Getting Started with VMware Harbor
VMware Harbor (https://goharbor.io/) is an open source container registry platform created by VMware. The registry has a number of enterprise features such as role based access control (RBAC), audit logging, replication as well as integrated image vulnerability scanning with CoreOS’ clair. This blog post will walk through getting VMware Harbor up and running as well as pushing and pulling images.
Harbor Installation
The following steps detail the installation process for a CentOS 7 server. Install epel-release to access additional packages such as docker compose and docker.
yum -y install epel-release
Install docker and docker-compose for running the Harbor containers
yum -y install docker docker-compose
Start the docker service and enable it to start on boot
systemctl enable docker && systemctl start docker
Download and extract the Harbor installer bundle
wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-online-installer-v1.7.5.tgz
tar -xzf harbor-online-installer-v1.7.5.tgz
Change directory to the unpacked Harbor bundle
cd harbor
We’ll create a new directory for storing the SSL certificate key pair that we’ll generate
mkdir -p /opt/harbor/ssl
The following command generates the self-signed SSL certificate that we’ll use for the Harbor instance.
openssl req -subj '/CN=harbor.grt.local/O=GRT/C=US' -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout /opt/harbor/ssl/harbor.key -out /opt/harbor/ssl/harbor.crt
SSL Certificate
SSL certificates need to be utilized to ensure all communication with Harbor is TLS encrypted. In this example a self-signed certificate will be generated to show the configuration process.
The Harbor installer reads the settings used during the Harbor deployment from the “harbor.cfg” configuration file, which is located in the harbor directory. The following settings are the handful that we’ll update for this basic deployment of Harbor.
hostname: Harbor instance hostname
ui_url_protocol: Harbor UI protocol (http|https)
ssl_cert: The file path for the SSL certificate public key
ssl_cert_key: The file path for the SSL certificate private key
harbor_admin_password: The password for the harbor admin user
db_password: The root password for the postgres database
The following sed commands can be used to update the values of the settings mentioned above.
sed -i 's/^hostname.*/hostname = harbor.grt.local/' harbor.cfg
sed -i 's/ui_url_protocol.*/ui_url_protocol = https/' harbor.cfg
sed -i 's|ssl_cert =.*|ssl_cert = /opt/harbor/ssl/harbor.crt|' harbor.cfg
sed -i 's|ssl_cert_key.*|ssl_cert_key = /opt/harbor/ssl/harbor.key|' harbor.cfg
sed -i 's/harbor_admin_password.*/harbor_admin_password = SuperPassword/' harbor.cfg
sed -i 's/db_password.*/db_password = SuperPassword/' harbor.cfg
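An added example, not part of the original post or of the Harbor installer: a check of the harbor.cfg keys edited above, to run before install.sh. The function names are hypothetical and it assumes the "key = value" layout the sed commands rely on; Harbor12345 and root123 are the password values harbor.cfg ships with.

```shell
#!/bin/sh
# Print the value of KEY ($1) from a "key = value" file ($2), trimmed.
cfg_get() {
    sed -n "s/^${1}[[:space:]]*=[[:space:]]*//p" "$2" | sed 's/[[:space:]]*$//' | head -n 1
}

# Print one line per finding; the exit status is the number of findings.
audit_harbor_cfg() {
    cfg=$1 n=0
    flag() { echo "FINDING: $*"; n=$((n + 1)); }

    [ "$(cfg_get ui_url_protocol "$cfg")" = https ] || flag "ui_url_protocol is not https"
    for k in ssl_cert ssl_cert_key; do
        [ -f "$(cfg_get "$k" "$cfg")" ] || flag "$k does not point to an existing file"
    done
    key=$(cfg_get ssl_cert_key "$cfg")
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ -f "$key" ] && [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        flag "private key is accessible to group or other (chmod 600 it)"
    fi
    admin=$(cfg_get harbor_admin_password "$cfg")
    db=$(cfg_get db_password "$cfg")
    [ "$admin" != "$db" ] || flag "admin and database passwords are identical"
    for p in "$admin" "$db"; do
        case $p in
            ""|Harbor12345|root123|SuperPassword)
                flag "a password is empty, a shipped default or the tutorial value" ;;
        esac
    done
    return "$n"
}

# Constructed sample: the values this walkthrough writes, in a scratch directory.
audit_demo() {
    d=$(mktemp -d) || return 2
    : > "$d/harbor.crt"; : > "$d/harbor.key"; chmod 644 "$d/harbor.key"
    printf '%s\n' "hostname = harbor.grt.local" "ui_url_protocol = https" \
        "ssl_cert = $d/harbor.crt" "ssl_cert_key = $d/harbor.key" \
        "harbor_admin_password = SuperPassword" "db_password = SuperPassword" > "$d/harbor.cfg"
    audit_harbor_cfg "$d/harbor.cfg"; rc=$?
    rm -rf "$d"
    return "$rc"
}
if [ "${1:-}" = demo ]; then audit_demo; fi
```

Run audit_harbor_cfg harbor.cfg from the harbor directory; with the values used in this walkthrough it reports the shared, tutorial-value passwords and, if the key was created with the default umask, the readable private key.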
Run the Harbor install script to set up Harbor
sudo ./install.sh
Once the installation has completed we should be able to access the Harbor web ui by browsing to https://harbor_host_name in a web browser. The username is “admin” and the password is what was specified during the installation.
The homepage will show information about the harbor installation such as the number of projects, images, the amount of available storage and more.
Working with Docker Images
Now that Harbor has been installed and is running, the next step is to push and pull images to and from the registry.
Login
The Harbor instance is currently configured for local user authentication. This means that a login needs to be performed before images can be pushed or pulled from the Harbor instance.
SSL Certificate Error
The SSL certificate in this example is self-signed and will not be trusted by the docker client when it attempts to perform the docker login command. We need to download the SSL certificate and add it to the designated trusted location on the client system. In my particular case I’m using a Mac so I’ve provided the instructions for that platform.
openssl s_client -servername harbor.grt.local -connect harbor.grt.local:443 </dev/null 2>/dev/null | openssl x509 -text | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > harbor.crt
security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain harbor.crt
I was prompted for my credentials to allow the certificate to be added to the keychain. The last step that needed to be performed was to restart the docker client on my machine to pick up the changes.
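An added example, not part of the original post: the s_client fetch above accepts whatever certificate answers on port 443, so this compares the fetched harbor.crt against a fingerprint read on the Harbor host before the certificate is added to the keychain. The function names and the throwaway demo certificates are assumptions made for the example.

```shell
#!/bin/sh
# Print the SHA-256 fingerprint of the PEM certificate in $1 as bare uppercase hex.
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null |
        cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if the certificate in $1 has the fingerprint given in $2.
# $2 may be written with or without colons, in either letter case.
fp_matches() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    have=$(cert_fp "$1")
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Constructed demo: two throwaway self-signed certificates with the same CN
# stand in for the real Harbor certificate and for an unexpected responder.
pin_demo() {
    d=$(mktemp -d) || return 2
    for n in server other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj '/CN=harbor.grt.local' \
            -keyout "$d/$n.key" -out "$d/$n.crt" 2>/dev/null || return 2
    done
    pinned=$(cert_fp "$d/server.crt")   # in practice: read on the Harbor host
    fp_matches "$d/server.crt" "$pinned" && echo "server.crt: match, safe to trust"
    fp_matches "$d/other.crt" "$pinned" || echo "other.crt: MISMATCH, do not trust"
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then pin_demo; fi
```

On the Harbor server, openssl x509 -noout -fingerprint -sha256 -in /opt/harbor/ssl/harbor.crt prints the value to pin. On the client, run fp_matches harbor.crt with that value and only run security add-trusted-cert if it succeeds.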
With all of that complete we can now log into our Harbor instance using the following credentials.
Username: admin
Password: set during installation
docker login harbor.grt.local
Tag Image
Now that we’ve logged into the Harbor instance we need to tag a Docker image with information about the location of the registry. For this example we can just download the extremely small busybox docker image from Docker hub.
Run the docker pull command to download the busybox image
docker pull busybox
With the image downloaded to our local machine we can run the docker tag command to tag the docker image with the {harbor_hostname}/{harbor_repository_name}/{image}:{tag} format as shown below.
docker tag busybox:latest harbor.grt.local/library/busybox:harbor
We can view the new tag for the image by running the docker images command from the command line.
AHD-MBP13-040:kube-labs martez.reed$ docker images
REPOSITORY                         TAG      IMAGE ID       CREATED      SIZE
harbor.grt.local/library/busybox   harbor   af2f74c517aa   2 days ago   1.2MB
busybox                            latest   af2f74c517aa   2 days ago   1.2MB
Push Image
The image has been tagged appropriately and now it can be pushed to the harbor registry using the docker push command.
docker push harbor.grt.local/library/busybox:harbor
Pull Image
With the image now uploaded to the registry, the image can be pulled from the registry using the docker pull command.
docker pull harbor.grt.local/library/busybox:harbor
We can see in Harbor that the image was pulled one time from the registry as denoted by the “1” seen in the screenshot below.
This was a quick introduction to using VMware Harbor as a registry for container images. In later posts we’ll look at Harbor features such as Role Based Access Control (RBAC), projects, audit logging, LDAP authentication, image vulnerability scanning and more.
References
Docker login error
https://community.pivotal.io/s/article/Docker-Login-Error-certificate-signed-by-unknown-authority-with-VMware-Harbor-and-UAA
Docker TLS certificates
https://docs.docker.com/docker-for-mac/#add-tls-certificates