8ab45d439b
allow Harbor to run when dockerd is running with --selinux-enabled
example AVC denials:
type=AVC msg=audit(1488384855.681:154671): avc: denied { read } for pid=454 comm="registry" name="config.yml" dev="dm-8" ino=12583048 scontext=system_u:system_r:svirt_lxc_net_t:s0:c298,c958 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1488384855.681:154671): avc: denied { open } for pid=454 comm="registry" path="/etc/registry/config.yml" dev="dm-8" ino=12583048 scontext=system_u:system_r:svirt_lxc_net_t:s0:c298,c958 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1488384855.687:154672): avc: denied { append } for pid=350 comm=72733A6D61696E20513A526567 name="registry.log" dev="dm-5" ino=4315920 scontext=system_u:system_r:svirt_lxc_net_t:s0:c599,c800 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1488384856.895:154702): avc: denied { remove_name } for pid=708 comm="mysqld" name="4691d4d62464.lower-test" dev="dm-12" ino=402656159 scontext=system_u:system_r:svirt_lxc_net_t:s0:c149,c797 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1488384856.926:154703): avc: denied { lock } for pid=708 comm="mysqld" path="/var/lib/mysql/ibdata1" dev="dm-12" ino=402656097 scontext=system_u:system_r:svirt_lxc_net_t:s0:c149,c797 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1488384857.958:154736): avc: denied { open } for pid=924 comm="harbor_jobservi" path="/etc/jobservice/app.conf" dev="dm-8" ino=142 scontext=system_u:system_r:svirt_lxc_net_t:s0:c102,c158 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1488384858.089:154737): avc: denied { read } for pid=1017 comm="nginx" name="nginx.conf" dev="dm-8" ino=4194445 scontext=system_u:system_r:svirt_lxc_net_t:s0:c847,c996 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1488384858.089:154737): avc: denied { open } for pid=1017 comm="nginx" path="/etc/nginx/nginx.conf" dev="dm-8" ino=4194445 scontext=system_u:system_r:svirt_lxc_net_t:s0:c847,c996 tcontext=system_u:object_r:default_t:s0 tclass=file
|
||
|---|---|---|
| .github | ||
| contrib | ||
| docs | ||
| make | ||
| src | ||
| tests | ||
| tools | ||
| .gitignore | ||
| .travis.yml | ||
| AUTHORS | ||
| CHANGELOG.md | ||
| CONTRIBUTING.md | ||
| LICENSE | ||
| Makefile | ||
| NOTICE | ||
| partners.md | ||
| README.md | ||
| ROADMAP.md | ||
Harbor
Project Harbor is an enterprise-class registry server that stores and distributes Docker images. Harbor extends the open source Docker Distribution by adding the functionalities usually required by an enterprise, such as security, identity and management. As an enterprise private registry, Harbor offers better performance and security. Having a registry closer to the build and run environment improves the image transfer efficiency. Harbor supports the setup of multiple registries and has images replicated between them. In addition, Harbor offers advanced security features, such as user management, access control and activity auditing.
Features
- Role based access control: Users and repositories are organized via 'projects' and a user can have different permission for images under a project.
- Policy based image replication: Images can be replicated (synchronized) between multiple registry instances. Great for load balancing, high availability, multi-datacenter, hybrid and multi-cloud scenarios.
- LDAP/AD support: Harbor integrates with existing enterprise LDAP/AD for user authentication and management.
- Image deletion & garbage collection: Images can be deleted and their space can be recycled.
- Graphical user portal: User can easily browse, search repositories and manage projects.
- Auditing: All the operations to the repositories are tracked.
- RESTful API: RESTful APIs for most administrative operations, easy to integrate with external systems.
- Easy deployment: Provide both an online and offline installer. Besides, a virtual appliance for vSphere platform (OVA) is available.
Install & Run
System requirements:
On a Linux host: docker 1.10.0+ and docker-compose 1.6.0+ .
On vSphere: vCenter 5.5+ for deployment of Harbor's virtual appliance.
Download binaries of Harbor release and follow Installation & Configuration Guide to install Harbor.
Refer to User Guide for more details on how to use Harbor.
Community
Slack: Join Harbor's community here: VMware {code}, Channel: #harbor.
Email: harbor@ vmware.com .
WeChat Group: Add WeChat id connect1688 to join WeChat discussion group.
More info on partners and users.
Contribution
We welcome contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a pull request. For any questions about the CLA process, please refer to our FAQ. Contact us for any questions: harbor @vmware.com .
License
Harbor is available under the Apache 2 license.
This project uses open source components which have additional licensing terms. The official docker images and licensing terms for these open source components can be found at the following locations:
- Photon OS 1.0: docker image, license
- Docker Registry 2.5: docker image, license
- MySQL 5.6: docker image, license
- NGINX 1.11.5: docker image, license