Local Dev Environment not enabling Clair

[Infrasaurus]

Got an issue trying to test Clair for a work project. I come from a Systems/Infrastructure background, so this has been a crash course in all things Git, containers, Quay, and Clair for me, and it's entirely possible (and likely!) I made a mistake somewhere.

Goal: to get Clair running in Quay, and test its security scanning capabilities against a host of images as part of a larger project.

Setup: Ubuntu 20.04 server LTS (HVM) on AWS EC2 w/ EBS storage.

Issue: following the Clair documentation, the Quay repository starts normally (usually; sometimes make local-dev-up-with-quay runs into an error with Postgres not being ready yet and requires a re-run) but does not have any configuration option to enable Security Scanning on pushed images. When I try following the Quay documentation to restart it in config mode, it then 'forgets' the entire config.yaml contents it was originally launched with, then restores it when I launch it without config mode (forgetting the config mode settings entirely). There is no option anywhere within the default Quay GUI to enable security scanning, either at the Super Admin Panel or the organization panel (since clairv4-org is manually created after the make local-dev-up-with-quay command completes successfully).

Troubleshooting Performed:

• Verified clone of Clair repository was from latest available
• Verified config.yaml and docker-compose.yaml files matched the GitHub repository line-by-line
• Created a brand new Ubuntu machine from scratch to confirm earlier containers/pulls weren't causing conflicts (see below)

Steps to reproduce:

From a fresh, brand-new, never-used Ubuntu 20.04 LTS (HVM) Server on AWS EC2, this is the entirety of commands run from very first boot:

sudo apt-get upgrade
sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo apt-key fingerprint 0EBFCD88
sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
sudo groupadd docker
sudo usermod -aG docker $USER
sudo curl -L "https://github.com/docker/compose/releases/download/1.28.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
wget https://golang.org/dl/go1.15.8.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.15.8.linux-amd64.tar.gz

Add Go to my ~/.bashrc session, logoff, login via SSH, configure GitHub/SSH Key, do a docker run hello-world and go version to test things thus far, then the following:

git clone [email protected]:quay/clair.git
cd clair
make local-dev-up-with-quay

As you can see, the setup is quite literally as barebones and straightforward as possible. There literally shouldn't be anything in a basic Ubuntu server image that could be screwing this up. For what it's worth, I also tested this on a personal Ubuntu 20.04 desktop VM with the same results.

I am almost certainly missing something obvious, but on the off chance I'm not, could I get some guidance on getting the full dev environment up and running beyond what the Clair book provides? The only additional configuration it specifies is creating an admin user and clairv4-org organization before pushing images to it, but no scanning occurs and there doesn't appear to be any options in the dev environment as-is. If additional configuration is required for the dev environment, might I suggest a link to the proper docs in either Clair or Quay? As Kubernetes and Containers expand into on-prem, there will be a lot more infrastructure people crawling through here to cut their teeth on it for the first time and could do with the extra nudge in the right direction.

Thanks again for whatever assistance might be provided, I really appreciate it.

[ldelossa]

Hey there,

The local dev environment is only for testing. There should not be additional setup required other then running "make local-dev-up-with-quay". When you push a container to the local Quay instance running, security status should show up on the "tags" UI page.

You should not need to interact with Quay's config tool at all. The local dev env has all the necessary configurations baked into the ephemeral environment.

[Infrasaurus]

It worked. Fresh make local-dev-up-with-quay, fresh admin account, configured docker login, and pushed web-dvwa. Looking under "Tags" for that repository, and voila, it showed security scanning queued.

While I go bang my head through my desk for being so dense, might I suggest a note in the book for those unfamiliar with Quay, that security scanning results will be on the "Tags" section of the GUI? I went to the Quay documentation first, which focused on "Setting up Clair"; it wasn't until I looked at the "Tags" section of the documentation (following your guidance) that I see the Security Scanner results mentioned there.

Either way, thank you so much for the response. Thought I was going crazy, but it's good to know it was just my unfamiliarity with Quay's UI. Now to put it through its paces...

[ldelossa]

You are not the first one to say this. Do you want to huck a PR for that doc change over? I'll gladly accept it.