Securing containers with Anchore

Secure Containers

My Needs Are Not Being Met

The Anchore Engine is accessible from a Python-based command-line interface (CLI) program, and I'll use the pip Python package manager to install it. More usage details are on the GitHub page [7] if you get stuck, or check the "Troubleshooting" box in this article. First, you should make sure pip is accessible so you can install the anchorecli package:

$ apt install python-pip
$ pip install anchorecli

Running the second command failed with some missing pip dependencies, which I fixed by installing the named package first and then repeating the install,

$ pip install wheel
$ pip install anchorecli

which indicated (Figure 4) that all was indeed well again.

Figure 4: Happiness is when pip dependencies are met.

Password123

To prevent saving your credentials to a file, you have to set the environment variables manually each time you log in to a terminal to use Anchore:

$ export ANCHORE_CLI_USER=admin
$ export ANCHORE_CLI_PASS=foobar

Alter the variables as you see fit; you'll use these credentials (the default values are shown) to connect to the Anchore API. Additionally, you can explicitly set the URL of the Anchore service,

$ export ANCHORE_CLI_URL=http://myserver.example.com:8228/v1

although I didn't have to take this step.
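
One way to set the password without typing it into an export line (where it would land in shell history), followed by a check of the resulting environment. This is an added example, not code from the article or the Anchore project; the function names anchore_set_pass and anchore_env_audit are hypothetical, and the file is meant to be sourced into the current shell.

```shell
#!/bin/sh
# Added example (not from the article). Function names are hypothetical;
# the variable names and the default password "foobar" are from the text.

# Read the password without echoing it, so it never appears on the command
# line or in shell history, then export it for anchore-cli.
anchore_set_pass() {
    printf 'Anchore password: ' >&2
    if [ -t 0 ]; then stty -echo; fi
    IFS= read -r ANCHORE_CLI_PASS
    if [ -t 0 ]; then stty echo; echo >&2; fi
    export ANCHORE_CLI_PASS
}

# Print one finding per line; the return status is the number of findings.
anchore_env_audit() {
    findings=0
    if [ -z "${ANCHORE_CLI_USER:-}" ] || [ -z "${ANCHORE_CLI_PASS:-}" ]; then
        echo "MISSING: set both ANCHORE_CLI_USER and ANCHORE_CLI_PASS"
        findings=$((findings + 1))
    fi
    if [ "${ANCHORE_CLI_PASS:-}" = "foobar" ]; then
        echo "DEFAULT: ANCHORE_CLI_PASS is still the default value"
        findings=$((findings + 1))
    fi
    case "${ANCHORE_CLI_URL:-}" in
        "" | https://*) ;;                            # unset or TLS: nothing to flag
        http://localhost | http://localhost[:/]*) ;;  # loopback only
        http://127.0.0.1 | http://127.0.0.1[:/]*) ;;
        http://*)
            echo "PLAINTEXT: ANCHORE_CLI_URL sends credentials over http"
            findings=$((findings + 1)) ;;
        *)
            echo "MALFORMED: ANCHORE_CLI_URL is not an http(s) URL"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}
```

Run anchore_set_pass once per terminal session, then anchore_env_audit before the first anchore-cli command; a status of 0 means nothing was flagged.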

Ready Player One

The next step (if you can't get the next commands to work, check out the "Troubleshooting" box) adds an image to Anchore:

$ anchore-cli image add docker.io/library/debian:latest

Figure 5 shows that the stock Debian OS image has been accepted by Anchore and is currently showing not_analyzed in the Analysis Status line; that is, Anchore has retrieved that image and is processing it now, checking each package and version for known CVEs and compiling a list of each file that is present.

Figure 5: Adding Debian's image to Anchore.

If you want to check which images were pulled into Anchore, you run the image list command,

$ anchore-cli image list

which also reports the status of the images (Figure 6), so you can see whether it's been analyzed after recently being subsumed by Anchore.

Figure 6: The image list command shows the status of your Anchore images. The highlighted status shows that one image is not finished processing and isn't ready to offer any CVE information just yet.
