Documentation
¶
Index ¶
- Constants
- Variables
- type AMQP
- type Auth
- type AuthKeyserver
- type AuthPSK
- type Base64
- type Config
- type Exchange
- type Indexer
- type Jaeger
- type LogLevel
- type Login
- type Matcher
- type Matchers
- type Metrics
- type Mode
- type Notifier
- type Prometheus
- type STOMP
- type ScannerConfig
- type TLS
- type Trace
- type Updaters
- type Warning
- type Webhook
- Bugs
Examples ¶
Constants ¶
View Source
const ( // DefaultAddress is used if an "http_listen_addr" is not provided in the config. DefaultAddress = ":6060" // DefaultScanLockRetry is the default retry period for attempting locks // during the indexing process. Its name is a historical accident. DefaultScanLockRetry = 1 // DefaultMatcherPeriod is the default interval for running updaters. DefaultMatcherPeriod = 30 * time.Minute // DefaultUpdateRetention is the number of updates per vulnerability // database to retain. DefaultUpdateRetention = 10 // DefaultNotifierPollInterval is the default (and minimum) interval for the // notifier's change poll interval. The notifier will poll the database for // updated vulnerability databases at this rate. DefaultNotifierPollInterval = 5 * time.Second // DefaultNotifierDeliveryInterval is the default (and minimum) interval for // the notifier's delivery interval. The notifier will attempt to deliver // outstanding notifications at this rate. DefaultNotifierDeliveryInterval = 5 * time.Second )
These are defaults, used in the documented spots.
Variables ¶
View Source
var (
ErrDeprecated = errors.New("setting will be removed in a future release")
)
These are some common kinds of Warnings.
Functions ¶
This section is empty.
Types ¶
type AMQP ¶
type AMQP struct {
TLS *TLS `yaml:"tls" json:"tls"`
// The AMQP exchange notifications will be delivered to.
// A passive declare is performed and if the exchange does not exist
// the declare will fail.
Exchange Exchange `yaml:"exchange" json:"exchange"`
// The routing key used to route notifications to the desired queue.
RoutingKey string `yaml:"routing_key" json:"routing_key"`
// The callback url where notifications are retrieved.
Callback string `yaml:"callback" json:"callback"`
// A list of AMQP compliant URI scheme. see: https://www.rabbitmq.com/uri-spec.html
// example: "amqp://user:pass@host:10000/vhost"
//
// The first successful connection will be used by the amqp deliverer.
//
// If "amqps://" broker URI schemas are provided the TLS configuration below is required.
URIs []string `yaml:"uris" json:"uris"`
// Specifies the number of notifications delivered in single AMQP message
// when Direct is true.
//
// Ignored if Direct is not true
// If 0 or 1 is provided no rollup occurs and each notification is delivered
// separately.
Rollup int `yaml:"rollup" json:"rollup"`
// AMQPConfigures the AMQP delivery to deliver notifications directly to
// the configured Exchange.
//
// If true "Callback" is ignored.
// If false a notifier.Callback is delivered to the queue and clients
// utilize the pagination API to retrieve.
Direct bool `yaml:"direct" json:"direct"`
}
AMQP configures the AMQP notification mechanism.
type Auth ¶
type Auth struct {
PSK *AuthPSK `yaml:"psk,omitempty" json:"psk,omitempty"`
Keyserver *AuthKeyserver `yaml:"keyserver,omitempty" json:"keyserver,omitempty"`
}
Auth holds the specific configs for different authentication methods.
These should be pointers to structs, so that it's possible to distinguish between "absent" and "present and misconfigured."
type AuthKeyserver ¶
type AuthKeyserver struct {
API string `yaml:"api" json:"api"`
Intraservice Base64 `yaml:"intraservice" json:"intraservice"`
}
AuthKeyserver is the configuration for doing authentication with the Quay keyserver protocol.
The "Intraservice" key is only needed when the overall config mode is not "combo".
type AuthPSK ¶
AuthPSK is the configuration for doing pre-shared key based authentication.
The "Issuer" key is what the service expects to verify as the "issuer" claim.
type Base64 ¶
type Base64 []byte
Base64 is a byte slice that encodes to and from base64-encoded strings.
func (*Base64) MarshalText ¶
MarshalText implements encoding.TextMarshaler.
func (*Base64) UnmarshalText ¶
UnmarshalText implements encoding.TextUnmarshaler.
type Config ¶
type Config struct {
// TLS configures HTTPS support.
//
// Note that any non-trivial deployment means the certificate provided here
// will need to be for the name the load balancer uses to connect to a given
// Clair instance.
//
// This is not used for outgoing requests; setting the SSL_CERT_DIR
// environment variable is the recommended way to do that. The release
// container has `/var/run/certs` added to the list already.
TLS *TLS `yaml:"tls,omitempty" json:"tls,omitempty"`
// Sets which mode the clair instance will run.
Mode Mode `yaml:"-" json:"-"`
// A string in <host>:<port> format where <host> can be an empty string.
//
// exposes Clair node's functionality to the network.
// see /openapi/v1 for api spec.
HTTPListenAddr string `yaml:"http_listen_addr" json:"http_listen_addr"`
// A string in <host>:<port> format where <host> can be an empty string.
//
// exposes Clair's metrics and health endpoints.
IntrospectionAddr string `yaml:"introspection_addr" json:"introspection_addr"`
// Set the logging level.
LogLevel LogLevel `yaml:"log_level" json:"log_level"`
Indexer Indexer `yaml:"indexer" json:"indexer"`
Matcher Matcher `yaml:"matcher" json:"matcher"`
Matchers Matchers `yaml:"matchers" json:"matchers"`
Updaters Updaters `yaml:"updaters,omitempty" json:"updaters,omitempty"`
Notifier Notifier `yaml:"notifier" json:"notifier"`
Auth Auth `yaml:"auth" json:"auth"`
Trace Trace `yaml:"trace" json:"trace"`
Metrics Metrics `yaml:"metrics" json:"metrics"`
}
Config is the configuration object for the commands in github.com/quay/clair/v4/cmd/...
type Exchange ¶
type Exchange struct {
// The name of the exchange
Name string `yaml:"name" json:"name"`
// The type of the exchange. Typically:
// "direct"
// "fanout"
// "topic"
// "headers"
Type string `yaml:"type" json:"type"`
// Whether the exchange survives server restarts
Durable bool `yaml:"durability" json:"durability"`
// Whether bound consumers define the lifecycle of the Exchange.
AutoDelete bool `yaml:"auto_delete" json:"auto_delete"`
}
Exchange are the required fields necessary to check the existence of an Exchange
For more details see: https://godoc.org/github.com/streadway/amqp#Channel.ExchangeDeclarePassive
type Indexer ¶
type Indexer struct {
// Scanner allows for passing configuration options to layer scanners.
Scanner ScannerConfig `yaml:"scanner" json:"scanner"`
// A Postgres connection string.
//
// formats
// url: "postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full"
// or
// string: "user=pqgotest dbname=pqgotest sslmode=verify-full"
ConnString string `yaml:"connstring" json:"connstring"`
// A positive value representing seconds.
//
// Concurrent Indexers lock on manifest scans to avoid clobbering.
// This value tunes how often a waiting Indexer will poll for the lock.
// TODO: Move to async operating mode
ScanLockRetry int `yaml:"scanlock_retry" json:"scanlock_retry"`
// A positive values representing quantity.
//
// Indexers will index a Manifest's layers concurrently.
// This value tunes the number of layers an Indexer will scan in parallel.
LayerScanConcurrency int `yaml:"layer_scan_concurrency" json:"layer_scan_concurrency"`
// Rate limits the number if index report creation requests.
//
// Setting this to 0 will attempt to auto-size this value. Setting a
// negative value means "unlimited." The auto-sizing is a multiple of the
// number of available cores.
//
// The API will return a 429 status code if concurrency is exceeded.
IndexReportRequestConcurrency int `yaml:"index_report_request_concurrency" json:"index_report_request_concurrency"`
// A "true" or "false" value
//
// Whether Indexer nodes handle migrations to their database.
Migrations bool `yaml:"migrations" json:"migrations"`
// Airgap disables scanners that have signaled they expect to talk to the
// Internet.
Airgap bool `yaml:"airgap" json:"airgap"`
}
Indexer provides Clair Indexer node configuration
type Jaeger ¶
type Jaeger struct {
Tags map[string]string `yaml:"tags" json:"tags"`
Agent struct {
Endpoint string `yaml:"endpoint" json:"endpoint"`
} `yaml:"agent" json:"agent"`
Collector struct {
Username *string `yaml:"username" json:"username"`
Password *string `yaml:"password" json:"password"`
Endpoint string `yaml:"endpoint" json:"endpoint"`
} `yaml:"collector" json:"collector"`
ServiceName string `yaml:"service_name" json:"service_name"`
BufferMax int `yaml:"buffer_max" json:"buffer_max"`
}
Jaeger specific distributed tracing configuration.
type LogLevel ¶
type LogLevel int
A LogLevel is a log level recognized by Clair.
The zero value is "info".
const ( InfoLog LogLevel = iota // info DebugColorLog // debug-color DebugLog // debug WarnLog // warn ErrorLog // error FatalLog // fatal PanicLog // panic )
The recognized log levels, with their string representations as the comments.
NB "Fatal" and "Panic" are not used in clair or claircore, and will result in almost no logging.
func ParseLogLevel ¶
ParseLogLevel returns the log lever for the given string.
The passed string is case-insensitive.
func (*LogLevel) UnmarshalText ¶
UnmarshalText implements encoding.TextUnmarshaler.
type Login ¶
type Login struct {
Login string `yaml:"login" json:"login"`
Passcode string `yaml:"passcode" json:"passcode"`
}
Login is the login details for a STOMP broker.
type Matcher ¶
type Matcher struct {
// A Postgres connection string.
//
// Formats:
// url: "postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full"
// or
// string: "user=pqgotest dbname=pqgotest sslmode=verify-full"
ConnString string `yaml:"connstring" json:"connstring"`
// A string in <host>:<port> format where <host> can be an empty string.
//
// A Matcher contacts an Indexer to create a VulnerabilityReport.
// The location of this Indexer is required.
IndexerAddr string `yaml:"indexer_addr" json:"indexer_addr"`
// Period controls how often updaters are run.
//
// The default is 30 minutes.
Period time.Duration `yaml:"period" json:"period"`
// UpdateRetention controls the number of updates to retain between
// garbage collection periods.
//
// The lowest possible value is 2 in order to compare updates for notification
// purposes.
//
// A value of 0 disables GC.
UpdateRetention int `yaml:"update_retention" json:"update_retention"`
// A positive integer
//
// Clair allows for a custom connection pool size.
// This number will directly set how many active sql
// connections are allowed concurrently.
MaxConnPool int `yaml:"max_conn_pool" json:"max_conn_pool"`
// CacheAge controls how long clients should be hinted to cache responses
// for.
//
// If empty, the duration set in "Period" will be used. This means client
// may cache "stale" results for 2(Period) - 1 seconds.
CacheAge time.Duration `yaml:"cache_age,omitempty" json:"cache_age,omitempty"`
// A "true" or "false" value
//
// Whether Matcher nodes handle migrations to their databases.
Migrations bool `yaml:"migrations" json:"migrations"`
// DisableUpdaters disables the updater's running of matchers.
//
// This should be toggled on if vulnerabilities are being provided by
// another mechanism.
DisableUpdaters bool `yaml:"disable_updaters" json:"disable_updaters"`
}
Matcher is the configuration for the matcher service.
type Matchers ¶
type Matchers struct {
// Config holds configuration blocks for MatcherFactories and Matchers,
// keyed by name.
Config map[string]interface{} `yaml:"config" json:"config"`
// A slice of strings representing which
// matchers will be used.
//
// If nil all default Matchers will be used
//
// The following names are supported by default:
// "alpine"
// "aws"
// "debian"
// "oracle"
// "photon"
// "python"
// "rhel"
// "suse"
// "ubuntu"
// "crda" - remotematcher calls hosted api via RPC.
Names []string `yaml:"names" json:"names"`
}
Matchers configures the individual matchers run by the matcher system.
type Metrics ¶
type Metrics struct {
Prometheus Prometheus `yaml:"prometheus" json:"prometheus"`
Name string `yaml:"name" json:"name"`
}
Metrics specifies how to configure Clair's metrics exporting.
The "Name" key must match the provider to use.
Currently, only "prometheus" is supported.
type Mode ¶
type Mode int
A Mode is an operating mode recognized by Clair.
This is not directly settable by serializing into a Config object.
const ( ComboMode Mode = iota // combo IndexerMode // indexer MatcherMode // matcher NotifierMode // notifier )
Clair modes, with their string representations as the comments.
type Notifier ¶
type Notifier struct {
// Only one of the following should be provided in the configuration
//
// Configures the notifier for webhook delivery
Webhook *Webhook `yaml:"webhook" json:"webhook"`
// Configures the notifier for AMQP delivery.
AMQP *AMQP `yaml:"amqp" json:"amqp"`
// Configures the notifier for STOMP delivery.
STOMP *STOMP `yaml:"stomp" json:"stomp"`
// A Postgres connection string.
//
// Formats:
// url: "postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full"
// or
// string: "user=pqgotest dbname=pqgotest sslmode=verify-full"
ConnString string `yaml:"connstring" json:"connstring"`
// A string in <host>:<port> format where <host> can be an empty string.
//
// A Notifier contacts an Indexer to create obtain manifests affected by vulnerabilities.
// The location of this Indexer is required.
IndexerAddr string `yaml:"indexer_addr" json:"indexer_addr"`
// A string in <host>:<port> format where <host> can be an empty string.
//
// A Notifier contacts a Matcher to list update operations and acquire diffs.
// The location of this Indexer is required.
MatcherAddr string `yaml:"matcher_addr" json:"matcher_addr"`
// A time.ParseDuration parsable string
//
// The frequency at which the notifier will query at Matcher for Update Operations.
// If a value smaller then 1 second is provided it will be replaced with the
// default 5 second poll interval.
PollInterval time.Duration `yaml:"poll_interval" json:"poll_interval"`
// A time.ParseDuration parsable string
//
// The frequency at which the notifier attempt delivery of created or previously failed
// notifications
// If a value smaller then 1 second is provided it will be replaced with the
// default 5 second delivery interval.
DeliveryInterval time.Duration `yaml:"delivery_interval" json:"delivery_interval"`
// DisableSummary disables summarizing vulnerabilities per-manifest.
//
// The default is to summarize any new vulnerabilities to the most severe
// one, in the thought that any additional processing for end-user
// notifications can have policies around severity and fetch a complete
// VulnerabilityReport if it'd like.
//
// For a machine-consumption use case, it may be easier to instead have the
// notifier push all the data.
DisableSummary bool `yaml:"disable_summary" json:"disable_summary"`
// A "true" or "false" value
//
// Whether Notifier nodes handle migrations to their database.
Migrations bool `yaml:"migrations" json:"migrations"`
}
Notifier provides Clair Notifier node configuration
type Prometheus ¶
type Prometheus struct {
// Endpoint is a URL path where
// Prometheus metrics will be hosted.
Endpoint *string `yaml:"endpoint" json:"endpoint"`
}
Prometheus specific metrics configuration.
type STOMP ¶
type STOMP struct {
// optional tls portion of config
TLS *TLS `yaml:"tls" json:"tls"`
// optional user login portion of config
Login *Login `yaml:"user" json:"user"`
// The callback url where notifications are retrieved.
Callback string `yaml:"callback" json:"callback"`
// the destination messages will be delivered to
Destination string `yaml:"destination" json:"destination"`
// a list of URIs to send messages to.
// a linear search of this list is always performed.
//
// Note that "URI" is a misnomer, this must be host:port pairs.
URIs []string `yaml:"uris" json:"uris"`
// Specifies the number of notifications delivered in single STOMP message
// when Direct is true.
//
// Ignored if Direct is not true
// If 0 or 1 is provided no rollup occurs and each notification is delivered
// separately.
Rollup int `yaml:"rollup" json:"rollup"`
// Configures the STOMP delivery to deliver notifications directly to
// the configured Destination.
//
// If true "Callback" is ignored.
// If false a notifier.Callback is delivered to the queue and clients
// utilize the pagination API to retrieve.
Direct bool `yaml:"direct" json:"direct"`
}
STOMP configures the STOMP notification mechanism.
type ScannerConfig ¶
type ScannerConfig struct {
Package map[string]interface{} `yaml:"package" json:"package"`
Dist map[string]interface{} `yaml:"dist" json:"dist"`
Repo map[string]interface{} `yaml:"repo" json:"repo"`
}
ScannerConfig is the object consulted for configuring the various types of scanners.
type TLS ¶
type TLS struct {
// The filesystem path where a root CA can be read.
//
// This can also be controlled by the SSL_CERT_FILE and SSL_CERT_DIR
// environment variables, or adding the relevant certs to the system trust
// store.
RootCA string `yaml:"root_ca" json:"root_ca"`
// The filesystem path where a tls certificate can be read.
Cert string `yaml:"cert" json:"cert"`
// The filesystem path where a tls private key can be read.
Key string `yaml:"key" json:"key"`
}
TLS describes some TLS settings.
These are currently only used in the Notifier. Using the environment variables "SSL_CERT_DIR" or "SSL_CERT_FILE" or modifying the system's trust store are the ways to modify root CAs for all outgoing TLS connections.
type Trace ¶
type Trace struct {
Name string `yaml:"name" json:"name"`
Probability *float64 `yaml:"probability" json:"probability"`
Jaeger Jaeger `yaml:"jaeger" json:"jaeger"`
}
Trace specifies how to configure Clair's tracing support.
The "Name" key must match the provider to use.
Currently, only "jaeger" is supported.
type Updaters ¶
type Updaters struct {
// Filter is a regexp that disallows updaters that do not match from
// running.
// TODO(louis): this is only used in clairctl, should we keep this?
// it may offer an escape hatch for a particular updater name
// from running, vs disabling the updater set completely.
Filter string `yaml:"filter" json:"filter"`
// Config holds configuration blocks for UpdaterFactories and Updaters,
// keyed by name.
//
// These are defined by the updater implementation and can't be documented
// here. Improving the documentation for these is an open issue.
Config map[string]interface{} `yaml:"config" json:"config"`
// A slice of strings representing which
// updaters will be used.
//
// If nil all default UpdaterSets will be used
//
// The following sets are supported by default:
// "alpine"
// "aws"
// "debian"
// "oracle"
// "photon"
// "pyupio"
// "rhel"
// "suse"
// "ubuntu"
Sets []string `yaml:"sets,omitempty" json:"sets,omitempty"`
}
Updaters configures updater behavior.
type Warning ¶
type Warning struct {
// contains filtered or unexported fields
}
Warning is a linter warning.
Users can treat them like errors and use the sentinel values exported by this package.
func Lint ¶
Lint runs lints on the provided Config.
An error is reported only if an error occurred while running the lints. An invalid Config may still report a nil error along with a slice of Warnings.
Most validation steps run by Validate will also run lints.
Example ¶
var c Config
c.Auth.Keyserver = &AuthKeyserver{}
c.Auth.PSK = &AuthPSK{}
ws, err := Lint(&c)
fmt.Println("error:", err)
for _, w := range ws {
fmt.Printf("warning: %v\n", &w)
}
Output: error: <nil> warning: http listen address not provided, default will be used (at $.http_listen_addr) warning: introspection address not provided, default will be used (at $.introspection_addr) warning: connection string is empty and no relevant environment variables found (at $.indexer.connstring) warning: connection string is empty and no relevant environment variables found (at $.matcher.connstring) warning: updater period is very aggressive: most sources are updated daily (at $.matcher.period) warning: update garbage collection is off (at $.matcher.update_retention) warning: connection string is empty and no relevant environment variables found (at $.notifier.connstring) warning: interval is very fast: may result in increased workload (at $.notifier.poll_interval) warning: interval is very fast: may result in increased workload (at $.notifier.delivery_interval) warning: both "PSK" and "Keyserver" authentication methods are defined (at $.auth) warning: authentication method deprecated: setting will be removed in a future release (at $.auth.keyserver)
type Webhook ¶
type Webhook struct {
// any HTTP headers necessary for the request to Target
Headers http.Header `yaml:"headers" json:"headers"`
// the URL where our webhook will be delivered
Target string `yaml:"target" json:"target"`
// the callback url where notifications can be received
// the notification will be appended to this url
Callback string `yaml:"callback" json:"callback"`
// whether the webhook deliverer will sign out going.
// if true webhooks will be sent with a jwt signed by
// the notifier's private key.
Signed bool `yaml:"signed" json:"signed"`
}
Webhook configures the "webhook" notification mechanism.
Notes ¶
Bugs ¶
The DefaultNotifierPollInterval is absurdly low.
The DefaultNotifierDeliveryInterval is absurdly low.
Source Files
Click to show internal directories.
Click to hide internal directories.