神刀安全网

Docker Private Registry Using Harbor

Most companies have started using Docker extensively. Docker is a great tool for deploying your applications. Docker has a public registry called the Docker Hub to store Docker images. While Docker lets you upload your Docker creations to the Docker Hub for free, anything you upload is public. This might not be the best option for your project if you want to store private images and have better control over who can access or modify them. We had a similar need in one of our internal microservices setups, and this article talks about how we fulfilled it.

Our requirements were

  • Have a registry deployed and accessible only inside the company network
  • Have fine-grained access control measures at the project and user level
  • Integration with our LDAP server for authentication

One option we had was to run a Docker Private Registry locally, which could be set up in two ways:

  • Insecure Private Registry – This solution was of not much use, as it does not provide any security.
  • Secure Private Registry – This solution provides native authentication but does not support LDAP due to this bug.

We finally settled on the Harbor open source project which uses Nginx as a proxy server and also supports LDAP integration.

Overview

Harbor is an enterprise-class registry server, which extends the open source Docker Registry server by adding the functionality usually required by an enterprise such as security, control, and management. Project Harbor is initiated by VMware China R&D as a Cloud Application Accelerator (CAA) project.

Harbor provides the features listed below:

  • Role Based Access Control: Users and Docker repositories are organized via “projects”. A user can have different permissions for images under a project.
  • Graphical user portal: Users can easily browse and search Docker repositories and manage projects/namespaces.
  • AD/LDAP support: Harbor integrates with existing enterprise AD/LDAP for user authentication and management.
  • Auditing: All operations on the repositories are tracked.
  • Internationalization: Already localized for English, Chinese, German and Russian. More languages can be added.
  • RESTful API: RESTful APIs for most administrative operations, easing integration with external management platforms.

Installation

System Requirements: Harbor only works with docker 1.10+ and docker-compose 1.6.0+, Python 2.7 and an internet-connected host.

Installing Harbor from source code

1) Getting the source code

$ git clone https://github.com/vmware/harbor

2) Configuring Harbor

Make changes to the configuration parameters located in the file harbor.cfg.

  • hostname: The target host’s hostname, which is used to access the UI and the registry service. It should be the IP address or the fully qualified domain name (FQDN) of your target machine.
    hostname = yourregistry.domain.com

  • ui_url_protocol: (http or https) The protocol used to access the UI and the token/notification service. By default, this is http.
    ui_url_protocol = https

  • auth_mode: The type of authentication that is used. By default it is db_auth, i.e. the credentials are stored in a database. For LDAP authentication, set this to ldap_auth.
    auth_mode = ldap_auth

  • ldap_url: The LDAP endpoint URL. Only used when auth_mode is set to ldap_auth.
    ldap_url = ldaps://ldap.mydomain.com

  • ldap_basedn: The basedn template for verifying the user’s credentials against LDAP.
    ldap_basedn = uid=%s,ou=people,dc=mydomain,dc=com

3) Getting a certificate

Obtain the domain certificates for the hostname mentioned above. The certificate usually consists of a .crt file and a .key file, for example yourregistry.domain.com.crt and yourregistry.domain.com.key.

4) Configuring Nginx

  • Change the directory to Deploy/config/nginx in the Harbor project.
    cd Deploy/config/nginx

  • Create a new directory cert/, if it does not exist. Then copy yourregistry.domain.com.crt and yourregistry.domain.com.key to cert/
    cp yourregistry.domain.com.crt cert/
    cp yourregistry.domain.com.key cert/

  • Rename the existing configuration file of Nginx:
    mv nginx.conf nginx.conf.bak

  • Copy the template nginx.https.conf as the new configuration file:
    cp nginx.https.conf nginx.conf

  • Edit the file nginx.conf and replace the two occurrences of harbordomain.com with your own host name, such as youreg.yourdomain.com.
    server {
      listen 443 ssl;
      server_name harbordomain.com;
      ...
    server {
      listen 80;
      server_name harbordomain.com;
      rewrite ^/(.*) https://$server_name$1 permanent;

  • Then look for the SSL section to make sure the file names of your certificates match the names in the config file. Do not change the path of the files.
      ...
      # SSL
      ssl_certificate /etc/nginx/cert/yourdomain.com.crt;
      ssl_certificate_key /etc/nginx/cert/yourdomain.com.key;

  • Save your changes in nginx.conf.

5) Building and starting Harbor

Once harbor.cfg and the (optional) storage backend are configured, build and start Harbor as follows. Note that the docker-compose process can take a while.

$ cd Deploy
$ ./prepare
Generated configuration file: ./config/ui/env
Generated configuration file: ./config/ui/app.conf
Generated configuration file: ./config/registry/config.yml
Generated configuration file: ./config/db/env
The configuration files are ready, please use docker-compose to start the service.
$ sudo docker-compose up -d

6) After setting up Harbor, you can verify it with the following steps:

  • Open a browser and enter the address https://yourregistry.yourdomain.com. It should display the user interface of Harbor.
  • Log in to the admin portal and create a new project, e.g. myproject.
  • You can then use docker commands to log in and push images to the private registry.
    $ docker login yourregistry.yourdomain.com
    $ docker push yourregistry.yourdomain.com/myproject/myrepo
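As an added pre-flight check for the edits in steps 2 and 4 (example code written for this article, not part of Harbor), the script below parses a harbor.cfg and an nginx.conf and reports the settings a reviewer would want fixed before running ./prepare: plain http to the token service, a non-ldaps LDAP URL, a basedn template without the %s placeholder, an unreplaced server_name, and certificate file names that do not match the hostname. The harbor.cfg and nginx.conf samples are constructed from the fragments shown on this page.

```python
import re

# Constructed sample of the harbor.cfg keys this article discusses, as they
# look before editing (upstream defaults: plain http and db_auth).
SAMPLE_HARBOR_CFG = """\
hostname = reg.mydomain.com
ui_url_protocol = http
auth_mode = db_auth
ldap_url = ldaps://ldap.mydomain.com
ldap_basedn = uid=%s,ou=people,dc=mydomain,dc=com
"""

# Constructed excerpt of nginx.https.conf with the template names still in place.
SAMPLE_NGINX_CONF = """\
server {
  listen 443 ssl;
  server_name harbordomain.com;
  # SSL
  ssl_certificate /etc/nginx/cert/yourdomain.com.crt;
  ssl_certificate_key /etc/nginx/cert/yourdomain.com.key;
}
"""

def parse_cfg(text):
    """Parse harbor.cfg 'key = value' lines into a dict (blanks/comments skipped)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            cfg[key.strip()] = value.strip()
    return cfg

def check_harbor_cfg(cfg):
    """Findings a reviewer would raise on harbor.cfg before running ./prepare."""
    findings = []
    if cfg.get("ui_url_protocol") != "https":
        findings.append("ui_url_protocol: docker login would send credentials over plain http")
    if cfg.get("auth_mode") == "ldap_auth":
        if not cfg.get("ldap_url", "").startswith("ldaps://"):
            findings.append("ldap_url: LDAP bind would cross the network unencrypted")
        if "%s" not in cfg.get("ldap_basedn", ""):
            findings.append("ldap_basedn: template lacks the %s username placeholder")
    return findings

def check_nginx_conf(conf, hostname):
    """Findings for the step-4 edits: server_name replaced, cert file names match hostname."""
    findings = []
    if re.search(r"server_name\s+harbordomain\.com\s*;", conf):
        findings.append("server_name: template hostname harbordomain.com not replaced")
    for directive in ("ssl_certificate", "ssl_certificate_key"):
        m = re.search(rf"^\s*{directive}\s+/etc/nginx/cert/(\S+?)\.(crt|key)\s*;", conf, re.M)
        if not m or m.group(1) != hostname:
            findings.append(f"{directive}: file name does not match hostname {hostname}")
    return findings
```

Run check_harbor_cfg(parse_cfg(open("harbor.cfg").read())) and check_nginx_conf(open("nginx.conf").read(), hostname) against your real files; an empty list from both means the page's edits were applied consistently.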

Problems faced during the setup

One of the problems we faced after setting up Harbor was that any user whose email ID was longer than 30 characters was unable to log in to the registry, because the email column in the database schema was too small. I have fixed the issue in the GitHub Harbor project.

https://github.com/vmware/harbor/pull/197#event-659745425
