
How do I install the Harbor container registry on CentOS / Debian / Ubuntu Linux? Harbor is an open-source cloud native registry that stores, signs, and scans container images for vulnerabilities. If you’re looking for an enterprise Docker image registry, then Harbor is the right tool for you. It has some of the best features otherwise only available in commercial registry products like Quay.

Harbor fills a gap for applications and organizations that cannot use a public or cloud-based registry. You’ll enjoy a consistent experience across all cloud platforms. This guide will walk you through the installation of Harbor on any system with Docker support.

Features of Harbor Registry

  • Multi-tenant support
  • Security and vulnerability analysis support
  • Extensible API and web UI
  • Content signing and validation
  • Image replication across multiple Harbor instances
  • Identity integration and role-based access control

What You’ll Need

You need an operating system with Docker support and the following system requirements:

Hardware

Resource   Capacity        Description
CPU        minimal 2 CPU   4 CPU is preferred
Mem        minimal 4GB     8GB is preferred
Disk       minimal 40GB    160GB is preferred

Software

Software         Version
Docker engine    version 17.06.0-ce+ or higher
Docker Compose   version 1.18.0 or higher
Openssl          latest is preferred

Network ports

Port   Protocol
443    HTTPS
4443   HTTPS
80     HTTP

Let’s now start the installation of Harbor on a Linux system: CentOS, Ubuntu or Debian.

Storage Preparation (Optional)

I’ll be using a secondary disk as data store for all container images – /dev/sdb

$ lsblk 
NAME                   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                      8:0    0  100G  0 disk 
├─sda1                   8:1    0    1G  0 part /boot
└─sda2                   8:2    0   74G  0 part 
  ├─rhel-root          253:0    0   10G  0 lvm  /
  ├─rhel-swap          253:1    0   16G  0 lvm  [SWAP]
  ├─rhel-home          253:2    0    4G  0 lvm  /home
  ├─rhel-var           253:3    0   20G  0 lvm  /var
  ├─rhel-var_log       253:4    0   10G  0 lvm  /var/log
  ├─rhel-var_log_audit 253:5    0    2G  0 lvm  /var/log/audit
  ├─rhel-tmp           253:6    0    8G  0 lvm  /tmp
  └─rhel-var_tmp       253:7    0    4G  0 lvm  /var/tmp
sdb                      8:16   0  200G  0 disk 
sr0                     11:0    1 1024M  0 rom  

Let’s prepare and mount this disk.

sudo parted -s -a optimal -- /dev/sdb mklabel gpt
sudo parted -s -a optimal -- /dev/sdb mkpart primary 0% 100%
sudo parted -s -- /dev/sdb align-check optimal 1
sudo pvcreate /dev/sdb1
sudo vgcreate vg0 /dev/sdb1
sudo lvcreate -n harbor -l +100%FREE vg0
sudo mkfs.xfs /dev/vg0/harbor
sudo mkdir /data
echo "/dev/vg0/harbor /data xfs defaults 0 0" | sudo tee -a /etc/fstab

Mount and confirm:

$ sudo mount -a
$ df -hT /data/
Filesystem             Type  Size  Used Avail Use% Mounted on
/dev/mapper/vg0-harbor xfs   200G  1.5G  199G   1% /data

Step 1: Install Docker Engine

Follow our guides below on installation of Docker Engine.

Install Docker and Docker Compose on Debian 10 Buster

How to install Docker CE on Ubuntu / Debian / CentOS 

How to install Docker on Fedora

Install Docker CE on CentOS 8 | RHEL 8

Step 2: Install Docker Compose

Next, install the docker-compose command. It is not available in the system repositories, so follow the instructions in our previous guide below.

How To Install Latest Docker Compose on Linux

Step 3: Download and Install Harbor

Download harbor

curl -s https://api.github.com/repos/goharbor/harbor/releases/latest | grep browser_download_url | cut -d '"' -f 4 | grep '\.tgz$' | wget -i -

You can also pull the latest Harbor release from the downloads page.

Unpack downloaded Harbor file.

tar xvzf harbor-offline-installer*.tgz

Change into the harbor directory created by unpacking the file.

cd harbor

Harbor Installation without SSL

In the first setup, we’ll consider installation without TLS/SSL. Copy configuration template:

cp harbor.yml.tmpl harbor.yml

Edit the Harbor configuration file and set the values as shown below.

$ nano harbor.yml
....
# The IP address or hostname to access admin UI and registry service.
hostname: registry.computingforgeeks.com

harbor_admin_password: "<your-admin-password>"   # placeholder, set your own

# Harbor DB configuration
database:
  password: "<your-db-password>"   # placeholder, set your own

Harbor Installation with Let’s Encrypt SSL

If your server has a public IP, you can use a free Let’s Encrypt SSL certificate.

Start by installing certbot-auto tool.

wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
sudo mv certbot-auto /usr/local/bin

Then obtain SSL certificate.

export DOMAIN="registry.computingforgeeks.com"
export EMAIL="admin@example.com"   # placeholder: use your own address
certbot-auto certonly --standalone -d "$DOMAIN" --preferred-challenges http --agree-tos -n -m "$EMAIL" --keep-until-expiring

Configure the HTTPS-related settings in harbor.yml.

hostname: registry.computingforgeeks.com
harbor_admin_password: "<your-admin-password>"   # placeholder, set your own

# Harbor DB configuration
database:
  password: "<your-db-password>"   # placeholder, set your own

http:
  port: 80

https:
  port: 443
  certificate: /etc/letsencrypt/live/registry.computingforgeeks.com/fullchain.pem
  private_key: /etc/letsencrypt/live/registry.computingforgeeks.com/privkey.pem

Harbor Installation with Self Signed SSL Certificates

For self-signed certificates, create a certificate configuration file. Modify the file to match your values.

$ cd /etc/pki/tls/certs
$ sudo vim harbor_certs.cnf
[ req ]  
default_bits       = 4096
default_md         = sha512
default_keyfile    = harbor_registry.key
prompt             = no
encrypt_key        = no
distinguished_name = req_distinguished_name

# distinguished_name
[ req_distinguished_name ]  
countryName            = "KE" 
localityName           = "Nairobi"
stateOrProvinceName    = "Nairobi"
organizationName       = "Computingforgeeks"
commonName             = "registry.computingforgeeks.com"
# placeholder address: use your own
emailAddress           = "admin@example.com"

Generate key and csr:

sudo openssl req -out harbor_registry.csr -newkey rsa:4096 -sha512 -nodes -keyout harbor_registry.key -config harbor_certs.cnf

Create a self-signed certificate with a 10-year expiration date:

sudo openssl x509 -in harbor_registry.csr -out harbor_registry.crt -req -signkey harbor_registry.key -days 3650

To view certificate details use the command:

$ openssl x509 -text -noout -in harbor_registry.crt

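Configure the HTTPS-related settings in harbor.yml, pointing at the certificate and key created in /etc/pki/tls/certs.

hostname: registry.computingforgeeks.com
harbor_admin_password: "<your-admin-password>"   # placeholder, set your own

# Harbor DB configuration
database:
  password: "<your-db-password>"   # placeholder, set your own

http:
  port: 80

https:
  port: 443
  certificate: /etc/pki/tls/certs/harbor_registry.crt
  private_key: /etc/pki/tls/certs/harbor_registry.key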
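
A certificate built from the configuration above identifies the registry only through commonName; Docker clients built with Go 1.15 or later ignore that field and require a subjectAltName. The script below is an added example, not part of the original guide: it issues the same kind of self-signed certificate with a SAN, then checks the SAN and that the key belongs to the certificate. The function names, the v3_registry section name and the output directory are assumptions; the file names follow the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): self-signed registry certificate
# with a subjectAltName, plus two checks to run before install.sh.

# make_registry_cert <hostname> <outdir>
make_registry_cert() {
    host=$1; out=$2
    mkdir -p "$out" || return 1
    cat > "$out/harbor_certs.cnf" <<EOF
[ req ]
default_bits       = 4096
default_md         = sha512
prompt             = no
encrypt_key        = no
distinguished_name = req_distinguished_name
x509_extensions    = v3_registry

[ req_distinguished_name ]
organizationName   = Computingforgeeks
commonName         = $host

[ v3_registry ]
subjectAltName     = DNS:$host
EOF
    # umask 077 keeps the unencrypted private key readable by its owner only.
    ( umask 077
      openssl req -x509 -new -config "$out/harbor_certs.cnf" -days 3650 \
          -keyout "$out/harbor_registry.key" -out "$out/harbor_registry.crt"
    ) 2>/dev/null
}

# cert_has_san <cert> <hostname>: true only if the SAN lists exactly this name.
cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# key_matches_cert <cert> <key>: true if both hold the same public key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage: sh registry_cert.sh registry.example.test ./certs
if [ "$#" -ge 2 ]; then
    make_registry_cert "$1" "$2" && cert_has_san "$2/harbor_registry.crt" "$1" &&
        key_matches_cert "$2/harbor_registry.crt" "$2/harbor_registry.key" &&
        echo "certificate for $1 written to $2"
fi
```

Clients still have to trust the resulting certificate explicitly, because it is self-signed.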

Install Harbor Docker image registry

Once harbor.yml and storage backend (optional) are configured, install and start Harbor using the install.sh script. 

$ sudo ./install.sh

Note that the default installation does not include the Notary or Clair services. Notary is used for content signing and Clair for vulnerability scanning.

To see installer options, run:

$ ./install.sh --help
Note: Please set hostname and other necessary attributes in harbor.yml first. DO NOT use localhost or 127.0.0.1 for hostname, because Harbor needs to be accessed by external clients.
Please set --with-notary if needs enable Notary in Harbor, and set ui_url_protocol/ssl_cert/ssl_cert_key in harbor.yml bacause notary must run under https. 
Please set --with-clair if needs enable Clair in Harbor
Please set --with-chartmuseum if needs enable Chartmuseum in Harbor

Example, enable Notary, Clair and Chartmuseum:

$ sudo ./install.sh --with-notary --with-clair --with-chartmuseum

To include Notary service, you must enable and configure https in harbor.yml.

[Step 0]: checking installation environment ...

Note: docker version: 19.03.1

Note: docker-compose version: 1.24.1

[Step 1]: loading Harbor images ...
Loaded image: goharbor/harbor-core:v1.8.1
Loaded image: goharbor/harbor-registryctl:v1.8.1
Loaded image: goharbor/redis-photon:v1.8.1
Loaded image: goharbor/notary-server-photon:v0.6.1-v1.8.1
Loaded image: goharbor/chartmuseum-photon:v0.8.1-v1.8.1
Loaded image: goharbor/harbor-db:v1.8.1
Loaded image: goharbor/harbor-jobservice:v1.8.1
Loaded image: goharbor/nginx-photon:v1.8.1
Loaded image: goharbor/registry-photon:v2.7.1-patch-2819-v1.8.1
Loaded image: goharbor/harbor-migrator:v1.8.1
Loaded image: goharbor/prepare:v1.8.1
Loaded image: goharbor/harbor-portal:v1.8.1
Loaded image: goharbor/harbor-log:v1.8.1
Loaded image: goharbor/notary-signer-photon:v0.6.1-v1.8.1
Loaded image: goharbor/clair-photon:v2.0.8-v1.8.1

[Step 2]: preparing environment ...
prepare base dir is set to /root/harbor
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /secret/keys/secretkey
Generated certificate, key file: /secret/core/private_key.pem, cert file: /secret/registry/root.crt
Generated configuration file: /config/clair/postgres_env
Generated configuration file: /config/clair/config.yaml
Generated configuration file: /config/clair/clair_env
Create config folder: /config/chartserver
Generated configuration file: /config/chartserver/env
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir

[Step 3]: starting Harbor ...

✔ ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://registry.computingforgeeks.com. 
For more details, please visit https://github.com/goharbor/harbor .

Confirm that all containers are started.

.....
[Step 5]: starting Harbor ...
Creating network "harbor_harbor" with the default driver
Creating network "harbor_harbor-clair" with the default driver
Creating network "harbor_harbor-notary" with the default driver
Creating network "harbor_harbor-chartmuseum" with the default driver
Creating network "harbor_notary-sig" with the default driver
Creating harbor-log ... done
Creating registry      ... done
Creating registryctl   ... done
Creating harbor-db     ... done
Creating redis         ... done
Creating harbor-portal ... done
Creating chartmuseum   ... done
Creating notary-signer ... done
Creating clair         ... done
Creating harbor-core   ... done
Creating notary-server     ... done
Creating clair-adapter     ... done
Creating harbor-jobservice ... done
Creating nginx             ... done
✔ ----Harbor has been installed and started successfully.----

Harbor log files are stored in the directory /var/log/harbor/:

$ ls -1 /var/log/harbor/
chartmuseum.log
clair.log
core.log
jobservice.log
portal.log
postgresql.log
proxy.log
redis.log
registryctl.log
registry.log

Step 4: Access Harbor

After the installation has succeeded, access Harbor web console on https://registry_domain.

Login with:

Username: admin
Password: Set-in-harbor.yml

You should get to Harbor web dashboard.


Step 5: Managing Harbor’s lifecycle

List running Harbor service containers:

$ sudo docker-compose ps
      Name                     Command                       State                                          Ports                               
------------------------------------------------------------------------------------------------------------------------------------------------
chartmuseum         ./docker-entrypoint.sh           Up (healthy)                                                                               
clair               ./docker-entrypoint.sh           Restarting                                                                                 
clair-adapter       /home/clair-adapter/entryp ...   Up (healthy)                                                                               
harbor-core         /harbor/entrypoint.sh            Up (health: starting)                                                                      
harbor-db           /docker-entrypoint.sh            Up (healthy)                                                                               
harbor-jobservice   /harbor/entrypoint.sh            Up (health: starting)                                                                      
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)            127.0.0.1:1514->10514/tcp                                          
harbor-portal       nginx -g daemon off;             Up (healthy)                                                                               
nginx               nginx -g daemon off;             Up (healthy)            0.0.0.0:4443->4443/tcp, 0.0.0.0:80->8080/tcp, 0.0.0.0:443->8443/tcp
notary-server       /bin/sh -c migrate-patch - ...   Up                                                                                         
notary-signer       /bin/sh -c migrate-patch - ...   Up                                                                                         
redis               redis-server /etc/redis.conf     Up (healthy)                                                                               
registry            /home/harbor/entrypoint.sh       Up (healthy)                                                                               
registryctl         /home/harbor/start.sh            Up (healthy)          

You can use docker-compose to manage the lifecycle of Harbor. See examples below.

Stopping Harbor:

$ sudo docker-compose stop
Stopping nginx             ...
Stopping harbor-jobservice ... done
Stopping harbor-portal     ... done
Stopping clair             ... done
Stopping chartmuseum       ... done
Stopping harbor-core       ... done
Stopping harbor-db         ... done
Stopping redis             ... done
Stopping registry          ... done
Stopping registryctl       ... done
Stopping harbor-log        ... done

Restarting Harbor after stopping:

$ sudo docker-compose start
Starting log         ... done
Starting registry    ... done
Starting registryctl ... done
Starting postgresql  ... done
Starting core        ... done
Starting portal      ... done
Starting redis       ... done
Starting jobservice  ... done
Starting proxy       ... done
Starting clair       ... done
Starting chartmuseum ... done

Updating Harbor’s configuration:

To change Harbor’s configuration, first stop the existing Harbor instance and update harbor.yml. Then run the prepare script to populate the configuration, and finally re-create and start Harbor’s instance:

$ sudo docker-compose down -v
$ nano harbor.yml
$ sudo ./prepare
$ sudo docker-compose up -d

When Harbor is installed with Notary, Clair and chart repository service:

$ sudo docker-compose down -v
$ nano harbor.yml
$ sudo ./prepare --with-notary --with-clair --with-chartmuseum
$ sudo docker-compose up -d

For troubleshooting, check the log file of the container service in question in the /var/log/harbor directory.

$ tail -n 100 /var/log/harbor/clair.log

Visit Harbor user guide page to learn more on usage.
