Harbor — secure shelter for your Dockers from VMWare

by Oleksandr Khomenko, March 26th, 2017

It’s been a while since my first acquaintance with Docker and Docker registries. I must say, the Docker team is doing a great job as far as features, speed and quality of the product go. The community also creates and extends the Docker platform with a wide variety of solutions.

Since the very beginning, Docker has offered DockerHub, a public registry for images, and it helped a lot with the adoption and expansion of the platform. Although DockerHub gives you access to all official images and community contributions, there is always a need to store more and more of your own images.

Of course you can use DockerHub, but you can have only one private repo; otherwise you’ll need to pay. There are also some third-party solutions like BinTray, Twistlock etc. These solutions work well if you just need to keep your private images and you don’t have a very large number of repositories (probably up to 100 repos).

But when you need to manage not only your own images but also your customers’, it may become too expensive.

Docker Registry

Now Docker Secure Registry appears on the scene. Docker Registry is a great solution with support for various storage backends (File System, AWS, Azure, Swift, Google Cloud), authorization (LDAP, Token, Basic) and much more.

Once we started adopting Docker on my current project, we deployed a simple Docker registry and were pretty happy with it.

At that time our registry wasn’t secure (we ran it on some internal host:5000, and obviously we used self-signed certificates), so we needed to configure all our Docker hosts to trust this insecure registry (the Docker team is very serious about security). From time to time we needed to clean up the hard disk because Docker registry didn’t have a routine to clean up obsolete images.

About a year ago we started exposing our images publicly, with pull-only access for some of our customers, and with that setup it worked OK. We set up a couple of users with Basic Auth and everyone was happy.

Recently we added a few features to our product which allow customers to upload images to our registry. At first it worked well because everyone used different names and there were no naming collisions (because we were building the names of the repositories for customers).

Two or three months ago we started looking for a Docker Registry solution with an Authentication Server. There are not many of them. The product we chose is called Harbor, from VMWare.

Harbor

Harbor is an open-source Token Authentication Service for Docker Registry. It allows you to create or invite users, or users can sign up on their own. Harbor implements the Token Authentication Specification.

As for permissions and ACLs, there are three abstractions: Projects, Members and Images. Each Project has Members (Admin, Developer or Guest). A Guest can only pull, a Developer can pull and push, and an Admin manages permissions, adds new users etc.
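The role model above maps onto the token flow: a client requests a scope such as `repository:acme/web:pull,push`, and the token service grants only the actions the member's role allows. The sketch below is an added example, not Harbor's code; the project `acme`, its members and the function names are constructed, and it assumes the first path component of a repository name is the project.

```python
# Added example: filtering a registry token request by project role.
# Role names and pull/push rights follow the article; everything else
# (data layout, function names, sample project) is hypothetical.

ROLE_ACTIONS = {
    "guest": {"pull"},
    "developer": {"pull", "push"},
    "admin": {"pull", "push"},  # admins also manage members, outside image scope
}

# Constructed sample membership: project -> {user: role}
MEMBERS = {"acme": {"alice": "admin", "bob": "developer", "carol": "guest"}}


def parse_scope(scope):
    """Split 'repository:acme/web:pull,push' into (type, name, actions)."""
    rtype, _, rest = scope.partition(":")
    name, _, actions = rest.rpartition(":")
    if not rtype or not name or not actions:
        raise ValueError(f"malformed scope: {scope!r}")
    return rtype, name, [a for a in actions.split(",") if a]


def granted_access(user, scopes, members=MEMBERS):
    """Build the token's access list: requested actions intersected with
    what the user's role in the project permits. Deny by default."""
    access = []
    for scope in scopes:
        try:
            rtype, name, requested = parse_scope(scope)
        except ValueError:
            continue  # malformed scope: grant nothing for it
        project = name.split("/", 1)[0]
        role = members.get(project, {}).get(user)  # None if not a member
        allowed = ROLE_ACTIONS.get(role, set()) if rtype == "repository" else set()
        access.append({
            "type": rtype,
            "name": name,
            "actions": [a for a in requested if a in allowed],
        })
    return access


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, granted_access(user, ["repository:acme/web:pull,push"]))
```

An empty `actions` list means the registry will reject the operation; a customer who is not a member of another customer's project gets no access to its repositories, which is what prevents the naming collisions and cross-tenant pushes a shared Basic Auth registry cannot.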

Deployment

The project looks to be in active development and in high demand: ~2000 stars and ~450 open issues, but still in pretty good shape. You can deploy it in two different ways: offline and online mode. You can download the tar package, copy it over to your Linux box, run the installation script and that’s it. You have your own Docker Registry. It’s not secure though. To make it secure you need to terminate SSL on your load balancer or proxy server. Or you can use Let’s Encrypt to generate a certificate for your domain if you haven’t done so yet.

Also, if you are using Kubernetes, Harbor has a separate deployment routine for it. It’s really nice, because in production we use Kubernetes for deploying our containers.

REST API

One of the features that we were looking for was a REST API. We need to programmatically manage projects and users and set permissions from our application, and this was crucial for us. Harbor has a nicely documented API in Swagger, which is another plus.

Configuration

Harbor deploys its own instance of the registry when you use the deployment script. You can configure it to be used with AWS, Azure, Google Cloud etc., or with any other configuration options available for Docker Registry. But that doesn’t mean you can’t take an already installed registry and configure it to be used as the Registry backend for the Harbor UI.

The End

If you are looking for a Docker Registry for your company or for your own project, Harbor is definitely worth checking out. It has all the necessary features and easy installation scripts, with all components bundled in. You can install it in 5 minutes and start playing with it.