Open Source Project Harbor: Efficient & Secure Container Image Management

One of VMware’s most popular open source projects is Project Harbor, an enterprise-class registry server with hundreds of users worldwide. At VMworld, Henry Zhang, chief architect of Project Harbor, delivered a vBrownBag presentation on efficient and secure container image management using Harbor.

Watch the full vBrownBag video below for a demo of Project Harbor, including how to replicate a container image and perform vulnerability scanning. Read on for some of the biggest takeaways from Henry’s presentation.

Container Image Basics

There are two important aspects of container management:

  1. Managing a running container
  2. Managing the static image

When a container is running, it mirrors the application it contains on an operating system. When a container is not running, it is a static image or file. A lot of management happens with these static images.

A key component of managing container images is a registry. When someone creates a container image, the idea is to share the image with others. A container image can be pushed or uploaded to a registry service. From there, others can pull or download it from their own hosts. Think of registries as a repository for storing container images that facilitates the distribution of images for applications.

Project Harbor

As an open source enterprise-class registry server, Project Harbor is a useful tool for the management of container images and offers lightweight and easy deployment. Initiated by VMware China, Project Harbor integrates into vSphere Integrated Containers (VIC) and VMware Pivotal Container Service (PKS), and has an Apache 2 license.

With more than 300 active users worldwide, Project Harbor has been downloaded more than 20,000 times. Fifty-five contributors and six partners work closely together on Project Harbor, contributing more than 700 forks to the project, which means they are forking it and using their own code for container image management.

Consistency of Images

Developers use container images throughout the lifecycle of software development for a few key reasons. During the development and production stages, issues can arise if there are different versions of container images for an application being developed. Maintaining the consistency of these images is crucial for version control, issue tracking, troubleshooting and auditing. Project Harbor helps facilitate consistency and maintain the same exact container images throughout all environments.

Key Features of Project Harbor

Project Harbor possesses a number of key features that allow for the efficient and secure management of container images, as well as ensuring these images remain consistent. Some of these key features are:

  • User Management & Access Control – Organizations often keep container images within their own private registries so that intellectual property stays safe and internal. Organizations can apply role-based access, meaning people with different roles have different access codes. (E.g. Developers can read/write, testers can only read). Administrators control who has access to what, and can also integrate with an internal user management system (LDAP/Active directory). Because of this, private registries are much more efficient and secure when it comes to accessing, downloading and pushing images.
  • Policy-based Image Replication (Synchronization) – Policy-based image replication helps organizations populate all the container images from one source registry to their destination. An identical copy of an image from one instance to the other results. When a new image is pushed to Harbor, it incrementally replicates to the other side, resulting in a totally synchronized copy of Harbor in another environment. Policy-based image replication has proven extremely useful, and is one of the most popular features among users.
  • Notary – A security feature that enables content trust. With a notary service, a publisher’s private key signs a container image during push and stores it in a digest. The image can then be pulled using the contents of the digest. A notary service ensures that the images being pushed and pulled always come from a trusted, reliable source.
  • Vulnerability Scanning – Vulnerability scanning is a new feature that identifies container images with vulnerabilities during push and prevents images with vulnerabilities from being pulled. Organizations can conduct regular scanning based on an updated vulnerability database as well.

Image Distribution

Because container images are usually distributed from a registry, a large cluster of nodes can create a bottleneck inside the registry. If multiple people pull images from a registry at the same time, it can become congested and extremely slow. To solve this issue, Project Harbor scales out its registry server. Users can have multiple instances of a registry sharing the same storage or multiple instances of independent registry sharing with no storage.

Project Harbor accomplishes image distribution via a process known as master-slave replication. Users can replicate or distribute Project Harbor to a second tier of registry instances and push an image to that upper level, allowing other Docker hosts to pull images from it. For geographically distributed organizations, this is a major benefit. Harbor can also support multi-level image distribution as well.

To learn even more about Project Harbor and how to manage container images using it, be sure to watch Henry’s full vBrownBag presentation.

Check back with the Open Source Blog for more information around Project Harbor, and follow us on Twitter @VMWopensource.


Leave a Reply

Your email address will not be published.