Harbor registry

Shyju krishnan
Cloudnloud Tech Community

--

Harbor is a free and open-source registry that adds security and management features on top of artifact storage. It enforces access control with role-based permissions per project, scans images for vulnerabilities, and can verify the signatures on artifacts. Whether you deploy with Kubernetes or plain Docker, Harbor gives you a reliable place to store and manage container images and other OCI artifacts, with policy enforcement across cloud-native platforms.

Why you might want a private container registry

Sharing is a good thing, but sometimes software needs to stay private. Trade secrets and intellectual property are two reasons for running a private registry. Pull speed on the local network, customization, and security controls (who may push, and what gets scanned before it is deployed) are others.

Harbor Installation and Configuration

1. Download the Harbor installer (the offline installer bundle from the Harbor releases page).

2. Unzip the offline installer.
3. cp harbor.yml.tmpl harbor.yml
4. Configure the harbor.yml file:
→ hostname: reg.mydomain.com (change the domain name to the one clients and cluster nodes will use to reach the registry; it must not be localhost or 127.0.0.1)
→ # external_url: https://reg.mydomain.com:8433 (uncomment the line; its scheme and port must match what you actually expose, so with HTTPS disabled it has to start with http://)
→ comment out the https block to disable HTTPS. This walkthrough runs Harbor over plain HTTP, which the prepare script warns about below and which is only acceptable on an isolated lab network: credentials and image layers cross the wire unencrypted, and every Docker and containerd client has to be configured to trust an insecure registry. Outside a lab, keep the https block and point certificate and private_key at a real certificate.
→ harbor_admin_password: Harbor12345 is the default admin password. Change it here before the first start; it is the credential used later for docker login and for the containerd auth block.
Example harbor.yml (screenshot)

5. Execute the prepare script

root@Docker-Master:~/harbor# ./prepare
prepare base dir is set to /root/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

6. Execute the install script (./install.sh --with-trivy would also bundle the Trivy scanner; the next section adds it by hand instead)

#./install.sh
Creating harbor-log ... done
Creating redis ... done
Creating registryctl ... done
Creating harbor-portal ... done
Creating registry ... done
Creating harbor-db ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
root@Docker-Master:~/harbor# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0f1396d499da goharbor/harbor-jobservice:v2.7.3 "/harbor/entrypoint.…" 53 minutes ago Up 53 minutes (healthy) harbor-jobservice
ab502911bcd7 goharbor/nginx-photon:v2.7.3 "nginx -g 'daemon of…" 53 minutes ago Up 53 minutes (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp nginx
ea913e971a0e goharbor/harbor-core:v2.7.3 "/harbor/entrypoint.…" 53 minutes ago Up 53 minutes (healthy) harbor-core
f7bf2c423591 goharbor/harbor-db:v2.7.3 "/docker-entrypoint.…" 53 minutes ago Up 53 minutes (healthy) harbor-db
2a86ea120ca5 goharbor/registry-photon:v2.7.3 "/home/harbor/entryp…" 53 minutes ago Up 53 minutes (healthy) registry
2b4b2b24239c goharbor/harbor-portal:v2.7.3 "nginx -g 'daemon of…" 53 minutes ago Up 53 minutes (healthy) harbor-portal
8f95c9c92c2c goharbor/harbor-registryctl:v2.7.3 "/home/harbor/start.…" 53 minutes ago Up 53 minutes (healthy) registryctl
455cca55086b goharbor/redis-photon:v2.7.3 "redis-server /etc/r…" 53 minutes ago Up 53 minutes (healthy) redis
890eadd4ab47 goharbor/harbor-log:v2.7.3 "/bin/sh -c /usr/loc…" 53 minutes ago Up 53 minutes (healthy) 127.0.0.1:1514->10514/tcp harbor-log
b0cb5c98c1b2 nginx:latest "/docker-entrypoint.…" 2 hours ago Up 2 hours 80/tcp myapp.1.vnmeb0ybp2ncr3sy8yncx3dbu
root@Docker-Master:~/harbor#
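Before running ./prepare it is worth checking harbor.yml for the settings this lab walkthrough leaves insecure. The script below is an added example, not part of the original post or of Harbor itself. It greps the uncommented lines of harbor.yml (the key names are the ones in harbor.yml.tmpl) and fails on the template hostname, a disabled https block, the default admin password, and an external_url whose scheme disagrees with the https block. The two sample files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or the Harbor project):
# pre-flight check for harbor.yml before ./prepare. Key names follow
# harbor.yml.tmpl; the sample files written below are constructed.

# Uncommented, non-blank lines of a YAML file (cheap parse, no yq needed).
live_lines() { grep -Ev '^[[:space:]]*(#|$)' "$1"; }

# Print one FAIL/WARN line per finding; return 1 if anything FAILed.
harbor_yml_preflight() {
  f="$1"; fail=0
  host=$(live_lines "$f" | sed -n 's/^hostname:[[:space:]]*//p' | tr -d '"' | head -n 1)
  case "$host" in
    ""|reg.mydomain.com)
      echo "FAIL hostname is unset or still the template value ('$host')"; fail=1 ;;
  esac
  if live_lines "$f" | grep -Eq '^https:'; then https_on=1; else https_on=0; fi
  if [ "$https_on" -eq 0 ]; then
    echo "FAIL https block is commented out: registry will serve plain HTTP"; fail=1
  elif ! live_lines "$f" | grep -Eq '^[[:space:]]+certificate:[[:space:]]*[^[:space:]]'; then
    echo "FAIL https enabled but certificate path is empty"; fail=1
  fi
  if live_lines "$f" | grep -Eq '^harbor_admin_password:[[:space:]]*Harbor12345[[:space:]]*$'; then
    echo "FAIL default admin password Harbor12345 still set"; fail=1
  fi
  ext=$(live_lines "$f" | sed -n 's/^external_url:[[:space:]]*//p' | head -n 1)
  case "$ext" in
    https://*)
      [ "$https_on" -eq 1 ] || { echo "FAIL external_url is https but the https block is disabled"; fail=1; } ;;
    http://*)
      echo "WARN external_url uses plain http" ;;
  esac
  return "$fail"
}

# Constructed sample: harbor.yml.tmpl after the edits the walkthrough makes.
write_lab_yml() {
  cat > "$1" <<'EOF'
hostname: reg.mydomain.com
http:
  port: 80
# https:
#   port: 443
#   certificate: /your/certificate/path
#   private_key: /your/private/key/path
external_url: https://reg.mydomain.com:8433
harbor_admin_password: Harbor12345
EOF
}

# Constructed sample: the same file with HTTPS, a real hostname and a new password.
write_hardened_yml() {
  cat > "$1" <<'EOF'
hostname: reg.mylab.local
http:
  port: 80
https:
  port: 443
  certificate: /etc/harbor/certs/reg.mylab.local.crt
  private_key: /etc/harbor/certs/reg.mylab.local.key
external_url: https://reg.mylab.local
harbor_admin_password: Change-Me-Before-Prepare-9f3a
EOF
}

tmp=$(mktemp -d)
write_lab_yml "$tmp/lab.yml"; write_hardened_yml "$tmp/ok.yml"
echo "== lab harbor.yml"
harbor_yml_preflight "$tmp/lab.yml" || echo "(fix the FAIL lines before ./prepare)"
echo "== hardened harbor.yml"
harbor_yml_preflight "$tmp/ok.yml" || echo "(unexpected)"
```

Run it as sh preflight.sh; to check your own file, call harbor_yml_preflight /root/harbor/harbor.yml. The hostname check is deliberately strict, since a stale hostname is also what breaks the generated nginx and core configuration.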

Login page (screenshot). Sign in as admin with the harbor_admin_password value from harbor.yml; if you left the default Harbor12345 in place, change it now.

Installing Harbor with Trivy

The Harbor installer can bundle the Trivy scanner for you (./install.sh --with-trivy). The steps below add the Trivy adapter by hand through a compose override instead, which is useful when Harbor is already running.

Create a directory to store the Trivy adapter config:

mkdir -p ./common/config/trivy-adapter

Create the env file with the adapter's environment variables (SCANNER_LOG_LEVEL=trace is handy while debugging the integration; drop it to info afterwards, since trace logs every request):

cat << EOF > ./common/config/trivy-adapter/env
SCANNER_LOG_LEVEL=trace
SCANNER_STORE_REDIS_URL=redis://redis:6379
SCANNER_JOB_QUEUE_REDIS_URL=redis://redis:6379
SCANNER_TRIVY_CACHE_DIR=/home/scanner/.cache/trivy
SCANNER_TRIVY_REPORTS_DIR=/home/scanner/.cache/reports
SCANNER_TRIVY_VULN_TYPE=os,library
SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
SCANNER_TRIVY_IGNORE_UNFIXED=false
SCANNER_TRIVY_DEBUG_MODE=false
EOF

Create the docker-compose.override.yml file that adds the trivy-adapter service. The bind-mount sources (./data/trivy-adapter/trivy and ./data/trivy-adapter/reports) must exist before you bring the stack up, since long-syntax bind mounts are not created for you by every compose version. The 0.7.0 tag is an old adapter release; pin the current tag from the aquasecurity/harbor-scanner-trivy releases instead. Keep cap_drop: ALL, which the adapter runs fine with.

cat << EOF > ./docker-compose.override.yml
version: '2.3'
services:
  trivy-adapter:
    networks:
      - harbor
    container_name: trivy-adapter
    image: docker.io/aquasec/harbor-scanner-trivy:0.7.0
    restart: always
    cap_drop:
      - ALL
    cpu_quota: 50000
    dns_search: .
    depends_on:
      - redis
    volumes:
      - type: bind
        source: ./data/trivy-adapter/trivy
        target: /home/scanner/.cache/trivy
      - type: bind
        source: ./data/trivy-adapter/reports
        target: /home/scanner/.cache/reports
    logging:
      driver: "syslog"
      options:
        syslog-address: "tcp://127.0.0.1:1514"
        tag: "trivy-adapter"
    env_file:
      - ./common/config/trivy-adapter/env
EOF

Run docker-compose up -d from the harbor directory; compose merges docker-compose.override.yml with the generated docker-compose.yml, so the adapter joins the same harbor network as redis and core.

How to add the scanner
In the Harbor UI go to Administration → Interrogation Services → Scanners and click New Scanner. Enter a name and the adapter endpoint (http://trivy-adapter:8080, the adapter's default listen address on the compose network), use Test Connection before saving, then mark the scanner as default so projects use it.

Scanner status (screenshot)
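The same registration can be done from Harbor's REST API, which is what you want in automation, and the resulting report can be turned into a promotion gate. The script below is an added example, not code from the original post or from the Harbor project. It assumes HARBOR_URL, HARBOR_USER and HARBOR_PASS are exported by the caller, that the adapter listens on its default http://trivy-adapter:8080 inside the compose network, and the report it parses at the bottom is a constructed sample with placeholder ids, not real scanner output.

```shell
#!/bin/sh
# Added example, not from the original post or the Harbor project: drive
# the scanner through Harbor's REST API and gate on the report. Assumes
# HARBOR_URL (e.g. http://reg.mylab.local), HARBOR_USER and HARBOR_PASS
# are exported by the caller and that the adapter listens on its default
# address http://trivy-adapter:8080 inside the compose network. The
# sample report at the bottom is constructed, with placeholder ids.

harbor_api() {  # METHOD PATH [JSON-BODY]  -> calls /api/v2.0/PATH
  url="$HARBOR_URL/api/v2.0$2"
  if [ -n "${3-}" ]; then
    curl -sS -f -u "$HARBOR_USER:$HARBOR_PASS" -X "$1" \
      -H 'Content-Type: application/json' -d "$3" "$url"
  else
    curl -sS -f -u "$HARBOR_USER:$HARBOR_PASS" -X "$1" "$url"
  fi
}

# Request body for POST /scanners: the same fields as the New Scanner form.
scanner_payload() {  # NAME ADAPTER-URL
  printf '{"name":"%s","url":"%s","auth":"","skip_certVerify":false,"use_internal_addr":true}' "$1" "$2"
}
register_scanner() { harbor_api POST /scanners "$(scanner_payload "$1" "$2")"; }

# Trigger a scan of PROJECT/REPO:REFERENCE (202 Accepted) and fetch its report.
scan_artifact() { harbor_api POST "/projects/$1/repositories/$2/artifacts/$3/scan"; }
fetch_report()  { harbor_api GET  "/projects/$1/repositories/$2/artifacts/$3/additions/vulnerabilities"; }

# Number of findings with one severity. The report carries a summary
# "severity" before the "vulnerabilities" array, so everything up to that
# key is dropped first; the rest is counted with grep, no jq required.
count_severity() {  # REPORT-JSON SEVERITY
  printf '%s' "$1" | tr -d '\n' | sed 's/.*"vulnerabilities"//' \
    | grep -o "\"severity\": *\"$2\"" | wc -l | tr -d ' '
}

# Promotion gate: fail (return 1) on any Critical or High finding.
gate_report() {  # REPORT-JSON
  crit=$(count_severity "$1" Critical); high=$(count_severity "$1" High)
  echo "critical=$crit high=$high"
  [ "$((crit + high))" -eq 0 ]
}

# Constructed sample in the shape of Harbor's vulnerability report media
# type (application/vnd.security.vulnerability.report; version=1.1).
# The ids are placeholders, not real CVEs.
SAMPLE_REPORT='{"application/vnd.security.vulnerability.report; version=1.1":{
 "generated_at":"2024-01-01T00:00:00Z",
 "scanner":{"name":"Trivy","vendor":"Aqua Security","version":"v0.0.0"},
 "severity":"Critical",
 "vulnerabilities":[
  {"id":"CVE-0000-0001","package":"libexample","version":"1.0","fix_version":"1.1","severity":"Critical"},
  {"id":"CVE-0000-0002","package":"libexample","version":"1.0","fix_version":"","severity":"High"},
  {"id":"CVE-0000-0003","package":"other","version":"2.3","fix_version":"2.4","severity":"Low"}]}}'

# Live flow against a running Harbor (not executed here):
#   register_scanner trivy http://trivy-adapter:8080
#   scan_artifact test nginx latest; sleep 30; fetch_report test nginx latest > report.json
#   gate_report "$(cat report.json)"
gate_report "$SAMPLE_REPORT" || echo "blocked: fix or accept these findings before promoting the image"
```

Use a project-scoped robot account rather than admin for HARBOR_USER in CI, and treat the gate's severity threshold as policy: Harbor can enforce the same thing at pull time with the project's "Prevent vulnerable images from running" setting, and this script gives you the equivalent decision at build time.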

How to push an image to Harbor

1. Add the registry to insecure-registries in /etc/docker/daemon.json and restart the Docker daemon. This is needed only because this instance serves plain HTTP; it tells the daemon to send credentials and layers in the clear to that host, so never do it for a registry reachable from outside the lab network.
root@Docker-Master:~/harbor# cat /etc/docker/daemon.json
{
"insecure-registries": ["reg.mylab.local"]
}

root@Docker-Master:~/harbor#

2. Log in. The warning in the output is real: docker login stores the password base64-encoded in ~/.docker/config.json unless a credential helper is configured. For scripted pushes use a Harbor robot account scoped to the project instead of admin.

root@Docker-Master:~/harbor# docker login reg.mylab.local
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

3. Tag the image with the registry hostname and project path. The project (test here) must already exist in Harbor; pushes to a missing project are rejected.

 docker tag nginx:latest reg.mylab.local/test/nginx:latest

Example (screenshot)

4. Push the tagged image (reg.mylab.local/test/nginx:latest) to Harbor with docker push.

After the push you can verify the image from the Harbor GUI under the test project. If the scanner is set as default and the project has "Automatically scan images on push" enabled, the vulnerability report appears there as well.

Kubernetes Integration (containerd nodes)

On every worker node, edit /etc/containerd/config.toml so the CRI plugin knows how to reach the registry and how to authenticate, then restart containerd. The registry hostname in the mirrors and configs keys must be the same name used in image references (reg.mylab.local here); a mismatched name leaves the pull going to the default HTTPS endpoint and failing.

[plugins."io.containerd.grpc.v1.cri".registry.mirrors."reg.mylab.local"]
  endpoint = ["http://reg.mylab.local"]
[plugins."io.containerd.grpc.v1.cri".registry.configs."reg.mylab.local".tls]
  insecure_skip_verify = true
[plugins."io.containerd.grpc.v1.cri".registry.configs."reg.mylab.local".auth]
  username = "admin"
  password = "Harbor12345"

Two things to fix before this leaves the lab. First, the endpoint is plain http and the tls block skips verification, for the same reason the Docker daemon needed insecure-registries; with a real certificate on Harbor, use an https endpoint and drop insecure_skip_verify. Second, this stores the Harbor admin credentials (Harbor12345 is the default admin password) in clear text on every node. Create a Harbor robot account with pull-only permission on the project and use that, or leave credentials out of containerd entirely and give the workload a kubernetes.io/dockerconfigjson pull secret. Note also that the registry.mirrors and registry.configs blocks are deprecated in favor of a per-registry hosts.toml under config_path, and containerd 2.0 no longer reads them.

Reference the image from Harbor in the deployment:

kubectl create deploy my-deploy --image=reg.mylab.local/test/nginx:latest
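The containerd and Kubernetes side can be done without putting the Harbor admin password on every node. The script below is an added example, not from the original post or from the Harbor or containerd projects. It writes the per-registry hosts.toml that replaced the registry.mirrors and registry.configs blocks, and builds a kubernetes.io/dockerconfigjson Secret from a Harbor robot account without needing kubectl at generation time. reg.mylab.local, the robot account name and the CA path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: containerd hosts.toml plus a
# Kubernetes image pull Secret, in place of admin credentials in
# /etc/containerd/config.toml. Placeholders: reg.mylab.local, the robot
# account name, /etc/harbor/ca.crt.

# (1) hosts.toml for one registry under CERTS_DIR/REGISTRY/. containerd
# reads it when config.toml has, for 1.x:
#   [plugins."io.containerd.grpc.v1.cri".registry]
#     config_path = "/etc/containerd/certs.d"
# (containerd 2.0 moves the section to plugins."io.containerd.cri.v1.images".registry)
# Plain http is for a lab only. With https, pass the CA file as $4 so the
# node verifies Harbor's certificate instead of skipping verification.
write_containerd_hosts() {  # REGISTRY CERTS_DIR SCHEME [CA_FILE]  -> prints file path
  reg="$1"; dir="$2/$1"; scheme="${3:-https}"; ca="${4-}"
  mkdir -p "$dir"
  {
    printf 'server = "%s://%s"\n\n' "$scheme" "$reg"
    printf '[host."%s://%s"]\n' "$scheme" "$reg"
    printf '  capabilities = ["pull", "resolve"]\n'
    if [ "$scheme" = "https" ] && [ -n "$ca" ]; then
      printf '  ca = "%s"\n' "$ca"
    fi
  } > "$dir/hosts.toml"
  echo "$dir/hosts.toml"
}

# Portable single-line base64 (GNU base64 -w0 is not available everywhere).
b64() { base64 | tr -d '\n'; }

# (2) Secret manifest equivalent to `kubectl create secret docker-registry`.
# USER/PASSWORD must not contain JSON-special characters (" or \) as written.
pull_secret_manifest() {  # NAME NAMESPACE REGISTRY USER PASSWORD
  auth=$(printf '%s:%s' "$4" "$5" | b64)
  cfg=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' "$3" "$4" "$5" "$auth")
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
    "$1" "$2" "$(printf '%s' "$cfg" | b64)"
}

tmp=$(mktemp -d)
hosts=$(write_containerd_hosts reg.mylab.local "$tmp/certs.d" http)
echo "== $hosts"; cat "$hosts"
echo "== pull secret (robot account credentials are placeholders)"
pull_secret_manifest harbor-pull default reg.mylab.local 'robot$test+puller' 'example-robot-secret'
```

Apply the manifest with kubectl apply -f, then attach it either with imagePullSecrets in the pod spec or by patching the namespace's default service account. The robot account is created in the Harbor project's Robot Accounts tab with pull permission only; revoking it affects that project, not the admin login.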
