Deploying Harbor Docker Registry 1.5.2

In this guide we will walk through the canonical deployment of the Harbor Docker Registry on a fresh Ubuntu 16.04 host. Harbor can be installed on any system with Docker support. Read more about getting started and using Harbor below.

Introduction

Harbor is an open source cloud native registry that stores, signs, and scans container images for vulnerabilities. Harbor solves common challenges by delivering trust, compliance, performance, and interoperability. It fills a gap for organizations and applications that cannot use a public or cloud-based registry, or want a consistent experience across clouds. Additional information about the Harbor project can be found on the official website.

Prerequisites

In the following walkthrough, we assume that you have the following prepared ahead of time: a fresh Ubuntu 16.04 host with sudo access, a DNS name that resolves to that host (this is the registry hostname used throughout), and a TLS certificate and private key issued for that name. Harbor itself runs entirely in containers, so Docker and docker-compose are installed in the Preparation section below.

Preparation

1. Download Harbor online-installer

wget https://storage.googleapis.com/harbor-releases/release-1.5.0/harbor-online-installer-v1.5.2.tgz

2. Download Docker installer

wget https://releases.rancher.com/install-docker/17.03.sh

3. Install docker (read through the downloaded script before running it as root)

sudo sh 17.03.sh

4. Add user to docker group (unless running as root). Membership in the docker group is equivalent to root on the host, because a member can start privileged containers with the host filesystem mounted, so add only the account that will administer Harbor. The new group membership takes effect at the next login.

sudo usermod -aG docker $(whoami)

5. Install docker-compose tool

sudo curl -L https://github.com/docker/compose/releases/download/1.21.2/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose

sudo chmod a+x /usr/local/bin/docker-compose

Installation of Harbor Docker Registry

1. Unpack harbor installer

tar xzf harbor-online-installer-v1.5.2.tgz

2. Modify harbor.cfg: set hostname to the registry's DNS name, set ui_url_protocol to https, and replace the shipped default secrets. At a minimum change harbor_admin_password (default Harbor12345), db_password (default root123) and clair_db_password (default password); these defaults are public knowledge and the admin account has full control of the registry. Leave ssl_cert and ssl_cert_key at /data/cert/server.crt and /data/cert/server.key, which is where the certificate is copied in the next step.

cd harbor
vim harbor.cfg

3. Copy the TLS certificate and key. server.crt must contain the full chain (the server certificate followed by any intermediate CA certificates) because the Docker client does not fetch missing intermediates and fails with an unknown-authority error when the chain is incomplete; the root CA itself comes from the host's trust store. The private key should be readable by root only.

sudo mkdir -p /data/cert
sudo cp my.server.crt /data/cert/server.crt
sudo cp my.server.key /data/cert/server.key
sudo chmod 600 /data/cert/server.key

4. Change the SSL ciphers to something more secure and add strict transport security. Edit the template rather than the generated common/config/nginx/nginx.conf, because prepare.sh regenerates the latter from the template on every run. The list below prefers forward-secret ECDHE suites with AES-GCM, then SHA-2 CBC suites, and excludes anonymous, NULL, export, LOW, 3DES, MD5 and RC4 suites. The widely copied version of this string also selects EECDH+aRSA+RC4 before excluding RC4 again with !RC4, which OpenSSL tolerates but which is pointless, so that entry is dropped here. If the template's ssl_protocols line still enables anything below TLSv1.2, remove it at the same time. The HSTS max-age of 16000000 seconds is about six months; keep includeSubDomains only if every subdomain of the registry's domain is served over HTTPS, since browsers will refuse plain HTTP to all of them.

vim common/templates/nginx/nginx.https.conf

  # ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
  ssl_ciphers 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4';
  add_header Strict-Transport-Security "max-age=16000000; includeSubDomains" always;

5. Run the installer. install.sh runs prepare.sh itself, but running prepare.sh first lets you inspect the rendered files under common/config before any container starts.

sudo ./prepare.sh --with-notary --with-clair
sudo ./install.sh --with-notary --with-clair

Note: the running stack is managed with docker-compose and all three compose files; leaving out the notary or clair file leaves those services unmanaged. To change the configuration after installation, bring the stack down, edit harbor.cfg, re-run prepare.sh with the same --with-notary --with-clair flags so the change is rendered into common/config, and bring it up again with:

sudo docker-compose -f ./docker-compose.yml -f ./docker-compose.notary.yml -f ./docker-compose.clair.yml [start,stop,up,down,rm]
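The three edits above (harbor.cfg, the certificate files and the nginx template) are easy to get subtly wrong, so the following pre-flight script checks them before install.sh is run. It is an added example, not part of the Harbor project or of the original guide. It assumes the file layout used in the steps above and the default values shipped in Harbor 1.5's harbor.cfg (reg.mydomain.com, Harbor12345, root123, password); its checks are deliberately limited to what sed and grep can verify, so it counts PEM blocks rather than validating the chain cryptographically (keep openssl verify for that).

```shell
#!/bin/sh
# Added pre-flight check for the edited Harbor 1.5 install tree; it is not
# part of the Harbor project or of the original guide. Assumptions: the
# layout used in the steps above (harbor.cfg in the unpacked directory,
# certificates under /data/cert, the nginx template under
# common/templates/nginx) and the default values shipped in Harbor 1.5's
# harbor.cfg. Each check prints what it found and returns non-zero, so
# the script can gate ./install.sh.

# Read "key = value" from harbor.cfg (first uncommented match, trimmed).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Fail when a secret is empty or still the value shipped in harbor.cfg.
check_secret() {
    v=$(cfg_get "$1" "$2")
    if [ -z "$v" ] || [ "$v" = "$3" ]; then
        echo "$2 is empty or still the shipped default"; return 1
    fi
}

# Check 1: HTTPS on, a real hostname, and none of the default secrets.
check_harbor_cfg() {
    cfg="$1"; rc=0
    [ "$(cfg_get "$cfg" ui_url_protocol)" = "https" ] \
        || { echo "ui_url_protocol is not https"; rc=1; }
    case "$(cfg_get "$cfg" hostname)" in
        ""|localhost|reg.mydomain.com) echo "hostname is not the registry FQDN"; rc=1 ;;
    esac
    check_secret "$cfg" harbor_admin_password Harbor12345 || rc=1
    check_secret "$cfg" db_password root123 || rc=1
    check_secret "$cfg" clair_db_password password || rc=1
    return $rc
}

# Check 2: server.crt carries the chain (leaf plus at least one
# intermediate, i.e. two or more PEM blocks) and server.key is a PEM key
# readable by its owner only.
check_cert_files() {
    crt="$1"; key="$2"; rc=0
    n=$(grep -c 'BEGIN CERTIFICATE' "$crt" 2>/dev/null || true); n=${n:-0}
    [ "$n" -ge 2 ] \
        || { echo "$crt has $n certificate block(s), expected leaf plus intermediate(s)"; rc=1; }
    if grep -q 'PRIVATE KEY' "$key" 2>/dev/null; then
        # columns 5-10 of "ls -l" are the group and other permission bits
        [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
            || { echo "$key is group or world accessible, chmod 600 it"; rc=1; }
    else
        echo "$key is missing or not a PEM private key"; rc=1
    fi
    return $rc
}

# Check 3: the active ssl_ciphers line selects no RC4/3DES/MD5/export
# suite that is not also excluded with "!", ssl_protocols (if set) allows
# nothing below TLSv1.2, and an HSTS header is sent.
check_nginx_tls() {
    conf="$1"; rc=0
    ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*//p' "$conf" \
        | head -n 1 | tr -d "';")
    [ -n "$ciphers" ] || { echo "no active ssl_ciphers line in $conf"; rc=1; }
    for weak in RC4 3DES MD5 EXP; do
        if echo "$ciphers" | tr ':' '\n' | grep -v '^!' | grep -q "$weak" \
           && ! echo "$ciphers" | tr ':' '\n' | grep -qx "!$weak"; then
            echo "ssl_ciphers selects $weak without excluding it"; rc=1
        fi
    done
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*//p' "$conf" \
        | head -n 1 | tr ';' ' ')
    if echo "$protos" | tr ' ' '\n' | grep -qE '^(SSLv[23]|TLSv1|TLSv1\.1)$'; then
        echo "ssl_protocols still enables something below TLSv1.2: $protos"; rc=1
    fi
    grep -q '^[[:space:]]*add_header[[:space:]]*Strict-Transport-Security' "$conf" \
        || { echo "no Strict-Transport-Security header in $conf"; rc=1; }
    return $rc
}

# Run all three against an install tree and a certificate directory.
preflight() {
    dir="${1:-.}"; certdir="${2:-/data/cert}"; rc=0
    check_harbor_cfg "$dir/harbor.cfg" || rc=1
    check_cert_files "$certdir/server.crt" "$certdir/server.key" || rc=1
    check_nginx_tls "$dir/common/templates/nginx/nginx.https.conf" || rc=1
    [ "$rc" -eq 0 ] && echo "pre-flight OK, safe to run ./install.sh"
    return $rc
}

# Only run when asked, so the file can also be sourced for its functions.
if [ "${HARBOR_PREFLIGHT:-0}" = 1 ]; then
    preflight "$@"
fi
```

Run it from the unpacked harbor directory as root (the key is not readable otherwise), for example HARBOR_PREFLIGHT=1 sh preflight.sh . /data/cert; a non-zero exit lists every problem found rather than stopping at the first one.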

Usage

First, log in to the registry. The account must be a member of the project you push to, and docker login stores the credential in that user's ~/.docker/config.json, so run it as the user that will do the pushes rather than via sudo.

docker login registry.host.name

Then tag and push images. Harbor only accepts pushes into an existing project, so create <PROJECT> in the UI first and reference it as the first path segment after the hostname:

docker tag <IMAGE-NAME>:<TAG> registry.host.name/<PROJECT>/<IMAGE-NAME>:<TAG>
docker push registry.host.name/<PROJECT>/<IMAGE-NAME>:<TAG>
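Since the stack was installed with --with-notary, pushes are worth signing. The following wrapper is an added example, not part of Harbor or of the original guide: it validates the Harbor reference shape, tags the local image and pushes it with Docker Content Trust enabled so the tag is signed through Harbor's Notary. It assumes HARBOR_REGISTRY is the hostname set in harbor.cfg (the placeholder registry.host.name) and that Notary answers on port 4443, the port Harbor 1.5 exposes for it; the image and project names in the example run are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Harbor project or of the original guide:
# push to Harbor with Docker Content Trust on, so the tag is signed by the
# Notary service installed with --with-notary. Assumptions: HARBOR_REGISTRY
# is the hostname from harbor.cfg (placeholder registry.host.name) and
# Notary listens on Harbor's port 4443.

HARBOR_REGISTRY="${HARBOR_REGISTRY:-registry.host.name}"

# Validate a Harbor image reference of the form
# <registry>/<project>/<image>[:<tag>]. Harbor rejects pushes that are not
# under a project, so the project segment is mandatory. Prints
# "<project> <image> <tag>" on success (tag defaults to latest, as docker
# does) and returns 1 otherwise.
parse_harbor_ref() {
    ref="$1"
    case "$ref" in
        "$HARBOR_REGISTRY"/*/*) ;;
        *) echo "not a $HARBOR_REGISTRY/<project>/<image> reference: $ref" >&2; return 1 ;;
    esac
    rest="${ref#*/}"            # strip "<registry>/"
    project="${rest%%/*}"
    image_tag="${rest#*/}"
    case "$image_tag" in
        *:*) image="${image_tag%:*}"; tag="${image_tag##*:}" ;;
        *)   image="$image_tag"; tag="latest" ;;
    esac
    echo "$project $image $tag"
}

# Tag a local image into the project and push it with content trust.
# DOCKER_CONTENT_TRUST=1 makes "docker push" sign the tag after upload
# using the Notary server in DOCKER_CONTENT_TRUST_SERVER; the first push to
# a repository prompts for the root and repository key passphrases.
push_signed() {
    local_image="$1"; ref="$2"
    parse_harbor_ref "$ref" >/dev/null || return 1
    docker tag "$local_image" "$ref" || return 1
    DOCKER_CONTENT_TRUST=1 \
    DOCKER_CONTENT_TRUST_SERVER="https://$HARBOR_REGISTRY:4443" \
        docker push "$ref"
}

# Pull side: with the same two variables set, "docker pull" refuses tags
# that carry no valid signature in this registry's Notary.
pull_signed() {
    ref="$1"
    parse_harbor_ref "$ref" >/dev/null || return 1
    DOCKER_CONTENT_TRUST=1 \
    DOCKER_CONTENT_TRUST_SERVER="https://$HARBOR_REGISTRY:4443" \
        docker pull "$ref"
}

# Example run (placeholder names), only when explicitly requested so the
# file can be sourced for its functions without touching docker.
if [ "${HARBOR_PUSH_EXAMPLE:-0}" = 1 ]; then
    push_signed myapp:1.0 "$HARBOR_REGISTRY/myproject/myapp:1.0"
fi
```

The same certificate that fronts the registry fronts Notary on port 4443, so the chain requirement from the installation steps applies to the signing endpoint as well; a truncated chain shows up here as a trust error from the Notary client rather than from the push itself.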

Kubernetes

Before we can use the images from our private registry, we need to create a secret in the Kubernetes cluster that holds the registry credential. The secret is namespaced, so create it in every namespace that pulls from Harbor, and use a dedicated Harbor user that has only the Guest (pull) role on the project rather than the admin account: the secret stores the password base64-encoded, not encrypted, so anyone who can read Secrets in that namespace can recover it. The --docker-email flag is optional.

kubectl create secret docker-registry registry-cred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>

To use the secret in a Pod definition (the image is referenced by its full registry.host.name/<PROJECT>/<IMAGE-NAME>:<TAG> path):

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image>
  imagePullSecrets:
  - name: registry-cred