Harbor Adopts OCI Compliance, Makes Bid to Graduate CNCF

This month’s release of Harbor 2.0 adds support for all Open Container Initiative (OCI) artifacts, making it the first OCI-compliant open source registry “capable of storing a multitude of cloud native artifacts including container images, Helm charts, OPAs, Singularity, and more,” according to the project blog post. The OCI provides a standard around the format, runtime, and the distribution of cloud native artifacts, and with the addition of OCI support to Harbor, the registry ensures compatibility with any artifact that meets the standard, but Michael Michael, director of product management at VMware and Harbor maintainer, says that storing artifacts is just the very beginning.
“The community is expanding. The number of types of cloud native artifacts is growing. As more and more artifacts are being produced by developers, you can host them in Harbor, but it’s not all about pushing or pulling an artifact into Harbor,” said Michael. “That’s basically the bare minimum for what the registry needs to do. The true, true benefits of Harbor come from the policy engine, and that’s the ability to do things like being able to scan an image for vulnerabilities, being able to set up quotas, being able to define webhooks so you can integrate Harbor with your CI/CD or other automation needs, or even get reports and alerts.”
In its blog post, the Harbor team says that existing users “should not worry; all of the familiar operations and key benefits of Harbor translate well to OCI.” Users can do everything they have been able to do historically — push, pull, delete, retag, copy, scan, and sign indexes, as well as vulnerability scanning and performing policy enforcement — and more, such as the newly added ability to delete an image tag without deleting the underlying manifest and all other associated image tags. The project also notes that, with OCI-compliance, it is now also “fully capable of handling an OCI index, a higher-level manifest representing a bundling of image manifests that’s ideal for multi-architecture scenarios.”
Harbor was first created in 2014 at VMware and donated to the Cloud Native Computing Foundation (CNCF) in July 2018, where it quickly moved from sandbox level to incubation level by November 2018. Now, the project is in the final steps of working to become the 11th project to graduate from the foundation later this year, with a vote slated for later this month. While the project has faced some scrutiny surrounding some security issues and a heterogeneous makeup of contributors, Michael says that it has addressed these issues with numerous security tests and the addition of new maintainers and contributors. In an example, Michael points to numerous contributors who have gone on to become maintainers, such as Daniel Pacak, an OSS engineer at Aqua Security, and employees of both Tencent and OVHcloud.
“We are aligned with their goals and that’s why we have maintainers from all three of those companies that are driving the vision and direction of Harbor. They want to provide the registry as a service capability for their end-users. And there wasn’t any match with what was existing out there outside of Harbor. They really loved Harbor, their users loved Harbor. So they came and partnered with us,” said Michael. “They have a stake in Harbor, they have a seat at the table. And this was all possible because of the fact that they’re willing to come and contribute in our community. So we never said no to anybody. If anybody wants to come in and help us and contribute, we’re very open.”
As for Aqua Security, another feature that comes to Harbor 2.0 is the replacement of Clair with Aqua Security’s Trivy as the default image scanner, though Michael said this was not because of Pacak’s participation, but rather because it was “the right choice.” In Harbor 1.1, Michael says, the pluggable scanning framework was introduced, and since then numerous security companies, including Aqua Security, Sysdig, and others, but Aqua Security’s Trivy stood out.
“Trivy has had the most alignment with our goals in Harbor. It is fast, it’s agile, it has a lot of features, it’s very well maintained and has frequent updates and more importantly, it has the comprehensive scanning both from an operating system standpoint as well as application packaging standpoint to align with our vision,” said Michael.
Harbor 2.0 also comes with SSL support for core Harbor features, and webhooks that can be individually triggered and come with Slack integration, not to mention dark mode. To learn more about Harbor, the project is hosting a CNCF Project Webinar on Harbor v2.0 on May 28 at 10 a.m. PDT.
The Cloud Native Computing Foundation and VMware are sponsors of The New Stack.
Feature Image by Gordon Johnson from Pixabay.