DEV Community

giveitatry

How to Install Harbor: A Secure Container Registry

What is Harbor?

Harbor is an open-source container registry that secures artifacts with policies and role-based access control, ensures images are scanned and free from vulnerabilities, and signs images as trusted. Developed by VMware and now part of the CNCF (Cloud Native Computing Foundation), Harbor is designed to enhance the capabilities of Docker Hub by offering more control, security, and performance for enterprise-level container image management.

Key Features of Harbor:

  • Role-based access control (RBAC)
  • Image vulnerability scanning (using Trivy)
  • Content signing and verification
  • Audit logs
  • Replication across multiple registries
  • LDAP/AD authentication
  • RESTful API for integration

Harbor Installation Guide

This step-by-step guide helps you install Harbor on a Linux server using Docker and Docker Compose.

Prerequisites:

  • A Linux server (Ubuntu recommended)
  • Root or sudo access
  • A domain name pointed to your server (e.g., harbor.example.com)

Step 1: Install Docker Engine

Update your package lists and install Docker dependencies:

sudo apt-get update
sudo apt-get install ca-certificates curl

Add Docker's official GPG key and set up the repository:

sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Install Docker Engine and Docker Compose:

sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Step 2: Download Harbor Installer

Get the latest Harbor installer package:

wget https://github.com/goharbor/harbor/releases/download/v2.13.1/harbor-online-installer-v2.13.1.tgz
tar xzvf harbor-online-installer-v2.13.1.tgz
cd harbor

Step 3: Set Up TLS Certificates

Install Certbot to obtain TLS certificates:

sudo snap install certbot --classic

Generate a certificate for your Harbor domain:

sudo certbot certonly --standalone -d <your-harbor-domain>

Configure Harbor

Copy the configuration template and edit it:

cp harbor.yml.tmpl harbor.yml

Edit harbor.yml:

  • Set your hostname (your Harbor domain).
  • Provide paths to your TLS certificate and key from Certbot.
  • Set the initial admin password and DB password.
  • Enable strong_ssl_ciphers.
  • Enable internal TLS and set path to /opt/harbor/internal-certs.
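A preflight check for the edits listed above, to run before ./install.sh (an added example, not part of the original post or of Harbor). The function names yml_get and check_harbor_yml are made up for this example; the default values it looks for (reg.mydomain.com, Harbor12345, root123) are the ones shipped in harbor.yml.tmpl.

```shell
# Added example: preflight check for harbor.yml. Line-based heuristic, not a
# YAML parser; keys and defaults follow harbor.yml.tmpl, sample is constructed.

# yml_get SECTION KEY FILE: value of KEY under top-level SECTION ('' = top level).
yml_get() {
  awk -v sec="$1" -v key="$2" '
    function val(s) { sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t]+#.*$/, "", s)
                      sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    /^[^ \t]/ { cur = $0; sub(/:.*/, "", cur)    # a column-0 key opens a section
                if (sec == "" && cur == key) { print val($0); exit }
                next }
    sec != "" && cur == sec {
      line = $0; sub(/^[ \t]+/, "", line)
      if (index(line, key ":") == 1) { print val(line); exit }
    }' "$3"
}

# check_harbor_yml FILE: prints one line per finding, returns the finding count.
check_harbor_yml() {
  f=$1; n=0
  fail() { echo "FAIL: $1"; n=$((n + 1)); }
  [ "$(yml_get '' hostname "$f")" != "reg.mydomain.com" ] || fail "hostname is the template default"
  [ "$(yml_get '' harbor_admin_password "$f")" != "Harbor12345" ] || fail "default admin password"
  [ "$(yml_get database password "$f")" != "root123" ] || fail "default database password"
  [ "$(yml_get https strong_ssl_ciphers "$f")" = "true" ] || fail "https.strong_ssl_ciphers not enabled"
  [ "$(yml_get internal_tls enabled "$f")" = "true" ] || fail "internal_tls not enabled"
  [ "$(yml_get internal_tls dir "$f")" = "/opt/harbor/internal-certs" ] || fail "internal_tls.dir is not /opt/harbor/internal-certs"
  for k in certificate private_key; do
    p=$(yml_get https "$k" "$f")
    [ -n "$p" ] && [ -r "$p" ] || fail "https.$k missing or unreadable: $p"
  done
  return "$n"
}

# Constructed sample: the relevant template lines, left unedited.
sample=$(mktemp)
cat > "$sample" <<'EOF'
hostname: reg.mydomain.com
https:
  certificate: /your/certificate/path
  private_key: /your/private/key/path
  # strong_ssl_ciphers: false
# internal_tls:
#   enabled: true
harbor_admin_password: Harbor12345
database:
  password: root123
EOF
check_harbor_yml "$sample" || echo "$? finding(s) in the unedited template"
rm -f "$sample"
```

Against your own file, call `check_harbor_yml harbor.yml` as root so the Certbot key under /etc/letsencrypt is readable; a return value of 0 means every item in the list above is in place.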

Auto-Renewal for TLS Certificates

Pre-renewal script (stop nginx):

sudo nano /etc/letsencrypt/renewal-hooks/pre/harbor.sh

Insert:

#!/bin/bash
/usr/bin/docker stop nginx

Make it executable:

sudo chmod 755 /etc/letsencrypt/renewal-hooks/pre/harbor.sh

Post-renewal script (start nginx):

sudo nano /etc/letsencrypt/renewal-hooks/post/harbor.sh

Insert:

#!/bin/bash
/usr/bin/docker start nginx

Make it executable:

sudo chmod 755 /etc/letsencrypt/renewal-hooks/post/harbor.sh

Generate Internal TLS Certificates

Create directory for internal certs:

sudo mkdir /opt/harbor

Run the Harbor tool to generate certs:

docker run -v /opt/harbor:/opt/harbor goharbor/prepare:v2.13.1 gencert -p /opt/harbor/internal-certs --day 36500

Step 4: Install Harbor

Run the installation script:

./install.sh --with-trivy

Start Harbor services:

docker compose up -d

Step 5: Initial Harbor Setup

Visit your Harbor instance at https://<your-harbor-domain>. Log in using:

  • Username: admin
  • Password: as set in harbor.yml

Security tip: Immediately change your admin password in the UI.

Create Projects and Robot Accounts:

  • Create separate projects for your CI/CD pipelines.
  • For each project, create a robot account for automated image push.
  • Enable automatic image scanning on push to enhance security.

Step 6: Set Harbor to Run as a Systemd Service

To make Harbor survive server reboots, create a systemd service:

sudo nano /etc/systemd/system/harbor.service

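Insert the following, setting WorkingDirectory to the directory that contains Harbor's docker-compose.yml (the harbor directory extracted in Step 2):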

[Unit]
Description=Harbor Container Registry
Requires=docker.service
After=docker.service

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/root/harbor
ExecStart=/usr/bin/docker compose up -d
ExecStop=/usr/bin/docker compose down
TimeoutStartSec=0

[Install]
WantedBy=multi-user.target

Enable and start the service:

sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable harbor.service
sudo systemctl start harbor.service

Conclusion

Harbor provides a powerful and secure alternative to public Docker registries, especially suited for organizations needing compliance, control, and integration in CI/CD pipelines. By installing Harbor on your server with Docker and enabling features like TLS, image scanning, and robot accounts, you ensure a secure and robust container image workflow.
