I use Clair for vulnerability scanning in my Harbor.
A service like Clair has thousands of hosts continuously hitting the git server (https://git.launchpad.net/ubuntu-cve-tracker/), which saturates it, so there are scaling measures in place that make the server return a 503 error when too many clients hit it at once.
Here is the error from my Clair pod:
{"Event":"could not pull ubuntu-cve-tracker repository","Level":"error","Location":"ubuntu.go:174","Time":"2021-06-25 06:38:32.859806","error":"exit status 128","output":"Cloning into '.'...\nfatal: unable to access 'https://git.launchpad.net/ubuntu-cve-tracker/': The requested URL returned error: 503\n"}
{"Event":"an error occured when fetching update","Level":"error","Location":"updater.go:246","Time":"2021-06-25 06:38:32.859934","error":"could not download requested resource","updater name":"ubuntu"}
panic: runtime error: slice bounds out of range
goroutine 549 [running]:
github.com/coreos/clair/ext/vulnsrc/rhel.toFeatureVersions(0xc000208390, 0x2, 0xc000246070, 0x1, 0x1, 0xc0001bc200, 0x1, 0x1, 0x0, 0x908f38, ...)
/go/src/github.com/coreos/clair/ext/vulnsrc/rhel/rhel.go:292 +0xc3b
github.com/coreos/clair/ext/vulnsrc/rhel.parseRHSA(0x7fcc0f4a24b0, 0xc00038c0f0, 0xc00038c0f0, 0x7fcc0f4a24b0, 0xc00038c0f0, 0x8e2708, 0x4)
/go/src/github.com/coreos/clair/ext/vulnsrc/rhel/rhel.go:182 +0x1c8

According to https://bugs.launchpad.net/ubuntu-cve-tracker/+bug/1925337, this is an issue on the git server's side, and in that thread they suggest having Clair pull the data from another source, which means an offline approach. So, apart from the offline approach, is there any other way to reduce how often the vulnerability check hits the git server?
I tried to control the number of hits to the git server, but I can't find a configuration for it in Clair.
Does anyone know how we can control the hit rate of the vulnerability check, or avoid restarts of my pod?
Also, I found that I can schedule a scan (hourly, daily or weekly) in my Harbor UI, but how does scheduling the scan daily help?
Is it only at that point that it will try the git clone to get the latest CVEs?
Posted on 2021-07-20 15:10:03
First check whether this is linked to goharbor/harbor issue 14720, "clair restarts repeatedly when there is some problem with the vulnerability report", whose logs look like this:
{"Event":"Start fetching vulnerabilities","Level":"info","Location":"ubuntu.go:85","Time":"2021-04-21 19:18:24.446743","package":"Ubuntu"}
...
{"Event":"could not pull ubuntu-cve-tracker repository","Level":"error","Location":"ubuntu.go:174","Time":"2021-04-21 19:18:25.147515","error":"exit status 128","output":"Cloning into '.'...\nfatal: unable to access 'https://git.launchpad.net/ubuntu-cve-tracker/': The requested URL returned error: 503\n"}
{"Event":"an error occured when fetching update","Level":"error","Location":"updater.go:246","Time":"2021-04-21 19:18:25.147607","error":"could not download requested resource","updater name":"ubuntu"}
...
panic: runtime error: slice bounds out of range [25:24]
goroutine 327 [running]:
github.com/quay/clair/v2/ext/vulnsrc/rhel.toFeatureVersions(0xc0065215a8, 0x2, 0xc0000b4f08, 0x1, 0x1, 0xc006ef7aa0, 0x1, 0x1, 0x2, 0xc0000b4ef0, ...)
/go/src/github.com/quay/clair/ext/vulnsrc/rhel/rhel.go:276 +0xbf8

It references quay/clair issue 1249, but the Harbor case was closed with PR 15032, using CLAIRVERSION=v2.1.7.
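For reference, the knob the question is looking for lives in Clair v2's own configuration, not in Harbor's scan schedule: Harbor's scheduled scans query the vulnerability database Clair already holds, while it is Clair's updater, running on its own timer, that re-clones ubuntu-cve-tracker. The fragment below is an added example and is not taken from the question, the answer, or either project's repository; the key names `interval` and `enabledupdaters` follow Clair v2's config.example.yaml as assumed here, and the interval value and the updater list are illustrative choices, so check them against the config.yaml shipped with the Clair version you run.

```yaml
# Clair v2 config.yaml, updater section only (added example, assumed keys).
# Verify the key names against the config.example.yaml of your Clair release.
clair:
  updater:
    # How often Clair re-fetches every enabled vulnerability source.
    # Each run of the "ubuntu" updater performs a fresh git clone of
    # https://git.launchpad.net/ubuntu-cve-tracker/, so a longer interval
    # is the direct way to reduce hits on that server. Clair's example
    # config documents the value 0 as disabling the updater entirely.
    interval: 24h
    # Restricting this list keeps Clair from contacting sources you do not
    # need. Leaving "ubuntu" out (assumed updater names) removes the
    # Launchpad clone altogether, at the cost of no Ubuntu package coverage.
    enabledupdaters:
      - debian
      - rhel
      - oracle
      - alpine
```

Lengthening `interval` only spaces the clones out; the 503 can still occur on any given run, and the separate rhel parser panic shown above is what the v2.1.7 bump addresses. Dropping the `ubuntu` updater is the one setting that stops the Launchpad traffic completely, so choose it only if your registry holds no Ubuntu-based images.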
https://stackoverflow.com/questions/68449878