Anchore Enterprise runs a hosted data service called the Anchore Data Service, which publishes datasets from a number of provider sources. The Data Syncer Service is a core component of Enterprise; its job is to periodically query the Anchore Data Service and download any new datasets that are available.
Performing a basic health check
Run $ anchorectl feed list as admin and ensure that:
- The last sync date shown is recent and the feed shows enabled set to true.
Run $ anchorectl feed sync as admin, which will:
- Queue an update to fetch the data from the data service and propagate feed data across internal services.
- Without a manual trigger, this sync runs on a regular schedule.
You can also visually check the health in the ‘System’ section of the UI when logged in as admin.
Configuration checks
Check that the data-syncer pod/container has the resources it needs:
Storage
- Ensure your data syncer pod has enough storage (around 2 GB of writable space) to cache the datasets to disk; this reduces database queries.
Memory
- Ensure the data syncer pod has sufficient memory (around 2 GB of memory), especially if you are running multiple analyzers.
Network
- Ensure your data-syncer pod / container has network connectivity to hosted feed service by exec’ing into the container and then:
- If you have a network proxy deployed, you might need to configure your feed service to utilize it:
- Ensure your policy pod / container has network connectivity to your local data-syncer pod / container
- Run e.g. curl http://anchore-data-syncer:8448/v2/datasets/vulnerability_db/5/latest and confirm it returns success to verify connectivity.
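A scripted version of the checks above (the feed list inspection and the policy-engine-to-data-syncer connectivity check), added here as an example and not Anchore's own code. It assumes anchorectl accepts -o json and reports feeds with fields named name, enabled and last_full_sync, and it uses a 24-hour staleness threshold; a 404 from the data-syncer endpoint is treated as connectivity confirmed but datasets not yet synced.

```python
import json
import subprocess
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

MAX_SYNC_AGE = timedelta(hours=24)  # assumption: a sync older than this counts as stale
DATASYNCER_URL = "http://anchore-data-syncer:8448/v2/datasets/vulnerability_db/5/latest"
SAMPLE_FEEDS = [  # constructed sample in the assumed shape of `anchorectl feed list -o json`
    {"name": "vulnerabilities", "enabled": True, "last_full_sync": "2024-06-01T10:00:00Z"},
    {"name": "clamav", "enabled": True, "last_full_sync": "2024-05-20T10:00:00Z"},
]

def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2024-06-01T10:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_feeds(feeds, now=None, max_age=MAX_SYNC_AGE):
    """List feeds that are disabled, never synced, or whose last sync is older than max_age."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for feed in feeds:
        name, last = feed.get("name", "?"), feed.get("last_full_sync")
        if not feed.get("enabled", False):
            problems.append(f"{name}: enabled is false")
        elif not last:
            problems.append(f"{name}: never synced")
        elif now - parse_ts(last) > max_age:
            problems.append(f"{name}: last sync {last} is older than {max_age}")
    return problems

def datasyncer_status(url=DATASYNCER_URL, timeout=5):
    """Return (reachable, detail); a 404 still proves connectivity and is expected shortly after startup."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return True, f"HTTP {resp.status}: dataset available"
    except urllib.error.HTTPError as e:
        return e.code == 404, f"HTTP {e.code}" + (" (datasets still downloading, retry in a few minutes)" if e.code == 404 else "")
    except (urllib.error.URLError, OSError) as e:
        return False, f"no connectivity: {e}"

if __name__ == "__main__":
    try:  # read the live feed list; fall back to the constructed sample if anchorectl is not installed
        feeds = json.loads(subprocess.run(["anchorectl", "feed", "list", "-o", "json"], capture_output=True, text=True, check=True).stdout)
    except FileNotFoundError:
        feeds = SAMPLE_FEEDS
    for problem in stale_feeds(feeds):
        print("FEED PROBLEM:", problem)
    ok, detail = datasyncer_status()
    print("data-syncer reachable:" if ok else "data-syncer NOT reachable:", detail)
```

Run it from inside the policy-engine pod (or anywhere that resolves anchore-data-syncer) so the connectivity check exercises the same path the Policy Engine Service uses.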
Operational Checks and Verification
- Feed list shows up empty: Check whether your feed syncs are happening; there should be successful data_syncer events in the event log. If there are failures, open the event in the event log to see the cause of the failure.
- Data-syncer is reporting errors fetching new datasets: Check the Anchore Data Service Status Page. If the service is reported as up and running, check your firewall settings. If the service is reporting any failures, wait for the service to recover.
- I see a lot of 404s in the data-syncer and policy engine logs as soon as the services start: This is normal. The data-syncer takes a few minutes after startup to sync down the configured datasets from the Anchore Data Service, while the Policy Engine Service starts asking for the latest vulnerability dataset as soon as it starts up, so it takes a few minutes for the system to reconcile. (This only applies to new greenfield deployments.)
- My first analyzer scan takes longer than the rest: The first analyzer scan can take up to 5 minutes because the analyzer waits for the data-syncer to sync down a ClamAV database. Subsequent scans will not incur this penalty.