Note: the steps in this article have been verified on Red Hat Quay 3.12.
Contents
- Overview
- Installing the Quay components
- Configuring SSL
- Accessing Quay from a browser
- Accessing Quay from podman
- Configuring Clair scanning
- References
Overview
Red Hat Quay supports two installation and deployment methods:
- Running as containers, which only requires a docker or podman runtime. This article covers this method.
- Running as an Operator, which requires a Kubernetes or OpenShift environment.
Running Quay as containers requires the following components:
- The Quay runtime
- The PostgreSQL and Redis instances that Quay depends on
- The Quay Config tool (optional; it simplifies configuration and is generally recommended)
- Clair and its own PostgreSQL instance (optional)
Installing the Quay components
- Run the following commands to prepare the host. Note: this article uses a RHEL 8 host.
```bash
export QUAY_HOST_IP=192.168.x.x
export QUAY_HOST_NAME=quay-server.example.com
echo "$QUAY_HOST_IP $QUAY_HOST_NAME" >> /etc/hosts

# Directories for the PostgreSQL data, the image storage and the Quay configuration
export QUAY=/data/quay
mkdir -p $QUAY/postgres-quay $QUAY/storage $QUAY/config
# UID 26 is the postgres user inside the PostgreSQL image, UID 1001 the Quay user inside the Quay image
setfacl -m u:26:-wx $QUAY/postgres-quay
setfacl -m u:1001:-wx $QUAY/storage

# Open the ports used by Quay (80/443), the two PostgreSQL instances (5432/5433) and Redis (6379)
firewall-cmd --permanent --add-port=80/tcp \
  && firewall-cmd --permanent --add-port=443/tcp \
  && firewall-cmd --permanent --add-port=5432/tcp \
  && firewall-cmd --permanent --add-port=5433/tcp \
  && firewall-cmd --permanent --add-port=6379/tcp \
  && firewall-cmd --reload
```
- Start the PostgreSQL service that Quay needs.
```bash
podman login registry.redhat.io
podman run -d --rm --name postgresql-quay \
  -e POSTGRESQL_USER=quayuser \
  -e POSTGRESQL_PASSWORD=quaypass \
  -e POSTGRESQL_DATABASE=quay \
  -e POSTGRESQL_ADMIN_PASSWORD=adminpass \
  -p 5432:5432 \
  -v $QUAY/postgres-quay:/var/lib/pgsql/data:Z \
  registry.redhat.io/rhel8/postgresql-13:1-109

# Quay requires the pg_trgm extension in its database
podman exec -it postgresql-quay /bin/bash -c 'echo "CREATE EXTENSION IF NOT EXISTS pg_trgm" | psql -d quay -U postgres'
```
- Start the Redis service that Quay needs.
```bash
podman run -d --rm --name redis \
  -p 6379:6379 \
  -e REDIS_PASSWORD=strongpassword \
  registry.redhat.io/rhel8/redis-6:1-110
```
- Start the Quay Config service, then open http://quay-server.example.com:8080/ and log in with quayconfig/secret.
```bash
podman run --rm -it --name quay_config \
  -p 8080:8080 -p 8443:8443 \
  registry.redhat.io/quay/quay-rhel8:v3.12 config secret
```
- Provide the following parameters on the configuration page:

| Section | Parameter | Value |
|---|---|---|
| Server Configuration | Server Hostname | quay-server.example.com |
| Database | Database Type | Postgres |
| | Database Server | quay-server.example.com |
| | Username | quayuser |
| | Password | quaypass |
| | Database Name | quay |
| Redis | Redis Hostname | quay-server.example.com |
| | Redis password | strongpassword |
- Click Validation at the bottom of the configuration page.
- Download the configuration and copy the config.yaml file to $QUAY/config/config.yaml. Alternatively, generate config.yaml as follows.
```bash
cat << EOF > $QUAY/config/config.yaml
BUILDLOGS_REDIS:
  host: $QUAY_HOST_NAME
  password: strongpassword
  port: 6379
CREATE_NAMESPACE_ON_PUSH: true
DATABASE_SECRET_KEY: a8c2744b-7004-4af2-bcee-e417e7bdd235
DB_URI: postgresql://quayuser:quaypass@$QUAY_HOST_NAME:5432/quay
DISTRIBUTED_STORAGE_CONFIG:
  default:
    - LocalStorage
    - storage_path: /datastorage/registry
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
  - default
FEATURE_MAILING: false
SECRET_KEY: e9bd34f4-900c-436a-979e-7530e5d74ac8
SERVER_HOSTNAME: $QUAY_HOST_NAME
SETUP_COMPLETE: true
SUPER_USERS:
  - quayadmin
USER_EVENTS_REDIS:
  host: $QUAY_HOST_NAME
  password: strongpassword
  port: 6379
EOF
```
- Start the Quay service, then open http://quay-server.example.com/ and create a user quayadmin/password.
```bash
podman run -d --rm --name=quay \
  -p 80:8080 -p 443:8443 \
  -v $QUAY/config:/conf/stack:Z \
  -v $QUAY/storage:/datastorage:Z \
  registry.redhat.io/quay/quay-rhel8:v3.12
```
- Run the following commands to push an image to Quay.
```bash
podman login --tls-verify=false $QUAY_HOST_NAME -u quayadmin -p password
podman pull quay.io/quay/busybox:latest
podman tag quay.io/quay/busybox:latest $QUAY_HOST_NAME/quayadmin/busybox:test
podman push --tls-verify=false $QUAY_HOST_NAME/quayadmin/busybox:test
```
Configuring SSL
- Generate the root certificate.
```console
$ openssl genrsa -out rootCA.key 2048
$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:REDHAT
Organizational Unit Name (eg, section) []:QUAY
Common Name (eg, your name or your server's hostname) []:quay-server.example.com
Email Address []:
$ ls
rootCA.key rootCA.pem
```
- Generate the SSL certificate signing request.
```console
$ openssl genrsa -out ssl.key 2048
$ openssl req -new -key ssl.key -out ssl.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:QUAY
Organizational Unit Name (eg, section) []:QUAY
Common Name (eg, your name or your server's hostname) []:quay-server.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
- Sign the SSL certificate with the root certificate. The extension file adds a subjectAltName covering both the hostname and the IP address of the Quay server.
```console
$ cat << EOF > openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $QUAY_HOST_NAME
IP.1 = $QUAY_HOST_IP
EOF
$ openssl x509 -req -in ssl.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ssl.cert -days 356 -extensions v3_req -extfile openssl.cnf
```
- Copy the SSL certificate and key into the directory Quay reads its configuration from.
```console
$ ls
openssl.cnf rootCA.key rootCA.pem rootCA.srl ssl.cert ssl.csr ssl.key
$ cp ssl.cert ssl.key $QUAY/config
$ chmod 640 $QUAY/config/ssl.key
```
- Add the https setting to Quay's configuration file.
```bash
echo "PREFERRED_URL_SCHEME: https" >> $QUAY/config/config.yaml
```
- Restart the Quay service.
```bash
podman stop quay
podman run -d --rm -p 80:8080 -p 443:8443 \
  --name=quay \
  -v $QUAY/config:/conf/stack:Z \
  -v $QUAY/storage:/datastorage:Z \
  registry.redhat.io/quay/quay-rhel8:v3.12
```
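The steps above produce ssl.cert and ssl.key but never check the result before Quay is restarted with them. The script below is an added example, not part of the article or of the Red Hat documentation: it repeats the same procedure non-interactively (root CA, CSR, signing with a subjectAltName) and then runs the checks a practitioner wants before copying the files into $QUAY/config: the certificate chains to rootCA.pem, its SAN covers the Quay hostname, the private key matches the certificate, and the key is not world-readable. It assumes the openssl CLI (1.1.1 or newer) is installed; the CA name, hostname and IP address it uses are constructed for the demonstration, and it passes its own config files with -config so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example: build and verify the Quay TLS material. Assumes the openssl CLI.

# make_root_ca DIR : creates DIR/rootCA.key and DIR/rootCA.pem (constructed CA name)
make_root_ca() {
  dir=$1
  # Explicit CA:TRUE and keyCertSign so the root verifies on every OpenSSL version
  cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Quay Lab Root CA
O = QUAY
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -config "$dir/ca.cnf" -key "$dir/rootCA.key" \
    -sha256 -days 1024 -out "$dir/rootCA.pem"
}

# make_server_cert DIR HOST IP : creates DIR/ssl.key and DIR/ssl.cert, signed by the CA,
# with a subjectAltName for HOST and IP as in the article's openssl.cnf
make_server_cert() {
  dir=$1; host=$2; ip=$3
  cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $host
O = QUAY
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
IP.1 = $ip
EOF
  openssl genrsa -out "$dir/ssl.key" 2048 2>/dev/null
  chmod 640 "$dir/ssl.key"
  openssl req -new -config "$dir/openssl.cnf" -key "$dir/ssl.key" -out "$dir/ssl.csr"
  openssl x509 -req -in "$dir/ssl.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
    -CAcreateserial -out "$dir/ssl.cert" -days 365 -sha256 \
    -extfile "$dir/openssl.cnf" -extensions v3_req 2>/dev/null
}

# verify_server_cert DIR HOST : returns 0 only when every check passes
verify_server_cert() {
  dir=$1; host=$2
  # 1. ssl.cert chains to rootCA.pem and its SAN covers HOST (what podman will check)
  openssl verify -CAfile "$dir/rootCA.pem" -verify_hostname "$host" "$dir/ssl.cert" >/dev/null 2>&1 \
    || { echo "FAIL: ssl.cert does not verify for $host against rootCA.pem"; return 1; }
  # 2. the public key in the certificate matches the private key Quay will load
  cert_pub=$(openssl x509 -in "$dir/ssl.cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$dir/ssl.key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: ssl.key does not match ssl.cert"; return 1; }
  # 3. the private key is not world-readable (the article applies chmod 640)
  [ -z "$(find "$dir/ssl.key" -perm -o+r)" ] || { echo "FAIL: ssl.key is world-readable"; return 1; }
  echo "OK: $dir/ssl.cert is valid for $host and matches ssl.key"
}

# Stand-alone demo in a temporary directory (constructed hostname and IP)
demo_dir=$(mktemp -d)
make_root_ca "$demo_dir"
make_server_cert "$demo_dir" quay-server.example.com 192.168.10.10
verify_server_cert "$demo_dir" quay-server.example.com
rm -rf "$demo_dir"
```

To check material produced by hand as in the article, point the functions at the directory holding rootCA.pem, ssl.cert and ssl.key and call verify_server_cert with the value of $QUAY_HOST_NAME; a hostname that is not in the SAN makes the first check fail, which is exactly the error podman reports later as a certificate verification failure.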
Accessing Quay from a browser
- Confirm that the Quay console can be reached from a browser over https.
Accessing Quay from podman
- Copy the root certificate to the node where podman runs.
```bash
ssh root@<OTHER-NODE> "echo $QUAY_HOST_IP $QUAY_HOST_NAME >> /etc/hosts"
scp rootCA.pem root@<OTHER-NODE>:/tmp
```
- Make the root certificate trusted by podman. podman looks for a ca.crt under /etc/containers/certs.d/ in a directory named after the registry host.
```bash
export QUAY_HOST_NAME=quay-server.example.com
mkdir /etc/containers/certs.d/$QUAY_HOST_NAME
cp /tmp/rootCA.pem /etc/containers/certs.d/$QUAY_HOST_NAME/ca.crt
```
- Verify that you can log in and access the Quay service without the --tls-verify=false option.
```bash
podman login $QUAY_HOST_NAME -u quayadmin
```
Configuring Clair scanning
- Start the PostgreSQL database that Clair needs.
```bash
mkdir -p $QUAY/postgres-clairv4
setfacl -m u:26:-wx $QUAY/postgres-clairv4

podman run -d --name postgresql-clairv4 \
  -e POSTGRESQL_USER=clairuser \
  -e POSTGRESQL_PASSWORD=clairpass \
  -e POSTGRESQL_DATABASE=clair \
  -e POSTGRESQL_ADMIN_PASSWORD=adminpass \
  -p 5433:5432 \
  -v $QUAY/postgres-clairv4:/var/lib/pgsql/data:Z \
  registry.redhat.io/rhel8/postgresql-13:1-109
```
- In the Security Scanner section of the config page, provide the following settings, then download the configuration file again. Alternatively, add the following to config.yaml:
```yaml
SECURITY_SCANNER_V4_ENDPOINT: http://clairv4:8081
SECURITY_SCANNER_V4_PSK: aTNnNThlZGgzMmg0Yg==
```
- Create the config.yaml that Clair needs. The PSK must be the same value as SECURITY_SCANNER_V4_PSK in Quay's config.yaml.
```bash
$ export KEY="aTNnNThlZGgzMmg0Yg=="
$ mkdir -p /etc/clairv4/config/
$ cat << EOF > /etc/clairv4/config/config.yaml
http_listen_addr: :8081
introspection_addr: :8089
log_level: info
indexer:
  connstring: host=$QUAY_HOST_NAME port=5433 dbname=clair user=clairuser password=clairpass sslmode=disable
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true
matcher:
  connstring: host=$QUAY_HOST_NAME port=5433 dbname=clair user=clairuser password=clairpass sslmode=disable
  max_conn_pool: 100
  migrations: true
  indexer_addr: clair-indexer
notifier:
  connstring: host=$QUAY_HOST_NAME port=5433 dbname=clair user=clairuser password=clairpass sslmode=disable
  delivery_interval: 1m
  poll_interval: 5m
  migrations: true
auth:
  psk:
    key: "$KEY"
    iss: ["quay"]
# tracing and metrics
trace:
  name: "jaeger"
  probability: 1
  jaeger:
    agent:
      endpoint: "localhost:6831"
    service_name: "clair"
metrics:
  name: "prometheus"
EOF
```
- Start the Clair service.
```bash
podman run -d --name clairv4 \
  -p 8081:8081 -p 8089:8089 \
  -e CLAIR_CONF=/clair/config.yaml \
  -e CLAIR_MODE=combo \
  -v /etc/clairv4/config:/clair:Z \
  registry.redhat.io/quay/clair-rhel8:v3.12
```
- After a container image has been pushed to Quay, the scan results can be seen.
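Quay authenticates its requests to Clair with the pre-shared key: SECURITY_SCANNER_V4_PSK in Quay's config.yaml and auth.psk.key in Clair's config.yaml must hold the same base64 value, and a mismatch only shows up later as failed scans. The script below is an added example, not part of the article or of the Quay and Clair projects. It generates a fresh key with openssl rand instead of reusing the sample value from the article (which decodes to only 13 bytes), writes the key into both files, and checks that both sides agree and that the value decodes as base64 to at least 16 bytes. It assumes the openssl CLI and operates on two minimal, constructed config files that it writes itself; the file paths are parameters, so it can be pointed at $QUAY/config/config.yaml and /etc/clairv4/config/config.yaml instead.

```shell
#!/bin/sh
# Added example: keep the Quay/Clair pre-shared key consistent. Assumes the openssl CLI.

# new_psk : prints a random 32-byte key, base64-encoded (the form both configs expect)
new_psk() {
  openssl rand -base64 32
}

# quay_psk FILE : prints SECURITY_SCANNER_V4_PSK from a Quay config.yaml
quay_psk() {
  sed -n 's/^SECURITY_SCANNER_V4_PSK:[[:space:]]*//p' "$1" | head -n 1 | tr -d '"'
}

# clair_psk FILE : prints auth.psk.key from a Clair config.yaml
# (a Clair config has exactly one "key:" line, under auth.psk)
clair_psk() {
  sed -n 's/^[[:space:]]*key:[[:space:]]*//p' "$1" | head -n 1 | tr -d '"'
}

# set_clair_psk QUAY_CONFIG CLAIR_CONFIG [PSK] : writes the same PSK into both files
set_clair_psk() {
  quay_cfg=$1; clair_cfg=$2; psk=${3:-$(new_psk)}
  # '|' is the sed delimiter because base64 may contain '/' and '+'
  sed -i.bak "s|^SECURITY_SCANNER_V4_PSK:.*|SECURITY_SCANNER_V4_PSK: $psk|" "$quay_cfg"
  sed -i.bak "s|^\([[:space:]]*\)key:.*|\1key: \"$psk\"|" "$clair_cfg"
  rm -f "$quay_cfg.bak" "$clair_cfg.bak"
}

# check_psk_match QUAY_CONFIG CLAIR_CONFIG : 0 only if both files hold the same
# key and it decodes from base64 to at least 16 bytes
check_psk_match() {
  q=$(quay_psk "$1"); c=$(clair_psk "$2")
  [ -n "$q" ] || { echo "FAIL: no SECURITY_SCANNER_V4_PSK in $1"; return 1; }
  [ "$q" = "$c" ] || { echo "FAIL: Quay PSK and Clair auth.psk.key differ"; return 1; }
  # decode to confirm Clair will accept it, and insist on at least 16 random bytes
  n=$(( $(printf '%s' "$q" | openssl base64 -d -A 2>/dev/null | wc -c) ))
  [ "$n" -ge 16 ] || { echo "FAIL: PSK is not valid base64 or is too short ($n bytes)"; return 1; }
  echo "OK: both sides share a ${n}-byte PSK"
}

# write_sample_configs DIR : constructed minimal copies of the two files,
# carrying the article's sample PSK
write_sample_configs() {
  cat > "$1/quay-config.yaml" <<'EOF'
SERVER_HOSTNAME: quay-server.example.com
SECURITY_SCANNER_V4_ENDPOINT: http://clairv4:8081
SECURITY_SCANNER_V4_PSK: aTNnNThlZGgzMmg0Yg==
EOF
  cat > "$1/clair-config.yaml" <<'EOF'
http_listen_addr: :8081
auth:
  psk:
    key: "aTNnNThlZGgzMmg0Yg=="
    iss: ["quay"]
EOF
}

# Stand-alone demo on the constructed files
demo=$(mktemp -d)
write_sample_configs "$demo"
# the sample key matches on both sides but is only 13 bytes long, so this reports FAIL
check_psk_match "$demo/quay-config.yaml" "$demo/clair-config.yaml" || true
set_clair_psk "$demo/quay-config.yaml" "$demo/clair-config.yaml"
check_psk_match "$demo/quay-config.yaml" "$demo/clair-config.yaml"
rm -rf "$demo"
```

After changing the key on a running deployment, both the quay and clairv4 containers have to be restarted, since each reads its configuration file only at start-up.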
References
- https://quay.github.io/quay-docs/master/deploy_quay/index.html
- https://docs.redhat.com/en/documentation/red_hat_quay/3.12/html-single/proof_of_concept_-_deploying_red_hat_quay/index
- https://docs.redhat.com/en/documentation/red_hat_quay/3.12/html-single/vulnerability_reporting_with_clair_on_red_hat_quay/index#clair-standalone-configure