
Mastering Harbor: Efficient, Secure Docker Image Distribution in Cloud‑Native Environments

This article introduces Harbor, an enterprise‑grade Docker image registry designed for cloud‑native environments, detailing its efficient distribution mechanisms, security features such as signing and vulnerability scanning, HA solutions, and step‑by‑step installation methods using offline packages, Docker‑compose, and Helm charts.

Ops Development Stories

Harbor is an enterprise‑grade Docker image registry open‑sourced by VMware, designed as a trusted cloud‑native artifact repository for storing, signing, and managing container images.

All of Harbor’s design revolves around cloud‑native principles, emphasizing the central role of images in modern applications.

Making Image Distribution More Efficient

(1) Policy‑Based Content Replication

Replication policies support multiple filters (project, tag, etc.) and trigger modes (manual, scheduled) for pushing images to, or pulling them from, another registry. An initial full replication can be followed by incremental ones, and in large clusters or multi‑datacenter setups a master‑slave (center‑edge) mode can be used.

(2) Project‑Level Caching

Harbor can cache upstream Docker Hub or other Harbor registries, alleviating rate‑limit issues. Cached artifacts behave like local ones, and policies such as quota and scanning apply. To enable caching, the project must be created with caching enabled and set as read‑only.

Pulling a cached image uses the format:

<code>docker pull &lt;harbor-host&gt;/[cache-project-name]/&lt;repository&gt;_path</code>

Example:

<code>docker pull goharbor.io/my_cache_pro/library/nginx:latest</code>
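The pull path above implies more than it states: Docker Hub's official images live under the implicit library/ namespace, an explicit docker.io/ prefix has to be dropped, and a reference with neither tag nor digest defaults to :latest. The shell function below, added here as an example (it is not part of the article or of Harbor), rewrites an upstream reference into the cache project's pull path under those rules. The host goharbor.io and project my_cache_pro are the article's values and are only defaults; rejecting references to other registries is my assumption about how a single proxy‑cache project, which fronts exactly one upstream, should be used.

```shell
#!/bin/sh
# Added example, not from the article or Harbor: rewrite an upstream Docker Hub
# image reference into a Harbor proxy-cache pull path of the form
#   <harbor-host>/<cache-project>/<repository-path>
# Assumptions: the cache project proxies Docker Hub; host and project default
# to the article's goharbor.io / my_cache_pro; other registries are refused.

# harbor_cache_ref IMAGE [HARBOR_HOST] [CACHE_PROJECT]
# Prints the rewritten reference on stdout; returns 1 for non-Docker-Hub refs.
harbor_cache_ref() {
  ref="$1"
  harbor="${2:-goharbor.io}"
  project="${3:-my_cache_pro}"

  # Strip an explicit Docker Hub registry prefix.
  case "$ref" in
    docker.io/*)       ref="${ref#docker.io/}" ;;
    index.docker.io/*) ref="${ref#index.docker.io/}" ;;
  esac

  case "$ref" in
    */*)
      # A leading path component that looks like a host (contains "." or ":",
      # or is "localhost") names a different registry. A proxy-cache project
      # fronts one upstream only, so refuse rather than silently mis-route.
      first="${ref%%/*}"
      case "$first" in
        *.*|*:*|localhost)
          echo "harbor_cache_ref: '$ref' is not a Docker Hub reference" >&2
          return 1 ;;
      esac ;;
    *)
      # Official images sit under Docker Hub's implicit "library/" namespace;
      # Harbor needs it spelled out in the pull path.
      ref="library/$ref" ;;
  esac

  # Append ":latest" only when neither a tag nor a digest is present.
  last="${ref##*/}"
  case "$last" in
    *@*) ;;                       # digest reference (repo@sha256:...)
    *:*) ;;                       # explicit tag
    *)   ref="$ref:latest" ;;
  esac

  printf '%s/%s/%s\n' "$harbor" "$project" "$ref"
}

# Stand-alone demo: sh this_file.sh --demo
if [ "${1:-}" = "--demo" ]; then
  for img in nginx nginx:1.25 bitnami/redis:7 docker.io/library/nginx \
             nginx@sha256:0123 quay.io/prometheus/node-exporter; do
    harbor_cache_ref "$img" || true
  done
fi
```

The function prints, for example, goharbor.io/my_cache_pro/library/nginx:latest for a bare nginx and exits non‑zero for quay.io/..., so it can sit in a CI step that rewrites image references before a pull and fails loudly on anything the cache project cannot serve.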

(3) P2P Image Pre‑warming

PS: This P2P is not a loan institution and will not go bust.

Harbor leverages P2P technology (Dragonfly or Kraken) to distribute selected images to a peer‑to‑peer network, allowing clients to pull directly from nearby peers. A pre‑warming policy selects which images are pushed to the P2P network, and when, using the following filters and triggers:

Repository filter

Tag filter

Label filter

Vulnerability status filter

Signature status filter

Event‑based or scheduled triggers

Supported P2P backends: Dragonfly (Alibaba) and Kraken (Uber).

Making Image Distribution More Secure

Containers are opaque; without inspection, images may contain unknown vulnerabilities. Harbor enforces security through several mechanisms.

(1) Image Signing

Notary‑based signing for images

GPG‑based signing for Helm charts

(2) Vulnerability Scanning

Plugin‑based integration with scanners to generate reports and assess risk.

(3) Policy‑Based Distribution Control

Content trust to allow only authenticated images.

Severity‑based restrictions.

(4) Tag Protection Rules

Rules can prevent overwriting or deleting protected tags (e.g., <code>latest</code>) using regex matching.

Graceful Resource Cleanup and Garbage Collection

Harbor 2.x simplifies cleanup: retention policies keep the tags you mark immutable, and garbage collection reclaims the storage of deleted artifacts without affecting the data that remains.

High‑Availability Solutions

Content replication across independent environments.

External shared‑service HA.

Multi‑instance HA in Kubernetes.

Harbor Operator all‑in‑one HA.

Multi‑datacenter HA.

Hands‑On Harbor Installation

Prerequisites: CentOS 7.4, Kernel 3.10, Docker‑compose 1.27.4, Helm v3, Kubernetes 1.17.9, Harbor 2.1.1.

1. System Initialization and Required Software

<code># systemctl stop firewalld
# systemctl disable firewalld
# setenforce 0
# vim /etc/sysconfig/selinux   # SELINUX=disabled
# hostnamectl set-hostname harbor
# yum install -y yum-utils device-mapper-persistent-data lvm2
# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# yum install docker-ce -y
# systemctl start docker && systemctl enable docker
# curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io
# systemctl restart docker
# wget https://github.com/docker/compose/releases/download/1.27.4/docker-compose-Linux-x86_64
# mv docker-compose-Linux-x86_64 /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose</code>

2. Offline Installation

<code># wget https://github.com/goharbor/harbor/releases/download/v2.1.1/harbor-offline-installer-v2.1.1.tgz
# tar xf harbor-offline-installer-v2.1.1.tgz -C /opt/
# cd /opt/harbor
# cp harbor.yml.tmpl harbor.yml
# # edit harbor.yml (hostname, HTTPS cert, admin password, data_volume)
# openssl genrsa -out ca.key 4096
# openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Chongqing/L=Chongqing/O=harbor.coolops.cn/OU=harbor.coolops.cn/CN=harbor.coolops.cn" -key ca.key -out ca.crt
# openssl genrsa -out harbor.coolops.cn.key 4096
# openssl req -sha512 -new -subj "/C=CN/ST=Chongqing/L=Chongqing/O=harbor.coolops.cn/OU=harbor.coolops.cn/CN=harbor.coolops.cn" -key harbor.coolops.cn.key -out harbor.coolops.cn.csr
# cat > xexternalfile.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.coolops.cn
EOF
# openssl x509 -req -sha512 -days 3650 -extfile xexternalfile.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in harbor.coolops.cn.csr -out harbor.coolops.cn.crt
# openssl x509 -inform PEM -in harbor.coolops.cn.crt -out harbor.coolops.cn.cert
# ./prepare
# ./install.sh</code>

Successful installation ends with “✔ ----Harbor has been installed and started successfully.”

3. Online Installation

<code># wget https://github.com/goharbor/harbor/releases/download/v2.1.1/harbor-online-installer-v2.1.1.tgz
# tar xf harbor-online-installer-v2.1.1.tgz -C /opt/
# (follow the same steps 2‑4 as offline installation)</code>

4. Helm Chart Deployment

<code># wget https://get.helm.sh/helm-v3.0.0-linux-amd64.tar.gz
# tar zxvf helm-v3.0.0-linux-amd64.tar.gz
# mv linux-amd64/helm /usr/bin/
# helm repo add harbor https://helm.goharbor.io
# helm search repo harbor
# helm pull harbor/harbor --version 1.5.1
# tar xf harbor-1.5.1.tgz
# # edit values.yaml (ingress hosts, externalURL, harborAdminPassword, storageClass, etc.)
# helm install harbor ./harbor</code>

After all pods reach <code>Running</code>, the Harbor portal is accessible via the configured Ingress URL.

Written by

Ops Development Stories

Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.
