Your containers have become an absolute necessity for your company. Without them, you couldn’t be nearly as agile as needed to keep up with the ever-rising demands placed on your business. Because of this, you might well be deploying more and more services, by way of containers.
That means you might be pulling down more and more images from various sources. With the rising number of vulnerabilities found in images today, you could easily fall prey to a vulnerability that could cause your company problems. In some cases … big problems.
How do you avoid that? You make use of a Docker registry capable of scanning those images. One such registry is Harbor. In the first part of this series, I walked you through the process of installing Harbor on Ubuntu 18.04. (Read: “Install the Docker Harbor Registry Server on Ubuntu 18.04”). This time around, I’ll show you how to successfully upload and scan images to Harbor.
The only things you’ll need to make this work are:
The images to be uploaded can be those you’ve created yourself or those you’ve pulled down from various registries (such as Docker Hub).
With those pieces at the ready, let’s get to work.
In order to push images to your Harbor registry from machines on your network, each machine must have a copy of the Harbor server's SSL certificates. In the test case I outlined in the original piece, I used self-signed certificates, and I'll continue with that example here. If you've purchased certificates from a trusted CA, you'll only have to modify the names of the certificate copies.
Here are the steps to copy the certificates:
Your client is now ready to upload images to the harbor server. Make sure to do this for any client on your network that needs to be able to upload images to the Harbor server.
Before an image can be pushed to the Harbor server, it must be first tagged. A Docker image tag is a piece of attached data that conveys useful information about an image. Say, for example, you have different developers working from one image, but each creates something completely different. Each of those developers could tag their image with their username, so the purpose of each image is clear. Or maybe you create similar images for different purposes (like security, dev, web, database, etc.). By tagging these images, you don’t have to guess the purpose they serve.
To tag an image so that it can then be pushed to the Harbor registry, you'd issue a command like so:
docker tag IMAGE SERVER_IP/PROJECT_NAME/IMAGE:TAG
Where:
IMAGE is the name of the local image you want to tag.
SERVER_IP is the IP address of the Harbor server.
PROJECT_NAME is the Harbor project the image will be pushed into.
TAG is the tag you want to attach to the image.
Say, for example, developer jack is using the official ubuntu image, and wants to tag it so it can be sent to the test project on the Harbor server at IP address 192.168.1.75. The command for this would be:
docker tag ubuntu 192.168.1.75/test/ubuntu:jack
With the image tagged, it’s ready to be pushed to the Harbor server.
Now it’s time to push that tagged image to the Harbor server. Before you can successfully do this, you must log into the Harbor server from the client. To do this, open a terminal window on the client and issue the command:
docker login SERVER_IP
Where SERVER_IP is the IP address of the Harbor server.
You will be prompted for your Harbor user account credentials. If you don’t already have a user account, have the Harbor server admin create one for you. Once you’ve successfully authenticated, you’re ready to push your image. Do so with the command:
docker push SERVER_IP/PROJECT_NAME/IMAGE:TAG
To push our example tagged image from above, the command would be:
docker push 192.168.1.75/test/ubuntu:jack
Once the push completes, the image is ready to be scanned.
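The tag, login and push steps above, wrapped in one POSIX shell function with a reference check in front of them. This is an added example, not code from the article or from the Harbor project; the function names, the DOCKER variable (set it to echo to dry-run without a daemon or a Harbor server) and the HARBOR_USER / HARBOR_PASS variables are my own choices, and the name rules are an approximation of Docker's reference grammar.

```shell
#!/bin/sh
# Added example: tag -> login -> push to Harbor, validating the reference first.
# DOCKER defaults to the real client; DOCKER=echo only prints the commands.
DOCKER="${DOCKER:-docker}"

# Build SERVER_IP/PROJECT_NAME/IMAGE:TAG and reject names Docker would refuse:
# repository components must be lowercase, tags are [A-Za-z0-9_][A-Za-z0-9_.-]*
# and at most 128 characters (approximate check, constructed for this example).
harbor_ref() {
    server="$1"; project="$2"; image="$3"; tag="$4"
    for part in "$project" "$image"; do
        case "$part" in
            ''|*[!a-z0-9._-]*) echo "invalid repository component: '$part'" >&2; return 1 ;;
        esac
    done
    case "$tag" in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid tag: '$tag'" >&2; return 1 ;;
        [.-]*) echo "tag must not start with '.' or '-'" >&2; return 1 ;;
    esac
    [ "${#tag}" -le 128 ] || { echo "tag longer than 128 characters" >&2; return 1; }
    printf '%s/%s/%s:%s\n' "$server" "$project" "$image" "$tag"
}

# Tag the local image, log in to the Harbor server and push. Credentials come
# from HARBOR_USER / HARBOR_PASS and go to docker via --password-stdin, so the
# password never appears on the command line or in the shell history.
harbor_push() {
    server="$1"; project="$2"; image="$3"; tag="$4"
    ref="$(harbor_ref "$server" "$project" "$image" "$tag")" || return 1
    "$DOCKER" tag "$image" "$ref" || return 1
    printf '%s' "$HARBOR_PASS" | "$DOCKER" login "$server" -u "$HARBOR_USER" --password-stdin || return 1
    "$DOCKER" push "$ref"
}

# The article's example: developer jack pushes the ubuntu image to project test.
# DOCKER=echo HARBOR_USER=jack HARBOR_PASS=secret harbor_push 192.168.1.75 test ubuntu jack
```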
Log into the Harbor registry and make your way to the project housing the newly-pushed image. You should see the tagged image listed (Figure A).
Click on the image name. This will reveal the tagged image (Figure B).
Click the checkbox associated with the tagged image and then click SCAN. The image will be queued and then scanned. Depending on the size and complexity of the image, the scan can take some time.
When the scan completes, click the tag name to reveal the scan results. You should see a listing of all relevant CVE entries, along with their severity, associated package, and current version of the package (Figure C).
With the results in hand, you can then determine if the image is safe enough to be used. If it is not, you can act accordingly (by either scrapping the image or resolving the vulnerabilities).
And that’s how you scan a Docker image for vulnerabilities, with the Harbor Registry. If you’re serious about using Docker containers for your business, you should treat the security of those images with a measure of caution.