安全性对任何产品来说都非常重要，比如著名的HeartBleed就曾经给很多忽视安全问题的企业带来了很大的影响。而随着容器化的推进，早在2015年的一次调查中，研究者就曾发现取样的Dockerhub上有30%-40%的镜像存在安全性的问题。Anchore正是这样一款针对容器的安全扫描的工具，类似于Docker在其收费版中提供的功能那样，能对应用容器的脆弱性进行静态扫描，同时支持whitelist/blacklist以及评估策略的设定。

项目地址

项目详细项目地址https://github.com/anchore/anchore开发语言PythonLicenseApache 2

为什么使用Anchore

随着容器化的逐渐推进，使用的安全性也受到越来越多地重视。在很多场景下，都需要对容器的脆弱性进行扫描，比如

项目详细镜像来源不明在互联网上下载的镜像，可以直接使用，非常的方便，但是是否真正安全还非常难说生产环境的实践容器上到生产环境之后，生产环境对容器的安全性要求一般较高，此时需要容器的安全性得到保证

依赖条件

以下列出本文安装Anchore所需的依赖

依赖详细CentOS版本CentOS 7Docker版本>1.10epel-releaseyum install epel-releaserpm-pythonyum install rpm-pythondpkgyum install dpkgpython-pipyum install python-pip

工作原理

通过对容器的layer进行扫描，发现漏洞并进行预警，其使用数据是基于Common Vulnerabilities and Exposures数据库(简称CVE), 各Linux发行版一般都有自己的CVE源，而Anchore则是与其进行匹配以判断漏洞的存在与否，比如HeartBleed的CVE为：CVE-2014-0160, Anchore通过query 命令的 cve-scan选项可以对镜像的CVE进行扫描。

运行方式

Anchore支持两种方式

项番方式镜像方式使用Anchore的镜像普通安装使用yum或者apt等直接安装

事前准备

docker版本

[root@liumiaocn ~]# docker version Client: Version: 1.12.6 API version: 1.24 Package version: docker-1.12.6-32.git88a4867.el7.centos.x86_64 Go version: go1.7.4 Git commit: 88a4867/1.12.6 Built: Mon Jul 3 16:02:02 2017 OS/Arch: linux/amd64 Server: Version: 1.12.6 API version: 1.24 Package version: docker-1.12.6-32.git88a4867.el7.centos.x86_64 Go version: go1.7.4 Git commit: 88a4867/1.12.6 Built: Mon Jul 3 16:02:02 2017 OS/Arch: linux/amd64 [root@liumiaocn ~]#

运行Clair

Step 1: 使用pip安装Anchore

[root@liumiaocn ~]# pip install anchore Collecting anchore Downloading anchore-1.1.3-py2-none-any.whl (184kB) 100% |████████████████████████████████| 194kB 45kB/s Collecting click (from anchore) Downloading click-6.7-py2.py3-none-any.whl (71kB) 100% |████████████████████████████████| 71kB 51kB/s Requirement already satisfied (use --upgrade to upgrade): pyyaml in /usr/lib64/python2.7/site-packages (from anchore) Collecting docker-py (from anchore) Downloading docker_py-1.10.6-py2.py3-none-any.whl (50kB) 100% |████████████████████████████████| 51kB 63kB/s Collecting requests<2.11 (from anchore) Downloading requests-2.10.0-py2.py3-none-any.whl (506kB) 100% |████████████████████████████████| 512kB 44kB/s Collecting clint (from anchore) Downloading clint-0.5.1.tar.gz Collecting prettytable (from anchore) Downloading prettytable-0.7.2.zip Requirement already satisfied (use --upgrade to upgrade): websocket-client>=0.32.0 in /usr/lib/python2.7/site-packages (from docker-py->anchore) Requirement already satisfied (use --upgrade to upgrade): backports.ssl-match-hostname>=3.5; python_version < "3.5" in /usr/lib/python2.7/site-packages (from docker-py->anchore) Requirement already satisfied (use --upgrade to upgrade): ipaddress>=1.0.16; python_version < "3.3" in /usr/lib/python2.7/site-packages (from docker-py->anchore) Requirement already satisfied (use --upgrade to upgrade): six>=1.4.0 in /usr/lib/python2.7/site-packages (from docker-py->anchore) Requirement already satisfied (use --upgrade to upgrade): docker-pycreds>=0.2.1 in /usr/lib/python2.7/site-packages (from docker-py->anchore) Collecting args (from clint->anchore) Downloading args-0.1.0.tar.gz Installing collected packages: click, requests, docker-py, args, clint, prettytable, anchore Found existing installation: requests 2.11.1 Uninstalling requests-2.11.1: Successfully uninstalled requests-2.11.1 Running setup.py install for args ... done Running setup.py install for clint ... done Running setup.py install for prettytable ... done Successfully installed anchore-1.1.3 args-0.1.0 click-6.7 clint-0.5.1 docker-py-1.10.6 prettytable-0.7.2 requests-2.10.0 You are using pip version 8.1.2, however version 9.0.1 is available. You should consider upgrading via the 'pip install --upgrade pip' command. [root@liumiaocn ~]#

Step 2：安装后版本确认

[root@liumiaocn ~]# anchore --version anchore, version 1.1.3 [root@liumiaocn ~]#

Step 3：初期化Anchore的Database

使用feeds sync命令，可以看出Anchore从不同的Linux发行版中取出相应的CVE等的信息存到其Database的过程如下：

[root@liumiaocn ~]# anchore feeds sync syncing data for subscribed feed (vulnerabilities) ... syncing group data: debian:unstable: ... skipping group data: ubuntu:16.04: ... skipping group data: centos:6: ... skipping group data: centos:7: ... skipping group data: centos:5: ... skipping group data: ubuntu:14.10: ... skipping group data: ubuntu:15.04: ... skipping group data: debian:9: ... syncing group data: debian:8: ... syncing group data: ubuntu:12.04: ... syncing group data: debian:7: ... syncing group data: ubuntu:16.10: ... syncing group data: alpine:3.3: ... syncing group data: alpine:3.4: ... syncing group data: alpine:3.5: ... syncing group data: alpine:3.6: ... syncing group data: ol:6: ... syncing group data: ubuntu:14.04: ... syncing group data: ubuntu:15.10: ... syncing group data: ubuntu:12.10: ... syncing group data: ubuntu:17.04: ... syncing group data: ol:7: ... syncing group data: ubuntu:13.04: ... syncing group data: ol:5: ... skipping data sync for unsubscribed feed (packages) ... [root@liumiaocn ~]#

镜像准备

随便找一个镜像，作为用来进行扫描的对象，本次扫描使用Clair中使用的Database的镜像源。

[root@liumiaocn ~]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE docker.io/postgres latest 33b13ed6b80a 5 days ago 268.8 MB [root@liumiaocn ~]#

对镜像进行分析

[root@liumiaocn ~]# anchore analyze --image docker.io/postgres:latest --imagetype base Analyzing image: docker.io/postgres:latest 33b13ed6b80a: analyzed. [root@liumiaocn ~]#

生成结果报告

[root@liumiaocn ~]# anchore gate --image docker.io/postgres:latest 33b13ed6b80a: evaluating policies ... +--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+ | Image Id | Repo Tag | Gate | Trigger | Check Output | Gate Action | +--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+ | 33b13ed6b80a | docker.io/postgres:latest | DOCKERFILECHECK | FROMSCRATCH | 'FROM' container is 'scratch' - | GO | | | | | | (scratch) | | | 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNLOW | Low Vulnerability found in package | GO | | | | | | - coreutils (CVE-2016-2781 - https | | | | | | | ://security-tracker.debian.org/trac | | | | | | | ker/CVE-2016-2781) | | | 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNUNKNOWN | Negligible Vulnerability found in | GO | | | | | | package - login (CVE-2007-5686 - | | | | | | | https://security-tracker.debian.org | | | | | | | /tracker/CVE-2007-5686) | | | 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNUNKNOWN | Negligible Vulnerability found in | GO | | | | | | package - passwd (CVE-2007-5686 - | | | | | | | https://security-tracker.debian.org | | | | | | | /tracker/CVE-2007-5686) | | | 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNMEDIUM | Medium Vulnerability found in | WARN | | | | | | package - libxml2 (CVE-2017-9048 - | | | | | | | https://security-tracker.debian.org | | | | | | | /tracker/CVE-2017-9048) | | | 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNMEDIUM | Medium Vulnerability found in | WARN | | | | | | package - libxml2 (CVE-2017-9049 - | | | | | | | https://security-tracker.debian.org | | | | | | | /tracker/CVE-2017-9049) | | | 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNUNKNOWN | Negligible Vulnerability found in | GO | | | | | | package - python2.7 (CVE-2013-7040 | | | | | | | - https://security-tracker.debian.o | | | | | | | rg/tracker/CVE-2013-7040) | | | 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNHIGH | High Vulnerability found in package | STOP | | | | | | - libsqlite3-0 (CVE-2017-10989 - | | | | | | | https://security-tracker.debian.org | | | | | | | /tracker/CVE-2017-10989) | | ... | 33b13ed6b80a | docker.io/postgres:latest | ANCHORESEC | VULNUNKNOWN | Unknown Vulnerability found in | GO | | | | | | package - locales (CVE-2017-12132 - | | | | | | | https://security-tracker.debian.org | | | | | | | /tracker/CVE-2017-12132) | | | 33b13ed6b80a | docker.io/postgres:latest | FINAL | FINAL | | STOP | +--------------+---------------------------+-----------------+-------------+-------------------------------------+-------------+

确认CVE

[root@liumiaocn ~]# anchore query --image docker.io/postgres:latest cve-scan all +------------------+------------+-----------------+----------------------------+---------------+----------------------------+----------------+----------------------------+ | CVE ID | Severity | *Total Affected | Vulnerable Package | Fix Available | Fix Images | Rebuild Images | URL | +------------------+------------+-----------------+----------------------------+---------------+----------------------------+----------------+----------------------------+ | CVE-2017-9525 | Medium | 1 | cron-3.0pl1-127+deb8u1 | None | 33b13ed6b80a(docker.io/pos | None | https://security-tracker.d | | | | | | | tgres:latest) | | ebian.org/tracker/CVE-2017 | | | | | | | | | -9525 | | CVE-2017-9050 | Medium | 1 | libxml2-2.9.1+dfsg1-5+deb8 | None | 33b13ed6b80a(docker.io/pos | None | https://security-tracker.d | | | | | u4 | | tgres:latest) | | ebian.org/tracker/CVE-2017 | | | | | | | | | -9050 | | CVE-2017-9049 | Medium | 1 | libxml2-2.9.1+dfsg1-5+deb8 | None | 33b13ed6b80a(docker.io/pos | None | https://security-tracker.d | | | | | u4 | | tgres:latest) | | ebian.org/tracker/CVE-2017 | | | | | | | | | -9049 | ... | CVE-2004-0971 | Negligible | 1 | krb5-locales-1.12.1+dfsg-1 | None | 33b13ed6b80a(docker.io/pos | None | https://security-tracker.d | | | | | 9+deb8u2 | | tgres:latest) | | ebian.org/tracker/CVE-2004 | | | | | | | | | -0971 | +------------------+------------+-----------------+----------------------------+---------------+----------------------------+----------------+----------------------------+

总结

本文简单介绍了Anchore这款针对于镜像的安全工具的安装到使用方法，而Anchore的功能不仅限于此，在DevOps落地的时候引入Anchore作为其中的一环对镜像的安全保驾护航不算是一个坏的注意。

淼叔 认证博客专家 神经网络 TensorFlow NLP 资深架构师，PMP、OCP、CSM、HPE University讲师，EXIN DevOps Professional与DevOps Master认证讲师，曾担任HPE GD China DevOps & Agile Leader，帮助企业级客户提供DevOps咨询培训以及实施指导。熟悉通信和金融领域，有超过十年金融外汇行业的架构设计、开发、维护经验，在十几年的IT从业生涯中拥有了软件开发设计领域接近全生命周期的经验和知识积累，著有企业级DevOps技术与工具实战。