Harbor

Container Image Registry

A container image registry is a centralized repository used to store and manage container images. Container images are lightweight, standalone, and executable software packages that contain all the necessary components to run an application, including the code, runtime, libraries, and system tools.

A container image registry allows users to upload (push) and download (pull) container images to and from the repository. This way, developers can easily share their applications and collaborate efficiently across different environments and teams.

Container image registries are essential for various reasons:

  • Image Distribution: Registries serve as a distribution mechanism for container images, making it easy for developers to share their applications with others.
  • Versioning and Tagging: Registries support versioning and tagging of container images, allowing users to track different versions of an application and choose specific versions to deploy.
  • Sharing and Collaboration: Registries facilitate sharing and collaboration among development teams, making it simple to distribute tested and approved images across different environments.
  • Caching: Local registries can act as caching mechanisms, reducing the time it takes to pull images multiple times from external registries. This improves deployment speed and efficiency.
  • Security and Compliance: Some registries offer built-in features for security scanning and image signing, helping ensure that container images are free from vulnerabilities and tampering.
  • Private Registries: Organizations can set up private registries within their infrastructure to maintain control over their container images and prevent unauthorized access.

Several Container Image Registries

There are several container image registries available, each offering unique features and capabilities. Some of the most notable container image registries include:

  • Docker Hub: Docker Hub is one of the largest and most well-known public container image registries. It hosts a vast collection of container images for various software applications and environments. Docker Hub allows users to store and share their container images publicly, and it also supports private repositories for more restricted access.
  • Harbor: Harbor is an open-source cloud-native registry that provides enhanced security features, including vulnerability scanning, image signing, and role-based access control (RBAC). Harbor is often used in enterprise environments where strict security and control over container images are essential.
  • Quay.io: Quay.io is a cloud-based container registry that offers features like image replication, vulnerability scanning, and support for multiple cloud platforms. It provides both public and private repositories for hosting container images.
  • Google Container Registry (GCR): Google Container Registry is a managed container registry service provided by Google Cloud Platform. It integrates seamlessly with other Google Cloud services and offers features like image vulnerability scanning and IAM (Identity and Access Management) controls for access management.
  • Amazon Elastic Container Registry (ECR): Amazon ECR is a fully managed container registry service provided by Amazon Web Services (AWS). It is tightly integrated with other AWS services and offers secure and scalable storage for container images.
  • Azure Container Registry (ACR): Azure Container Registry is a managed container registry service provided by Microsoft Azure. It allows users to store, manage, and deploy container images in a secure and scalable environment.
  • JFrog Artifactory: JFrog Artifactory is a universal binary repository manager that supports various package types, including container images. It provides a secure and centralized repository for storing and managing container images, along with other software artifacts.
  • GitLab Container Registry: GitLab provides an integrated container registry as part of its DevOps platform. It allows users to store and manage container images within their GitLab projects, making it convenient for continuous integration and deployment workflows.


Why Harbor

Harbor is an open source registry that secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. Harbor, a CNCF Graduated project, delivers compliance, performance, and interoperability to help you consistently and securely manage artifacts across cloud native compute platforms like Kubernetes and Docker.

Harbor offers the following key features:

  • Container Image Management: Harbor allows users to upload (push) and download (pull) container images, similar to other container registries like Docker Hub.
  • Role-Based Access Control (RBAC): Harbor supports RBAC, enabling administrators to define fine-grained access control for users and teams, ensuring that the right people have the appropriate permissions.
  • Security Scanning: It provides built-in vulnerability scanning for container images, helping users identify potential security issues and ensuring that images used in production are free from known vulnerabilities.
  • Image Replication: Harbor allows you to replicate container images between multiple Harbor instances, which is useful for creating distributed setups or maintaining backups and disaster recovery.
  • Notary Support: Harbor supports Notary, an implementation of The Update Framework (TUF), which provides image signing and verification. This adds an extra layer of security by ensuring image authenticity and integrity.
  • Graphical User Interface (GUI): Harbor offers a web-based user interface that simplifies the management and monitoring of container images and user permissions.


Setting up Harbor in the Remote VM


Step 1: Create a VM (Ubuntu)

We will host Harbor on a remote virtual machine. For this, I have created a Google VM instance with the Ubuntu operating system. A very minimal configuration is enough, such as E2 Series - E2 Micro (2 vCPU, 1 core, 1 GB memory).

Machine Types





Disk Types






Allow both HTTP and HTTPS 

(Though we are going to use HTTP only)



Enable port - 5000





Start the VM and Copy the public IP Address. 

In our case it's 34.133.63.114




Step 2: Setup Harbor in the VM


Install docker & docker-compose

SSH into the VM. Run the below commands:

Command:
sudo apt-get update
sudo apt install -y docker.io docker-compose

Verify that the installation is successful:





Download Harbor

Command:
sudo wget https://github.com/goharbor/harbor/releases/download/v2.4.1/harbor-offline-installer-v2.4.1.tgz

sudo tar -xvf harbor-offline-installer-v2.4.1.tgz

Configure Harbor with the public IP and Port

Command:
cd harbor
sudo cp harbor.yml.tmpl harbor.yml
sudo nano harbor.yml
  1. Set the host name and port number
    (the host name is the public IP of your VM, and for the port I have chosen 5000; in my case it will be 34.133.63.114:5000)
  2. Comment out the lines for HTTPS, as we are not going to use SSL
  3. Set a password. I chose Harbor12345
  4. Leave the remaining settings as they are.










Save the file
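
A quick review of the edited file before running the installer, as an added example that is not part of the original walkthrough or of Harbor: it reports whether harbor.yml leaves the https block commented out and still carries the admin password used here. The function names and the sample file are constructed; the key names follow harbor.yml.tmpl.

```shell
#!/bin/sh
# Added example: pre-install review of harbor.yml (not part of Harbor itself).

# Print the value of a top-level "key: value" line, ignoring commented lines.
yaml_top() {  # usage: yaml_top KEY FILE
    sed -n "s/^$1:[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$2" | head -n 1
}

# Print the port set under an uncommented top-level block (http: or https:).
block_port() {  # usage: block_port BLOCK FILE
    awk -v b="$1:" '
        /^[^ \t#]/ { inblk = ($1 == b) }
        inblk && $1 == "port:" { print $2; exit }' "$2"
}

# Emit one finding per line; empty output means nothing was flagged.
audit_harbor_yml() {  # usage: audit_harbor_yml FILE
    f=$1
    [ -n "$(yaml_top hostname "$f")" ] || echo "hostname: not set"
    [ -n "$(block_port https "$f")" ] ||
        echo "https: block is commented out; logins and image layers travel over plain HTTP on port $(block_port http "$f")"
    [ "$(yaml_top harbor_admin_password "$f")" != "Harbor12345" ] ||
        echo "harbor_admin_password: still Harbor12345, the value shown in this walkthrough"
}

# Constructed sample mirroring the edits described above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
hostname: 34.133.63.114
http:
  port: 5000
# https:
#   port: 443
#   certificate: /your/certificate/path
#   private_key: /your/private/key/path
harbor_admin_password: Harbor12345
EOF
audit_harbor_yml "$sample"
```

Run it as `audit_harbor_yml harbor.yml` from the harbor directory; with the settings chosen in this walkthrough it prints the https and harbor_admin_password findings.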

Install Harbor

Command:
sudo ./install.sh

Once Harbor is started, you should be able to access the portal at
http://<public ip>:<port>














Allow non-HTTPS requests in the Docker client


Configure the client to communicate with non-HTTPS (HTTP) repositories

  1. Open Docker Desktop
  2. Go to menu - Settings
  3. Click on menu - Docker Engine
  4. Add an "insecure-registries" entry for the Harbor host
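
What the entry from step 4 looks like, with a check that it stays as narrow as intended, as an added example that is not from the original post: Docker does not require verified TLS for any registry listed under "insecure-registries", so the list should hold only the Harbor host and port. The sample JSON and the function names are constructed.

```shell
#!/bin/sh
# Added example: inspect "insecure-registries" in a Docker Engine JSON config.

# Print each entry of the "insecure-registries" array, one per line.
insecure_registries() {  # usage: insecure_registries FILE
    tr -d '\n' < "$1" |
        sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p' |
        tr ',' '\n' | tr -d ' "\t' | sed '/^$/d'
}

# Succeed only if EXPECTED is the sole insecure entry; print anything else found.
check_insecure_registries() {  # usage: check_insecure_registries FILE EXPECTED
    list=$(insecure_registries "$1")
    extra=$(printf '%s\n' "$list" | grep -vxF -- "$2" || true)
    [ -z "$extra" ] || printf '%s\n' "$extra" | sed 's/^/unexpected insecure registry: /'
    printf '%s\n' "$list" | grep -qxF -- "$2" && [ -z "$extra" ]
}

# Constructed sample of the Docker Engine settings after step 4.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
{
  "experimental": false,
  "insecure-registries": ["34.133.63.114:5000"]
}
EOF
check_insecure_registries "$cfg" "34.133.63.114:5000" &&
    echo "only the Harbor host is exempt from TLS"
```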







Log in to the newly created registry from the CLI.

Open the CLI and run docker login in the form docker login <public ip>:<port>

Command:
docker login http://34.133.63.114:5000
The default username is admin and the password is what we configured in harbor.yml
Username: admin
Password: Harbor12345








Now let's create a private repository (Project) through the Harbor Portal

  1. Log in to the Harbor Portal (http://34.133.63.114:5000) with the default username admin and the password as configured (Harbor12345)
  2. Go to the menu - Project. You will see that a default project named "library" is already created.
  3. Create a new private project (repository)
    1. Click on New Project
    2. Give it a name (I have given myprivaterepo)
    3. Click on OK











Now you should see that a new private repo named myprivaterepo is created. Click on it. You can see the syntax of the push command.














Let's push one image to the repository

Pull a new image, hello-world. This is the one we will push to the repo.

docker pull hello-world

You can see the images when you do docker images






Now push the image to the remote repository in 2 steps:

  1. Create a tag
    docker tag hello-world:latest 34.133.63.114:5000/myprivaterepo/myownhelloworld:latest
  2. Push the image
    docker push 34.133.63.114:5000/myprivaterepo/myownhelloworld:latest

Now you should be able to see that the image is pushed to the new repository.





Refresh the portal; you will see the newly pushed image.














Pull the image from the repo

Let's remove the image if you have it locally

Command:
docker rmi -f <image id>









Pull the image from the private repository
Command:
docker pull 34.133.63.114:5000/myprivaterepo/myownhelloworld:latest








Here we are able to push and pull using our own hosted docker registry.

