This document discusses container image management in enterprises and introduces Project Harbor, an open source container registry. It covers key topics like container image basics, Project Harbor features, maintaining consistency of images between environments, security and access control of images, image distribution strategies, and high availability of container registries. Project Harbor provides an enterprise-grade private registry with features for user management, image replication, security, and integration with systems like LDAP. It aims to help organizations securely manage the distribution and storage of container images.

1. © 2017 VMware Inc. All rights reserved.
Secure and Efficient Container Image
Management in Enterprise
Henry Zhang
Chief Architect, Cloud Native Apps
R&D, VMware China

2. About Me
• Chief Architect, VMware China R&D
– Current focus: Cloud Native Apps, Blockchain, IoT
• Creator and Architect of Project Harbor, an open source enterprise
class container registry
• Full stack engineer
• Coauthor of two books (in Chinese):
– Blockchain Technical Guides
– Software Defined Storage: Principle, Practice and Ecosystem

3. Agenda
1 Container Image Basics
2 Project Harbor Introduction
3 Consistency of Images
4 Security
5 Image Distribution
6 High Availability of Registry

4. Agenda
1 Container Image Basics
2 Project Harbor Introduction
3 Consistency of Images
4 Security
5 Image Distribution
6 High Availability of Registry

5. Registry
Lifecycle of Containers and Images
5
Images
Containers
Dockerfile
tar archive
Run
Stop
Start
Restart
Commit
Build
tag
Push
Pull
Save
Load
Images

6. Registry
Images
6
Push Pull
• Repository for storing images
• Intermediary for shipping and distributing images
• Ideal for access control and other image management
Registry - Key Component to Manage Images

7. Agenda
1 Container Image Basics
2 Project Harbor Introduction
3 Consistency of Images
4 Security
5 Image Distribution
6 High Availability of Registry

8. Project Harbor
• An open source enterprise-class registry server.
• Initiated by VMware China, adopted by users worldwide.
• Apache 2 license.
• https://github.com/vmware/harbor/
8

9. Key Features
• User management & access control
– RBAC: admin, developer, guest
– AD/LDAP integration
• Policy based image replication
• Web UI
• Audit and logs
• Restful API for integration
• Lightweight and easy deployment
9

10. Users, Partners and Developers
200+
• Developers
• Users
2200+10K+
Downloads Stars Users
49
Contributors
600+
Forks
6
Partners
10

11. Harbor Architecture
11
Registry v2
Docker
client
Nginx
API
Harbor
Browser
Auth
UI
DB
AD /
LDAP
Admin
Server
Log
Collector
Replication
job service
Notary
client
Remote
Harbor
Instance
Notary

12. Image replication (synchronization)
12
Project
Images
Policy
Image
Project
Images
Initial replication
Image
incremental replication
(including image deletion)

13. Agenda
1 Container Image Basics
2 Project Harbor Introduction
3 Consistency of Images
4 Security
5 Image Distribution
6 High Availability of Registry

14. Consistency of Container Images
• Container images are used throughout the life cycle of
software development
– Dev
– Test
– Staging
– Production
• Consistency must be maintained
– Version control
– Issue tracking
– Troubleshooting
– Auditing
14

15. Same Dockerfile Always Builds Same Image?
• Base image ubuntu:latest could be changed between builds
• ubuntu:14.04 could also be changed due to patching
• apt-get (curl, wget..) cannot guarantee always to install the
same packages
• ADD depends on the build time environment to add files
15
Example:
FROM ubuntu
RUN apt-get install –y python
ADD app.jar /myapp/app.jar

16. Shipping Images in Binary Format for Consistency
16
Dev Registry
Test Registry
Staging Registry Production
Registry
images
CI
Git
images
images
images
images
images
Images are synchronized between environments
by using Harbor registry.

17. Agenda
1 Container Image Basics
2 Project Harbor Introduction
3 Consistency of Images
4 Security
5 Image Distribution
6 High Availability of Registry

18. Access Control to Images
• Organizations often keep images within their own organizations
– Intellectual property stays in organization
– Efficiency: LAN vs WAN
• People with different roles should have different access
– Developer – Read/Write
– Tester – Read Only
• Different environments should enforce different rules
– Dev/test env – many people can access
– Production – a limited number of people can access
• Can be integrated with internal user management system
– LDAP/Active Directory
18

19. Example: Role Based Access Control in Harbor
19
Project
Members Images
Guest:
Developer:
Admin:
${Project}/ubuntu:14.04
${Project}/nginx:1.8, 1.9
${Project}/golang:1.6.2
${Project}/redis:3.0
…...
docker pull ...
docker pull/push ...

20. Other security considerations
• Enable content trust by installing Notary service
– Image is signed by publisher’s private key during pushing
– Image is verified using publisher’s public key during pulling
• Perform vulnerability scanning
– Identify images with vulnerabilities during pushing
– Prevent images with vulnerabilities from being pulled
– Regular scanning based on updated vulnerability database
20

21. Agenda
1 Container Image Basics
2 Project Harbor Introduction
3 Consistency of Images
4 Security
5 Image Distribution
6 High Availability of Registry

22. Image Distribution
• Container images are usually distributed from a registry.
• Registry becomes the bottleneck for a large cluster of nodes
– I/O
– Network
• Scaling out an registry server
– Multiple instances of registry sharing same storage
– Multiple instances of independent registry sharing no storage
22

23. Image Distribution via Master-Slave Replication
23Master – Slave model
Docker
Client
push
Docker
host
Docker
host
pull
Docker
host
Docker
host
Docker
host
Docker
host
• Load balancing
• Works well with geographically
distributed clients

24. Hierarchical Image Distribution
24
Hierarchical
Docker
Client
push

25. Agenda
1 Container Image Basics
2 Project Harbor Introduction
3 Consistency of Images
4 Security
5 Image Distribution
6 High Availability of Registry

26. High Availability of Registry
• To remove single point of failure on registry
• Three models to achieve HA
– Shared storage
– Replication ( no shared storage )
– Using other HA platform
26

27. Shared Storage
LB
Request
Registry instances
Registries using Shared Storage

28. Image replication between registries
28
LB
Request

29. VMware ESXi-1
Docker Volume Driver for
vSphere
VMware ESXi-2
Docker Volume Driver for
vSphere
VMware ESXi-3
Docker Volume Driver for
vSphere
Shared Storage
Virtual SAN
Docker Volume -1
Docker Host VM
Harbor
vSphere Docker Volume
Plugin
Docker Volume -2 Docker Volume-3
Other Docker
Volume s
Registry HA on vSphere

30. VMware ESXi-1
Docker Volume Driver for
vSphere
VMware ESXi-2
Docker Volume Driver for
vSphere
VMware ESXi-3
Docker Volume Driver for
vSphere
Shared Storage
Virtual SAN
Docker Volume -1
Docker Host VM
Harbor
vSphere Docker Volume
Plugin
Docker Volume -2 Docker Volume-3
Other Docker
Volume s
Registry HA on vSphere
Docker Host VM
Harbor
vSphere Docker Volume
Plugin
X

31. Summary
• Container image is the static part of container
lifecycle
• Registry is the key component to manage images
• Organizations usually need a private registry
– Security
– Efficiency
31

32. Thank you!
https://github.com/vmware/harbor