Harbor Introduction and Practical Implementation
Harbor is an enterprise‑grade Docker image registry that adds role‑based access control, policy‑driven replication, vulnerability scanning, LDAP/AD authentication, garbage collection, Notary signing, a web UI and RESTful API, and supports HA deployments, automated cleanup, OA integration, and flexible CI/CD workflows for secure, scalable image management.
With the emergence of container technologies such as Docker, traditional delivery methods have been transformed. By packaging applications and their runtime environments into Docker images, the gap between development and production environments is eliminated, greatly improving delivery efficiency.
Harbor is an enterprise‑grade Docker image registry that provides a secure, scalable solution for storing and distributing Docker images. Built on top of the open‑source Docker Distribution project, Harbor adds features required by enterprises, such as image replication, vulnerability scanning, role‑based access control, LDAP/AD integration, garbage collection, Notary support, a graphical portal, auditing, RESTful APIs, and easy deployment options.
Key Features
Role-based access control: Users and repositories are organized into projects, and a role (Guest, Developer, or Admin) can be assigned to each user per project.
Policy-based image replication: Images can be replicated between multiple registry instances with automatic retry, supporting load balancing, high availability, multi-datacenter, hybrid-cloud and multi-cloud scenarios.
Vulnerability Scanning: Harbor regularly scans images and warns users of known vulnerabilities.
LDAP/AD support: Integration with existing enterprise LDAP/AD for authentication and user management.
Image deletion & garbage collection: Unused images can be removed and storage reclaimed.
Notary: Ensures image authenticity.
Graphical user portal: Users can browse, search repositories and manage projects via a web UI.
Auditing: All repository operations are tracked.
RESTful API: Provides APIs for most administrative operations, facilitating integration with external systems.
Easy deployment: Both online and offline installers are available.
Harbor’s architecture consists of multiple optional components. For example, the vulnerability scanning module can be omitted if an organization uses alternative scanning tools.
The latest version (v1.2) architecture diagram is shown in the article (image omitted).
Docker Image Permission Management
In an enterprise, different roles (e.g., testers, developers, project managers) require different image permissions. Harbor implements project‑based permission control with roles such as Guest (read‑only), Developer (read/write), and Admin (project manager with additional privileges).
Reference Process for Docker Image Management
Images can be stored in a single Harbor instance or split across multiple instances for development, testing, and production. The article provides a reference workflow diagram (image omitted).
A production image typically goes through four stages:
1) After code is committed, the CI system builds the image and pushes it to the Dev Registry.
2) After developer self-testing, the image is pushed to the Test Registry.
3) After QA testing, the image is pushed to the Staging Registry.
4) After approval, the image is pushed to the Product Registry.
Docker Image Remote Replication
Harbor supports policy‑based image replication across multiple instances, with error retry and incremental sync capabilities. This feature currently only replicates images, not users or replication rules.
High‑Availability Load Balancing Solution
The default Harbor installer provides a single-node deployment, which is unsuitable for production because it is a single point of failure. A high-availability design can be built from image replication combined with Keepalived and HAProxy for traffic load balancing. Two Harbor instances share one MySQL database (provided by the DBA team, with its own HA solution). Replication rules must avoid self-replication: a simple code check can skip a replication job when the target instance is the source.
Automated Image Deletion
Harbor stores images on local disks, which can run out of space as images accumulate. Automated cleanup can be achieved with a cron job that calls Harbor’s RESTful API. The typical steps are:
Retrieve all projects and their IDs.
List repositories for each project.
List tags for each repository and count them.
If the tag count exceeds a threshold, sort the tags by age and delete the oldest ones (note: deleting a tag removes only the tag reference, not the underlying image data).
Then reclaim the disk space by stopping Harbor and running the registry's garbage collection with the following commands:
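Steps 3 and 4 of this procedure as working code, added here as an example rather than taken from the article: tagsToDelete keeps the newest tags by creation time and returns the rest, and deleteTag issues the removal through the API. The /api/repositories/{repo}/tags/{tag} path, the name and created JSON fields and the admin credential placeholder are assumptions about the Harbor v1.x API, not values from the article; the project and repository walk of steps 1 and 2 is left out.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"time"
)

// Tag holds the Harbor tag fields pruning needs; the JSON names are assumed v1.x API names.
type Tag struct {
	Name    string    `json:"name"`
	Created time.Time `json:"created"`
}

// tagsToDelete keeps the `keep` newest tags by creation time and returns the names of the
// rest, oldest first, so that an interrupted run has still removed the oldest ones.
func tagsToDelete(tags []Tag, keep int) []string {
	sorted := append([]Tag(nil), tags...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Created.Before(sorted[j].Created) })
	var names []string
	for i := 0; i < len(sorted)-keep; i++ {
		names = append(names, sorted[i].Name)
	}
	return names
}

// deleteTag removes one tag through the assumed v1.x endpoint. As the article notes, this
// only drops the tag reference; the layers stay on disk until registry garbage collection.
func deleteTag(client *http.Client, base, repo, tag string) error {
	req, err := http.NewRequest(http.MethodDelete, base+"/api/repositories/"+repo+"/tags/"+tag, nil)
	if err != nil {
		return err
	}
	req.SetBasicAuth("admin", "REPLACE_WITH_PASSWORD") // placeholder credentials, not from the article
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("delete %s:%s returned HTTP %d", repo, tag, resp.StatusCode)
	}
	return nil
}
```

Print the list from tagsToDelete first as a dry run; only then feed it to deleteTag, and follow with the garbage-collection step, since tag deletion alone frees no disk space.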
docker-compose stop
docker run -it --name gc --rm --volumes-from registry vmware/registry:2.6.1-photon garbage-collect /etc/registry/config.yml
docker-compose start
Integration with Company OA System
Harbor’s native login requires each user to register, which is inconvenient for enterprise users. By integrating with the company’s OA system, users can log in with their existing credentials. Harbor is written in Go and uses the Beego web framework, whose filter mechanism allows a custom authentication filter to be inserted before routing.
Key integration steps:
beego.InsertFilter("/*", beego.BeforeRouter, PageFilter) // implement PageFilter to handle OA authentication
Summary and Outlook
Harbor has an active open‑source community and is widely adopted by enterprises. While the official project does not provide a definitive high‑availability deployment guide, users can design solutions that fit their environments, such as the one described above. Future work may include deeper CI/CD integration, using distributed storage (e.g., Ceph) as the backend, and other enhancements.
vivo Internet Technology