Harbor registry
Harbor is a free and open-source registry that stores container images and other OCI artifacts and adds security and management controls on top of plain storage: project-level role-based access control, vulnerability scanning of stored images, signature verification of artifacts, and audit logging. Whether you run Kubernetes or plain Docker, Harbor gives you a private place to store and distribute images with those policies enforced across cloud-native platforms.
Why you might want a private container registry
Sharing is a good thing, but some software needs to stay private. Trade secrets and intellectual property are two reasons to run a private registry; speed (pulling from a registry next to your cluster), customization, and security (deciding who may push what, and scanning images before they are deployed) are others.
Harbor Installation and Configuration
1. Download the Harbor installer (the offline installer bundles all the images, so the host needs no internet access during install).
2. Unpack the offline installer.
3. cp harbor.yml.tmpl harbor.yml
4. Edit harbor.yml:
→ hostname: reg.mydomain.com (set this to the DNS name clients will use to reach the registry; with TLS it must match the certificate)
→ # external_url: https://reg.mydomain.com:8433 (uncomment only when clients reach Harbor through a reverse proxy on a different URL or port, and keep the scheme consistent with what is actually served)
→ comment out the https block to run over plain HTTP. Harbor itself warns at the prepare step that HTTP is insecure and will be dropped in a future release, so do this only in an isolated lab; anywhere else keep https enabled and point certificate and private_key at your files.
Example
5. Execute the prepare script
root@Docker-Master:~/harbor# ./prepare
prepare base dir is set to /root/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
6. Execute the install script (it runs docker compose for you; install.sh also accepts --with-trivy if you want the scanner deployed in the same step, the manual alternative is described in the Trivy section)
#./install.sh
Creating harbor-log ... done
Creating redis ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating registry ... done
Creating harbor-db ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
root@Docker-Master:~/harbor# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0f1396d499da goharbor/harbor-jobservice:v2.7.3 "/harbor/entrypoint.…" 53 minutes ago Up 53 minutes (healthy) harbor-jobservice
ab502911bcd7 goharbor/nginx-photon:v2.7.3 "nginx -g 'daemon of…" 53 minutes ago Up 53 minutes (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp nginx
ea913e971a0e goharbor/harbor-core:v2.7.3 "/harbor/entrypoint.…" 53 minutes ago Up 53 minutes (healthy) harbor-core
f7bf2c423591 goharbor/harbor-db:v2.7.3 "/docker-entrypoint.…" 53 minutes ago Up 53 minutes (healthy) harbor-db
2a86ea120ca5 goharbor/registry-photon:v2.7.3 "/home/harbor/entryp…" 53 minutes ago Up 53 minutes (healthy) registry
2b4b2b24239c goharbor/harbor-portal:v2.7.3 "nginx -g 'daemon of…" 53 minutes ago Up 53 minutes (healthy) harbor-portal
8f95c9c92c2c goharbor/harbor-registryctl:v2.7.3 "/home/harbor/start.…" 53 minutes ago Up 53 minutes (healthy) registryctl
455cca55086b goharbor/redis-photon:v2.7.3 "redis-server /etc/r…" 53 minutes ago Up 53 minutes (healthy) redis
890eadd4ab47 goharbor/harbor-log:v2.7.3 "/bin/sh -c /usr/loc…" 53 minutes ago Up 53 minutes (healthy) 127.0.0.1:1514->10514/tcp harbor-log
b0cb5c98c1b2 nginx:latest "/docker-entrypoint.…" 2 hours ago Up 2 hours 80/tcp myapp.1.vnmeb0ybp2ncr3sy8yncx3dbu
root@Docker-Master:~/harbor#
Login page
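The steps above switch Harbor to plain HTTP for the lab, which is what the prepare warning at step 5 is about. For anything beyond a lab, leave the https block in harbor.yml in place instead. The stanza below is an added example, not copied from the page or from the Harbor project; the certificate paths are assumptions and should point at a certificate whose subject alternative name matches hostname.

```yaml
hostname: reg.mydomain.com

# Keep http only for the redirect: when https is configured, Harbor's nginx
# redirects port 80 to https. Delete the block to refuse plaintext entirely.
http:
  port: 80

https:
  port: 443
  certificate: /data/cert/reg.mydomain.com.crt   # assumed path
  private_key: /data/cert/reg.mydomain.com.key   # assumed path

# Default is Harbor12345; change it before the first start.
harbor_admin_password: <set-a-strong-password>
```

Clients then trust the issuing CA instead of relying on insecure-registries: for Docker, copy the CA certificate to /etc/docker/certs.d/reg.mydomain.com/ca.crt; for containerd nodes, put it under /etc/containerd/certs.d/reg.mydomain.com/ next to a hosts.toml. Re-run ./prepare after editing harbor.yml so the generated nginx configuration picks up the change.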
Installing Harbor with Trivy
Create a directory to store Trivy config
mkdir -p ./common/config/trivy-adapter
Create the env file with the scanner's environment variables:
cat << EOF > ./common/config/trivy-adapter/env
SCANNER_LOG_LEVEL=trace
SCANNER_STORE_REDIS_URL=redis://redis:6379
SCANNER_JOB_QUEUE_REDIS_URL=redis://redis:6379
SCANNER_TRIVY_CACHE_DIR=/home/scanner/.cache/trivy
SCANNER_TRIVY_REPORTS_DIR=/home/scanner/.cache/reports
SCANNER_TRIVY_VULN_TYPE=os,library
SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
SCANNER_TRIVY_IGNORE_UNFIXED=false
SCANNER_TRIVY_DEBUG_MODE=false
EOF
Create the docker-compose.override.yml file that adds the trivy-adapter service. The two bind-mount sources (./data/trivy-adapter/trivy and ./data/trivy-adapter/reports) must exist before the stack starts, because long-form bind mounts are not created automatically. Pin the adapter image to the version that matches your Harbor release rather than the 0.7.0 shown here.
cat << EOF > ./docker-compose.override.yml
version: '2.3'
services:
  trivy-adapter:
    networks:
      - harbor
    container_name: trivy-adapter
    image: docker.io/aquasec/harbor-scanner-trivy:0.7.0
    restart: always
    cap_drop:
      - ALL
    cpu_quota: 50000
    dns_search: .
    depends_on:
      - redis
    volumes:
      - type: bind
        source: ./data/trivy-adapter/trivy
        target: /home/scanner/.cache/trivy
      - type: bind
        source: ./data/trivy-adapter/reports
        target: /home/scanner/.cache/reports
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "trivy-adapter"
    env_file:
      ./common/config/trivy-adapter/env
EOF
Execute docker-compose up -d from the harbor directory, so the override file is merged with the generated docker-compose.yml.
How to add the scanner
In the Harbor UI go to Administration > Interrogation Services > Scanners and click New Scanner. Use http://trivy-adapter:8080 as the endpoint (the adapter's default listen port; the name resolves on the harbor compose network the service joined above), click Test Connection, save, and mark the scanner as default so scans use it.
Scanner status
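Once the scanner is registered, the useful next step is to consume its results rather than only look at them in the UI. The script below is an added example, not code from Harbor or the Trivy adapter: it reads the vulnerability report Harbor serves for an artifact (media type application/vnd.security.vulnerability.report; version=1.1) and fails a promotion gate on severity, mirroring the SCANNER_TRIVY_IGNORE_UNFIXED setting above with an ignore_unfixed option. The registry host, project, robot account and the sample report are placeholders constructed for this example.

```python
"""Policy gate over a Harbor vulnerability report (added example).

Not code from Harbor or the Trivy adapter. Given the report Harbor serves
for an artifact after the Trivy adapter has scanned it (media type
application/vnd.security.vulnerability.report; version=1.1), decide
whether the image may be promoted. Registry host, project, credentials
and the sample report below are placeholders constructed for this example.
"""
import base64
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Severity names as Harbor reports them, lowest to highest.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    version: str
    fix_version: str  # "" when the distro has published no fixed version
    severity: str


def report_url(harbor, project, repository, reference):
    """URL of the vulnerabilities addition in the v2.0 API.

    Repository names containing '/' must be double URL-encoded,
    e.g. team/nginx -> team%252Fnginx, because the segment is decoded twice.
    """
    repo = urllib.parse.quote(urllib.parse.quote(repository, safe=""), safe="")
    return (f"{harbor}/api/v2.0/projects/{project}/repositories/{repo}"
            f"/artifacts/{reference}/additions/vulnerabilities")


def fetch_report(url, user, password):
    """GET the addition with HTTP basic auth; use a robot account, not admin."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_report(addition):
    """The addition is keyed by report media type; flatten to Finding objects."""
    findings = []
    for report in addition.values():
        for v in report.get("vulnerabilities", []):
            findings.append(Finding(v["id"], v["package"], v["version"],
                                    v.get("fix_version") or "", v["severity"]))
    return findings


def evaluate(findings, block_at="High", ignore_unfixed=False, allowlist=()):
    """Return (passed, blocking_findings).

    block_at: lowest severity that fails the gate.
    ignore_unfixed: like SCANNER_TRIVY_IGNORE_UNFIXED, skip findings the
        distro cannot fix yet, so the gate only fails on actionable items.
    allowlist: CVE ids accepted after risk review (keep this list in git).
    """
    threshold = SEVERITY_RANK[block_at]
    blocking = []
    for f in findings:
        if f.cve in allowlist:
            continue
        if ignore_unfixed and not f.fix_version:
            continue
        if SEVERITY_RANK.get(f.severity, 0) >= threshold:
            blocking.append(f)
    return (not blocking, blocking)


# Constructed sample of what the API returns; the CVE ids are placeholders.
SAMPLE_ADDITION = {
    "application/vnd.security.vulnerability.report; version=1.1": {
        "generated_at": "2024-01-01T00:00:00Z",
        "scanner": {"name": "Trivy", "vendor": "Aqua Security", "version": "v0.7.0"},
        "severity": "Critical",
        "vulnerabilities": [
            {"id": "CVE-0000-0001", "package": "openssl", "version": "1.1.1k",
             "fix_version": "1.1.1n", "severity": "Critical"},
            {"id": "CVE-0000-0002", "package": "glibc", "version": "2.31",
             "fix_version": "", "severity": "High"},
            {"id": "CVE-0000-0003", "package": "curl", "version": "7.74.0",
             "fix_version": "7.79.0", "severity": "Medium"},
        ],
    }
}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample. For a live check:
    # addition = fetch_report(report_url("https://reg.mylab.local", "test",
    #                                    "nginx", "latest"), "robot$test+ci", TOKEN)
    findings = parse_report(SAMPLE_ADDITION)
    ok, blocking = evaluate(findings, block_at="High", ignore_unfixed=True)
    print("PASS" if ok else "FAIL", [f.cve for f in blocking])
```

Run it in the pipeline step that promotes an image from a staging project to a production one, and keep the allowlist under review so accepted findings expire rather than accumulate.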
How to push an image to Harbor
1. Add the registry to insecure-registries in /etc/docker/daemon.json and restart the Docker daemon. This is needed only because the lab serves Harbor over plain HTTP; with TLS enabled you would instead install the CA certificate under /etc/docker/certs.d/reg.mylab.local/ca.crt and leave this setting out. The lab's hostname is reg.mylab.local, which must match hostname in harbor.yml.
root@Docker-Master:~/harbor# cat /etc/docker/daemon.json
{
"insecure-registries": ["reg.mylab.local"]
}
root@Docker-Master:~/harbor#
2. Log in (the warning below is Docker pointing out that the credential is stored base64-encoded in config.json; configure a credential helper on any shared host):
root@Docker-Master:~/harbor# docker login reg.mylab.local
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
3. Tag the image for the target project. The project (test here) must already exist in Harbor; a push to a project that does not exist is rejected.
docker tag nginx:latest reg.mylab.local/test/nginx:latest
Example
4. Push the tagged image with docker push, using the same reference as in the tag step.
After the push, verify the artifact in the Harbor GUI under the test project. With a scanner registered you can trigger a scan from the artifact's row, or enable automatic scanning on push in the project's configuration.
Kubernetes Integration
On each node whose kubelet uses containerd, open /etc/containerd/config.toml and add the registry entries. Every entry must name the same registry host that appears in your image references (reg.mylab.local here); the original mixed two hostnames, so its mirror and auth entries would never have applied to pulls from reg.mylab.local. The mirror endpoint is http:// because this lab runs Harbor without TLS; insecure_skip_verify only matters for an https endpoint with an untrusted certificate. The auth entry is needed because new Harbor projects are private by default. Restart containerd afterwards. Note that the registry.mirrors and registry.configs tables are deprecated in containerd 1.x in favour of config_path pointing at per-host hosts.toml files under /etc/containerd/certs.d.
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."reg.mylab.local"]
  endpoint = ["http://reg.mylab.local"]
[plugins."io.containerd.grpc.v1.cri".registry.configs."reg.mylab.local".tls]
  insecure_skip_verify = true
[plugins."io.containerd.grpc.v1.cri".registry.configs."reg.mylab.local".auth]
  username = "admin"
  # Harbor12345 is Harbor's default admin password: change it, and prefer a
  # project-scoped robot account over admin here, since this file is readable
  # on every node.
  password = "Harbor12345"
Reference the image from Harbor when creating the deployment:
kubectl create deploy my-deploy --image=reg.mylab.local/test/nginx:latest
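Putting the admin password in config.toml gives every node full control of Harbor. The narrower pattern, shown here as an added example that is not from the page, is a project-scoped robot account in Harbor with pull permission on the test project only, whose token is stored in a Kubernetes docker-registry secret and referenced from the pod spec. The secret name harbor-pull, the robot name robot$test+ci and the default namespace are assumptions. Create the secret with kubectl create secret docker-registry harbor-pull --docker-server=reg.mylab.local --docker-username='robot$test+ci' --docker-password=<robot-token>, then apply:

```yaml
# Added example (not from the page): same image as the kubectl create deploy
# command above, pulled with a Harbor robot account instead of node-wide
# admin credentials. Secret name and robot account are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-deploy
  template:
    metadata:
      labels:
        app: my-deploy
    spec:
      imagePullSecrets:
        - name: harbor-pull        # docker-registry secret holding the robot token
      containers:
        - name: nginx
          image: reg.mylab.local/test/nginx:latest
```

With the secret in place the auth table can be removed from config.toml; the mirror entry (or, on current containerd, the hosts.toml under certs.d) is still needed while the registry runs over plain HTTP, and goes away once Harbor serves TLS from a CA the nodes trust.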