Add harbor to our integration testing suite?
What is the problem you're trying to solve
Right now, we rely solely on distribution registry (and cesanta/docker_auth) for login/push/pull testing.
It is a possibility that Harbor has some specific behaviors diverging from mainline registry (eg, looking at https://github.com/containerd/nerdctl/issues?q=is%3Aissue+is%3Aopen+harbor )
Describe the solution you'd like
Suggestion is to add https://hub.docker.com/r/bitnami/harbor-registry as one of our options, and test against it as well.
If this does not uncover any issue at all, then we can consider disabling it.
Additional context
No response
I am currently working for ovhcloud where we use harbor for our managed private registry. I can confirm that it is becoming more popular so improving the support of harbor is a very good point.
Thanks @fahedouch. It is on my radar for #3249 - I will make sure to get it done.
Notes:
Just spent some time on this. This is not looking too good. The documented installation process for Harbor is very lacunar and buggy. They point to a gist that simply does not work, and release an install script that does not work well either:
- several permissions bugs (likely not setting perm properly - possibly related to blissful ignorance of umask)
- confusing / broken TLS instructions
- huge / complex system, with assumed large requirements (eg: logging)
- no arm version of their images
That last point is a big deal - because of the sad state of qemu, and because not running native will impair performance.
In a shell, yes, this is feasible (everything is feasible, right?), but this looks particularly painful.
Here is about what has to happen:
```bash
# Download and unpack the online installer
curl -O -fsSL https://github.com/goharbor/harbor/releases/download/v2.13.1/harbor-online-installer-v2.13.1.tgz
tar -xvf harbor-online-installer-v2.13.1.tgz

# Create a private root CA
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=MyPersonal Root CA" \
  -key ca.key \
  -out ca.crt

# Create the server key and certificate signing request
openssl genrsa -out yourdomain.com.key 4096
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
  -key yourdomain.com.key \
  -out yourdomain.com.csr

# The registry is addressed by IP, so the SAN must be an IP entry:
# clients do not match a DNS entry against an IP address.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1=192.168.5.15
EOF

# Sign the server certificate with the CA
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in yourdomain.com.csr \
  -out yourdomain.com.crt

# Docker expects the client-side copy with a .cert extension
openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert

# Install the certificates for the Docker daemon
sudo mkdir -p /etc/docker/certs.d/192.168.5.15/
sudo cp yourdomain.com.cert /etc/docker/certs.d/192.168.5.15/
sudo cp yourdomain.com.key /etc/docker/certs.d/192.168.5.15/
sudo cp ca.crt /etc/docker/certs.d/192.168.5.15/
sudo systemctl restart docker

cd harbor
cp ../yourdomain* .
```
Edit harbor.yml file to read:
```yaml
hostname: 192.168.5.15
https:
  # https port for harbor, default is 443
  port: 443
  # The path of cert and key files for nginx
  certificate: /home/apo.linux/harbor/yourdomain.com.crt
  private_key: /home/apo.linux/harbor/yourdomain.com.key
```
Then
```bash
./prepare
# Fix permissions idiocy
sudo find ./common/ -type f -exec chmod a+r {} \;
docker compose down -v
docker compose up -d
```
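
A post-setup check for the steps above, as an added example that is not part of the original thread or of Harbor's installer: it verifies that the server certificate chains to the CA and carries an IP SAN for the registry address, and lists files under `common/` that are not world-readable. The function names and argument order are assumptions; the file names follow the commands in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# file names follow the commands posted above.

# cert_has_ip_san CERT IP: succeed only if CERT carries an IP subjectAltName
# equal to IP. A SAN written as DNS.1=<ip> does not count.
cert_has_ip_san() {
    # openssl prints "IP <ip> does match certificate" or
    # "IP <ip> does NOT match certificate"
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# cert_chains_to CA CERT: succeed if CERT verifies against the CA file.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# unreadable_files DIR: print regular files without the world-read bit
# (octal 004), which is what a restrictive umask such as 077 leaves behind.
unreadable_files() {
    find "$1" -type f ! -perm -004
}

# check_harbor_setup IP CA CERT COMMON_DIR: run all three checks,
# report each failure, and return non-zero if any check failed.
check_harbor_setup() {
    rc=0
    cert_chains_to "$2" "$3" ||
        { echo "FAIL: $3 does not verify against $2"; rc=1; }
    cert_has_ip_san "$3" "$1" ||
        { echo "FAIL: $3 has no IP SAN for $1"; rc=1; }
    bad=$(unreadable_files "$4")
    [ -z "$bad" ] || { printf 'FAIL: not world-readable:\n%s\n' "$bad"; rc=1; }
    return "$rc"
}

# Run only when arguments are given, for example from the harbor directory:
#   sh check.sh 192.168.5.15 ../ca.crt yourdomain.com.crt ./common
if [ "$#" -gt 0 ]; then check_harbor_setup "$@"; fi
```
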