Setting up Harbor locally — and scanning an image

I decided to have a complete system, preferably migratable, on my PC at home. But everything has to run in a cramped 16G total system, so let's see what happens.

Let's run Harbor to store our custom images in. Why? Because we are going to run a complete CI/CD system on our cluster (without buying RAM, maybe).

So the harbor setup details are in this link:

We need docker and docker-compose.

yum update -y
yum install docker -y
sudo curl -L "<docker-compose-release-url>/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

It's asking us to open up some ports in the firewall. We probably did so before, but let's do it again anyway.

firewall-cmd --permanent --add-port=80/tcp --add-port=443/tcp --add-port=4443/tcp
sudo firewall-cmd --reload


Move to /opt/harbor_files (or wherever you want to install), then download and unpack the Harbor installer archive.

tar xvzf harbor-offline-installer-v2.1.5.tgz
cd /opt/harbor_files/harbor

So now we need the SSL keys. Harbor loves its SSL, so we are going to give it SSL, just self-signed. Normally you pay for these keys.

Let's modify the /etc/pki/tls/openssl.cnf file and add the part below with our server IP.


Then, typing the command below to generate our self-signed cert, we get asked a series of questions.

openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Answers I used

Next we generate the signing request as below, and it asks the same questions again with 2 extra ones. I left the pw blank.

openssl req -newkey rsa:4096 -nodes -sha256 -keyout <server-ip>.key -out <server-ip>.csr
Same answers again

Now we have to generate the cert with a conf file.

echo "subjectAltName = IP:<server-ip>" > extfile.cnf
openssl x509 -req -days 3650 -in <server-ip>.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out <server-ip>.crt

In the end, we should have ca.crt, ca.key and a file with our server IP.

Let's put the certificates where Docker can see them:

sudo mkdir -p /etc/docker/certs.d/
sudo cp *.crt *.key /etc/docker/certs.d/

Finally, create a copy of harbor.yml.tmpl as harbor.yml and modify the following parts. I removed the other fields I didn’t change.

hostname: <server-ip>
# http related config
http:
  port: 8080
https:
  port: 443
  certificate: /etc/docker/certs.d/
  private_key: /etc/docker/certs.d/
harbor_admin_password: some pass
database:
  password: your db pass

We start the installation with the command below. We will install Clair as well for vulnerability scanning.

./install.sh --with-clair

Access from a link like the one below

Let's try to push something to Harbor.

  • Create a project named local
  • Pull any image locally, for example with docker pull nginx
  • Tag and push to our repo
docker tag nginx:latest <server-ip>/local/nginx:latest
docker login <server-ip>
docker push <server-ip>/local/nginx:latest

We might get something like this:

Error response from daemon: Get x509: cannot validate certificate for because it doesn’t contain any IP SANs

In this case we open the docker config file in /etc/docker/daemon.json (create if it doesn’t exist) and just stuff the following in it.

{ "insecure-registries" : ["<server-ip>"] }

After this, run systemctl restart docker so the config takes effect. We can then retry our push.
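The x509 error above means the certificate Docker was shown carries no IP subjectAltName, so before turning verification off with insecure-registries it is worth checking the certificate itself. The script below is an added example, not part of the original post: it tests a certificate for the IP SAN and for a valid signature from ca.crt, using a throwaway CA and a constructed pair of certificates (one signed without extfile.cnf, one with it). The function names, the server.* file names and the address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). 192.0.2.10 is a documentation
# address standing in for the Harbor host; all file names are assumptions.

# has_ip_san CERT IP: succeeds if CERT lists IP in its subjectAltName.
has_ip_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' | grep -qxF "IP Address:$2"
}

# signed_by CERT CA: succeeds if CERT verifies against the CA certificate.
signed_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_registry_cert CERT CA IP: prints a verdict; succeeds only if Docker
# could validate CERT for a registry addressed as IP.
check_registry_cert() {
    signed_by "$1" "$2" || { echo "FAIL: $1 is not signed by $2"; return 1; }
    has_ip_san "$1" "$3" || { echo "FAIL: $1 has no IP SAN for $3"; return 1; }
    echo "OK: $1 is valid for $3"
}

# make_demo_certs DIR IP: constructed sample data. Builds a throwaway CA and
# signs one CSR twice: nosan.crt without an extfile, san.crt with the IP SAN.
# 2048-bit keys and 1-day validity keep the demo quick.
make_demo_certs() {
    dir=$1; ip=$2
    openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 1 \
        -subj "/CN=demo-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$ip" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    echo "subjectAltName = IP:$ip" > "$dir/extfile.cnf"
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/nosan.crt" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/extfile.cnf" \
        -out "$dir/san.crt" 2>/dev/null
}

# Demo: run as "sh check_cert.sh --demo".
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_certs "$tmp" 192.0.2.10
    check_registry_cert "$tmp/nosan.crt" "$tmp/ca.crt" 192.0.2.10
    check_registry_cert "$tmp/san.crt" "$tmp/ca.crt" 192.0.2.10
    rm -rf "$tmp"
fi
```

On the real host, call check_registry_cert with the server certificate, ca.crt and the server IP.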

Here it is

Since we also installed Clair, we can start a scan of the pushed image.

Click SCAN to start
All right then

Let's test from another VM. We need to add the daemon config again, but after we do, it works.


And that's that. Thanks for reading.

Notes: I tried running the yml as a stack in my swarm but some properties like clair and jobservice became a problem.


