Tutorial: Install the Docker Harbor Registry Server on Ubuntu 18.04

16 Jul 2019 12:00pm, by

If you and your company are looking for an on-premises Docker image registry, you cannot go wrong with Harbor. With Harbor you not only get a solid solution for housing your images, you also gain the ability (with the addition of Clair) to scan your images for vulnerabilities. Given how more and more Docker images are being found with issues, having the ability to scan them before they are used to deploy containers can be a real boon to any company looking to up its container security.

The key features of Harbor include:

  • Security and vulnerability analysis
  • Content signing and validation
  • Extensible API and web UI
  • Image replication
  • Role-based access control
  • Multitenant

Let’s get Harbor up and running.

What You’ll Need

Here’s what you’ll need for a successful Harbor installation:

  • A running instance of Ubuntu Server 18.04.
  • A user account with sudo privileges.

Docker and Docker Compose

Before we actually install Harbor, there are a number of dependencies to take care of. Let’s get everything ready.

The first tool to install is Docker itself. Open a terminal window and issue the command:

sudo apt-get install docker.io

Once Docker is installed, you need to add your user to the docker group with the command:

sudo usermod -aG docker $USER

Log out and log back in (so the changes will take effect).

Next, we need to install the docker-compose command. As this cannot be installed via the standard repositories, it is taken care of with the following commands:

sudo curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

sudo chmod +x /usr/local/bin/docker-compose

NGINX

The next dependency to install is NGINX. If your instance of Ubuntu Server 18.04 already has Apache installed, it will interfere with the installation of NGINX. To get around this, stop and disable it with the following commands:

sudo systemctl stop apache2

sudo systemctl disable apache2

With Apache out of the way, install NGINX with the command:

sudo apt-get install nginx

Start and enable NGINX with the commands:

sudo systemctl start nginx
sudo systemctl enable nginx

Download and Install Harbor

With the dependencies taken care of, it’s time to install Harbor. Download the Harbor offline installer with the command:

wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.1.tgz

NOTE: Make sure to visit the Harbor release page to check for the latest version.

Unpack the downloaded Harbor file with the command:

tar xvzf harbor-offline-installer-v1.8.1.tgz

The above command will create a new directory, named harbor. Change into that directory with the command:

cd harbor

Creating SSL Keys

Harbor cannot function properly without SSL. Because of this, you need to add SSL keys. If this is a production environment, you should purchase keys from a reputable CA. Since this is a test case, we’ll create self-signed keys.

NOTE: I’ll be demonstrating with the IP address 192.168.1.203. Make sure to substitute the IP address of your Harbor server in the commands and configurations below.

Since we are going the self-signed route, we need to modify the /etc/ssl/openssl.cnf file. Open that file for editing with the command:

sudo nano /etc/ssl/openssl.cnf

Locate the [v3_ca] section in that file and add the following line (Figure A):

subjectAltName = IP:192.168.1.203

Figure A: The necessary openssl.cnf modification.

Generate the self-signed certificates with the command:

openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt

Make sure to answer the questions (using the IP address or domain of your Harbor server for the Common Name). Next, generate the signing request with the command:

openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.1.203.key -out 192.168.1.203.csr

Again, answer the necessary questions.

Create a configuration file for the Subject Alternative Name with the command:

nano extfile.cnf

In that file, paste the following:

Save and close the file.

Generate the certificate with the command:

openssl x509 -req -days 3650 -in 192.168.1.203.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 192.168.1.203.crt

With the key generation complete, we need to copy the newly-generated certificates into the proper directory. First, create the directory with the command:

sudo mkdir -p /etc/docker/certs.d/192.168.1.203

Now copy the keys with the command:

sudo cp *.crt *.key /etc/docker/certs.d/192.168.1.203
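
The certificate steps above as one non-interactive script, followed by the checks worth running before the files are copied into place. This is an added example, not part of the original tutorial. It assumes the server files are named <ip>.key, <ip>.csr and <ip>.crt and that extfile.cnf holds the same subjectAltName line used in openssl.cnf; the function names and -subj values are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). File names <ip>.key/.csr/.crt,
# the -subj values and the function names are assumptions.

make_harbor_cert() (
    ip="$1"; dir="$2"; bits="${3:-4096}"
    umask 077                                   # keep private keys owner-only
    mkdir -p "$dir" && cd "$dir" || exit 1
    # Self-signed test CA; the subject is a constructed placeholder.
    openssl req -newkey "rsa:$bits" -nodes -sha256 -keyout ca.key \
        -x509 -days 3650 -subj "/CN=Harbor test CA" -out ca.crt || exit 1
    # Server key and signing request.
    openssl req -newkey "rsa:$bits" -nodes -sha256 -keyout "$ip.key" \
        -subj "/CN=$ip" -out "$ip.csr" || exit 1
    # Docker (Go TLS) validates an IP address against IP SANs only.
    printf 'subjectAltName = IP:%s\n' "$ip" > extfile.cnf
    openssl x509 -req -days 3650 -in "$ip.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile extfile.cnf -out "$ip.crt" || exit 1
)

check_harbor_cert() (
    ip="$1"; dir="$2"
    cd "$dir" || exit 1
    # 1. The server certificate chains to the CA.
    openssl verify -CAfile ca.crt "$ip.crt" >/dev/null 2>&1 \
        || { echo "chain: FAIL"; exit 1; }
    # 2. The SAN extension made it into the signed certificate.
    openssl x509 -in "$ip.crt" -noout -text | grep -qF "IP Address:$ip" \
        || { echo "SAN: FAIL"; exit 1; }
    # 3. The private key belongs to the certificate (public keys match).
    [ "$(openssl x509 -in "$ip.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$ip.key" -pubout)" ] \
        || { echo "key: FAIL"; exit 1; }
    echo ok
)

# Usage: sh harbor-cert.sh 192.168.1.203 ./certs
if [ "$#" -ge 2 ]; then
    make_harbor_cert "$@" && check_harbor_cert "$1" "$2"
fi
```

Docker reads ca.crt from /etc/docker/certs.d/<host> to trust the registry; the CA's private key (ca.key) does not need to be in that directory.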

Configuring the Harbor Installer

Before running the installation command, a few edits must be made to the harbor.yml file. Open that file for editing with the command:

nano harbor.yml

The following options must be edited:

  • hostname — set this to either the IP address or the domain of your hosting server.
  • port — set this to 8080.
  • harbor_admin_password — set this to a strong, unique password.
  • password (in the database configuration section) — change this to a strong, unique password.

Because we are using SSL, it is also necessary to uncomment (remove the leading # characters) the following lines:

Make sure to edit the paths of the keys to reflect:

The SSL section should look similar to that shown in Figure B.

Figure B: The SSL section of the harbor.yml file.

Save and close that file.

Installing Harbor

It’s time to install Harbor. We’ll be installing the service with Clair support (for the scanning of vulnerabilities). To do this, issue the command:

sudo ./install.sh --with-clair

The installation takes a bit of time, so be patient until the Harbor services are started (Figure C) and you are returned to your bash prompt.

Figure C: The Harbor installation is almost complete.

The installation should complete without errors. When it does, open a browser and point it to https://SERVER_IP/harbor (where SERVER_IP is the IP address or domain of your Harbor server). You will be prompted for the admin user credentials (the username is admin and the password is the one you set in the harbor.yml file).

Once you’ve successfully logged in, you are ready to start using Harbor as your on-premises Docker registry.
