VMware Harbor (https://goharbor.io/) is an open source container registry platform created by VMware. The registry has a number of enterprise features such as role based access control (RBAC), audit logging, replication as well as integrated image vulnerability scanning with CoreOS’ clair. This blog post will walk through getting VMware Harbor up and running as well as pushing and pulling images.

Harbor Installation

The following steps detail the installation process for a CentOS 7 server. Install epel-release to access additional packages such as docker compose and docker.

yum -y install epel-release

Install docker and docker-compose for running the Harbor containers

yum -y install docker docker-compose

Start the docker service and enable it to start on boot

systemctl enable docker && systemctl start docker

Download and extract the Harbor installer bundle

wget https://storage.googleapis.com/harbor-releases/release-1.7.0/harbor-online-installer-v1.7.5.tgz

tar -xzf harbor-online-installer-v1.7.5.tgz

Change directory to the unpacked Harbor bundle

cd harbor

We’ll create a new directory for storing the SSL certificate key pair that we’ll generate

mkdir -p /opt/harbor/ssl

The following command generates the self-signed SSL certificate that we’ll use for the Harbor instance.

openssl req -subj '/CN=harbor.grt.local/O=GRT/C=US' -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout /opt/harbor/ssl/harbor.key -out /opt/harbor/ssl/harbor.crt

SSL Certificate

SSL certificates need to be utilized to ensure all communication with Harbor is TLS encrypted. In this example a self-signed certificate will be generated to show the configuration process.

The harbor installer utilizes the “harbor.cfg” configuration file to the settings used during the Harbor deployment and is located in the harbor directory. The following settings are the handful that we’ll update for this basic deployment of Harbor.

hostname: Harbor instance hostname
ui_url_protocl: Harbor UI protocl (http|https)
ssl_cert: The file path for the SSL certificate public key
ssl_cert_key: The file path for the SSL certificate private key
harbor_admin_password: The password for the harbor admin user
db_password: The root password for the postgres database

The following sed commands can be used to update the values of the settings mentioned above.

sed -i 's/^hostname.*/hostname = harbor.grt.local/' harbor.cfg
sed -i 's/ui_url_protocol.*/ui_url_protocol = https/' harbor.cfg
sed -i 's\ssl_cert =.*\ssl_cert = /opt/harbor/ssl/harbor.crt\' harbor.cfg
sed -i 's\ssl_cert_key.*\ssl_cert_key = /opt/harbor/ssl/harbor.key\' harbor.cfg
sed -i 's/harbor_admin_password.*/harbor_admin_password = SuperPassword/' harbor.cfg
sed -i 's/db_password.*/db_password = SuperPassword/' harbor.cfg

Run the Harbor install script to setup Harbor

sudo ./install.sh

Once the installation has completed we should be able to access the Harbor web ui by browsing to https://harbor_host_name in a web browser. The username is “admin” and the password is what was specified during the installation.

The homepage will show information about the harbor installation such as the number of projects, images, the amount of available storage and more.

Working with Docker Images

Now that Harbor has been installed and is running, the next step is to push and pull images to and from the registry.

Login

The Harbor instance is currently configured for local user authentication. This means that a login needs to be performed before images can be pushed or pulled from the Harbor instance.

SSL Certificate Error

The SSL certificate in this example is self-signed and will not be trusted from the docker client when it attempts to perform the docker login command. We need to download the SSL certificate and add it to the designated trusted location on the client system. In my particular case I’m using a Mac so I’ve provided the instructions for that platform.

openssl s_client -servername harbor.grt.local -connect harbor.grt.local:443 </dev/null 2>/dev/null | openssl x509 -text | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > harbor.crt

security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain harbor.crt

I was prompted for my credentials to allow the certificate to be added to the keychain. The last step that needed to be performed was to restart the docker client on my machine to pick up the changes.

With all of that complete we can now log into our Harbor instance using the following credentials.

Username: admin
Password: set during installation

docker login harbor.grt.local

Tag Image

Now that we’ve logged into the Harbor instance we need to tag a Docker image with information about the location of the registry. For this example we can just download the extremely small busybox docker image from Docker hub.

Run the docker pull command to download the busybox image

docker pull busybox

With the image downloaded to our local machine we can run the docker tag command to tag the docker image with the {harbor_hostname}{harbor_repository_name}{image}:{tag} format as shown in the screenshot below.

docker tag busybox:latest harbor.grt.local/library/busybox:harbor

We can view the new tag for the image by running the docker images command from the command line.

AHD-MBP13-040:kube-labs martez.reed$ docker images
REPOSITORY                         TAG                 IMAGE ID            CREATED             SIZE
harbor.grt.local/library/busybox   harbor              af2f74c517aa        2 days ago          1.2MB
busybox                            latest              af2f74c517aa        2 days ago          1.2MB

Push Image

The image has been tagged appropriately and now it can be pushed to the harbor registry using the docker push command.

docker push harbor.grt.local/library/busybox:harbor

Pull Image

With the image now uploaded to the registry, the image can be pulled from the registry using the docker pull command.

docker pull harbor.grt.local/library/busybox:harbor

We can see in Harbor that the image was pulled one time from the registry as denoted by the “1” seen in the screenshot below.

This was a quick introduction to using VMware Harbor as a registry for container images. In later post we’ll look at Harbor features such as Role Based Access Control (RBAC), projects, audit logging, LDAP authentication, image vulnerability scanning and more.

References

Docker login error

https://community.pivotal.io/s/article/Docker-Login-Error-certificate-signed-by-unknown-authority-with-VMware-Harbor-and-UAA

Docker TLS certificates

https://docs.docker.com/docker-for-mac/#add-tls-certificates