Project Harbor Introduction Open source trusted cloud native registry Henry Zhang, Chief Architect, VMware R&D China Steven Zou, Staff Engineer, VMware R&D China Nov. 2018 2 Confidential � ©2018 �������� ���:VIC�PKS GitHub Repo: https://github.com/goharbor /harbor/ Apache 2.0 ���� ������������ Project history �������� Harbor���� Harbor���� 5 Harbor���� 6 x x Agenda 7 Confidential � ©2018 Vulnerability Scanning Replication Service Level Agreement (Authorization) SLA: Tenant Mapping (Project) SLA: Flow Control Log Notary Clair Jobs Authentication API Credentials LDAP Platform

Project Harbor Introduction Open source trusted cloud native registry Henry Zhang, Chief Architect, VMware R&D China Steven Zou, Staff Engineer, VMware R&D China Nov. 2018 2 Confidential � ©2018 �������� ���:VIC�PKS GitHub Repo: https://github.com/goharbor /harbor/ Apache 2.0 ���� ������������ Project history �������� Harbor���� Harbor���� 5 Harbor���� 6 x x Agenda 7 Confidential � ©2018 Vulnerability Scanning Replication Service Level Agreement (Authorization) SLA: Tenant Mapping (Project) SLA: Flow Control Log Notary Clair Jobs Authentication API Credentials LDAP Platform

Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry Agenda 1 Container Image Basics 2 Project Harbor Introduction Agenda 1 Container Image Basics 2 Project Harbor Introduction 3 Consistency of Images 4 Security 5 Image Distribution 6 High Availability of Registry Project Harbor • An open source enterprise-class (synchronization) 13 Project Images Policy Image Project Images Initial replication Image incremental replication (including image deletion) Agenda 1 Container Image Basics 2 Project Harbor Introduction

基于角色的访问控制 18 项目 Project 成员 Members 镜像 Images Guest: Developer: Admin: ${Project}/ubuntu:14.04 ${Project}/nginx:1.8, 1.9 ${Project}/golang:1.6.2 ${Project}/redis:3.0 …... 21 • 设置自动扫描：上传即扫描 • 设置漏洞级别阈值；超过阈值的镜像 无法下载 • 设置内容信任 镜像复制 22 Project Images Policy Image Project Images 初始复制 Image 增量复制 (含镜像删除复制) 复制策略管理 用二进制格式确保镜像一致性 24

Introducing Project Harbor • An open source enterprise-class registry server. (launched Mar 2016) • Initiated by VMware China • Apache 2 license • https://github.com/vmware/harbor/ 3 Project Harbor and Harbor uses and grows with Go language from Day 1 • Go v1.3-1.7 • Beego: v1.3-1.6 • A member project of Golang Foundation 4 Harbor Users and Partners 200+ 2000 + 10K+ Downloads Stars Users 46 and English) • Audit and logs • Restful API for integration • Lightweight and easy deployment 14 Project Harbor - Microservices Architecture Basic Registry (Docker Distribution) Docker Client Revers

(Apache 2.0) • Accepted into sandbox stage in July 2018 as first container registry 9 Project Harbor Project History 10 Open Source Stats Registry features include − Multi-tenant content signing /myapp/app.jar Dockerfile Challenges Image replication (synchronization) 17 Project Images Policy Image Project Images Initial replication Image Incremental replication (including image deletion) Control (RBAC) 22 Members Images Guest: Developer: Admin: docker pull ... docker pull/push Project operation & management Settings Other security considerations • Enable content trust by installing

harbor/harbor/ Apache 2.0 license An open source trusted cloud native registry project HARBOR More integrations in future Harbor Project History Harbor Community Harbor Users and Partners (selected) x x management Multi Deployments • Docker Compose • BOSH/Pivotal Tile • Helm Chart Label • Label in project and system scopes • Mark labels to image and chart Harbor Architecture API Routing API Routing to involve day0 operation in Harbor? Website ： https://github.com/goharbor/harbor Twitter: @Project_harbor Slack: #harbor/#harbor-dev (register via slack.cncf.io) Email group ：（ Refer README on

repository that you have chosen. • For library_name, use the name of the project as displayed on the Harbor UI. The default project name is library. Note d) Verify if the helm repository is added successfully steps: a) In the left pane of the Harbor UI, click Projects, and then click on your project name. The default project name is Library. Note b) Click the Helm Charts tab. c) To push the helm chart to the

门槛高，需要具备现成的 共享存储 – 搭建难度略高 • 优点 – 门槛低，搭建简便 • 不足 – Scaling差，甚至是不能 – 镜像复制延迟，导致数据 阶段性不一致 – 添加Project时，需手工维 护复制规则 Solution2: 基于镜像复制 Solution1: 基于共享存储 Solution details • Based on CephFS •