How to Install and Use Harbor: A Step‑by‑Step Private Docker Registry Guide
This guide walks through preparing a CentOS 7.6 host, generating self‑signed certificates, installing Docker CE, configuring a Docker registry mirror, and downloading and installing Harbor, then demonstrates how to push, scan, sign, and pull images and troubleshoot common issues.
Overview
Harbor is an enterprise‑grade private Docker image registry that provides a management UI, image scanning, signing, replication, and audit logging, helping improve pull speed and meet security requirements.
1. Installation preparation
Target host details:
IP: 192.168.199.164
OS: CentOS 7.6
CPU: 4 cores
Memory: 6 GB
Hostname: xianchao.lucky.me
Set hostname and update /etc/hosts:
    hostnamectl set-hostname xianchao.lucky.me
    cat /etc/hosts
    192.168.199.164 xianchao.lucky.me
2. Generate self‑signed certificates for HTTPS
Create a directory for SSL files and generate a 3072‑bit CA key and certificate (valid 3 years):
    mkdir -p /data/ssl
    cd /data/ssl
    openssl genrsa -out ca.key 3072
    openssl req -new -x509 -days 1095 -key ca.key -out ca.pem
When prompted, use the following values (defaults can be left empty):
    Country Name (2 letter code) [XX]: CN
    State or Province Name []: BJ
    Locality Name []: BJ
    Organization Name []:
    Organizational Unit Name []:
    Common Name []: xianchao.lucky.me
    Email Address []:
Generate a certificate for the host name:
    openssl genrsa -out xianchao.lucky.me.key 3072
    openssl req -new -key xianchao.lucky.me.key -out xianchao.lucky.me.csr
    openssl x509 -req -in xianchao.lucky.me.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out xianchao.lucky.me.pem -days 1095
Verify the certificate:
    openssl x509 -noout -text -in xianchao.lucky.me.pem
Trust the self‑signed CA:
    cd /data/ssl
    cp ca.pem /etc/pki/ca-trust/source/anchors/
    update-ca-trust enable && update-ca-trust extract
3. Install Docker CE
Create installation directory and install Docker CE from Alibaba Cloud mirrors:
    mkdir /data/install
    cd /data/install
    yum install -y yum-utils device-mapper-persistent-data lvm2
    yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
Install and start Docker:
    yum install docker-ce -y
    systemctl start docker
    systemctl enable docker
    docker version
Configure Docker registry mirror (optional):
    cat /etc/docker/daemon.json
    {"registry-mirrors": ["http://6e9e5b27.m.daocloud.io"]}
    systemctl daemon-reload
    systemctl restart docker.service
4. Install Docker‑Compose
    yum install docker-compose -y
5. Install Harbor
Download the offline installer (v1.4.0) from the official GitHub releases or a domestic mirror:
    curl -LO 'https://storage.googleapis.com/harbor-releases/harbor-offline-installer-v1.5.4.tgz'
Extract the package:
    # The archive name must match the file downloaded above
    tar zxvf harbor-offline-installer-v1.4.0.tgz
    cd harbor
Edit harbor.cfg to match the generated certificates and hostname:
    hostname = xianchao.lucky.me
    ui_url_protocol = https
    ssl_cert = /data/ssl/xianchao.lucky.me.pem
    ssl_cert_key = /data/ssl/xianchao.lucky.me.key
Install Harbor with Notary and Clair (vulnerability scanning) enabled:
    ./install.sh --with-notary --with-clair
After successful installation you can access the UI at https://xianchao.lucky.me with default credentials admin / Harbor12345.
6. Using Harbor
Log in to the web UI and adjust system settings (e.g., restrict project creation to admins, disable auto‑registration).
Push an image:
    docker pull centos
    docker tag centos:latest xianchao.lucky.me/library/centos:v1
    docker login -u admin -p Harbor12345 xianchao.lucky.me
    docker push xianchao.lucky.me/library/centos:v1
After pushing, you can view the image in the library/centos project (screenshots omitted).
Scan the image for vulnerabilities (Clair) and enable content trust to enforce signed images. If a high‑severity vulnerability is found, Harbor can block pulling the image.
Example of a blocked pull due to a high‑severity vulnerability:
    Error response from daemon: unknown: The severity of vulnerability of the image: "high" is equal or higher than the threshold in project setting: "high".
To allow the pull, disable the “block high‑severity images” option in project settings, then retry the pull command.
7. Additional notes
The guide also shows how to remove an image, re‑push, and handle signing configuration.
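A note on the certificates from step 2: Docker clients built with Go 1.15 or later ignore the certificate Common Name and require a subjectAltName, which the step 2 commands do not set. The script below is an added example, not part of the original guide; it generates the same CA and host certificate non-interactively with a SAN and checks the result. The CA name "Harbor Lab CA", the file name san.ext and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): CA and host certificate
# generated non-interactively, with a subjectAltName on the host certificate.
set -eu

HOST="xianchao.lucky.me"   # hostname used throughout the guide
IP="192.168.199.164"       # host IP from the guide
DAYS=1095                  # same 3-year validity as the guide
CA_CN="Harbor Lab CA"      # assumption: a CA name distinct from the host name

# make_harbor_certs DIR: write ca.key, ca.pem, $HOST.key and $HOST.pem to DIR.
make_harbor_certs() (
  mkdir -p "$1" && cd "$1"
  openssl genrsa -out ca.key 3072
  openssl req -new -x509 -sha256 -days "$DAYS" -key ca.key -out ca.pem \
    -subj "/C=CN/ST=BJ/L=BJ/CN=$CA_CN"
  openssl genrsa -out "$HOST.key" 3072
  openssl req -new -sha256 -key "$HOST.key" -out "$HOST.csr" \
    -subj "/C=CN/ST=BJ/L=BJ/CN=$HOST"
  # Leaf extensions: the SAN is what TLS clients match the registry name against.
  cat > san.ext <<EOF
subjectAltName = DNS:$HOST, IP:$IP
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl x509 -req -sha256 -days "$DAYS" -in "$HOST.csr" \
    -CA ca.pem -CAkey ca.key -CAcreateserial -out "$HOST.pem" -extfile san.ext
  chmod 600 ca.key "$HOST.key"   # private keys readable by the owner only
)

# check_harbor_cert DIR: succeed only if the host certificate chains to the CA,
# carries the SAN for $HOST, and matches the private key Harbor will load.
check_harbor_cert() (
  cd "$1" || exit 1
  openssl verify -CAfile ca.pem "$HOST.pem" 2>/dev/null | grep -q ': OK$' || exit 1
  openssl x509 -noout -text -in "$HOST.pem" | grep -qF "DNS:$HOST" || exit 1
  cert_pub=$(openssl x509 -noout -pubkey -in "$HOST.pem")
  key_pub=$(openssl pkey -pubout -in "$HOST.key")
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# Usage: sh harbor-certs.sh /data/ssl
if [ "$#" -ge 1 ]; then
  make_harbor_certs "$1"
  check_harbor_cert "$1" && echo "certificate OK for $HOST"
fi
```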
Images illustrating the UI and scan results are included below:
