Harbor: Container registry for images and artifacts

Aalto University provides an instance of popular Harbor registry for storing and managing images and other artifacts. Service can be found at https://harbor.cs.aalto.fi.

Web login

Currently only Aalto users can login into the service. When you visit https://harbor.cs.aalto.fi you can choose between OIDC provider and local DB. Choose OIDC provider. It will take you to Microsoft sign-in page for Aalto University.

Projects

  • New projects can only be created by CS-IT (guru at cs dot aalto.fi).

  • Each project has project administrators who manages it, and members.

  • Each new member must be added to project individually. Adding existing Aalto unix groups isn’t currently possible without special request and extra work (due to a limitation of the Aalto Azure directory). If a group is very helpful to your work, ask.

  • Trivy vulnerability scanner by Aqua Security is available for all projects. You can see security vulnerabilities on each image page.

Docker access

Never use your Aalto password from the docker command line - push is via a token.

Before first time accessing registry you must install docker-credential-helpers and configure docker to use your local credential store.

To install docker-credential-helpers on Aalto Linux run:

pkcon install golang-docker-credential-helpers

Then add following to ~/.docker/config.json:

{
  "credsStore": "secretservice"
}

Now when you login to registry using docker the token is stored to your credential store.

Login to Harbor using docker doesn’t happen with your Aalto password, but instead you need to get a CLI secret from the Harbor web app. You can find your secret by clicking your email address on right corner and select user profile from dropdown. Last in the user profile dialog is CLI secret that you can copy by clicking the icon next to the field. You can also generate new secret or upload your own secret.

Now run:

docker login https://harbor.cs.aalto.fi

For username enter the username show in the user profile dialog, and for the password use the CLI secret from the same dialog.

Tag the image first before pushing (images must be prefixed with harbor.cs.aalto.fi):

docker tag <source_image>[:<tag>] harbor.cs.aalto.fi/<project>/<repository>[:<tag>]

To push an image to a project use:

docker push harbor.cs.aalto.fi/<project>/<repository>[:<tag>]

You can find the project specific tag and push commands from the repositories page of the project. Similarly the pull commands for individual artifacts can be found in the artifacts page of their repository.

Robot accounts

Harbor supports robot accounts for projects. They can be create from the robot accounts page of project. Each robot account can have different set of permissions. Each robot account should have minimal permissions needed for their use case. After creating the robot account Harbor generates a secret for it. This secret used to login to the account in same way as with normal accounts. If you forget the secret you refresh it to new one later.

Security

Aalto’s Harbor is officially security rated for public data. Still, if you set permissions right it should only be available to those with permissions (unless it’s set to public).