You set system level parameters for Harbor in the harbor.yml
file that is contained in the installer package. These parameters take effect when you run the install.sh
script to install or reconfigure Harbor.
After the initial deployment and after you have started Harbor, you perform additional configuration in the Harbor Web Portal.
Required Parameters
The table below lists the parameters that must be set when you deploy Harbor. By default, all of the required parameters are uncommented in the harbor.yml
file. The optional parameters are commented with #
. You do not necessarily need to change the values of the required parameters from the defaults that are provided, but these parameters must remain uncommented. At the very least, you must update the hostname
parameter.
IMPORTANT: Harbor does not ship with any certificates. In versions up to and including 1.9.x, by default Harbor uses HTTP to serve registry requests. This is acceptable only in air-gapped test or development environments. In production environments, always use HTTPS.
You can use certificates that are signed by a trusted third-party CA, or you can use self-signed certificates. For information about how to create a CA, and how to use a CA to sign a server certificate and a client certificate, see Configuring Harbor with HTTPS Access.
Parameter | Sub-parameters | Description and Additional Parameters |
---|---|---|
hostname | None | Specify the IP address or the fully qualified domain name (FQDN) of the target host on which to deploy Harbor. This is the address at which you access the Harbor Portal and the registry service. For example, 192.168.1.10 or reg.yourdomain.com . The registry service must be accessible to external clients, so do not specify localhost , 127.0.0.1 , or 0.0.0.0 as the hostname. |
http | Do not use HTTP in production environments. Using HTTP is acceptable only in air-gapped test or development environments that do not have a connection to the external internet. Using HTTP in environments that are not air-gapped exposes you to man-in-the-middle attacks. | |
port | Port number for HTTP, for both Harbor portal and Docker commands. The default is 80. | |
https | Use HTTPS to access the Harbor Portal and the token/notification service. Always use HTTPS in production environments and environments that are not air-gapped. | |
port | The port number for HTTPS, for both Harbor portal and Docker commands. The default is 443. | |
certificate | The path to the SSL certificate. | |
private_key | The path to the SSL key. | |
internal_tls | Use HTTPS to communicate between harbor components | |
enabled | Set this flag to true means internal tls is enabled | |
dir | The path to the directory that contains internal certs and keys | |
harbor_admin_password | None | Set an initial password for the Harbor system administrator. This password is only used on the first time that Harbor starts. On subsequent logins, this setting is ignored and the administrator’s password is set in the Harbor Portal. The default username and password are admin and Harbor12345 . |
database | Use a local PostgreSQL database. You can optionally configure an external database, in which case you can deactivate this option. | |
password | Set the root password for the local database. You must change this password for production deployments. | |
max_idle_conns | The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained. | |
max_open_conns | The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections. | |
conn_max_lifetime | The maximum amount of time a connection may be reused. If it <= 0, connections are not closed due to a connection’s age. | |
conn_max_idle_time | The maximum amount of time a connection may be idle. If it <= 0, connections are not closed due to a connection’s idle time. | |
data_volume | None | The location on the target host in which to store Harbor’s data. This data remains unchanged even when Harbor’s containers are removed and/or recreated. You can optionally configure external storage, in which case deactivate this option and enable storage_service . The default is /data . |
trivy | Configure Trivy scanner. | |
ignore_unfixed | Set the flag to true to display only fixed vulnerabilities. The default value is false | |
security_check | Comma-separated list of what security issues to detect. Possible values are vuln , config and secret . Defaults to vuln . | |
skip_update | You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues. If the flag is enabled you have to download the trivy-offline.tar.gz archive manually, extract and the trivy.db and metadata.json files and mount them in the /home/scanner/.cache/trivy/db/trivy.db path in container. The default value is false | |
insecure | Set the flag to true to skip verifying registry certificate. The default value is false | |
github_token | Set the GitHub access token to download Trivy DB. Trivy DB is downloaded by Trivy from the GitHub release page. Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough for production operations. If, for any reason, it’s not enough, you could increase the rate limit to 5000 requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult https://developer.github.com/v3/#rate-limiting .You can create a GitHub token by following the instructions in https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line | |
jobservice | max_job_workers | The maximum number of replication workers in the job service. For each image replication job, a worker synchronizes all tags of a repository to the remote destination. Increasing this number allows more concurrent replication jobs in the system. However, since each worker consumes a certain amount of network/CPU/IO resources, set the value of this attribute based on the hardware resource of the host. The default is 10. |
notification | webhook_job_max_retry | Set the maximum number of retries for web hook jobs. The default is 10. |
log | Configure logging. Harbor uses rsyslog to collect the logs for each container. | |
level | Set the logging level to debug , info , warning , error , or fatal . The default is info . | |
local | Set the log retention parameters:
| |
external_endpoint | Enable this option to forward logs to a syslog server.
| |
proxy | Configure proxies to be used by trivy-adapter, the replication jobservice, and Harbor. Leave blank if no proxies are required. Some proxies have whitelist settings, if Trivy is enabled, you need to add the following urls to the proxy server whitelist: github.com , github-releases.githubusercontent.com , and *.s3.amazonaws.com. | |
http_proxy | Configure an HTTP proxy, for example, http://my.proxy.com:3128 . | |
https_proxy | Configure an HTTPS proxy, for example, http://my.proxy.com:3128 . | |
no_proxy | Configure when not to use a proxy, for example, 127.0.0.1,localhost,core,registry . | |
cache | Configure cache layer for your Harbor instance. When enabled, Harbor will cache some Harbor resources (for example, artifacts, projects, or project metadata) using Redis, reducing the amount of time and resources used for repeated requests for the same Harbor resource. It’s strongly recommended that you enable this feature on Harbor instances with high concurrent pull request rates to improve Harbor’s overall performance. For more details on the cache layer implementation and performance improvements, see the Cache Layer wiki page. | |
enabled | Default is false , set to true to enable Harbor’s cache layer. | |
expire_hours | Configure the cache expiration limit in hours. Default is 24. |
Optional Parameters
The following table lists the additional, optional parameters that you can set to configure your Harbor deployment beyond the minimum required settings. To enable a setting, you must uncomment it in harbor.yml
by deleting the leading #
character.
Parameter | Sub-Parameters | Description and Additional Parameters |
---|---|---|
external_url | None | Enable this option to use an external proxy. When enabled, the hostname is no longer used. |
storage_service | By default, Harbor stores images and charts on your local filesystem. In a production environment, you might want to use another storage backend instead of the local filesystem. The parameters listed below are the configurations for the registry. See Configuring Storage Backend below for more information about how to configure a different backend. | |
ca_bundle | The path to the custom root CA certificate, which is injected into the trust store of registry and chart repository containers. This is usually needed if internal storage uses a self signed certificate. | |
filesystem | The default is filesystem , but you can set azure , gcs , s3 , swift and oss . For information about how to configure other backends, see Configuring a Storage Backend below. Set maxthreads to limit the number of threads to the external provider. The default is 100. | |
redirect | Set deactivate to true when you want to deactivate registry redirect | |
external_database | Configure external database settings, if you deactivate the local database option. Currently, Harbor only supports PostgreSQL database. You must create a database for Harbor core. The tables are generated automatically when Harbor starts up. | |
harbor | Configure an external database for Harbor data.
| |
external_redis | Configure an external Redis instance. | |
host | redis_host:redis_port of the external Redis instance. If you are using Sentinel mode, this part should be host_sentinel1:port_sentinel1,host_sentinel2:port_sentinel2 | |
sentinel_master_set | Only set this when using Sentinel mode | |
password | Password to connect to the external Redis instance. | |
registry_db_index | Database index for Harbor registry. | |
jobservice_db_index | Database index for jobservice. | |
chartmuseum_db_index | Database index for Chart museum. | |
trivy_db_index | Database index for Trivy adapter. | |
metric | Configure exposing Harbor instance metrics to a specified port and path | |
enabled | Enable exposing metrics on your Harbor instance by setting this to true . Default is false | |
port | Port metrics are exposed on. Default is 9090 | |
path | Path metrics are exposed on. Default is /metrics | |
trace | Configure exposing Distributed tracing data | |
enabled | Enable exposing tracing on your Harbor instance by setting this to true . Default is false | |
sample_rate | Set the sample rate of tracing. For example, set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth | |
namespace | Namespace used to differenciate different harbor services, which will set to attribute with key service.namespace | |
attributes | The attributes is a key value dict contains user defined customized attributes used to initialize trace provider, and all of these atributes will added to trace data | |
jaeger |
| |
otel |
|
The harbor.yml
file includes options to configure a UAA CA certificate. This authentication mode is not recommended and is not documented.
Configuring a Storage Backend
By default Harbor uses local storage for the registry, but you can optionally configure the storage_service
setting so that Harbor uses external storage. For information about how to configure the storage backend of a registry for different storage providers, see the Distribution Configuration Reference in the Distribution Registry (previously Docker Registry) documentation. For example, if you use Openstack Swift as your storage backend, the parameters might resemble the following:
storage_service:
ca_bundle:
swift:
username: admin
password: ADMIN_PASS
authurl: http://keystone_addr:35357/v3/auth
tenant: admin
domain: default
region: regionOne
container: docker_images
redirect:
disabled: false
What to Do Next
To install Harbor, Run the Installer Script.