« Previous 1 2 3 4 Next »
Securing containers with Anchore
Secure Containers
My Needs Are Not Being Met
The Anchore Engine is accessible from a Python-based command-line interface (CLI) program, and I'll use the pip Python package manager to install it. More usage details are on the GitHub page [7] if you get stuck, or check the "Troubleshooting" box in this article. First, you should make sure pip is accessible so you can install the anchorecli
package:
$ apt install python-pip $ pip install anchorecli
Running the second command resulted in some missing pip dependencies, which I fixed by installing the named package before entering
$ pip install wheel $ pip install anchorecli
which indicated (Figure 4) that all was indeed well again.
Figure 4: Happiness is when pip dependencies are met.
Password123
To prevent saving your credentials to a file, you have to set the environment variables manually each time you log in to a terminal to use Anchore:
$ export ANCHORE_CLI_USER=admin $ export ANCHORE_CLI_PASS=foobar
Alter the variables as you see fit; you'll use these credentials (the default values are shown) to connect to the Anchore API. Additionally, you can explicitly set the URL of the Anchore service,
$ export ANCHORE_CLI_URL=http://myserver.example.com:8228/v1
although I didn't have to take this step.
Ready Player One
The next step (if you can't get the next commands to work, check out the "Troubleshooting" box) adds an image to Anchore:
$ anchore-cli image add docker.io/library/debian:latest
Figure 5 shows that the stock Debian OS image has been accepted by Anchore and is currently showing not_analyzed in the Analysis Status line; that is, Anchore has retrieved that image and is processing it now, checking each package and version for known CVEs and compiling a list of each file that is present.
Figure 5: Adding Debian's image to Anchore.
If you want to check which images were pulled into Anchore, you run the image list command,
$ anchore-cli image list
which also reports the status of the images (Figure 6), so you can see whether it's been analyzed after recently being subsumed by Anchore.
Figure 6: The image list command shows the status of your Anchore images. The highlighted status shows that one image is not finished processing and isn't ready to offer any CVE information just yet.
« Previous 1 2 3 4 Next »
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Best practices when working with Docker images
Whether you are developing containerized applications or running them, observing best practices helps to obtain optimal results. -
Tools for testing container vulnerability
Vulnerable software and incorrect settings cause problems, but administrators have some tools at hand that can help with container security. -
Update your Docker containers safely
A scripted approach lets you know when to update your Docker containers. -
Dockerizing Legacy Applications
Sooner or later, you'll want to convert your legacy application to a containerized environment. Docker offers the tools for a smooth and efficient transition. -
Dialing up security for Docker containers
Docker containers are a convenient way to run almost any service, but admins need to be aware of the need to address some important security issues.