Redhat clair could not send notification via notifier
I am currently looking for a way to scan Quay repos with Clair.
Here is some basic information:
- Docker version: 19.03.13
- Docker API version: 1.40
- Go version: go1.13.15
- OS: Red Hat 7.9
- Container versions (Redis, Postgres, Clair, Quay): latest
- Storage: RadisGWStorage
- Quay DB: MariaDB (external server)
- Clair DB: Postgres (running on the same server as Quay)
- Redis, Postgres, Clair and Quay run on the same server, but in different containers.
My problem:
{"Event":"could not send notification via notifier","Level":"error","Location":"notifier.go:173","Time":"2020-10-15 08:04:40.730379","error":"Post https://domain/secscan/notify: proxyconnect tcp: dial tcp IP:6063: connect: connection refused","notification name":"09c0498e-c30d-4f1b-9bb2-d07588351618","sender name":"webhook"}
{"Event":"giving up on sending notification : max attempts exceeded","Level":"info","Location":"notifier.go:157","Time":"2020-10-15 08:04:40.730431","max attempts":3,"notification name":"09c0498e-c30d-4f1b-9bb2-d07588351618","sender name":"webhook"}
My Clair config:
clair:
  database:
    type: pgsql
    options:
      # A PostgreSQL Connection string pointing to the Clair Postgres database.
      # Documentation on the format can be found at http://www.postgresql.org/docs/9.4/static/libpq-connect.html
      source: postgresql://username:password@domain:5432/clairtest?sslmode=disable
      cachesize: 16384
  api:
    # The port at which Clair will report its health status. For example, if Clair is running at
    # https://clair.mycompany.com, the health will be reported at
    # http://clair.mycompany.com:6061/health.
    healthport: 6061
    port: 6062
    timeout: 900s
    # paginationkey can be any random set of characters. *Must be the same across all Clair instances*.
    paginationkey: "key"
  updater:
    # interval defines how often Clair will check for updates from its upstream vulnerability databases.
    interval: 6h
  notifier:
    attempts: 3
    renotifyinterval: 1h
    http:
      # QUAY_ENDPOINT defines the endpoint at which Quay is running.
      # For example: http://myregistry.mycompany.com
      endpoint: https://domain/secscan/notify
      proxy: https://domain:6063
jwtproxy:
  signer_proxy:
    enabled: true
    listen_addr: :6063
    ca_key_file: /certificates/mitm.key # Generated internally, do not change.
    ca_crt_file: /certificates/mitm.crt # Generated internally, do not change.
    insecure_skip_verify: true
    signer:
      issuer: security_scanner
      expiration_time: 5m
      max_skew: 1m
      nonce_length: 32
      private_key:
        type: preshared
        options:
          key_id: key
          private_key_path: /clair/config/security_scanner.pem
  verifier_proxies:
  - enabled: true
    # The port at which Clair will listen.
    listen_addr: :6060
    # If Clair is to be served via TLS, uncomment these lines. See the "Running Clair under TLS"
    # section below for more information.
    # key_file: /clair/config/clair.key
    # crt_file: /clair/config/clair.crt
    verifier:
      # CLAIR_ENDPOINT is the endpoint at which this Clair will be accessible. Note that the port
      # specified here must match the listen_addr port a few lines above this.
      # Example: https://myclair.mycompany.com:6060
      audience: https://domain:6060
      upstream: https://domain:6062
      key_server:
        type: keyregistry
        options:
          # QUAY_ENDPOINT defines the endpoint at which Quay is running.
          # Example: https://myregistry.mycompany.com
          registry: https://domain/keys/
      claims_verifiers:
      - type: static
        options:
          iss: jwtproxy
So do you know how to solve this, or do you know how I could debug it better? By the way, I have already tried debugging it with tcpdump, strace and wireshark.
Thanks for your help!
I solved it a few hours ago. First, I changed the IP to 127.0.0.1:6063. After that we found out that if you don't give it the intermediate CA, Quay and Clair cannot build the trust chain to the root CA. Then we found that Clair's key had expired and it could not create a new one. So we deleted all the keys and after a few restarts it worked fine.
LG VallingSki
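The first part of the fix above (pointing the notifier's proxy at loopback) is a wiring mistake that can be caught before Clair ever logs "proxyconnect ... connection refused". The following lint is an added example, not code from the post or from the Clair/Quay projects: it takes the config as a parsed dict (what yaml.safe_load returns), checks that notifier.http.proxy reaches the signer_proxy on loopback and on its listen_addr port, and applies the two port-matching rules the config's own comments state for the verifier. The http:// scheme in with_loopback_proxy follows Quay's sample config and is an assumption; the sample dict is constructed from the poster's values.

```python
from copy import deepcopy
from urllib.parse import urlsplit

# Constructed sample: the relevant keys of the poster's config, as yaml.safe_load would return them.
SAMPLE_CONFIG = {
    "clair": {
        "api": {"healthport": 6061, "port": 6062},
        "notifier": {"http": {"proxy": "https://domain:6063"}},
    },
    "jwtproxy": {
        "signer_proxy": {"enabled": True, "listen_addr": ":6063"},
        "verifier_proxies": [{
            "enabled": True, "listen_addr": ":6060",
            "verifier": {"audience": "https://domain:6060", "upstream": "https://domain:6062"},
        }],
    },
}

def _listen_port(addr):
    # jwtproxy listen_addr looks like ":6063" or "0.0.0.0:6063"
    return int(str(addr).rsplit(":", 1)[1])

def _url_port(url):
    parts = urlsplit(url)
    return parts.port or (443 if parts.scheme == "https" else 80)

def check_clair_config(cfg):
    """Return a list of wiring problems; an empty list means the config is consistent."""
    findings = []
    clair, jwt = cfg["clair"], cfg["jwtproxy"]
    proxy_url = clair["notifier"]["http"]["proxy"]
    signer_port = _listen_port(jwt["signer_proxy"]["listen_addr"])
    # The signer proxy runs inside the Clair container, so the notifier must reach it on loopback;
    # pointing it at the public hostname is what produced "proxyconnect ... connection refused".
    if urlsplit(proxy_url).hostname not in ("localhost", "127.0.0.1"):
        findings.append(f"notifier.http.proxy host is not loopback: {proxy_url}")
    if _url_port(proxy_url) != signer_port:
        findings.append(f"notifier.http.proxy port does not match signer_proxy listen_addr ({signer_port})")
    for vp in jwt["verifier_proxies"]:
        verifier, listen = vp["verifier"], _listen_port(vp["listen_addr"])
        if _url_port(verifier["audience"]) != listen:  # the config comment requires these to match
            findings.append(f"verifier audience port does not match listen_addr ({listen})")
        if _url_port(verifier["upstream"]) != clair["api"]["port"]:  # upstream is the Clair API
            findings.append("verifier upstream port does not match clair.api.port")
    return findings

def with_loopback_proxy(cfg, proxy="http://127.0.0.1:6063"):
    fixed = deepcopy(cfg)  # the poster's fix: reach the signer proxy on loopback (scheme assumed)
    fixed["clair"]["notifier"]["http"]["proxy"] = proxy
    return fixed
```

Run check_clair_config on the full config loaded with yaml.safe_load; the intermediate-CA and expired-key problems from the answer are not visible in config.yaml and still need the certificate chain and key store checked separately.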