We are trying to scan our Docker images using the Anchore Engine Jenkins plugin.
Currently, we build the application Docker image, push it to our own private local registry, and then deploy it to our test environment.
Now we want to set up Docker image scanning in the CI/CD process to check for any vulnerabilities.
We installed Anchore Engine using the recommended Docker-Compose yaml method given in the documentation link: https://anchore.freshdesk.com/support/solutions/articles/36000020729-install-on-docker-swarm
After the installation, we installed the Anchore Container Image Scanner plugin in Jenkins.
We configured the plugin as described in the documentation link: https://wiki.jenkins.io/display/JENKINS/Anchore+Container+Image+Scanner+Plugin
However, the scan fails. The error message is as follows:
2018-10-11T07:01:44.647 INFO AnchoreWorker Analysis request accepted, received image digest sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8
2018-10-11T07:01:44.647 INFO AnchoreWorker Waiting for analysis of 10.180.25.2:5000/hello-world:latest, polling status periodically
2018-10-11T07:01:44.647 DEBUG AnchoreWorker anchore-engine get policy evaluation URL: http://10.180.25.2:8228/v1/images/sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8/check?tag=10.180.25.2:5000/hello-world:latest&detail=true
2018-10-11T07:01:44.648 DEBUG AnchoreWorker Attempting anchore-engine get policy evaluation (1/300)
2018-10-11T07:01:44.675 DEBUG AnchoreWorker anchore-engine get policy evaluation failed. URL: http://10.180.25.2:8228/v1/images/sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8/check?tag=10.180.25.2:5000/hello-world:latest&detail=true, status: HTTP/1.1 404 NOT FOUND, error: {
"detail": {},
"httpcode": 404,
"message": "image is not analyzed - analysis_status: not_analyzed"
}
Note: in the image tag 10.180.25.2:5000/hello-world:latest, 10.180.25.2:5000 is our local private registry, and hello-world:latest is the latest hello-world image available on Docker Hub, which we pulled and pushed to our registry to try image scanning with Anchore Engine.
Unfortunately, we could not find many resources online to try to resolve the above issue.
Anyone who may have used Anchore Engine, please take a look and help us resolve this issue.
Also, any suggestions or alternatives to Anchore Engine, or detailed steps in case we missed anything, would be greatly appreciated.
The end of the output is as follows:
2018-10-15T00:48:43.880 WARN AnchoreWorker anchore-engine get policy evaluation failed. HTTP method: GET, URL: http://10.180.25.2:8228/v1/images/sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8/check?tag=10.180.25.2:5000/hello-world:latest&detail=true, status: 404, error: {
"detail": {},
"httpcode": 404,
"message": "image is not analyzed - analysis_status: not_analyzed"
}
2018-10-15T00:48:43.880 WARN AnchoreWorker Exhausted all attempts polling anchore-engine. Analysis is incomplete for sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8
2018-10-15T00:48:43.880 ERROR AnchorePlugin Failing Anchore Container Image Scanner Plugin step due to errors in plugin execution
hudson.AbortException: Timed out waiting for anchore-engine analysis to complete (increasing engineRetries might help). Check above logs for errors from anchore-engine
at com.anchore.jenkins.plugins.anchore.BuildWorker.runGatesEngine(BuildWorker.java:480)
at com.anchore.jenkins.plugins.anchore.BuildWorker.runGates(BuildWorker.java:343)
at com.anchore.jenkins.plugins.anchore.AnchoreBuilder.perform(AnchoreBuilder.java:338)
at hudson.tasks.BuildStepCompatibilityLayer.perform(BuildStepCompatibilityLayer.java:81)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
at hudson.model.Build$BuildExecution.build(Build.java:206)
at hudson.model.Build$BuildExecution.doRun(Build.java:163)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:504)
at hudson.model.Run.execute(Run.java:1724)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:97)
at hudson.model.Executor.run(Executor.java:421)
I also checked the status and found the following:
docker run anchore/engine-cli:latest anchore-cli --u admin --p admin123 --url http://172.18.0.1:8228/v1 system status
Service analyzer (dockerhostid-anchore-engine, http://anchore-engine:8084): up
Service catalog (dockerhostid-anchore-engine, http://anchore-engine:8082): up
Service policy_engine (dockerhostid-anchore-engine, http://anchore-engine:8087): down (unavailable)
Service simplequeue (dockerhostid-anchore-engine, http://anchore-engine:8083): up
Service apiext (dockerhostid-anchore-engine, http://anchore-engine:8228): up
Service kubernetes_webhook (dockerhostid-anchore-engine, http://anchore-engine:8338): up
Engine DB Version: 0.0.7
Engine Code Version: 0.2.4
It seems that the policy_engine service is down:
Service policy_engine (dockerhostid-anchore-engine, http://anchore-engine:8087): down (unavailable)
I also checked the Docker logs. I found the following error:
[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [DEBUG] service (policy_engine) starting in: 4
[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [INFO] Registration complete.
[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [INFO] Checking feeds client credentials
[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [DEBUG] Initializing a feeds client
[service:policy_engine] 2018-10-15 09:37:47+0000 [-] [bootstrap] [DEBUG] init values: [None, None, None, (), None, None]
[service:policy_engine] 2018-10-15 09:37:47+0000 [-] [bootstrap] [DEBUG] using values: ['https://ancho.re/v1/service/feeds', 'https://ancho.re/oauth/token', 'https://ancho.re/v1/account/users', 'anon@ancho.re', 3, 60]
[service:policy_engine] 2018-10-15 09:37:47+0000 [-] [urllib3.connectionpool] [DEBUG] Starting new HTTPS connection (1): ancho.re
[service:policy_engine] 2018-10-15 09:37:50+0000 [-] [bootstrap] [ERROR] Preflight checks failed with error: HTTPSConnectionPool(host='ancho.re', port=443): Max retries exceeded with url: /v1/account/users/anon@ancho.re (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7ffa905f0b90>: Failed to establish a new connection: [Errno 113] No route to host',)). Aborting service startup
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/anchore_manager/cli/service.py", line 158, in startup_service
raise Exception("process exited: " + str(rc))
Exception: process exited: 1
[anchore-policy-engine] [anchore_manager.cli.service/startup_service()] [INFO] service process exited at (Mon Oct 15 09:37:50 2018): process exited: 1
[anchore-policy-engine] [anchore_manager.cli.service/startup_service()] [INFO] exiting service thread
Thanks and regards,
Rohan Shetty
When images are added to Anchore Engine, they are queued for analysis and pass through a simple state machine that starts at "not_analyzed", moves to "analyzing", and finally ends at either "analyzed" or "analysis_failed". Policy evaluation is only possible once an image has reached "analyzed".
The Anchore Jenkins plugin adds an image and then polls the engine for the image status/evaluation for a configured number of attempts (default 300). Once the image reaches "analyzed" (and policy evaluation is possible), the plugin receives the policy evaluation result from the engine.
If the maximum number of retries has been performed and the image has not reached "analyzed", or if the image did reach "analyzed" but the policy evaluation produced a "fail" result (meaning the image did not pass the policy checks you configured), the plugin will fail the build (by default). Note that all build-failure behaviour can be controlled in the plugin (i.e. there are options to let the plugin succeed even if analysis or image evaluation fails).
You need to look at the end of the build run's output (not just the beginning shown in the post); combined with the information above, it should be clear which case is causing the plugin to fail the build.
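As an added illustration of the state machine and poll loop described in this answer (example code written for this page, not the Anchore plugin's own source), the script below re-implements the polling logic against a constructed fake engine so it runs offline. The names poll_policy_evaluation and FakeEngine, and the simplified 200-response body with a "final_action" key, are assumptions made here; the real /check response has a richer layout. The 404 body mirrors the one quoted in the question.

```python
"""Re-implementation of the plugin's poll loop over anchore-engine's image
state machine (added example; not the plugin's or Anchore's own code)."""
from typing import Callable, Dict, List, Tuple

# (http_status, json_body) as seen from GET /v1/images/<digest>/check?tag=...
Response = Tuple[int, Dict]


def poll_policy_evaluation(fetch: Callable[[], Response], max_retries: int = 300) -> Dict:
    """Poll `fetch` until the image is analyzed or retries are exhausted.

    Returns {"outcome": ..., "attempts": n} where outcome is one of
    "pass", "policy_fail", "analysis_failed" or "timed_out".
    A 404 whose message reports not_analyzed/analyzing is not an error: the
    image is still queued, so the loop keeps polling. Only "analysis_failed"
    and retry exhaustion end the loop without an evaluation; "timed_out" is the
    case the question hit (the engine never left not_analyzed).
    """
    for attempt in range(1, max_retries + 1):
        status, body = fetch()
        if status == 200:
            # Evaluation available; the plugin fails the build on a "fail" verdict.
            final = body.get("final_action", "fail")  # simplified, assumed key
            outcome = "pass" if final == "pass" else "policy_fail"
            return {"outcome": outcome, "attempts": attempt}
        message = body.get("message", "")
        if "analysis_failed" in message:
            return {"outcome": "analysis_failed", "attempts": attempt}
        # not_analyzed / analyzing: image still in the queue, keep waiting
    return {"outcome": "timed_out", "attempts": max_retries}


class FakeEngine:
    """Constructed stand-in for anchore-engine: walks an image through the
    given analysis_status values one step per poll, repeating the last one."""

    def __init__(self, states: List[str], final_action: str = "pass"):
        self.states = states
        self.final_action = final_action
        self.calls = 0

    def fetch(self) -> Response:
        state = self.states[min(self.calls, len(self.states) - 1)]
        self.calls += 1
        if state == "analyzed":
            return 200, {"final_action": self.final_action}
        # Same shape as the 404 body quoted in the question for a queued image.
        return 404, {"detail": {}, "httpcode": 404,
                     "message": f"image is not analyzed - analysis_status: {state}"}


def healthy_run() -> Dict:
    """Image passes through the full state machine and evaluates to pass."""
    engine = FakeEngine(["not_analyzed", "analyzing", "analyzed"])
    return poll_policy_evaluation(engine.fetch)


def stuck_run(retries: int = 5) -> Dict:
    """policy_engine down: the image never leaves not_analyzed, as in the question."""
    engine = FakeEngine(["not_analyzed"])
    return poll_policy_evaluation(engine.fetch, max_retries=retries)


if __name__ == "__main__":
    print("healthy:", healthy_run())
    print("stuck:  ", stuck_run())
```

The distinction the answer draws is visible in the return values: a queued image and a down policy engine look identical to the caller (404, not_analyzed) until the retry budget runs out, which is why the plugin log ends with "Timed out waiting for anchore-engine analysis" rather than a policy verdict.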
We have resolved this issue.
Root cause:
We could not establish a successful HTTPS connection from the Anchore Engine Docker container to the URL https://ancho.re. As a result, the service policy_engine could not start.
https://ancho.re is needed to periodically download and sync the policy feeds. Without these feeds, Anchore Engine cannot analyze Docker images.
Solution:
1) We passed an HTTPS_PROXY URL as an environment variable in the Anchore Engine docker-compose.yaml.
We used this proxy URL to bypass the restrictions in our environment and establish a connection to the https://ancho.re URL.
2) Restarted the Docker containers.
Finally, we got all services up and running, including the Anchore policy engine.
FYI: downloading all the required feeds takes a while, depending on your internet speed.
Finally, thanks to the Anchore community for the quick response and support on Slack.
Hope this helps.
Warm regards,
Rohan Shetty
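As an added example (written for this page, not part of the answer above or of Anchore's tooling), the script below turns the diagnosis described here into a CI pre-check: it parses `anchore-cli system status` output and the policy_engine container log, and refuses to submit images while a service is down or the feed preflight has failed, so a pipeline fails fast instead of spending 300 poll attempts. The function names, regexes and `ready_to_scan` gate are assumptions made here; the sample status lines and log lines are the ones quoted in the question (the log line is abridged).

```python
"""CI readiness gate for anchore-engine built from the status output and
policy_engine log quoted in the question (added example, not Anchore's code)."""
import re
from typing import Dict, Iterable, List

# Sample `anchore-cli system status` output, as quoted in the question.
SAMPLE_STATUS = """\
Service analyzer (dockerhostid-anchore-engine, http://anchore-engine:8084): up
Service catalog (dockerhostid-anchore-engine, http://anchore-engine:8082): up
Service policy_engine (dockerhostid-anchore-engine, http://anchore-engine:8087): down (unavailable)
Service simplequeue (dockerhostid-anchore-engine, http://anchore-engine:8083): up
Service apiext (dockerhostid-anchore-engine, http://anchore-engine:8228): up
Service kubernetes_webhook (dockerhostid-anchore-engine, http://anchore-engine:8338): up
Engine DB Version: 0.0.7
Engine Code Version: 0.2.4
"""

# Sample policy_engine container log lines from the question (abridged).
SAMPLE_LOG = [
    "[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [INFO] Checking feeds client credentials",
    "[service:policy_engine] 2018-10-15 09:37:50+0000 [-] [bootstrap] [ERROR] Preflight checks failed with error: "
    "HTTPSConnectionPool(host='ancho.re', port=443): Max retries exceeded with url: /v1/account/users/anon@ancho.re "
    "(Caused by NewConnectionError('Failed to establish a new connection: [Errno 113] No route to host',)). "
    "Aborting service startup",
]

# "Service <name> (<hostid>, <url>): up|down [(reason)]"
STATUS_RE = re.compile(r"^Service (\S+) \(([^,]+), (\S+)\): (up|down)(?: \((.*)\))?$")
# "[service:<name>] ... [ERROR] Preflight checks failed with error: <error>"
PREFLIGHT_RE = re.compile(r"\[service:(\w+)\] .*\[ERROR\] Preflight checks failed with error: (.*)")
HOST_RE = re.compile(r"host='([^']+)'")


def parse_status(text: str) -> Dict[str, Dict[str, str]]:
    """Map service name -> {"url", "state", "reason"} from system status output."""
    services: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            name, _hostid, url, state, reason = m.groups()
            services[name] = {"url": url, "state": state, "reason": reason or ""}
    return services


def down_services(text: str) -> List[str]:
    """Names of every service that is not reported as up."""
    return sorted(n for n, s in parse_status(text).items() if s["state"] != "up")


def preflight_failures(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Extract preflight failures (service, unreachable host, full error text)."""
    found = []
    for line in lines:
        m = PREFLIGHT_RE.search(line)
        if m:
            service, error = m.groups()
            host = HOST_RE.search(error)
            found.append({"service": service,
                          "host": host.group(1) if host else "",
                          "error": error})
    return found


def ready_to_scan(status_text: str, log_lines: Iterable[str]) -> bool:
    """Gate to run before the Jenkins step adds an image: every service must be
    up and the log must show no feed preflight failure. Returns False for the
    question's data (policy_engine down, ancho.re unreachable)."""
    return not down_services(status_text) and not preflight_failures(list(log_lines))


if __name__ == "__main__":
    print("down services:", down_services(SAMPLE_STATUS))
    for f in preflight_failures(SAMPLE_LOG):
        print(f"{f['service']}: cannot reach {f['host']} (feed sync blocked)")
    print("ready to scan:", ready_to_scan(SAMPLE_STATUS, SAMPLE_LOG))
```

Run from the host, the status text would come from `anchore-cli ... system status` and the log from `docker logs` of the engine container; the `host` field of a preflight failure points straight at the egress that needs the HTTPS_PROXY setting described in the solution.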