⚓ Harbor Container Registry on AlmaLinux: Enterprise-Grade Docker Registry
Welcome to enterprise container management! 🎉 Ready to secure and manage your container images like a pro? Harbor is the open-source, trusted cloud-native registry that stores, signs, and scans your containers! It’s the platform that makes Docker registry enterprise-ready! Think of it as your container fortress with built-in security! 🚀✨
🤔 Why is Harbor Important?
Harbor transforms container management! 🚀 Here’s why it’s amazing:
- 🔒 Security Scanning - Vulnerability detection built-in!
- ✍️ Image Signing - Ensure image authenticity!
- 🔄 Replication - Sync across multiple registries!
- 👥 RBAC - Fine-grained access control!
- 📦 OCI Support - Store any OCI artifacts!
- 📊 SBOM Generation - Software bill of materials!
It’s like having DockerHub Enterprise for free! 💰
🎯 What You Need
Before building your container registry, ensure you have:
- ✅ AlmaLinux 9 server
- ✅ Root or sudo access
- ✅ At least 4GB RAM (8GB recommended)
- ✅ 4 CPU cores minimum
- ✅ 40GB free disk space
- ✅ Docker and Docker Compose installed
- ✅ Love for containers! ⚓
📝 Step 1: System Preparation - Getting Ready!
Let’s prepare AlmaLinux 9 for Harbor! 🏗️
```bash
# Update system packages
sudo dnf update -y

# Install Docker
sudo dnf install -y dnf-utils
sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo dnf install -y docker-ce docker-ce-cli containerd.io

# Start Docker
sudo systemctl start docker
sudo systemctl enable docker

# Verify Docker
docker --version
# Should show: Docker version 24.x.x

# Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" \
  -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

# Verify Docker Compose
docker-compose --version
# Should show: Docker Compose version v2.x.x

# Add user to docker group
sudo usermod -aG docker $USER
# Log out and back in for group changes
```
Configure firewall for Harbor:
```bash
# Open Harbor ports
sudo firewall-cmd --permanent --add-port=80/tcp    # HTTP
sudo firewall-cmd --permanent --add-port=443/tcp   # HTTPS
sudo firewall-cmd --permanent --add-port=4443/tcp  # Notary
sudo firewall-cmd --reload

# Verify ports
sudo firewall-cmd --list-ports
# Should show: 80/tcp 443/tcp 4443/tcp
```
Perfect! System is ready! 🎯
🔧 Step 2: Installing Harbor - The Docker Way!
Let’s install Harbor using Docker Compose! 🚀
Download Harbor:
```bash
# Create Harbor directory
sudo mkdir -p /opt/harbor
cd /opt/harbor

# Download Harbor installer
HARBOR_VERSION="2.10.0"  # Check latest at https://github.com/goharbor/harbor/releases
wget "https://github.com/goharbor/harbor/releases/download/v${HARBOR_VERSION}/harbor-offline-installer-v${HARBOR_VERSION}.tgz"

# Extract Harbor
tar xzf "harbor-offline-installer-v${HARBOR_VERSION}.tgz"
cd harbor

# List files
ls -la
# Should show: harbor.yml.tmpl, install.sh, prepare, etc.
```
Configure Harbor:
```bash
# Copy configuration template
cp harbor.yml.tmpl harbor.yml

# Edit configuration
vi harbor.yml

# Key settings to modify:
# hostname: your-server-ip or domain
# http:
#   port: 80
# https:                      # Comment out for now if no certificates
#   port: 443
#   certificate: /path/to/cert
#   private_key: /path/to/key
# harbor_admin_password: Harbor12345!
# database:
#   password: root123
# data_volume: /data
```
Here’s a basic configuration:
```yaml
# Minimal harbor.yml example
hostname: your-server-ip
http:
  port: 80
harbor_admin_password: Harbor12345!
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /data
trivy:
  ignore_unfixed: false
  skip_update: false
  insecure: false
jobservice:
  max_job_workers: 10
notification:
  webhook_job_max_retry: 10
chart:
  absolute_url: disabled
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
```
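The minimal configuration above is fine for a first run but ships several settings you would not keep in production. As an added example (not part of Harbor or of this guide's original code), here is a small checker that takes harbor.yml parsed into a dict and flags the weak settings, with the tutorial's minimal config beside a corrected one as constructed input; PyYAML is only needed for the command-line path.

```python
#!/usr/bin/env python3
"""Flag weak settings in a parsed harbor.yml (added example, not Harbor project code)."""
import sys

DEFAULT_ADMIN_PASSWORDS = {"Harbor12345", "Harbor12345!"}   # shipped default and the tutorial value

def audit_harbor_config(cfg):
    """Return a list of (severity, message) findings for a harbor.yml loaded as a dict."""
    findings = []
    if "https" not in cfg:
        findings.append(("HIGH", "no https section: credentials and image layers travel in clear text"))
    elif not cfg["https"].get("certificate") or not cfg["https"].get("private_key"):
        findings.append(("HIGH", "https section is missing certificate or private_key"))
    if cfg.get("harbor_admin_password") in DEFAULT_ADMIN_PASSWORDS:
        findings.append(("HIGH", "harbor_admin_password is the well-known default; change it before ./install.sh"))
    db_pw = str(cfg.get("database", {}).get("password", ""))
    if len(db_pw) < 12 or db_pw.lower() in {"root123", "password", "postgres"}:
        findings.append(("MEDIUM", "database.password is short or guessable"))
    trivy = cfg.get("trivy", {})
    if trivy.get("insecure"):
        findings.append(("MEDIUM", "trivy.insecure: true disables TLS verification for vulnerability DB downloads"))
    if trivy.get("skip_update"):
        findings.append(("LOW", "trivy.skip_update: true freezes the vulnerability database; scans go stale"))
    if cfg.get("log", {}).get("level", "info") == "debug":
        findings.append(("LOW", "log.level debug may write tokens and request bodies to /var/log/harbor"))
    return findings

# Constructed examples: the tutorial's minimal config beside a corrected one
WEAK = {"hostname": "your-server-ip", "http": {"port": 80},
        "harbor_admin_password": "Harbor12345!", "database": {"password": "root123"},
        "trivy": {"ignore_unfixed": False, "skip_update": False, "insecure": False}}
HARDENED = {"hostname": "harbor.example.com", "http": {"port": 80},
            "https": {"port": 443, "certificate": "/etc/letsencrypt/live/harbor.example.com/fullchain.pem",
                      "private_key": "/etc/letsencrypt/live/harbor.example.com/privkey.pem"},
            "harbor_admin_password": "<generated-32-char-secret>",
            "database": {"password": "<generated-32-char-secret>"},
            "trivy": {"ignore_unfixed": False, "skip_update": False, "insecure": False}}

if __name__ == "__main__":
    import yaml                                   # pip install pyyaml; only needed for this CLI path
    with open(sys.argv[1] if len(sys.argv) > 1 else "harbor.yml") as fh:
        for severity, msg in audit_harbor_config(yaml.safe_load(fh)) or [("OK", "no findings")]:
            print(f"[{severity}] {msg}")
```

Run it against /opt/harbor/harbor/harbor.yml before ./prepare; the three findings it raises on the minimal config are exactly the ones the Security Best Practices section below asks you to fix.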
🌟 Step 3: Deploy Harbor - Launch Your Registry!
Time to install Harbor! 🎮
Run Installation:
```bash
# Prepare Harbor configuration
sudo ./prepare

# Install Harbor with Trivy scanner
sudo ./install.sh --with-trivy

# Installation takes 5-10 minutes
# Watch for completion message:
# ✔ ----Harbor has been installed and started successfully.----
```
Verify Installation:
```bash
# Check running containers
docker-compose ps

# Should see these containers running:
# harbor-core
# harbor-db
# harbor-jobservice
# harbor-log
# harbor-portal
# harbor-redis
# nginx
# registry
# registryctl
# trivy-adapter

# Check logs if needed
docker-compose logs -f
```
Access Harbor:
```bash
# Get your server IP
ip addr show | grep inet

# Access Harbor
# URL: http://your-server-ip
# Username: admin
# Password: Harbor12345!
```
Dashboard shows:
- 📊 Projects - Container namespaces
- 📦 Repositories - Image storage
- 🔍 Vulnerability - Security scanning
- 🔄 Replication - Registry sync
- 👥 Users - Access management
✅ Step 4: Creating Your First Project - Let’s Store Images!
Time to use Harbor! 🎯
Create Project:
- Login to Harbor web UI
- Click "New Project"
- Configure:
  - Project Name: myapp
  - Access Level: Public/Private
  - Storage Quota: -1 (unlimited)
  - Vulnerability Scanning: ✓ Automatically scan
  - Vulnerability Severity: Block images with High severity
- Click OK
Configure Docker Client:
```bash
# For HTTP (insecure registry)
# Edit Docker daemon config
sudo vi /etc/docker/daemon.json

# Add your Harbor server
{
  "insecure-registries": ["your-server-ip"]
}

# Restart Docker
sudo systemctl restart docker

# Login to Harbor
docker login your-server-ip
# Username: admin
# Password: Harbor12345!
```
Push Your First Image:
```bash
# Pull a test image
docker pull nginx:latest

# Tag for Harbor
docker tag nginx:latest your-server-ip/myapp/nginx:latest

# Push to Harbor
docker push your-server-ip/myapp/nginx:latest

# View in Harbor UI
# Projects → myapp → Repositories → nginx
# Click on tag to see scan results!
```
🌟 Step 5: Advanced Features - Enterprise Power!
Let’s explore Harbor’s enterprise features! 🎯
Enable Image Signing (Notary):
```bash
# Reinstall with Notary
# Note: Harbor v2.9 removed Notary (cosign signing replaced it), so this option is not
# available on v2.10.0; use a v2.8 or earlier release if you need Notary-based content trust.
cd /opt/harbor/harbor
sudo ./install.sh --with-trivy --with-notary

# Enable content trust (the trust server is reached over HTTPS on port 4443)
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://your-server-ip:4443

# Sign and push image
docker tag nginx:latest your-server-ip/myapp/nginx:signed
docker push your-server-ip/myapp/nginx:signed
# You'll be prompted to create signing keys (a root key and a repository key; keep backups of both)
```
Setup Replication:
- Go to Administration → Registries
- New Endpoint:
  - Provider: Docker Hub / AWS ECR / etc.
  - Name: dockerhub
  - Endpoint URL: https://hub.docker.com
  - Access ID/Secret: Your credentials
- Test Connection and OK
- Go to Replication → New Rule:
  - Name: sync-from-dockerhub
  - Replication Mode: Pull-based
  - Source Registry: dockerhub
  - Source Filter: library/alpine
  - Destination: myapp project
  - Trigger Mode: Manual/Scheduled
- Save and Replicate
Configure Webhooks:
```bash
# In project settings → Webhooks
# Add webhook for image push events; set an "Auth Header" value there and
# export the same value as HARBOR_WEBHOOK_TOKEN where the handler runs
# Example webhook handler
cat << 'EOF' > /usr/local/bin/harbor-webhook.py
#!/usr/bin/env python3
import os
from flask import Flask, request, abort

app = Flask(__name__)
# Harbor sends the configured Auth Header value verbatim in the Authorization header
EXPECTED_AUTH = os.environ.get('HARBOR_WEBHOOK_TOKEN')

@app.route('/webhook', methods=['POST'])
def handle_webhook():
    # Reject requests that do not carry the shared secret configured in Harbor
    if EXPECTED_AUTH and request.headers.get('Authorization') != EXPECTED_AUTH:
        abort(401)
    data = request.get_json(force=True)
    if data.get('type') == 'PUSH_ARTIFACT':
        repository = data['event_data']['repository']['name']
        for resource in data['event_data']['resources']:
            print(f"New image pushed: {repository}:{resource.get('tag')}")
            # Trigger deployment pipeline here
    return 'OK', 200

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)
EOF
chmod +x /usr/local/bin/harbor-webhook.py
```
🎮 Quick Examples
Example 1: Helm Chart Repository
```bash
# Enable ChartMuseum in Harbor
# Note: ChartMuseum was removed in Harbor v2.8, so --with-chartmuseum is not available on v2.10.0.
# On current releases, store charts as OCI artifacts instead:
#   helm registry login your-server-ip
#   helm push mychart-0.1.0.tgz oci://your-server-ip/myapp
cd /opt/harbor/harbor
sudo ./install.sh --with-trivy --with-chartmuseum

# Install Helm
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

# Add Harbor as Helm repository
helm repo add harbor http://your-server-ip/chartrepo/myapp \
  --username admin --password Harbor12345!

# Push Helm chart
helm package mychart/
helm plugin install https://github.com/chartmuseum/helm-push
helm cm-push mychart-0.1.0.tgz harbor

# Install from Harbor
helm install myrelease harbor/mychart
```
Example 2: Robot Accounts for CI/CD
```bash
# Create robot account in Harbor UI
# Projects → myapp → Robot Accounts → New Robot Account
# Name: jenkins-ci (use the full account name exactly as the UI shows it afterwards,
#                   e.g. robot$myapp+jenkins-ci on current releases)
# Permissions: Push/Pull
# Copy token (it is shown once) into your CI system's secret store, not into the pipeline file

# Use in CI/CD pipeline: read the token from a CI secret so it never lands in argv or shell history
echo "$HARBOR_ROBOT_TOKEN" | docker login your-server-ip -u 'robot$jenkins-ci' --password-stdin
docker build -t your-server-ip/myapp/app:${BUILD_NUMBER} .
docker push your-server-ip/myapp/app:${BUILD_NUMBER}
```
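The UI steps above can be scripted when you have many pipelines. This is an added example, not Harbor's own tooling: it builds a project-scoped, expiring robot-account request for Harbor's `POST /api/v2.0/robots` endpoint and the matching `docker login` that reads the secret from stdin. The request-body field names follow Harbor's v2 API as I understand it and should be checked against the swagger of your Harbor version; the registry host, project and admin password are placeholders.

```python
#!/usr/bin/env python3
"""Create a project-scoped, expiring Harbor robot account (added example; verify body against your swagger)."""
import base64, json, os, shlex, urllib.request

def robot_request(project, name, days=30, push=True, pull=True):
    """Body for POST /api/v2.0/robots: scoped to one project and only the actions CI needs."""
    access = []
    if pull:
        access.append({"resource": "repository", "action": "pull"})
    if push:
        access.append({"resource": "repository", "action": "push"})
    return {"name": name, "description": f"CI robot for {project}", "level": "project",
            "duration": days,            # expiry in days; -1 means never, which is a bad fit for CI
            "disable": False,
            "permissions": [{"kind": "project", "namespace": project, "access": access}]}

def docker_login_command(registry, robot_name):
    """Login line that keeps the secret out of argv and shell history (secret arrives on stdin)."""
    return f"docker login {shlex.quote(registry)} -u {shlex.quote(robot_name)} --password-stdin"

def create_robot(harbor_url, admin_user, admin_pass, body):
    """Call Harbor and return (full robot name, secret). Network call, so not exercised offline."""
    token = base64.b64encode(f"{admin_user}:{admin_pass}".encode()).decode()
    req = urllib.request.Request(f"{harbor_url}/api/v2.0/robots", data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Authorization": "Basic " + token}, method="POST")
    with urllib.request.urlopen(req) as resp:
        created = json.load(resp)
    return created["name"], created["secret"]   # name comes back as robot$<project>+<name>

if __name__ == "__main__":
    body = robot_request("myapp", "jenkins-ci")
    # HARBOR_ADMIN_PASSWORD is read from the environment so it never appears on the command line
    name, secret = create_robot("http://your-server-ip", "admin", os.environ["HARBOR_ADMIN_PASSWORD"], body)
    print("CI login command:", docker_login_command("your-server-ip", name))
    print("Store this secret in the CI secret store now; Harbor will not show it again:", secret)
```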
Example 3: Vulnerability Policies
```bash
# Create admission webhook for Kubernetes
# Note: Harbor does not ship an admission controller. The URL below must point at a webhook
# service you run yourself (one that queries Harbor's artifact API for scan results), and the
# API server must trust that service's TLS certificate (clientConfig.caBundle) for this to work.
cat << 'EOF' > harbor-admission.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: harbor-vulnerability-check
webhooks:
  - name: vulnerability.harbor.io
    clientConfig:
      url: "https://your-server-ip/admission/webhook"
    rules:
      - apiGroups: ["apps", ""]
        apiVersions: ["v1"]
        resources: ["deployments", "pods"]
        operations: ["CREATE", "UPDATE"]
    admissionReviewVersions: ["v1", "v1beta1"]
    failurePolicy: Fail
    sideEffects: None   # required for admissionregistration.k8s.io/v1
EOF
kubectl apply -f harbor-admission.yaml
# Now Kubernetes will block vulnerable images!
```
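The ValidatingWebhookConfiguration above only tells the API server where to ask; the decision itself has to be made by your webhook service. As an added example (not code from Harbor or from this guide), here is that decision logic: it pulls the container images out of an AdmissionReview for a Pod or Deployment, applies the same "Block images with High severity" rule the project was created with, fails closed on unscanned images, and returns the AdmissionReview response. The `scan_overview` shape is what I assume Harbor's artifact API returns with `with_scan_overview=true`; the sample reviews and scan results are constructed, not real output.

```python
#!/usr/bin/env python3
"""Admission decision logic backed by Harbor scan results (added example; not shipped by Harbor)."""
SEVERITY_RANK = {"None": 0, "Unknown": 1, "Negligible": 2, "Low": 3, "Medium": 4, "High": 5, "Critical": 6}
# Key under which Harbor's artifact API returns the scan overview (assumed from Harbor 2.x responses)
REPORT_MIME = "application/vnd.security.vulnerability.report; version=1.1"

def pod_images(review):
    """Container images named in an AdmissionReview request for a Pod or a Deployment."""
    spec = review["request"]["object"]["spec"]
    if "template" in spec:                       # Deployment wraps a Pod template
        spec = spec["template"]["spec"]
    return [c["image"] for c in spec.get("initContainers", []) + spec.get("containers", [])]

def evaluate_scan(scan_overview, block_at="High"):
    """(allowed, reason) for one artifact, mirroring the project setting 'Block images with High severity'."""
    report = scan_overview.get(REPORT_MIME)
    if not report or report.get("scan_status") != "Success":
        return False, "no completed Harbor scan"  # fail closed: unscanned images are rejected
    worst = report.get("severity", "Unknown")
    if SEVERITY_RANK.get(worst, 1) >= SEVERITY_RANK[block_at]:
        return False, f"worst severity {worst}: {report.get('summary', {}).get('summary', {})}"
    return True, "ok"

def review_workload(review, lookup, block_at="High"):
    """Build the AdmissionReview response. lookup(image) returns that artifact's scan_overview dict;
    in production it calls GET /api/v2.0/projects/{p}/repositories/{r}/artifacts/{ref}?with_scan_overview=true."""
    uid, allowed, message = review["request"]["uid"], True, "all images pass the Harbor vulnerability policy"
    for image in pod_images(review):
        ok, reason = evaluate_scan(lookup(image), block_at)
        if not ok:
            allowed, message = False, f"{image} rejected: {reason}"
            break
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": uid, "allowed": allowed, "status": {"message": message}}}

# Constructed sample data, not real scan output
SAMPLE_OVERVIEWS = {
    "your-server-ip/myapp/nginx:latest": {REPORT_MIME: {"scan_status": "Success", "severity": "High",
        "summary": {"total": 12, "fixable": 4, "summary": {"High": 2, "Medium": 7, "Low": 3}}}},
    "your-server-ip/myapp/app:42": {REPORT_MIME: {"scan_status": "Success", "severity": "Medium",
        "summary": {"total": 3, "fixable": 1, "summary": {"Medium": 1, "Low": 2}}}},
}
SAMPLE_REVIEW = {"request": {"uid": "1234", "object": {"kind": "Pod", "spec": {
    "containers": [{"name": "web", "image": "your-server-ip/myapp/nginx:latest"}]}}}}

if __name__ == "__main__":
    print(review_workload(SAMPLE_REVIEW, lambda img: SAMPLE_OVERVIEWS.get(img, {})))
```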
🚨 Fix Common Problems
Problem 1: Cannot Access Web UI
Symptom: Connection refused or timeout 😰
Fix:
```bash
# Check if containers are running
cd /opt/harbor/harbor
docker-compose ps

# Restart all services
docker-compose down
docker-compose up -d

# Check nginx logs (the proxy container is named "nginx", see the container list in Step 3)
docker logs nginx

# Verify ports (ss is installed by default on AlmaLinux 9; netstat needs the net-tools package)
sudo ss -tlnp | grep -E ":80|:443"

# Check firewall
sudo firewall-cmd --list-all
```
Problem 2: Push/Pull Fails
Symptom: Authentication or connection errors 🔐
Fix:
```bash
# For "unauthorized" errors
docker logout your-server-ip
docker login your-server-ip

# For certificate errors (HTTPS)
# Copy Harbor CA certificate
sudo mkdir -p /etc/docker/certs.d/your-server-ip
sudo cp /opt/harbor/harbor/ca.crt /etc/docker/certs.d/your-server-ip/

# Restart Docker
sudo systemctl restart docker

# For "insecure registry" errors
# Note: this overwrites any existing /etc/docker/daemon.json; merge by hand if you have other settings there
echo '{"insecure-registries":["your-server-ip"]}' | sudo tee /etc/docker/daemon.json
sudo systemctl restart docker
```
Problem 3: Storage Full
Symptom: Cannot push images, disk space errors 💾
Fix:
```bash
# Check disk usage
df -h /data

# Run garbage collection
# In Harbor UI: Administration → Garbage Collection → Run Now
# Or via API (the request body wraps the trigger type in a "schedule" object)
curl -X POST "http://your-server-ip/api/v2.0/system/gc/schedule" \
  -H "Content-Type: application/json" \
  -u 'admin:Harbor12345!' \
  -d '{"schedule":{"type":"Manual"}}'

# Clean up old images
# Set retention policy in project settings

# Expand storage if needed
# Move data volume to larger disk
```
📋 Simple Commands Summary
| Task | Command/Location | Purpose |
|---|---|---|
| Start Harbor | docker-compose up -d | Start all services |
| Stop Harbor | docker-compose down | Stop all services |
| View logs | docker-compose logs -f | Monitor logs |
| Login | docker login your-server-ip | Authenticate |
| Push image | docker push your-server-ip/project/image:tag | Upload image |
| Pull image | docker pull your-server-ip/project/image:tag | Download image |
| Garbage collection | Administration → GC | Clean storage |
| User management | Administration → Users | Manage users |
| View vulnerabilities | Projects → Repositories → Image | Security scan |
💡 Tips for Success
🚀 Performance Optimization
Make Harbor super fast:
```bash
# Increase workers
vi /opt/harbor/harbor/harbor.yml
# jobservice:
#   max_job_workers: 20

# Redis optimization
# redis:
#   registry_db_index: 1
#   jobservice_db_index: 2
#   chartmuseum_db_index: 3
#   trivy_db_index: 5

# PostgreSQL tuning (runs inside the database container; size the values to your RAM)
docker exec -it harbor-db psql -U postgres -c "ALTER SYSTEM SET shared_buffers = '2GB';"
docker exec -it harbor-db psql -U postgres -c "ALTER SYSTEM SET effective_cache_size = '6GB';"

# Restart Harbor (./prepare regenerates the compose files from the edited harbor.yml)
cd /opt/harbor/harbor
sudo ./prepare
docker-compose down
docker-compose up -d
```
🔒 Security Best Practices
Keep Harbor secure:
- Enable HTTPS - Use proper certificates! 🔐
- LDAP/OIDC - Integrate authentication! 👥
- Scan everything - Block vulnerable images! 🔍
- Sign images - Use Notary! ✍️
- Audit logs - Track all activities! 📝
```bash
# Setup HTTPS with Let's Encrypt
sudo dnf install -y certbot
# The standalone challenge needs port 80 free, so stop Harbor (docker-compose down) before this
# step, or use the webroot/DNS challenge instead
sudo certbot certonly --standalone -d harbor.example.com

# Update harbor.yml
# hostname: harbor.example.com
# https:
#   port: 443
#   certificate: /etc/letsencrypt/live/harbor.example.com/fullchain.pem
#   private_key: /etc/letsencrypt/live/harbor.example.com/privkey.pem

# Reconfigure Harbor
sudo ./prepare
docker-compose down
docker-compose up -d
```
📊 Monitoring and Backup
Keep Harbor healthy:
```bash
# Backup script
cat << 'EOF' > /usr/local/bin/backup-harbor.sh
#!/bin/bash
set -euo pipefail   # abort on any failure so Harbor is not left stopped by a half-finished backup
BACKUP_DIR="/backup/harbor"
DATE=$(date +%Y%m%d)
mkdir -p "$BACKUP_DIR"

# Stop Harbor so the database and registry files are consistent
cd /opt/harbor/harbor
docker-compose down

# Backup data
tar -czf "$BACKUP_DIR/harbor-data-$DATE.tar.gz" /data
tar -czf "$BACKUP_DIR/harbor-config-$DATE.tar.gz" /opt/harbor

# Start Harbor
docker-compose up -d

# Keep only last 7 backups
find "$BACKUP_DIR" -name "*.tar.gz" -mtime +7 -delete
echo "Backup completed!"
EOF
chmod +x /usr/local/bin/backup-harbor.sh
# Add to cron: 0 2 * * * /usr/local/bin/backup-harbor.sh
```
🏆 What You Learned
You’re now a Harbor expert! 🎓 You’ve successfully:
- ✅ Installed Harbor on AlmaLinux 9
- ✅ Configured projects and repositories
- ✅ Pushed and scanned images
- ✅ Enabled vulnerability scanning
- ✅ Set up replication
- ✅ Implemented image signing
- ✅ Mastered enterprise registry
Your container registry is enterprise-ready! ⚓
🎯 Why This Matters
Harbor transforms container security! With your registry, you can:
- 🔒 Secure images - Scan and sign everything!
- 🔄 Replicate globally - Multi-region support!
- 👥 Control access - Enterprise RBAC!
- 📊 Track everything - Complete audit trail!
- 💰 Save money - Enterprise features free!
You’re not just storing containers - you’re securing your entire container supply chain! Every image is scanned, every push is tracked! 🎭
Keep deploying, keep securing, and remember - with Harbor, container management is enterprise-grade! ⭐
May your images be secure and your deployments smooth! 🚀⚓🙌