You can set up Clair as a combined deployment.
You will need an Arm-based instance from a cloud service provider or any Arm server running Linux.
The instructions are tested on Ubuntu. Other Linux distributions are possible with some modifications.
In combined deployment, all Clair services run in a single OS process. This is the easiest deployment model to configure.
wget https://github.com/quay/clair/releases/download/v4.5.1/clair-v4.5.1.tar.gz
tar -xvf clair-v4.5.1.tar.gz
cd clair-v4.5.1
docker-compose.yaml to set up the database
You need a postgres database for Clair to store all vulnerabilities specific to containers.
Because postgres runs inside a private container network and Clair runs on localhost, you need to expose postgres port 5432 to
Use a text editor to open docker-compose.yaml and search for the
Add the 2 lines to the clair-database section of the compose file:
ports:
  - "5432:5432"
The clair-database section should look like this:
clair-database:
  ports:
    - "5432:5432"
  container_name: clair-database
Use docker compose to start the database service:
sudo docker compose up -d clair-database
You can view the running postgres service with Docker:
The output will be similar to:
CONTAINER ID   IMAGE         COMMAND                  CREATED          STATUS                    PORTS                                       NAMES
f4f1cba58e9e   postgres:12   "docker-entrypoint.s…"   29 seconds ago   Up 20 seconds (healthy)   0.0.0.0:5432->5432/tcp, :::5432->5432/tcp   clair-database
Clair uses a configuration file to configure the indexer, matcher and notifier.
In combined mode, you need to configure the indexer, matcher and notifier to communicate with postgres exposed on port 5432 of
Use a text editor to open and modify the configuration file at
Find the value of connstring, which appears 3 times in the file: there is a connstring for each of the indexer, matcher and notifier.
In each case, replace the connstring with the new value:
indexer:
  connstring: host=localhost port=5432 user=clair dbname=indexer sslmode=disable
matcher:
  connstring: host=localhost port=5432 user=clair dbname=matcher sslmode=disable
notifier:
  connstring: host=localhost port=5432 user=clair dbname=notifier sslmode=disable
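A quick way to confirm that all three connstring entries were updated before starting Clair. This is an added example, not part of the original instructions or of the Clair project: the helper name check_clair_conf is hypothetical, the sample config is constructed, and the parser assumes the simple layout shown above (an unindented section key followed by an indented connstring line).

```shell
#!/bin/sh
# check_clair_conf FILE  (hypothetical helper name, not part of Clair)
# Exit 0 only if indexer, matcher and notifier each have a connstring with
# host=localhost, port=5432 and a dbname equal to the section name.
check_clair_conf() {
    awk '
        # An unindented YAML key opens a new top-level section.
        /^[A-Za-z_]+:/ { section = $1; sub(/:.*/, "", section); next }
        # Keep the first indented connstring seen inside each section.
        /^[ \t]+connstring:/ && !(section in conn) {
            value = $0
            sub(/^[ \t]+connstring:[ \t]*/, "", value)
            conn[section] = value
        }
        END {
            n = split("indexer matcher notifier", want, " ")
            for (i = 1; i <= n; i++) {
                s = want[i]
                if (!(s in conn)) { print s ": connstring missing"; bad++; continue }
                c = " " conn[s] " "   # pad so whole key=value words match
                if (!index(c, " host=localhost ") || !index(c, " port=5432 ") ||
                    !index(c, " dbname=" s " ")) {
                    print s ": unexpected connstring: " conn[s]; bad++
                } else print s ": ok"
                if (index(c, " sslmode=disable "))
                    print s ": note: sslmode=disable, database traffic is not encrypted"
            }
            exit (bad > 0)
        }
    ' "$1"
}

# Constructed sample: the notifier entry was not updated.
sample=$(mktemp)
cat > "$sample" <<'EOF'
indexer:
  connstring: host=localhost port=5432 user=clair dbname=indexer sslmode=disable
matcher:
  connstring: host=localhost port=5432 user=clair dbname=matcher sslmode=disable
notifier:
  connstring: host=old-db-host user=clair dbname=notifier sslmode=disable
EOF
check_clair_conf "$sample" || echo "config needs fixing"
rm -f "$sample"
```

To check the real file, source the function and pass it the path of the configuration file you edited.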
Generate the Clair binary with Go:
go build ./cmd/clair
This will create a clair binary in the top directory.
Run the Clair combined deployment:
./clair -conf "./local-dev/clair/config.yaml" -mode "combo"
The log in the terminal confirms that Clair is running successfully as a combined deployment.
You can now open a new terminal and submit the manifest to generate the vulnerability report.