trivy/db/
    

    Fix the trivy-db permissions (the scanner container runs as UID 10000)

    chown -R 10000:10000 /data/trivy-adapter/trivy/db/
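Because skip_update is true, Harbor's Trivy adapter will keep using whatever snapshot sits in /data/trivy-adapter/trivy/db/ indefinitely, so it is worth verifying the unpacked database before running install.sh. The script below is an added example and not part of the original article: check_trivy_db and json_field are names chosen here, the metadata.json it reads is the one shipped inside db.tar.gz (Version, NextUpdate, UpdatedAt and DownloadedAt fields), and it assumes GNU stat (stat -c). It confirms that trivy.db and metadata.json exist, that the directory and both files belong to the given UID (10000 in the article), and that NextUpdate has not already passed, since a snapshot past its NextUpdate is missing advisories published after its UpdatedAt.

```shell
#!/bin/sh
# Added example (not from the original article): validate the offline trivy-db
# placed under /data/trivy-adapter/trivy/db/ in step 3.5.1.

# json_field FILE KEY -> prints the string value of "KEY" (flat JSON like metadata.json)
json_field() {
    sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" "$1"
}

# check_trivy_db DIR EXPECTED_UID -> 0 if the DB is present, owned by EXPECTED_UID
# and not past its NextUpdate; prints a reason for every failed check.
check_trivy_db() {
    dir=$1; want_uid=$2; rc=0

    # db.tar.gz must have been extracted directly into DIR (tar -C DIR).
    for f in trivy.db metadata.json; do
        if [ ! -f "$dir/$f" ]; then
            echo "FAIL: $dir/$f missing (tar -xzf db.tar.gz -C $dir ?)"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # The trivy-adapter container runs as UID 10000 and must own the files;
    # GNU stat -c %u prints the numeric owner.
    for f in "$dir" "$dir/trivy.db" "$dir/metadata.json"; do
        uid=$(stat -c %u "$f")
        if [ "$uid" != "$want_uid" ]; then
            echo "FAIL: $f owned by uid $uid, expected $want_uid (chown -R $want_uid:$want_uid $dir)"; rc=1
        fi
    done

    # trivy-db is rebuilt frequently; NextUpdate marks when this snapshot stops
    # being current. With skip_update: true nothing will refresh it for us.
    # ISO-8601 UTC timestamps compare correctly as plain strings (first 19 chars).
    next=$(json_field "$dir/metadata.json" NextUpdate)
    now=$(date -u +%Y-%m-%dT%H:%M:%S)
    if [ -z "$next" ]; then
        echo "FAIL: NextUpdate not found in $dir/metadata.json"; rc=1
    elif LC_ALL=C expr "$(printf '%.19s' "$next")" \< "$now" >/dev/null; then
        echo "FAIL: trivy-db is stale: NextUpdate $next has passed (re-run oras pull)"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: trivy-db in $dir, last updated $(json_field "$dir/metadata.json" UpdatedAt)"
    return "$rc"
}

# usage: sh check-trivy-db.sh /data/trivy-adapter/trivy/db 10000
if [ $# -ge 1 ]; then
    check_trivy_db "$1" "${2:-10000}"
fi
```

A stale result is not an installation error, Harbor will still scan, but every scan will be against an old advisory set; re-running the oras pull, extracting and chowning again, then restarting the trivy-adapter container brings the database forward.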
    

    4. Install Harbor

    Install Harbor together with Trivy; add other install.sh parameters as needed

    bash install.sh --with-trivy
    

    Check Harbor: every container should be running and healthy

    5. Test

    5.1 docker login

    oran@trivy:~/harbor/harbor$ sudo docker login oran-registry.harbor.k8s.local
    Authenticating with existing credentials...
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credentials-store
    
    Login Succeeded
    

    5.2 Harbor web UI

    5.3 Pushing and pulling images

    docker push

    oran@trivy:~/harbor/harbor$ sudo docker push oran-registry.harbor.k8s.local/library/nginx:latest 
    The push refers to repository [oran-registry.harbor.k8s.local/library/nginx]
    a1bd4a5c5a79: Pushed 
    597a12cbab02: Pushed 
    8820623d95b7: Pushed 
    338a545766ba: Pushed 
    e65242c66bbe: Pushed 
    3af14c9a24c9: Pushed 
    latest: digest: sha256:557c9ede65655e5a70e4a32f1651638ea3bfb0802edd982810884602f700ba25 size: 1570
    

    docker pull

    oran@trivy:~/harbor/harbor$ sudo docker pull oran-registry.harbor.k8s.local/library/nginx:latest
    latest: Pulling from library/nginx
    f1f26f570256: Pull complete 
    84181e80d10e: Pull complete 
    1ff0f94a8007: Pull complete 
    d776269cad10: Pull complete 
    e9427fcfa864: Pull complete 
    d4ceccbfc269: Pull complete 
    Digest: sha256:557c9ede65655e5a70e4a32f1651638ea3bfb0802edd982810884602f700ba25
    Status: Downloaded newer image for oran-registry.harbor.k8s.local/library/nginx:latest
    oran-registry.harbor.k8s.local/library/nginx:latest
    

    5.4 Vulnerability scanning

    Click Scan

    The scan succeeds

    View the vulnerability details


    Original link: https://www.haomeiwen.com/subject/fxiirdtx.html