Security/Container/Trivy: Difference between revisions

No edit summary
Line 286: Line 286:
</syntaxhighlight>
</syntaxhighlight>
|}
|}
==Trivy » Harbor » Manage ==
<syntaxhighlight lang="bash">
sudo ./prepare
sudo ./install.sh
docker images|grep harbor
sudo docker compose logs -ft
sudo docker compose up -d
sudo docker compose down
</syntaxhighlight>


==Playground==
==Playground==

Revision as of 03:22, 11 June 2025

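# Install the pinned Trivy CLI release as root.
# The heredoc delimiter is quoted, so ${HOME} is expanded by the root shell;
# depending on the sudoers env policy that is root's home (often /root), not
# the invoking user's — the download lands there as well.
cat <<'EXE'| sudo bash
set -euo pipefail
TRIVY_VERSION=0.63.0
TRIVY_TARBALL="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
TRIVY_BASE="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
TRIVY_SUMS="trivy_${TRIVY_VERSION}_checksums.txt"
mkdir -p "${HOME}/Downloads"
wget -cq "${TRIVY_BASE}/${TRIVY_TARBALL}" -P "${HOME}/Downloads"
# Verify the archive against the checksums file Trivy publishes next to its
# release archives before unpacking or installing anything from it
# (adjust the file name if the release page lists it differently).
wget -cq "${TRIVY_BASE}/${TRIVY_SUMS}" -P "${HOME}/Downloads"
(cd "${HOME}/Downloads" && grep " ${TRIVY_TARBALL}\$" "${TRIVY_SUMS}" | sha256sum -c -)
tar -xzf "${HOME}/Downloads/${TRIVY_TARBALL}" -C "${HOME}/Downloads"
# rm -f is enough for plain files; -r was not needed.
rm -f "${HOME}/Downloads/${TRIVY_TARBALL}" "${HOME}/Downloads/${TRIVY_SUMS}"
# install(1) places the binary with an explicit mode instead of inheriting
# whatever the tarball carried.
install -m 0755 "${HOME}/Downloads/trivy" /usr/local/bin/trivy
rm -f "${HOME}/Downloads/trivy"
EXE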

Trivy » Scan

# Scan a few public images with the locally installed Trivy CLI.
# The tags are pinned, so results stay comparable between runs.
for image in haproxy:2.8-alpine httpd:2.4-alpine nginx:alpine nginx:1.27; do
  trivy image "${image}"
done

Trivy » Harbor

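# Fetch the pinned Harbor online installer and stage it as the playground tree.
# Runs as the invoking user (no sudo), so ${HOME} is that user's home.
cat <<'EXE'| bash
set -euo pipefail
HARBOR_VERSION=v2.13.1
HARBOR_TGZ="harbor-online-installer-${HARBOR_VERSION}.tgz"
HARBOR_BASE="https://github.com/goharbor/harbor/releases/download/${HARBOR_VERSION}"
mkdir -p "${HOME}/Downloads"
wget -cq "${HARBOR_BASE}/${HARBOR_TGZ}"     -P "${HOME}/Downloads/"
wget -cq "${HARBOR_BASE}/${HARBOR_TGZ}.asc" -P "${HOME}/Downloads/"
# prepare and install.sh from this archive are later run as root, so check the
# detached signature Harbor publishes next to each installer before unpacking.
# Import Harbor's release signing key first (see the Harbor download docs);
# with set -e an unverifiable signature aborts here instead of continuing.
gpg --verify "${HOME}/Downloads/${HARBOR_TGZ}.asc" "${HOME}/Downloads/${HARBOR_TGZ}"
tar -xzf "${HOME}/Downloads/${HARBOR_TGZ}" -C "${HOME}/Downloads/"
rsync -az "${HOME}/Downloads/harbor/" "${HOME}/Documents/harbor-playground/"
rm -f  "${HOME}/Downloads/${HARBOR_TGZ}" "${HOME}/Downloads/${HARBOR_TGZ}.asc"
rm -rf "${HOME}/Downloads/harbor/"
EXE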

Trivy » Harbor » Internal

cat <<'YML'| tee ${HOME}/Documents/harbor-playground/harbor.yml >/dev/null
---
# Playground harbor.yml: Harbor with its bundled PostgreSQL and Redis, served
# over plain HTTP. NOTE(review): there is no https: section, so the admin login
# and registry credentials cross the wire in clear text — keep this bound to
# localhost or add an https: block with a certificate.
http:
  port: 1980
hostname: localhost
data_volume: ./harbor-data
# Initial administrator password, only used until the first login; rotate it
# afterwards. Credentials on a wiki page are public — use throwaway values.
harbor_admin_password: sadaqah!

database:
  # Password for the bundled postgresql container.
  password: sadaqah!
  max_idle_conns: 10
  max_open_conns: 20
  conn_max_lifetime: 5m
  conn_max_idle_time: 0

trivy:
  skip_java_db_update: false
  # Report vulnerabilities even when no fixed version exists yet.
  ignore_unfixed: false
  security_check: vuln
  # offline_scan/skip_update false: the scanner refreshes its vulnerability DB
  # itself, so the trivy-adapter container needs outbound network access.
  offline_scan: false
  skip_update: false
  # Keep TLS verification on for the DB download.
  insecure: false

jobservice:
  max_job_workers: 5
  max_job_duration_hours: 24
  job_loggers:
    - STD_OUTPUT
    - FILE
  logger_sweeper_duration: 1

notification:
  webhook_job_max_retry: 3
  webhook_job_http_client_timeout: 3

log:
  level: warning
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor

upload_purging:
  enabled: true
  age: 168h
  interval: 24h
  dryrun: false

cache:
  enabled: false
  expire_hours: 24
YML

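# Deploy Harbor with the bundled PostgreSQL/Redis and the Trivy scanner.
# Run from ${HOME}/Documents/harbor-playground, where install.sh and the
# harbor.yml written above live. install.sh only deploys the trivy-adapter
# service when asked with --with-trivy; without it the trivy: section of
# harbor.yml goes unused and nothing scans images.
sudo ./install.sh --with-trivy
sudo docker compose down
docker images | grep harbor
sudo docker compose up -d
sudo docker compose logs -ft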

Trivy » Harbor » External

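export DOCKER_HOST_IP=host.docker.internal
# Prompt for the harbor database role's password for the DDL below.
# -s keeps it off the terminal; -r keeps backslashes literal (without it read
# treats them as escapes and silently alters the password).
echo -n 'Password: ';read -rs HARBOR_PASSWORD;export HARBOR_PASSWORD;echo
# Password: sadaqah!
# (the example value above is the playground password used in harbor.yml; do
# not record real credentials in a wiki page)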

# List the roles and databases whose names contain "harbor"; the psql
# meta-commands \du+ and \l+ show the same information interactively.
cat <<'SQL'| psql
SELECT usename AS "user"     FROM pg_user     WHERE usename ~ 'harbor' ORDER BY usename; -- \du+
SELECT datname AS "database" FROM pg_database WHERE datname ~ 'harbor' ORDER BY datname; -- \l+
SQL

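# Reset the Harbor role and database (playground only — this destroys data).
# No ON_ERROR_STOP on purpose: on a fresh server REVOKE/DROP OWNED fail
# harmlessly because the objects do not exist yet.
cat <<'DDL'| psql
\! printf '\n'
REVOKE ALL PRIVILEGES ON DATABASE harbor FROM harbor;
DROP OWNED    BY        harbor;
DROP DATABASE IF EXISTS harbor;
DROP USER     IF EXISTS harbor;
DDL
# Recreate them. The password is read from the environment by psql itself and
# bound as a properly quoted literal (:'pw'), so the heredoc stays quoted and a
# password containing quotes or shell metacharacters can neither be mangled by
# the shell nor break out of the SQL string — unlike splicing
# ${HARBOR_PASSWORD} into the statement text. \getenv needs psql 15 or newer.
cat <<'DDL'| psql
\getenv pw HARBOR_PASSWORD
SELECT 'CREATE DATABASE harbor'
WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'harbor')\gexec
CREATE USER harbor WITH ENCRYPTED PASSWORD :'pw';
GRANT ALL PRIVILEGES ON DATABASE harbor TO harbor;
ALTER DATABASE harbor OWNER TO harbor;
DDL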

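# Prompt for the harbor role's password for the connection tests below.
# -r keeps backslashes literal. PGPASSWORD is inherited by every child process
# and readable from /proc/<pid>/environ by processes of the same user; outside
# a playground prefer a ~/.pgpass entry (mode 0600).
echo -n 'Password: ';read -rs PGPASSWORD; export PGPASSWORD; echo
# Password: sadaqah!

# Connect over TCP as the harbor role against two host addresses to confirm
# listen_addresses and pg_hba.conf allow it. No sslmode is given, so libpq's
# default "prefer" applies: TLS only if the server offers it.
psql -p 5432 -U harbor -d harbor -h 10.20.0.1
psql -p 5432 -U harbor -d harbor -h 10.19.83.10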

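# Open PostgreSQL to the Harbor containers. sudoedit edits a temporary copy as
# the invoking user and only the copy-back runs as root, so the editor (and its
# shell escapes) never runs with root privileges; SUDO_EDITOR keeps vim.
# The :%s/x/x/gc substitutions are no-ops used to step through the matches.
SUDO_EDITOR=vim sudoedit /etc/postgresql/16/main/postgresql.conf
# :%s/listen_addresses/listen_addresses/gc
# listen_addresses: list only the interface the containers reach, not '*'.

SUDO_EDITOR=vim sudoedit /etc/postgresql/16/main/pg_hba.conf
# :%s/# IPv4 local/# IPv4 local/gc
# Add a rule for the Harbor client address only, with scram-sha-256; prefer a
# hostssl rule so the harbor password and data are not sent in clear.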

# Restart PostgreSQL so the listen_addresses / pg_hba.conf edits take effect,
# showing the unit state before and after (the .service suffix is implied).
systemctl status  postgresql
systemctl restart postgresql
systemctl status  postgresql

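# Make the host's Redis reachable from the Harbor containers by extending the
# bind list with the host's container-facing addresses. A copy of the current
# config is written to the current directory (root's cwd under sudo) for rollback.
cat <<'EXE'| sudo bash
cat /etc/redis/redis.conf > ./redis.conf
sed 's|bind 127.0.0.1 -::1|bind 127.0.0.1 -::1 10.20.0.1 10.20.13.1|' -i /etc/redis/redis.conf
# The sed pattern is fixed text: if this distribution's default bind line reads
# differently the substitution silently changes nothing. Check and fail loudly
# rather than restarting Redis with an unchanged config.
grep -Eq '^bind .*10\.20\.0\.1 10\.20\.13\.1' /etc/redis/redis.conf || {
  echo 'redis.conf: bind line not updated, edit it by hand' >&2; exit 1; }
# NOTE(review): no requirepass is set, and Redis protected-mode only shields an
# instance without an explicit bind list, so after this change Harbor's queues
# and caches are reachable unauthenticated and unencrypted from those networks.
# Set requirepass (with the matching external_redis password in harbor.yml) or
# firewall the port down to the Docker bridge.
systemctl status  redis.service
systemctl restart redis.service
systemctl status  redis.service
redis-cli info    keyspace
EXE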

cat <<'YML'| tee ${HOME}/Documents/harbor-playground/harbor.yml >/dev/null
---
# Playground harbor.yml for the "External" setup: Harbor uses the PostgreSQL
# (and Redis) running on the Docker host instead of the bundled containers.
# NOTE(review): still HTTP only — no https: section — so logins and registry
# credentials cross the wire in clear; keep it on localhost or add https:.
http:
  port: 1980
hostname: localhost
data_volume: ./harbor-data
# Initial administrator password, only used until the first login; rotate it
# afterwards. Credentials on a wiki page are public — use throwaway values.
harbor_admin_password: sadaqah!

trivy:
  skip_java_db_update: false
  # Report vulnerabilities even when no fixed version exists yet.
  ignore_unfixed: false
  security_check: vuln
  # offline_scan/skip_update false: the scanner refreshes its vulnerability DB
  # itself, so the trivy-adapter container needs outbound network access.
  offline_scan: false
  skip_update: false
  # Keep TLS verification on for the DB download.
  insecure: false

jobservice:
  max_job_workers: 5
  max_job_duration_hours: 24
  job_loggers:
    - STD_OUTPUT
    - FILE
  logger_sweeper_duration: 1

notification:
  webhook_job_max_retry: 3
  webhook_job_http_client_timeout: 3

log:
  level: warning
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor

# Host-side PostgreSQL prepared with the psql/DDL steps above (role and
# database both named harbor).
external_database:
  harbor:
    host: 10.20.13.1
    port: 5432
    db_name: harbor
    username: harbor
    # Must match the password given to CREATE USER harbor above.
    password: sadaqah!
    # NOTE(review): disable sends this password and every query to 10.20.13.1
    # in clear text. Use require (or verify-full with the server CA) once the
    # server has a certificate, paired with a hostssl rule in pg_hba.conf.
    ssl_mode: disable
    max_idle_conns: 5
    max_open_conns: 10

upload_purging:
  enabled: true
  age: 168h
  interval: 24h
  dryrun: false

cache:
  enabled: false
  expire_hours: 24
YML

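# Switch the running stack to the external database/redis. prepare regenerates
# docker-compose.yml from harbor.yml, so it must run before the yq edits below
# (they would otherwise be overwritten), and --with-trivy is needed for the
# trivy-adapter service to be generated at all.
# Run from ${HOME}/Documents/harbor-playground (docker-compose.yml is relative).
sudo docker compose logs -ft
sudo docker compose down
sudo ./prepare --with-trivy

# On Linux host.docker.internal only resolves inside a container when mapped via
# extra_hosts, so every service that reaches the host's Redis needs the entry.
# Besides core and registry that includes jobservice and the trivy adapter,
# which have their own Redis DB indexes in external_redis.
yq eval '.services.core.extra_hosts += ["host.docker.internal:host-gateway"]'            -i docker-compose.yml
yq eval '.services.registry.extra_hosts += ["host.docker.internal:host-gateway"]'        -i docker-compose.yml
yq eval '.services.jobservice.extra_hosts += ["host.docker.internal:host-gateway"]'      -i docker-compose.yml
yq eval '.services."trivy-adapter".extra_hosts += ["host.docker.internal:host-gateway"]' -i docker-compose.yml

sudo docker compose up -d
sudo docker compose logs -ft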

Playground

# Sanity-check the CLI, then scan a few public images. :latest is a moving
# target, so findings differ between runs; pin a tag for reproducible results.
trivy version
trivy help
for image in haproxy httpd nginx php; do
  trivy image "${image}:latest"
done

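systemctl restart postgresql.service
systemctl status  postgresql.service
systemctl restart redis.service
systemctl status  redis.service

redis-cli info keyspace
# Clear only the logical databases Harbor uses: 0 for core plus the
# registry/jobservice/trivy indexes from external_redis. FLUSHALL would wipe
# every database on this host-wide Redis, including other tenants' keys, and
# the FLUSHDB that followed it was redundant (db 0 was already empty).
redis-cli -n 0 flushdb
redis-cli -n 1 flushdb
redis-cli -n 2 flushdb
redis-cli -n 5 flushdb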
# Harbor's external Redis settings; this belongs in harbor.yml next to
# external_database in the "External" setup above.
external_redis:
  # host:port of the Redis on the Docker host; containers can only resolve
  # host.docker.internal through the extra_hosts entries added with yq above.
  host: host.docker.internal:6379
  # NOTE(review): no password is configured here and redis.conf above sets no
  # requirepass, so Harbor's queues and caches are reachable without
  # authentication from every address in the Redis bind list.
  tlsOptions:
    # Plain TCP to Redis: cached data and session state cross the network in clear.
    enable: false
  # Logical DB per component; core is expected to use index 0 — confirm.
  registry_db_index: 1
  jobservice_db_index: 2
  trivy_db_index: 5
  idle_timeout_seconds: 30

References