
Enable Container Scanning (specifically klar analyzer) to be run in an offline aka Air-gapped instance

Problem to solve

The current implementation of Container Scanning via the klar analyzer needs to pull some Docker images on each run under the hood. This won't work for on-premises installs that don't have access to the internet, or where the access is really limited to a specific set of hosts (see https://gitlab.com/gitlab-org/gitlab-ee/issues/4742).

Intended users

Further details

Proposal

The approach is to move the pulling of the Clair-related images into a scheduled pipeline that runs weekly. The Docker image of the container-scanning tool will then be modified to use these images from the GitLab instance's registry. The vendored Container-Scanning.gitlab-ci.yml template will also be updated accordingly.

Implementation plan

  1. Update Container-Scanning.gitlab-ci.yml to use $CLAIR_DB_IMAGE instead of arminc/clair-db:$CLAIR_DB_IMAGE_TAG, and ensure that the CLAIR_DB_IMAGE variable is defaulted to arminc/clair-db:latest
  2. Test the above changes by creating a new branch in the container scanning test project which points to the new Container-Scanning.gitlab-ci.yml template file
  3. Update the Container Scanning documentation to include details about how to configure this CLAIR_DB_IMAGE variable to run in an air-gapped environment. Also explain that the GitLab klar analyzer Docker image must be downloaded and hosted on a local registry for container scanning to work in an air-gapped environment.

Once the MR from step 1 above is merged, we need to take care of the following:

  1. Update the js-npm test project to use CLAIR_DB_IMAGE instead of CLAIR_DB_IMAGE_TAG.
  2. Update the container scanning test project to use CLAIR_DB_IMAGE instead of CLAIR_DB_IMAGE_TAG.

Permissions and Security

No special permissions

Documentation

Testing

  1. Follow the directions for setting up an Insecure Local Docker Registry
  2. Pull the latest version (or any version) of the vulnerabilities database and tag it:
    docker pull arminc/clair-db:latest
    docker tag arminc/clair-db:latest $CI_REGISTRY/namespace/clair-vulnerabilities-db
  3. Pull the latest version of the GitLab klar analyzer and tag it (docker tag needs both the source image and the new name):
    docker pull registry.gitlab.com/gitlab-org/security-products/analyzers/klar:2
    docker tag registry.gitlab.com/gitlab-org/security-products/analyzers/klar:2 $CI_REGISTRY/namespace/gitlab-klar-analyzer
  4. Follow the directions to override the container scanning template in Running Container Scanning in an offline air-gapped installation and refer to the gitlab-klar-analyzer and the clair-vulnerabilities-db which are now hosted on your local container registry:
     include:
       - template: Container-Scanning.gitlab-ci.yml
     
     container_scanning:
       image: $CI_REGISTRY/namespace/gitlab-klar-analyzer
       variables:
         CLAIR_DB_IMAGE: $CI_REGISTRY/namespace/clair-vulnerabilities-db
  5. Disconnect your internet connection
  6. Test on your local GitLab instance

Note: If you encounter the following error during the container scan:

Can't pull image: Get http://gitlab.<yourname>:5000/v2/ubuntu-latest/manifests/latest: dial tcp 127.0.0.1:5000: connect: connection refused

Then you'll need to update your /etc/hosts file and use an internal IP address instead of 127.0.0.1. For example, I have the following internal IP address always accessible on my machine:

vboxnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	ether 0a:00:27:00:00:00
	inet 192.168.99.1 netmask 0xffffff00 broadcast 192.168.99.255

And in my /etc/hosts, I had to use the following:

192.168.99.1 gitlab.adamc
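A pre-flight check for the testing steps and the connection-refused note above, added here as example code (not from the GitLab issue or the klar project): it takes the image references used in the override template and confirms that their registry hostname maps, in an /etc/hosts-style file, to something other than a loopback address. The sample hosts file and image names in the block are constructed.

```shell
#!/bin/sh
# Added example (not from the GitLab issue): check that a local-registry image
# reference resolves via /etc/hosts to a non-loopback address. A registry host
# mapped to 127.0.0.1 is unreachable from inside the scan job's container and
# produces the "connection refused" error quoted in the note above.
# The hosts file written below and the image names are constructed.

# registry_host IMAGE_REF -> registry host without port. Docker treats the first
# path component as a registry only if it contains '.' or ':' or is "localhost";
# anything else (arminc/clair-db:latest, ubuntu:latest) comes from Docker Hub.
registry_host() {
  case "$1" in */*) first=${1%%/*} ;; *) printf '%s\n' docker.io; return ;; esac
  case "$first" in
    *.*|*:*|localhost) printf '%s\n' "${first%%:*}" ;;
    *) printf '%s\n' docker.io ;;
  esac
}

# lookup_hosts HOSTNAME HOSTS_FILE -> first address mapped to HOSTNAME, or empty
lookup_hosts() {
  awk -v h="$1" '
    { sub(/#.*/, "") }                   # strip trailing comments
    NF < 2 { next }
    { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
  ' "$2"
}

# is_loopback ADDR -> succeeds for 127.x.x.x or ::1
is_loopback() {
  case "$1" in
    127.*|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# check_registry_ref IMAGE_REF [HOSTS_FILE] -> prints "ok ADDR" (exit 0),
# "loopback ADDR" (exit 1) or "unresolved HOST" (exit 2); defaults to /etc/hosts
check_registry_ref() {
  host=$(registry_host "$1")
  addr=$(lookup_hosts "$host" "${2:-/etc/hosts}")
  if [ -z "$addr" ]; then printf 'unresolved %s\n' "$host"; return 2; fi
  if is_loopback "$addr"; then printf 'loopback %s\n' "$addr"; return 1; fi
  printf 'ok %s\n' "$addr"
}

# Constructed sample hosts file: one loopback mapping, one usable internal IP.
HOSTS_FILE=$(mktemp)
printf '127.0.0.1 localhost gitlab.loop\n192.168.99.1 gitlab.adamc # vboxnet0\n' > "$HOSTS_FILE"

check_registry_ref gitlab.loop:5000/namespace/gitlab-klar-analyzer "$HOSTS_FILE" || true
check_registry_ref gitlab.adamc:5000/namespace/clair-vulnerabilities-db "$HOSTS_FILE"
```

Run it against the real /etc/hosts by omitting the second argument; a "loopback" result is the case the note describes, and the fix is the same: map the registry hostname to an internal address such as the vboxnet0 one.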

What does success look like, and how can we measure that?

The Klar analyzer is able to scan Docker images in an air-gapped environment.

The number of GitLab Ultimate buyers with limited Internet connectivity on their on-premises instances who start using the Container Scanning tool and give positive feedback.

What is the type of buyer?

GitLab Ultimate users

Links / references

Product Management - @NicoleSchwartz

Edited by Olivier Gonzalez