Upstream
/
harbor
mirror of https://github.com/goharbor/harbor.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Rewrote lifecycle doc

This commit is contained in:
Stuart Clements 2019-12-18 15:32:50 +01:00
parent 81d669a2d5
commit 424ed5aa29
19 changed files with 97 additions and 1391 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
docs/harbor-doc-reorg/_index.md
View File

@ -6,31 +6,28 @@ This is the main table of contents for the Harbor documentation.
This section describes how to install Harbor and perform the required initial configurations. These day 1 operations are performed by the Harbor Administrator.
- [Installing Harbor](install_config/installation/_index.md)
- [Test Harbor with the Demo Server](install_config/installation/demo_server.md)
- [Harbor Compatibility List](install_config/installation/harbor_compatibility_list.md)
- [Harbor Installation Prerequisites](install_config/installation/installation_prereqs.md)
- [Download the Harbor Installer](install_config/installation/download_installer.md)
- [Configure HTTPS Access to Harbor](install_config/installation/configure_https.md)
- [Configure the Harbor YML File](install_config/installation/configure_yml_file.md)
- [Run the Installer Script](install_config/installation/run_installer_script.md)
- [Troubleshooting Harbor Installation](install_config/installation/troubleshoot_installation.md)
- [Post-Installation Configuration](install_config/configuration/_index.md)
- [Reconfigure Harbor and Manage the Harbor Lifecycle](install_config/configuration/reconfigure_manage_lifecycle.md)
- [Customize the Harbor Token Service](install_config/configuration/customize_token_service.md)
- [Configure Notary Content Trust](install_config/configuration/configure_notary_content_trust.md)
- [Initial Configuration in the Harbor UI](install_config/configuration/initial_config_ui.md)
- [Configure Authentication](install_config/configuration/configure_authentication.md)
- [Administrator Options](install_config/configuration/general_settings.md)
- [Installing Harbor](install_config/_index.md)
- [Test Harbor with the Demo Server](install_config/demo_server.md)
- [Harbor Compatibility List](install_config/harbor_compatibility_list.md)
- [Harbor Installation Prerequisites](install_config/installation_prereqs.md)
- [Download the Harbor Installer](install_config/download_installer.md)
- [Configure HTTPS Access to Harbor](install_config/configure_https.md)
- [Configure the Harbor YML File](install_config/configure_yml_file.md)
- [Run the Installer Script](install_config/run_installer_script.md)
- [Troubleshooting Harbor Installation](install_config/troubleshoot_installation.md)
- [Reconfigure Harbor and Manage the Harbor Lifecycle](install_config/reconfigure_manage_lifecycle.md)
- [Customize the Harbor Token Service](install_config/customize_token_service.md)
## [Harbor Administration](administration/_index.md)
This section describes how to use and maintain Harbor after deployment. These day 2 operations are performed by the Harbor Administrator.
- [Configure Authentication](administration/configure_authentication.md)
- [Manage Users](administration/managing_users/_index.md)
- [Harbor Role Based Access Control (RBAC)](administration/managing_users/configure_rbac.md)
- [User Permissions By Role](administration/managing_users/user_permissions_by_role.md)
- [Configure Harbor User Settings at the Command Line](administration/managing_users/configure_user_settings_cli.md)
- [Administrator Options](install_config/general_settings.md)
- [Configure Project Settings](administration/configure_project_settings/_index.md)
- [Set Project Quotas](administration/configure_project_settings/set_project_quotas.md)
- [Configuring Replication](administration/configuring_replication/_index.md)

58
docs/harbor-doc-reorg/install_config/_index.md
View File

@ -1,11 +1,53 @@
# Harbor Installation and Configuration
This section describes how to get Harbor up and running.
- [Installing Harbor](installation/_index.md)
- [Post-Installation Configuration](configuration/_index.md)
- [Initial Configuration in the Harbor UI](configuration/initial_config_ui.md)
[Back to table of contents](../_index.md)
----------
[Back to table of contents](../_index.md)
# Harbor Installation and Configuration
This section describes how to perform a new installation of Harbor.
If you are upgrading from a previous version of Harbor, you might need to update the configuration file and migrate your data to fit the database schema of the later version. For information about upgrading, see [Upgrading Harbor](../../administration/upgrade/_index.md).
You can also use Helm to install Harbor on a Kubernetes cluster, to make it highly available. For information about installing Harbor with Helm on a Kubernetes cluster, see the [Harbor High Availability Guide](https://github.com/goharbor/harbor-helm/blob/master/docs/High%20Availability.md) in the https://github.com/goharbor/harbor-helm repository.
Before you install Harbor, you can test its functionality on a demo server that the Harbor team has made available. For information, see [Test Harbor with the Demo Server](demo_server.md).
You can use Harbor with different 3rd party replication adapters, OIDC adapters, and scanner adapters. For information about the supported adapters, see the [Harbor Compatibility List](harbor_compatibility_list.md).
## Installation Process
The standard Harbor installation process involves the following stages:
1. Make sure that your target host meets the [Harbor Installation Prerequisites](installation_prereqs.md).
1. [Download the Harbor Installer](download_installer.md)
1. [Configure HTTPS Access to Harbor](configure_https.md)
1. [Configure the Harbor YML File](configure_yml_file.md)
1. [Run the Installer Script](run_installer_script.md)
If installation fails, see [Troubleshooting Harbor Installation
](troubleshoot_installation.md).
## Post-Installation Configuration
For information about how manage your deployed Harbor instance, see [Reconfigure Harbor and Manage the Harbor Lifecycle](reconfigure_manage_lifecycle.md).
By default, Harbor uses its own private key and certificate to authenticate with Docker. For information about how to optionally customize your configuration to use your own key and certificate, see [Customize the Harbor Token Service](customize_token_service.md).
## Harbor Components
The table below lists the components that are deployed when you deploy Harbor.
|Component|Version|
|---|---|
|Postgresql|9.6.10-1.ph2|
|Redis|4.0.10-1.ph2|
|Clair|2.0.8|
|Beego|1.9.0|
|Chartmuseum|0.9.0|
|Docker/distribution|2.7.1|
|Docker/notary|0.6.1|
|Helm|2.9.1|
|Swagger-ui|3.22.1|
----------
[Back to table of contents](../../_index.md)

12
docs/harbor-doc-reorg/install_config/configuration/_index.md
View File

@ -1,12 +0,0 @@
# Post-Installation Configuration
After you have deployed Harbor, you must perform certain post-deployment configuration operations.
- [Customize the Harbor Token Service](customize_token_service.md)
- [Configure Notary Content Trust](configure_notary_content_trust.md)
- [Reconfigure Harbor and Manage the Harbor Lifecycle](reconfigure_manage_lifecycle.md)
- [Access Harbor Logs](access_logs.md)
----------
[Back to table of contents](../../_index.md)

170
docs/harbor-doc-reorg/install_config/configuration/configure_authentication.md
View File

@ -1,170 +0,0 @@
[Back to table of contents](../../_index.md)
----------
# Authentication Modes and User Accounts
Harbor supports different modes for authenticating users and managing user accounts.
- [Database Authentication](#db_auth)
- [LDAP/Active Directory Authentication](#ldap_auth)
- [OIDC Provider Authentication](#oidc_auth)
**NOTE**: The Harbor interface offers an option to configure UAA authentication. This authentication mode is not recommended and is not documented in this guide.
<a id="db_auth"></a>
## Database Authentication
In database authentication mode, user accounts are stored in the local database. By default, only the Harbor system administrator can create user accounts to add users to Harbor. You can optionally configure Harbor to allow self-registration.
**IMPORTANT**: If you create users in the database, Harbor is locked in database mode. You cannot change to a different authentication mode after you have created local users.
1. Log in to the Harbor interface with an account that has Harbor system administrator privileges.
1. Under **Administration**, go to **Configuration** and select the **Authentication** tab.
1. Leave **Auth Mode** set to the default **Database** option.
![Database authentication](../../img/db_auth.png)
1. Optionally select the **Allow Self-Registration** check box.
![Enable self-registration](../../img/new_self_reg.png)
If you enable self registration option, users can register themselves in Harbor. Self-registration is disabled by default. If you enable self-registration, unregistered users can sign up for a Harbor account by clicking **Sign up for an account** in the Harbor log in page.
![Enable self-registration](../../img/self-registration-login.png)
<a id="ldap_auth"></a>
## LDAP/Active Directory Authentication
If you select LDAP/AD authentication, users whose credentials are stored in an external LDAP or AD server can log in to Harbor directly. In this case, you do not create user accounts in Harbor.
**IMPORTANT**: You can change the authentication mode from database to LDAP only if no local users have been added to the database. If there is at least one user other than `admin` in the Harbor database, you cannot change the authentication mode.
Because the users are managed by LDAP or AD, self-registration, creating users, deleting users, changing passwords, and resetting passwords are not supported in LDAP/AD authentication mode.
If you want to manage user authentication by using LDAP groups, you must enable the `memberof` feature on the LDAP/AD server. With the `memberof` feature, the LDAP/AD user entity's `memberof` attribute is updated when the group entity's `member` attribute is updated, for example by adding or removing an LDAP/AD user from the LDAP/AD group. This feature is enabled by default in Active Directory. For information about how to enable and verify `memberof` overlay in OpenLDAP, see [this technical note]( https://technicalnotes.wordpress.com/2014/04/19/openldap-setup-with-memberof-overlay/).
1. Log in to the Harbor interface with an account that has Harbor system administrator privileges.
1. Under **Administration**, go to **Configuration** and select the **Authentication** tab.
1. Use the **Auth Mode** drop-down menu to select **LDAP**.
![LDAP authentication](../../img/select_ldap_auth.png)
1. Enter the address of your LDAP server, for example `ldaps://10.162.16.194`.
1. Enter information about your LDAP server.
- **LDAP Search DN** and **LDAP Search Password**: When a user logs in to Harbor with their LDAP username and password, Harbor uses these values to bind to the LDAP/AD server. For example, `cn=admin,dc=example.com`.
- **LDAP Base DN**: Harbor looks up the user under the LDAP Base DN entry, including the subtree. For example, `dc=example.com`.
- **LDAP Filter**: The filter to search for LDAP/AD users. For example, `objectclass=user`.
- **LDAP UID**: An attribute, for example `uid`, or `cn`, that is used to match a user with the username. If a match is found, the user's password is verified by a bind request to the LDAP/AD server.
- **LDAP Scope**: The scope to search for LDAP/AD users. Select from **Subtree**, **Base**, and **OneLevel**.
![Basic LDAP configuration](../../img/ldap_auth.png)
1. If you want to manage user authentication with LDAP groups, configure the group settings.
- **LDAP Group Base DN**: The base DN from which to lookup a group in LDAP/AD. For example, `ou=groups,dc=example,dc=com`.
- **LDAP Group Filter**: The filter to search for LDAP/AD groups. For example, `objectclass=groupOfNames`.
- **LDAP Group GID**: The attribute used to name an LDAP/AD group. For example, `cn`.
- **LDAP Group Admin DN**: All LDAP/AD users in this group DN have Harbor system administrator privileges.
- **LDAP Group Membership**: The user attribute usd to identify a user as a member of a group. By default this is `memberof`.
- **LDAP Scope**: The scope to search for LDAP/AD groups. Select from **Subtree**, **Base**, and **OneLevel**.
![LDAP group configuration](../../img/ldap_groups.png)
1. Uncheck **LDAP Verify Cert** if the LDAP/AD server uses a self-signed or untrusted certificate.
![LDAP certificate verification](../../img/ldap_cert_test.png)
1. Click **Test LDAP Server** to make sure that your configuration is correct.
1. Click **Save** to complete the configuration.
<a id="oidc_auth"></a>
## OIDC Provider Authentication
If you select OpenID Connect (OIDC) authentication, users log in to the Harbor interface via an OIDC single sign-on (SSO) provider, such as Okta, KeyCloak, or dex. In this case, you do not create user accounts in Harbor.
**IMPORTANT**: You can change the authentication mode from database to OIDC only if no local users have been added to the database. If there is at least one user other than `admin` in the Harbor database, you cannot change the authentication mode.
Because the users are managed by the OIDC provider, self-registration, creating users, deleting users, changing passwords, and resetting passwords are not supported in OIDC authentication mode.
### Configure Your OIDC Provider
You must configure your OIDC provider so that you can use it with Harbor. For precise information about how to perform these configurations, see the documentation for your OIDC provider.
- Set up the users and groups that will use the OIDC provider to log in to Harbor. You do not need to assign any specific OIDC roles to users or groups as these do not get mapped to Harbor roles.
- The URL of the OIDC provider endpoint, known as the Authorization Server in OAuth terminology, must service the well-known URI for its configuration document. For more information about the configuration document, see the [OpenID documentation] (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest).
- To manage users by using OIDC groups, create a custom group claim that contains all of the user groups that you want to register in Harbor. The group claim must be mapped in the ID token that is sent to Harbor when users log in. You can enable the `memberof` feature on the OIDC provider. With the `memberof` feature, the OIDC user entity's `memberof` attribute is updated when the group entity's `member` attribute is updated, for example by adding or removing an OIDC user from the OIDC group.
- Register Harbor as a client application with the OIDC provider. Associate Harbor's callback URI to the client application as a `redirectURI`. This is the address to which the OIDC provider sends ID tokens.
### Configure an OIDC Provider in Harbor
Before configuring an OIDC provider in Harbor, make sure that your provider is configured correctly according to the preceding section.
1. Log in to the Harbor interface with an account that has Harbor system administrator privileges.
1. Under **Administration**, go to **Configuration** and select the **Authentication** tab.
1. Use the **Auth Mode** drop-down menu to select **OIDC**.
![LDAP authentication](../../img/select_oidc_auth.png)
1. Enter information about your OIDC provider.
- **OIDC Provider Name**: The name of the OIDC provider.
- **OIDC Provider Endpoint**: The URL of the endpoint of the OIDC provider.
- **OIDC Client ID**: The client ID with which Harbor is registered as client application with the OIDC provider.
- **OIDC Client Secret**: The secret for the Harbor client application.
- **Group Claim Name**: The name of a custom group claim that you have configured in your OIDC provider, that includes the groups to add to Harbor.
- **OIDC Scope**: A comma-separated string listing the scopes to be used during authentication.
The OIDC scope must contain `openid` and usually also contains `profile` and `email`. To obtain refresh tokens it should also contain `offline_access`. If you are using OIDC groups, a scope must identify the group claim. Check with your OIDC provider administrator for precise details of how to identify the group claim scope, as this differs from vendor to vendor.
![OIDC settings](../../img/oidc_auth_setting.png)
1. Uncheck **Verify Certificate** if the OIDC Provider uses a self-signed or untrusted certificate.
1. Verify that the Redirect URI that you configured in your OIDC provider is the same as the one displayed at the bottom of the page.
![OIDC certificate verification, URI, and test ](../../img/oidc_cert_verification.png)
1. Click **Test OIDC Server** to make sure that your configuration is correct.
1. Click **Save** to complete the configuration.
### Log In to Harbor via an OIDC Provider
When the Harbor system administrator has configured Harbor to authenticate via OIDC a **Login via OIDC Provider** button appears on the Harbor login page.
![oidc_login](../../img/oidc_login.png)
**NOTE:** When Harbor is configured authentication via OIDC, the **Username** and **Password** fields are reserved for the local Harbor system administrator to log in.
1. As a Harbor user, click the **Login via OIDC Provider** button.
This redirects you to the OIDC Provider for authentication.
1. If this is the first time that you are logging in to Harbor with OIDC, specify a user name for Harbor to associate with your OIDC username.
![Specify Harbor username for OIDC](../../img/oidc_onboard_dlg.png)
This is the user name by which you are identified in Harbor, which is used when adding you to projects, assigning roles, and so on. If the username is already taken, you are prompted to choose another one.
1. After the OIDC provider has authenticated you, you are redirected back to Harbor.
### Using OIDC from the Docker or Helm CLI
After you have authenticated via OIDC and logged into the Harbor interface for the first time, you can use the Docker or Helm CLI to access Harbor.
The Docker and Helm CLIs cannot handle redirection for OIDC, so Harbor provides a CLI secret for use when logging in from Docker or Helm. This is only available when Harbor uses OIDC authentication.
1. Log in to Harbor with an OIDC user account.
1. Click your username at the top of the screen and select **User Profile**.
![Access user profile](../../img/user_profile.png)
1. Click the clipboard icon to copy the CLI secret associated with your account.
![Copy CLI secret](../../img/profile_dlg.png)
1. Optionally click the **...** icon in your user profile to display buttons for automatically generating or manually creating a new CLI secret.
![Copy CLI secret](../../img/generate_create_new_secret.png)
A user can only have one CLI secret, so when a new secret is generated or create, the old one becomes invalid.
1. If you generated a new CLI secret, click the clipboard icon to copy it.
You can now use your CLI secret as the password when logging in to Harbor from the Docker or Helm CLI.
<pre>
sh docker login -u testuser -p <i>cli_secret</i> jt-test.local.goharbor.io
</pre>
**NOTE**: The CLI secret is associated with the OIDC ID token. Harbor will try to refresh the token, so the CLI secret will be valid after the ID token expires. However, if the OIDC Provider does not provide a refresh token or the refresh fails, the CLI secret becomes invalid. In this case, log out and log back in to Harbor via your OIDC provider so that Harbor can get a new ID token. The CLI secret will then work again.
----------
[Back to table of contents](../../_index.md)

34
docs/harbor-doc-reorg/install_config/configuration/configure_notary_content_trust.md
View File

@ -1,34 +0,0 @@
[Back to table of contents](../../_index.md)
----------
# Configure Notary Content Trust
In harbor.yml, make sure https is enabled, and the attributes `ssl_cert` and `ssl_cert_key` are pointed to valid certificates. For more information about generating https certificate please refer to: [Configuring HTTPS for Harbor](configure_https.md)
### Copy Root Certificate
Suppose the Harbor instance is hosted on a machine `192.168.0.5`
If you are using a self-signed certificate, make sure to copy the CA root cert to `/etc/docker/certs.d/192.168.0.5/` and `~/.docker/tls/192.168.0.5:4443/`
### Enable Docker Content Trust
It can be done via setting environment variables:
```
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://192.168.0.5:4443
```
### Set alias for notary (optional)
Because by default the local directory for storing meta files for notary client is different from docker client. If you want to use notary client to manipulate the keys/meta files generated by Docker Content Trust, please set the alias to reduce the effort:
```
alias notary="notary -s https://192.168.0.5:4443 -d ~/.docker/trust --tlscacert /etc/docker/certs.d/192.168.0.5/ca.crt"
```
----------
[Back to table of contents](../../_index.md)

66
docs/harbor-doc-reorg/install_config/configuration/customize_token_service.md
View File

@ -1,66 +0,0 @@
[Back to table of contents](../../_index.md)
----------
# Customize the Harbor Token Service
Harbor requires Docker client to access the Harbor registry with a token. The procedure to generate a token is like [Docker Registry v2 authentication](https://github.com/docker/distribution/blob/master/docs/spec/auth/token.md). Firstly, you should make a request to the token service for a token. The token is signed by the private key. After that, you make a new request with the token to the Harbor registry, Harbor registry will verify the token with the public key in the rootcert bundle. Then Harbor registry will authorize the Docker client to push/pull images.
By default, Harbor uses default private key and certificate in authentication. Also, you can customize your configuration with your own key and certificate with the following steps:
1.If you already have a certificate, go to step 3.
2.If not, you can generate a root certificate using openSSL with following commands:
**1)Generate a private key:**
```sh
$ openssl genrsa -out private_key.pem 4096
```
**2)Generate a certificate:**
```sh
$ openssl req -new -x509 -key private_key.pem -out root.crt -days 3650
```
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank. Following are what you're asked to enter.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, server FQDN or YOUR name) []:
Email Address []:
After you execute these two commands, you will see private_key.pem and root.crt in the **current directory**, just type "ls", you'll see them.
3.Refer to [Installation Guide](https://github.com/goharbor/harbor/blob/master/docs/installation_guide.md) to install Harbor, After you execute ./prepare, Harbor generates several config files. We need to replace the original private key and certificate with your own key and certificate.
4.Replace the default key and certificate. Assume that you key and certificate are in the directory /root/cert, following are what you should do:
```
$ cd config/ui
$ cp /root/cert/private_key.pem private_key.pem
$ cp /root/cert/root.crt ../registry/root.crt
```
5.After these, go back to the make directory, you can start Harbor using following command:
```
$ docker-compose up -d
```
6.Then you can push/pull images to see if your own certificate works. Please refer [User Guide](https://github.com/goharbor/harbor/blob/master/docs/user_guide.md) for more info.
----------
[Back to table of contents](../../_index.md)

32
docs/harbor-doc-reorg/install_config/configuration/general_settings.md
View File

@ -1,32 +0,0 @@
[Back to table of contents](../../_index.md)
----------
# Administrator Options
## Managing Project Creation
Use the **Project Creation** drop-down menu to set which users can create projects. Select **Everyone** to allow all users to create projects. Select **Admin Only** to allow only users with the Administrator role to create projects.
![browse project](../../img//new_proj_create.png)
## Managing Email Settings
You can change Harbor's email settings, the mail server is used to send out responses to users who request to reset their password.
![browse project](../../img//new_config_email.png)
## Managing Registry Read Only
You can change Harbor's registry read only settings, read only mode will allow 'docker pull' while preventing 'docker push' and the deletion of repository and tag.
![browse project](../../img//read_only.png)
If it set to true, deleting repository, tag and pushing image will be disabled.
![browse project](../../img//read_only_enable.png)
```
$ docker push 10.117.169.182/demo/ubuntu:14.04
The push refers to a repository [10.117.169.182/demo/ubuntu]
0271b8eebde3: Preparing
denied: The system is in read only mode. Any modification is prohibited.
```
----------
[Back to table of contents](../../_index.md)

8
docs/harbor-doc-reorg/install_config/configuration/initial_config_ui.md
View File

@ -1,8 +0,0 @@
# Initial Configuration in the Harbor UI
- [Configure Authentication](configure_authentication.md)
- [Other General Settings](general_settings.md)
----------
[Back to table of contents](../../_index.md)

80
docs/harbor-doc-reorg/install_config/configuration/reconfigure_manage_lifecycle.md
View File

@ -1,80 +0,0 @@
[Back to table of contents](../../_index.md)
----------
# Reconfigure Harbor and Manage the Harbor Lifecycle
You can use `docker-compose` to manage the lifecycle of Harbor. Some useful commands are listed below. You must run the commands in the same directory as `docker-compose.yml`.
### Stop Harbor:
``` sh
$ sudo docker-compose stop
Stopping nginx ... done
Stopping harbor-portal ... done
Stopping harbor-jobservice ... done
Stopping harbor-core ... done
Stopping registry ... done
Stopping redis ... done
Stopping registryctl ... done
Stopping harbor-db ... done
Stopping harbor-log ... done
```
### Restart Harbor after Stopping:
``` sh
$ sudo docker-compose start
Starting log ... done
Starting registry ... done
Starting registryctl ... done
Starting postgresql ... done
Starting core ... done
Starting portal ... done
Starting redis ... done
Starting jobservice ... done
Starting proxy ... done
```
### Reconfigure Harbor
To reconfigure Harbor, stop the existing Harbor instance and update `harbor.yml`. Then run `prepare` script to populate the configuration. Finally re-create and start the Harbor instance.
``` sh
$ sudo docker-compose down -v
$ vim harbor.yml
$ sudo prepare
$ sudo docker-compose up -d
```
### Other Commands
Remove Harbor's containers while keeping the image data and Harbor's database files on the file system:
``` sh
$ sudo docker-compose down -v
```
Remove Harbor's database and image data for a clean re-installation:
``` sh
$ rm -r /data/database
$ rm -r /data/registry
```
### Managing the Harbor Lifecycle with Notary, Clair and Chart Repository Service
If you want to install Notary, Clair and chart repository service together, you should include all the components in the prepare commands:
``` sh
$ sudo docker-compose down -v
$ vim harbor.yml
$ sudo prepare --with-notary --with-clair --with-chartmuseum
$ sudo docker-compose up -d
```
Please check the [Docker Compose command-line reference](https://docs.docker.com/compose/reference/) for more on docker-compose.
----------
[Back to table of contents](../../_index.md)

47
docs/harbor-doc-reorg/install_config/installation/_index.md
View File

@ -1,47 +0,0 @@
[Back to table of contents](../../_index.md)
----------
# Installing Harbor
This section describes how to perform a new installation of Harbor.
If you are upgrading from a previous version of Harbor, you might need to update the configuration file and migrate your data to fit the database schema of the later version. For information about upgrading, see [Upgrading Harbor](../../administration/upgrade/_index.md).
You can also use Helm to install Harbor on a Kubernetes cluster, to make it highly available. For information about installing Harbor with Helm on a Kubernetes cluster, see the [Harbor High Availability Guide](https://github.com/goharbor/harbor-helm/blob/master/docs/High%20Availability.md) in the https://github.com/goharbor/harbor-helm repository.
Before you install Harbor, you can test its functionality on a demo server that the Harbor team has made available. For information, see [Test Harbor with the Demo Server](demo_server.md).
You can use Harbor with different 3rd party replication adapters, OIDC adapters, and scanner adapters. For information about the supported adapters, see the [Harbor Compatibility List](harbor_compatibility_list.md).
## Installation Process
The standard Harbor installation process involves the following stages:
1. Make sure that your target host meets the [Harbor Installation Prerequisites](installation_prereqs.md).
1. [Download the Harbor Installer](download_installer.md)
1. [Configure HTTPS Access to Harbor](configure_https.md)
1. [Configure the Harbor YML File](configure_yml_file.md)
1. [Run the Installer Script](run_installer_script.md)
If installation fails, see [Troubleshooting Harbor Installation
](troubleshoot_installation.md).
## Harbor Components
The table below lists the components that are deployed when you deploy Harbor.
|Component|Version|
|---|---|
|Postgresql|9.6.10-1.ph2|
|Redis|4.0.10-1.ph2|
|Clair|2.0.8|
|Beego|1.9.0|
|Chartmuseum|0.9.0|
|Docker/distribution|2.7.1|
|Docker/notary|0.6.1|
|Helm|2.9.1|
|Swagger-ui|3.22.1|
----------
[Back to table of contents](../../_index.md)

187
docs/harbor-doc-reorg/install_config/installation/configure_https.md
View File

@ -1,187 +0,0 @@
[Back to table of contents](../../_index.md)
----------
# Configure HTTPS Access to Harbor
By default, Harbor does not ship with certificates. It is possible to deploy Harbor without security, so that you can connect to it over HTTP. However, using HTTP is acceptable only in air-gapped test or development environments that do not have a connection to the external internet. Using HTTP in environments that are not air-gapped exposes you to man-in-the-middle attacks. In production environments, always use HTTPS. If you enable Content Trust with Notary to properly sign all images, you must use HTTPS.
To configure HTTPS, you must create SSL certificates. You can use certificates that are signed by a trusted third-party CA, or you can use self-signed certificates. This section describes how to use [OpenSSL](https://www.openssl.org/) to create a CA, and how to use your CA to sign a server certificate and a client certificate. You can use other CA providers, for example [Let's Encrypt](https://letsencrypt.org/).
The procedures below assume that your Harbor registry's hostname is `yourdomain.com`, and that its DNS record points to the host on which you are running Harbor.
## Generate a Certificate Authority Certificate
In a production environment, you should obtain a certificate from a CA. In a test or development environment, you can generate your own CA. To generate a CA certficate, run the following commands.
1. Generate a CA certificate private key.
```
openssl genrsa -out ca.key 4096
```
1. Generate the CA certificate.
Adapt the values in the `-subj` option to reflect your organization. If you use an FQDN to connect your Harbor host, you must specify it as the common name (`CN`) attribute.
```
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
-key ca.key \
-out ca.crt
```
## Generate a Server Certificate
The certificate usually contains a `.crt` file and a `.key` file, for example, `yourdomain.com.crt` and `yourdomain.com.key`.
1. Generate a private key.
```
openssl genrsa -out yourdomain.com.key 4096
```
1. Generate a certificate signing request (CSR).
Adapt the values in the `-subj` option to reflect your organization. If you use an FQDN to connect your Harbor host, you must specify it as the common name (`CN`) attribute and use it in the key and CSR filenames.
```
openssl req -sha512 -new \
-subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
-key yourdomain.com.key \
-out yourdomain.com.csr
```
1. Generate an x509 v3 extension file.
Regardless of whether you're using either an FQDN or an IP address to connect to your Harbor host, you must create this file so that you can generate a certificate for your Harbor host that complies with the Subject Alternative Name (SAN) and x509 v3 extension requirements. Replace the `DNS` entries to reflect your domain.
```
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
```
1. Use the `v3.ext` file to generate a certificate for your Harbor host.
Replace the `yourdomain.com` in the CRS and CRT file names with the Harbor host name.
```
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in yourdomain.com.csr \
-out yourdomain.com.crt
```
## Provide the Certificates to Harbor and Docker
After generating the `ca.crt`, `yourdomain.com.crt`, and `yourdomain.com.key` files, you must provide them to Harbor and to Docker, and reconfigure Harbor to use them.
1. Copy the server certificate and key into the certficates folder on your Harbor host.
```
cp yourdomain.com.crt /data/cert/
```
```
cp yourdomain.com.key /data/cert/
```
1. Convert `yourdomain.com.crt` to `yourdomain.com.cert`, for use by Docker.
The Docker daemon interprets `.crt` files as CA certificates and `.cert` files as client certificates.
```
openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
```
1. Copy the server certificate, key and CA files into the Docker certificates folder on the Harbor host. You must create the appropriate folders first.
```
cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
```
```
cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
```
```
cp ca.crt /etc/docker/certs.d/yourdomain.com/
```
If you mapped the default `nginx` port 443 to a different port, create the folder `/etc/docker/certs.d/yourdomain.com:port`, or `/etc/docker/certs.d/harbor_IP:port`.
1. Restart Docker Engine.
`systemctl restart docker`
You might also need to trust the certificate at the OS level. See [Troubleshooting Harbor Installation
](troubleshoot_installation.md#https) for more information.
The following example illustrates a configuration that uses custom certificates.
```
/etc/docker/certs.d/
└── yourdomain.com:port
├── yourdomain.com.cert <-- Server certificate signed by CA
├── yourdomain.com.key <-- Server key signed by CA
└── ca.crt <-- Certificate authority that signed the registry certificate
```
## Deploy or Reconfigure Harbor
If you have not yet deployed Harbor, see [Configure the Harbor YML File](configure_yml_file.md) for information about how to configure Harbor to use the certificates by specifying the `hostname` and `https` attributes in `harbor.yml`.
If you already deployed Harbor with HTTP and want to reconfigure it to use HTTPS, perform the following steps.
1. Run the `prepare` script to enable HTTPS.
Harbor uses an `nginx` instance as a reverse proxy for all services. You use the `prepare` script to configure `nginx` to use HTTPS. The `prepare` is in the Harbor installer bundle, at the same level as the `install.sh` script.
```
./prepare
```
1. If Harbor is running, stop and remove the existing instance.
Your image data remains in the file system, so no data is lost.
```
docker-compose down -v
```
1. Restart Harbor:
```
docker-compose up -d
```
## Verify the HTTPS Connection
After setting up HTTPS for Harbor, you can verify the HTTPS connection by performing the following steps.
* Open a browser and enter https://yourdomain.com. It should display the Harbor interface.
Some browsers might show a warning stating that the Certificate Authority (CA) is unknown. This happens when using a self-signed CA that is not from a trusted third-party CA. You can import the CA to the browser to remove the warning.
* On a machine that runs the Docker daemon, check the `/etc/docker/daemon.json` file to make sure that the `-insecure-registry` option is not set for https://yourdomain.com.
* Log into Harbor from the Docker client.
```
docker login yourdomain.com
```
If you've mapped `nginx` 443 port to a different port,add the port in the `login` command.
```
docker login yourdomain.com:port
```
## What to Do Next ##
- If the verification succeeds, continue to set up Harbor by following the instructions in [Post-Installation Configuration](../configuration/_index.md) and [Initial Configuration in the Harbor UI](../configuration/initial_config_ui.md), or continue using Harbor.
- If installation fails, see [Troubleshooting Harbor Installation
](troubleshoot_installation.md).
----------
[Back to table of contents](../../_index.md)

327
docs/harbor-doc-reorg/install_config/installation/configure_yml_file.md
View File

@ -1,327 +0,0 @@
[Back to table of contents](../../_index.md)
----------
# Configure the Harbor YML File
You set system level parameters for Harbor in the `harbor.yml` file that is contained in the installer package. These parameters take effect when you run the `install.sh` script to install or reconfigure Harbor.
After the initial deployment and after you have started Harbor, you perform additional configuration in the Harbor Web Portal.
## Required Parameters
The table below lists the parameters that must be set when you deploy Harbor. By default, all of the required parameters are uncommented in the `harbor.yml` file. The optional parameters are commented with `#`. You do not necessarily need to change the values of the required parameters from the defaults that are provided, but these parameters must remain uncommented. At the very least, you must update the `hostname` parameter.
**IMPORTANT**: Harbor does not ship with any certificates. In versions up to and including 1.9.x, by default Harbor uses HTTP to serve registry requests. This is acceptable only in air-gapped test or development environments. In production environments, always use HTTPS. If you enable Content Trust with Notary to properly sign all images, you must use HTTPS.
You can use certificates that are signed by a trusted third-party CA, or you can use self-signed certificates. For information about how to create a CA, and how to use a CA to sign a server certificate and a client certificate, see [Configuring Harbor with HTTPS Access](configure_https.md).
<table width="100%" border="0">
<caption>
Required Parameters for Harbor Deployment
</caption>
<tr>
<th scope="col">Parameter</th>
<th scope="col">Sub-parameters</th>
<th scope="col">Description and Additional Parameters </th>
</tr>
<tr>
<td valign="top"><code>hostname</code></td>
<td valign="top">None</td>
<td valign="top">Specify the IP address or the fully qualified domain name (FQDN) of the target host on which to deploy Harbor. This is the address at which you access the Harbor Portal and the registry service. For example, <code>192.168.1.10</code> or <code>reg.yourdomain.com</code>. The registry service must be accessible to external clients, so do not specify <code>localhost</code>, <code>127.0.0.1</code>, or <code>0.0.0.0</code> as the hostname.</td>
</tr>
<tr>
<td valign="top"><code>http</code></td>
<td valign="top">&nbsp;</td>
<td valign="top">Do not use HTTP in production environments. Using HTTP is acceptable only in air-gapped test or development environments that do not have a connection to the external internet. Using HTTP in environments that are not air-gapped exposes you to man-in-the-middle attacks.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>port</code></td>
<td valign="top">Port number for HTTP, for both Harbor portal and Docker commands. The default is 80.</td>
</tr>
<tr>
<td valign="top"><code>https</code></td>
<td valign="top">&nbsp;</td>
<td valign="top">Use HTTPS to access the Harbor Portal and the token/notification service. Always use HTTPS in production environments and environments that are not air-gapped.
</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>port</code></td>
<td valign="top">The port number for HTTPS, for both Harbor portal and Docker commands. The default is 443.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>certificate</code></td>
<td valign="top">The path to the SSL certificate.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>private_key</code></td>
<td valign="top">The path to the SSL key.</td>
</tr>
<tr>
<td valign="top"><code>harbor_admin_password</code></td>
<td valign="top">None</td>
<td valign="top">Set an initial password for the Harbor system administrator. This password is only used on the first time that Harbor starts. On subsequent logins, this setting is ignored and the administrator's password is set in the Harbor Portal. The default username and password are <code>admin</code> and <code>Harbor12345</code>.</td>
</tr>
<tr>
<td valign="top"><code>database</code></td>
<td valign="top">&nbsp;</td>
<td valign="top">Use a local PostgreSQL database. You can optionally configure an external database, in which case you can disable this option.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>password</code></td>
<td valign="top">Set the root password for the local database. You must change this password for production deployments.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>max_idle_conns</code></td>
<td valign="top">The maximum number of connections in the idle connection pool. If set to &lt;=0 no idle connections are retained. The default value is 50. If it is not configured the value is 2.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>max_open_conns</code></td>
<td valign="top">The maximum number of open connections to the database. If &lt;= 0 there is no limit on the number of open connections. The default value is 100 for the max connections to the Harbor database. If it is not configured the value is 0.</td>
</tr>
<tr>
<td valign="top"><code>data_volume</code></td>
<td valign="top">None</td>
<td valign="top">The location on the target host in which to store Harbor's data. This data remains unchanged even when Harbor's containers are removed and/or recreated. You can optionally configure external storage, in which case disable this option and enable <code>storage_service</code>. The default is <code>/data</code>.</td>
</tr>
<tr>
<td valign="top"><code>clair</code></td>
<td valign="top"><code>updaters_interval</code></td>
<td valign="top">Set an interval for Clair updates, in hours. Set to 0 to disable the updates. The default is 12 hours.</td>
</tr>
<tr>
<td valign="top"><code>jobservice</code></td>
<td valign="top"><code>max_job_workers</code></td>
<td valign="top">The maximum number of replication workers in the job service. For each image replication job, a worker synchronizes all tags of a repository to the remote destination. Increasing this number allows more concurrent replication jobs in the system. However, since each worker consumes a certain amount of network/CPU/IO resources, set the value of this attribute based on the hardware resource of the host. The default is 10.</td>
</tr>
<tr>
<td valign="top"><code>notification</code></td>
<td valign="top"><code>webhook_job_max_retry</code></td>
<td valign="top">Set the maximum number of retries for web hook jobs. The default is 10.</td>
</tr>
<tr>
<td valign="top"><code>chart</code></td>
<td valign="top"><code>absolute_url</code></td>
<td valign="top">Set to <code>enabled</code> for Chart to use an absolute URL. Set to <code>disabled</code> for Chart to use a relative URL.</td>
</tr>
<tr>
<td valign="top"><code>log</code></td>
<td valign="top">&nbsp;</td>
<td valign="top">Configure logging. Harbor uses `rsyslog` to collect the logs for each container.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>level</code></td>
<td valign="top">Set the logging level to <code>debug</code>, <code>info</code>, <code>warning</code>, <code>error</code>, or <code>fatal</code>. The default is <code>info</code>.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>local</code></td>
<td valign="top">Set the log retention parameters:<ul>
<li><code>rotate_count</code>: Log files are rotated <code>rotate_count</code> times before being removed. If count is 0, old versions are removed rather than rotated. The default is 50.</li>
<li><code>rotate_size</code>: Log files are rotated only if they grow bigger than <code>rotate_size</code> bytes. Use <code>k</code> for kilobytes, <code>M</code> for megabytes, and <code>G</code> for gigabytes. <code>100</code>, <code>100k</code>, <code>100M</code> and <code>100G</code> are all valid values. The default is 200M.</li>
<li><code>location</code>: Set the directory in which to store the logs. The default is <code>/var/log/harbor</code>.</li>
</ul></td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>external_endpoint</code></td>
<td valign="top">Enable this option to forward logs to a syslog server.
<ul>
<li><code>protocol</code>: Transport protocol for the syslog server. Default is TCP.</li>
<li><code>host</code>: The URL of the syslog server.</li>
<li><code>port</code>: The port on which the syslog server listens</li>
</ul> </td>
</tr>
<tr>
<td valign="top"><code>proxy</code></td>
<td valign="top">&nbsp;</td>
<td valign="top">Configure proxies to be used by Clair, the replication jobservice, and Harbor. Leave blank if no proxies are required.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>http_proxy</code></td>
<td valign="top">Configure an HTTP proxy, for example, <code>http://my.proxy.com:3128</code>.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>https_proxy</code></td>
<td valign="top">Configure an HTTPS proxy, for example, <code>http://my.proxy.com:3128</code>.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>no_proxy</code></td>
<td valign="top">Configure when not to use a proxy, for example, <code>127.0.0.1,localhost,core,registry</code>.</td>
</tr>
</table>
### Optional parameters
The following table lists the additional, optional parameters that you can set to configure your Harbor deployment beyond the minimum required settings. To enable a setting, you must uncomment it in `harbor.yml` by deleting the leading `#` character.
<table width="100%" border="0">
<caption>
Optional Parameters for Harbor
</caption>
<tr>
<th scope="col">Parameter</th>
<th scope="col">Sub-Parameters</th>
<th scope="col">Description and Additional Parameters </th>
</tr>
<tr>
<td valign="top"><code>external_url</code></td>
<td valign="top">None</td>
<td valign="top">Enable this option to use an external proxy. When enabled, the hostname is no longer used.</td>
</tr>
<tr>
<tr>
<td valign="top"><code>storage_service</code></td>
<td valign="top">&nbsp;</td>
<td valign="top">By default, Harbor stores images and charts on your local filesystem. In a production environment, you might want to use another storage backend instead of the local filesystem. The parameters listed below are the configurations for the registry. See *Configuring Storage Backend* below for more information about how to configure a different backend.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>ca_bundle</code></td>
<td valign="top">The path to the custom root CA certificate, which is injected into the trust store of registry and chart repository containers. This is usually needed if internal storage uses a self signed certificate.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>filesystem</code></td>
<td valign="top">The default is <code>filesystem</code>, but you can set <code>azure</code>, <code>gcs</code>, <code>s3</code>, <code>swift</code> and <code>oss</code>. For information about how to configure other backends, see <a href="#backend">Configuring a Storage Backend</a> below. Set <code>maxthreads</code> to limit the number of threads to the external provider. The default is 100.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>redirect</code></td>
<td valign="top">Set <code>disable</code> to <code>true</code> when you want to disable registry redirect</td>
</tr>
<tr>
<td valign="top"><code>external_database</code></td>
<td valign="top">&nbsp;</td>
<td valign="top">Configure external database settings, if you disable the local database option. Currently, Harbor only supports PostgreSQL database. You must create four databases for Harbor core, Clair, Notary server, and Notary signer. The tables are generated automatically when Harbor starts up.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>harbor</code></td>
<td valign="top"><p>Configure an external database for Harbor data.</p>
<ul>
<li><code>host</code>: Hostname of the Harbor database.</li>
<li><code>port</code>: Database port.</li>
<li><code>db_name</code>: Database name.</li>
<li><code>username</code>: Username to connect to the core Harbor database.</li>
<li><code>password</code>: Password for the account you set in <code>username</code>.</li>
<li><code>ssl_mode</code>: Enable SSL mode.</li>
<li><code>max_idle_conns</code>: The maximum number of connections in the idle connection pool. If &lt;=0 no idle connections are retained. The default value is 2.</li>
<li><code>max_open_conns</code>: The maximum number of open connections to the database. If &lt;= 0 there is no limit on the number of open connections. The default value is 0.</li>
</ul> </td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>clair</code></td>
<td valign="top">Configure an external database for Clair.
<ul>
<li><code>host</code>: Hostname of the Clair database</li>
<li><code>port</code>: Database port.</li>
<li><code>db_name</code>: Database name.</li>
<li><code>username</code>: Username to connect to the Clair database.</li>
<li><code>password</code>: Password for the account you set in <code>username</code>.</li>
<li><code>ssl_mode</code>: Enable SSL mode.</li>
</ul> </td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>notary_signer</code></td>
<td valign="top">Configure an external database for the Notary signer database
<ul>
<li><code>host</code>: Hostname of the Notary signer database</li>
<li><code>port</code>: Database port.</li>
<li><code>db_name</code>: Database name.</li>
<li><code>username</code>: Username to connect to the Notary signer database.</li>
<li><code>password</code>: Password for the account you set in <code>username</code>.</li>
<li><code>ssl_mode</code>: Enable SSL mode.</li>
</ul> </td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>notary_server</code></td>
<td valign="top"><ul>
<li><code>host</code>: Hostname of the Notary server database.</li>
<li><code>port</code>: Database port.</li>
<li><code>db_name</code>: Database name.</li>
<li><code>username</code>: Username to connect to the Notary server database.</li>
<li><code>password</code>: Password for the account you set in <code>username</code>.</li>
<li><code>ssl_mode</code>: Enable SSL mode.e</li>
</ul> </td>
</tr>
<tr>
<td valign="top"><code>external_redis</code></td>
<td valign="top">&nbsp;</td>
<td valign="top">Configure an external Redis instance.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>host</code></td>
<td valign="top">Hostname of the external Redis instance.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>port</code></td>
<td valign="top">Redis instance port.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>password</code></td>
<td valign="top">Password to connect to the external Redis instance.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>registry_db_index</code></td>
<td valign="top">Database index for Harbor registry.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>jobservice_db_index</code></td>
<td valign="top">Database index for jobservice.</td>
</tr>
<tr>
<td valign="top">&nbsp;</td>
<td valign="top"><code>chartmuseum_db_index</code></td>
<td valign="top">Database index for Chart museum.</td>
</tr>
</table>
**NOTE**: The `harbor.yml` file includes options to configure a UAA CA certificate. This authentication mode is not recommended and is not documented.
<a id="backend"></a>
### Configuring a Storage Backend
By default Harbor uses local storage for the registry, but you can optionally configure the `storage_service` setting so that Harbor uses external storage. For information about how to configure the storage backend of a registry for different storage providers, see the [Registry Configuration Reference](https://docs.docker.com/registry/configuration/#storage) in the Docker documentation. For example, if you use Openstack Swift as your storage backend, the parameters might resemble the following:
``` yaml
storage_service:
ca_bundle:
swift:
username: admin
password: ADMIN_PASS
authurl: http://keystone_addr:35357/v3/auth
tenant: admin
domain: default
region: regionOne
container: docker_images"
redirect:
disable: false
```
## What to Do Next ##
To install Harbor, [Run the Installer Script](run_installer_script.md).
----------
[Back to table of contents](../../_index.md)

60
docs/harbor-doc-reorg/install_config/installation/demo_server.md
View File

@ -1,60 +0,0 @@
[Back to table of contents](../../_index.md)
----------
# Test Harbor with the Demo Server
The Harbor team has made available a demo Harbor instance that you can use to experiment with Harbor and test its functionalities.
When using the demo server, please take note of the conditions of use.
## Conditions of Use of the Demo Server ##
- The demo server is reserved for experimental use only, to allow you to test Harbor functionality.
- Do not upload sensitive images to the demo server.
- The demo server is not a production environment. The Harbor team is not responsible for any loss of data, functionality, or service that might result from its use.
- The demo server is cleaned and reset every two days.
- The demo server only allows you to test user functionalities. You cannot test administrator functionalities. To test administrator functionalities and advanced features, set up a Harbor instance.
- Do not push images >100MB to the demo server, as it has limited storage capacity.
If you encounter any problems while using the demo server, open an [issue on Github](https://github.com/goharbor/harbor/issues) or contact the Harbor team on [Slack](https://github.com/goharbor/harbor#community).
## Access the Demo Server ##
1. Go to [https://demo.goharbor.io](https://demo.goharbor.io).
1. Click **Sign up for an account**.
1. Create a user account by providing a username, your email address, your name, and a password.
1. Log in to the Harbor interface using the account you created.
1. Explore the default project, `library`.
1. Click **New Project** to create your own project.
For information about how to create a project, see [Create a Project](../../working_with_projects/create_projects.md).
1. Open a Docker client and log in to Harbor with the credentials that you created above.
```
docker login demo.goharbor.io
```
1. Create a very simple `Dockerfile` with the following contents.
```
FROM busybox:latest
```
1. Build an image from this Dockerfile and tag it.
```
docker build -t demo.goharbor.io/your-project/test-image .
```
1. Push the image to your project in Harbor.
```
docker push demo.goharbor.io/your-project/test-image
```
1. In the Harbor interface, go to **Projects** > *your_project* > **Repositories** to view the image repository that you pushed to your Harbor project.
## What to Do Next ##
See the [Harbor Installation Prerequisites](installation_prereqs.md).
----------
[Back to table of contents](../../_index.md)

55
docs/harbor-doc-reorg/install_config/installation/download_installer.md
View File

@ -1,55 +0,0 @@
[Back to table of contents](../../_index.md)
----------
# Download the Harbor Installer
You download the Harbor installers from the [official releases](https://github.com/goharbor/harbor/releases) page. Download either the online installer or the offline installer.
- **Online installer:** The online installer downloads the Harbor images from Docker hub. For this reason, the installer is very small in size.
- **Offline installer:** Use the offline installer if the host to which are are deploying Harbor does not have a connection to the Internet. The offline installer contains pre-built images, so it is larger than the online installer.
The installation processes are almost the same for both the online and offline installers.
## Download and Unpack the Installer
1. Go to the [Harbor releases page](https://github.com/goharbor/harbor/releases).
1. Download either the online or offline installer for the version you want to install.
1. Optionally download the corresponding `*.asc` file to verify that the package is genuine.
The `*.asc` file is an OpenPGP key file. Perform the following steps to verify that the downloaded bundle is genuine.
1. Obtain the public key for the `*.asc` file.
<pre>gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys 644FF454C0B4115C</pre>
You should see the message ` public key "Harbor-sign (The key for signing Harbor build) <jiangd@vmware.com>" imported`
1. Verify that the package is genuine by running one of the following commands.
- Online installer: <pre>gpg -v --keyserver hkps://keyserver.ubuntu.com --verify harbor-online-installer-<i>version</i>.tgz.asc</pre>
- Offline installer: <pre>gpg -v --keyserver hkps://keyserver.ubuntu.com --verify harbor-offline-installer-<i>version</i>.tgz.asc</pre>
The `gpg` command verifies that the signature of the bundle matches that of the `*.asc` key file. You should see confirmation that the signature is correct.
<pre>
gpg: armor header: Version: GnuPG v1
gpg: assuming signed data in 'harbor-offline-installer-v1.10.0-rc2.tgz'
gpg: Signature made Fri, Dec 6, 2019 5:04:17 AM WEST
gpg: using RSA key 644FF454C0B4115C
gpg: using pgp trust model
gpg: Good signature from "Harbor-sign (The key for signing Harbor build) &lt;jiangd@vmware.com&gt; [unknown]
</pre>
1. Use `tar` to extract the installer package:
- Online installer:<pre>bash $ tar xvf harbor-online-installer-<em>version</em>.tgz</pre>
- Offline installer:<pre>bash $ tar xvf harbor-offline-installer-<em>version</em>.tgz</pre>
## Next Steps
- To secure the connections to Harbor, see [Configure HTTPS Access to Harbor](configure_https.md).
- To configure your Harbor installation, see [Configure the Harbor YML File](configure_yml_file.md).
----------
[Back to table of contents](../../_index.md)

58
docs/harbor-doc-reorg/install_config/installation/harbor_compatibility_list.md
View File

@ -1,58 +0,0 @@
[Back to table of contents](../../_index.md)
----------
# Harbor Compatibility List
This document provides compatibility information for all Harbor components.
## Replication Adapters
| | Registries | Pull Mode | Push Mode | Introduced in Release | Automated Pipeline Covered |
|-----|------------------|-----------|-----------|-----------------------|---------------------------|
| [Harbor](https://goharbor.io/)| ![Harbor](../../img/replication_adapters/harbor_logo.png)|![Y](../../img/replication_adapters/right.png)|![Y](../../img/replication_adapters/right.png)| V1.8 | Y |
| [distribution](https://github.com/docker/distribution) | ![distribution](../../img/replication_adapters/distribution.png)|![Y](../../img/replication_adapters/right.png)|![Y](../../img/replication_adapters/right.png)| V1.8 | Y |
| [docker hub](https://hub.docker.com/) | ![docker hub](../../img/replication_adapters/docker_hub.png)|![Y](../../img/replication_adapters/right.png)|![Y](../../img/replication_adapters/right.png)| V1.8 | Y |
| [Huawei SWR](https://www.huaweicloud.com/en-us/product/swr.html) | ![Huawei SWR](../../img/replication_adapters/hw.png)|![Y](../../img/replication_adapters/right.png)|![Y](../../img/replication_adapters/right.png)| V1.8 | N |
| [GCR](https://cloud.google.com/container-registry/) | ![GCR](../../img/replication_adapters/gcr.png)|![Y](../../img/replication_adapters/right.png)|![Y](../../img/replication_adapters/right.png)| V1.9 | Y |
| [ECR](https://aws.amazon.com/ecr/) | ![ECR](../../img/replication_adapters/ecr.png)|![Y](../../img/replication_adapters/right.png)|![Y](../../img/replication_adapters/right.png)| V1.9 | Y |
| [ACR](https://azure.microsoft.com/en-us/services/container-registry/) | ![ACR](../../img/replication_adapters/acr.png)|![Y](../../img/replication_adapters/right.png)|![Y](../../img/replication_adapters/right.png)| V1.9 | N |
| [AliCR](https://www.alibabacloud.com/product/container-registry) | ![AliCR](../../img/replication_adapters/ali-cr.png)|![Y](../../img/replication_adapters/right.png)|![Y](../../img/replication_adapters/right.png)| V1.9 | N |
| [Helm Hub](https://hub.helm.sh/) | ![Helm Hub](../../img/replication_adapters/helm-hub.png)|![Y](../../img/replication_adapters/right.png)| N/A | V1.9 | N |
| [Artifactory](https://jfrog.com/artifactory/) | ![Artifactory](../../img/replication_adapters/artifactory.png)|![Y](../../img/replication_adapters/right.png)| ![Y](../../img/replication_adapters/right.png) | V1.10 | N |
| [Quay](https://github.com/quay/quay) | ![Quay](../../img/replication_adapters/quay.png)|![Y](../../img/replication_adapters/right.png)| ![Y](../../img/replication_adapters/right.png) | V1.10 | N |
| [GitLab Registry](https://docs.gitlab.com/ee/user/packages/container_registry/) | ![GitLab Registry](../../img/replication_adapters/gitlab.png)|![Y](../../img/replication_adapters/right.png)| ![Y](../../img/replication_adapters/right.png) | V1.10 | N |
**Notes**:
* `Pull` mode replicates artifacts from the specified source registries into Harbor.
* `Push` mode replicates artifacts from Harbor to the specified target registries.
## OIDC Adapters
| | OIDC Providers | Officially Verified | End User Verified | Verified in Release |
|---|-----------------|---------------------|---------------------|-----------------------|
| [Google Identity](https://developers.google.com/identity/protocols/OpenIDConnect) | ![google identity](../../img/OIDC/google_identity.png)| ![Y](../../img/replication_adapters/right.png) | |V1.9|
| [Dex](https://github.com/dexidp/dex) | ![dex](../../img/OIDC/dex.png) | ![Y](../../img/replication_adapters/right.png)| | V1.9 |
| [Ping Identity](https://www.pingidentity.com) | ![ping identity](../../img/OIDC/ping.png) | | ![Y](../../img/replication_adapters/right.png)| V1.9 |
| [Keycloak](https://www.keycloak.org/) | ![Keycloak](../../img/OIDC/keycloak.png) | ![Y](../../img/replication_adapters/right.png) | | V1.10 |
| [Auth0](https://auth0.com/) | ![Auth0](../../img/OIDC/auth0.png) | ![Y](../../img/replication_adapters/right.png) | | V1.10 |
## Scanner Adapters
| | Scanners | Providers | Evaluated | As Default | Onboard in Release |
|---|----------|-----------|-----------|------------|--------------------|
| [Clair](https://github.com/goharbor/harbor-scanner-clair) |![Clair](../../img/scanners/clair.png)| CentOS |![Y](../../img/replication_adapters/right.png)|![Y](../../img/replication_adapters/right.png)| v1.10 |
| [Anchore](https://github.com/anchore/harbor-scanner-adapter) |![Anchore](../../img/scanners/anchore.png) | Anchore |![Y](../../img/replication_adapters/right.png)| N | v1.10 |
| [Trivy](https://github.com/aquasecurity/harbor-scanner-trivy)|![Trivy](../../img/scanners/trivy.png)| Aqua |![Y](../../img/replication_adapters/right.png)| N | v1.10 |
| [CSP](https://github.com/aquasecurity/harbor-scanner-aqua) |![Aqua](../../img/scanners/aqua.png)| Aqua | N | N | v1.10 |
| [DoSec](https://github.com/dosec-cn/harbor-scanner/blob/master/README_en.md)|![DoSec](../../img/scanners/dosec.png) | DoSec | N | N | v1.10 |
**Notes:**
* `Evaluated` means that the scanner implementation has been officially tested and verified.
* `As Default` means that the scanner is provided as a default option and can be deployed together with the main Harbor components by providing extra options during installation. You must install other scanners manually.
----------
[Back to table of contents](../../_index.md)

45
docs/harbor-doc-reorg/install_config/installation/installation_prereqs.md
View File

@ -1,45 +0,0 @@
[Back to table of contents](../../_index.md)
----------
# Harbor Installation Prerequisites
Harbor is deployed as several Docker containers. You can therefore deploy it on any Linux distribution that supports Docker. The target host requires Docker, and Docker Compose to be installed.
### Hardware
The following table lists the minimum and recommended hardware configurations for deploying Harbor.
|Resource|Minimum|Recommended|
|---|---|---|
|CPU|2 CPU|4 CPU|
|Mem|4 GB|8 GB|
|Disk|40 GB|160 GB|
### Software
The following table lists the software versions that must be installed on the target host.
|Software|Version|Description|
|---|---|---|
|Docker engine|Version 17.06.0-ce+ or higher|For installation instructions, see [Docker Engine documentation](https://docs.docker.com/engine/installation/)|
|Docker Compose|Version 1.18.0 or higher|For installation instructions, see [Docker Compose documentation](https://docs.docker.com/compose/install/)|
|Openssl|Latest is preferred|Used to generate certificate and keys for Harbor|
### Network ports
Harbor requires that the following ports be open on the target host.
|Port|Protocol|Description|
|---|---|---|
|443|HTTPS|Harbor portal and core API accept HTTPS requests on this port. You can change this port in the configuration file.|
|4443|HTTPS|Connections to the Docker Content Trust service for Harbor. Only required if Notary is enabled. You can change this port in the configuration file.|
|80|HTTP|Harbor portal and core API accept HTTP requests on this port. You can change this port in the configuration file.|
## What to Do Next ##
[Download the Harbor Installer](download_installer.md).
----------
[Back to table of contents](../../_index.md)

114
docs/harbor-doc-reorg/install_config/installation/run_installer_script.md
View File

@ -1,114 +0,0 @@
[Back to table of contents](../../_index.md)
----------
# Run the Installer Script
Once you have configured `harbor.yml` and optionally set up a storage backend, you install and start Harbor by using the `install.sh` script. Note that it might take some time for the online installer to download all of the Harbor images from Docker hub.
You can install Harbor in different configurations:
- Just Harbor, without Notary, Clair, or Chart Repository Service
- Harbor with Notary
- Harbor with Clair
- Harbor with Chart Repository Service
- Harbor with two or all three of Notary, Clair, and Chart Repository Service
## Default installation without Notary, Clair, or Chart Repository Service
The default Harbor installation does not include Notary or Clair service. Run the following command
```
sudo ./install.sh
```
If the installation succeeds, you can open a browser to visit the Harbor interface at `http://reg.yourdomain.com`, changing `reg.yourdomain.com` to the hostname that you configured in `harbor.yml`. If you did not change them in `harbor.yml`, the default administrator username and password are `admin` and `Harbor12345`.
Log in to the admin portal and create a new project, for example, `myproject`. You can then use Docker commands to log in to Harbor, tag images, and push them to Harbor.
```
docker login reg.yourdomain.com
```
```
docker push reg.yourdomain.com/myproject/myrepo:mytag
```
**IMPORTANT:**
- If your installation of Harbor uses HTTPS, you must provide the Harbor certificates to the Docker client. For information, see [Configure HTTPS Access to Harbor](configure_https.md#provide-the-certificates-to-harbor-and-docker).
- If your installation of Harbor uses HTTP, you must add the option `--insecure-registry` to your client's Docker daemon and restart the Docker service. For more information, see [Connecting to Harbor via HTTP](#connect_http) below.
## Installation with Notary
To install Harbor with the Notary service, add the `--with-notary` parameter when you run `install.sh`:
```
sudo ./install.sh --with-notary
```
**NOTE**: For installation with Notary, you must configure Harbor to use HTTPS.
For more information about Notary and Docker Content Trust, see [Content Trust](https://docs.docker.com/engine/security/trust/content_trust/) in the Docker documentation.
## Installation with Clair
To install Harbor with Clair service, add the `--with-clair` parameter when you run `install.sh`:
```
sudo ./install.sh --with-clair
```
For more information about Clair, see the [Clair documentation](https://coreos.com/clair/docs/2.0.1/).
By default, Harbor limits the CPU usage of the Clair container to 150000 to avoid it using up all CPU resources. This is defined in the `docker-compose.clair.yml` file. You can modify this file based on your hardware configuration.
## Installation with Chart Repository Service
To install Harbor with chart repository service, add the `--with-chartmuseum` parameter when you run `install.sh`:
```
sudo ./install.sh --with-chartmuseum
```
## Installation with Notary, Clair, and Chart Repository Service
If you want to install all three of Notary, Clair and chart repository service, specify all of the parameters in the same command:
```
sudo ./install.sh --with-notary --with-clair --with-chartmuseum
```
<a id="connect_http"></a>
## Connecting to Harbor via HTTP
**IMPORTANT:** If your installation of Harbor uses HTTP rather than HTTPS, you must add the option `--insecure-registry` to your client's Docker daemon. By default, the daemon file is located at `/etc/docker/daemon.json`.
For example, add the following to your `daemon.json` file:
<pre>
{
"insecure-registries" : ["<i>myregistrydomain.com</i>:5000", "0.0.0.0"]
}
</pre>
After you update `daemon.json`, you must restart both Docker Engine and Harbor.
1. Restart Docker Engine.
`systemctl restart docker`
1. Stop Harbor.
`docker-compose down -v`
1. Restart Harbor.
`docker-compose up -d`
## What to Do Next ##
- If the installation succeeds, continue to set up Harbor by following the instructions in [Post-Installation Configuration](../configuration/_index.md) and [Initial Configuration in the Harbor UI](../configuration/initial_config_ui.md).
- If you deployed Harbor with HTTP and you want to secure the connections to Harbor, see [Configure HTTPS Access to Harbor](configure_https.md).
- If installation fails, see [Troubleshooting Harbor Installation
](troubleshoot_installation.md).
----------
[Back to table of contents](../../_index.md)

72
docs/harbor-doc-reorg/install_config/installation/troubleshoot_installation.md
View File

@ -1,72 +0,0 @@
[Back to table of contents](../../_index.md)
----------
# Troubleshooting Harbor Installation
The following sections help you to solve problems when installing Harbor.
## Access Harbor Logs
By default, registry data is persisted in the host's `/data/` directory. This data remains unchanged even when Harbor's containers are removed and/or recreated, you can edit the `data_volume` in `harbor.yml` file to change this directory.
In addition, Harbor uses `rsyslog` to collect the logs of each container. By default, these log files are stored in the directory `/var/log/harbor/` on the target host for troubleshooting, also you can change the log directory in `harbor.yml`.
## Harbor Does Not Start or Functions Incorrectly
If Harbor does not start or functions incorrectly, run the following command to check whether all of Harbor's containers are in the `Up` state.
```
sudo docker-compose ps
Name Command State Ports
-----------------------------------------------------------------------------------------------------------------------------
harbor-core /harbor/start.sh Up
harbor-db /entrypoint.sh postgres Up 5432/tcp
harbor-jobservice /harbor/start.sh Up
harbor-log /bin/sh -c /usr/local/bin/ ... Up 127.0.0.1:1514->10514/tcp
harbor-portal nginx -g daemon off; Up 80/tcp
nginx nginx -g daemon off; Up 0.0.0.0:443->443/tcp, 0.0.0.0:4443->4443/tcp, 0.0.0.0:80->80/tcp
redis docker-entrypoint.sh redis ... Up 6379/tcp
registry /entrypoint.sh /etc/regist ... Up 5000/tcp
registryctl /harbor/start.sh Up
```
If a container is not in the `Up` state, check the log file for that container in `/var/log/harbor`. For example, if the `harbor-core` container is not running, look at the `core.log` log file.
## Using `nginx` or Load Balancing
If Harbor is running behind an `nginx` proxy or elastic load balancing, open the file `common/config/nginx/nginx.conf` and search for the following line.
```
proxy_set_header X-Forwarded-Proto $scheme;
```
If the proxy already has similar settings, remove it from the sections `location /`, `location /v2/` and `location /service/` and redeploy Harbor. For instructions about how to redeploy Harbor, see [Reconfigure Harbor and Manage the Harbor Lifecycle](../configuration/reconfigure_manage_lifecycle.md).
<a id="https"></a>
## Troubleshoot HTTPS Connections
If you use an intermediate certificate from a certificate issuer, merge the intermediate certificate with your own certificate to create a certificate bundle. Run the following command.
```
cat intermediate-certificate.pem >> yourdomain.com.crt
```
When the Docker daemon runs on certain operating systems, you might need to trust the certificate at the OS level. For example, run the following commands.
- Ubuntu:
```
cp yourdomain.com.crt /usr/local/share/ca-certificates/yourdomain.com.crt
update-ca-certificates
```
- Red Hat (CentOS etc):
```
cp yourdomain.com.crt /etc/pki/ca-trust/source/anchors/yourdomain.com.crt
update-ca-trust
```
----------
[Back to table of contents](../../_index.md)

34
docs/harbor-doc-reorg/working_with_projects/pulling_pushing_images.md
View File

@ -1,3 +1,7 @@
[Back to table of contents](../_index.md)
----------
# Pulling and Pushing Images in the Docker Client
**NOTE**: Harbor only supports the Registry V2 API. You must use Docker client 1.6.0 or higher.
@ -91,3 +95,33 @@ Kubernetes users can easily deploy pods with images stored in Harbor. The setti
1. When your Harbor instance is hosting http and the certificate is self signed. You need to modify daemon.json on each work node of your cluster, for details please refer to: https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry
2. If your pod references an image under private project, you need to create a secret with the credentials of user who has permission to pull image from this project, for details refer to: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Configure Notary Content Trust
In harbor.yml, make sure https is enabled, and the attributes `ssl_cert` and `ssl_cert_key` are pointed to valid certificates. For more information about generating https certificate please refer to: [Configuring HTTPS for Harbor](configure_https.md)
### Copy Root Certificate
Suppose the Harbor instance is hosted on a machine `192.168.0.5`
If you are using a self-signed certificate, make sure to copy the CA root cert to `/etc/docker/certs.d/192.168.0.5/` and `~/.docker/tls/192.168.0.5:4443/`
### Enable Docker Content Trust
It can be done via setting environment variables:
```
export DOCKER_CONTENT_TRUST=1
export DOCKER_CONTENT_TRUST_SERVER=https://192.168.0.5:4443
```
### Set alias for notary (optional)
Because by default the local directory for storing meta files for notary client is different from docker client. If you want to use notary client to manipulate the keys/meta files generated by Docker Content Trust, please set the alias to reduce the effort:
```
alias notary="notary -s https://192.168.0.5:4443 -d ~/.docker/trust --tlscacert /etc/docker/certs.d/192.168.0.5/ca.crt"
```
----------
[Back to table of contents](../_index.md)