File Storage Configuration
Anchore Enterprise uses a local directory for image analysis operations including downloading layers and unpacking the image content for the analysis process.
For configuration of local storage for scratch space, see Scratch.
In many cases the images will share a number of common layers, especially if images are built from a consistent set of base images. Anchore Enterprise can cache image layers to improve analysis time, see Layer Caching.
1 - Scratch Configuration
Anchore Enterprise uses a local directory for image analysis operations including downloading layers and unpacking the image content for the analysis process.
Analysis Process
Once an image is submitted to Anchore Enterprise for centralized analysis, the system will attempt to retrieve metadata about the image from the Docker registry and, if successful, will download the image and queue it for analysis. Anchore Enterprise can run one or more analyzer services to scale out processing of images. The next available analyzer worker will process the image.
Docker images are made up of one or more layers, which are described in the manifest. The manifest lists the layers, which are typically stored as gzip-compressed TAR files.
As part of image analysis Anchore Enterprise will:
- Download all layers that comprise an image
- Extract the layers to a temporary file system location
- Perform analysis on the contents of the image including:
- Digest of every file (SHA1, SHA256 and MD5)
- File attributes (size, owner, permissions, etc.)
- Operating System package manifest
- Software library package manifest (NPM, GEM, Java, Python, NuGet)
- Scan for secret materials (API keys, private keys, etc.)
Following the analysis the extracted layers and downloaded layer tar files are deleted.
Configuration of Scratch Space
It is typically recommended that the cache data is stored in an external volume to ensure that the cache does not use up the ephemeral storage space allocated to the container host.
By default Anchore Enterprise uses the /tmp directory within the container to download and extract images. You may wish to define a temporary directory or a volume mounted specifically for scratch image data. This can be configured in the config.yaml:
tmp_dir: '/scratch'
In this example a volume has been mounted as /scratch within the container and config.yaml updated to use /scratch as the temporary directory for image analysis.
With the layer cache disabled, the temporary directory should be sized to at least 3 times the uncompressed size of the image to be analyzed. To understand layer caching, see Layer Caching.
2 - Layer Caching Configuration
To speed up analysis, Anchore Enterprise can be configured to cache image layers, eliminating the need to download the same layer for many different images.
Enable the layer cache so the analyzer service stores downloaded layers locally for reuse.
Layer cache should be sized to at least 3 times the uncompressed image size + 4 gigabytes.
To enable layer caching, adjust the layer_cache_max_gigabytes parameter in the analyzer section of the Anchore Enterprise Helm values file, for example:
anchoreConfig:
  analyzer:
    layer_cache_max_gigabytes: 4
For docker-compose environments it looks as follows in the config-enterprise.yaml/config.yaml:
services:
  analyzer:
    layer_cache_enable: ${ANCHORE_LAYER_CACHE_ENABLED}
    layer_cache_max_gigabytes: ${ANCHORE_LAYER_CACHE_SIZE_GB}
You can set it in the config.yaml if you have it bind-mounted into your container(s) via the docker-compose file, or you can set the environment variables as follows:
services:
  analyzer:
    environment:
      ANCHORE_LAYER_CACHE_ENABLED: true
      ANCHORE_LAYER_CACHE_SIZE_GB: 4
In the above, the layer cache is set to 4 gigabytes.
- The minimum size for the cache is 1 gigabyte.
- The cache uses a least recently used (LRU) policy.
- The cache files will be stored in the anchore_layercache directory of the /tmp_dir volume.
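The sizing rules from the Scratch and Layer Caching sections above (3 times the uncompressed image size for scratch, 3 times plus 4 gigabytes for the cache, 1 gigabyte minimum) are easy to get wrong when a volume is provisioned by hand. The following is an added example, not Anchore's own code, that turns those rules into a pre-deployment check: it validates the compose-style ANCHORE_LAYER_CACHE_* variables and compares the free space on a candidate tmp_dir volume with what the rules require. Two things are assumptions rather than statements on this page: that the scratch working set and the layer cache are both charged to the tmp_dir volume (since the cache lives under its anchore_layercache directory), so the volume must hold both, and that "uncompressed image size" means the largest image you expect to analyze. The sample environment and 2 GB image size are constructed.

```python
"""Sizing and configuration check for the Anchore Enterprise scratch volume.

Added example, not Anchore's own code. Assumptions: scratch space and the
layer cache share the tmp_dir volume, and the sizing input is the largest
uncompressed image you expect to analyze. Gigabytes are taken as 1e9 bytes.
"""
import shutil
from typing import Mapping, Tuple

SCRATCH_MULTIPLIER = 3          # scratch >= 3 x uncompressed image size
LAYER_CACHE_HEADROOM_GB = 4.0   # cache >= 3 x uncompressed image size + 4 GB
MIN_LAYER_CACHE_GB = 1.0        # documented minimum cache size
ENABLED_VALUES = {"true", "1", "yes", "on"}   # assumption: spellings of "enabled"


def required_scratch_gb(largest_image_gb: float) -> float:
    """Scratch space needed with the layer cache disabled."""
    if largest_image_gb < 0:
        raise ValueError("image size must be non-negative")
    return SCRATCH_MULTIPLIER * largest_image_gb


def required_layer_cache_gb(largest_image_gb: float) -> float:
    """Recommended layer_cache_max_gigabytes, never below the 1 GB minimum."""
    if largest_image_gb < 0:
        raise ValueError("image size must be non-negative")
    return max(MIN_LAYER_CACHE_GB,
               SCRATCH_MULTIPLIER * largest_image_gb + LAYER_CACHE_HEADROOM_GB)


def required_tmp_dir_gb(largest_image_gb: float, layer_cache_enabled: bool) -> float:
    """Total capacity the tmp_dir volume should provide (assumption: scratch + cache)."""
    total = required_scratch_gb(largest_image_gb)
    if layer_cache_enabled:
        total += required_layer_cache_gb(largest_image_gb)
    return total


def layer_cache_settings(env: Mapping[str, str]) -> Tuple[bool, float]:
    """Read the compose-style ANCHORE_LAYER_CACHE_* variables and validate them."""
    raw_flag = env.get("ANCHORE_LAYER_CACHE_ENABLED", "false").strip().lower()
    enabled = raw_flag in ENABLED_VALUES
    size_gb = float(env.get("ANCHORE_LAYER_CACHE_SIZE_GB", "0") or 0)
    if enabled and size_gb < MIN_LAYER_CACHE_GB:
        raise ValueError(
            f"ANCHORE_LAYER_CACHE_SIZE_GB={size_gb:g} is below the "
            f"{MIN_LAYER_CACHE_GB:g} GB minimum")
    return enabled, size_gb


def check_volume(path: str, required_gb: float) -> dict:
    """Compare free space on the filesystem holding `path` with the requirement."""
    usage = shutil.disk_usage(path)
    free_gb = usage.free / 1e9
    return {"path": path, "free_gb": round(free_gb, 2),
            "required_gb": required_gb, "ok": free_gb >= required_gb}


if __name__ == "__main__":
    # Constructed sample: the compose environment from this page and a 2 GB image.
    sample_env = {"ANCHORE_LAYER_CACHE_ENABLED": "true", "ANCHORE_LAYER_CACHE_SIZE_GB": "4"}
    enabled, configured_cache_gb = layer_cache_settings(sample_env)
    largest_image_gb = 2.0
    recommended = required_layer_cache_gb(largest_image_gb)
    print("recommended layer_cache_max_gigabytes:", recommended)
    if enabled and configured_cache_gb < recommended:
        print(f"warning: configured cache ({configured_cache_gb:g} GB) is below the recommendation")
    # The current directory stands in for the volume mounted at /scratch.
    print(check_volume(".", required_tmp_dir_gb(largest_image_gb, enabled)))
```

Run it with the path of the volume you intend to mount as tmp_dir (for example /scratch) in place of "." to see whether the volume meets the requirement before the first analysis fills it; the LRU eviction keeps the cache under layer_cache_max_gigabytes, but the scratch working set for the image currently being analyzed is not bounded by that setting.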