How to Install Secure Private Docker Registry - Harbor, and Use It

When dealing with Docker, sooner or later we have to find a way to store images and share them between machines. The default solution is Docker Hub, but it can get quite expensive, and we don’t have enough control over it.

As an alternative, we can use Harbor, a free, enterprise-class Docker registry. After installing it on our server, we can store as many Docker images as we want (and as disk space allows).

We can install it with HTTPS so there will be no need to add the --insecure-registry flag to Docker. It will save us a lot of time in the future.


Installation

I prefer installing it on a separate, clean server.
We are going to run all commands as root.

0 . Prerequisites
Before we start, we need to have installed:

  • Python 2.7+ (apt-get install python on Ubuntu)
  • Docker engine 1.10+ (guide)
  • Docker Compose 1.6.0+ (guide)

1 . Download the online installer. Get the newest version from the Harbor releases page, e.g.

wget https://github.com/vmware/harbor/releases/download/v1.1.2/harbor-online-installer-v1.1.2.tgz

2 . Extract it

tar -xf harbor-online-installer-v1.1.2.tgz

3 . Generate your own SSL certificate (replace reg.example.com with your host’s FQDN).

mkdir cert
cd cert
openssl req -sha256 -x509 -days 365 -nodes -newkey rsa:4096 -keyout reg.example.com.key -out reg.example.com.crt

At the prompts we can accept the default options except for Common Name; don’t forget to enter your host’s FQDN there:

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg city) []:
Organization Name (e.g, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:reg.example.com
Email Address []:

3 . Change directory and edit harbor.cfg file

# the archive was extracted next to cert/, so go up one level first
cd ../harbor
vim harbor.cfg

Change hostname to the host’s IP (not localhost) or FQDN and enable HTTPS:

hostname = reg.example.com
ui_url_protocol = https

Set certificate path.

ssl_cert = /root/cert/reg.example.com.crt
ssl_cert_key = /root/cert/reg.example.com.key

4 . Install Harbor

./install.sh

5 . Run it in background.

docker-compose up -d

Web UI

After going to our FQDN in the browser, we can see the working application.

[Screenshot: Harbor dashboard]

The default password for admin is Harbor12345.
Don’t forget to change it in Account Settings.

[Screenshot: Account Settings option]

Host configuration

On every machine where we want to connect to the server we need to do the following:

1 . On the server, copy the certificate content

cat cert/reg.example.com.crt

2 . Paste it to the host in the following file:

mkdir -p /etc/docker/certs.d/reg.example.com
vim /etc/docker/certs.d/reg.example.com/ca.crt

3 . Link the file into the system certificates.
On Ubuntu:

# the link name must end in .crt, otherwise update-ca-certificates ignores it
ln -s /etc/docker/certs.d/reg.example.com/ca.crt /usr/local/share/ca-certificates/reg.example.com.crt
update-ca-certificates

On CentOS:

ln -s /etc/docker/certs.d/reg.example.com/ca.crt /etc/pki/ca-trust/source/anchors/reg.example.com.crt
update-ca-trust

Usage

Now we can log in to the registry:

docker login reg.example.com

Use the same password as for the web UI.

In the Harbor Projects tab, create a new project.

[Screenshot: new project form]

Tagging

To push the image to the project, we first have to tag it using the following schema:

host/project/image:tag

To achieve this, we can tag an existing image:

docker tag myimage reg.example.com/myproject/myimage:mytag

Or specify the tag during build using the -t flag:

docker build -t reg.example.com/myproject/myimage:mytag .

If we’re using Docker Compose, we can also specify the name in the docker-compose.yml file:

myimage:
  build: .
  image: reg.example.com/myproject/myimage:mytag

Pushing an image

docker push reg.example.com/myproject/myimage:mytag
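
A pre-push check for the host/project/image:tag schema, added here as an example (it is not part of the original post or of Harbor). It resolves which registry Docker would contact for a reference, using Docker's rule that the first path component is a registry host only if it contains a dot or colon or is localhost, and refuses anything that would not land in our private registry. The function names and the REGISTRY variable are made up for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): pre-push guard for the
# host/project/image:tag schema. Function names and REGISTRY are hypothetical.
REGISTRY="${REGISTRY:-reg.example.com}"   # the tutorial's placeholder host

# ref_registry REF: print the registry Docker would contact for REF.
# The first path component is a host only if it has a '.' or ':' or is
# "localhost"; otherwise the reference resolves to Docker Hub (docker.io).
ref_registry() {
    case "$1" in
        */*) ;;
        *) echo docker.io; return 0 ;;
    esac
    case "${1%%/*}" in
        *.*|*:*|localhost) echo "${1%%/*}" ;;
        *) echo docker.io ;;
    esac
}

# check_ref WANT_HOST REF: succeed only for WANT_HOST/project/image:tag.
# Returns 1 = wrong registry, 2 = no project, 3 = no explicit tag or digest.
check_ref() {
    _got=$(ref_registry "$2")
    if [ "$_got" != "$1" ]; then
        echo "refusing $2: resolves to $_got, not $1" >&2
        return 1
    fi
    _rest="${2#*/}"                      # project/image:tag
    case "$_rest" in
        ?*/?*) ;;
        *) echo "refusing $2: missing project component" >&2; return 2 ;;
    esac
    case "${_rest##*/}" in               # image:tag or image@digest
        ?*:?*|?*@?*) return 0 ;;
        *) echo "refusing $2: no explicit tag" >&2; return 3 ;;
    esac
}

# safe_push REF: push only references that pass the check.
safe_push() {
    check_ref "$REGISTRY" "$1" && docker push "$1"
}
```

After sourcing the file, safe_push reg.example.com/myproject/myimage:mytag goes through, while a bare myimage or myproject/myimage:mytag is rejected because Docker would send it to Docker Hub.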

Conclusion

Harbor is really powerful and easy to use and manage.
Its upkeep can be dirt cheap if we’re using a server which we’re paying for only when it’s running, especially compared to Docker Hub with $7 for only 5 private repositories.