
I am using Clair for vulnerability checking in my Harbor.

Services like Clair have thousands of hosts constantly accessing the hosted git server (https://git.launchpad.net/ubuntu-cve-tracker/), saturating it, so scaling measures are in place that cause it to return a 503 error when too many clients hit it at the same time.

These are the errors in my Clair pod:

{"Event":"could not pull ubuntu-cve-tracker repository","Level":"error","Location":"ubuntu.go:174","Time":"2021-06-25 06:38:32.859806","error":"exit status 128","output":"Cloning into '.'...\nfatal: unable to access 'https://git.launchpad.net/ubuntu-cve-tracker/': The requested URL returned error: 503\n"}
{"Event":"an error occured when fetching update","Level":"error","Location":"updater.go:246","Time":"2021-06-25 06:38:32.859934","error":"could not download requested resource","updater name":"ubuntu"}
panic: runtime error: slice bounds out of range

goroutine 549 [running]:
github.com/coreos/clair/ext/vulnsrc/rhel.toFeatureVersions(0xc000208390, 0x2, 0xc000246070, 0x1, 0x1, 0xc0001bc200, 0x1, 0x1, 0x0, 0x908f38, ...)
    /go/src/github.com/coreos/clair/ext/vulnsrc/rhel/rhel.go:292 +0xc3b
github.com/coreos/clair/ext/vulnsrc/rhel.parseRHSA(0x7fcc0f4a24b0, 0xc00038c0f0, 0xc00038c0f0, 0x7fcc0f4a24b0, 0xc00038c0f0, 0x8e2708, 0x4)
    /go/src/github.com/coreos/clair/ext/vulnsrc/rhel/rhel.go:182 +0x1c8

According to https://bugs.launchpad.net/ubuntu-cve-tracker/+bug/1925337, this is an error from the git server, and in that thread they suggest having Clair pull its data from other sources instead, meaning the offline approach. So, apart from the offline approach, is there any other way to reduce the number of vulnerability checks against the git server?

I tried to control the number of hits to the git server, but I could not find a configuration for it in Clair.

Does anyone know how we can control the hits of the vulnerability checks, or avoid my pod restarting?

Also, I found that a scan can be scheduled on my Harbor UI (hourly, daily or weekly), but how does scheduling the scan, say daily, help?
Is it only then that it will attempt a git clone to get the latest CVEs?

4

1 Answer

1

First check whether this is linked to goharbor/harbor issue 14720: "Clair restarts repeatedly when there is a problem with the vulnerability repository", with logs like the following:

{"Event":"Start fetching vulnerabilities","Level":"info","Location":"ubuntu.go:85","Time":"2021-04-21 19:18:24.446743","package":"Ubuntu"}
...
{"Event":"could not pull ubuntu-cve-tracker repository","Level":"error","Location":"ubuntu.go:174","Time":"2021-04-21 19:18:25.147515","error":"exit status 128","output":"Cloning into '.'...\nfatal: unable to access 'https://git.launchpad.net/ubuntu-cve-tracker/': The requested URL returned error: 503\n"}
{"Event":"an error occured when fetching update","Level":"error","Location":"updater.go:246","Time":"2021-04-21 19:18:25.147607","error":"could not download requested resource","updater name":"ubuntu"}
...
panic: runtime error: slice bounds out of range [25:24]

goroutine 327 [running]:
github.com/quay/clair/v2/ext/vulnsrc/rhel.toFeatureVersions(0xc0065215a8, 0x2, 0xc0000b4f08, 0x1, 0x1, 0xc006ef7aa0, 0x1, 0x1, 0x2, 0xc0000b4ef0, ...)
    /go/src/github.com/quay/clair/ext/vulnsrc/rhel/rhel.go:276 +0xbf8

It refers to quay/clair issue 1249, but the Harbor case was closed with PR 15032, using CLAIRVERSION=v2.1.7.

answered 2021-07-20T07:10:02.687
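Both log excerpts in this thread mix two different problems: an upstream fetch that fails with HTTP 503 (the git server throttling) and a separate crash of Clair's RHEL parser that takes the pod down. The following added example, which is not code from the question, the answer, Clair or Harbor, triages Clair's JSON log format and tells the two apart; the sample lines are constructed in the shape of the excerpts above, and the function names `parse_clair_log` and `triage` are my own.

```python
import json
import re

# Constructed sample in the shape of the Clair log excerpts quoted in this thread:
# JSON records from the updater, then a plain-text Go runtime panic.
SAMPLE_LOG = r'''
{"Event":"Start fetching vulnerabilities","Level":"info","Location":"ubuntu.go:85","Time":"2021-04-21 19:18:24.446743","package":"Ubuntu"}
{"Event":"could not pull ubuntu-cve-tracker repository","Level":"error","Location":"ubuntu.go:174","Time":"2021-04-21 19:18:25.147515","error":"exit status 128","output":"Cloning into '.'...\nfatal: unable to access 'https://git.launchpad.net/ubuntu-cve-tracker/': The requested URL returned error: 503\n"}
{"Event":"an error occured when fetching update","Level":"error","Location":"updater.go:246","Time":"2021-04-21 19:18:25.147607","error":"could not download requested resource","updater name":"ubuntu"}
panic: runtime error: slice bounds out of range [25:24]
'''

# git prints "The requested URL returned error: <status>" when an HTTP fetch fails
HTTP_STATUS = re.compile(r"returned error: (\d{3})")


def parse_clair_log(text):
    """Split Clair output into JSON records and non-JSON lines (a Go panic is not JSON)."""
    records, plain = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            plain.append(line)
    return records, plain


def triage(text):
    """Separate upstream fetch failures (per updater, with HTTP status) from a crash of Clair itself."""
    records, plain = parse_clair_log(text)
    pull_failures = {}
    for rec in records:
        m = HTTP_STATUS.search(rec.get("output", "")) if rec.get("Level") == "error" else None
        if m:
            updater = rec.get("Location", "").split(".go")[0]  # "ubuntu.go:174" -> "ubuntu"
            pull_failures.setdefault(updater, []).append(int(m.group(1)))
    panicked = any(l.startswith("panic:") for l in plain)
    findings = []
    for updater, codes in pull_failures.items():
        if 503 in codes:
            findings.append(f"{updater}: upstream returned 503, the update source is throttled/overloaded")
        else:
            findings.append(f"{updater}: upstream HTTP errors {sorted(set(codes))}")
    if panicked:
        findings.append("Clair panicked after the failed update, so the pod restarts; treat as a separate bug")
    return {"pull_failures": pull_failures, "panicked": panicked, "findings": findings}
```

Run it against the pod's log (for example `kubectl logs <clair-pod>`) to confirm whether restarts are driven by the 503s alone or also by the parser crash fixed in the Clair version the answer names.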