harbor icon indicating copy to clipboard operation
harbor copied to clipboard

Published 20 hours ago verified publisher icon goharbor

A default `library` can be auto appended to the pull path when proxying cache dockerhub

Open steven-zou opened this issue 4 years ago • 10 comments

Now, for pulling popular images of the docker hub, user needs to explicitly specify the library namespace.

docker pull 10.192.203.193/szou_proxy/library/redis:4.0

Actually, we can support the shorten pulling path for dockerhub (so far) by automatically appending the default library if the user does not specify the namespace:

docker pull 10.192.203.193/szou_proxy/redis:4.0

If the user specifies other namespaces, then directly ignore:

docker pull 10.192.203.193/szou_proxy/goharbor/harbor-core:2.1

steven-zou avatar Aug 11 '20 07:08 steven-zou

Is there a plan to implement this ? i am trying to setup a proxy-repository that behaves somewhat like the standard docker registry but currently i need to specify

$HARBOR_SERVER/library/library/$IMAGE:$TAG though i created the proxy project with the name "library"

flixpae avatar Sep 23 '20 10:09 flixpae

if the Proxy Cache support base path could resolve this.

${HARBOR}${BASE_PATH}/${IMAGE} => ${HUB}${BASE_PATH}/${IMAGE}

// new project as Proxy Cache in HARBOR
${HARBOR}/library: proxy_cache("docker.io", "/library")

${HARBOR}/library/nginx:latest => docker.io/library/nginx:latest

When user pull ${HARBOR}/nginx. The path parts only two and automately convert to ${HARBOR}/library/nginx.

The rule could be used for multi proxy too.

// new project as Proxy Cache in HARBOR_PROXY
${HARBOR_PROXY}/docker.io: proxy_cache("docker.io", "")
// new project as Proxy Cache in HARBOR_INTERNAL
${HARBOR_INTERNAL}/docker.io: proxy_cache("${HARBOR_PROXY}", "/docker.io")

${HARBOR_INTERNAL}/docker.io/library/busybox 
=> ${HARBOR_PROXY}/docker.io/library/busybox
=> docker.io/library/busybox

@steven-zou @xaleeks could we support this feature.

morlay avatar Oct 15 '20 08:10 morlay

to what is "mirror proxy support" related ?

flixpae avatar Oct 15 '20 08:10 flixpae

@flixpae just a suggestion.

v2.1 have a new feature Proxy Cache (i renamed it). i think if it support to configure BASE_PATH could solve this issue.

morlay avatar Oct 15 '20 08:10 morlay

from what i understand (read in the documentation) harbor imposes to specify the harbor "project" in the pull command if there would be a way present the docker client with the same path that he expects from e.g index.docker.io. It would be possible to use harbor as a registry-mirror in the docker-daemon config so minimal user adjustment is needed when using harbor as pull-through proxy

@morlay when i change the BASE_PATH how does harbor know if to fetch from remote-registry or a internal project ?

flixpae avatar Oct 15 '20 09:10 flixpae

Proxy cache could not be used in registry-mirror. i think we only pull image with a path prefix.

@flixpae for your usage.

First create a proxy cache project library as proxy_cache("docker.io", "/library")

when you pull

docker pull $HARBOR_SERVER/library/nginx

The request for path /library/nginx fisrt touch harhor, harhor know /library should return from target hub of proxy_cache,

then fetch from target hub with converted path "docker.io" + "/library" + "/nginx"

so the BASE_PATH is for proxy_cache to get pull image full uri.

if want to proxy for all image under docker.io, prefer use docker.io as project name, this could be clear.

# to pull 
docker pull docker.io/library/nginx

# then add host prefix
docker pull $HARBOR_SERVER/docker.io/library/nginx

morlay avatar Oct 15 '20 09:10 morlay

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jul 21 '21 04:07 stale[bot]

we worked around the lack of this feature in our ingress controllers. This is a hack and I would love to see better support in harbor, but using this ingress spec (ingress-nginx specific) we are able to register our harbor instance as a registry mirror in /etc/docker/daemon.json and have commands like docker pull mysql pull from harbor instead of dockerhub.

assuming the proxy cache project is called "proxy" we use:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
    nginx.ingress.kubernetes.io/rewrite-target: /v2/proxy/library/$1
    nginx.ingress.kubernetes.io/rewrite-log: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      if ( $request_uri ~ "scope=repository%3Alibrary(.*)" ) {
        rewrite ^ /service/token?scope=repository%3Aproxy%2Flibrary$1 break;
      }
  labels:
    app: harbor
  name: harbor-proxy-ingress
  namespace: harbor
spec:
  rules:
  - host: harbor.my.domain
    http:
      paths:
      - backend:
          serviceName: harbor-core
          servicePort: 80
        path: /v2/library/(.*)
      - backend:
          serviceName: harbor-core
          servicePort: 80
        path: /service/token

this rewrites the request URL made to harbor for the image to include the proxy project name, and modifies the token request parameters to include the project scope.

mmiller1 avatar Nov 05 '21 16:11 mmiller1

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 16 '22 19:04 stale[bot]

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Jul 07 '22 09:07 github-actions[bot]