1 Harbor overview

Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Harbor extends the open source Docker Distribution by adding the features users typically need, such as security, identity, and management. Having the registry closer to the build and run environment improves image transfer efficiency. Harbor supports replicating images between registries and also provides advanced security features such as user management, access control, and activity auditing.

2 Harbor features

  • Cloud-native registry: Harbor supports both container images and Helm charts, so it can serve as the registry for cloud-native environments such as container runtimes and orchestration platforms.
  • Role-based access control: Users access repositories through projects, and a user can have different permissions for the images or Helm charts under a project.
  • Policy-based replication: Images and charts can be replicated (synchronized) between multiple registry instances based on policies, using filters (repository, tag, and label). Harbor automatically retries a replication if it encounters an error. This can be used to assist load balancing, achieve high availability, and facilitate multi-data-center deployments in hybrid and multi-cloud scenarios.
  • Vulnerability scanning: Harbor scans images regularly for vulnerabilities and has policy checks to prevent vulnerable images from being deployed.
  • LDAP/AD support: Harbor integrates with existing enterprise LDAP/AD for user authentication and management, and supports importing LDAP groups into Harbor, which can then be granted permissions on specific projects.
  • OIDC support: Harbor uses OpenID Connect (OIDC) to verify the identity of users authenticated by an external authorization server or identity provider. Single sign-on can be enabled to log into the Harbor portal.
  • Image deletion and garbage collection: System administrators can run garbage collection jobs so that images (dangling manifests and unreferenced blobs) are deleted and their space is freed up periodically.
  • Notary: Supports signing container images with Docker Content Trust (backed by Notary) to guarantee authenticity and provenance. In addition, policies that prevent unsigned images from being deployed can be activated.
  • Graphical user portal: Users can easily browse and search repositories and manage projects.
  • Auditing: All operations on the repositories are tracked through logs.
  • RESTful API: RESTful APIs for most administrative operations make it easy to integrate with external systems. An embedded Swagger UI is available for exploring and testing the API.
  • Easy deployment: Harbor can be deployed with Docker Compose or a Helm chart, and a Harbor Operator has recently been added.

3 Harbor architecture design

Harbor fronts the Registry and its core services with an nginx proxy; behind them sit the database and the job service, which carries out image replication. The core service handles user authentication (its token service issues the token that every docker push/pull request must carry, and the Registry redirects a request without a valid token to the token service) and receives webhook callbacks from the Registry when images change. The Registry stores the Docker images and serves the upload and download commands. The database stores user permissions, audit logs, and project information. The log collector monitors Harbor and gathers the logs of the other components.
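The token handshake described above, driven by hand with curl so both sides of the exchange are visible. This is an added example, not Harbor's own code; it assumes Harbor is reachable at https://192.168.3.183 (the Master1 node of the deployment below) with its token service under /service/token, and the sample challenge header used in the comments is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Harbor's own code): the docker push/pull token flow.
# Assumptions: REGISTRY points at a Harbor instance; the token service path
# /service/token is what Harbor advertises in its WWW-Authenticate challenge.
set -eu

REGISTRY="${REGISTRY:-https://192.168.3.183}"

# Extract one key (realm, service or scope) from a Bearer challenge such as
#   Bearer realm="https://host/service/token",service="harbor-registry",scope="repository:library/nginx:pull"
challenge_field() {
  local header="$1" key="$2"
  printf '%s' "$header" | sed -n "s/.*${key}=\"\([^\"]*\)\".*/\1/p"
}

# Build the URL the Docker client calls on the token service.
token_url() {
  local header="$1"
  local realm service scope
  realm=$(challenge_field "$header" realm)
  service=$(challenge_field "$header" service)
  scope=$(challenge_field "$header" scope)
  printf '%s?service=%s&scope=%s' "$realm" "$service" "$scope"
}

# Decode the payload (second segment) of a JWT without verifying it, so the
# "access" claim Harbor issued can be inspected: base64url -> base64 + padding.
jwt_payload() {
  local seg pad
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  pad=$(( (4 - ${#seg} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do seg="${seg}="; pad=$((pad - 1)); done
  printf '%s' "$seg" | base64 -d
}

# Full flow against a live Harbor (needs network):
#   1) anonymous GET on the manifest -> 401 with a WWW-Authenticate challenge
#   2) fetch a token from the realm with basic auth
#   3) retry the manifest request with "Authorization: Bearer <token>"
pull_manifest() {
  local repo="$1" tag="$2" user="$3" pass="$4"
  local challenge url token
  challenge=$(curl -sk -D - -o /dev/null "$REGISTRY/v2/$repo/manifests/$tag" \
              | sed -n 's/^[Ww][Ww][Ww]-[Aa]uthenticate: //p' | tr -d '\r')
  url=$(token_url "$challenge")
  token=$(curl -sk -u "$user:$pass" "$url" | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
  echo "token grants: $(jwt_payload "$token")" >&2
  curl -sk -H "Authorization: Bearer $token" \
       -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
       "$REGISTRY/v2/$repo/manifests/$tag"
}

# Only the live flow touches the network; the helpers above work offline.
if [ "${1:-}" = "--live" ]; then
  pull_manifest "${2:-library/nginx}" "${3:-latest}" \
                "${HARBOR_USER:-admin}" "${HARBOR_PASS:-Harbor12345}"
fi
```

The "access" claim printed in step 2 is what the Registry enforces: it lists the repository and the actions (pull, push) the token was minted for, scoped by the user's role in the project, which is why a token issued for one project cannot be replayed against another.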

4 Harbor high availability deployment

4.1 Dual-Master Replication Scheme

Projects in HarborA are replicated to HarborB, and projects in HarborB are replicated to HarborA, so both nodes hold the same content. An nginx instance in front load-balances requests across HarborA and HarborB; if either HarborA or HarborB goes down, the other node keeps serving.
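The nginx front end for this scheme, as an added example rather than configuration shipped by Harbor. It assumes HarborA is 192.168.3.182 and HarborB is 192.168.3.181 (the two worker nodes below), that both expose Harbor's own proxy on HTTP port 80, and that the front nginx terminates TLS with a certificate at the assumed path /etc/nginx/certs; the server name harbor.example.com is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not Harbor's own config): render the nginx load-balancer
# configuration for the dual-master scheme. Assumptions: HarborA/HarborB serve
# plain HTTP on :80 behind this nginx, which terminates TLS itself.
set -eu

render_harbor_lb_conf() {
  local harbor_a="$1" harbor_b="$2"
  cat <<EOF
upstream harbor_backend {
    # Passive health check: a node that fails 3 times is skipped for 30s,
    # so a down Harbor stops receiving traffic without manual intervention.
    server ${harbor_a}:80 max_fails=3 fail_timeout=30s;
    server ${harbor_b}:80 max_fails=3 fail_timeout=30s;
}

server {
    listen 443 ssl;
    server_name harbor.example.com;          # placeholder; use your own name
    ssl_certificate     /etc/nginx/certs/harbor.crt;
    ssl_certificate_key /etc/nginx/certs/harbor.key;

    # Image layers can be gigabytes; nginx's default 1m limit breaks docker push.
    client_max_body_size 0;
    chunked_transfer_encoding on;

    location / {
        proxy_pass http://harbor_backend;
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        # Tells Harbor the client arrived over TLS, so the token realm and
        # redirect URLs it hands back are https rather than http.
        proxy_set_header X-Forwarded-Proto https;
        # Stream uploads to the backend instead of spooling them to disk.
        proxy_request_buffering off;
    }
}
EOF
}

main() {
  local out="${1:-/etc/nginx/conf.d/harbor-ha.conf}"
  render_harbor_lb_conf 192.168.3.182 192.168.3.181 > "$out"
  # Validate before reloading; a bad config takes both Harbors offline at once.
  if command -v nginx >/dev/null; then nginx -t; fi
}

if [ "${HARBOR_LB_WRITE:-0}" = 1 ]; then main "$@"; fi
```

Run with HARBOR_LB_WRITE=1 to write the file; without it the script only defines the renderer. Note that replication between the two Harbors is asynchronous, so a push that lands on HarborA is briefly absent from HarborB, which matters if the next pull is balanced to the other node.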

4.2 Environment Preparation

Prepare three nodes.

Node     IP address
Master1  192.168.3.183
Worker1  192.168.3.182
Worker2  192.168.3.181

Install Harbor

Note: make sure the Docker and Harbor versions are compatible.

  1. Download the Harbor offline installer and unpack it: tar xvf harbor-offline-installer-v1.6.0.tgz
  2. Change hostname in the harbor.cfg file to the node's IP address.
  3. Install Harbor: sh install.sh. Error: "Need to install docker-compose(1.7.1+) by yourself first and run this script again."
  4. Install docker-compose:
     [root@jxd-worker2 harbor]# mv docker-compose-Linux-x86_64-1.22.0 /usr/local/bin/docker-compose
     [root@jxd-worker2 harbor]# chmod +x /usr/local/bin/docker-compose
     [root@jxd-worker2 harbor]# docker-compose --version
     docker-compose version 1.22.0, build f46880fe
  5. Error: port 80 is occupied. The solution
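The whole procedure above as one script, added here as an example and not part of the Harbor installer. It performs the unpack, the hostname edit and the docker-compose install, and turns the two failures the page runs into (docker-compose missing or older than 1.7.1, and port 80 already taken) into checks that fail before install.sh is started. It assumes the v1.6.0 offline tarball is in the current directory and that the docker-compose binary downloaded from the project's releases is named docker-compose-Linux-x86_64-1.22.0.

```shell
#!/usr/bin/env bash
# Added example (not Harbor's own installer): run the preparation steps and
# pre-flight checks for a Harbor 1.6.0 node. Assumptions: the offline tarball
# and the docker-compose release binary are in the current directory.
set -eu

# Dotted version compare: returns 0 when $1 >= $2 (GNU sort -V does the work).
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# True if something already listens on TCP port $1 on loopback. Uses bash's
# /dev/tcp so it works on a fresh node without netstat, ss or lsof.
port_in_use() {
  (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null
}

# Rewrite the "hostname = ..." line of harbor.cfg to the node's IP (step 2).
set_harbor_hostname() {
  local cfg="$1" host="$2"
  sed -i.bak "s/^hostname *=.*/hostname = ${host}/" "$cfg"
}

# Step 4: put the docker-compose binary on PATH with the executable bit set.
install_compose() {
  local src="$1"
  install -m 0755 "$src" /usr/local/bin/docker-compose
}

main() {
  local ip="${1:?usage: $0 <node-ip>}"
  tar xvf harbor-offline-installer-v1.6.0.tgz            # step 1
  set_harbor_hostname harbor/harbor.cfg "$ip"            # step 2

  if ! command -v docker-compose >/dev/null; then
    install_compose ./docker-compose-Linux-x86_64-1.22.0  # step 4
  fi
  local v
  v=$(docker-compose --version | sed -n 's/.*[Vv]ersion \([0-9.]*\).*/\1/p')
  version_ge "$v" 1.7.1 || {
    echo "docker-compose $v is too old; install.sh requires 1.7.1+" >&2; exit 1; }

  if port_in_use 80; then                                 # step 5's failure
    echo "port 80 is already in use; stop that service before install.sh" >&2
    exit 1
  fi
  (cd harbor && sh install.sh)                            # step 3
}

if [ "${HARBOR_INSTALL:-0}" = 1 ]; then main "$@"; fi
```

Invoke as HARBOR_INSTALL=1 ./prepare-harbor.sh 192.168.3.183 (the node's own IP); without HARBOR_INSTALL the script only defines the helpers. Keeping the hostname edit in a function matters because the value ends up in the certificates and token realm Harbor generates, so a wrong hostname breaks docker login even when the containers come up cleanly.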
