Enable Container Scanning (specifically the klar analyzer) to run in an offline, aka air-gapped, instance
Problem to solve
The current implementation of Container Scanning via the klar analyzer pulls several Docker images under the hood on each run (the Clair vulnerability database image and the analyzer image itself). This won't work for on-premises installs that have no access to the internet, or where access is restricted to a specific set of hosts (see https://gitlab.com/gitlab-org/gitlab-ee/issues/4742).
Intended users
Further details
Proposal
The approach is to extract pulling the clair-related images into a scheduled pipeline that runs on a weekly basis. Then, the Docker image of the container-scanning tool will be modified to use these images from the GitLab instance's registry. The `Container-Scanning.gitlab-ci.yml` vendored template will also be updated accordingly.
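As an added illustration of the scheduled mirroring job described above (example configuration written for this page, not a job from the GitLab project; the job name, the `only: schedules` trigger and the destination paths under `$CI_REGISTRY_IMAGE` are assumptions), a `.gitlab-ci.yml` job that copies the two upstream images into the instance's own registry:

```yaml
# Added example, not the GitLab project's own job: mirror the images that the
# klar analyzer pulls at runtime into this instance's registry, so that
# scanning jobs never have to reach Docker Hub or registry.gitlab.com.
# Assumptions: the job name, the destination paths under $CI_REGISTRY_IMAGE,
# and that the runner executing this job has outbound access to both
# upstream registries. Docker-in-docker connection settings (DOCKER_HOST, TLS)
# follow whatever your runners already use for building images.
mirror_container_scanning_images:
  image: docker:stable
  services:
    - docker:dind
  only:
    - schedules   # run only from the pipeline schedule (weekly, per the proposal)
  variables:
    # Upstream images: the vulnerability database and the analyzer itself
    CLAIR_DB_UPSTREAM: arminc/clair-db:latest
    KLAR_UPSTREAM: registry.gitlab.com/gitlab-org/security-products/analyzers/klar:2
    # Mirrored copies in this project's container registry (assumed names)
    CLAIR_DB_MIRROR: $CI_REGISTRY_IMAGE/clair-vulnerabilities-db:latest
    KLAR_MIRROR: $CI_REGISTRY_IMAGE/gitlab-klar-analyzer:2
  before_script:
    # CI_REGISTRY_USER / CI_REGISTRY_PASSWORD are the job-scoped credentials
    # GitLab injects for the instance's own registry; no long-lived token needed.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  script:
    - docker pull "$CLAIR_DB_UPSTREAM"
    # Log the upstream digest that was mirrored, so a later finding can be
    # traced back to the exact vulnerability database snapshot used.
    - docker inspect --format '{{index .RepoDigests 0}}' "$CLAIR_DB_UPSTREAM"
    - docker tag "$CLAIR_DB_UPSTREAM" "$CLAIR_DB_MIRROR"
    - docker push "$CLAIR_DB_MIRROR"
    - docker pull "$KLAR_UPSTREAM"
    - docker inspect --format '{{index .RepoDigests 0}}' "$KLAR_UPSTREAM"
    - docker tag "$KLAR_UPSTREAM" "$KLAR_MIRROR"
    - docker push "$KLAR_MIRROR"
```

Create a weekly pipeline schedule on the project that holds this job; scanning projects then point `CLAIR_DB_IMAGE` at the mirrored database path and override the `container_scanning` job's `image:` with the mirrored analyzer path. Two caveats: the mirror job itself needs outbound access to Docker Hub and registry.gitlab.com, so on a fully disconnected instance the images have to be brought in another way (for example `docker save` on a connected host and `docker load` plus `docker push` inside the air gap); and because `arminc/clair-db:latest` is refreshed upstream, the digest printed by `docker inspect` is the only record of which database snapshot a given week's scans actually used.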
Implementation plan
1. Update `Container-Scanning.gitlab-ci.yml` to use `$CLAIR_DB_IMAGE` instead of `arminc/clair-db:$CLAIR_DB_IMAGE_TAG`, and ensure that the `CLAIR_DB_IMAGE` variable is defaulted to `arminc/clair-db:latest`
2. Test the above changes by creating a new branch in the container scanning test project which points to the new `Container-Scanning.gitlab-ci.yml` template file
3. Update the Container Scanning Documentation to include details about how to configure this `CLAIR_DB_IMAGE` variable to run in an air-gapped environment. Also include details explaining that the GitLab klar analyzer Docker image must be downloaded and hosted on a local registry in order for container scanning to work in an air-gapped environment.

Once the MR from step 1 above is merged, we need to take care of the following:

- Update the js-npm test project to use `CLAIR_DB_IMAGE` instead of `CLAIR_DB_IMAGE_TAG`.
- Update the container scanning test project to use `CLAIR_DB_IMAGE` instead of `CLAIR_DB_IMAGE_TAG`.
Permissions and Security
No special permissions
Documentation
- Make it explicit in the container scanning documentation https://docs.gitlab.com/ee/user/application_security/container_scanning/index.html about air-gapped support and how to set it up. Need to add notes on a scheduled pipeline for clair-related images
Testing
- Follow the directions for setting up an Insecure Local Docker Registry
- Pull the latest version (or any version) of the vulnerabilities database, tag it and push it to the local registry:

```sh
docker pull arminc/clair-db:latest
docker tag arminc/clair-db:latest $CI_REGISTRY/namespace/clair-vulnerabilities-db
docker push $CI_REGISTRY/namespace/clair-vulnerabilities-db
```

- Pull the latest version of the GitLab klar analyzer, tag it and push it to the local registry:

```sh
docker pull registry.gitlab.com/gitlab-org/security-products/analyzers/klar:2
docker tag registry.gitlab.com/gitlab-org/security-products/analyzers/klar:2 $CI_REGISTRY/namespace/gitlab-klar-analyzer
docker push $CI_REGISTRY/namespace/gitlab-klar-analyzer
```

- Follow the directions to override the container scanning template in Running Container Scanning in an offline air-gapped installation and refer to the `gitlab-klar-analyzer` and the `clair-vulnerabilities-db` which are now hosted on your local container registry:

```yaml
include:
  - template: Container-Scanning.gitlab-ci.yml

container_scanning:
  image: $CI_REGISTRY/namespace/gitlab-klar-analyzer
  variables:
    CLAIR_DB_IMAGE: $CI_REGISTRY/namespace/clair-vulnerabilities-db
```

- Disconnect your internet connection
- Test on your local GitLab instance
Note: If you encounter the following error during the container scan:

```
Can't pull image: Get http://gitlab.<yourname>:5000/v2/ubuntu-latest/manifests/latest: dial tcp 127.0.0.1:5000: connect: connection refused
```

then the registry hostname is resolving to 127.0.0.1, which inside the analyzer's container is the container's own loopback interface rather than the Docker host. You'll need to update your `/etc/hosts` file and use an internal IP address instead of 127.0.0.1. For example, I have the following internal IP address always accessible on my machine:

```
vboxnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	ether 0a:00:27:00:00:00
	inet 192.168.99.1 netmask 0xffffff00 broadcast 192.168.99.255
```

And in my `/etc/hosts`, I had to use the following:

```
192.168.99.1 gitlab.adamc
```
What does success look like, and how can we measure that?
The Klar analyzer is able to scan Docker images in an air-gapped environment.
The number of GitLab Ultimate buyers with limited Internet connectivity on their on-premises instances who start to use the Container Scanning tool and give positive feedback.
What is the type of buyer?
GitLab Ultimate users