Harbor: Immutable Repositories

Created on 19 Oct 2017  ·  30Comments  ·  Source: goharbor/harbor

As a administrator I would like to make specific repositories (e.g. in production) immutable, since this is a mandatory regulatory requirement in certain industries and has been asked by several customers. This has to be a mechanisms based on tags, e.g. if you push an image (e.g. alpine) to an immutable repository (e.g. harbor.lab.local/tom) with a certain tag (e.g. 3.6), then you can not re-push it again. But you can still create images with another tag (e.g. a new version).

Example:

docker push harbor.lab.local/tom/alpine:3.6

This works, but when you do it a second time you get e.g.:

tag=3.6 cannot be overwritten because tom/alpine is an immutable repository

Pushing an updated version works:

docker push harbor.lab.local/tom/alpine:3.6.1

There should also be an admin option that images in a certain repository can not be deleted anymore (black hole feature: You get an image into a repository, but never out again).

candidat1.10 enhancement kinrequirement
Source
picture tschwaller
👍12

Most helpful comment

+1

There are many similar mechanism , like git protected branch or released version of jar.
In common production artifacts, It is a really usefull feature to prevent the released version being changed.
It has some relations to feature of Image Signature, they have a same goal : Makes people to beleve the artifacts is reliable.

I have some different thought about this feature except Immutable Repositories,

  • support Immutable Repositories and Immutable Tags.
  • match tags by regular expression
  • match repositories by it's project

Because single setting of repository is too tedious。

picture chengjingtao on 2 Jul 2019
👍2

All 30 comments

degist id to identify tag, will have a lot of issue, need to further discussion.

yixingjia picture yixingjia on 24 Oct 2017

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] picture stale[bot] on 7 Oct 2018

We are also interested in a way to make images immutable, so that you can not push an image with a tag already existing in the registry.

ghost picture ghost on 25 Oct 2018

I am also interested in the diferent options to archive inmutablility on specific harbor images

miguelpoyatosmora picture miguelpoyatosmora on 21 Nov 2018

Is there any progress in this issue? I am also interested about Immutable tag. Like docker-ee DTR: https://docs.docker.com/ee/dtr/user/manage-images/prevent-tags-from-being-overwritten/

annProg picture annProg on 4 Jan 2019
👍2

+1

vasicvuk picture vasicvuk on 21 Feb 2019

I think it will be great feature, because there is another option to implement in on the pipeline's side (in CI/CD process), but it is not fool-proof.

gecube picture gecube on 4 Mar 2019

+1

alxndr13 picture alxndr13 on 14 Mar 2019

imo there are two ways to make this happen:

Implement this functionality registry-wide or implement it as a project policy. I just started digging around in the code, but i'm not fluent in Angular.. If theres anyone interested in this, who is capable of writing the Angular part, i can assist doing the go stuff.

alxndr13 picture alxndr13 on 15 Mar 2019
👍1

@alxndr13 The best solution is to provide policy-like feature. The registry-wide can be implemented too but WE need granularity (i.e. there are production images with version like v.1.0.0, v.1.0.1 etc. which MUST be protected and the common labels like "latest" which will point to the latest release and often are rewritten).

gecube picture gecube on 15 Mar 2019

@gecube I agree. There should be the possibility to add something like a whitelist of tags, which can be overwritten even tho the "immutable" policy is set.

alxndr13 picture alxndr13 on 15 Mar 2019

+1

rovner picture rovner on 20 Mar 2019

+1

strainovic picture strainovic on 1 Apr 2019

+1

achyutjhunjhunwala picture achyutjhunjhunwala on 8 Apr 2019

+1

airadier picture airadier on 8 Apr 2019

+1

urosht picture urosht on 11 Apr 2019

+1

noffa picture noffa on 3 May 2019

+1

There are many similar mechanism , like git protected branch or released version of jar.
In common production artifacts, It is a really usefull feature to prevent the released version being changed.
It has some relations to feature of Image Signature, they have a same goal : Makes people to beleve the artifacts is reliable.

I have some different thought about this feature except Immutable Repositories,

  • support Immutable Repositories and Immutable Tags.
  • match tags by regular expression
  • match repositories by it's project

Because single setting of repository is too tedious。

chengjingtao picture chengjingtao on 2 Jul 2019
👍2

+1

I'd prefer the project level immutable setting.

cd1989 picture cd1989 on 2 Jul 2019

Also meet this issue. We need it. Because if someone override a base image used by others could cause problem.

louyiping picture louyiping on 5 Jul 2019

adding this ticket to the 1.10 pool of candidate stories. i am in full support of this and we can expose it using 3 levers in Harbor under project settings

  1. Make an entire project immutable
  2. Allow a user to define a regex to include repos that are immutable
  3. Allow a user to define a regex to include tags that are immutable

2 & 3 are not mutually exclusive

michmike picture michmike on 11 Jul 2019

+1

I'd prefer the project level immutable setting.

Is this referring to nothing pushed to any repos in a project can be overwritten. But deletion are still allowed I assume

xaleeks picture xaleeks on 15 Jul 2019

adding this ticket to the 1.10 pool of candidate stories. i am in full support of this and we can expose it using 3 levers in Harbor under project settings

  1. Make an entire project immutable
  2. Allow a user to define a regex to include repos that are immutable
  3. Allow a user to define a regex to include tags that are immutable

2 & 3 are not mutually exclusive

by 2 & 3 not mutually exclusive,
I imagine something like immutability configured on for a repo, but a whitelist on tags that allows for certain exceptionalities like 'latest' can be overwritten repeatedly w/ no consequences

xaleeks picture xaleeks on 15 Jul 2019

Is this referring to nothing pushed to any repos in a project can be overwritten. But deletion are still allowed I assume

Yes

cd1989 picture cd1989 on 23 Jul 2019

@xaleeks i meant above that you can use any combination of 1, 2, or 3.

let me rephrase it because you made an excellent point

Expose immutability using multiple policy options in Harbor under project settings. A user can use any combination of the below to define policy.

  1. Make an entire project immutable
  2. Allow a user to define a regex to include repos that are immutable
  3. Allow a user to define a regex to include tags that are immutable
  4. Allow a user to define a regex to exclude repos that are not immutable
  5. Allow a user to define a regex to exclude tags that are not immutable
michmike picture michmike on 24 Jul 2019

OK so it's 'whitelisting' at various levels. This is going to get groomed for 1.10. I will work on a gdoc PRD and share w/ everyone. Please watch this ticket if you're not already.

xaleeks picture xaleeks on 26 Jul 2019

feel free add comments on requirement doc:
https://docs.google.com/document/d/1cPZGf8X0Z7YENp0rq8buq4_A0b2kZimzol6s26kP_lk/edit

xaleeks picture xaleeks on 24 Aug 2019

I'm also interested in this new feature, +1 vote

ernestomedina17 picture ernestomedina17 on 24 Aug 2019

Created https://github.com/goharbor/harbor/issues/9572 to track the doc update, so removing doc-impact from this one.

stuclem picture stuclem on 24 Oct 2019

This is done in our release of 1.10 today!! @tschwaller

xaleeks picture xaleeks on 13 Dec 2019
🚀1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

protochron picture protochron  ·  3Comments
cedvan picture cedvan  ·  3Comments
adomenech73 picture adomenech73  ·  3Comments
izhichao picture izhichao  ·  3Comments
andrewtchin picture andrewtchin  ·  3Comments