You set system level parameters for Harbor in the `harbor.yml` file that is contained in the installer package. These parameters take effect when you run the `install.sh` script to install or reconfigure Harbor.
The table below lists the parameters that must be set when you deploy Harbor. By default, all of the required parameters are uncommented in the `harbor.yml` file. The optional parameters are commented with `#`. You do not necessarily need to change the values of the required parameters from the defaults that are provided, but these parameters must remain uncommented. At the very least, you must update the `hostname` parameter.
**IMPORTANT**: Harbor does not ship with any certificates. In versions up to and including 1.9.x, by default Harbor uses HTTP to serve registry requests. This is acceptable only in air-gapped test or development environments. In production environments, always use HTTPS. If you enable Content Trust with Notary to properly sign all images, you must use HTTPS.
You can use certificates that are signed by a trusted third-party CA, or you can use self-signed certificates. For information about how to create a CA, and how to use a CA to sign a server certificate and a client certificate, see [Configuring Harbor with HTTPS Access](configure-https.md).
<thscope="col">Description and Additional Parameters </th>
</tr>
<tr>
<tdvalign="top"><code>hostname</code></td>
<tdvalign="top">None</td>
<tdvalign="top">Specify the IP address or the fully qualified domain name (FQDN) of the target host on which to deploy Harbor. This is the address at which you access the Harbor Portal and the registry service. For example, <code>192.168.1.10</code> or <code>reg.yourdomain.com</code>. The registry service must be accessible to external clients, so do not specify <code>localhost</code>, <code>127.0.0.1</code>, or <code>0.0.0.0</code> as the hostname.</td>
</tr>
<tr>
<tdvalign="top"><code>http</code></td>
<tdvalign="top"> </td>
<tdvalign="top">Do not use HTTP in production environments. Using HTTP is acceptable only in air-gapped test or development environments that do not have a connection to the external internet. Using HTTP in environments that are not air-gapped exposes you to man-in-the-middle attacks.</td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>port</code></td>
<tdvalign="top">Port number for HTTP, for both Harbor portal and Docker commands. The default is 80.</td>
</tr>
<tr>
<tdvalign="top"><code>https</code></td>
<tdvalign="top"> </td>
<tdvalign="top">Use HTTPS to access the Harbor Portal and the token/notification service. Always use HTTPS in production environments and environments that are not air-gapped.
</td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>port</code></td>
<tdvalign="top">The port number for HTTPS, for both Harbor portal and Docker commands. The default is 443.</td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>certificate</code></td>
<tdvalign="top">The path to the SSL certificate.</td>
<tdvalign="top">Set an initial password for the Harbor system administrator. This password is only used on the first time that Harbor starts. On subsequent logins, this setting is ignored and the administrator's password is set in the Harbor Portal. The default username and password are <code>admin</code> and <code>Harbor12345</code>.</td>
</tr>
<tr>
<tdvalign="top"><code>database</code></td>
<tdvalign="top"> </td>
<tdvalign="top">Use a local PostgreSQL database. You can optionally configure an external database, in which case you can disable this option.</td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>password</code></td>
<tdvalign="top">Set the root password for the local database. You must change this password for production deployments.</td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>max_idle_conns</code></td>
<tdvalign="top">The maximum number of connections in the idle connection pool. If set to <=0 no idle connections are retained. The default value is 50. If it is not configured the value is 2.</td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>max_open_conns</code></td>
<tdvalign="top">The maximum number of open connections to the database. If <= 0 there is no limit on the number of open connections. The default value is 100 for the max connections to the Harbor database. If it is not configured the value is 0.</td>
</tr>
<tr>
<tdvalign="top"><code>data_volume</code></td>
<tdvalign="top">None</td>
<tdvalign="top">The location on the target host in which to store Harbor's data. This data remains unchanged even when Harbor's containers are removed and/or recreated. You can optionally configure external storage, in which case disable this option and enable <code>storage_service</code>. The default is <code>/data</code>.</td>
<tdvalign="top">Set the flag to <code>true</code> to display only fixed vulnerabilities. The default value is <code>false</code></td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>skip_update</code></td>
<tdvalign="top">You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues. If the flag is enabled you have to manually download the `trivy.db` file and mount it in the <code>/home/scanner/.cache/trivy/db/trivy.db</code> path in container. The default value is <code>false</code></td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>insecure</code></td>
<tdvalign="top">Set the flag to <code>true</code> to skip verifying registry certificate. The default value is <code>false</code></td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>github_token</code></td>
<tdvalign="top">Set the GitHub access token to download Trivy DB. Trivy DB is downloaded by Trivy from the GitHub release page. Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000 requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult https://developer.github.com/v3/#rate-limiting .You can create a GitHub token by following the instuctions in https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line</td>
<tdvalign="top">The maximum number of replication workers in the job service. For each image replication job, a worker synchronizes all tags of a repository to the remote destination. Increasing this number allows more concurrent replication jobs in the system. However, since each worker consumes a certain amount of network/CPU/IO resources, set the value of this attribute based on the hardware resource of the host. The default is 10.</td>
<tdvalign="top">Set the maximum number of retries for web hook jobs. The default is 10.</td>
</tr>
<tr>
<tdvalign="top"><code>chart</code></td>
<tdvalign="top"><code>absolute_url</code></td>
<tdvalign="top">Set to <code>enabled</code> for Chart to use an absolute URL. Set to <code>disabled</code> for Chart to use a relative URL.</td>
</tr>
<tr>
<tdvalign="top"><code>log</code></td>
<tdvalign="top"> </td>
<tdvalign="top">Configure logging. Harbor uses `rsyslog` to collect the logs for each container.</td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>level</code></td>
<tdvalign="top">Set the logging level to <code>debug</code>, <code>info</code>, <code>warning</code>, <code>error</code>, or <code>fatal</code>. The default is <code>info</code>.</td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>local</code></td>
<tdvalign="top">Set the log retention parameters:<ul>
<li><code>rotate_count</code>: Log files are rotated <code>rotate_count</code> times before being removed. If count is 0, old versions are removed rather than rotated. The default is 50.</li>
<li><code>rotate_size</code>: Log files are rotated only if they grow bigger than <code>rotate_size</code> bytes. Use <code>k</code> for kilobytes, <code>M</code> for megabytes, and <code>G</code> for gigabytes. <code>100</code>, <code>100k</code>, <code>100M</code> and <code>100G</code> are all valid values. The default is 200M.</li>
<li><code>location</code>: Set the directory in which to store the logs. The default is <code>/var/log/harbor</code>.</li>
The following table lists the additional, optional parameters that you can set to configure your Harbor deployment beyond the minimum required settings. To enable a setting, you must uncomment it in `harbor.yml` by deleting the leading `#` character.
<tablewidth="100%"border="0">
<caption>
Optional Parameters for Harbor
</caption>
<tr>
<thscope="col">Parameter</th>
<thscope="col">Sub-Parameters</th>
<thscope="col">Description and Additional Parameters </th>
</tr>
<tr>
<tdvalign="top"><code>external_url</code></td>
<tdvalign="top">None</td>
<tdvalign="top">Enable this option to use an external proxy. When enabled, the hostname is no longer used.</td>
</tr>
<tr>
<tr>
<tdvalign="top"><code>storage_service</code></td>
<tdvalign="top"> </td>
<tdvalign="top">By default, Harbor stores images and charts on your local filesystem. In a production environment, you might want to use another storage backend instead of the local filesystem. The parameters listed below are the configurations for the registry. See *Configuring Storage Backend* below for more information about how to configure a different backend.</td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>ca_bundle</code></td>
<tdvalign="top">The path to the custom root CA certificate, which is injected into the trust store of registry and chart repository containers. This is usually needed if internal storage uses a self signed certificate.</td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>filesystem</code></td>
<tdvalign="top">The default is <code>filesystem</code>, but you can set <code>azure</code>, <code>gcs</code>, <code>s3</code>, <code>swift</code> and <code>oss</code>. For information about how to configure other backends, see <ahref="#backend">Configuring a Storage Backend</a> below. Set <code>maxthreads</code> to limit the number of threads to the external provider. The default is 100.</td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>redirect</code></td>
<tdvalign="top">Set <code>disable</code> to <code>true</code> when you want to disable registry redirect</td>
<tdvalign="top">Configure external database settings, if you disable the local database option. Currently, Harbor only supports PostgreSQL database. You must create four databases for Harbor core, Clair, Notary server, and Notary signer. The tables are generated automatically when Harbor starts up.</td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>harbor</code></td>
<tdvalign="top"><p>Configure an external database for Harbor data.</p>
<ul>
<li><code>host</code>: Hostname of the Harbor database.</li>
<li><code>port</code>: Database port.</li>
<li><code>db_name</code>: Database name.</li>
<li><code>username</code>: Username to connect to the core Harbor database.</li>
<li><code>password</code>: Password for the account you set in <code>username</code>.</li>
<li><code>ssl_mode</code>: Enable SSL mode.</li>
<li><code>max_idle_conns</code>: The maximum number of connections in the idle connection pool. If <=0 no idle connections are retained. The default value is 2.</li>
<li><code>max_open_conns</code>: The maximum number of open connections to the database. If <= 0 there is no limit on the number of open connections. The default value is 0.</li>
</ul></td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>clair</code></td>
<tdvalign="top">Configure an external database for Clair.
<ul>
<li><code>host</code>: Hostname of the Clair database</li>
<li><code>port</code>: Database port.</li>
<li><code>db_name</code>: Database name.</li>
<li><code>username</code>: Username to connect to the Clair database.</li>
<li><code>password</code>: Password for the account you set in <code>username</code>.</li>
<li><code>ssl_mode</code>: Enable SSL mode.</li>
</ul></td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>notary_signer</code></td>
<tdvalign="top">Configure an external database for the Notary signer database
<ul>
<li><code>host</code>: Hostname of the Notary signer database</li>
<li><code>port</code>: Database port.</li>
<li><code>db_name</code>: Database name.</li>
<li><code>username</code>: Username to connect to the Notary signer database.</li>
<li><code>password</code>: Password for the account you set in <code>username</code>.</li>
<li><code>ssl_mode</code>: Enable SSL mode.</li>
</ul></td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>notary_server</code></td>
<tdvalign="top"><ul>
<li><code>host</code>: Hostname of the Notary server database.</li>
<li><code>port</code>: Database port.</li>
<li><code>db_name</code>: Database name.</li>
<li><code>username</code>: Username to connect to the Notary server database.</li>
<li><code>password</code>: Password for the account you set in <code>username</code>.</li>
<li><code>ssl_mode</code>: Enable SSL mode.e</li>
</ul></td>
</tr>
<tr>
<tdvalign="top"><code>external_redis</code></td>
<tdvalign="top"> </td>
<tdvalign="top">Configure an external Redis instance.</td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>host</code></td>
<tdvalign="top">Hostname of the external Redis instance.</td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>port</code></td>
<tdvalign="top">Redis instance port.</td>
</tr>
<tr>
<tdvalign="top"> </td>
<tdvalign="top"><code>password</code></td>
<tdvalign="top">Password to connect to the external Redis instance.</td>
By default Harbor uses local storage for the registry, but you can optionally configure the `storage_service` setting so that Harbor uses external storage. For information about how to configure the storage backend of a registry for different storage providers, see the [Registry Configuration Reference](https://docs.docker.com/registry/configuration/#storage) in the Docker documentation. For example, if you use Openstack Swift as your storage backend, the parameters might resemble the following: