Some companies need to be compliant with security standards such as PCI-DSS. To do so, all the running Docker containers must be compliant with the CIS Docker benchmark.
To be compliant with CIS Docker, the Harbor registry images should implement these basic changes:
I've run some tests on a development environment and I can contribute on this subject.
Here is the list of the current MRs:
By images do you mean the images of Harbor itself?
Yes, the images for Harbor itself and the docker-compose.yml for some options (like the read_only: true flag).
I work for a company that would like to use Harbor but also make it compliant with PCI-DSS standards. It might be a valuable addition to Harbor itself.
@wdhif
That would be helpful, but it would be helpful if we can take small steps for the refinement.
Appreciate your help!
OK glad to hear that, I'll start checking what can be done and I will open a PR if I get any results. I'll leave the issue open to reference it in a PR if necessary.
Hi @reasonerjt
Just to give you a little update. I currently have the read_only flag set for all images in the 3 docker-compose files, with the necessary volumes.
You can check the modifications here https://github.com/wdhif/harbor
I also had some questions regarding the non-root user and the healthchecks; those modifications must be made in the Dockerfiles of each image.
I've found the Dockerfiles for all Harbor and Clair images but not for Notary. Also, I don't really understand the file structure for the Dockerfiles, like 'common', 'dev', 'photon'. Do you have any information about this?
Also feel free to comment about the work done so far.
Thanks, regards
Hi wdhif,
It's a historical issue; eventually all Harbor images will be based on photon.
Please just refer to the Dockerfiles in 'photon', and you do not need to care about the files in 'dev'; it is just a temporary folder used by CI.
-Yan
I see Yan, thanks for the information.
I also have a question regarding the fact that some of the Dockerfiles seem to be missing from the photon folder.
Also feel free to check the read_only flags for harbor, notary and clair here https://github.com/wdhif/harbor/commit/a6d2164bc44fcfa673e610202ca6deb6a6b98dd3
I could try to improve this by adding the volumes in the Dockerfiles instead of the docker-compose files.
The healthcheck part of https://github.com/vmware/harbor/issues/3052 could be implemented as part of the hardening process.
I will re-org the folder structure in the future release. Now, for your questions,
1, nginx-photon, please refer to common\nginx
2, harbor-db, hasn't moved to photon yet but it will happen soon. please refer to common\db
3, postgresql, please refer to common\postgresql
4, notary, all the Dockerfiles haven't been published yet, they are currently located in a private repo.
-Yan
Thanks, I'll keep working on the images I have access to right now and I will wait for Notary.
Hi @wy65701436
I wanted to keep you up to date with the recent changes.
I've successfully added the healthcheck for the vmware/registry image.
https://github.com/wdhif/harbor/commit/449da22fc3d984ec8af357df29cb61d381a217ae
I think it would be better for me to wait for the images re-org you are planning to do before adding more healthchecks, since the images might change? Also, do you have any ETA for the re-org or the 1.2.0 version?
Thanks for your time, regards.
I cannot give you an ETA as it depends on release schedule. You can just keep watching the source code change.
I see, thanks for the information.
I've created the PR about healthchecks, I will now proceed with the non-root user for the images.
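The three controls discussed in this thread (read-only root filesystem, non-root user, healthcheck) can be verified on a running deployment from `docker inspect` output. The following audit script is an added example, not Harbor's own code; the inspect records it contains are constructed samples shaped like the real `docker inspect` JSON, trimmed to the fields the checks read.

```python
import json

# Constructed sample in the shape of `docker inspect <container>` output,
# trimmed to the fields the checks below read; not real Harbor data.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/registry",
        "Config": {"User": "10000:10000",
                   "Healthcheck": {"Test": ["CMD", "curl", "-f", "http://localhost:5000/"]}},
        "HostConfig": {"ReadonlyRootfs": True},
    },
    {
        "Name": "/harbor-db",
        "Config": {"User": ""},            # no USER set: runs as root
        "HostConfig": {"ReadonlyRootfs": False},
    },
])


def audit_container(entry):
    """Return {control name: passed} for one inspect record."""
    cfg = entry.get("Config", {})
    host = entry.get("HostConfig", {})
    # Config.User may be "", "root", "0", "uid:gid" or "name:group".
    uid = (cfg.get("User") or "").strip().split(":")[0]
    non_root = uid not in ("", "root", "0")
    test = (cfg.get("Healthcheck") or {}).get("Test") or []
    # Docker records an explicitly disabled healthcheck as Test == ["NONE"].
    has_healthcheck = bool(test) and test[0] != "NONE"
    return {
        "read_only_rootfs": bool(host.get("ReadonlyRootfs", False)),
        "non_root_user": non_root,
        "healthcheck": has_healthcheck,
    }


def audit_inspect_json(text):
    """Audit every container in a `docker inspect` JSON array: {name: findings}."""
    return {e.get("Name", "?").lstrip("/"): audit_container(e) for e in json.loads(text)}


def failing_controls(results):
    """Flatten findings into (container, control) pairs that failed."""
    return [(n, c) for n, r in results.items() for c, ok in r.items() if not ok]


if __name__ == "__main__":
    import sys
    # Pipe real output in with: docker inspect $(docker ps -q) | python audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for container, control in failing_controls(audit_inspect_json(data)):
        print(f"FAIL {container}: {control}")
```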
This has been fixed in the 1.3 release. Closing.