• 《区块链技术指南》、《软件定义存储》作者之一 亨利笔记 《区块链技术指南》 《软件定义存储》 Introducing Project Harbor • An open source enterprise-class registry server. (launched Mar 2016) • Initiated by VMware China • Apache 2 license • Harbor : Enterprise-Class Private Registry Why does one need a private registry? • Efficiency • LAN vs WAN • Security • Intellectual property stays in organization • Access Control 13 Enterprise Oriented (Docker Distribution) Docker Client Revers e Proxy (Nginx) API Harbor Browser Auth UI DB (MySQL) AD / LDAP Admin Server Log Collector (rsyslog) Replication Service 15

Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry Project Harbor • An open source enterprise-class registry server. • Initiated by VMware deletion) Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry Consistency of Container Images • Container

2018 goharbor.io Initiated by VMware China, maintained by whole community Integrated into enterprise products: VIC and PKS GitHub Repo: https://github.com/go harbor/harbor/ Apache 2.0 license

SSD 网络 1 * GE(板载) 软件平台 软件名称 版本号 安装方法 备注 CentOS 7.6 https://support.huawei.co m/enterprise/zh/doc/EDO C1100088654/3e971c8d 本文档安装过程选择的环境为 “Server with GUI”，并附加了 “Development Tools”。 Docker-ce

details • Based on CephFS • External MySQL cluster • Share sessions in Redis Environment & Prerequisites • 三台VM(Ubuntu 16.04及以上版本)； • CephFS、MySQL、Redis已就绪； • Harbor v1.1.0及以上版本； • 一个域名：hub docker-compose.yml 1. 修改volumes路径 /data/xxx -> /mnt/cephfs/harbor/data/xxx 2. 删除mysql service以及其他 service对mysql service的依赖 (depends_on) 3. 修改对proxy外服务端口 ports: - 8070:80 Harbor.cfg Step4: external db & redis • common/templates/adminserver/env MYSQL_HOST=harbor_host MYSQL_PORT=3306 MYSQL_USR=harbor MYSQL_PWD=harbor_password RESET=true • common/templates/ui/env _RE

hostname：目标的主机名或者完全限定域名 ：目标的主机名或者完全限定域名 ui_url_protocol： ：http或 或https。默认为 。默认为http db_password：用于 ：用于db_auth的 的MySQL数据库的根密码。更改此密码进行任何生产用途 数据库的根密码。更改此密码进行任何生产用途 max_job_workers：（默认值为 ：（默认值为3）作业服务中的复制工作人员的最大数量。对于每个映像复制作业， 镜像构成的容器实例。 镜像构成的容器实例。 UI：即架构中的 ：即架构中的 core services， ， 构成此容器的代码是 构成此容器的代码是 Harbor 项目的主体。 项目的主体。 MySQL：由官方 ：由官方 MySQL 镜像构成的数据库容器。 镜像构成的数据库容器。 Log：运行着 ：运行着 rsyslogd 的容器，通过 的容器，通过 log-driver 的形式收集其他容器的日志 的形式收集其他容器的日志

Consistency 4 Image Security 5 Image Distribution 6 Registry Robustness / High Availability 4 Agenda 1 Containers 101 2 Introduction to Harbor 3 Image Consistency 4 Image Security 5 Image Distribution Containers and Images Agenda 1 Containers 101 2 Introduction to Harbor 3 Image Consistency 4 Image Security 5 Image Distribution 6 Registry Robustness / High Availability 8 • Created by VMware in 2014 Multi-tenant content signing and validation − Identity integration and role-based access control − Security and vulnerability analysis − Image replication between instances − Internationalization (currently

image Image Management through Pipeline Distributions Multiple teams Multiple roles Availability Security Multiple Platforms goharbor.io � VMware �� ������, ������ �������� ���:VIC�PKS GitHub Repo: Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT OVERVIEW • HA Supporting • Helm Chart Repo • Deployments services Harbor Packaging Docker Kubernetes Cloud Foundry 12 Confidential � ©2018 VMware, Inc. SECURITY Isolation Access control Content Trust Vulnerability Scanning ���� NS �� ���� �� • ���������NS

image Image Management through Pipeline Distributions Multiple teams Multiple roles Availability Security Multiple Platforms goharbor.io � VMware �� ������, ������ �������� ���:VIC�PKS GitHub Repo: Isolation • Access Control • Vulnerability • Content Trust • Replication • Control Policy SECURITY DISTRIBUTION RELIABILITY DEPLOYMENT OVERVIEW • HA Supporting • Helm Chart Repo • Deployments services Harbor Packaging Docker Kubernetes Cloud Foundry 12 Confidential � ©2018 VMware, Inc. SECURITY Isolation Access control Content Trust Vulnerability Scanning ���� NS �� ���� �� • ���������NS

• 漏洞扫描是对镜像的文件做静态分析 (Clair) • 漏洞数据来源 - Debian Security Bug Tracker - Ubuntu CVE Tracker - Red Hat Security Data - Oracle Linux Security Data - Alpine SecDB 控制策略 21 • 设置自动扫描：上传即扫描 Infrastructure Kubernetes on BOSH (Kubo) BOSH NSX Analytics Automation Security Operations Monitoring GCP Service Broker etcd worker Logging vSAN vSphere