Setting up Harbor locally — and scanning an image

I decided to have a complete system, preferably migrateable, in my pc at home. But everything has to run in a cramped 16G total system so lets see what happens.

Lets run a Harbor to stuff our custom images in. Why, because we are going to run a complete CI/CD system on our cluster (without buying ram,/ maybe).

So the harbor setup details are in this link: https://goharbor.io/docs/1.10/install-config/

We need docker and docker-compose.

yum update -y
yum install docker -y
sudo curl -L https://github.com/docker/compose/releases/download/1.29.1/docker-compose-uname -s-uname -m -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compos

Its asking to open up some ports in the firewall, we probably did so before but lets do it again anyway.

firewall-cmd --permanent --add-port=80/tcp --add-port=443/tcp --add-port=4443/tcp
sudo firewall-cmd --reload

NGINX?

Move to /opt/harbor_files (or wherever you want to install), pull and unpack the harbor file.

wget https://github.com/goharbor/harbor/releases/download/v2.1.5/harbor-offline-installer-v2.1.5.tgz
tar xvzf harbor-offline-installer-v2.1.5.tgz
cd /opt/harbor_files/harbor

So now we need the SSL keys. Harbor loves its SSL so we are going to give it SSL, just self signed. Normally you pay for these keys.

Lets modify /etc/pki/tls/openssl.cnf file and add below part with our server ip like below.

subjectAltName=192.168.56.109

Then typing below to generate our self signed cer we get asked a series of questions.

openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Answers I used

Next we generate the signing request as below and it asks same questions again with 2 extra ones. I left the pw blank

openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.56.109 -out 192.168.56.109
Same answers again

Now we have to generate the cert with a conf file.

echo "subjectAltName = IP:192.168.56.109" >extfile.cnf
openssl x509 -req -days 3650 -in 192.168.56.109 -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 192.168.56.109

In the end, we should have ca.crt, ca.key and a file with our server ip.

Lets put the certificates where docker can see them,

sudo mkdir -p /etc/docker/certs.d/192.168.56.109
sudo cp *.crt *.key /etc/docker/certs.d/192.168.56.109

Finally, create a copy of the harbor.yml.tmpl as harbor.yml and modify the following parts. I removed the other fields I didn’t change

hostname: 192.168.56.109# http related config
http:
port: 8080
...
https:
port: 443
certificate: /etc/docker/certs.d/192.168.56.109/ca.crt
private_key: /etc/docker/certs.d/192.168.56.109/ca.key
...
harbor_admin_password: some pass
database:
password: your db pass

We start installation with the below. We will install clair as well for vulnerability scanning.

./install.sh --with-clair

Access from a link like the one below

https://192.168.56.109/harbor

Lets try to push something to harbor

  • Create a project named local
  • Pull any image locally like with docker pull nginx
  • Tag and push to our repo
docker tag nginx:latest 192.168.56.109:443/local/nginxmod:latest
docker login 192.168.56.109:443
docker push 192.168.56.109:443/local/nginxmod:latest

We might get something like this:

Error response from daemon: Get https://192.168.56.109:443/v2/: x509: cannot validate certificate for 192.168.56.109 because it doesn’t contain any IP SANs

In this case we open the docker config file in /etc/docker/daemon.json (create if it doesn’t exist) and just stuff the following in it.

{ “insecure-registries” : [“192.168.56.109:443”] }

After this systemctl restart docker to see the config work. We can retry our push op then.

Here it is

Since we also installed clair, we can start a scan with the pushed image

Click SCAN to start
Allright then

Lets test from another vm. We need to add the daemon config again but after we do it works.

Noice

And thats that. Thanks for reading.

Notes: I tried running the yml as a stack in my swarm but some properties like clair and jobservice became a problem.

--

--

--

Let’s talk devops, automation and architectures, everyday, all day long. https://www.linkedin.com/in/yigitirez/

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Installing and Configuring InnoDB Cluster

How to Manage MySQL Database with Commands

Perfect vs Good Enough When Coding

Red4Sec Code Audit Results Are In: FLOW Protocol is Secure!

Padlock representing the security of the FLOW Protocol smart contract

Polkadot Launch: Phases 3 & 4

The URL Checker

A Brief Overview of SQL (Structured Query Language)

How to Set Up and Secure PhpMyAdmin with Apache on Ubuntu 16.04

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Yiğit İrez

Yiğit İrez

Let’s talk devops, automation and architectures, everyday, all day long. https://www.linkedin.com/in/yigitirez/

More from Medium

Why You Should run TestProject agent inside Docker container?

How to setup Loki in Ubuntu 20.04

Printing Response time on apache and nginx logs

High Availability on NGINX