What is Harbor?
Harbor is an open-source container registry that secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. Developed by VMware and now part of the CNCF (Cloud Native Computing Foundation), Harbor is designed to enhance the capabilities of Docker Hub by offering more control, security, and performance for enterprise-level container image management.
Key Features of Harbor:
- Role-based access control (RBAC)
- Image vulnerability scanning (using Trivy)
- Content signing and verification
- Audit logs
- Replication across multiple registries
- LDAP/AD authentication
- RESTful API for integration
Harbor Installation Guide
This step-by-step guide helps you install Harbor on a Linux server using Docker and Docker Compose.
Prerequisites:
- A Linux server (Ubuntu recommended)
- Root or sudo access
- A domain name pointed to your server (e.g., harbor.example.com)
Step 1: Install Docker Engine
Update your package lists and install Docker dependencies:
sudo apt-get update
sudo apt-get install ca-certificates curl
Add Docker's official GPG key and set up the repository:
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
Install Docker Engine and Docker Compose:
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
Step 2: Download Harbor Installer
Get the latest Harbor installer package:
wget https://github.com/goharbor/harbor/releases/download/v2.13.1/harbor-online-installer-v2.13.1.tgz
tar xzvf harbor-online-installer-v2.13.1.tgz
cd harbor
Step 3: Set Up TLS Certificates
Install Certbot to obtain TLS certificates:
sudo snap install certbot --classic
Generate a certificate for your Harbor domain:
sudo certbot certonly --standalone -d <your-harbor-domain>
Configure Harbor
Copy the configuration template and edit it:
cp harbor.yml.tmpl harbor.yml
Edit harbor.yml:
- Set your hostname (your Harbor domain).
- Provide paths to your TLS certificate and key from Certbot.
- Set the initial admin password and DB password.
- Enable strong_ssl_ciphers.
- Enable internal TLS and set its path to /opt/harbor/internal-certs.
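Before running the installer it is worth checking that none of the template defaults survived the edits above, since the defaults (placeholder hostname, the well-known admin and database passwords, internal TLS off, strong ciphers off) are exactly what an attacker tries first. The script below is an added example, not code from this post or from the Harbor project. It reads the key names as they appear in harbor.yml.tmpl, and the helper names (top_key, nested_key, check_harbor_yml, the two write_sample_* functions) and both sample files are constructed for this example; the hardened sample's passwords and certificate paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or the Harbor project): a
# pre-install sanity check for harbor.yml that refuses template defaults and
# the weak TLS settings this guide tells you to change.

# Value of a top-level "key: value" line.
top_key() {  # $1=file  $2=key
  awk -v k="$2" '$1 == k ":" { print $2; exit }' "$1"
}

# Value of "key: value" nested under a top-level "section:" block.
nested_key() {  # $1=file  $2=section  $3=key
  awk -v s="$2" -v k="$3" '
    $0 ~ "^" s ":" { in_s = 1; next }
    in_s && $0 ~ /^[^ #]/ { in_s = 0 }
    in_s && $1 == k ":" { print $2; exit }
  ' "$1"
}

# Prints one line per finding; exit status is the number of findings (0 = clean).
check_harbor_yml() {  # $1=path to harbor.yml
  f="$1"; bad=0
  host=$(top_key "$f" hostname)
  case "$host" in ""|reg.mydomain.com|localhost|127.0.0.1)
    echo "hostname is still a placeholder: '$host'"; bad=$((bad + 1)) ;;
  esac
  case "$(top_key "$f" harbor_admin_password)" in ""|Harbor12345)
    echo "harbor_admin_password is the template default"; bad=$((bad + 1)) ;;
  esac
  case "$(nested_key "$f" database password)" in ""|root123)
    echo "database.password is the template default"; bad=$((bad + 1)) ;;
  esac
  [ "$(top_key "$f" strong_ssl_ciphers)" = true ] ||
    { echo "strong_ssl_ciphers is not enabled"; bad=$((bad + 1)); }
  [ "$(nested_key "$f" internal_tls enabled)" = true ] ||
    { echo "internal_tls.enabled is not true"; bad=$((bad + 1)); }
  for k in certificate private_key; do
    p=$(nested_key "$f" https "$k")
    [ -n "$p" ] && [ -r "$p" ] ||
      { echo "https.$k does not point at a readable file: '$p'"; bad=$((bad + 1)); }
  done
  return "$bad"
}

# Constructed sample: the values harbor.yml.tmpl ships with.
write_sample_default() {  # $1=output file
  cat > "$1" <<'EOF'
hostname: reg.mydomain.com
https:
  port: 443
  certificate: /your/certificate/path
  private_key: /your/private/key/path
harbor_admin_password: Harbor12345
database:
  password: root123
internal_tls:
  enabled: false
  dir: /etc/harbor/tls/internal
EOF
}

# Constructed sample: what this guide's edits should leave you with
# (placeholder passwords; cert/key paths are passed in).
write_sample_hardened() {  # $1=output file  $2=cert file  $3=key file
  cat > "$1" <<EOF
hostname: harbor.example.com
https:
  port: 443
  certificate: $2
  private_key: $3
harbor_admin_password: a-long-random-password-from-your-vault
database:
  password: another-long-random-password
strong_ssl_ciphers: true
internal_tls:
  enabled: true
  dir: /opt/harbor/internal-certs
EOF
}

# Demo on both samples in a temp dir; nothing here touches a real install.
demo() {
  d=$(mktemp -d)
  : > "$d/fullchain.pem"; : > "$d/privkey.pem"
  write_sample_default "$d/default.yml"
  write_sample_hardened "$d/hardened.yml" "$d/fullchain.pem" "$d/privkey.pem"
  n=0; echo "== default template =="; check_harbor_yml "$d/default.yml" || n=$?
  echo "findings: $n"
  n=0; echo "== hardened =="; check_harbor_yml "$d/hardened.yml" || n=$?
  echo "findings: $n"
  rm -rf "$d"
}
demo
```

Run it as `sh check.sh` after editing harbor.yml, or call `check_harbor_yml ./harbor.yml` from your own script and stop the install when it returns non-zero. On a real host, https.certificate and https.private_key should point at the fullchain.pem and privkey.pem that Certbot issued for your domain, and the admin password set here is only applied on the first start, so changing it afterwards has to be done in the UI as the post says.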
Auto-Renewal for TLS Certificates
Pre-renewal script (stop nginx):
sudo nano /etc/letsencrypt/renewal-hooks/pre/harbor.sh
Insert:
#!/bin/bash
/usr/bin/docker stop nginx
Make it executable:
sudo chmod 755 /etc/letsencrypt/renewal-hooks/pre/harbor.sh
Post-renewal script (start nginx):
sudo nano /etc/letsencrypt/renewal-hooks/post/harbor.sh
Insert:
#!/bin/bash
/usr/bin/docker start nginx
Make it executable:
sudo chmod 755 /etc/letsencrypt/renewal-hooks/post/harbor.sh
Generate Internal TLS Certificates
Create directory for internal certs:
sudo mkdir /opt/harbor
Run the Harbor tool to generate certs:
docker run -v /opt/harbor:/opt/harbor goharbor/prepare:v2.13.1 gencert -p /opt/harbor/internal-certs --day 36500
Step 4: Install Harbor
Run the installation script:
./install.sh --with-trivy
Start Harbor services:
docker compose up -d
Step 5: Initial Harbor Setup
Visit your Harbor instance at https://<your-harbor-domain>. Log in using:
- Username: admin
- Password: as set in harbor.yml
Security tip: Immediately change your admin password in the UI.
Create Projects and Robot Accounts:
- Create separate projects for your CI/CD pipelines.
- For each project, create a robot account for automated image push.
- Enable automatic image scanning on push to enhance security.
Step 6: Set Harbor to Run as a Systemd Service
To make Harbor survive server reboots, create a systemd service:
sudo nano /etc/systemd/system/harbor.service
Insert:
[Unit]
Description=Harbor Container Registry
Requires=docker.service
After=docker.service
[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/root/harbor
ExecStart=/usr/bin/docker compose up -d
ExecStop=/usr/bin/docker compose down
TimeoutStartSec=0
[Install]
WantedBy=multi-user.target
Enable and start the service:
sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable harbor.service
sudo systemctl start harbor.service
Conclusion
Harbor provides a powerful and secure alternative to public Docker registries, especially suited for organizations needing compliance, control, and integration in CI/CD pipelines. By installing Harbor on your server with Docker and enabling features like TLS, image scanning, and robot accounts, you ensure a secure and robust container image workflow.