Harbor Registry Using a Harbor registry, you can host container images in a local, private Docker registry. Harbor is an extension of the basic Docker registry that implements access controls, identity Kubernetes resources can connect to a Harbor Registry to retrieve container images on other systems. This chapter contains the following topic: • Using Harbor Registry in Tenant Clusters, on page 1 • Using in Tenant Clusters, on page 2 Using Harbor Registry in Tenant Clusters Follow these steps to create a new tenant cluster with access to the Harbor registry: Step 1 Obtain the Ingress Root CA Certificate

Project Harbor Introduction Open source trusted cloud native registry Henry Zhang, Chief Architect, VMware R&D China Steven Zou, Staff Engineer, VMware R&D China Nov. 2018 2 Confidential � ©2018 ©2018 VMware, Inc. TEST FVT STAG ING PROD DEV SVT Verify Registry Registry Registry Registry UT Build Commit Environment image image image image Image Management through Pipeline Distributions Multiple Chart�� Helm Chart�� ������������� Harbor�� API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd

Project Harbor Introduction Open source trusted cloud native registry Henry Zhang, Chief Architect, VMware R&D China Steven Zou, Staff Engineer, VMware R&D China Nov. 2018 2 Confidential � ©2018 ©2018 VMware, Inc. TEST FVT STAG ING PROD DEV SVT Verify Registry Registry Registry Registry UT Build Commit Environment image image image image Image Management through Pipeline Distributions Multiple Chart�� Helm Chart�� ������������� Harbor�� API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd

Harbor Deep Dive Open source trusted cloud native registry Henry Zhang, Chief Architect, VMware R&D China Steven Zou, Staff Engineer, VMware R&D China Nov. 2018 goharbor.io Initiated by VMware https://github.com/go harbor/harbor/ Apache 2.0 license An open source trusted cloud native registry project HARBOR More integrations in future Harbor Project History Harbor Community Harbor and chart Harbor Architecture API Routing API Routing Core Service (API/Auth/GUI) Image Registry Trusted Content Vulnerability Scanning Job Service Admin Service Harbor components 3rd

reserved. 采用开源Harbor Registry实现高效安全的容 器镜像运维 姜坦 VMware中国研发中心资深研发工程师 Runtime Package Cluster 开场 1 镜像运维 2 开源企业级镜像仓库-Harbor 3 集成Harbor 4 总结 议程 4 Registry 镜像 Images Push Push Pull • 镜像存储仓库 • 分发镜像的媒介 • 访问控制和镜像管理较佳节点 Registry – 镜像管理的重要部件 • 基础镜像 ubuntu:latest 可能在不同构建时间会有差别 • 即使 ubuntu:14.04 也可能会有改变（补丁不同） • apt-get (curl, wget..) 无法保证安装同样的软件包 • ADD 依赖构建时候的文件 定期更新漏洞数据库 安全考虑 镜像分发 9 • 容器镜像通常从registry分发 • 在大规模集群场景下，Registry 是镜像分发瓶颈 – I/O – 网络带宽 • 扩展 registry 服务 – 多实例 registry 共享存储 – 多实例 registry 不共享存储 1 镜像运维 2 开源企业级镜像仓库-Harbor

2017 VMware Inc. All rights reserved. ��Harbor�����Registry������ ����� ��� VMware���������� ���� • VMware�������������������� • Harbor�������Registry����� • Cloud Foundry������������� • ������� • High Availability of Registry Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry Lifecycle of Containers Stop Start Restart Run Commit Dockerfile Build tag tar archive Save Load Push Registry Images Pull Registry Images 6 Push Pull • Repository for storing images • Intermediary for shipping

1 Harbor James Zabala Maintainer Harbor Focus Harbor is a trusted cloud native registry that stores, signs, and scans content. The mission is to provide cloud native environments the ability to confidently Distribution 6 Registry Robustness / High Availability 4 Agenda 1 Containers 101 2 Introduction to Harbor 3 Image Consistency 4 Image Security 5 Image Distribution 6 Registry Robustness / High Run Commit Dockerfile Build tag tar archive Save Load Push Registry Images Pull Lifecycle of Containers and Images Registry Images 7 Push Pull • Repository for storing images • Intermediary

Harbor开源企业级容器Registry项目创始人 • Cloud Foundry中国社区最早技术布道师之一 • 多年全栈工程师 • 《区块链技术指南》、《软件定义存储》作者之一 亨利笔记 《区块链技术指南》 《软件定义存储》 Introducing Project Harbor • An open source enterprise-class registry server. (launched Build-Ship-Run Build-Ship-Run through Registry Cloud • Registry is a key component of devops Harbor : Enterprise-Class Private Registry Why does one need a private registry? • Efficiency • LAN vs WAN • integration • Lightweight and easy deployment 14 Project Harbor - Microservices Architecture Basic Registry (Docker Distribution) Docker Client Revers e Proxy (Nginx) API Harbor Browser Auth UI

VS. What is Docker Registry • Docker Registry : 官方镜像 存储、管理和分发工具 • 最新实现是distribution， 实现了registry2.0协议 • 官方仓库: hub.docker.com • 国内一般采用加速器 docker push 启动一个registry docker run -d -p 5000:5000 5000:5000 --restart=always --name registry registry:2 I am here! From Docker 2016 survey Private Registry • 便于集成到内部CI/CD系统中； • 对镜像更灵活全面地掌控； • 数据传输性能更好； • 出于安全考虑。 vs. Features of • VMware中国团队开源的企业级镜像仓库项目，聚焦镜 High Availability Harbor • 开发运维一体化流水线的 核心组件； • 单一Registry实例无法满足 企业内部大量节点上传和 下载的性能需求。 核心 Harbor Architecture • Proxy(Nginx) • Registry • Core Services – UI – Token Service – Webhook

com/vmware/harbor。其目 。其目 标是帮助用户迅速搭建一个企业级的 标是帮助用户迅速搭建一个企业级的Dockerregistry服务。它以 服务。它以Docker公司开源的 公司开源的registry为基础，提供了管理 为基础，提供了管理UI， ， 基于角色的访问控制 基于角色的访问控制(Role Based Access Control)， ，AD/LDAP集成、以及审计日志 集成、以及审计日志(Auditlogging) 要暴露 proxy （ （ 即 即 Nginx）的服务端口 ）的服务端口 Proxy：由 ：由Nginx 服务器构成的反向代理。 服务器构成的反向代理。 Registry：由 ：由Docker官方的开源 官方的开源 registry 镜像构成的容器实例。 镜像构成的容器实例。 UI：即架构中的 ：即架构中的 core services， ， 构成此容器的代码是 构成此容器的代码是 Harbor e安装 安装 g、 、Harbor 和 和 docker registry 关系： 关系：Harbor实质上是对 实质上是对 docker registry 做了封装，扩展了自己的业务模块 做了封装，扩展了自己的业务模块 3、 、Harbor 认证过程 认证过程 a、 、dockerdaemon从 从docker registry拉取镜像。 拉取镜像。 b、如果 、如果dockerregistry需要进行授权时，