Harbor is a CNCF-graduated, open-source container/artifact registry. Think of it as “Docker Hub you self-host,” but with the enterprise plumbing built in: RBAC, vulnerability scanning, image signing, replication, retention policies, and quotas.

1. What Harbor Gives You Over a Plain Registry

The vanilla registry:2 image is just a blob store with a push/pull API. Harbor adds the production-grade plumbing:

  • Projects + RBAC: Group repos, assign roles, integrate LDAP/AD or OIDC.
  • Robot accounts: Scoped, revocable credentials for CI/CD.
  • Vulnerability scanning: Trivy integration with deployment gating.
  • Content trust: Cosign/Notation signature verification.
  • Replication: Geo-distribution and pull-through caching.
  • Lifecycle Management: Tag retention, immutability, and garbage collection.

2. Architecture

Harbor uses cooperating containers: harbor-core (API), registry (OCI backend), harbor-jobservice (async tasks), harbor-db (metadata), redis, trivy-adapter, and nginx (proxy).

3. Installation (Docker Compose)

# Download installer
curl -LO https://github.com/goharbor/harbor/releases/download/vX.Y.Z/harbor-offline-installer-vX.Y.Z.tgz
tar xzvf harbor-offline-installer-vX.Y.Z.tgz
cd harbor

# Configure
cp harbor.yml.tmpl harbor.yml
# Edit hostname, TLS, admin password, and storage backend
sudo ./install.sh --with-trivy

4. Admin Best Practices

  • TLS: Run behind real TLS; set external_url correctly.
  • Admin Security: Change password on first login; use OIDC/LDAP.
  • RBAC: One project per team; least-privilege roles.
  • Automation: Use Robot accounts; rotate them regularly.
  • Scanning: Enable Trivy + gate production deployments.
  • Maintenance: Schedule garbage collection and verify quotas.
  • HA/DR: Use Helm chart + external DB/Redis/S3 for HA.
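
A sketch of the deployment gate from the "Scanning" item above, written for this page as an added example (it is not Harbor's own code). It assumes the artifact JSON has the shape returned by Harbor's v2.0 artifact API when queried with with_scan_overview=true; `SAMPLE`, `BLOCKING` and `gate` are hypothetical names, and the sample response is constructed.

```python
import json

# Constructed sample, shaped like the artifact object Harbor's v2.0 API returns
# with with_scan_overview=true (assumed shape; verify against your version).
SAMPLE = json.loads("""
{
  "digest": "sha256:<constructed-placeholder>",
  "scan_overview": {
    "application/vnd.security.vulnerability.report; version=1.1": {
      "scan_status": "Success",
      "severity": "High",
      "summary": {"total": 7, "fixable": 5,
                  "summary": {"High": 2, "Medium": 4, "Low": 1}}
    }
  }
}
""")

BLOCKING = ("Critical", "High")  # severities that stop a production deploy


def gate(artifact, max_blocking=0):
    """Return (allowed, reason). Fails closed when scan data is missing."""
    reports = artifact.get("scan_overview") or {}
    if not reports:
        return False, "no scan report: artifact was never scanned"
    for report in reports.values():
        status = report.get("scan_status")
        if status != "Success":
            # A queued, running or errored scan is treated as a failed gate.
            return False, f"scan not complete (status={status})"
        counts = (report.get("summary") or {}).get("summary") or {}
        found = sum(int(counts.get(sev, 0)) for sev in BLOCKING)
        if found > max_blocking:
            return False, f"{found} Critical/High findings exceed limit {max_blocking}"
    return True, "scan clean for blocking severities"


if __name__ == "__main__":
    allowed, reason = gate(SAMPLE)
    print("ALLOW" if allowed else "DENY", "-", reason)
    raise SystemExit(0 if allowed else 1)  # non-zero exit fails the CI job
```

In a pipeline, the JSON would come from the registry for the exact digest being deployed, not a mutable tag, so the gate evaluates the same bytes that get pulled.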

5. Backup & Disaster Recovery

Back up the PostgreSQL DB and the Storage Backend (filesystem or S3). Test restores periodically.

6. Day-to-Day Usage

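# Login (the robot secret is read from stdin so it stays out of shell history and process listings;
# HARBOR_ROBOT_SECRET is a placeholder variable holding the robot account's secret)
printf '%s' "$HARBOR_ROBOT_SECRET" | docker login registry.example.com -u 'robot$myproject+ci' --password-stdin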

# Push
docker tag myapp:1.4.0 registry.example.com/backend/myapp:1.4.0
docker push registry.example.com/backend/myapp:1.4.0

7. Troubleshooting

| Symptom | Likely cause |
|---|---|
| Disk full despite deleting images | GC never ran; blobs persist until GC |
| Pulls intermittently fail | GC running or storage backend unreachable |
| Scans stuck/failing | Trivy adapter can’t reach the internet |