Sunday, May 22, 2022

[lunar.lab] Install Harbor Container Registry as Docker Containers

This is an installation note for the Harbor container registry in lunar.lab. To minimize footprint given my resource constraints, I decided to install the Harbor service on the bootstrap machine VM which I had already deployed (see here for the article: https://dy.si/TAg1M72).


The installation steps are already explained in the official documentation above; I am just adding notes based on my experience and findings.

Step 1 - Harbor Installation Prerequisites

My bootstrap machine already has OpenSSL and Docker Engine installed, so I just needed to install Docker Compose. But somehow this installation did not work, and when I tried to install Harbor I got an error message like this:

docker: Error response from daemon: error while creating mount source path '/data/secret': mkdir /data: read-only file system.

I did a little Googling and found this thread:
There's no clear explanation of what happened, but I followed the suggestion and then it worked.

# Remove the snap-packaged Docker and its data directory (this deletes existing images, containers and volumes)
sudo snap remove --purge docker
sudo rm -R /var/lib/docker
sudo apt-get remove docker docker-engine docker.io
# Add Docker's apt repository with its signing key, then install Docker Engine from it
sudo apt-get update
sudo apt-get install ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
# Install the Docker Compose v2.5.0 binary and confirm it runs
wget https://github.com/docker/compose/releases/download/v2.5.0/docker-compose-linux-x86_64
sudo mv docker-compose-linux-x86_64 /usr/bin/docker-compose
sudo chmod +x /usr/bin/docker-compose
docker-compose -v

Step 2 - Download the Harbor Installer

Go to the Harbor release page https://github.com/goharbor/harbor/releases and look for the correct version which you want to use. I made a really foolish mistake which cost me a lot of time. 😢 I downloaded the installer from the GitHub page, then installed it with the option to also install Trivy for CVE scanning. It did NOT work! 🤒

Only after several hours of troubleshooting did I find out that I had downloaded the wrong installer. The topmost release on GitHub is version 1.10.11, which does not include Trivy. I needed to scroll down a bit to find v2.5.0, the correct highest version. Everything works with this correct installer. 😁

What a silly mistake! Don't be like me! 😜

Another thing: I downloaded the offline installer just to avoid hitting the Docker pull rate limit.

wget https://github.com/goharbor/harbor/releases/download/v2.5.0/harbor-offline-installer-v2.5.0.tgz

Step 3 - Configure HTTPS Access to Harbor

For this step, check this article from Cormac Hogan: https://cormachogan.com/2020/12/01/deploying-harbor-v2-1-0-step-by-step/. Look for the Certificates and Keys section, where he shares shell scripts he created to speed things up within this step.

Step 4 - Configure the Harbor YML File

I only configured four parameters:
  • hostname
  • path to cert and key files for https
  • http proxy
  • harbor admin password (not shown below)

# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: harbor-01a.corp.local
----------------------------------------
# https related config
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /data/cert/harbor-01a.corp.local.crt
  private_key: /data/cert/harbor-01a.corp.local.key
----------------------------------------
# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
proxy:
  http_proxy: 'http://192.168.110.1:3128'
  https_proxy: 'http://192.168.110.1:3128'
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
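
A preflight check for the certificate and key configured in Step 4, as an added example that is not part of the original post or of Harbor's installer: it confirms that the key belongs to the certificate, that the hostname appears as a subjectAltName DNS entry, that the certificate is not about to expire, and that the key is not accessible to other users. The helper names check_harbor_tls and make_demo_pair are hypothetical, and the demo pair is a constructed throwaway written to a temp directory.

```shell
#!/bin/sh
# Added example (not from the original post). check_harbor_tls and
# make_demo_pair are hypothetical helper names.

# check_harbor_tls CERT KEY HOST -> prints "ok" or the first failed check.
check_harbor_tls() {
    cert=$1; key=$2; host=$3
    [ -r "$cert" ] && [ -r "$key" ] || { echo "missing-file"; return 1; }
    # 1. The key must belong to the certificate: compare public-key digests.
    cpub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    kpub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cpub" = "$kpub" ] || { echo "key-mismatch"; return 1; }
    # 2. The hostname must be a subjectAltName DNS entry (exact match only;
    #    wildcard entries are not expanded here).
    openssl x509 -in "$cert" -noout -text | tr ',' '\n' | sed 's/^ *//' \
        | grep -qxF "DNS:$host" || { echo "san-missing"; return 1; }
    # 3. The certificate must still be valid 30 days from now.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
        || { echo "expiring"; return 1; }
    # 4. The key must carry no permissions for "other" users.
    [ "$(ls -lL "$key" | cut -c8-10)" = "---" ] \
        || { echo "key-perms"; return 1; }
    echo "ok"
}

# make_demo_pair DIR HOST SAN: constructed throwaway CA and server pair.
make_demo_pair() {
    d=$1; h=$2; san=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$h" \
        -keyout "$d/$h.key" -out "$d/$h.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$san" > "$d/ext.cnf"
    openssl x509 -req -in "$d/$h.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$d/ext.cnf" \
        -out "$d/$h.crt" 2>/dev/null
    chmod 600 "$d/$h.key"
}

# Demo in a temp dir; for a real install point it at the /data/cert files.
demo=$(mktemp -d)
make_demo_pair "$demo" harbor-01a.corp.local harbor-01a.corp.local
check_harbor_tls "$demo/harbor-01a.corp.local.crt" \
    "$demo/harbor-01a.corp.local.key" harbor-01a.corp.local
```

Run against the real files before install.sh, the check reports the first problem it finds instead of leaving it to surface later as a failed docker login or push.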

Step 5 - Configure Enabling Internal TLS

I skipped this.

Step 6 - Run the Installer Script

Quite straightforward; I installed with Trivy, Notary, and chartmuseum enabled.

sudo ./install.sh --with-trivy --with-notary --with-chartmuseum

Verify the Harbor installation:

sudo docker ps -a

I found all these containers running.

Step 7 - Test Harbor Installation Verification

  • Open a browser and access the Harbor address, then log in with the username and password configured in Step 4.
  • Create a New Project and configure it as Public.
  • Open the project and go to Repositories. Here I can find the Docker commands to tag an image for my created project and to push that tagged image to this project.
  • From my bootstrap machine, tag and push an image to the Harbor image registry.
  • Back in the browser, refresh the created project. I can see the container image I just pushed listed there.
  • Click on the container image and I can find the pull command. I then tried to pull the image from my Harbor image registry. Since I only have one machine with Docker, I removed the same images first and then pulled from my Harbor registry.

All seems to be working! That's it for now!
