Scripts · Apr 11, 2026 · 1 min read

Harbor — Cloud Native Trusted Container Registry

Harbor is a CNCF-graduated open-source container registry that stores, signs, and scans container images. Vulnerability scanning, RBAC, replication, and OCI support.

Script Depot · Community
Quick Use

Use it first, then decide how deep to go


# Download installer
wget https://github.com/goharbor/harbor/releases/download/v2.11.0/harbor-offline-installer-v2.11.0.tgz
tar xvf harbor-offline-installer-v2.11.0.tgz
cd harbor

# Configure
cp harbor.yml.tmpl harbor.yml
# Edit harbor.yml with your hostname

# Install
sudo ./install.sh

Open http://your-hostname, log in with admin/Harbor12345 (the default set by harbor_admin_password in harbor.yml; change it after the first login) and push your first image.

Intro

Harbor is an open-source, CNCF-graduated trusted cloud-native container registry that stores, signs, and scans content. It extends the open-source Docker Distribution by adding the functionality usually required by users such as security, identity, and management — making it the go-to choice for enterprises running private container registries.

With 28.2K+ GitHub stars and Apache-2.0 license, Harbor is used by thousands of organizations including financial institutions, telecommunications companies, and government agencies for secure, compliant container image management.

What Harbor Does

  • Container Registry: Store and distribute Docker and OCI images
  • Vulnerability Scanning: Integrated Trivy/Clair for continuous image security scanning
  • Image Signing: Notary and Cosign integration for trusted content verification and supply chain security
  • RBAC: Role-based access control with projects and LDAP/AD/OIDC integration
  • Replication: Sync images between Harbor instances and public registries
  • Webhooks: Notify external systems on push, pull, scan, delete events
  • Helm Chart Repository: Store Helm charts alongside container images
  • Garbage Collection: Automatic cleanup of untagged/unused blobs
  • Audit Logging: Track all operations for compliance
  • Quotas: Set storage quotas per project

Architecture

┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│  Docker CLI  │────▶│  Harbor      │────▶│  Storage     │
│  / kubectl   │     │  (Portal +   │     │  (Local/S3/  │
└──────────────┘     │   Core +     │     │   GCS/Swift) │
                     │   Registry)  │     └──────────────┘
                     └──────┬───────┘
                            │
            ┌───────────────┼───────────────┐
            │               │               │
      ┌─────┴──────┐  ┌─────┴──────┐  ┌─────┴──────┐
      │ PostgreSQL │  │   Redis    │  │   Trivy    │
      │ (Metadata) │  │  (Cache)   │  │   (Scan)   │
      └────────────┘  └────────────┘  └────────────┘

Installation

Docker Compose (Recommended)

# Download
wget https://github.com/goharbor/harbor/releases/download/v2.11.0/harbor-offline-installer-v2.11.0.tgz
tar xvf harbor-offline-installer-v2.11.0.tgz
cd harbor

# Configure: copy the template, then edit the values below in harbor.yml
cp harbor.yml.tmpl harbor.yml

# harbor.yml (excerpt)
hostname: registry.yourdomain.com
http:
  port: 80
https:
  port: 443
  certificate: /etc/harbor/ssl/cert.pem
  private_key: /etc/harbor/ssl/key.pem

harbor_admin_password: YourSecurePassword   # initial admin password; change it after the first login
database:
  password: root123                         # placeholder; set a strong, unique password
data_volume: /data

trivy:
  ignore_unfixed: false
  skip_update: false
  insecure: false                           # keep false so Trivy DB downloads verify TLS

# Install with the Trivy scanner enabled
sudo ./install.sh --with-trivy

Helm Chart (Kubernetes)

helm repo add harbor https://helm.goharbor.io
helm install harbor harbor/harbor \
  --namespace harbor --create-namespace \
  --set expose.type=ingress \
  --set expose.tls.auto.commonName=registry.yourdomain.com \
  --set externalURL=https://registry.yourdomain.com \
  --set trivy.enabled=true

Usage

Push Images

# Login
docker login registry.yourdomain.com
Username: admin
Password: YourPassword

# Tag image
docker tag myapp:latest registry.yourdomain.com/myproject/myapp:latest

# Push
docker push registry.yourdomain.com/myproject/myapp:latest

# Pull
docker pull registry.yourdomain.com/myproject/myapp:latest

With Kubernetes

# Create image pull secret (auth is the base64 encoding of "username:password")
apiVersion: v1
kind: Secret
metadata:
  name: harbor-creds
type: kubernetes.io/dockerconfigjson
stringData:
  .dockerconfigjson: |
    {"auths": {"registry.yourdomain.com": {"username":"user","password":"pass","auth":"base64-encoded"}}}

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      imagePullSecrets:
        - name: harbor-creds
      containers:
        - name: myapp
          image: registry.yourdomain.com/myproject/myapp:latest
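The manifest above leaves the `auth` field as "base64-encoded". The following added example (not part of the page) builds the pull secret with that field computed correctly and round-trips it as a check; the registry, secret name and credentials are constructed values.

```python
"""Build a Kubernetes imagePullSecret for Harbor (added example, not from the page).

The "auth" value in .dockerconfigjson must be base64(username:password).
The manifest is emitted as JSON, which `kubectl apply -f` accepts.
"""
import base64
import json


def docker_config_json(registry, username, password):
    """Return the .dockerconfigjson document as a dict with a correct 'auth' field."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {registry: {"username": username, "password": password, "auth": auth}}}


def image_pull_secret(name, registry, username, password, namespace="default"):
    """Return a kubernetes.io/dockerconfigjson Secret manifest as a dict."""
    config = docker_config_json(registry, username, password)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "stringData": {".dockerconfigjson": json.dumps(config)},
    }


def decode_auth(secret):
    """Round-trip check: recover (username, password) from the secret's auth field.

    Splits on the first ':' only, so passwords containing ':' survive.
    """
    config = json.loads(secret["stringData"][".dockerconfigjson"])
    entry = next(iter(config["auths"].values()))
    user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    return user, password


if __name__ == "__main__":
    # Constructed credentials; in practice use a least-privilege Harbor account, not admin.
    secret = image_pull_secret("harbor-creds", "registry.yourdomain.com", "user", "pass")
    print(json.dumps(secret, indent=2))
```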

Key Features

Vulnerability Scanning

Push image → Automatic Trivy scan
  → CVE report with severity levels
  → Fail deployment if CVSS > threshold
  → Dashboard showing scan history

Configure scan policies per project:

  • Auto-scan on push
  • Prevent pulling vulnerable images
  • Schedule periodic re-scans
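The "fail deployment if severity exceeds a threshold" step can also be enforced outside Harbor, for example in a CI job. The following added example (not the project's own code) reads an artifact's scan overview from Harbor's REST API and fails closed when the scan is missing, unfinished or above the threshold; the response shape and the severity ordering are assumptions, and SAMPLE_ARTIFACT is constructed.

```python
"""CI gate on Harbor scan results (added example, not part of the page).
Assumes GET /api/v2.0/projects/{project}/repositories/{repo}/artifacts/{ref}?with_scan_overview=true
returns "scan_overview" keyed by report mime type; SAMPLE_ARTIFACT is constructed in that shape."""
import base64
import json
import urllib.parse
import urllib.request

# Severity labels from least to most severe (assumed to match Harbor's ranking).
SEVERITY_ORDER = ["None", "Unknown", "Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample: scan finished, one Critical finding.
SAMPLE_ARTIFACT = {
    "digest": "sha256:PLACEHOLDER",
    "scan_overview": {
        "application/vnd.security.vulnerability.report; version=1.1": {
            "scan_status": "Success",
            "severity": "Critical",
            "summary": {"total": 7, "fixable": 5,
                        "summary": {"Critical": 1, "High": 2, "Medium": 4}},
        }
    },
}

def fetch_artifact(base_url, project, repo, ref, user, password):
    """Fetch one artifact with its scan overview using HTTP basic auth (needs network)."""
    repo = urllib.parse.quote(repo, safe="")  # nested repo names need '/' encoded as %2F
    url = (f"{base_url}/api/v2.0/projects/{project}/repositories/{repo}"
           f"/artifacts/{ref}?with_scan_overview=true")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def gate(artifact, threshold="High"):
    """Return (allowed, reason). Fails closed on missing, unfinished or unrecognised results."""
    overview = next(iter((artifact.get("scan_overview") or {}).values()), None)
    if overview is None:
        return False, "artifact has no scan report"
    if overview.get("scan_status") != "Success":
        return False, f"scan not complete: {overview.get('scan_status')}"
    worst = overview.get("severity", "Unknown")
    # An unrecognised label is treated as worse than anything known (fail closed).
    rank = SEVERITY_ORDER.index(worst) if worst in SEVERITY_ORDER else len(SEVERITY_ORDER)
    if rank >= SEVERITY_ORDER.index(threshold):
        counts = overview.get("summary", {}).get("summary", {})
        return False, f"worst severity {worst} meets threshold {threshold}: {counts}"
    return True, f"worst severity {worst} is below {threshold}"
```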

Projects & RBAC

Projects (Namespace equivalent):
├── engineering
│   ├── Members: Alice (Admin), Bob (Developer), Charlie (Guest)
│   ├── Quota: 100GB
│   └── Policies: Require scan, block critical CVEs
├── staging
│   └── Members: Ops team
└── public
    └── Anyone can pull

Roles: Project Admin, Master (renamed Maintainer in Harbor 2.x), Developer, Guest, Limited Guest.

Replication

# Sync from Docker Hub to Harbor
Rule: Replicate Docker Hub nginx
  Source: docker.io/library/nginx
  Destination: registry.yourdomain.com/library/nginx
  Trigger: Scheduled (every 6 hours)
  Filters: tag = "1.*.*-alpine"

# Sync between Harbor instances
Rule: Backup to DR site
  Source: registry.primary.com
  Destination: registry.dr.com
  Trigger: On push

Supported remote registries:

  • Docker Hub, GitHub Container Registry, GCR, ECR, ACR
  • Quay, JFrog Artifactory
  • Other Harbor instances
  • Helm chart repositories

Image Signing with Cosign

# Sign image
cosign sign --key cosign.key registry.yourdomain.com/myproject/myapp:v1.0

# Verify
cosign verify --key cosign.pub registry.yourdomain.com/myproject/myapp:v1.0

# Harbor shows signature status in UI

Retention Policies

Project: production
Retention Rules:
  - Retain the 10 most recently pulled images
  - Retain images tagged "release-*" for 1 year
  - Delete untagged images older than 30 days
  - Run cleanup every Sunday at 02:00

Harbor vs Alternatives

Feature             Harbor       Docker Registry  Nexus       JFrog Artifactory
Open Source         Yes          Yes              Yes (OSS)   No (paid)
Vulnerability scan  Trivy/Clair  No               IQ (paid)   Xray (paid)
RBAC                Yes          No               Yes         Yes
Replication         Yes          No               Yes         Yes
Helm charts         Yes          No               Yes         Yes
OCI compliant       Yes          Yes              Yes         Yes
Web UI              Beautiful    None             Yes         Yes
Multi-registry      Yes          No               Yes         Yes

FAQ

Q: What is the difference between Harbor and Docker Registry? A: Docker Registry is only the basic component that stores and distributes images (no authentication, no UI). Harbor adds enterprise features on top of it: a web UI, RBAC, vulnerability scanning, image signing, replication and more. Harbor is strongly recommended for production environments.

Q: How much storage space is needed? A: It depends on the number and size of images. Harbor uses deduplication, so an identical layer is stored only once. For a typical enterprise deployment, starting at 500GB is recommended; it can be expanded to the TB range at any time.

Q: Are multi-replica / high-availability deployments supported? A: Yes. The Helm chart can deploy an HA architecture: multiple replicas of the Harbor components, an external PostgreSQL cluster, external Redis, and shared storage (S3/NFS). Large enterprise deployments handle millions of pull requests per day.

Sources and Acknowledgements
