Quickstart
Introduction
In this section, you’ll learn how to get up and running with a stand-alone Anchore Enterprise installation for trial, demonstration, and review with Docker Compose.
Note: If your intent is to gain a deeper understanding of Anchore and its concepts, we recommend navigating to the Overview section prior to conducting an installation of Anchore Enterprise.
Configuration Files for this Quickstart:
-
(Optional) Prometheus Configuration for Monitoring. See Enabling Prometheus Monitoring
-
(Optional) Swagger UI Nginx Proxy to browse the API with a Swagger UI. See Enabling Swagger UI
Requirements
The following instructions assume you are using a system running Docker v1.12 or higher, and a version of Docker Compose that supports at least v2 of the docker-compose configuration format.
- A stand-alone installation requires at least 4GB of RAM, and enough disk space available to support the largest container images you intend to analyze (we recommend 3x largest container image size). For small images/testing (like basic Linux distro images or database images), between 5GB and 10GB of disk space should be sufficient.
- To access the Anchore Enterprise, you need a valid
license.yaml
file that has been issued to you by Anchore. If you do not have a license yet, visit this page for instructions on how to request one.
Step 1: Ensure you can authenticate to DockerHub to pull the images
You’ll need authenticated access to the anchore/enterprise
and anchore/enterprise-ui
repositories on DockerHub. Anchore support should have granted your DockerHub user access when you received your license.
# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: <your_dockerhub_account>
Password: <your_dockerhub_password>
Step 2: Download compose, copy license, and start.
Now, ensure the license.yaml file you got from Anchore Sales/Support is in the directory where you want to run the containers from, then download the compose file and start it. You can use the link at the top of this page, or use curl or wget to download it as shown below.
# cp <path/to/your/license.yaml> ./license.yaml
# curl https://docs.anchore.com/current/docs/quickstart/docker-compose.yaml > docker-compose.yaml
# docker-compose up -d
Step 3: Verify service availability
After a few minutes (depending on system speed) Anchore Enterprise and Anchore UI services should be up and running, ready to use. You can verify the containers are running with docker-compose:
# docker-compose ps
Name Command State Ports
-------------------------------------------------------------------------------------------------------
anchorequickstart_analyzer_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchorequickstart_anchore-db_1 docker-entrypoint.sh postgres Up 5432/tcp
anchorequickstart_api_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:8228->8228/tcp
anchorequickstart_catalog_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchorequickstart_notifications_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:8668->8228/tcp
anchorequickstart_policy-engine_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchorequickstart_queue_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchorequickstart_rbac-authorizer_1 /docker-entrypoint.sh anch ... Up (healthy) 8089/tcp, 8228/tcp
anchorequickstart_rbac-manager_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:8229->8228/tcp
anchorequickstart_reports_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:8558->8228/tcp
anchorequickstart_ui-redis_1 docker-entrypoint.sh redis ... Up 6379/tcp
anchorequickstart_ui_1 /docker-entrypoint.sh node ... Up 0.0.0.0:3000->3000/tcp
You can run a command to get the status of the Anchore Enterprise services:
# docker-compose exec api anchore-cli system status
Service rbac_manager (anchore-quickstart, http://rbac-manager:8228): up
Service apiext (anchore-quickstart, http://api:8228): up
Service analyzer (anchore-quickstart, http://analyzer:8228): up
Service simplequeue (anchore-quickstart, http://queue:8228): up
Service catalog (anchore-quickstart, http://catalog:8228): up
Service reports (anchore-quickstart, http://reports:8228): up
Service notifications (anchore-quickstart, http://notifications:8228): up
Service rbac_authorizer (anchore-quickstart, http://rbac-authorizer:8228): up
Service policy_engine (anchore-quickstart, http://policy-engine:8228): up
Engine DB Version: 0.0.4
Engine Code Version: 2.3.0
Note: The first time you run Anchore Enterprise, it will take a while (2+ hours in many cases, depending on network speed) for the vulnerability data to get synced into the system. For the best experience, wait until the core vulnerability data feeds have completed before proceeding. You can check the status of your feed sync using the CLI:
# docker-compose exec api anchore-cli system feeds list
Feed Group LastSync RecordCount
github github:composer pending None
github github:gem pending None
github github:java pending None
github github:npm pending None
github github:nuget pending None
github github:python pending None
nvdv2 nvdv2:cves pending None
vulnerabilities alpine:3.10 2020-04-27T19:49:45.186409 1725
vulnerabilities alpine:3.11 2020-04-27T19:49:59.993730 1904
vulnerabilities alpine:3.3 2020-04-27T19:50:16.213013 457
vulnerabilities alpine:3.4 2020-04-27T19:50:20.128136 681
vulnerabilities alpine:3.5 2020-04-27T19:50:25.876762 875
vulnerabilities alpine:3.6 2020-04-27T19:50:33.361682 1051
vulnerabilities alpine:3.7 2020-04-27T19:50:42.354798 1395
vulnerabilities alpine:3.8 2020-04-27T19:50:54.311199 1486
vulnerabilities alpine:3.9 2020-04-27T19:51:07.340326 1558
vulnerabilities amzn:2 2020-04-27T19:51:20.726861 327
vulnerabilities centos:5 2020-04-27T19:51:31.586422 1347
vulnerabilities centos:6 2020-04-27T19:51:57.345700 1403
vulnerabilities centos:7 2020-04-27T19:52:26.350592 1063
vulnerabilities centos:8 2020-04-27T19:52:59.187517 215
vulnerabilities debian:10 2020-04-27T19:53:08.194067 22580
vulnerabilities debian:11 2020-04-27T19:56:03.833415 19681
vulnerabilities debian:7 2020-04-27T19:58:44.907852 20455
vulnerabilities debian:8 pending 12500
vulnerabilities debian:9 pending None
vulnerabilities debian:unstable pending None
vulnerabilities ol:5 pending None
vulnerabilities ol:6 pending None
vulnerabilities ol:7 pending None
vulnerabilities ol:8 pending None
vulnerabilities rhel:5 pending None
vulnerabilities rhel:6 pending None
vulnerabilities rhel:7 pending None
vulnerabilities rhel:8 pending None
vulnerabilities ubuntu:12.04 pending None
vulnerabilities ubuntu:12.10 pending None
vulnerabilities ubuntu:13.04 pending None
vulnerabilities ubuntu:14.04 pending None
vulnerabilities ubuntu:14.10 pending None
vulnerabilities ubuntu:15.04 pending None
vulnerabilities ubuntu:15.10 pending None
vulnerabilities ubuntu:16.04 pending None
vulnerabilities ubuntu:16.10 pending None
vulnerabilities ubuntu:17.04 pending None
vulnerabilities ubuntu:17.10 pending None
vulnerabilities ubuntu:18.04 pending None
vulnerabilities ubuntu:18.10 pending None
vulnerabilities ubuntu:19.04 pending None
vulnerabilities ubuntu:19.10 pending None
vulnerabilities ubuntu:20.04 pending None
As soon as you see RecordCount values set for all vulnerability groups, the system is fully populated and ready to present vulnerability results. Note that feed syncs are incremental, so the next time you start up Anchore Enterprise it will be ready immediately. The CLI tool includes a useful utility that will block until the feeds have completed a successful sync:
# docker-compose exec api anchore-cli system wait
Starting checks to wait for anchore-engine to be available timeout=-1.0 interval=5.0
API availability: Checking anchore-engine URL (http://localhost:8228)...
API availability: Success.
Service availability: Checking for service set (catalog,apiext,policy_engine,simplequeue,analyzer)...
Service availability: Success.
Feed sync: Checking sync completion for feed set (vulnerabilities)...
Feed sync: Checking sync completion for feed set (vulnerabilities)...
...
...
Feed sync: Success.
Step 4: Start using Anchore
To get started, you can add a few images to Anchore Enterprise using the CLI. Once complete, you can also run an additional CLI command to monitor the analysis state of the added images, waiting until the images move into an ‘analyzed’ state.
# docker-compose exec api anchore-cli image add docker.io/library/alpine:latest
...
...
# docker-compose exec api anchore-cli image add docker.io/library/nginx:latest
...
...
# docker-compose exec api anchore-cli image list
Full Tag Image Digest Analysis Status
docker.io/library/alpine:latest sha256:39eda93d15866957feaee28f8fc5adb545276a64147445c64992ef69804dbf01 analyzed
docker.io/library/nginx:latest sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422 analyzing
# docker-compose exec api anchore-cli image wait docker.io/library/nginx:latest
...
...
# docker-compose exec api anchore-cli image list
Full Tag Image Digest Analysis Status
docker.io/library/alpine:latest sha256:39eda93d15866957feaee28f8fc5adb545276a64147445c64992ef69804dbf01 analyzed
docker.io/library/nginx:latest sha256:cccef6d6bdea671c394956e24b0d0c44cd82dbe83f543a47fdc790fadea48422 analyzed
Now that some images are in place, you can point your browser at the Anchore Enterprise UI by directing it to http://localhost:3000/.
Enter the username admin and password foobar to log in. These are some of the features you can use in the browser:
- Navigate images
- Inspect image contents
- Perform security scans
- Review compliance policy evaluations
- Edit compliance policies with a complete policy editor UI
- Manage accounts, users, and RBAC assignments
- Review system events
Note: This document is intended to serve as a quickstart guide. Before moving further with Anchore Enterprise, it is highly recommended to read the Overview sections to gain a deeper understanding of fundamentals, concepts, and proper usage.
Enabling Windows Image Support
To enable scanning of Windows images, you’ll have to configure more of the system to deploy a feed service and setup the proper drivers to collect vulnerability data for Windows.
See: Enabling Windows
Next Steps
Now that you have Anchore Enterprise running, you can begin to learn more about Anchore Enterprise Architecture, Anchore Concepts, and Anchore Usage.
- To learn more about Anchore Enterprise, go to Overview
- To learn more about Anchore Concepts, go to Concepts
- To learn more about other installation methods, go to Installation
- To learn more about using Anchore Usage, go to Usage
Optional: Enabling Prometheus Monitoring
-
Uncomment the following section at the bottom of the docker-compose.yaml file:
# # Uncomment this section to add a prometheus instance to gather metrics. This is mostly for quickstart to demonstrate prometheus metrics exported # prometheus: # image: docker.io/prom/prometheus:latest # depends_on: # - api # volumes: # - ./anchore-prometheus.yml:/etc/prometheus/prometheus.yml:z # logging: # driver: "json-file" # options: # max-size: 100m # ports: # - "9090:9090" #
-
For each service entry in the docker-compose.yaml, change the following to enable metrics in the API for each service
ANCHORE_ENABLE_METRICS=false
to
ANCHORE_ENABLE_METRICS=true
-
Download the example prometheus configuration into the same directory as the docker-compose.yaml file, with name anchore-prometheus.yml
curl https://docs.anchore.com/current/docs/quickstart/anchore-prometheus.yml > anchore-prometheus.yml docker-compose up -d
You should see a new container started and can access prometheus via your browser on
http://localhost:9090
Optional: Enabling Swagger UI
-
Uncomment the following section at the bottom of the docker-compose.yaml file:
# # Uncomment this section to run a swagger UI service, for inspecting and interacting with the system API via a browser (http://localhost:8080 by default, change if needed in both sections below) # swagger-ui-nginx: # image: docker.io/nginx:latest # depends_on: # - api # - swagger-ui # ports: # - "8080:8080" # volumes: # - ./anchore-swaggerui-nginx.conf:/etc/nginx/nginx.conf:z # logging: # driver: "json-file" # options: # max-size: 100m # swagger-ui: # image: docker.io/swaggerapi/swagger-ui # environment: # - URL=http://localhost:8080/v1/swagger.json # logging: # driver: "json-file" # options: # max-size: 100m
-
Download the nginx configuration into the same directory as the docker-compose.yaml file, with name anchore-swaggerui-nginx.conf
curl https://docs.anchore.com/current/docs/quickstart/anchore-swaggerui-nginx.conf > anchore-swaggerui-nginx.conf docker-compose up -d
You should see a new container started and can access swagger UI via your browser on
http://localhost:8080
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.