If you and your company are looking for an on-premises Docker image registry, you cannot go wrong with Harbor. With Harbor you not only get a solid solution for housing your images, you also gain the ability (with the addition of Clair) to scan your images for vulnerabilities. Given how more and more Docker images are being found with issues, having the ability to scan them before they are used for the deployment of containers can be a real boon to any company looking to up their container security.
The key features of Harbor include:
Let’s get Harbor up and running.
Here’s what you’ll need for a successful Harbor installation:
Before we actually install Harbor, there are a number of dependencies to take care of. Let’s get everything ready.
The first tool to install is Docker itself. Open a terminal window and issue the command:
sudo apt-get install docker.io
Once Docker is installed, you need to add your user to the docker group with the command:
sudo usermod -aG docker $USER
Log out and log back in (so the changes will take effect).
Next, we need to install the docker-compose command. As this cannot be installed via the standard repositories, it is taken care of with the following commands:
sudo curl -L https://github.com/docker/compose/releases/download/1.24.1/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
The next dependency to install is NGINX. If your instance of Ubuntu Server 18.04 already has Apache installed, it will interfere with the installation of NGINX. To get around this, stop and disable it with the following commands:
sudo systemctl stop apache2
sudo systemctl disable apache2
With Apache out of the way, install NGINX with the command:
sudo apt-get install nginx
Start and enable NGINX with the commands:
sudo systemctl start nginx
sudo systemctl enable nginx
With the dependencies taken care of, it’s time to install Harbor. Download the Harbor offline installer with the command:
wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.1.tgz
NOTE: Make sure to visit the Harbor release page to check for the latest version.
Unpack the downloaded Harbor file with the command:
tar xvzf harbor-offline-installer-v1.8.1.tgz
The above command will create a new directory, named harbor. Change into that directory with the command:
cd harbor
Harbor cannot function properly without SSL. Because of this, you need to add SSL keys. If this is a production environment, you should purchase keys from a reputable CA. Since this is a test case, we’ll create self-signed keys.
NOTE: I’ll be demonstrating with the IP address 192.168.1.203. Make sure to substitute the IP address of your Harbor server in the commands and configurations below.
Since we are going the self-signed route, we need to modify the /etc/ssl/openssl.cnf file. Open that file for editing with the command:
sudo nano /etc/ssl/openssl.cnf
Locate the [v3_ca] section in that file and add the following line (Figure A):
subjectAltName = IP:192.168.1.203
Generate the self-signed certificates with the command:
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Make sure to answer the questions (using the IP address or domain of your Harbor server for the Common Name). Next, generate the signing request with the command:
openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.1.203.key -out 192.168.1.203.csr
Again, answer the necessary questions.
Create a configuration file for the Subject Alternative Name with the command:
nano extfile.cnf
In that file, paste the following:
subjectAltName = IP:192.168.1.203
Save and close the file.
Generate the certificate with the command:
openssl x509 -req -days 3650 -in 192.168.1.203.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 192.168.1.203.crt
With the key generation complete, we need to copy the newly-generated certificates into the proper directory. First, create the directory with the command:
sudo mkdir -p /etc/docker/certs.d/192.168.1.203
Now copy the keys with the command:
sudo cp *.crt *.key /etc/docker/certs.d/192.168.1.203
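The certificate steps above can be run without prompts and the result checked before Harbor is pointed at the files. The following is an added example, not part of the original article: make_pki and check_cert are hypothetical helper names, and the subject names, 2048-bit keys and 30-day lifetime are assumptions chosen to keep the demo fast.

```shell
#!/bin/sh
# Added example, not from the article. make_pki and check_cert are constructed
# names; the -subj values, rsa:2048 and 30-day lifetime are demo assumptions
# (the article uses rsa:4096 and 3650 days).

# make_pki DIR IP: the article's CA -> CSR -> signed certificate steps,
# run without prompts; /etc/ssl/openssl.cnf is not modified.
make_pki() {
    dir=$1; ip=$2
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$dir/ca.key" \
        -x509 -days 30 -subj "/CN=Demo Harbor CA" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$dir/$ip.key" \
        -subj "/CN=$ip" -out "$dir/$ip.csr" 2>/dev/null
    echo "subjectAltName = IP:$ip" > "$dir/extfile.cnf"
    openssl x509 -req -days 30 -in "$dir/$ip.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/extfile.cnf" \
        -out "$dir/$ip.crt" 2>/dev/null
}

# check_cert CA CERT KEY IP: print one line per failed check, return 1 if any.
check_cert() {
    ca=$1; cert=$2; key=$3; ip=$4; bad=0
    # 1. The certificate chains to the CA that clients will trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "chain: $cert is not signed by $ca"; bad=1; }
    # 2. The address clients connect to appears in subjectAltName.
    openssl x509 -in "$cert" -noout -checkip "$ip" 2>/dev/null |
        grep -q "does match certificate" ||
        { echo "san: $ip is not in the subjectAltName of $cert"; bad=1; }
    # 3. The private key is the one the certificate was issued for.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    { [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; } ||
        { echo "key: $key does not match $cert"; bad=1; }
    return "$bad"
}

# Demo on throwaway files in a temporary directory (constructed input).
tmp=$(mktemp -d)
make_pki "$tmp" 192.168.1.203
srv="$tmp/192.168.1.203"
check_cert "$tmp/ca.crt" "$srv.crt" "$srv.key" 192.168.1.203 && echo "all checks passed"
# A different address fails the SAN check; the CA key fails the key check.
check_cert "$tmp/ca.crt" "$srv.crt" "$srv.key" 192.168.1.75 || true
check_cert "$tmp/ca.crt" "$srv.crt" "$tmp/ca.key" 192.168.1.203 || true
rm -rf "$tmp"
```

To check real files, call check_cert with the CA certificate, the certificate and key that harbor.yml references, and the address you will browse to; each output line names the check that failed.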
Before running the installation command, a few edits must be made to the harbor.yml file. Open that file for editing with the command:
nano harbor.yml
The following options must be edited:
Because we are using SSL, it is also necessary to uncomment (remove the leading # characters) the following lines:
https:
  port: 443
  certificate: /etc/ssl/certs/ca.crt
  private_key: /etc/ssl/certs/ca.key
Make sure to edit the paths of the keys to reflect:
  certificate: /etc/docker/certs.d/192.168.1.203/ca.crt
  private_key: /etc/docker/certs.d/192.168.1.203/ca.key
The SSL section should look similar to that shown in Figure B.
Save and close that file.
It’s time to install Harbor. We’ll be installing the service with Clair support (for the scanning of vulnerabilities). To do this, issue the command:
sudo ./install.sh --with-clair
The installation takes a bit of time, so be patient until the Harbor services are started (Figure C) and you are returned to your bash prompt.
The installation should complete without errors. When it does, open a browser and point it to https://SERVER_IP/harbor (where SERVER_IP is the IP address or domain of your Harbor server). You will be prompted for the admin user credentials (username is admin and password is the password you set in the harbor.yml file).
Once you’ve successfully logged in, you are ready to start using Harbor as your on-premises Docker registry.