Harbor Container Registry

Unlimited Private Repositories and Users, with Security Scanning

Self-hosting your container registry can be a good option, especially when your organization’s security policies require that your proprietary code sits in an environment you control. If your Internet connection is not especially fast, pulling images that can reach gigabytes in size from your LAN instead of the Internet can greatly improve the productivity of your workflow.

While you could simply deploy the registry container and immediately push/pull images on any Docker host, for production use, you likely want a dashboard similar to the Docker Hub or Quay.io to manage repositories, images, and users. That’s where Harbor comes in.

Harbor is an open-source registry server you can host in your own environment, whether on-premise or in the cloud. The project is maintained by VMware, as Harbor can (optionally) be used with the Pivotal Container Service based on Kubernetes. With Harbor you can store any images that are compliant with the OCI (Open Container Initiative) standard.

Besides speed and security, what are the cost benefits of hosting your own container registry? As you are probably aware, hosted registry services typically charge based on the number of private repositories or users you need. With these pricing tiers, you can end up spending a relatively large sum of money even if your images are small and lightweight. If you use a cloud service such as Google Container Registry, you can rack up quite a large egress bandwidth bill, especially if you pull your images frequently for testing and development.

As an enterprise-class registry, Harbor also includes a built-in vulnerability scanner, which can alert you to CVEs (Common Vulnerabilities and Exposures) that are present in your container images. It uses the open source Clair vulnerability database, which is provided by CoreOS. Clair runs locally on your registry server, eliminating the need to transmit metadata about your container images to a third-party service such as Aqua’s MicroScanner. Local vulnerability scanning is a feature that was previously only available with commercial solutions such as Docker Trusted Registry, but Harbor changes that.

If you use LDAP/AD to manage identity within your organization, Harbor supports single-sign-on using the existing credentials stored in your LDAP database, making it easy to get your team on-boarded to Harbor Container Registry.

Why You Should Hire Us to Deploy Harbor

By default, Harbor is not configured for HTTPS, which requires an override (not recommended) in your Docker client specifying your registry server as an “insecure-registry.” The TLS settings Harbor ships with also earn only a ‘B’ on Qualys SSL Test, due to the lack of “Forward Secrecy” on modern browsers. We have tweaked the configuration files to achieve an ‘A+’ on SSL/TLS tests.
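Both conditions described above can be checked from configuration text before and after hardening. The following Python is an added example, not code from Harbor or from this page's author; it assumes the Docker client's `daemon.json` and an explicit OpenSSL-style cipher list for the registry's TLS front end, and the host name and cipher lists are constructed sample values.

```python
import json

# OpenSSL suite-name prefixes whose key exchange is ephemeral (forward secret).
# TLS 1.3 suites (TLS_*) always use an ephemeral key exchange.
FS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")

def insecure_registries(daemon_json_text):
    """Registries this Docker client may reach over HTTP or unverified TLS."""
    return list(json.loads(daemon_json_text).get("insecure-registries", []))

def classify(cipher_string):
    """Ordered (name, forward_secret) pairs from an explicit cipher list.

    Exclusions (!X, -X) are skipped. Group keywords such as HIGH are not
    expanded, so they are reported as non-forward-secret for manual review.
    """
    suites = []
    for token in cipher_string.split(":"):
        token = token.strip().lstrip("+")
        if token and token[0] not in "!-":
            suites.append((token, token.startswith(FS_PREFIXES)))
    return suites

def audit(daemon_json_text, registry_host, cipher_string):
    """Return findings for the client override and the server cipher list."""
    findings = []
    if registry_host in insecure_registries(daemon_json_text):
        findings.append(f"{registry_host} is listed under insecure-registries")
    suites = classify(cipher_string)
    static = [name for name, fs in suites if not fs]
    if not any(fs for _, fs in suites):
        findings.append("no forward-secret suites offered")
    elif not suites[0][1]:
        findings.append("a non-forward-secret suite is preferred over ECDHE/DHE")
    if static:
        findings.append("suites without forward secrecy: " + ", ".join(static))
    return findings

# Constructed sample inputs (hypothetical host name and cipher lists).
DAEMON_JSON = '{"insecure-registries": ["harbor.example.internal"]}'
WEAK = "AES128-SHA:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256"
STRONG = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5"

if __name__ == "__main__":
    for finding in audit(DAEMON_JSON, "harbor.example.internal", WEAK):
        print("FINDING:", finding)
    print("hardened:", audit("{}", "harbor.example.internal", STRONG) or "no findings")
```

The registry host must match the `insecure-registries` entry exactly, including any port.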

Also, if you choose to deploy Harbor in the cloud, choosing the right cloud provider is essential. To maximize your savings, we recommend going with a platform that offers plenty of storage and included bandwidth with your dedicated or VPS instance. The minimum requirements for Harbor are 2 CPU cores with 2 GB RAM and 40 GB storage, but the recommended configuration is 4 CPU cores with 8 GB RAM and 160 GB storage.

For larger deployments, it makes sense to use the supported S3 or Ceph storage backing options to increase the durability & scalability of storing your container images. As Harbor itself is a containerized app, it is also possible to set up Harbor for high availability by setting up multiple instances of the application on different servers, with a load balancer in the front end, and shared DB/Storage/Redis servers in the backend.

Our team of infrastructure architects can help you plan the most cost-effective deployment of Harbor for your needs, with the level of reliability you require. We can also recommend cloud providers on which we have successfully deployed this application for our other clients. Contact us with any questions about Harbor, or hosting your own container registry, and we would be pleased to assist you.