Mastering Harbor: Install, Configure, and Scale a Secure Docker Registry

Harbor Overview

Harbor is an enterprise‑grade Docker image registry that extends the open‑source Docker Distribution with security, identity, and management features, offering better performance, access control, and audit capabilities while keeping images within a private network.

Key Features

Role‑Based Access Control : Organize users and images into projects with fine‑grained permissions.

Image Replication : Synchronize images across multiple registry instances, ideal for load‑balancing, high‑availability, hybrid‑cloud, and multi‑cloud scenarios.

Graphical User Interface : Manage projects, namespaces, and images through a web UI.

AD/LDAP Integration : Authenticate against existing corporate directories.

Audit Logging : Record all registry operations for compliance.

Internationalization : Supports English, Chinese, German, Japanese, Russian, with more languages planned.

RESTful API : Enables deeper automation and integration with other tools.

Easy Deployment : Provides online/offline installers and OVA for vSphere.

Harbor Architecture

Harbor consists of six main components:

Proxy : Front‑end reverse proxy that receives browser and Docker client requests and forwards them to backend services.

Registry : Stores Docker images and handles push/pull commands, enforcing token‑based access control.

Core Services : Includes UI, webhook, token service, database, job services, and log collector, providing management, event notification, authentication, data storage, image replication, and log aggregation.

The relationship among these components is illustrated below:

Installation and Configuration

1. Environment Preparation

CentOS Linux release 7.3.1611 (Core)</code><code>docker-ce-18.06.1</code><code>docker-compose version 1.21.2, build a133471</code><code>harbor-v1.8.0

2. Install Docker

# Use Alibaba Cloud mirror</code><code>wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo</code><code># Install Docker</code><code>yum -y install https://mirrors.aliyun.com/docker-ce/linux/centos/7/x86_64/stable/Packages/docker-ce-18.06.3.ce-3.el7.x86_64.rpm</code><code># Optional daemon configuration</code><code>cat > /etc/docker/daemon.json <<EOF</code><code>{</code><code>    "graph": "/data/docker",</code><code>    "exec-opts": ["native.cgroupdriver=cgroupfs"],</code><code>    "insecure-registries": ["http://192.168.101.11"]</code><code>}</code><code>EOF</code><code># Start Docker and enable on boot</code><code>systemctl start docker && systemctl enable docker

3. Install docker‑compose

curl -L https://mirrors.aliyun.com/docker-toolbox/linux/compose/1.21.2/docker-compose-Linux-x86_64 -o /usr/local/bin/docker-compose</code><code>chmod +x /usr/local/bin/docker-compose

4. Install Harbor

# Download installer</code><code>wget https://storage.googleapis.com/harbor-releases/release-1.8.0/harbor-offline-installer-v1.8.1.tgz</code><code># Extract and edit configuration</code><code>tar xf harbor-offline-installer-v1.8.1.tgz -C /usr/local</code><code>cd /usr/local/harbor</code><code># Edit harbor.yml on each node</code><code># node1</code><code>vim harbor.yml   # set hostname: 192.168.101.11</code><code># node2</code><code>vim harbor.yml   # set hostname: 192.168.101.12</code><code># Run installer</code><code>./install.sh</code><code># Verify success</code><code>✔ ----Harbor has been installed and started successfully.----

5. Start/Stop Services

# Start</code><code>docker-compose up -d</code><code># Stop</code><code>docker-compose down

Testing and Verification

Pull and push an image to verify the registry:

# docker pull centos:7.6.1810</code><code># docker tag centos:7.6.1810 192.168.101.11/open/centos:7.6.1810</code><code># docker push 192.168.101.11/open/centos:7.6.1810

Access the Harbor UI via the browser to confirm the image appears, then configure synchronization rules and verify replication across nodes using the screenshots below.

High Availability with Nginx

1. Install Nginx # yum -y install nginx 2. Configure Load Balancing

# cat /etc/nginx/conf.d/hub.huoban.com.conf</code><code>upstream huoban_hub {</code><code>    server 192.168.101.11:80 max_fails=3 fail_timeout=10s;</code><code>    server 192.168.101.12:80 max_fails=3 fail_timeout=10s;</code><code>    ip_hash;</code><code>}</code><code>server {</code><code>    listen 80;</code><code>    server_name hub.huoban.com;</code><code>    rewrite ^(.*)$ https://hub.huoban.com$1 permanent;</code><code>}</code><code>server {</code><code>    listen 443 ssl;</code><code>    server_name hub.huoban.com;</code><code>    server_tokens off;</code><code>    proxy_set_header X-Real-IP $remote_addr;</code><code>    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;</code><code>    location / {</code><code>        proxy_pass http://huoban_hub;</code><code>    }</code><code>    access_log /data/logs/nginx/${host}_access.log combined;</code><code>}

3. Test Access

4. Push/Pull Image Tests

# docker tag centos:7.6.1810 hub.huoban.com/open/centos:7.6.18101</code><code># docker push hub.huoban.com/open/centos:7.6.18101</code><code># docker login hub.huoban.com   # use admin credentials</code><code># docker push hub.huoban.com/open/centos:7.6.18101</code><code># docker pull hub.huoban.com/open/centos:7.6.18101

Repeat the steps on the second server to ensure HA functionality.