
We are trying to scan our docker images using the Anchore Engine Jenkins plugin.

Currently we build our application docker image, push it to our own private local registry, and then deploy it to our test environment.

Now we want to set up docker image scanning in the CI/CD process to check for vulnerabilities.

We installed Anchore Engine using the Docker-Compose yaml method recommended in the documentation: https://anchore.freshdesk.com/support/solutions/articles/36000020729-install-on-docker-swarm

After the installation, we installed the Anchore Container Image Scanner Plugin in Jenkins.

We configured the plugin as described in the documentation: https://wiki.jenkins.io/display/JENKINS/Anchore+Container+Image+Scanner+Plugin

However, the scan fails. The error message is as follows:

2018-10-11T07:01:44.647 INFO   AnchoreWorker   Analysis request accepted, received image digest sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8
2018-10-11T07:01:44.647 INFO   AnchoreWorker   Waiting for analysis of 10.180.25.2:5000/hello-world:latest, polling status periodically
2018-10-11T07:01:44.647 DEBUG  AnchoreWorker   anchore-engine get policy evaluation URL: http://10.180.25.2:8228/v1/images/sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8/check?tag=10.180.25.2:5000/hello-world:latest&detail=true
2018-10-11T07:01:44.648 DEBUG  AnchoreWorker   Attempting anchore-engine get policy evaluation (1/300)
2018-10-11T07:01:44.675 DEBUG  AnchoreWorker   anchore-engine get policy evaluation failed. URL: http://10.180.25.2:8228/v1/images/sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8/check?tag=10.180.25.2:5000/hello-world:latest&detail=true, status: HTTP/1.1 404 NOT FOUND, error: {
  "detail": {}, 
  "httpcode": 404, 
  "message": "image is not analyzed - analysis_status: not_analyzed"
}

Note: in the image tag 10.180.25.2:5000/hello-world:latest, 10.180.25.2:5000 is our local private registry, and hello-world:latest is the latest hello-world image available on Docker Hub, which we pulled and pushed into the registry to try image scanning with Anchore-Engine.

Unfortunately, we could not find many resources online to try and resolve the above issue.

If anyone has worked on Anchore-Engine, I request you to take a look and help us resolve this issue.

Also, we would appreciate any suggestions or alternatives, or detailed steps, on Anchore Engine in case we are missing anything.

The end of the output is as follows:

2018-10-15T00:48:43.880 WARN AnchoreWorker anchore-engine get policy evaluation failed. HTTP method: GET, URL: http://10.180.25.2:8228/v1/images/sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8/check?tag=10.180.25.2:5000/hello-world:latest&detail=true, status: 404, error: {
"detail": {},
"httpcode": 404,
"message": "image is not analyzed - analysis_status: not_analyzed"
}

2018-10-15T00:48:43.880 WARN AnchoreWorker Exhausted all attempts polling anchore-engine. Analysis is incomplete for sha256:7d6fb7e5e7a74a4309cc436f6d11c29a96cbf27a4a8cb45a50cb0a326dc32fe8
2018-10-15T00:48:43.880 ERROR AnchorePlugin Failing Anchore Container Image Scanner Plugin step due to errors in plugin execution
hudson.AbortException: Timed out waiting for anchore-engine analysis to complete (increasing engineRetries might help). Check above logs for errors from anchore-engine
at com.anchore.jenkins.plugins.anchore.BuildWorker.runGatesEngine(BuildWorker.java:480)
at com.anchore.jenkins.plugins.anchore.BuildWorker.runGates(BuildWorker.java:343)
at com.anchore.jenkins.plugins.anchore.AnchoreBuilder.perform(AnchoreBuilder.java:338)
at hudson.tasks.BuildStepCompatibilityLayer.perform(BuildStepCompatibilityLayer.java:81)
at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:744)
at hudson.model.Build$BuildExecution.build(Build.java:206)
at hudson.model.Build$BuildExecution.doRun(Build.java:163)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:504)
at hudson.model.Run.execute(Run.java:1724)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
at hudson.model.ResourceController.execute(ResourceController.java:97)
at hudson.model.Executor.run(Executor.java:421)

I also checked the status and found the following:

docker run anchore/engine-cli:latest anchore-cli --u admin --p admin123 --url http://172.18.0.1:8228/v1 system status
Service analyzer (dockerhostid-anchore-engine, http://anchore-engine:8084): up
Service catalog (dockerhostid-anchore-engine, http://anchore-engine:8082): up
Service policy_engine (dockerhostid-anchore-engine, http://anchore-engine:8087): down (unavailable)
Service simplequeue (dockerhostid-anchore-engine, http://anchore-engine:8083): up
Service apiext (dockerhostid-anchore-engine, http://anchore-engine:8228): up
Service kubernetes_webhook (dockerhostid-anchore-engine, http://anchore-engine:8338): up

Engine DB Version: 0.0.7
Engine Code Version: 0.2.4

It seems the policy_engine service is down:

Service policy_engine (dockerhostid-anchore-engine, http://anchore-engine:8087): down (unavailable)

I also checked the docker logs. I found the following error:

[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [DEBUG] service (policy_engine) starting in: 4
[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [INFO] Registration complete.
[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [INFO] Checking feeds client credentials
[service:policy_engine] 2018-10-15 09:37:46+0000 [-] [bootstrap] [DEBUG] Initializing a feeds client
[service:policy_engine] 2018-10-15 09:37:47+0000 [-] [bootstrap] [DEBUG] init values: [None, None, None, (), None, None]
[service:policy_engine] 2018-10-15 09:37:47+0000 [-] [bootstrap] [DEBUG] using values: ['https://ancho.re/v1/service/feeds', 'https://ancho.re/oauth/token', 'https://ancho.re/v1/account/users', 'anon@ancho.re', 3, 60]
[service:policy_engine] 2018-10-15 09:37:47+0000 [-] [urllib3.connectionpool] [DEBUG] Starting new HTTPS connection (1): ancho.re
[service:policy_engine] 2018-10-15 09:37:50+0000 [-] [bootstrap] [ERROR] Preflight checks failed with error: HTTPSConnectionPool(host='ancho.re', port=443): Max retries exceeded with url: /v1/account/users/anon@ancho.re (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7ffa905f0b90>: Failed to establish a new connection: [Errno 113] No route to host',)). Aborting service startup
Traceback (most recent call last):
 File "/usr/lib/python2.7/site-packages/anchore_manager/cli/service.py", line 158, in startup_service
   raise Exception("process exited: " + str(rc))
Exception: process exited: 1
[anchore-policy-engine] [anchore_manager.cli.service/startup_service()] [INFO] service process exited at (Mon Oct 15 09:37:50 2018): process exited: 1
[anchore-policy-engine] [anchore_manager.cli.service/startup_service()] [INFO] exiting service thread

Thanks and regards,

Rohan Shetty


2 Answers


When images are added to anchore-engine they are queued for analysis, which moves them through a simple state machine that starts at "not_analyzed", goes to "analyzing", and finally ends in either "analyzed" or "analysis_failed". Policy evaluation is only possible once an image reaches "analyzed".

The anchore Jenkins plugin adds an image and then polls the engine for the image status/evaluation for the configured number of attempts (default 300). Once the image enters "analyzed" (policy evaluation is possible), the plugin receives the policy evaluation result from the engine.

The plugin fails the build (by default) if the maximum number of retries has been performed and the image has not reached "analyzed", and also if the image does reach "analyzed" but the policy evaluation produces a "fail" result (meaning the image did not pass the policy checks you configured). Note that all of the build-failure behaviour can be controlled in the plugin (i.e. there are options to let the plugin succeed even if the analysis or the image evaluation fails).

You will want to look at the end of the output of the build run (not just the beginning, as in the post); combined with the information above, it should be clear which case is causing the plugin to fail the build.

answered 2018-10-13T15:52:37.397
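A poller that makes the state machine described in this answer explicit, added here as an example (it is not part of the answer, of the Jenkins plugin or of Anchore Engine). It reuses the /check URL shape and the 404 body format shown in the question; the engine URL, credentials, digest and tag are assumed to be supplied by the caller, and the fetcher is injectable so the logic can run offline against constructed responses:

```python
import base64
import json
import re
import time
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode

# A fetcher takes a URL and returns (http_status, response_body).
Fetcher = Callable[[str], Tuple[int, str]]

# The engine reports the image state inside the 404 body, e.g.
# "image is not analyzed - analysis_status: not_analyzed" (as in the question).
STATUS_RE = re.compile(r"analysis_status:\s*([a-z_]+)")


def check_url(engine_url: str, digest: str, tag: str) -> str:
    """Build the /check URL the Jenkins plugin polls (shape taken from the question)."""
    query = urlencode({"tag": tag, "detail": "true"})
    return f"{engine_url.rstrip('/')}/v1/images/{digest}/check?{query}"


def basic_auth_fetcher(user: str, password: str) -> Fetcher:
    """Fetcher for a real engine with HTTP basic auth (not used by the offline checks)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch(url: str) -> Tuple[int, str]:
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.getcode(), resp.read().decode()
        except urllib.error.HTTPError as err:  # the 404 while not analyzed lands here
            return err.code, err.read().decode()
    return fetch


def poll_policy_evaluation(fetch: Fetcher, engine_url: str, digest: str, tag: str,
                           retries: int = 300, delay: float = 1.0,
                           sleep: Callable[[float], None] = time.sleep) -> Tuple[str, Optional[object]]:
    """Return (state, evaluation): state is 'analyzed', 'analysis_failed' or 'timeout'."""
    url = check_url(engine_url, digest, tag)
    for _ in range(retries):
        code, body = fetch(url)
        if code == 200:  # only reachable once the image is 'analyzed'
            return "analyzed", json.loads(body)
        if code != 404:
            raise RuntimeError(f"unexpected HTTP {code} from engine: {body[:200]}")
        match = STATUS_RE.search(body)
        if match and match.group(1) == "analysis_failed":
            return "analysis_failed", None  # terminal state: stop instead of burning retries
        sleep(delay)  # not_analyzed / analyzing: wait and poll again
    return "timeout", None
```

Unlike the plugin's default behaviour, this stops as soon as the engine reports "analysis_failed", so a broken analyzer (or an unreachable policy_engine) surfaces immediately rather than after all 300 attempts.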

We have resolved the issue.

Root cause:

We could not successfully establish an https connection to the URL https://ancho.re from inside the anchore-engine docker container. As a result, service:policy_engine could not start.

https://ancho.re is needed to download the policy feeds and sync them periodically. Without these, anchore-engine cannot analyze docker images.

Solution:

1) We passed an HTTPS_PROXY URL as an environment variable in the docker-compose.yaml of anchore-engine.

We used this proxy URL to get around the restrictions in our environment and establish a connection to the https://ancho.re url.

2) Restarted the docker containers.

Finally, we have all services up and running, including the Anchore policy engine.

FYI: depending on your internet speed, it takes a while to download all the required feeds.

Lastly, thanks to the Anchore community for the quick response and support on Slack.

Hope this helps.

Warm regards,

Rohan Shetty

answered 2018-10-19T04:08:29.010
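The proxy change from step 1 above as a docker-compose fragment, added here as an example (it is not the poster's compose file or Anchore's). The service name anchore-engine is taken from the status output in the question; the image tag, the proxy host and the extra NO_PROXY entries are assumptions to adjust to your own file:

```yaml
# Added example: proxy settings for the engine container so the policy_engine
# preflight check can reach https://ancho.re. Only the proxy-related keys are
# shown; the existing ANCHORE_* settings in the original compose file stay as they are.
version: '2'
services:
  anchore-engine:
    image: anchore/anchore-engine:latest   # assumption: use the tag from your own file
    environment:
      # Outbound feed sync goes through the corporate proxy (placeholder host).
      HTTPS_PROXY: "http://proxy.example.internal:3128"
      HTTP_PROXY: "http://proxy.example.internal:3128"
      # Keep internal traffic off the proxy: the engine services call each other
      # by container hostname (anchore-engine:8082, :8084, :8087 in the status
      # output), the database is reached by its service name, and image pulls
      # from the private registry must also stay direct.
      NO_PROXY: "localhost,127.0.0.1,anchore-engine,anchore-db,10.180.25.2"
```

After editing, recreate the containers (step 2 above) and re-run the `anchore-cli ... system status` command from the question; policy_engine should report "up" once the initial feed sync completes, which can take a while.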