Your containers have become an absolute necessity for your company. Without them, you couldn’t be nearly as agile as needed to keep up with the ever-rising demands placed on your business. Because of this, you might well be deploying more and more services, by way of containers.

That means you might be pulling down more and more images from various sources. With the rising number of vulnerabilities found in images today, you could easily fall prey to a vulnerability that could cause your company problems. In some cases … big problems.

How do you avoid that? You make use of a Docker registry capable of scanning those images. One such registry is Harbor. In the first part of this series, I walked you through the process of installing Harbor on Ubuntu 18.04. (Read: “Install the Docker Harbor Registry Server on Ubuntu 18.04”). This time around, I’ll show you how to successfully upload and scan images to Harbor.

What You’ll Need

The only things you’ll need to make this work are:

  • A running instance of Harbor with Clair support.
  • Images to upload and scan.
  • A user account on the Harbor server.

The images to be uploaded can be those you’ve created yourself or those you’ve pulled down from various registries (such as Docker Hub).

With those pieces at the ready, let’s get to work.

Installing Certificates

In order to push images to your Harbor registry, from machines on your network, each machine must have a copy of the Harbor server SSL certificates. In the test case I outlined in the original piece, I used self-signed certificates. I’ll continue with that example here. If you’ve purchased certificates from a trusted CA, you’ll only have to modify the names of the certificates copies.

Here are the steps to copy the certificates:

  1. Secure shell into your Harbor server (or log in if you have physical access).
  2. Gain root access with the command sudo -s.
  3. Change into the certificate directory with the command cd /etc/docker/certs.d/SERVER_IP (Where SERVER_IP is the IP address of your server).
  4. Copy the ca.cert key to the client with the command scp ca.cert USER@CLIENT_IP:/home/USER (Where USER is a username on the client machine and CLIENT_IP is the IP address of the client machine).
  5. Copy the ca.crt key to the client with the command scp ca.crt USER@CLIENT_IP:/home/USER (Where USER is a username on the client machine and CLIENT_IP is the IP address of the client machine).
  6. Copy the ca.key key the client with the command scp ca.key USER@CLIENT_IP:/home/USER (Where USER is a username on the client machine and CLIENT_IP is the IP address of the client machine).
  7. SSH to the client machine with the command ssh USER@CLIENT_IP (Where USER is a username on the client machine and CLIENT_IP is the IP address of the client machine).
  8. Create the new certificate directory with the command sudo mkdir -p /etc/docker/certs.d/SERVER_IP (Where SERVER_IP is the IP address of the Harbor server).
  9. Copy the files with the command sudo cp ca.* /etc/docker/certs.d/SERVER_IP (Where SERVER_IP is the IP address of the Harbor server).

Your client is now ready to upload images to the harbor server. Make sure to do this for any client on your network that needs to be able to upload images to the Harbor server.

Tagging Images

Before an image can be pushed to the Harbor server, it must be first tagged. A Docker image tag is a piece of attached data that conveys useful information about an image. Say, for example, you have different developers working from one image, but each creates something completely different. Each of those developers could tag their image with their username, so the purpose of each image is clear. Or maybe you create similar images for different purposes (like security, dev, web, database, etc.). By tagging these images, you don’t have to guess the purpose they serve.

To tag an image, such that it can be then pushed to the Harbor registry, you’d issue a command like so:

Where:

  • IMAGE is the name of the base image being used.
  • SERVER_IP is the IP address of the Harbor server.
  • PROJECT_NAME is the name of the Project on the Harbor server.
  • TAG: is the name of the tag you want to add.

Say, for example, developer jack is using the official ubuntu image, and wants to tag it so it can be sent to the test project on the Harbor server at IP address 192.168.1.75. The command for this would be:

With the image tagged, it’s ready to be pushed to the Harbor server.

Pushing the Image

Now it’s time to push that tagged image to the Harbor server. Before you can successfully do this, you must log into the Harbor server from the client. To do this, open a terminal window on the client and issue the command:

docker login SERVER_IP

Where SERVER_IP is the IP address of the Harbor server.

You will be prompted for your Harbor user account credentials. If you don’t already have a user account, have the Harbor server admin create one for you. Once you’ve successfully authenticated, you’re ready to push your image. Do so with the command:

docker push SERVER_IP/PROJECT_NAME/IMAGE:TAG

  • SERVER_IP is the IP address of the Harbor server.
  • PROJECT_NAME is the name of the Project on the Harbor server.
  • IMAGE is the name of the image.
  • TAG: is the tag associated with the image.

To push our example tagged image from above, the command would be:

docker push 192.168.1.75/test/ubuntu:jack

Once the push completes, the image is ready to be scanned.

Scanning an Image

Log into the Harbor registry and make your way to the project housing the newly-pushed image. You should see the tagged image listed (Figure A).

Figure A: Our test image is ready for us.

Click on the image name. This will reveal the tagged image (Figure B).

Our tagged image.

Click the checkbox associated with the tagged image and then click SCAN. Once you’ve clicked SCAN, the image will be queued and then scanned. Depending on the size and complexity of the image, the scan can take some time.

When the scan completes, click the tag name to reveal the scan results. You should see a listing of all relevant CVE entries, along with their severity, associated package, and current version of the package (Figure C).

The results of the image scan.

With the results in hand, you can then determine if the image is safe enough to be used. If it is not, you can act accordingly (by either scrapping the image or resolving the vulnerabilities).

And that’s how you scan a Docker image for vulnerabilities, with the Harbor Registry. If you’re serious about using Docker containers for your business, you should treat the security of those images with a measure of caution.

Feature image by Gerd Altmann from Pixabay.