In this topic, you’ll learn how to use Docker Compose to get up and running with a stand-alone Anchore Enterprise deployment for trial, demonstration, and review purposes only.
Important: Supported deployments of Anchore Enterprise should use the Helm-based deployment, which enables easier scaling, modular deployment, and fine-grained configuration.
If you would like to gain a deeper understanding of Anchore and its concepts, review the Overview topic prior to deployment of Anchore Enterprise.
Configuration Files for Docker Compose:
(Optional) Prometheus Configuration File for Monitoring. See Enabling Prometheus Monitoring
(Optional) Swagger UI Nginx Proxy to browse the API with a Swagger UI. See Enabling Swagger UI
Requirements
The following instructions assume you are using a system running Docker v1.12 or higher, and a version of Docker Compose that supports at least v2 of the docker compose configuration format.
- A stand-alone deployment requires at least 4GB of RAM, and enough disk space available to support the largest container images or source repositories that you intend to analyze. It is recommended to consider three times the largest source repository or container image size. For small testing, like basic Linux distro images or database images, between 5GB and 10GB of disk space should be sufficient.
- To access Anchore Enterprise, you need a valid license.yaml file that has been issued to you by Anchore. If you do not have a license yet, visit the Anchore Contact page to request one.
Step 1: Ensure you can authenticate to DockerHub to pull the images
You’ll need authenticated access to the anchore/enterprise and anchore/enterprise-ui repositories on DockerHub. Anchore support should have granted your DockerHub user access when you received your license.
# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: <your_dockerhub_account>
Password: <your_dockerhub_password>
Step 2: Download compose, copy license, and start.
Now, ensure the license.yaml file you got from Anchore Sales/Support is in the directory where you want to run the containers from, then download the compose file and start it. You can use the link at the top of this page, or use curl or wget to download it as shown in the following example.
# cp <path/to/your/license.yaml> ./license.yaml
# curl https://docs.anchore.com/current/docs/deployment/docker_compose/docker-compose.yaml > docker-compose.yaml
# docker compose up -d
Step 3: Install AnchoreCTL
Next, we’ll install the lightweight Anchore Enterprise client tool, quickly test using the version operation, and set up a few environment variables to allow it to interact with your quickstart deployment using the following process:
# curl -sSfL https://anchorectl-releases.anchore.io/anchorectl/install.sh | sh -s -- -b /usr/local/bin v5.9.0
# ./anchorectl version
Application: anchorectl
Version: 5.9.0
SyftVersion: v0.97.1
BuildDate: 2023-11-21T22:09:54Z
GitCommit: f7604438b45f7161c11145999897d4ae3efcb0c8
GitDescription: v5.9.0
Platform: linux/amd64
GoVersion: go1.21.1
Compiler: gc
# export ANCHORECTL_URL="http://localhost:8228"
# export ANCHORECTL_USERNAME="admin"
# export ANCHORECTL_PASSWORD="foobar"
NOTE: For this quickstart, we’re installing the tool in your local directory ./ and will be using environment variables throughout. To more permanently install and configure anchorectl to remove the need for setting environment variables and putting the tool in a globally accessible path, see Installing AnchoreCTL.
Step 4: Verify service availability
After a few minutes (depending on system speed) Anchore Enterprise and Anchore UI services should be up and running, ready to use. You can verify the containers are running with docker compose, as shown in the following example.
# docker compose ps
Name Command State Ports
-------------------------------------------------------------------------------------------------------
anchorequickstart_analyzer_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchorequickstart_anchore-db_1 docker-entrypoint.sh postgres Up 5432/tcp
anchorequickstart_api_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:8228->8228/tcp
anchorequickstart_catalog_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchorequickstart_notifications_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:8668->8228/tcp
anchorequickstart_policy-engine_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchorequickstart_queue_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchorequickstart_reports_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:8558->8228/tcp
anchorequickstart_reports_worker_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:55427->8228/tcp
anchorequickstart_ui-redis_1 docker-entrypoint.sh redis ... Up 6379/tcp
anchorequickstart_ui_1 /docker-entrypoint.sh node ... Up 0.0.0.0:3000->3000/tcp
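The listing above shows several services mapped on 0.0.0.0, that is, published on every host interface, which matters on a trial stack that still uses the default admin credentials from this page. As an added example (not part of the Anchore documentation), this shell function extracts those mappings from `docker compose ps` output; the function names are illustrative, and the sample lines are copied from the listing above plus one constructed dual-stack line.

```shell
#!/bin/sh
# Added example: list services that `docker compose ps` shows as published
# on every host interface (0.0.0.0, ::: or [::]).

# Reads `docker compose ps` output on stdin, prints "<container> <host-port>".
published_on_all_interfaces() {
    awk '
    {
        name = $1; rest = $0
        # A published mapping looks like 0.0.0.0:8228->8228/tcp; an
        # unpublished container port is just 8228/tcp and is skipped.
        while (match(rest, /(0\.0\.0\.0|\[::\]|::):[0-9]+->[0-9]+/)) {
            m = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
            sub(/->.*/, "", m)    # keep "<bind-address>:<host-port>"
            sub(/.*:/, "", m)     # keep "<host-port>"
            if (!((name, m) in seen)) {   # IPv4 and IPv6 rows report once
                seen[name, m] = 1
                print name, m
            }
        }
    }'
}

# Exit status 0 when nothing is published on all interfaces, 1 otherwise.
no_wide_open_ports() {
    [ -z "$(published_on_all_interfaces)" ]
}

# Sample input: lines from the listing above; the last line is constructed
# to show the IPv4 + IPv6 form that newer Docker versions print.
SAMPLE_PS='anchorequickstart_analyzer_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchorequickstart_anchore-db_1 docker-entrypoint.sh postgres Up 5432/tcp
anchorequickstart_api_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:8228->8228/tcp
anchorequickstart_notifications_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:8668->8228/tcp
anchorequickstart_ui_1 /docker-entrypoint.sh node ... Up 0.0.0.0:3000->3000/tcp
demo_dualstack_1 /entrypoint.sh Up 0.0.0.0:9090->9090/tcp, :::9090->9090/tcp'

printf '%s\n' "$SAMPLE_PS" | published_on_all_interfaces
```

Against a live deployment, pipe `docker compose ps` into `published_on_all_interfaces`. A Compose port entry can be bound to loopback instead, for example `"127.0.0.1:8228:8228"`, to keep a trial stack reachable only from the local host.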
You can then run a command to get the status of the Anchore Enterprise services:
# ./anchorectl system status
✔ Status system
┌─────────────────┬────────────────────┬─────────────────────────────┬──────┬────────────────┬────────────┬──────────────┐
│ SERVICE │ HOST ID │ URL │ UP │ STATUS MESSAGE │ DB VERSION │ CODE VERSION │
├─────────────────┼────────────────────┼─────────────────────────────┼──────┼────────────────┼────────────┼──────────────┤
│ analyzer │ anchore-quickstart │ http://analyzer:8228 │ true │ available │ 590 │ 5.9.0 │
│ policy_engine │ anchore-quickstart │ http://policy-engine:8228 │ true │ available │ 590 │ 5.9.0 │
│ apiext │ anchore-quickstart │ http://api:8228 │ true │ available │ 590 │ 5.9.0 │
│ reports │ anchore-quickstart │ http://reports:8228 │ true │ available │ 590 │ 5.9.0 │
│ reports_worker │ anchore-quickstart │ http://reports-worker:8228 │ true │ available │ 590 │ 5.9.0 │
│ simplequeue │ anchore-quickstart │ http://queue:8228 │ true │ available │ 590 │ 5.9.0 │
│ notifications │ anchore-quickstart │ http://notifications:8228 │ true │ available │ 590 │ 5.9.0 │
│ catalog │ anchore-quickstart │ http://catalog:8228 │ true │ available │ 590 │ 5.9.0 │
└─────────────────┴────────────────────┴─────────────────────────────┴──────┴────────────────┴────────────┴──────────────┘
Note: The first time you run Anchore Enterprise, vulnerability data will sync to the system in a few minutes. If the on-prem feed service is also used, it will take a while for the vulnerability data to get synced into the system (two plus hours in many cases, depending on network speed). For the best experience, wait until the core vulnerability data feeds have completed before proceeding. You can check the status of your feed sync using AnchoreCTL:
# ./anchorectl feed list
✔ List feed
┌─────────────────┬─────────────────┬─────────┬──────────────────────┬──────────────┐
│ FEED │ GROUP │ ENABLED │ LAST SYNC │ RECORD COUNT │
├─────────────────┼─────────────────┼─────────┼──────────────────────┼──────────────┤
│ vulnerabilities │ alpine:3.10 │ true │ 2022-08-26T14:08:51Z │ 2331 │
│ vulnerabilities │ alpine:3.11 │ true │ 2022-08-26T14:08:51Z │ 2665 │
│ vulnerabilities │ alpine:3.12 │ true │ 2022-08-26T14:08:51Z │ 3205 │
│ vulnerabilities │ alpine:3.13 │ true │ 2022-08-26T14:08:51Z │ 3656 │
│ vulnerabilities │ alpine:3.14 │ true │ 2022-08-26T14:08:51Z │ 4097 │
│ vulnerabilities │ alpine:3.15 │ true │ 2022-08-26T14:08:51Z │ 4479 │
│ vulnerabilities │ alpine:3.16 │ true │ 2022-08-26T14:08:51Z │ 4763 │
│ vulnerabilities │ alpine:3.2 │ true │ 2022-08-26T14:08:51Z │ 306 │
│ vulnerabilities │ alpine:3.3 │ true │ 2022-08-26T14:08:51Z │ 471 │
│ vulnerabilities │ alpine:3.4 │ true │ 2022-08-26T14:08:51Z │ 683 │
│ vulnerabilities │ alpine:3.5 │ true │ 2022-08-26T14:08:51Z │ 903 │
│ vulnerabilities │ alpine:3.6 │ true │ 2022-08-26T14:08:51Z │ 1077 │
│ vulnerabilities │ alpine:3.7 │ true │ 2022-08-26T14:08:51Z │ 1462 │
│ vulnerabilities │ alpine:3.8 │ true │ 2022-08-26T14:08:51Z │ 1675 │
│ vulnerabilities │ alpine:3.9 │ true │ 2022-08-26T14:08:51Z │ 1962 │
│ vulnerabilities │ amzn:2 │ true │ 2022-08-26T14:08:51Z │ 925 │
│ vulnerabilities │ amzn:2022 │ true │ 2022-08-26T14:08:51Z │ 124 │
│ vulnerabilities │ debian:10 │ true │ 2022-08-26T14:08:51Z │ 28893 │
│ vulnerabilities │ debian:11 │ true │ 2022-08-26T14:08:51Z │ 26431 │
│ vulnerabilities │ debian:12 │ true │ 2022-08-26T14:08:51Z │ 25660 │
│ vulnerabilities │ debian:7 │ true │ 2022-08-26T14:08:51Z │ 20455 │
│ vulnerabilities │ debian:8 │ true │ 2022-08-26T14:08:51Z │ 24058 │
│ vulnerabilities │ debian:9 │ true │ 2022-08-26T14:08:51Z │ 28240 │
│ vulnerabilities │ debian:unstable │ true │ 2022-08-26T14:08:51Z │ 31740 │
│ vulnerabilities │ github:composer │ true │ 2022-08-26T14:08:51Z │ 1000 │
│ vulnerabilities │ github:gem │ true │ 2022-08-26T14:08:51Z │ 473 │
│ vulnerabilities │ github:go │ true │ 2022-08-26T14:08:51Z │ 566 │
│ vulnerabilities │ github:java │ true │ 2022-08-26T14:08:51Z │ 2057 │
│ vulnerabilities │ github:npm │ true │ 2022-08-26T14:08:51Z │ 2585 │
│ vulnerabilities │ github:nuget │ true │ 2022-08-26T14:08:51Z │ 216 │
│ vulnerabilities │ github:python │ true │ 2022-08-26T14:08:51Z │ 1244 │
│ vulnerabilities │ github:rust │ true │ 2022-08-26T14:08:51Z │ 289 │
│ vulnerabilities │ nvd │ true │ 2022-08-26T14:08:51Z │ 193942 │
│ vulnerabilities │ ol:5 │ true │ 2022-08-26T14:08:51Z │ 1255 │
│ vulnerabilities │ ol:6 │ true │ 2022-08-26T14:08:51Z │ 1666 │
│ vulnerabilities │ ol:7 │ true │ 2022-08-26T14:08:51Z │ 1837 │
│ vulnerabilities │ ol:8 │ true │ 2022-08-26T14:08:51Z │ 1028 │
│ vulnerabilities │ ol:9 │ true │ 2022-08-26T14:08:51Z │ 56 │
│ vulnerabilities │ rhel:5 │ true │ 2022-08-26T14:08:51Z │ 7827 │
│ vulnerabilities │ rhel:6 │ true │ 2022-08-26T14:08:51Z │ 8352 │
│ vulnerabilities │ rhel:7 │ true │ 2022-08-26T14:08:51Z │ 7847 │
│ vulnerabilities │ rhel:8 │ true │ 2022-08-26T14:08:51Z │ 4198 │
│ vulnerabilities │ rhel:9 │ true │ 2022-08-26T14:08:51Z │ 1097 │
│ vulnerabilities │ sles:11 │ true │ 2022-08-26T14:08:51Z │ 594 │
│ vulnerabilities │ sles:11.1 │ true │ 2022-08-26T14:08:51Z │ 6125 │
│ vulnerabilities │ sles:11.2 │ true │ 2022-08-26T14:08:51Z │ 3291 │
│ vulnerabilities │ sles:11.3 │ true │ 2022-08-26T14:08:51Z │ 7081 │
│ vulnerabilities │ sles:11.4 │ true │ 2022-08-26T14:08:51Z │ 6583 │
│ vulnerabilities │ sles:12 │ true │ 2022-08-26T14:08:51Z │ 5918 │
│ vulnerabilities │ sles:12.1 │ true │ 2022-08-26T14:08:51Z │ 6206 │
│ vulnerabilities │ sles:12.2 │ true │ 2022-08-26T14:08:51Z │ 7625 │
│ vulnerabilities │ sles:12.3 │ true │ 2022-08-26T14:08:51Z │ 9395 │
│ vulnerabilities │ sles:12.4 │ true │ 2022-08-26T14:08:51Z │ 9428 │
│ vulnerabilities │ sles:12.5 │ true │ 2022-08-26T14:08:51Z │ 9810 │
│ vulnerabilities │ sles:15 │ true │ 2022-08-26T14:08:51Z │ 8500 │
│ vulnerabilities │ sles:15.1 │ true │ 2022-08-26T14:08:51Z │ 8168 │
│ vulnerabilities │ sles:15.2 │ true │ 2022-08-26T14:08:51Z │ 7684 │
│ vulnerabilities │ sles:15.3 │ true │ 2022-08-26T14:08:51Z │ 7830 │
│ vulnerabilities │ sles:15.4 │ true │ 2022-08-26T14:08:51Z │ 7435 │
│ vulnerabilities │ ubuntu:12.04 │ true │ 2022-08-26T14:08:51Z │ 14963 │
│ vulnerabilities │ ubuntu:12.10 │ true │ 2022-08-26T14:08:51Z │ 5652 │
│ vulnerabilities │ ubuntu:13.04 │ true │ 2022-08-26T14:08:51Z │ 4127 │
│ vulnerabilities │ ubuntu:14.04 │ true │ 2022-08-26T14:08:51Z │ 29362 │
│ vulnerabilities │ ubuntu:14.10 │ true │ 2022-08-26T14:08:51Z │ 4456 │
│ vulnerabilities │ ubuntu:15.04 │ true │ 2022-08-26T14:08:51Z │ 6240 │
│ vulnerabilities │ ubuntu:15.10 │ true │ 2022-08-26T14:08:51Z │ 6513 │
│ vulnerabilities │ ubuntu:16.04 │ true │ 2022-08-26T14:08:51Z │ 26480 │
│ vulnerabilities │ ubuntu:16.10 │ true │ 2022-08-26T14:08:51Z │ 8647 │
│ vulnerabilities │ ubuntu:17.04 │ true │ 2022-08-26T14:08:51Z │ 9157 │
│ vulnerabilities │ ubuntu:17.10 │ true │ 2022-08-26T14:08:51Z │ 7943 │
│ vulnerabilities │ ubuntu:18.04 │ true │ 2022-08-26T14:08:51Z │ 20984 │
│ vulnerabilities │ ubuntu:18.10 │ true │ 2022-08-26T14:08:51Z │ 8400 │
│ vulnerabilities │ ubuntu:19.04 │ true │ 2022-08-26T14:08:51Z │ 8669 │
│ vulnerabilities │ ubuntu:19.10 │ true │ 2022-08-26T14:08:51Z │ 8431 │
│ vulnerabilities │ ubuntu:20.04 │ true │ 2022-08-26T14:08:51Z │ 14810 │
│ vulnerabilities │ ubuntu:20.10 │ true │ 2022-08-26T14:08:51Z │ 9996 │
│ vulnerabilities │ ubuntu:21.04 │ true │ 2022-08-26T14:08:51Z │ 11343 │
│ vulnerabilities │ ubuntu:21.10 │ true │ 2022-08-26T14:08:51Z │ 12673 │
│ vulnerabilities │ ubuntu:22.04 │ true │ 2022-08-26T14:08:51Z │ 12992 │
└─────────────────┴─────────────────┴─────────┴──────────────────────┴──────────────┘
As soon as you see RecordCount values set for all vulnerability groups, the system is fully populated and ready to present vulnerability results. Note that feed syncs are incremental, so the next time you start up Anchore Enterprise it will be ready immediately. AnchoreCTL includes a useful utility that will block until the feeds have completed a successful sync:
# ./anchorectl system wait
✔ API available system
✔ Services available [10 up] system
✔ Vulnerabilities feed ready system
Step 5: Start using Anchore
To get started, you can add a few images to Anchore Enterprise using AnchoreCTL. Once complete, you can also run an additional AnchoreCTL command to monitor the analysis state of the added images, waiting until the images move into an ‘analyzed’ state.
# ./anchorectl image add docker.io/library/alpine:latest
✔ Added Image docker.io/library/alpine:latest
Image:
status: not-analyzed (active)
tag: docker.io/library/alpine:latest
digest: sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870
id: 9c6f0724472873bb50a2ae67a9e7adcb57673a183cea8b06eb778dca859181b5
# ./anchorectl image add docker.io/library/nginx:latest
✔ Added Image docker.io/library/nginx:latest
Image:
status: not-analyzed (active)
tag: docker.io/library/nginx:latest
digest: sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc
id: 2b7d6430f78d432f89109b29d88d4c36c868cdbf15dc31d2132ceaa02b993763
distro: debian@11 (amd64)
layers: 6
# ./anchorectl image list
✔ Fetched images
┌───────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────┬──────────────┬────────┐
│ TAG │ DIGEST │ ANALYSIS │ STATUS │
├───────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────┼──────────────┼────────┤
│ docker.io/library/alpine:latest │ sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870 │ analyzed │ active │
│ docker.io/library/nginx:latest │ sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc │ not_analyzed │ active │
└───────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────┴──────────────┴────────┘
# ./anchorectl image add docker.io/library/nginx:latest --force --wait
⠏ Adding Image docker.io/library/nginx:latest
⠼ Analyzing Image [analyzing] docker.io/library/nginx:latest
...
...
✔ Analyzed Image docker.io/library/nginx:latest
Image:
status: analyzed (active)
tags: docker.io/library/nginx:latest
digest: sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc
id: 2b7d6430f78d432f89109b29d88d4c36c868cdbf15dc31d2132ceaa02b993763
distro: debian@11 (amd64)
layers: 6
# ./anchorectl image list
✔ Fetched images
┌───────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────┬──────────┬────────┐
│ TAG │ DIGEST │ ANALYSIS │ STATUS │
├───────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────┼──────────┼────────┤
│ docker.io/library/alpine:latest │ sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870 │ analyzed │ active │
│ docker.io/library/nginx:latest │ sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc │ analyzed │ active │
└───────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────┴──────────┴────────┘
Now that some images are in place, you can point your browser at the Anchore Enterprise UI by directing it to http://localhost:3000/.
Enter the username admin and password foobar to log in. These are some of the features you can use in the browser:
- Navigate images
- Inspect image contents
- Perform security scans
- Review compliance policy evaluations
- Edit compliance policies with a complete policy editor UI
- Manage accounts, users, and RBAC assignments
- Review system events
Note: This document is intended to serve as a quickstart guide. Before moving further with Anchore Enterprise, it is highly recommended to read the Overview sections to gain a deeper understanding of fundamentals, concepts, and proper usage.
Enable Microsoft Windows Image Support
To enable scanning of Microsoft Windows images, you’ll have to configure the system to deploy a feed service and set up the proper drivers to collect vulnerability data for Microsoft Windows.
For more information, see: Enable Microsoft Windows Scanning.
Next Steps
Now that you have Anchore Enterprise running, you can begin to learn more about Anchore capabilities, architecture, concepts, and more.
- To learn more about Anchore Enterprise, see Overview
- To learn more about Anchore capabilities, see Capabilities
- To learn more about Anchore architecture, see Architecture
- To learn more about Anchore concepts, see Concepts
- To learn more about other deployment methods, see Deployment
- To learn more about using Anchore, start with Vulnerability Management
Optional: Enabling Prometheus Monitoring
Uncomment the following section at the bottom of the docker-compose.yaml file:
#  # Uncomment this section to add a prometheus instance to gather metrics. This is mostly for quickstart to demonstrate prometheus metrics exported
#  prometheus:
#    image: docker.io/prom/prometheus:latest
#    depends_on:
#      - api
#    volumes:
#      - ./anchore-prometheus.yml:/etc/prometheus/prometheus.yml:z
#    logging:
#      driver: "json-file"
#      options:
#        max-size: 100m
#    ports:
#      - "9090:9090"
#
For each service entry in the docker-compose.yaml file, change the following setting to enable metrics in the API for that service:
ANCHORE_ENABLE_METRICS=false
to
ANCHORE_ENABLE_METRICS=true
Download the example prometheus configuration into the same directory as the docker-compose.yaml file, with name anchore-prometheus.yml:
curl https://docs.anchore.com/current/docs/deployment/anchore-prometheus.yml > anchore-prometheus.yml
docker compose up -d
Result: You should see a new container started and can access Prometheus via your browser on http://localhost:9090.
Optional: Enabling Swagger UI
Uncomment the following section at the bottom of the docker-compose.yaml file:
#  # Uncomment this section to run a swagger UI service, for inspecting and interacting with the system API via a browser (http://localhost:8080 by default, change if needed in both sections below)
#  swagger-ui-nginx:
#    image: docker.io/nginx:latest
#    depends_on:
#      - api
#      - swagger-ui
#    ports:
#      - "8080:8080"
#    volumes:
#      - ./anchore-swaggerui-nginx.conf:/etc/nginx/nginx.conf:z
#    logging:
#      driver: "json-file"
#      options:
#        max-size: 100m
#  swagger-ui:
#    image: docker.io/swaggerapi/swagger-ui
#    environment:
#      - URL=http://localhost:8080/v2/openapi.json
#    logging:
#      driver: "json-file"
#      options:
#        max-size: 100m
Download the nginx configuration into the same directory as the docker-compose.yaml file, with name anchore-swaggerui-nginx.conf:
curl https://docs.anchore.com/current/docs/deployment/anchore-swaggerui-nginx.conf > anchore-swaggerui-nginx.conf
docker compose up -d
Result: You should see a new container started, and have access to the Swagger UI via your browser on http://localhost:8080.