If you and your company are looking for an on-premises Docker image registry, you cannot go wrong with Harbor. With Harbor you not only get a solid solution for housing your images, you also gain (with the addition of Clair) the ability to scan those images for vulnerabilities. Given how many Docker images are being found with issues, being able to scan them before they are used to deploy containers can be a real boon to any company looking to improve its container security.
The key features of Harbor include:
- Security and vulnerability analysis
- Content signing and validation
- Extensible API and web UI
- Image replication
- Role-based access control
Let’s get Harbor up and running.
What You’ll Need
Here’s what you’ll need for a successful Harbor installation:
- A running instance of Ubuntu Server 18.04.
- A user account with sudo privileges.
Docker and Docker Compose
Before we actually install Harbor, there are a number of dependencies to take care of. Let’s get everything ready.
The first tool to install is Docker itself. Open a terminal window and issue the command:
sudo apt-get install docker.io
Once Docker is installed, you need to add your user to the docker group with the command:
sudo usermod -aG docker $USER
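Log out and log back in (so the changes will take effect). Keep in mind that membership in the docker group is root-equivalent on the host, so only add accounts you would also trust with sudo.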
Next, we need to install the docker-compose command. As this cannot be installed via the standard repositories, it is taken care of with the following commands:
sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
The next dependency to install is NGINX. If your instance of Ubuntu Server 18.04 already has Apache installed, it will interfere with the installation of NGINX. To get around this, stop and disable it with the following commands:
sudo systemctl stop apache2
sudo systemctl disable apache2
With Apache out of the way, install NGINX with the command:
sudo apt-get install nginx
Start and enable NGINX with the commands:
sudo systemctl start nginx
sudo systemctl enable nginx
Download and Install Harbor
With the dependencies taken care of, it’s time to install Harbor. Download the Harbor offline installer with the command:
NOTE: Make sure to visit the Harbor release page to check for the latest version.
Unpack the downloaded Harbor file with the command:
tar xvzf harbor-offline-installer-v1.8.1.tgz
The above command will create a new directory, named harbor. Change into that directory with the command:
Creating SSL Keys
Harbor cannot function properly without SSL. Because of this, you need to add SSL keys and certificates. If this is a production environment, you should purchase certificates from a reputable CA. Since this is a test case, we’ll create self-signed certificates.
NOTE: I’ll be demonstrating with the IP address 192.168.1.203. Make sure to substitute the IP address of your Harbor server in the commands and configurations below.
Since we are going the self-signed route, we need to modify the /etc/ssl/openssl.cnf file. Open that file for editing with the command:
sudo nano /etc/ssl/openssl.cnf
Locate the [v3_ca] section in that file and add the following line (Figure A):
subjectAltName = IP:192.168.1.203
Generate the self-signed certificates with the command:
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Make sure to answer the questions (using the IP address or domain of your Harbor server for the Common Name). Next, generate the signing request with the command:
openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.1.203.key -out 192.168.1.203.csr
Again, answer the necessary questions.
Create a configuration file for the Subject Alternative Name with the command:
In that file, paste the following:
subjectAltName = IP:192.168.1.203
Save and close the file.
Generate the certificate with the command:
openssl x509 -req -days 3650 -in 192.168.1.203.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 192.168.1.203.crt
With the key generation complete, we need to copy the newly-generated certificates into the proper directory. First, create the directory with the command:
sudo mkdir -p /etc/docker/certs.d/192.168.1.203
Now copy the keys with the command:
sudo cp *.crt *.key /etc/docker/certs.d/192.168.1.203
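The certificate steps above, as an added example that is not part of the original article: it runs the CA, signing request and signing commands non-interactively in a scratch directory, then checks the chain, the IP subjectAltName and the key match. It assumes a private ca.cnf instead of an edited /etc/ssl/openssl.cnf; make_harbor_cert and check_harbor_cert are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example (not from the article): the CA -> CSR -> signed certificate
# steps run non-interactively in a scratch directory, then verified.
# make_harbor_cert, check_harbor_cert and ca.cnf are hypothetical names.

make_harbor_cert() (   # usage: make_harbor_cert <ip> <dir> [rsa-bits]
  ip="$1"; bits="${3:-4096}"
  mkdir -p "$2" && cd "$2" || exit 1
  # Private config: leaves the system-wide /etc/ssl/openssl.cnf untouched.
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Harbor Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  echo "subjectAltName = IP:${ip}" > extfile.cnf
  openssl req -config ca.cnf -newkey "rsa:${bits}" -nodes -sha256 \
    -keyout ca.key -x509 -days 3650 -out ca.crt 2>/dev/null || exit 1
  openssl req -config ca.cnf -newkey "rsa:${bits}" -nodes -sha256 \
    -subj "/CN=${ip}" -keyout "${ip}.key" -out "${ip}.csr" 2>/dev/null || exit 1
  openssl x509 -req -sha256 -days 3650 -in "${ip}.csr" -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile extfile.cnf -out "${ip}.crt" 2>/dev/null
)

check_harbor_cert() (  # prints "ok" and returns 0 only if every check passes
  ip="$1"; cd "$2" || exit 1
  # 1. The server certificate chains to the CA that Docker will be told to trust.
  openssl verify -CAfile ca.crt "${ip}.crt" >/dev/null 2>&1 ||
    { echo "chain check failed"; exit 1; }
  # 2. The IP SAN from extfile.cnf made it into the signed certificate.
  openssl x509 -in "${ip}.crt" -noout -text | grep -qF "IP Address:${ip}" ||
    { echo "IP SAN missing"; exit 1; }
  # 3. The private key belongs to this certificate (public keys must be equal).
  [ "$(openssl x509 -in "${ip}.crt" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "${ip}.key" -pubout | openssl sha256)" ] ||
    { echo "key/certificate mismatch"; exit 1; }
  echo "ok"
)

# Demo run; 2048-bit keys only to keep it quick (the article uses rsa:4096).
demo_dir="$(mktemp -d)"
make_harbor_cert 192.168.1.203 "$demo_dir" 2048 && check_harbor_cert 192.168.1.203 "$demo_dir"
```

Docker reads ca.crt from /etc/docker/certs.d/<registry host>/ to trust the registry; ca.key is the CA signing key and is not needed in that directory.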
Configuring the Harbor Installer
Before running the installation command, a few edits must be made to the harbor.yml file. Open that file for editing with the command:
The following options must be edited:
- hostname — set this to either the IP address or the domain of your hosting server.
- port — set this to 8080.
- harbor_admin_password — set this to a strong, unique password.
- password (in the database configuration section) — change this to a strong, unique password.
Because we are using SSL, it is also necessary to uncomment (remove the leading # characters) the following lines:
Make sure to edit the paths of the keys to reflect:
The SSL section should look similar to that shown in Figure B.
Save and close that file.
It’s time to install Harbor. We’ll be installing the service with Clair support (for the scanning of vulnerabilities). To do this, issue the command:
sudo ./install.sh --with-clair
The installation takes a bit of time, so be patient until the Harbor services are started (Figure C) and you are returned to your bash prompt.
The installation should complete without errors. When it does, open a browser and point it to https://SERVER_IP/harbor (where SERVER_IP is the IP address or domain of your Harbor server). You will be prompted for the admin user credentials (the username is admin and the password is the one you set in the harbor.yml file).
Once you’ve successfully logged in, you are ready to start using Harbor as your on-premises Docker registry.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.