update user guide (#1983)

* update user guide

* update user guide

* update user guide

* update user guide

* update user guide

* fix refer

* update user guide gc

* update user guide

* update user guide

* update user guide

* update user guide

docs/user_guide.md

@@ -1,5 +1,5 @@
-#User Guide
-##Overview
+# User Guide  
+## Overview  
 This guide walks you through the fundamentals of using Harbor. You'll learn how to use Harbor to:  
 
 * Manage your projects.
@@ -7,14 +7,15 @@ This guide walks you through the fundamentals of using Harbor. You'll learn how
 * Replicate projects to a remote registry.
 * Search projects and repositories.
 * Manage Harbor system if you are the system administrator:
- + Manage users.
- + Manage destinations.
- + Manage replication policies.
+  * Manage users.
+  * Manage destinations.
+  * Manage replication policies.
+  * Manage configuration.
 * Pull and push images using Docker client.
 * Delete repositories and images.
+* Content trust.  
 
-
-##Role Based Access Control
+## Role Based Access Control(RBAC)  
 
 ![rbac](img/rbac.png)
 
@@ -27,16 +28,16 @@ Harbor manages images through projects. Users can be added into one project as a
 Besides the above three roles, there are two system-wide roles:  
 
 * **SysAdmin**: "SysAdmin" has the most privileges. In addition to the privileges mentioned above, "SysAdmin" can also list all projects, set an ordinary user as administrator and delete users. The public project "library" is also owned by the administrator.  
-* **Anonymous**: When a user is not logged in, the user is considered as an "anonymous" user. An anonymous user has no access to private projects and has read-only access to public projects.  
+* **Anonymous**: When a user is not logged in, the user is considered as an "Anonymous" user. An anonymous user has no access to private projects and has read-only access to public projects.  
 
-##User account
+## User account
 Harbor supports two authentication modes:  
 
 * **Database(db_auth)**  
 
 	Users are stored in the local database.  
 	
-	A user can self register himself/herself in Harbor in this mode. To disable user self-registration, refer to the [installation guide](installation_guide_ova.md). When self-registration is disabled, the system administrator can add users in Harbor.  
+	A user can register himself/herself in Harbor in this mode. To disable user self-registration, refer to the [installation guide](installation_guide.md) for initial configuration, or disable this feature in [Administrator Options](#administrator-options). When self-registration is disabled, the system administrator can add users into Harbor.  
 	
 	When registering or adding a new user, the username and email must be unique in the Harbor system. The password must contain at least 8 characters with 1 lowercase letter, 1 uppercase letter and 1 numeric character.  
 	
@@ -51,11 +52,11 @@ Harbor supports two authentication modes:
 
 	Under this authentication mode, users whose credentials are stored in an external LDAP or AD server can log in to Harbor directly.  
 	
-	When an LDAP/AD user logs in by *username* and *password*, Harbor binds to the LDAP/AD server with the **"LDAP Search DN"** and **"LDAP Search Password"** described in [installation guide](installation_guide_ova.md). If it successes, Harbor looks up the user under the LDAP entry **"LDAP Base DN"** including substree. The attribute (such as uid, cn) specified by **"LDAP UID"** is used to match a user with the *username*. If a match is found, the user's *password* is verified by a bind request to the LDAP/AD server.  
+	When an LDAP/AD user logs in by *username* and *password*, Harbor binds to the LDAP/AD server with the **"LDAP Search DN"** and **"LDAP Search Password"** described in [installation guide](installation_guide.md). If it succeeded, Harbor looks up the user under the LDAP entry **"LDAP Base DN"** including substree. The attribute (such as uid, cn) specified by **"LDAP UID"** is used to match a user with the *username*. If a match is found, the user's *password* is verified by a bind request to the LDAP/AD server.  
 	
-	Self-registration, changing password and resetting password are not supported anymore under LDAP/AD authentication mode because the users are managed by LDAP or AD.  
+	Self-registration, changing password and resetting password are not supported under LDAP/AD authentication mode because the users are managed by LDAP or AD.  
 
-##Managing projects
+## Managing projects
 A project in Harbor contains all repositories of an application. No images can be pushed to Harbor before the project is created. RBAC is applied to a project. There are two types of projects in Harbor:  
 
 * **Public**: All users have the read privilege to a public project, it's convenient for you to share some repositories with others in this way.
@@ -73,70 +74,96 @@ All logs can be listed by clicking "Logs". You can apply a filter by username, o
 
 ![browse project](img/new_project_log.png)  
 
-##Managing members of a project 
-###Adding members
+## Managing members of a project  
+### Adding members  
 You can add members with different roles to an existing project.  
 
 ![browse project](img/new_add_member.png)
 
-###Updating and removing members
-You can update or remove a member by clicking the icon on the right.  
+### Updating and removing members
+You can update or remove a member by clicking the icon on the left.  
 
 ![browse project](img/new_remove_update_member.png)
 
-##Replicating images
+## Replicating images  
 Images replication is used to replicate repositories from one Harbor instance to another.  
 
-The function is project-oriented, and once the system administrator set a policy to one project, all repositories under the project will be replicated to the remote registry. Each repository will start a job to run. If the project does not exist on the remote registry, a new project will be created automatically, but if it already exists and the user configured in policy has no write privilege to it, the process will fail. When a new repository is pushed to this project or an existing repository is deleted from this project, the same operation will also be replicated to the destination. The member information will not be replicated.  
+The function is project-oriented, and once the system administrator set a rule to one project, all repositories under the project will be replicated to the remote registry. Each repository will start a job to run. If the project does not exist on the remote registry, a new project will be created automatically, but if it already exists and the user configured in policy has no write privilege to it, the process will fail. When a new repository is pushed to this project or an existing repository is deleted from this project, the same operation will also be replicated to the destination. The member information will not be replicated.  
 
 There may be a bit of delay during replication according to the situation of the network. If replication job fails due to the network issue, the job will be re-scheduled a few minutes later.  
 
 **Note:** The replication feature is incompatible between Harbor instance before version 0.3.5(included) and after version 0.3.5.  	
 
-Start replication by creating a policy. Click "Add New Policy" on the "Replication" tab, fill the necessary fields, if there is no destination in the list, you need to create one, and then click "OK", a policy for this project will be created. If  "Enable" is chosen, the project will be replicated to the remote immediately.  
+Start replication by creating a rule. Click "Add Replication Rule" on the "Replication" tab, fill in the necessary fields, if there is no endpoint in the list, you need to create one, and then click "OK", a rule for this project will be created. If  "Enable" is chosen, the project will be replicated to the remote immediately.  
 
-![browse project](img/new_create_policy.png)
+![browse project](img/new_create_rule.png)
 
-You can enable, disable or delete a policy in the policy list view. Only policies which are disabled can be edited and only policies which are disabled and have no running jobs can be deleted. If a policy is disabled, the running jobs under it will be stopped.  
+You can enable, disable or delete a rule in the rule list view. Only rules which are disabled can be edited and only rules which are disabled and have no running jobs can be deleted. If a rule is disabled, the running jobs under it will be stopped.  
 
-Click a policy, jobs which belong to this policy will be listed. A job represents the progress which will replicate a repository of one project to the remote.  
+Click a rule, jobs which belong to this rule will be listed. A job represents the progress of replicating the repository to the remote instance.  
 
-![browse project](img/new_policy_list.png)
+![browse project](img/new_rule_list.png)
 
-##Searching projects and repositories
-Entering a keyword in the search field at the top lists all matching projects and repositories. The search result includes both public and private repositories you have access privilege to.  
+## Searching projects and repositories  
+Entering a keyword in the search field at the top lists all matching projects and repositories. The search result includes both public and private repositories you have access to.  
 
 ![browse project](img/new_search.png)
 
-##Administrator options
-###Managing user
-Administrator can add "administrator" role to an ordinary user by toggling the switch under "Administrator". To delete a user, click on the recycle bin icon.  
+## Administrator options  
+### Managing user  
+Administrator can add "Administrator" role to an ordinary user by click button on the left and select "Set as Administrator". To delete a user, select "Delete". 
 
 ![browse project](img/new_set_admin_remove_user.png)
 
-###Managing destination
-You can list, add, edit and delete destinations in the "Destination" tab. Only destinations which are not referenced by any policies can be edited.  
+### Managing endpoint  
+You can list, add, edit and delete endpoints in the "Endpoints" tab. Only endpoints which are not referenced by any enabled rules can be edited.  
 
-![browse project](img/new_manage_destination.png)
+![browse project](img/new_manage_endpoint.png)
 
-###Managing replication
-You can list, edit, enable and disable policies in the "Replication" tab. Make sure the policy is disabled before you edit it.  
+### Managing replication  
+You can list, edit, enable and disable rules in the "Replication" tab. Make sure the policy is disabled before you edit it.  
 
 ![browse project](img/new_manage_replication.png)
 
-##Pulling and pushing images using Docker client
+### Managing authentication
+You can change authentication mode between **Database**(default) and **LDAP** before any user is added, when there is at least one user(besides admin) in Harbor, you cannot change the authentication mode.  
+![browse project](img/new_auth.png)
+When using LDAP mode, user's self-registration is disabled. The parameters of LDAP server must be filled in. For more information, refer to [User account](#user-account).   
+![browse project](img/ldap_auth.png)
+
+### Managing project creation
+Use the **Project Creation** drop-down menu to set which users can create projects. Select **Everyone** to allow all users to create projects. Select **Admin Only** to allow only users with the Administrator role to create projects.  
+![browse project](img/new_proj_create.png)
+
+### Managing self-registration
+You can manage whether a user can sign up for a new account. This option is not available if you use LDAP authentication.  
+![browse project](img/new_self_reg.png)
+
+### Managing verification of remote certificate
+You  can choose whether to verify remote endpoint's certification. You may need to disable certificate verification if the remote registry uses a self-signed or an untrusted certificate.  
+![browse project](img/new_remote_cert.png)
+
+### Managing email settings
+You can change Harbor's email settings, the mail server is used to send out responses to users who request to reset their password.  
+![browse project](img/new_config_email.png)
+
+## Pulling and pushing images using Docker client  
 
 **NOTE: Harbor only supports Registry V2 API. You need to use Docker client 1.6.0 or higher.**  
 
-Harbor supports HTTP by default and Docker client tries to connect to Harbor using HTTPS first, so if you encounter an error as below when you pull or push images, you need to add '--insecure-registry' option to /etc/default/docker (ubuntu) or /etc/sysconfig/docker (centos) and restart Docker:    
-*FATA[0000] Error response from daemon: v1 ping attempt failed with error:  
-Get https://myregistrydomain.com:5000/v1/_ping: tls: oversized record received with length 20527.   
-If this private registry supports only HTTP or HTTPS with an unknown CA certificate,please add   
-`--insecure-registry myregistrydomain.com:5000` to the daemon's arguments.  
-In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag;  
-simply place the CA certificate at /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt*  
+Harbor supports HTTP by default and Docker client tries to connect to Harbor using HTTPS first, so if you encounter an error as below when you pull or push images, you need to add '--insecure-registry' option to ```/etc/default/docker``` (ubuntu) or ```/etc/sysconfig/docker``` (centos) and restart Docker:    
+  
 
-###Pulling images
+```Error response from daemon: Get https://myregistrydomain.com/v1/users/: dial tcp myregistrydomain.com:443 getsockopt: connection refused.```   
+  
+
+If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add   
+`--insecure-registry myregistrydomain.com` to the daemon's start up arguments.  
+  
+
+In the case of HTTPS, if you have access to the registry's CA certificate, simply place the CA certificate at /etc/docker/certs.d/myregistrydomain.com/ca.crt .   
+
+### Pulling images  
 If the project that the image belongs to is private, you should sign in first:  
 
 ```sh
@@ -149,9 +176,9 @@ You can now pull the image:
 $ docker pull 10.117.169.182/library/ubuntu:14.04  
 ```
 
-**Note: Replace "10.117.169.182" with the IP address or domain name of your Harbor node.**
+**Note: Replace "10.117.169.182" with the IP address or domain name of your Harbor node. You cannot pull a unsigned image if you enabled content trust.**
 
-###Pushing images
+### Pushing images  
 Before pushing an image, you must create a corresponding project on Harbor web UI. 
 
 First, log in from Docker client:  
@@ -174,16 +201,17 @@ $ docker push 10.117.169.182/demo/ubuntu:14.04
 
 **Note: Replace "10.117.169.182" with the IP address or domain name of your Harbor node.**
 
-##Deleting repositories
+###  Deleting repositories  
 
 Repository deletion runs in two steps.  
 
 First, delete a repository in Harbor's UI. This is soft deletion. You can delete the entire repository or just a tag of it. After the soft deletion, 
 the repository is no longer managed in Harbor, however, the files of the repository still remain in Harbor's storage.  
 
-![browse project](img/new_delete_repository.png)
+![browse project](img/new_delete_repo.png)
+![browse project](img/new_delete_tag.png)
 
-**CAUTION: If both tag A and tag B refer to the same image, after deleting tag A, B will also get deleted.**  
+**CAUTION: If both tag A and tag B refer to the same image, after deleting tag A, B will also get deleted. if you enabled content trust, you need to use notary command line tool to delete the tag's signature before you delete an image.**  
 
 Next, delete the actual files of the repository using the registry's garbage collection(GC). Make sure that no one is pushing images or Harbor is not running at all before you perform a GC. If someone were pushing an image while GC is running, there is a risk that the image's layers will be mistakenly deleted which results in a corrupted image. So before running GC, a preferred approach is to stop Harbor first.  
 
@@ -191,15 +219,32 @@ Run the below commands on the host which Harbor is deployed on to preview what f
 
 ```sh
 $ docker-compose stop
-$ docker run -it --name gc --rm --volumes-from registry registry:2.6.0 garbage-collect --dry-run /etc/registry/config.yml
+
+$ docker run -it --name gc --rm --volumes-from registry vmware/registry:photon-2.6.0 garbage-collect --dry-run /etc/registry/config.yml
+
 ```  
 **NOTE:** The above option "--dry-run" will print the progress without removing any data.  
 
 Verify the result of the above test, then use the below commands to perform garbage collection and restart Harbor. 
 
 ```sh
-$ docker run -it --name gc --rm --volumes-from registry registry:2.6.0 garbage-collect  /etc/registry/config.yml
+
+$ docker run -it --name gc --rm --volumes-from registry vmware/registry:photon-2.6.0 garbage-collect  /etc/registry/config.yml
+
 $ docker-compose start
 ```  
 
 For more information about GC, please see [GC](https://github.com/docker/docker.github.io/blob/master/registry/garbage-collection.md).  
+
+### Content trust  
+If you want to enable content trust to ensure that images are signed, please set two environment variables in the command line before pushing or pulling any image:
+```sh
+export DOCKER_CONTENT_TRUST=1
+export DOCKER_CONTENT_TRUST_SERVER=https://10.117.169.182:4443
+```
+If you are using a self-signed cert, make sure to copy the CA cert into ```/etc/docker/certs.d/10.117.169.182``` and ```$HOME/.docker/tls/10.117.169.182:4443/```. When an image is signed, it is indicated in the Web UI.  
+**Note: Replace "10.117.169.182" with the IP address or domain name of your Harbor node. In order to use content trust, HTTPS must be enabled in Harbor.**  
+  
+
+When an image is signed, it has a tick shown in UI; otherwise, a cross sign(X) is displayed instead.  
+![browse project](img/content_trust.png)