Harbor is an open-source cloud native registry that stores, signs, and scans container images for vulnerabilities. If you’re looking for an enterprise Docker image registry, Harbor is the right tool for you. It has some of the best features otherwise available only in commercial registry products like Quay.
Harbor fills a gap for applications and organizations that cannot use a public or cloud-based registry. You’ll enjoy a consistent experience across all cloud platforms. This guide will walk you through the installation of Harbor on any system with Docker support.
Features of Harbor Registry
- Multi-tenant support
- Security and vulnerability analysis support
- Extensible API and web UI
- Content signing and validation
- Image replication across multiple Harbor instances
- Identity integration and role-based access control
What You’ll Need
You need an operating system with support for Docker and the following system requirements:

|Resource|Minimum|Recommended|
|---|---|---|
|CPU|minimal 2 CPU|4 CPU is preferred|
|Mem|minimal 4GB|8GB is preferred|
|Disk|minimal 40GB|160GB is preferred|

|Software|Version|
|---|---|
|Docker engine|version 17.06.0-ce+ or higher|
|Docker Compose|version 1.18.0 or higher|
|Openssl|latest is preferred|
Step 1: Install Docker Engine
Follow our guides below on installation of Docker Engine.
Step 2: Install Docker Compose
Our next installation is the docker-compose command. It is not available in system repositories. Follow the instructions shared in our previous guide below.
Step 3: Download and Install Harbor
curl -s https://api.github.com/repos/goharbor/harbor/releases/latest | grep -o 'https://storage[a-zA-Z.-]*/[a-zA-Z0-9+-]*/[a-zA-Z0-9.+-]*/[a-zA-Z0-9.+-]*' | wget -qi -
You can also pull the latest Harbor release from the downloads page.
Unpack the downloaded Harbor file.
tar xvzf harbor-offline-installer*.tgz
Change into the harbor directory created by unpacking the file.
Harbor Installation without SSL
In the first setup, we’ll consider installation without TLS/SSL. Edit the Harbor configuration file and set the values as shown below.
$ nano harbor.yml
....
# The IP address or hostname to access admin UI and registry service.
hostname: registry.computingforgeeks.com
harbor_admin_password: [email protected]$d
# Harbor DB configuration
database:
  password: [email protected]$d
Harbor Installation with Let’s Encrypt SSL
If your server has a public IP, you can use a free Let’s Encrypt SSL certificate.
Start by installing the certbot-auto tool.
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
sudo mv certbot-auto /usr/local/bin
Then obtain the SSL certificate.
export DOMAIN="registry.computingforgeeks.com"
export EMAIL="[email protected]"
certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring
Configure the https-related settings.
hostname: registry.computingforgeeks.com
harbor_admin_password: [email protected]$d
# Harbor DB configuration
database:
  password: [email protected]$d
http:
  port: 80
https:
  port: 443
  certificate: /etc/letsencrypt/live/registry.computingforgeeks.com/fullchain.pem
  private_key: /etc/letsencrypt/live/registry.computingforgeeks.com/privkey.pem
Install Harbor Docker image registry
Once harbor.yml and the storage backend (optional) are configured, install and start Harbor using the install.sh script:
$ sudo ./install.sh
Note that the default installation does not include the Notary or Clair services. Notary is used for content signing and Clair for vulnerability scanning.
To see installer options, run:
$ ./install.sh --help
Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https.
Please set --with-clair if needs enable Clair in Harbor
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor
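The installer notes above (no localhost or 127.0.0.1 as hostname, https required for Notary) can be checked before running install.sh. This is an added example, not code from the original guide or the Harbor project: the function names yml_get and harbor_preflight are hypothetical and the sample file is constructed. It also flags the stock admin password and a world-readable harbor.yml, which go beyond what the guide states.

```shell
#!/bin/sh
# Added example: lint harbor.yml before ./install.sh (hypothetical helper names).

# yml_get FILE SECTION KEY: print KEY's value; SECTION "" means top level.
yml_get() {
  awk -v sec="$2" -v key="$3" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    { top = ($0 !~ /^[ \t]/)                   # unindented line = top-level key
      line = $0; sub(/^[ \t]+/, "", line)
      k = line; sub(/:.*$/, "", k)
      v = line; sub(/^[^:]*:[ \t]*/, "", v); sub(/[ \t]+#.*$/, "", v)
      if (top) cur = k
      if (k == key && ((sec == "" && top) || (sec != "" && !top && cur == sec))) {
        print v; exit }
    }' "$1"
}

# harbor_preflight FILE [--with-notary]: print findings, return their count.
harbor_preflight() {
  f=$1; bad=0
  fail() { echo "FAIL: $1"; bad=$((bad + 1)); }
  case $(yml_get "$f" "" hostname) in
    ""|localhost|127.0.0.1) fail "hostname must be reachable by external clients" ;;
  esac
  # Harbor12345 is the admin password shipped in the stock harbor.yml.
  if [ "$(yml_get "$f" "" harbor_admin_password)" = "Harbor12345" ]; then
    fail "harbor_admin_password is still the default"
  fi
  cert=$(yml_get "$f" https certificate); key=$(yml_get "$f" https private_key)
  if [ -z "$cert" ] || [ -z "$key" ]; then
    if [ "${2:-}" = "--with-notary" ]; then
      fail "--with-notary needs https certificate and private_key"
    else
      fail "https is not configured: registry logins cross the network in cleartext"
    fi
  fi
  # harbor.yml holds the admin and database passwords in cleartext.
  if [ -n "$(find "$f" -prune -perm -004)" ]; then
    fail "$f is world-readable; restrict it (e.g. chmod 600)"
  fi
  return "$bad"
}

# Constructed sample input with the flaws planted (not a real configuration).
demo=$(mktemp)
printf '%s\n' 'hostname: localhost' 'harbor_admin_password: Harbor12345' \
  'database:' '  password: constructed-value' > "$demo"
harbor_preflight "$demo" || echo "$? finding(s)"
rm -f "$demo"
```

A return value of 0 means none of the checks fired; the parser only understands the flat two-level layout used in this guide, not arbitrary YAML.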
Example, enable Notary, Clair and Chartmuseum:
$ sudo ./install.sh --with-notary --with-clair --with-chartmuseum
To include Notary service, you must enable and configure https in harbor.yml.
[Step 0]: checking installation environment ...
Note: docker version: 19.03.1
Note: docker-compose version: 1.24.1
[Step 1]: loading Harbor images ...
Loaded image: goharbor/harbor-core:v1.8.1
Loaded image: goharbor/harbor-registryctl:v1.8.1
Loaded image: goharbor/redis-photon:v1.8.1
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.8.1
Loaded image: goharbor/chartmuseum-photon:v0.8.1-v1.8.1
Loaded image: goharbor/harbor-db:v1.8.1
Loaded image: goharbor/harbor-jobservice:v1.8.1
Loaded image: goharbor/nginx-photon:v1.8.1
Loaded image: goharbor/registry-photon:v2.7.1-patch-2819-v1.8.1
Loaded image: goharbor/harbor-migrator:v1.8.1
Loaded image: goharbor/prepare:v1.8.1
Loaded image: goharbor/harbor-portal:v1.8.1
Loaded image: goharbor/harbor-log:v1.8.1
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.8.1
Loaded image: goharbor/clair-photon:v2.0.8-v1.8.1
[Step 2]: preparing environment ...
prepare base dir is set to /root/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /config/clair/postgres_env
Generated configuration file: /config/clair/config.yaml
Generated configuration file: /config/clair/clair_env
Create config folder: /config/chartserver
Generated configuration file: /config/chartserver/env
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
[Step 3]: starting Harbor ...
✔ ----Harbor has been installed and started successfully.----
Now you should be able to visit the admin portal at http://registry.computingforgeeks.com.
For more details, please visit https://github.com/goharbor/harbor .
Harbor log files are stored in the directory /var/log/harbor/:
$ ls -1 /var/log/harbor/
chartmuseum.log
clair.log
core.log
jobservice.log
portal.log
postgresql.log
proxy.log
redis.log
registryctl.log
registry.log
Step 4: Access Harbor
After the installation has succeeded, access the Harbor web console at https://registry_domain.
Username: admin
Password: Set-in-harbor.yml
You should get to the Harbor web dashboard.
Step 5: Managing Harbor’s lifecycle
List running Harbor service containers:
$ sudo docker-compose ps
Name                Command                          State          Ports
---------------------------------------------------------------------------------------------
chartmuseum         /docker-entrypoint.sh            Up (healthy)   9999/tcp
clair               /docker-entrypoint.sh            Up (healthy)   6060/tcp, 6061/tcp
harbor-core         /harbor/start.sh                 Up (healthy)
harbor-db           /entrypoint.sh postgres          Up (healthy)   5432/tcp
harbor-jobservice   /harbor/start.sh                 Up
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)   127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)   80/tcp
nginx               nginx -g daemon off;             Up (healthy)   0.0.0.0:80->80/tcp
redis               docker-entrypoint.sh redis ...   Up             6379/tcp
registry            /entrypoint.sh /etc/regist ...   Up (healthy)   5000/tcp
registryctl         /harbor/start.sh                 Up (healthy)
You can use docker-compose to manage the lifecycle of Harbor. See examples below.
$ sudo docker-compose stop
Stopping nginx ...
Stopping harbor-jobservice ... done
Stopping harbor-portal ... done
Stopping clair ... done
Stopping chartmuseum ... done
Stopping harbor-core ... done
Stopping harbor-db ... done
Stopping redis ... done
Stopping registry ... done
Stopping registryctl ... done
Stopping harbor-log ... done
Restarting Harbor after stopping:
$ sudo docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting core ... done
Starting portal ... done
Starting redis ... done
Starting jobservice ... done
Starting proxy ... done
Starting clair ... done
Starting chartmuseum ... done
Updating Harbor’s configuration:
To change Harbor’s configuration, first stop the existing Harbor instance and update harbor.yml. Then run the prepare script to populate the configuration, and re-create and start the Harbor instance:
$ sudo docker-compose down -v
$ nano harbor.yml
$ sudo ./prepare
$ sudo docker-compose up -d
When Harbor is installed with Notary, Clair and chart repository service:
$ sudo docker-compose down -v
$ nano harbor.yml
$ sudo ./prepare --with-notary --with-clair --with-chartmuseum
$ sudo docker-compose up -d
For troubleshooting, check the log file of the container service in question in the directory /var/log/harbor.
$ tail -n 100 /var/log/harbor/clair.log
Visit the Harbor user guide page to learn more about usage.