CNCF’s Cloud-Native Stack Gets a Private Container Registry from VMware
The Cloud Native Computing Foundation has taken on VMware’s Harbor container registry as a Sandbox-level hosted project.
Harbor is a registry for storing container images. For container management, the software also offers security and compliance support for user management, vulnerability checking, access control, activity monitoring, and replication between instances.
Typically, container registries are offered as a service, either by cloud providers or software vendors such as Docker. Harbor can be set up in-house, and thus be closer to the development environment, and more deeply intertwined with existing security practices.
“In a multicloud world that we are moving toward, the portability of the service gives users more confidence, so as they look at the different infrastructure offerings to run a cloud-native environment, they know this service isn’t going to change, whatever cloud they choose,” said Clint Kitson, VMware cloud-native engineering director, in an interview with The New Stack.
This software can be run in-house by organizations that can’t use a cloud-based registry, or in a multicloud deployment, so as to provide a consistent container deployment pattern across clouds.
The synchronization feature is one that many users have deployed, said Haining (Henry) Zhang, VMware chief architect for cloud-native research and development in China, during a 2017 presentation of the technology. You set up a replication policy for a particular image, and it will be synchronized to target destinations.
“When you push a new image to Harbor, it will be incrementally replicated to the other sites,” Zhang said. “This is very useful and loved by many users.”
- 4,743 GitHub stars
- 1,369 forks
- 91 contributors
- 4,968 commits
- 49 releases
The control offered by a private repository also helps if you need to ensure that the exact same image is used over time, unlike with a public repository, where the image may get updated with bug fixes or other changes. Harbor is set up to operate in a scale-out fashion, to avoid bottlenecks. Multiple copies of the registry can be set up, which can either share the same storage resources, or each use their own storage resources. This approach works well for geographically distributed clusters, Zhang said.
In addition to storing containers, the software can also periodically scan container images to look for known vulnerabilities, through the integration of Red Hat’s Clair vulnerability scanning service. Users can also apply a policy to vulnerability management, blocking the download of any dependency that has a known vulnerability.
The digital signing capabilities allow organizations to set up a trusted development and deployment process, ensuring the content run in production is what it should be, Kitson said.
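To make the three controls just described concrete (digest-pinned references, a block-on-known-vulnerability policy, and a signature requirement), here is a small admission-gate function written for this article as an added example. It is not Harbor’s code or API; the severity names, the `ScanReport` structure, the registry hostname and the `CVE-0000-000x` identifiers are all constructed placeholders.

```python
"""Toy pull-admission gate: digest pinning + vulnerability threshold + signature.
Constructed illustration; not Harbor's data model or REST API."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Severity ordering (assumed; Clair-style names used only for illustration).
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# A reference is "pinned" only when it names a sha256 digest, not a mutable tag.
DIGEST_RE = re.compile(r"^[^@]+@sha256:[0-9a-f]{64}$")


@dataclass
class ScanReport:
    """Constructed scan summary: (cve_id, severity) pairs plus a signed flag."""
    vulns: List[Tuple[str, str]] = field(default_factory=list)
    signed: bool = False


def check_pull(ref: str, report: ScanReport, block_at: str = "High",
               require_signature: bool = True) -> List[str]:
    """Return the reasons a pull would be blocked; an empty list means allowed."""
    reasons = []
    if not DIGEST_RE.match(ref):
        reasons.append("reference is not pinned by sha256 digest")
    threshold = SEVERITY_RANK[block_at]
    # Unknown severity strings fail closed (treated as Critical).
    blocking = sorted(cve for cve, sev in report.vulns
                      if SEVERITY_RANK.get(sev, 4) >= threshold)
    if blocking:
        reasons.append("known vulnerabilities at or above %s: %s"
                       % (block_at, ", ".join(blocking)))
    if require_signature and not report.signed:
        reasons.append("image carries no content-trust signature")
    return reasons


# Constructed sample inputs (placeholder host, digest and CVE ids).
SAMPLE_DIGEST = "sha256:" + "ab" * 32
PINNED_REF = "harbor.example.internal/team/api@" + SAMPLE_DIGEST
TAGGED_REF = "harbor.example.internal/team/api:latest"
CLEAN_REPORT = ScanReport(vulns=[("CVE-0000-0001", "Medium")], signed=True)
BAD_REPORT = ScanReport(vulns=[("CVE-0000-0002", "Critical")], signed=False)

if __name__ == "__main__":
    for ref, rep in ((PINNED_REF, CLEAN_REPORT), (TAGGED_REF, BAD_REPORT)):
        print(ref, "->", check_pull(ref, rep) or ["allowed"])
```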
Harbor also has these features, according to the project’s GitHub page:
- Role-based access control: Users are given permissions to access certain projects. Some users can just pull images while developers, for instance, can both pull and push images.
- LDAP/AD support: Harbor can interface with Lightweight Directory Access Protocol or Microsoft Active Directory installations for user authentication and management.
- Notary: Image authenticity can be ensured through a digital signing service, to ensure content trust.
- Graphical user portal: A web interface is available to browse and search repositories as well as manage projects.
- Auditing: All repository actions are logged.
- Application Programming Interface: Harbor provides a set of RESTful APIs that covers most administrative operations.
Harbor can be easily set up in any Kubernetes environment through the use of a Helm chart, which will also stand up all the dependent services and manage them over the lifetime of the application. The development team is working on a Kubernetes controller for Harbor, which will allow the software to be completely self-managed, expanding the service as needed, Kitson noted.
“We want Harbor to be something that is operated by Kubernetes. We would love to have a customer resource that would be managed by users or admins,” Kitson said.
For the individual user, the software can also be easily installed on a laptop through a Docker Compose file.
Harbor started as an internal VMware project in China in 2014 and was initially used for internal projects. The company released the project code as open source in 2016. Pivotal Container Service (PKS) and vSphere Integrated Containers already use Harbor in production environments.
Thus far, the software has been used by over 300 parties, including companies such as China Mobile, JD.com, Rancher, OnStar Shanghai, Talking Data, Tencent Cloud, Tenxcloud, and TrendMicro. Chinese start-up Caicloud is offering container services that are powered by Harbor.
The CNCF has been adopting open source technologies that work together to provide vendor-neutral cloud computing, starting with the Kubernetes container orchestration engine. Harbor is the 24th project to be shepherded by the CNCF. The CNCF Sandbox is a home for early-stage projects.
Previously, VMware has also donated the Open vSwitch and the IO Visor project to the Linux Foundation.
VMware is not alone in offering open source container registries. Red Hat also offers Quay, from its acquisition of CoreOS earlier this year.
The Cloud Native Computing Foundation, Red Hat and VMware are sponsors of The New Stack.