Running VMware Harbor™ in a vCloud Air Network Environment
Continuing with the series of posts related to running Containers on vCloud Air Network (vCAN), this post covers VMware Harbor™. VMware Harbor™ is VMware’s enterprise-class registry server for Docker images. Private registry servers like VMware Harbor™, allow storage of Docker images without publishing them publicly on the internet and adds an additional layer of control that’s often desired in enterprise environments.
This post will show how to deploy VMware Harbor™, add the new registry to VMware Admiral™, then deploy and push images to the registry. Since VMware Harbor™ has no special infrastructure requirements, this post applies to both providers as well as tenants wishing to deploy their own container service. If you have not already, refer to https://blogs.vmware.com/vcat/2017/01/hybrid-container-management-vcloud-director-photon-os-admiral.html to deploy the VMware Admiral™ and VMware Photon OS™ components needed in this post.
The diagram below shows a high-level view of VMware Harbor™ added to the container management platform within a vCloud Director vApp.
Prepare VMware Harbor Template
Creating the VMware Harbor template requires additional steps beyond just importing the ova into the vCloud Director catalog. The key step here is using ovftool to ensure the required ovf properties are imported correctly.
- Download the VMware Harbor ova from http://vmware.github.io/harbor/.
- Ensure ovftool is installed. If not, it can be obtained at https://www.vmware.com/support/developer/ovf/.
- Import the ova as vApp (not vApp Template) using ovftool.
ovftool --noSSLVerify --acceptAllEulas --name=Harbor --net:"Network 1"="My Network" --diskMode=thin --X:waitForIp --X:injectOvfEnv --X:enableHiddenProperties --prop:auth_mode="db_auth" --prop:root_pwd="password" --prop:harbor_admin_password="password --prop:db_password="password" --prop:vm.vmname=Harbor "C:\Users\Administrator\Downloads\harbor_0.5.0-9e4c90e.ova" "vcloud://administrator:firstname.lastname@example.org?org=Admin&vapp=Harbor"
- Navigate to the Harbor VM in the Harbor vApp in the vCloud Director UI.
- Import the Harbor vApp into the catalog. It’s important to create the vApp Template before powering on the VM to ensure that the first boot script only runs when deployed from the template.
Deploy VMware Harbor™ vApp
Now that the vApp Template is ready, it’s time to deploy the Harbor vApp. Note, that since the template was created with DHCP, special care is needed if you wish to deploy it with static IPs.
- Deploy the Harbor vApp from catalog.
- The simplest method is to deploy the vApp with DHCP. For DHCP, set IP allocation to DHCP in Network Mapping and leave all Networking Properties fields blank in Custom Properties.
- To deploy the vApp with a static IP, set IP allocation to “Static – Manual” in Network Mapping and enter the necessary IP configuration in the Networking Properties fields under Custom Properties.
- Power on the Harbor vApp.
- Connect to Harbor at https://HARBORIP/dashboard# using admin and the password provided during deployment.
Add VMware Harbor™ Registry to VMware Admiral™
- Logon to Admiral UI.
- Navigate to Templates / Manage Repositories.
- Add the new Harbor server as a registry.
- Click Verify then the check mark to finish adding Harbor.
Configure Photon OS™ to Trust VMware Harbor™
Because Harbor was deployed with a self-signed SSL certificate, the Photon OS hosts need to be configured to trust Harbor. Each Photon OS host needs Harbor’s root certificate locally to validate Harbor SSL certificate. These commands must be executed on each Photon OS host either directly or via Guest Customization.
# Set environment variables HARBORUSER=admin HARBORPASSWORD=password HARBORFQDN=harbor.example.com HARBORIP=192.168.100.142 # Download root certificate for Harbor FQDN mkdir -p /etc/docker/certs.d/$HARBORFQDN curl -k -L -u $HARBORUSER:$HARBORPASSWORD https://$HARBORFQDN/api/systeminfo/getcert -o /etc/docker/certs.d/$HARBORFQDN/ca.crt # Download root certificate for Harbor FQDN:443 mkdir -p /etc/docker/certs.d/$HARBORFQDN:443 curl -k -L -u $HARBORUSER:$HARBORPASSWORD https://$HARBORFQDN/api/systeminfo/getcert -o /etc/docker/certs.d/$HARBORFQDN:443/ca.crt # Download root certificate for Harbor IP mkdir -p /etc/docker/certs.d/$HARBORIP curl -k -L -u $HARBORUSER:$HARBORPASSWORD https://$HARBORIP/api/systeminfo/getcert -o /etc/docker/certs.d/$HARBORIP/ca.crt # Download root certificate for Harbor IP:443 mkdir -p /etc/docker/certs.d/$HARBORIP:443 curl -k -L -u $HARBORUSER:$HARBORPASSWORD https://$HARBORIP/api/systeminfo/getcert -o /etc/docker/certs.d/$HARBORIP:443/ca.crt # Restart Docker systemctl daemon-reload systemctl restart docker
Deploy Containers from VMware Harbor™
At this stage, Photon OS hosts and Admiral trust the new Harbor server so containers can be provisioned.
- Connect to Admiral at http://<admiralip>:8282.
- Click Templates.
- Search for the Photon template and deploy the one from the Harbor registry. You can identify it from the repository URL under the template name.
- Verify the Photon container deployed successfully.
Push Docker Image to VMware Harbor™
Now it’s time to start pushing images to the new VMware Harbor registry. This section walks through tagging an image and pushing it to the registry.
- Login to the Harbor sever.
root@Photon-0 [ ~ ]# docker login https://192.168.100.142:443 Username: admin Password: Login Succeeded
- List the available images.
root@Photon-0 [ ~ ]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE 168.100.142:443/library/nginx latest cc1b61406712 4 weeks ago 181.8 MB nginx latest cc1b61406712 4 weeks ago 181.8 MB 192.168.100.142/library/admiral_agent 0.9.1 2104134d707d 9 weeks ago 155.3 MB vmware/admiral_agent 0.9.1 2104134d707d 9 weeks ago 155.3 MB photon latest e6e4e4a2ba1b 8 months ago 127.5 MB
- Tag the image.
root@Photon-0 [ ~ ]# docker tag nginx:latest 192.168.100.142:443/library/nginx
- Push the image.
root@Photon-0 [ ~ ]# docker push 192.168.100.142:443/library/nginx The push refers to a repository [192.168.100.142:443/library/nginx] 7d530616ebc2: Pushed db07381cb585: Pushed a2ae92ffcd29: Pushed latest: digest: sha256:f2d384a6ca8ada733df555be3edc427f2e5f285ebf468aae940843de8cf74645 size: 948
- Verify the new image is available in Admiral UI.
Adding VMware Harbor™ to manage containers running on a vCloud Air Network provider is simple, as shown above. VMware Harbor provides many benefits, which include a private location to store Docker images and enterprise class management. Additional information about VMware Harbor is available at http://vmware.github.io/harbor/.
Stay tuned here for additional Container related topics with vCloud Air Network providers.