# Harbor Installation and Configuration Guide
There are two possibilities when installing Harbor.

- **Online installer:** The online installer downloads the Harbor images from Docker Hub. For this reason, the installer is very small in size.

- **Offline installer:** Use the offline installer if the host to which you are deploying Harbor does not have a connection to the Internet. The offline installer contains pre-built images so it is larger than the online installer.

You download the installers from the **[official release](https://github.com/goharbor/harbor/releases)** page.

This guide describes how to install and configure Harbor by using either the online or offline installer. The installation processes are almost the same.

If you are upgrading from a previous version of Harbor, you might need to update the configuration file and migrate your data to fit the database schema of the later version. For information about upgrading, see the **[Harbor Upgrade and Migration Guide](migration_guide.md)**.

In addition, the Harbor community created instructions describing how to deploy Harbor on Kubernetes. If you want to deploy Harbor to Kubernetes, see [Harbor on Kubernetes](kubernetes_deployment.md).

## Harbor Components
The table below lists the components that are deployed when you deploy Harbor.

|Component|Version|
|---|---|
|Postgresql|9.6.10-1.ph2|
|Redis|4.0.10-1.ph2|
|Clair|2.0.8|
|Beego|1.9.0|
|Chartmuseum|0.9.0|
|Docker/distribution|2.7.1|
|Docker/notary|0.6.1|
|Helm|2.9.1|
|Swagger-ui|3.22.1|
## Deployment Prerequisites for the Target Host
Harbor is deployed as several Docker containers. You can therefore deploy it on any Linux distribution that supports Docker. The target host requires Docker and Docker Compose to be installed.
### Hardware
The following table lists the minimum and recommended hardware configurations for deploying Harbor.

|Resource|Minimum|Recommended|
|---|---|---|
|CPU|2 CPU|4 CPU|
|Mem|4 GB|8 GB|
|Disk|40 GB|160 GB|
### Software
The following table lists the software versions that must be installed on the target host.

|Software|Version|Description|
|---|---|---|
|Docker engine|version 17.06.0-ce+ or higher|For installation instructions, see [docker engine doc](https://docs.docker.com/engine/installation/)|
|Docker Compose|version 1.18.0 or higher|For installation instructions, see [docker compose doc](https://docs.docker.com/compose/install/)|
|Openssl|latest is preferred|Used to generate certificate and keys for Harbor|
### Network ports
Harbor requires that the following ports be open on the target host.

|Port|Protocol|Description|
|---|---|---|
|443|HTTPS|Harbor portal and core API accept HTTPS requests on this port. You can change this port in the configuration file.|
|4443|HTTPS|Connections to the Docker Content Trust service for Harbor. Only required if Notary is enabled. You can change this port in the configuration file.|
|80|HTTP|Harbor portal and core API accept HTTP requests on this port. You can change this port in the configuration file.|
## Installation Procedure
The installation procedure involves the following steps:

1. Download the installer.
2. Configure the **harbor.yml** file.
3. Run the **install.sh** script with the appropriate options to install and start Harbor.

## Download and Unpack the Installer
1. Go to the [Harbor releases page](https://github.com/goharbor/harbor/releases).
1. Download either the online or offline installer for the version you want to install.
1. Optionally download the corresponding `*.asc` file to verify that the package is genuine.

    The `*.asc` file is an OpenPGP key file. Perform the following steps to verify that the downloaded bundle is genuine.

    1. Obtain the public key for the `*.asc` file.

        <pre>gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 644FF454C0B4115C</pre>

        You should see the message ` public key "Harbor-sign (The key for signing Harbor build) <jiangd@vmware.com>" imported`
    1. Verify that the package is genuine by running one of the following commands.

        - Online installer: <pre>gpg -v --keyserver hkps://keyserver.ubuntu.com --verify harbor-online-installer-<i>version</i>.tgz.asc</pre>
        - Offline installer: <pre>gpg -v --keyserver hkps://keyserver.ubuntu.com --verify harbor-offline-installer-<i>version</i>.tgz.asc</pre>

        The `gpg` command verifies that the signature of the bundle matches that of the `*.asc` key file. You should see confirmation that the signature is correct.

        <pre>
        gpg: armor header: Version: GnuPG v1
        gpg: assuming signed data in 'harbor-offline-installer-v1.10.0-rc2.tgz'
        gpg: Signature made Fri, Dec 6, 2019 5:04:17 AM WEST
        gpg: using RSA key 644FF454C0B4115C
        gpg: using pgp trust model
        gpg: Good signature from "Harbor-sign (The key for signing Harbor build) &lt;jiangd@vmware.com&gt; [unknown]
        </pre>
1. Use `tar` to extract the installer package:

    - Online installer:<pre>tar xvf harbor-online-installer-<em>version</em>.tgz</pre>
    - Offline installer:<pre>tar xvf harbor-offline-installer-<em>version</em>.tgz</pre>

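The `Good signature` line above is written for people; an automated install should read gpg's machine-readable status output instead. The following script is an added example, not part of the Harbor project: it extracts the installer only when gpg reports a `VALIDSIG` from a key whose fingerprint ends in the key ID shown above. The function names and sample status lines are constructed, and the 40-character fingerprint in the samples is a placeholder padded out from that key ID.

```shell
#!/bin/sh
# Added example, not Harbor project code. Function names are hypothetical.

# Long key ID of the Harbor signing key, as printed in this guide.
# A 64-bit key ID is a weak pin: replace it with the full fingerprint once
# you have confirmed that fingerprint through a second channel.
HARBOR_KEYID="644FF454C0B4115C"

# check_gpg_status KEYID
# Reads `gpg --status-fd` lines on stdin. Succeeds only when a VALIDSIG line
# names a signing key whose fingerprint ends in KEYID and no line reports a
# bad, expired, revoked or unverifiable signature.
check_gpg_status() {
    want=$1
    ok=1
    while IFS=' ' read -r tag kw fpr rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)
                return 1 ;;
            VALIDSIG)
                case "$fpr" in
                    *"$want") ok=0 ;;
                    *) return 1 ;;      # valid signature, but from another key
                esac ;;
        esac
    done
    return "$ok"                        # no VALIDSIG at all also fails
}

# verify_installer TARBALL
# Expects TARBALL.asc next to TARBALL and extracts only after the check passes.
verify_installer() {
    tgz=$1
    gpg --status-fd 1 --verify "$tgz.asc" "$tgz" 2>/dev/null \
        | check_gpg_status "$HARBOR_KEYID" || {
            echo "signature check failed for $tgz; not extracting" >&2
            return 1
        }
    tar xvf "$tgz"
}

# Constructed sample: status lines for a good signature by the expected key.
# The fingerprint is a placeholder (padding + key ID), not the real one.
sample_good_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 644FF454C0B4115C Harbor-sign (The key for signing Harbor build) <jiangd@vmware.com>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAA644FF454C0B4115C 2019-12-06 1575608657 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAA644FF454C0B4115C
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed sample: a cryptographically valid signature made by some other
# key that happens to be in the local keyring.
sample_other_key_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Someone Else <someone@example.com>
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBB1111111111111111 2019-12-06 1575608657 0 4 0 1 8 00 BBBBBBBBBBBBBBBBBBBBBBBB1111111111111111
EOF
}

# Constructed sample: the tarball does not match the signature.
sample_bad_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 644FF454C0B4115C Harbor-sign (The key for signing Harbor build) <jiangd@vmware.com>
EOF
}

# Run against a real download when a tarball path is given.
if [ "$#" -gt 0 ]; then
    verify_installer "$1"
fi
```

The second sample is the case the human-readable output hides most easily: gpg prints `Good signature` for any key in the keyring, so the check has to compare the signing key as well.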
## Configure Harbor
You set system-level parameters for Harbor in the `harbor.yml` file that is contained in the installer package. These parameters take effect when you run the `install.sh` script to install or reconfigure Harbor.

After the initial deployment and after you have started Harbor, you perform additional configuration in the Harbor Web Portal.

### Required Parameters
The table below lists the parameters that must be set when you deploy Harbor. By default, all of the required parameters are uncommented in the `harbor.yml` file. The optional parameters are commented with `#`. You do not necessarily need to change the values of the required parameters from the defaults that are provided, but these parameters must remain uncommented. At the very least, you must update the `hostname` parameter.

**IMPORTANT**: Harbor does not ship with any certificates. In versions up to and including 1.9.x, by default Harbor uses HTTP to serve registry requests. This is acceptable only in air-gapped test or development environments. In production environments, always use HTTPS. If you enable Content Trust with Notary to properly sign all images, you must use HTTPS.

You can use certificates that are signed by a trusted third-party CA, or you can use self-signed certificates. For information about how to create a CA, and how to use a CA to sign a server certificate and a client certificate, see **[Configuring Harbor with HTTPS Access](configure_https.md)**.

<table width="100%" border="0">
<caption>
Required Parameters for Harbor Deployment
</caption>
<tr>
<th scope="col">Parameter</th>
<th scope="col">Sub-parameters</th>
<th scope="col">Description and Additional Parameters </th>
</tr>
<tr>
<td valign="top"><code>hostname</code></td>
<td valign="top">None</td>
<td valign="top">Specify the IP address or the fully qualified domain name (FQDN) of the target host on which to deploy Harbor. This is the address at which you access the Harbor Portal and the registry service. For example, <code>192.168.1.10</code> or <code>reg.yourdomain.com</code>. The registry service must be accessible to external clients, so do not specify <code>localhost</code>, <code>127.0.0.1</code>, or <code>0.0.0.0</code> as the hostname.</td>
</tr>
<tr>
<td valign="top"><code>https</code></td>
<td valign="top">&nbsp;</td>
<td valign="top"><p>Use HTTPS to access the Harbor Portal and the token/notification service. Always use HTTPS in production environments and environments that are not air-gapped.</p>
</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>port</code></td>
<td valign="top">The port number for HTTPS. The default is 443.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>certificate</code></td>
<td valign="top">The path to the SSL certificate.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>private_key</code></td>
<td valign="top">The path to the SSL key.</td>
</tr>
<tr>
<td valign="top"><code>harbor_admin_password</code></td>
<td valign="top">None</td>
<td valign="top">Set an initial password for the Harbor system administrator. This password is only used on the first time that Harbor starts. On subsequent logins, this setting is ignored and the administrator's password is set in the Harbor Portal. The default username and password are <code>admin</code> and <code>Harbor12345</code>.</td>
</tr>
<tr>
<td valign="top"><code>database</code></td>
<td valign="top">&nbsp;</td>
<td valign="top">Use a local PostgreSQL database. You can optionally configure an external database, in which case you can disable this option.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>password</code></td>
<td valign="top">Set the root password for the local database. You must change this password for production deployments.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>max_idle_conns</code></td>
<td valign="top">The maximum number of connections in the idle connection pool. If set to &lt;=0 no idle connections are retained. The default value is 50. If it is not configured the value is 2.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>max_open_conns</code></td>
<td valign="top">The maximum number of open connections to the database. If &lt;= 0 there is no limit on the number of open connections. The default value is 100 for the max connections to the Harbor database. If it is not configured the value is 0.</td>
</tr>
<tr>
<td valign="top"><code>data_volume</code></td>
<td valign="top">None</td>
<td valign="top">The location on the target host in which to store Harbor's data. You can optionally configure external storage, in which case disable this option and enable <code>storage_service</code>. The default is <code>/data</code>.</td>
</tr>
<tr>
<td valign="top"><code>clair</code></td>
<td valign="top"><code>updaters_interval</code></td>
<td valign="top">Set an interval for Clair updates, in hours. Set to 0 to disable the updates. The default is 12 hours.</td>
</tr>
<tr>
<td valign="top"><code>jobservice</code></td>
<td valign="top"><code>max_job_workers</code></td>
<td valign="top">The maximum number of replication workers in the job service. For each image replication job, a worker synchronizes all tags of a repository to the remote destination. Increasing this number allows more concurrent replication jobs in the system. However, since each worker consumes a certain amount of network/CPU/IO resources, set the value of this attribute based on the hardware resource of the host. The default is 10.</td>
</tr>
<tr>
<td valign="top"><code>notification</code></td>
<td valign="top"><code>webhook_job_max_retry</code></td>
<td valign="top">Set the maximum number of retries for web hook jobs. The default is 10.</td>
</tr>
<tr>
<td valign="top"><code>chart</code></td>
<td valign="top"><code>absolute_url</code></td>
<td valign="top">Set to <code>enabled</code> for Chart to use an absolute URL. Set to <code>disabled</code> for Chart to use a relative URL.</td>
</tr>
<tr>
<td valign="top"><code>log</code></td>
<td valign="top">&nbsp;</td>
<td valign="top">Configure logging.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>level</code></td>
<td valign="top">Set the logging level to <code>debug</code>, <code>info</code>, <code>warning</code>, <code>error</code>, or <code>fatal</code>. The default is <code>info</code>.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>local</code></td>
<td valign="top">Set the log retention parameters:<ul>
<li><code>rotate_count</code>: Log files are rotated <code>rotate_count</code> times before being removed. If count is 0, old versions are removed rather than rotated. The default is 50.</li>
<li><code>rotate_size</code>: Log files are rotated only if they grow bigger than <code>rotate_size</code> bytes. Use <code>k</code> for kilobytes, <code>M</code> for megabytes, and <code>G</code> for gigabytes. <code>100</code>, <code>100k</code>, <code>100M</code> and <code>100G</code> are all valid values. The default is 200M.</li>
<li><code>location</code>: Set the directory in which to store the logs. The default is <code>/var/log/harbor</code>.</li>
</ul></td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>external_endpoint</code></td>
<td valign="top">Enable this option to forward logs to a syslog server.
<ul>
<li><code>protocol</code>: Transport protocol for the syslog server. Default is TCP.</li>
<li><code>host</code>: The URL of the syslog server.</li>
<li><code>port</code>: The port on which the syslog server listens.</li>
</ul> </td>
</tr>
<tr>
<td valign="top"><code>proxy</code></td>
<td valign="top">&nbsp;</td>
<td valign="top">Configure proxies to be used by Clair, the replication jobservice, and Harbor. Leave blank if no proxies are required.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>http_proxy</code></td>
<td valign="top">Configure an HTTP proxy, for example, <code>http://my.proxy.com:3128</code>.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>https_proxy</code></td>
<td valign="top">Configure an HTTPS proxy, for example, <code>http://my.proxy.com:3128</code>.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>no_proxy</code></td>
<td valign="top">Configure when not to use a proxy, for example, <code>127.0.0.1,localhost,core,registry</code>.</td>
</tr>
</table>

### Optional parameters

The following table lists the additional, optional parameters that you can set to configure your Harbor deployment beyond the minimum required settings. To enable a setting, you must uncomment it in `harbor.yml` by deleting the leading `#` character.

<table width="100%" border="0">
<caption>
Optional Parameters for Harbor
</caption>
<tr>
<th scope="col">Parameter</th>
<th scope="col">Sub-Parameters</th>
<th scope="col">Description and Additional Parameters </th>
</tr>
<tr>
<td valign="top"><code>http</code></td>
<td valign="top">&nbsp;</td>
<td valign="top">Do not use HTTP in production environments. Using HTTP is acceptable only in air-gapped test or development environments that do not have a connection to the external internet. Using HTTP in environments that are not air-gapped exposes you to man-in-the-middle attacks.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>port</code></td>
<td valign="top">Port number for HTTP</td>
</tr>
<tr>
<td valign="top"><code>external_url</code></td>
<td valign="top">None</td>
<td valign="top">Enable this option to use an external proxy. When enabled, the hostname is no longer used.</td>
</tr>
<tr>
<td valign="top"><code>storage_service</code></td>
<td valign="top">&nbsp;</td>
<td valign="top">By default, Harbor stores images and charts on your local filesystem. In a production environment, you might want to use another storage backend instead of the local filesystem. The parameters listed below are the configurations for the registry. See <em>Configuring a Storage Backend</em> below for more information about how to configure a different backend.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>ca_bundle</code></td>
<td valign="top">The path to the custom root CA certificate, which is injected into the trust store of registry and chart repository containers. This is usually needed if internal storage uses a self-signed certificate.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>filesystem</code></td>
<td valign="top">The default is <code>filesystem</code>, but you can set <code>azure</code>, <code>gcs</code>, <code>s3</code>, <code>swift</code> and <code>oss</code>. For information about how to configure other backends, see <a href="#backend">Configuring a Storage Backend</a> below. Set <code>maxthreads</code> to limit the number of threads to the external provider. The default is 100.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>redirect</code></td>
<td valign="top">Set <code>disable</code> to <code>true</code> when you want to disable registry redirect.</td>
</tr>
<tr>
<td valign="top"><code>external_database</code></td>
<td valign="top">&nbsp;</td>
<td valign="top">Configure external database settings, if you disable the local database option. Harbor currently only supports PostgreSQL.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>harbor</code></td>
<td valign="top"><p>Configure an external database for Harbor data.</p>
<ul>
<li><code>host</code>: Hostname of the Harbor database.</li>
<li><code>port</code>: Database port.</li>
<li><code>db_name</code>: Database name.</li>
<li><code>username</code>: Username to connect to the core Harbor database.</li>
<li><code>password</code>: Password for the account you set in <code>username</code>.</li>
<li><code>ssl_mode</code>: Enable SSL mode.</li>
<li><code>max_idle_conns</code>: The maximum number of connections in the idle connection pool. If &lt;=0 no idle connections are retained. The default value is 2.</li>
<li><code>max_open_conns</code>: The maximum number of open connections to the database. If &lt;= 0 there is no limit on the number of open connections. The default value is 0.</li>
</ul> </td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>clair</code></td>
<td valign="top">Configure an external database for Clair.
<ul>
<li><code>host</code>: Hostname of the Clair database.</li>
<li><code>port</code>: Database port.</li>
<li><code>db_name</code>: Database name.</li>
<li><code>username</code>: Username to connect to the Clair database.</li>
<li><code>password</code>: Password for the account you set in <code>username</code>.</li>
<li><code>ssl_mode</code>: Enable SSL mode.</li>
</ul> </td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>notary_signer</code></td>
<td valign="top">Configure an external database for the Notary signer database.
<ul>
<li><code>host</code>: Hostname of the Notary signer database.</li>
<li><code>port</code>: Database port.</li>
<li><code>db_name</code>: Database name.</li>
<li><code>username</code>: Username to connect to the Notary signer database.</li>
<li><code>password</code>: Password for the account you set in <code>username</code>.</li>
<li><code>ssl_mode</code>: Enable SSL mode.</li>
</ul> </td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>notary_server</code></td>
<td valign="top">Configure an external database for the Notary server database.
<ul>
<li><code>host</code>: Hostname of the Notary server database.</li>
<li><code>port</code>: Database port.</li>
<li><code>db_name</code>: Database name.</li>
<li><code>username</code>: Username to connect to the Notary server database.</li>
<li><code>password</code>: Password for the account you set in <code>username</code>.</li>
<li><code>ssl_mode</code>: Enable SSL mode.</li>
</ul> </td>
</tr>
<tr>
<td valign="top"><code>external_redis</code></td>
<td valign="top">&nbsp;</td>
<td valign="top">Configure an external Redis instance.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>host</code></td>
<td valign="top">Hostname of the external Redis instance.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>port</code></td>
<td valign="top">Redis instance port.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>password</code></td>
<td valign="top">Password to connect to the external Redis instance.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>registry_db_index</code></td>
<td valign="top">Database index for Harbor registry.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>jobservice_db_index</code></td>
<td valign="top">Database index for jobservice.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>chartmuseum_db_index</code></td>
<td valign="top">Database index for Chart museum.</td>
</tr>
</table>

**NOTE**: The `harbor.yml` file includes options to configure a UAA CA certificate. This authentication mode is not recommended and is not documented.
<a id="backend"></a>
### Configuring a Storage Backend
By default, Harbor uses local storage for the registry, but you can optionally configure the `storage_service` setting so that Harbor uses external storage. For information about how to configure the storage backend of a registry for different storage providers, see the [Registry Configuration Reference](https://docs.docker.com/registry/configuration/#storage) in the Docker documentation. For example, if you use OpenStack Swift as your storage backend, the parameters might resemble the following:
``` yaml
storage_service:
  ca_bundle:
  swift:
    username: admin
    password: ADMIN_PASS
    authurl: http://keystone_addr:35357/v3/auth
    tenant: admin
    domain: default
    region: regionOne
    container: docker_images
  redirect:
    disable: false
```
## Installing and starting Harbor
Once you have configured **harbor.yml** and optionally set up a storage backend, you install and start Harbor by using the `install.sh` script. Note that it might take some time for the online installer to download all of the Harbor images from Docker Hub.
You can install Harbor in different configurations:
- Just Harbor, without Notary, Clair, or Chart Repository Service
- Harbor with Notary
- Harbor with Clair
- Harbor with Chart Repository Service
- Harbor with two or all three of Notary, Clair, and Chart Repository Service
### Default installation without Notary, Clair, or Chart Repository Service
The default Harbor installation does not include Notary or Clair service.
``` sh
$ sudo ./install.sh
```
If the installation succeeds, you can open a browser to visit the Harbor Portal at `http://reg.yourdomain.com`, changing `reg.yourdomain.com` to the hostname that you configured in `harbor.yml`. If you did not change them, the default administrator username and password are `admin` and `Harbor12345`.
Log in to the admin portal and create a new project, for example, `myproject`. You can then use docker commands to log in and push images to Harbor. By default, the registry server listens on port 80:
```sh
$ docker login reg.yourdomain.com
$ docker push reg.yourdomain.com/myproject/myrepo:mytag
```
### Installation with Notary
To install Harbor with the Notary service, add the `--with-notary` parameter when you run `install.sh`:
```sh
$ sudo ./install.sh --with-notary
```
**Note**: For installation with Notary, you must use Harbor with HTTPS.
For more information about Notary and Docker Content Trust, see [Content Trust](https://docs.docker.com/engine/security/trust/content_trust/) in the Docker documentation.
### Installation with Clair
To install Harbor with Clair service, add the `--with-clair` parameter when you run `install.sh`:
```sh
$ sudo ./install.sh --with-clair
```
For more information about Clair, see the [Clair documentation](https://coreos.com/clair/docs/2.0.1/).
### Installation with Chart Repository Service
To install Harbor with chart repository service, add the `--with-chartmuseum` parameter when you run `install.sh`:
```sh
$ sudo ./install.sh --with-chartmuseum
```
### Installation with Notary, Clair, and Chart Repository Service
If you want to install all three of Notary, Clair and chart repository service, you must specify all of the parameters in the same command:
```sh
$ sudo ./install.sh --with-notary --with-clair --with-chartmuseum
```
<a id="connect_http"></a>
## Connecting to Harbor via HTTP
**IMPORTANT:** If your installation of Harbor uses HTTP rather than HTTPS, you must add the option `--insecure-registry` to your client's Docker daemon. By default, the daemon file is located at `/etc/docker/daemon.json`.
For example, add the following to your `daemon.json` file:
<pre>
{
"insecure-registries" : ["<i>myregistrydomain.com</i>:5000", "0.0.0.0"]
}
</pre>
After you update `daemon.json`, you must restart both Docker Engine and Harbor.
1. Restart Docker Engine.

    `systemctl restart docker`
1. Stop Harbor.

    `docker-compose down -v`
1. Restart Harbor.

    `docker-compose up -d`
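
An added example, not part of the Harbor documentation: a Python audit of a client's `daemon.json` that lists the `insecure-registries` entries needing review, since every host matched by an entry is reached over plain HTTP or without certificate verification. The sample content, the `10.0.0.0/8` entry, and the `APPROVED` allow-list are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample: the daemon.json shown above plus one CIDR entry
# added for illustration.
SAMPLE_DAEMON_JSON = """
{
  "insecure-registries": ["myregistrydomain.com:5000", "0.0.0.0", "10.0.0.0/8"]
}
"""

# Hypothetical allow-list of registries that are knowingly served over HTTP.
APPROVED = {"myregistrydomain.com:5000"}


def audit_insecure_registries(daemon_json_text, approved):
    """Return (entry, finding) pairs for entries that need review."""
    entries = json.loads(daemon_json_text).get("insecure-registries", [])
    findings = []
    for entry in entries:
        # The daemon accepts CIDR notation; a range trusts every host in it.
        if "/" in entry:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((entry, "unparseable CIDR range"))
            else:
                findings.append(
                    (entry, f"CIDR range covering {net.num_addresses} addresses"))
            continue
        # Strip an optional :port (handles IPv4 literals and hostnames).
        host = entry.rsplit(":", 1)[0] if entry.count(":") == 1 else entry
        try:
            if ipaddress.ip_address(host).is_unspecified:
                findings.append(
                    (entry, "unspecified address, not a named registry host"))
                continue
        except ValueError:
            pass  # a hostname, not an IP literal
        if entry not in approved:
            findings.append((entry, "not in the approved list"))
    return findings


if __name__ == "__main__":
    for entry, finding in audit_insecure_registries(SAMPLE_DAEMON_JSON, APPROVED):
        print(f"{entry}: {finding}")
```

Point the function at the contents of `/etc/docker/daemon.json` on each client to see which hosts have opted out of TLS for registry traffic.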
## Using Harbor
For information on how to use Harbor, see the **[Harbor User Guide](user_guide.md)**.
## Managing Harbor Lifecycle
You can use `docker-compose` to manage the lifecycle of Harbor. Some useful commands are listed below. You must run the commands in the same directory as `docker-compose.yml`.
### Stop Harbor:
``` sh
$ sudo docker-compose stop
Stopping nginx ... done
Stopping harbor-portal ... done
Stopping harbor-jobservice ... done
Stopping harbor-core ... done
Stopping registry ... done
Stopping redis ... done
Stopping registryctl ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
```
### Restart Harbor after Stopping:
``` sh
$ sudo docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting core ... done
Starting portal ... done
Starting redis ... done
Starting jobservice ... done
Starting proxy ... done
```
### Reconfigure Harbor
To reconfigure Harbor, stop the existing Harbor instance and update `harbor.yml`. Then run the `prepare` script to populate the configuration. Finally, re-create and start the Harbor instance.
``` sh
$ sudo docker-compose down -v
$ vim harbor.yml
$ sudo ./prepare
$ sudo docker-compose up -d
```
### Other Commands
Remove Harbor's containers while keeping the image data and Harbor's database files on the file system:
``` sh
$ sudo docker-compose down -v
```
Remove Harbor's database and image data for a clean re-installation:
``` sh
$ rm -r /data/database
$ rm -r /data/registry
```
### Managing the Harbor Lifecycle with Notary, Clair and Chart Repository Service
If you want to install Notary, Clair and chart repository service together, you should include all the components in the prepare commands:
``` sh
$ sudo docker-compose down -v
$ vim harbor.yml
$ sudo ./prepare --with-notary --with-clair --with-chartmuseum
$ sudo docker-compose up -d
```
Please check the [Docker Compose command-line reference](https://docs.docker.com/compose/reference/) for more on docker-compose.
## Persistent Data and Log Files
By default, registry data is persisted in the host's `/data/` directory. This data remains unchanged even when Harbor's containers are removed and/or recreated. You can edit the `data_volume` setting in the `harbor.yml` file to change this directory.
In addition, Harbor uses `rsyslog` to collect the logs for each container. By default, these log files are stored in the directory `/var/log/harbor/` on the target host. You can change the log directory in `harbor.yml`.
## Configuring Harbor to Listen on a Customized Port
By default, Harbor listens on port 443 (HTTPS) and port 80 (HTTP, if configured) for both the Harbor portal and Docker commands. You can reconfigure the default ports in `harbor.yml`.
## Configure Harbor with an External Database
Currently, Harbor only supports PostgreSQL databases. To use an external database, uncomment the `external_database` section in `harbor.yml` and fill in the necessary information. You must create four databases, for Harbor core, Clair, Notary server, and Notary signer. The tables are generated automatically when Harbor starts up.
## Manage User Settings
User settings are handled separately from system settings. All user settings are configured in the Harbor portal or by HTTP requests at the command line. For information about using HTTP requests to configure user settings, see [Configure User Settings at the Command Line](configure_user_settings.md).
## Performance Tuning
By default, Harbor limits the CPU usage of the Clair container to 150000 to avoid it using up all CPU resources. This is defined in the `docker-compose.clair.yml` file. You can modify this file based on your hardware configuration.
## Troubleshooting
### Harbor Doesn't Start or Functions Incorrectly
When Harbor does not function correctly, run the following command to find out whether all of Harbor's containers are in the **UP** status:
```
$ sudo docker-compose ps
Name                Command                          State   Ports
-----------------------------------------------------------------------------------------------------------------------------
harbor-core         /harbor/start.sh                 Up
harbor-db           /entrypoint.sh postgres          Up      5432/tcp
harbor-jobservice   /harbor/start.sh                 Up
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up      127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up      80/tcp
nginx               nginx -g daemon off;             Up      0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis               docker-entrypoint.sh redis ...   Up      6379/tcp
registry            /entrypoint.sh /etc/regist ...   Up      5000/tcp
registryctl         /harbor/start.sh                 Up
```
If a container is not in the `Up` state, check the log file for that container in `/var/log/harbor`. For example, if the `harbor-core` container is not running, look at the `core.log` log file.
### Using nginx or Load Balancing
When setting up Harbor behind an `nginx` proxy or elastic load balancing, look for the following line in `common/config/nginx/nginx.conf` and, if the proxy already has similar settings, remove it from the sections `location /`, `location /v2/` and `location /service/`.
``` sh
proxy_set_header X-Forwarded-Proto $scheme;
```
Then re-deploy Harbor per the instructions in "Managing Harbor Lifecycle".