Learn how to use Harbor
•
1 like•703 views
Talk on Harbor open source container image and helm chart repository presented to Los Angeles Kubernetes meetup on September 27, 2018
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Learn how to use Harbor
Similar to Learn how to use Harbor (20)
More from Steve Wong
More from Steve Wong (11)
Recently uploaded
Recently uploaded (20)
Learn how to use Harbor
- 1. │ ©
- 2. Speaker Steve Wong Open Source Engineer VMware Community participant: – Container Storage Interface – DC/OS – Kubernetes – Mesos – REX-Ray
- 3. │ ©
- 4. │ © 4 Images Containers Stop Start Restart RunCommit Dockerfile Build tag tar archive Save Load Push Registry Images Pull
- 6. │ © • Base image ubuntu:latest could be changed between builds • ubuntu:14.04 could also be changed due to patching • apt-get (curl, wget..) cannot guarantee always to install the same packages • ADD depends on the build time environment to add files Example: FROM ubuntu RUN apt-get install –y python ADD app.jar /myapp/app.jar
- 7. │ © • Get valid results throughout the full life cycle of software development – Dev – Test – Staging – Production • Consistency in production – Version control – Issue tracking – Troubleshooting – Auditing – “Snowflake” avoidance
- 8. │ © Dev Registry CI Git Test Registry images images images Staging Registry images images Production Registry images Images are synchronized between environments by using Harbor registry.
- 9. │ ©
- 10. │ © With VMs, the hypervisor isolates guests from each other and the hypervisor itself. Docker is designed to have containers share the same kernel. Linux namespaces, cgroups, and maybe some additional distribution specific features can provide a security barrier, assuming the kernel and these features are bug- free. If Linux is bug free, or if nobody ever exploits bugs, we have nothing to worry about
- 11. │ © Linux kernel security flaw lifetimes Critical: 3 @ 5.2 years average High 44 @ 6.2 years average Medium 404 @ 5.2 years average Low: 216 @ 5.5 years average
- 12. │ ©
- 13. │ © Your own in-house code images – Intellectual property stays in organization 3rd party images – Resiliency, speed: LAN vs WAN People with different roles should have different access – Developer – Read/Write – Tester, Production – Read Only Different rules should be enforced in different environments – Dev/test env – many people can access – Production – a limited number of people can access Can be integrated with internal user management system – LDAP/Active Directory
- 14. │ © Project Members Images Guest: Developer: Admin: ${Project}/ubuntu:14.04 ${Project}/nginx:1.8, 1.9 ${Project}/golang:1.6.2 ${Project}/redis:3.0 …... docker pull ... docker pull/push ...
- 15. │ © • Enable content trust by installing Notary service – Image is signed by publisher’s private key during pushing – Image is pulled using digest • Perform vulnerability scanning – Identify images with vulnerabilities during pushing – Prevent images with vulnerabilities from being pulled – Regular scanning based on updated vulnerability database
- 16. │ © Registry Notary Image Creator Image Consumer
- 17. │ © • Static analysis of vulnerability by inspecting filesystem of container image and indexing features in database. • Rescanning is needed only and only if new detectors are added. • Update vulnerability data regularly – Debian Security Bug Tracker – Ubuntu CVE Tracker – Red Hat Security Data – Oracle Linux Security Data – Alpine SecDB
- 18. │ ©
- 19. │ ©
- 20. │ © • • • • •
- 22. │ © • •
- 23. │ ©
- 25. │ © ▪ ▪
- 26. │ ©
- 27. │ ©
- 28. │ © docker login harborvm.localdomain docker pull nginx:1.13 docker tag nginx:13 harborvm.localdomain/test/nginx:V1 docker push harborvm.localdomain/test/nginx:V1 Default admin is admin pw=Harbor12345 Create a user (e.g. steve) Create a project (e.g. test)
- 29. │ ©
- 30. │ ©