Deploy using Docker Compose

In this topic, you’ll learn how to use Docker Compose to get up and running with a stand-alone Anchore Enterprise deployment for trial, demonstration, and review purposes only.

Important: Supported deployments of Anchore Enterprise should use the Helm-based deployment, which enables easier scaling, modular deployment, and fine-grained configuration.

If you would like to gain a deeper understanding of Anchore and its concepts, review the Overview topic prior to deployment of Anchore Enterprise.

Configuration Files for Docker Compose:

Requirements

The following instructions assume you are using a system running Docker v1.12 or higher, and a version of Docker Compose that supports at least v2 of the docker-compose configuration format.

  • A stand-alone deployment requires at least 4GB of RAM, and enough disk space to support the largest container images or source repositories that you intend to analyze. Plan for three times the size of the largest source repository or container image. For small tests, such as basic Linux distro images or database images, between 5GB and 10GB of disk space should be sufficient.
  • To access Anchore Enterprise, you need a valid license.yaml file that has been issued to you by Anchore. If you do not have a license yet, visit the Anchore Contact page to request one.

Step 1: Ensure you can authenticate to DockerHub to pull the images

You’ll need authenticated access to the anchore/enterprise and anchore/enterprise-ui repositories on DockerHub. Anchore support should have granted your DockerHub user access when you received your license.

# docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username: <your_dockerhub_account>
Password: <your_dockerhub_password>

Step 2: Download compose, copy license, and start.

Now, ensure the license.yaml file you got from Anchore Sales/Support is in the directory where you want to run the containers from, then download the compose file and start it. You can use the link at the top of this page, or use curl or wget to download it as shown in the following example.

# cp <path/to/your/license.yaml> ./license.yaml
# curl https://docs.anchore.com/current/docs/deployment/docker_compose/docker-compose.yaml > docker-compose.yaml
# docker-compose up -d

Step 3: Install AnchoreCTL

Next, we’ll install the lightweight Anchore Enterprise client tool, quickly test using the version operation, and set up a few environment variables to allow it to interact with your quickstart deployment using the following process:

# curl -sSfL https://anchorectl-releases.anchore.io/anchorectl/install.sh | sh -s -- -b . v5.3.0

# ./anchorectl version
Application:        anchorectl
Version:            5.3.0
SyftVersion:        v0.97.1
BuildDate:          2023-11-21T22:09:54Z
GitCommit:          f7604438b45f7161c11145999897d4ae3efcb0c8
GitDescription:     v5.3.0
Platform:           linux/amd64
GoVersion:          go1.21.1
Compiler:           gc

# export ANCHORECTL_URL="http://localhost:8228"
# export ANCHORECTL_USERNAME="admin"
# export ANCHORECTL_PASSWORD="foobar"

NOTE: for this quickstart, we’re installing the tool in your local directory ./ and will be using environment variables throughout. To more permanently install and configure anchorectl to remove the need for setting environment variables and putting the tool in a globally accessible path, see Installing AnchoreCTL.

Step 4: Verify service availability

After a few minutes (depending on system speed) Anchore Enterprise and Anchore UI services should be up and running, ready to use. You can verify the containers are running with docker-compose, as shown in the following example.

# docker-compose ps
             Name                           Command                  State               Ports         
-------------------------------------------------------------------------------------------------------
anchorequickstart_analyzer_1          /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp              
anchorequickstart_anchore-db_1        docker-entrypoint.sh postgres    Up             5432/tcp              
anchorequickstart_api_1               /docker-entrypoint.sh anch ...   Up (healthy)   0.0.0.0:8228->8228/tcp
anchorequickstart_catalog_1           /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp              
anchorequickstart_notifications_1     /docker-entrypoint.sh anch ...   Up (healthy)   0.0.0.0:8668->8228/tcp
anchorequickstart_policy-engine_1     /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp              
anchorequickstart_queue_1             /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp              
anchorequickstart_rbac-authorizer_1   /docker-entrypoint.sh anch ...   Up (healthy)   8089/tcp, 8228/tcp    
anchorequickstart_rbac-manager_1      /docker-entrypoint.sh anch ...   Up (healthy)   0.0.0.0:8229->8228/tcp
anchorequickstart_reports_1           /docker-entrypoint.sh anch ...   Up (healthy)   0.0.0.0:8558->8228/tcp
anchorequickstart_reports_worker_1    /docker-entrypoint.sh anch ...   Up (healthy)   0.0.0.0:55427->8228/tcp
anchorequickstart_ui-redis_1          docker-entrypoint.sh redis ...   Up             6379/tcp              
anchorequickstart_ui_1                /docker-entrypoint.sh node ...   Up             0.0.0.0:3000->3000/tcp
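
Added example, not part of the Anchore documentation: several rows in the output above are published on 0.0.0.0, so this script lists which host ports the quickstart exposes on every interface and which of them fall outside an allow-list. The function names and the allow-list (3000 and 8228, the two ports this guide uses from the host) are assumptions; the sample rows are taken from the output above.

```shell
#!/bin/sh
# Added example (not Anchore tooling): report containers whose ports
# docker-compose has published on every host interface.

# Reads `docker-compose ps` text on stdin and prints
# "<container> <host_port> <container_port>" for each mapping bound
# to 0.0.0.0 or the IPv6 wildcard.
wildcard_listeners() {
  awk '{
    for (i = 2; i <= NF; i++) {
      f = $i
      sub(/,$/, "", f)                 # several mappings are comma-separated
      if (f !~ /^(0\.0\.0\.0|\[::\]|::):[0-9]+->[0-9]+/) continue
      split(f, side, "->")             # side[1] = host part, side[2] = container part
      n = split(side[1], host, ":")    # host port is the last ":" component
      split(side[2], ctr, "/")         # drop the /tcp or /udp suffix
      print $1, host[n], ctr[1]
    }
  }'
}

# Filters wildcard_listeners output down to host ports NOT named in $1,
# a space-separated allow-list chosen by the operator.
unexpected_listeners() {
  wildcard_listeners | awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($2 in ok)'
}

# Rows taken from the Step 4 output on this page (abridged).
sample_ps() {
  cat <<'EOF'
             Name                           Command                  State               Ports
-------------------------------------------------------------------------------------------------------
anchorequickstart_analyzer_1          /docker-entrypoint.sh anch ...   Up (healthy)   8228/tcp
anchorequickstart_api_1               /docker-entrypoint.sh anch ...   Up (healthy)   0.0.0.0:8228->8228/tcp
anchorequickstart_notifications_1     /docker-entrypoint.sh anch ...   Up (healthy)   0.0.0.0:8668->8228/tcp
anchorequickstart_rbac-authorizer_1   /docker-entrypoint.sh anch ...   Up (healthy)   8089/tcp, 8228/tcp
anchorequickstart_rbac-manager_1      /docker-entrypoint.sh anch ...   Up (healthy)   0.0.0.0:8229->8228/tcp
anchorequickstart_reports_worker_1    /docker-entrypoint.sh anch ...   Up (healthy)   0.0.0.0:55427->8228/tcp
anchorequickstart_ui_1                /docker-entrypoint.sh node ...   Up             0.0.0.0:3000->3000/tcp
EOF
}

# Assumed allow-list: only the API (8228) and the UI (3000) are used from the host in this guide.
sample_ps | unexpected_listeners "3000 8228"
```

Against a live deployment, pipe `docker-compose ps` into `unexpected_listeners` in place of `sample_ps`.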

You can then run a command to get the status of the Anchore Enterprise services:


# ./anchorectl system status
 ✔ Status system
┌─────────────────┬────────────────────┬─────────────────────────────┬──────┬────────────────┬────────────┬──────────────┐
│ SERVICE         │ HOST ID            │ URL                         │ UP   │ STATUS MESSAGE │ DB VERSION │ CODE VERSION │
├─────────────────┼────────────────────┼─────────────────────────────┼──────┼────────────────┼────────────┼──────────────┤
│ analyzer        │ anchore-quickstart │ http://analyzer:8228        │ true │ available      │ 530        │ 5.3.0        │
│ policy_engine   │ anchore-quickstart │ http://policy-engine:8228   │ true │ available      │ 530        │ 5.3.0        │
│ apiext          │ anchore-quickstart │ http://api:8228             │ true │ available      │ 530        │ 5.3.0        │
│ reports         │ anchore-quickstart │ http://reports:8228         │ true │ available      │ 530        │ 5.3.0        │
│ reports_worker  │ anchore-quickstart │ http://reports-worker:8228  │ true │ available      │ 530        │ 5.3.0        │
│ simplequeue     │ anchore-quickstart │ http://queue:8228           │ true │ available      │ 530        │ 5.3.0        │
│ rbac_manager    │ anchore-quickstart │ http://rbac-manager:8228    │ true │ available      │ 530        │ 5.3.0        │
│ notifications   │ anchore-quickstart │ http://notifications:8228   │ true │ available      │ 530        │ 5.3.0        │
│ rbac_authorizer │ anchore-quickstart │ http://rbac-authorizer:8228 │ true │ available      │ 530        │ 5.3.0        │
│ catalog         │ anchore-quickstart │ http://catalog:8228         │ true │ available      │ 530        │ 5.3.0        │
└─────────────────┴────────────────────┴─────────────────────────────┴──────┴────────────────┴────────────┴──────────────┘

Note: The first time you run Anchore Enterprise, vulnerability data will sync to the system in a few minutes. If the on-prem feed service is also used, it will take a while for the vulnerability data to get synced into the system (two plus hours in many cases, depending on network speed). For the best experience, wait until the core vulnerability data feeds have completed before proceeding. You can check the status of your feed sync using AnchoreCTL:

# ./anchorectl feed list
 ✔ List feed
┌─────────────────┬─────────────────┬─────────┬──────────────────────┬──────────────┐
│ FEED            │ GROUP           │ ENABLED │ LAST SYNC            │ RECORD COUNT │
├─────────────────┼─────────────────┼─────────┼──────────────────────┼──────────────┤
│ vulnerabilities │ alpine:3.10     │ true    │ 2022-08-26T14:08:51Z │ 2331         │
│ vulnerabilities │ alpine:3.11     │ true    │ 2022-08-26T14:08:51Z │ 2665         │
│ vulnerabilities │ alpine:3.12     │ true    │ 2022-08-26T14:08:51Z │ 3205         │
│ vulnerabilities │ alpine:3.13     │ true    │ 2022-08-26T14:08:51Z │ 3656         │
│ vulnerabilities │ alpine:3.14     │ true    │ 2022-08-26T14:08:51Z │ 4097         │
│ vulnerabilities │ alpine:3.15     │ true    │ 2022-08-26T14:08:51Z │ 4479         │
│ vulnerabilities │ alpine:3.16     │ true    │ 2022-08-26T14:08:51Z │ 4763         │
│ vulnerabilities │ alpine:3.2      │ true    │ 2022-08-26T14:08:51Z │ 306          │
│ vulnerabilities │ alpine:3.3      │ true    │ 2022-08-26T14:08:51Z │ 471          │
│ vulnerabilities │ alpine:3.4      │ true    │ 2022-08-26T14:08:51Z │ 683          │
│ vulnerabilities │ alpine:3.5      │ true    │ 2022-08-26T14:08:51Z │ 903          │
│ vulnerabilities │ alpine:3.6      │ true    │ 2022-08-26T14:08:51Z │ 1077         │
│ vulnerabilities │ alpine:3.7      │ true    │ 2022-08-26T14:08:51Z │ 1462         │
│ vulnerabilities │ alpine:3.8      │ true    │ 2022-08-26T14:08:51Z │ 1675         │
│ vulnerabilities │ alpine:3.9      │ true    │ 2022-08-26T14:08:51Z │ 1962         │
│ vulnerabilities │ amzn:2          │ true    │ 2022-08-26T14:08:51Z │ 925          │
│ vulnerabilities │ amzn:2022       │ true    │ 2022-08-26T14:08:51Z │ 124          │
│ vulnerabilities │ debian:10       │ true    │ 2022-08-26T14:08:51Z │ 28893        │
│ vulnerabilities │ debian:11       │ true    │ 2022-08-26T14:08:51Z │ 26431        │
│ vulnerabilities │ debian:12       │ true    │ 2022-08-26T14:08:51Z │ 25660        │
│ vulnerabilities │ debian:7        │ true    │ 2022-08-26T14:08:51Z │ 20455        │
│ vulnerabilities │ debian:8        │ true    │ 2022-08-26T14:08:51Z │ 24058        │
│ vulnerabilities │ debian:9        │ true    │ 2022-08-26T14:08:51Z │ 28240        │
│ vulnerabilities │ debian:unstable │ true    │ 2022-08-26T14:08:51Z │ 31740        │
│ vulnerabilities │ github:composer │ true    │ 2022-08-26T14:08:51Z │ 1000         │
│ vulnerabilities │ github:gem      │ true    │ 2022-08-26T14:08:51Z │ 473          │
│ vulnerabilities │ github:go       │ true    │ 2022-08-26T14:08:51Z │ 566          │
│ vulnerabilities │ github:java     │ true    │ 2022-08-26T14:08:51Z │ 2057         │
│ vulnerabilities │ github:npm      │ true    │ 2022-08-26T14:08:51Z │ 2585         │
│ vulnerabilities │ github:nuget    │ true    │ 2022-08-26T14:08:51Z │ 216          │
│ vulnerabilities │ github:python   │ true    │ 2022-08-26T14:08:51Z │ 1244         │
│ vulnerabilities │ github:rust     │ true    │ 2022-08-26T14:08:51Z │ 289          │
│ vulnerabilities │ nvd             │ true    │ 2022-08-26T14:08:51Z │ 193942       │
│ vulnerabilities │ ol:5            │ true    │ 2022-08-26T14:08:51Z │ 1255         │
│ vulnerabilities │ ol:6            │ true    │ 2022-08-26T14:08:51Z │ 1666         │
│ vulnerabilities │ ol:7            │ true    │ 2022-08-26T14:08:51Z │ 1837         │
│ vulnerabilities │ ol:8            │ true    │ 2022-08-26T14:08:51Z │ 1028         │
│ vulnerabilities │ ol:9            │ true    │ 2022-08-26T14:08:51Z │ 56           │
│ vulnerabilities │ rhel:5          │ true    │ 2022-08-26T14:08:51Z │ 7827         │
│ vulnerabilities │ rhel:6          │ true    │ 2022-08-26T14:08:51Z │ 8352         │
│ vulnerabilities │ rhel:7          │ true    │ 2022-08-26T14:08:51Z │ 7847         │
│ vulnerabilities │ rhel:8          │ true    │ 2022-08-26T14:08:51Z │ 4198         │
│ vulnerabilities │ rhel:9          │ true    │ 2022-08-26T14:08:51Z │ 1097         │
│ vulnerabilities │ sles:11         │ true    │ 2022-08-26T14:08:51Z │ 594          │
│ vulnerabilities │ sles:11.1       │ true    │ 2022-08-26T14:08:51Z │ 6125         │
│ vulnerabilities │ sles:11.2       │ true    │ 2022-08-26T14:08:51Z │ 3291         │
│ vulnerabilities │ sles:11.3       │ true    │ 2022-08-26T14:08:51Z │ 7081         │
│ vulnerabilities │ sles:11.4       │ true    │ 2022-08-26T14:08:51Z │ 6583         │
│ vulnerabilities │ sles:12         │ true    │ 2022-08-26T14:08:51Z │ 5918         │
│ vulnerabilities │ sles:12.1       │ true    │ 2022-08-26T14:08:51Z │ 6206         │
│ vulnerabilities │ sles:12.2       │ true    │ 2022-08-26T14:08:51Z │ 7625         │
│ vulnerabilities │ sles:12.3       │ true    │ 2022-08-26T14:08:51Z │ 9395         │
│ vulnerabilities │ sles:12.4       │ true    │ 2022-08-26T14:08:51Z │ 9428         │
│ vulnerabilities │ sles:12.5       │ true    │ 2022-08-26T14:08:51Z │ 9810         │
│ vulnerabilities │ sles:15         │ true    │ 2022-08-26T14:08:51Z │ 8500         │
│ vulnerabilities │ sles:15.1       │ true    │ 2022-08-26T14:08:51Z │ 8168         │
│ vulnerabilities │ sles:15.2       │ true    │ 2022-08-26T14:08:51Z │ 7684         │
│ vulnerabilities │ sles:15.3       │ true    │ 2022-08-26T14:08:51Z │ 7830         │
│ vulnerabilities │ sles:15.4       │ true    │ 2022-08-26T14:08:51Z │ 7435         │
│ vulnerabilities │ ubuntu:12.04    │ true    │ 2022-08-26T14:08:51Z │ 14963        │
│ vulnerabilities │ ubuntu:12.10    │ true    │ 2022-08-26T14:08:51Z │ 5652         │
│ vulnerabilities │ ubuntu:13.04    │ true    │ 2022-08-26T14:08:51Z │ 4127         │
│ vulnerabilities │ ubuntu:14.04    │ true    │ 2022-08-26T14:08:51Z │ 29362        │
│ vulnerabilities │ ubuntu:14.10    │ true    │ 2022-08-26T14:08:51Z │ 4456         │
│ vulnerabilities │ ubuntu:15.04    │ true    │ 2022-08-26T14:08:51Z │ 6240         │
│ vulnerabilities │ ubuntu:15.10    │ true    │ 2022-08-26T14:08:51Z │ 6513         │
│ vulnerabilities │ ubuntu:16.04    │ true    │ 2022-08-26T14:08:51Z │ 26480        │
│ vulnerabilities │ ubuntu:16.10    │ true    │ 2022-08-26T14:08:51Z │ 8647         │
│ vulnerabilities │ ubuntu:17.04    │ true    │ 2022-08-26T14:08:51Z │ 9157         │
│ vulnerabilities │ ubuntu:17.10    │ true    │ 2022-08-26T14:08:51Z │ 7943         │
│ vulnerabilities │ ubuntu:18.04    │ true    │ 2022-08-26T14:08:51Z │ 20984        │
│ vulnerabilities │ ubuntu:18.10    │ true    │ 2022-08-26T14:08:51Z │ 8400         │
│ vulnerabilities │ ubuntu:19.04    │ true    │ 2022-08-26T14:08:51Z │ 8669         │
│ vulnerabilities │ ubuntu:19.10    │ true    │ 2022-08-26T14:08:51Z │ 8431         │
│ vulnerabilities │ ubuntu:20.04    │ true    │ 2022-08-26T14:08:51Z │ 14810        │
│ vulnerabilities │ ubuntu:20.10    │ true    │ 2022-08-26T14:08:51Z │ 9996         │
│ vulnerabilities │ ubuntu:21.04    │ true    │ 2022-08-26T14:08:51Z │ 11343        │
│ vulnerabilities │ ubuntu:21.10    │ true    │ 2022-08-26T14:08:51Z │ 12673        │
│ vulnerabilities │ ubuntu:22.04    │ true    │ 2022-08-26T14:08:51Z │ 12992        │
└─────────────────┴─────────────────┴─────────┴──────────────────────┴──────────────┘

As soon as you see RECORD COUNT values set for all vulnerability groups, the system is fully populated and ready to present vulnerability results. Note that feed syncs are incremental, so the next time you start up Anchore Enterprise it will be ready immediately. AnchoreCTL includes a useful utility that will block until the feeds have completed a successful sync:


# ./anchorectl system wait
 ✔ API available                                                                                        system
 ✔ Services available                        [10 up]                                                    system
 ✔ Vulnerabilities feed ready                                                                           system

Step 5: Start using Anchore

To get started, you can add a few images to Anchore Enterprise using AnchoreCTL. Once complete, you can also run an additional AnchoreCTL command to monitor the analysis state of the added images, waiting until the images move into an ‘analyzed’ state.

# ./anchorectl image add docker.io/library/alpine:latest
 ✔ Added Image                                                                                                              docker.io/library/alpine:latest
Image:
  status:           not-analyzed (active)
  tag:              docker.io/library/alpine:latest
  digest:           sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870
  id:               9c6f0724472873bb50a2ae67a9e7adcb57673a183cea8b06eb778dca859181b5

# ./anchorectl image add docker.io/library/nginx:latest
 ✔ Added Image                                                                                                              docker.io/library/nginx:latest
Image:
  status:           not-analyzed (active)
  tag:              docker.io/library/nginx:latest
  digest:           sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc
  id:               2b7d6430f78d432f89109b29d88d4c36c868cdbf15dc31d2132ceaa02b993763
  distro:           debian@11 (amd64)
  layers:           6

# ./anchorectl image list
 ✔ Fetched images
┌───────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────┬──────────────┬────────┐
│ TAG                                                   │ DIGEST                                                                  │ ANALYSIS     │ STATUS │
├───────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────┼──────────────┼────────┤
│ docker.io/library/alpine:latest                       │ sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870 │ analyzed     │ active │
│ docker.io/library/nginx:latest                        │ sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc │ not_analyzed │ active │
└───────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────┴──────────────┴────────┘

# ./anchorectl image add docker.io/library/nginx:latest --force --wait
 ⠏ Adding Image                                                                                                              docker.io/library/nginx:latest
 ⠼ Analyzing Image                           [analyzing]                                                                     docker.io/library/nginx:latest
...
...
 ✔ Analyzed Image                                                                                                            docker.io/library/nginx:latest
Image:
  status:           analyzed (active)
  tags:             docker.io/library/nginx:latest
  digest:           sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc
  id:               2b7d6430f78d432f89109b29d88d4c36c868cdbf15dc31d2132ceaa02b993763
  distro:           debian@11 (amd64)
  layers:           6

# ./anchorectl image list
 ✔ Fetched images
┌───────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────────────────┬──────────┬────────┐
│ TAG                                                   │ DIGEST                                                                  │ ANALYSIS │ STATUS │
├───────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────────────────┼──────────┼────────┤
│ docker.io/library/alpine:latest                       │ sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870 │ analyzed │ active │
│ docker.io/library/nginx:latest                        │ sha256:89020cd33be2767f3f894484b8dd77bc2e5a1ccc864350b92c53262213257dfc │ analyzed │ active │
└───────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────┴──────────┴────────┘

Now that some images are in place, you can point your browser at the Anchore Enterprise UI by directing it to http://localhost:3000/.

Enter the username admin and password foobar to log in. These are some of the features you can use in the browser:

  • Navigate images
  • Inspect image contents
  • Perform security scans
  • Review compliance policy evaluations
  • Edit compliance policies with a complete policy editor UI
  • Manage accounts, users, and RBAC assignments
  • Review system events

Note: This document is intended to serve as a quickstart guide. Before moving further with Anchore Enterprise, it is highly recommended to read the Overview sections to gain a deeper understanding of fundamentals, concepts, and proper usage.

Enable Microsoft Windows Image Support

To enable scanning of Microsoft Windows images, you’ll have to configure the system to deploy a feed service and set up the proper drivers to collect vulnerability data for Microsoft Windows.

For more information, see: Enable Microsoft Windows Scanning.

Next Steps

Now that you have Anchore Enterprise running, you can begin to learn more about Anchore capabilities, architecture, concepts, and more.

Optional: Enabling Prometheus Monitoring

  1. Uncomment the following section at the bottom of the docker-compose.yaml file:

    #  # Uncomment this section to add a prometheus instance to gather metrics. This is mostly for quickstart to demonstrate prometheus metrics exported
    #  prometheus:
    #    image: docker.io/prom/prometheus:latest
    #    depends_on:
    #      - api
    #    volumes:
    #      - ./anchore-prometheus.yml:/etc/prometheus/prometheus.yml:z
    #    logging:
    #      driver: "json-file"
    #      options:
    #        max-size: 100m
    #    ports:
    #      - "9090:9090"
    #
    
  2. For each service entry in the docker-compose.yaml file, change the following setting to enable metrics in that service's API:

    ANCHORE_ENABLE_METRICS=false
    

    to

    ANCHORE_ENABLE_METRICS=true
    
  3. Download the example prometheus configuration into the same directory as the docker-compose.yaml file, with name anchore-prometheus.yml:

    curl https://docs.anchore.com/current/docs/quickstart/anchore-prometheus.yml > anchore-prometheus.yml
    docker compose up -d
    

    Result: You should see a new container started, and you can access Prometheus via your browser on http://localhost:9090.

Optional: Enabling Swagger UI

  1. Uncomment the following section at the bottom of the docker-compose.yaml file:

    #  # Uncomment this section to run a swagger UI service, for inspecting and interacting with the system API via a browser (http://localhost:8080 by default, change if needed in both sections below)
    #  swagger-ui-nginx:
    #    image: docker.io/nginx:latest
    #    depends_on:
    #      - api
    #      - swagger-ui
    #    ports:
    #      - "8080:8080"
    #    volumes:
    #      - ./anchore-swaggerui-nginx.conf:/etc/nginx/nginx.conf:z
    #    logging:
    #      driver: "json-file"
    #      options:
    #        max-size: 100m
    #  swagger-ui:
    #    image: docker.io/swaggerapi/swagger-ui
    #    environment:
    #      - URL=http://localhost:8080/v2/openapi.json
    #    logging:
    #      driver: "json-file"
    #      options:
    #        max-size: 100m
    
  2. Download the nginx configuration into the same directory as the docker-compose.yaml file, with name anchore-swaggerui-nginx.conf:

    curl https://docs.anchore.com/current/docs/deployment/anchore-swaggerui-nginx.conf > anchore-swaggerui-nginx.conf
    docker compose up -d
    

    Result: You should see a new container started, and you can access Swagger UI via your browser on http://localhost:8080.

Last modified February 19, 2024