虚机ubuntu20.04,
安装docker,
sudo apt install docker.io,
sudo systemctl enable docker,
sudo gpasswd -a ubuntu docker,
newgrp docker,
安装docker-compose,
sudo apt install docker-compose,
给harbor起个本地域名,
sudo vim /etc/hosts,
10.90.11.166 harbortrivy.com
给harbor创建证书和私钥,
openssl req -x509 -nodes -newkey rsa:4096 -sha256 -days 999 -keyout /home/ubuntu/harbortrivy.com.key -out /home/ubuntu/harbortrivy.com.crt -subj "/C=CN/ST=docker/L=beijing/O=harbortrivy/OU=New site/CN=harbortrivy.com/[email protected]",
下载harbor在线安装版本,
wget https://github.com/goharbor/harbor/releases/download/v2.4.1/harbor-online-installer-v2.4.1.tgz,
tar -zxvf harbor-online-installer-v2.4.1.tgz,cd harbor,
修改配置,vim harbor.yml,
hostname: harbortrivy.com
certificate: /home/ubuntu/harbortrivy.com.crt
private_key: /home/ubuntu/harbortrivy.com.key
harbor_admin_password: harbortrivy
安装,指定trivy,notary等参数,
sudo ./install.sh --with-notary --with-trivy --with-chartmuseum,
安装成功后,https登录,admin/harbortrivy,
看到默认安装了trivy做为漏洞扫描器,
对于默认项目library,配置管理中能够看到可以进行各种安全配置,
push一个容器镜像上去看看,
在docker客户端,需要把harbor的证书弄过来放到docker的目录下,
sudo mkdir -p /etc/docker/certs.d/harbortrivy.com,
sudo scp [email protected]:/home/ubuntu/harbortrivy.com.crt /etc/docker/certs.d/harbortrivy.com,
本地域名也得添加一下,sudo vim /etc/hosts,
10.90.11.166 harbortrivy.com
登录一下,docker login --username=admin harbortrivy.com,
下载个log4j的容器镜像,
docker pull ghcr.io/christophetd/log4shell-vulnerable-app:latest,
重新tag一下,docker tag 248241e9f7fa harbortrivy.com/library/log4shell-vulnerable-app:latest,
最后push镜像,docker push harbortrivy.com/library/log4shell-vulnerable-app:latest,
在harbor这边看效果,对push上来的容器镜像自动进行了漏洞扫描,
原文始发于微信公众号(云计算和网络安全技术实践):容器镜像仓库harbor+trivy的安装使用
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论