

Hybrid Container Management for vCloud Director with VMware Harbor™

Running VMware Harbor™ in a vCloud Air Network Environment

Continuing the series of posts on running containers on vCloud Air Network (vCAN), this post covers VMware Harbor™.  VMware Harbor™ is VMware’s enterprise-class registry server for Docker images.  Private registry servers like VMware Harbor™ allow storage of Docker images without publishing them publicly on the internet and add a layer of control that’s often desired in enterprise environments.

This post shows how to deploy VMware Harbor™, add the new registry to VMware Admiral™, then deploy and push images to the registry.  Since VMware Harbor™ has no special infrastructure requirements, this post applies both to providers and to tenants wishing to deploy their own container service.  If you have not already done so, refer to https://blogs.vmware.com/vcat/2017/01/hybrid-container-management-vcloud-director-photon-os-admiral.html to deploy the VMware Admiral™ and VMware Photon OS™ components needed in this post.

The diagram below shows a high-level view of VMware Harbor™ added to the container management platform within a vCloud Director vApp.

Prepare VMware Harbor Template

Creating the VMware Harbor template requires additional steps beyond just importing the ova into the vCloud Director catalog.  The key step here is using ovftool to ensure the required ovf properties are imported correctly.

  1. Download the VMware Harbor ova from http://vmware.github.io/harbor/.
  2. Ensure ovftool is installed. If not, it can be obtained at https://www.vmware.com/support/developer/ovf/.
  3. Import the ova as vApp (not vApp Template) using ovftool.
    ovftool --noSSLVerify --acceptAllEulas --name=Harbor --net:"Network 1"="My Network" --diskMode=thin --X:waitForIp --X:injectOvfEnv --X:enableHiddenProperties --prop:auth_mode="db_auth" --prop:root_pwd="password" --prop:harbor_admin_password="password" --prop:db_password="password" --prop:vm.vmname=Harbor "C:\Users\Administrator\Downloads\harbor_0.5.0-9e4c90e.ova" "vcloud://administrator:password@vcd.corp.local?org=Admin&vapp=Harbor"
  4. Navigate to the Harbor VM in the Harbor vApp in the vCloud Director UI.
  5. Import the Harbor vApp into the catalog.  It’s important to create the vApp Template before powering on the VM to ensure that the first boot script only runs when deployed from the template.

Deploy VMware Harbor™ vApp

Now that the vApp Template is ready, it’s time to deploy the Harbor vApp.  Note that because the template was created with DHCP, special care is needed if you wish to deploy it with static IPs.

  1. Deploy the Harbor vApp from catalog.
  2. The simplest method is to deploy the vApp with DHCP.  For DHCP, set IP allocation to DHCP in Network Mapping and leave all Networking Properties fields blank in Custom Properties.

  3. To deploy the vApp with a static IP, set IP allocation to “Static – Manual” in Network Mapping and enter the necessary IP configuration in the Networking Properties fields under Custom Properties.
  4. Power on the Harbor vApp.
  5. Connect to Harbor at https://HARBORIP/dashboard# using admin and the password provided during deployment.

Add VMware Harbor™ Registry to VMware Admiral™

  1. Log on to the Admiral UI.
  2. Navigate to Templates / Manage Repositories.
  3. Add the new Harbor server as a registry.
  4. Click Verify, then the check mark, to finish adding Harbor.

Configure Photon OS™ to Trust VMware Harbor™

Because Harbor was deployed with a self-signed SSL certificate, the Photon OS hosts need to be configured to trust Harbor.  Each Photon OS host needs Harbor’s root certificate locally to validate Harbor’s SSL certificate. These commands must be executed on each Photon OS host, either directly or via Guest Customization.

    # Set environment variables
    HARBORUSER=admin
    HARBORPASSWORD=password
    HARBORFQDN=harbor.example.com
    HARBORIP=192.168.100.142

    # Download root certificate for Harbor FQDN
    mkdir -p /etc/docker/certs.d/$HARBORFQDN
    curl -k -L -u $HARBORUSER:$HARBORPASSWORD https://$HARBORFQDN/api/systeminfo/getcert -o /etc/docker/certs.d/$HARBORFQDN/ca.crt

    # Download root certificate for Harbor FQDN:443
    mkdir -p /etc/docker/certs.d/$HARBORFQDN:443
    curl -k -L -u $HARBORUSER:$HARBORPASSWORD https://$HARBORFQDN/api/systeminfo/getcert -o /etc/docker/certs.d/$HARBORFQDN:443/ca.crt

    # Download root certificate for Harbor IP
    mkdir -p /etc/docker/certs.d/$HARBORIP
    curl -k -L -u $HARBORUSER:$HARBORPASSWORD https://$HARBORIP/api/systeminfo/getcert -o /etc/docker/certs.d/$HARBORIP/ca.crt

    # Download root certificate for Harbor IP:443
    mkdir -p /etc/docker/certs.d/$HARBORIP:443
    curl -k -L -u $HARBORUSER:$HARBORPASSWORD https://$HARBORIP/api/systeminfo/getcert -o /etc/docker/certs.d/$HARBORIP:443/ca.crt

    # Restart Docker
    systemctl daemon-reload
    systemctl restart docker
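
The commands above fetch the certificate with `curl -k`, so the download itself is not authenticated. As an added example (not part of the original post), the functions below compare the certificate's SHA-256 fingerprint with a value obtained out of band before copying it into each `certs.d` directory. `EXPECTED_FP`, the function names and the `/tmp/harbor-ca.crt` path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. EXPECTED_FP (a fingerprint read
# out of band, e.g. from the Harbor VM console) is an assumption.

# Print the SHA-256 fingerprint (lowercase hex, no colons) of the first
# certificate in a PEM file. This is the hash of the DER bytes, the same
# value `openssl x509 -noout -fingerprint -sha256` reports.
cert_fingerprint() {
    awk '/-----BEGIN CERTIFICATE-----/ {f=1; next}
         /-----END CERTIFICATE-----/   {exit}
         f' "$1" | tr -d '\r' | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Normalise a fingerprint written as AA:BB:... to lowercase hex.
normalise_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# install_registry_ca CERT EXPECTED_FP CERTS_ROOT NAME...
# Returns 0 after copying CERT to CERTS_ROOT/NAME/ca.crt for every NAME,
# 1 on fingerprint mismatch (nothing is copied), 2 on any other error.
install_registry_ca() {
    [ "$#" -ge 4 ] || return 2
    cert=$1; expected=$(normalise_fp "$2"); root=$3; shift 3
    [ -s "$cert" ] || return 2
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || return 2
    actual=$(cert_fingerprint "$cert")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $cert: got $actual" >&2
        return 1
    fi
    for name in "$@"; do
        mkdir -p "$root/$name" || return 2
        cp "$cert" "$root/$name/ca.crt" || return 2
    done
}

# Typical use on a Photon OS host, fetching the certificate once:
#   curl -k -L -u "$HARBORUSER:$HARBORPASSWORD" \
#     "https://$HARBORFQDN/api/systeminfo/getcert" -o /tmp/harbor-ca.crt
#   install_registry_ca /tmp/harbor-ca.crt "$EXPECTED_FP" /etc/docker/certs.d \
#     "$HARBORFQDN" "$HARBORFQDN:443" "$HARBORIP" "$HARBORIP:443" \
#     && systemctl restart docker
```
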

Deploy Containers from VMware Harbor™

At this stage, Photon OS hosts and Admiral trust the new Harbor server so containers can be provisioned.

  1. Connect to Admiral at http://<admiralip>:8282.
  2. Click Templates.
  3. Search for the Photon template and deploy the one from the Harbor registry.  You can identify it from the repository URL under the template name.
  4. Verify the Photon container deployed successfully.

Push Docker Image to VMware Harbor™

Now it’s time to start pushing images to the new VMware Harbor registry.  This section walks through tagging an image and pushing it to the registry.

  1. Log in to the Harbor server.

    root@Photon-0 [ ~ ]# docker login https://192.168.100.142:443
    Username: admin
    Password:
    Login Succeeded
  2. List the available images.

    root@Photon-0 [ ~ ]# docker images
    REPOSITORY                              TAG                 IMAGE ID            CREATED             SIZE
    192.168.100.142:443/library/nginx       latest              cc1b61406712        4 weeks ago         181.8 MB
    nginx                                   latest              cc1b61406712        4 weeks ago         181.8 MB
    192.168.100.142/library/admiral_agent   0.9.1               2104134d707d        9 weeks ago         155.3 MB
    vmware/admiral_agent                    0.9.1               2104134d707d        9 weeks ago         155.3 MB
    photon                                  latest              e6e4e4a2ba1b        8 months ago        127.5 MB
  3. Tag the image.
    root@Photon-0 [ ~ ]# docker tag nginx:latest 192.168.100.142:443/library/nginx
  4. Push the image.
    root@Photon-0 [ ~ ]# docker push 192.168.100.142:443/library/nginx
    The push refers to a repository [192.168.100.142:443/library/nginx]
    7d530616ebc2: Pushed
    db07381cb585: Pushed
    a2ae92ffcd29: Pushed
    latest: digest: sha256:f2d384a6ca8ada733df555be3edc427f2e5f285ebf468aae940843de8cf74645 size: 948
  5. Verify the new image is available in Admiral UI.

Conclusion

Adding VMware Harbor™ to manage containers running on a vCloud Air Network provider is simple, as shown above.  VMware Harbor provides many benefits, which include a private location to store Docker images and enterprise class management.  Additional information about VMware Harbor is available at http://vmware.github.io/harbor/.

Stay tuned here for additional Container related topics with vCloud Air Network providers.