User guide for the enterprise-level Docker Registry open source tool Harbor

Abstract: This article follows on from the previous article on installation and configuration, and mainly explains how users in different roles work with Harbor.

User Manual

Overview

This guide walks you through the various features of Harbor. You will learn how to use Harbor to accomplish the following tasks:

  • Manage your projects
  • Manage members in a project
  • Replicate a project's image repositories to a remote registry
  • Search projects and image repositories
  • If you are a system administrator, you can learn how to manage your Harbor system:
    • Manage users
    • Manage targets (remote Harbor instances)
    • Manage replication policies (image synchronization between multiple registries)
  • Use the docker client program to upload and download image files (docker pull/push images)
  • Delete repositories and image files

Role-based access control

Harbor supports RBAC (Role Based Access Control) and currently provides four roles with different permissions:

  • Guest: The guest role has only read-only permission on a specific project.
  • Developer: The developer has read-write permission on a project.
  • Project Admin: When a user creates a new project, that user is automatically assigned the project administrator role and can manage the entire project. In addition to read-write privileges, project administrators also have other administrative privileges, such as adding and removing project members.
  • System administrator: The system administrator has the greatest authority; this is the system's default admin user. In addition to the permissions mentioned above, the system administrator has permissions on all projects, can promote an ordinary user to administrator, and can delete users. The system's default public project, library, also belongs to the system administrator.
  • Anonymous User: A user who is not logged in is considered an anonymous user. Anonymous users cannot access private projects and have read-only permission on all public projects.

User Account

As a user, you can register an account through the self-registration process. The username and email address must be unique within Harbor. The password must contain at least 7 characters, including one uppercase letter, one lowercase letter, and one numeric character.

If the administrator has configured LDAP/AD as the user authentication source, the registration step can be ignored. The LDAP/AD user id can be used to log into Harbor directly.

If you have forgotten your password, you can reset it by following these steps:

  1. Click "Forgot password" on the login page.
  2. Enter the email address you provided during registration; you will receive an email for changing your password.
  3. After receiving the email, click the link in it to go to the password reset page.
  4. Enter the new password and click Submit.

Manage projects

A project in Harbor contains all repositories of an application. RBAC (Role Based Access Control) is applied per project. There are two types of projects in Harbor, public and private:

  • Public : All users have read permission for public projects. This method is very convenient when you want to share some repositories with others.
  • Private : Private projects can only be accessed by people with specific user rights. This method is also more convenient for internal teams to share.

Projects can be created after you log in to Harbor. Clicking the "Public" checkbox will make the project public.

After the project is created, the user can browse the repository, users, and some logs using the navigation tabs.

Clicking "Logs" lists all operation logs. In advanced search, you can search the operation logs by username, operation and date.

Manage project members

Add members

You can add members to an existing project with different roles.

Update and remove project members

You can update and remove members by clicking the Edit and Delete buttons.

Image replication

If you are a system administrator, you can replicate the image files in a repository to a remote registry (that is, your target Harbor). Currently, only Harbor instances are supported as a target repository. Therefore, to use the image replication feature, a second copy of Harbor must be deployed at the remote end.

Note: The image replication feature is not compatible between Harbor instances before version 0.3.5 and those after 0.3.5.

On the project home page, click "Replication", then click "New policy" to add an image replication policy. The target URL is the remote image registry.

After the connection test succeeds, click OK to start image replication.

You can see that the replication task is in progress, together with information about the current replication. The bottom of the page shows the overall replication progress for the project, along with replication information for each repository.

Click the log on the right to view the details of each repository's image synchronization.

After replication completes, you can see the synchronized projects and image files in the remote Harbor.

Search projects and image repositories

Entering a keyword in the search box at the top lists all matching projects and image repositories. The search results include all private and public images that you have permission to access.

Admin Options

Manage users

Administrators can grant the administrator role to ordinary users to elevate their privileges, and can also delete users.

Manage targets (remote Harbor)

Under the "Target" button in "Admin Options", the user can list, add and delete replication policies, and modify the target Harbor. Only target Harbors that are not referenced by any policy can be edited.

Manage replication

Under the "Replication" button in "Admin Options", the user can list, edit, and enable or disable policies. Before editing a policy, make sure that the policy has been disabled.

Pull and push images using Docker client commands (download and upload images)

Note: Harbor only supports Registry V2 API, so your docker client version must be above 1.6.0.

Harbor supports HTTP by default, but the Docker client uses HTTPS to connect to the image repository by default, so the following error message appears when you pull or push the image:

FATA[0002] Error: Invalid registry endpoint https://localhost.com:5000/v1/: Get https://localhost.com:5000/v1/_ping: EOF. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry localhost.com:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/localhost.com:5000/ca.crt

To use the registry over HTTP, you only need to add the following parameter to the Docker daemon's startup configuration: --insecure-registry ip:port (the registry's address). On Ubuntu, the default configuration file is /etc/default/docker. On CentOS, the default configuration file is /etc/sysconfig/docker.

In the case of HTTPS, if you have access to the registry's CA certificate, no additional parameters need to be configured; the certificate is generally placed at the following location: /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt
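
With --insecure-registry, Docker accepts plain HTTP or an unverified certificate for the listed registry, so credentials sent by docker login are not protected in transit. The following added example (not from the original article) audits the two daemon configuration files named above for that flag and reports whether a CA certificate is already installed under certs.d; the overridable CONF_FILES and CERTS_DIR variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): find registries the Docker daemon is
# configured to use without TLS verification and check for an installed CA.
# CONF_FILES and CERTS_DIR default to the paths the article names; being able
# to override them is an assumption of this example.
CONF_FILES="${CONF_FILES:-/etc/default/docker /etc/sysconfig/docker}"
CERTS_DIR="${CERTS_DIR:-/etc/docker/certs.d}"

# Print each host[:port] given to --insecure-registry, one per line.
# Handles "--insecure-registry X" and "--insecure-registry=X"; skips comments.
insecure_registries() {
    for f in $CONF_FILES; do
        [ -r "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" |
            tr -s "\"'= \t" '\n' |
            awk 'prev == "--insecure-registry" { print } { prev = $0 }'
    done | sort -u
}

# Report each insecure entry. Returns 1 if any entry exists, 0 if none.
audit_insecure_registries() {
    found=0
    for reg in $(insecure_registries); do
        found=1
        if [ -s "$CERTS_DIR/$reg/ca.crt" ]; then
            echo "$reg: CA installed, --insecure-registry can be removed"
        else
            echo "$reg: no CA at $CERTS_DIR/$reg/ca.crt, traffic is unverified"
        fi
    done
    return "$found"
}

audit_insecure_registries || echo "insecure registry entries found" >&2
```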

Download image files (docker pull images)

If the project containing the image is private, log in first and then pull the image:

$ docker login 172.25.47.67
$ docker pull 172.25.47.67/pandora/pandora-redis:latest

Note: In practice, simply replace the IP address above with the hostname (domain name or IP) configured in harbor.cfg.

Upload images (docker push images)

Before uploading an image, you must create a corresponding project on Harbor's web interface, because the image uploaded is stored in the corresponding project.

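First, log in with the docker client. The username and password are those set in Harbor; permissions correspond one-to-one with projects, so your user can only upload images to projects that belong to you.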

$ docker login 172.25.47.67

Tag the image:

$ docker tag ubuntu:14.04 172.25.47.67/pandora/ubuntu:14.04

Upload image:

$ docker push 172.25.47.67/pandora/ubuntu:14.04

Note: In practice, simply replace the IP address above with the hostname (domain name or IP) configured in harbor.cfg.

Delete image repositories

Deleting an image repository requires two steps:

First, delete an image repository on Harbor's web interface. This is a soft deletion. Harbor will no longer manage this repository, but the images in the repository will still be stored in the registry (in Harbor's storage).

Note: If both tagA and tagB point to the same image, after tagA is deleted, tagB will also be deleted.

Next, use the registry's garbage collection (GC) mechanism to delete the files. Before performing GC, make sure that no one is pushing images or that Harbor is not running. If someone is pushing an image while GC is running, there is a risk of some image layers being deleted by mistake. Therefore, it is recommended to stop Harbor before running GC.

Run the following commands on the host where Harbor is deployed to preview the affected files or images.

$ docker-compose stop
$ docker run -it --name gc --rm --volumes-from deploy_registry_1 registry:2.5.0 garbage-collect --dry-run /etc/registry/config.yml

Note: The "--dry-run" option above prints what would be deleted without removing any data. After verifying the result of this test, use the following commands to perform garbage collection and restart Harbor.

$ docker run -it --name gc --rm --volumes-from deploy_registry_1 registry:2.5.0 garbage-collect  /etc/registry/config.yml
$ docker-compose start
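
The two-phase GC procedure above, wrapped so that the real deletion only runs after a successful dry run and Harbor is restarted on every path; this is an added example, not part of the original article. DOCKER and COMPOSE are overridable command names assumed here for testing; the container name, image tag and config path are the ones used above.

```shell
#!/bin/sh
# Added example (not from the article): the GC steps above as one guarded run.
# DOCKER and COMPOSE are overridable command names (an assumption of this
# example); container name, image tag and config path are the article's.
DOCKER="${DOCKER:-docker}"
COMPOSE="${COMPOSE:-docker-compose}"
REGISTRY_CONTAINER="${REGISTRY_CONTAINER:-deploy_registry_1}"
REGISTRY_IMAGE="${REGISTRY_IMAGE:-registry:2.5.0}"

# $1 is "--dry-run" or empty. The article's -it is dropped so no TTY is needed.
run_gc() {
    $DOCKER run --name gc --rm --volumes-from "$REGISTRY_CONTAINER" \
        "$REGISTRY_IMAGE" garbage-collect $1 /etc/registry/config.yml
}

# harbor_gc       -> stop, dry run, restart (preview only, nothing deleted)
# harbor_gc yes   -> stop, dry run, real GC, restart
# Return codes: 0 ok, 1 stop failed, 2 dry run failed, 4 GC failed,
#               5 restart failed.
harbor_gc() {
    $COMPOSE stop || return 1
    status=0
    if ! run_gc --dry-run; then
        status=2                      # never delete after a failed preview
    elif [ "${1:-}" = "yes" ]; then
        run_gc "" || status=4
    fi
    # Restart Harbor on every path so a failed GC never leaves the registry down.
    $COMPOSE start || status=5
    return "$status"
}

# Run only when invoked as: sh harbor-gc.sh run [yes]
if [ "${1:-}" = "run" ]; then harbor_gc "${2:-}"; fi
```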

For more details on GC, see the registry's GC documentation.
https://my.oschina.net/xxbAndy/blog/788350
