Harbor Open-Source Operations Solution

Document summary

Using the Harbor open-source enterprise-class Registry for efficient and secure image operations

Agenda
  • 1. Container Image Basics
  • 2. Project Harbor Introduction
  • 3. Consistency of Images
  • 4. Security
  • 5. Image Distribution
  • 6. High Availability of Registry

Lifecycle of Containers and Images
  • Containers: Run, Stop / Start / Restart, Commit (back to an image)
  • Dockerfile: Build, tag
  • tar archive: Save, Load
  • Registry: Push, Pull

Registry - Key Component to Manage Images
  • Repository for storing images
  • Intermediary for shipping and distributing images
  • Ideal for access control and other image management

Project Harbor
  • An open source enterprise-class registry server.
  • Initiated by VMware China, adopted by users worldwide.
  • Integrated into vSphere Integrated Containers.
  • Apache 2 license.
  • /vmware/harbor/

Key Features
  • User management & access control
  • RBAC: admin, developer, guest
  • AD/LDAP integration
  • Policy based image replication
  • Vulnerability Scanning
  • Notary
  • Web UI
  • Audit and logs
  • Restful API for integration
  • Lightweight and easy deployment

Users and Developers (infographic): 200+ users; 2600+ and 20K+ (stars / downloads); 55 contributors; 700+ forks; 6 partners

Harbor Architecture (diagram)
  • Clients: Docker client, Browser, Notary client
  • Nginx in front of the Harbor services: UI, API, Auth, DB, AD / LDAP, Core Service, Log Collector, Replication Job Services, Notary, Registry V2, Vulnerability Scanning, Admin Service
  • Remote Harbor Instance (replication target)

Harbor users and partners (selected)

Image replication (synchronization)
  • Source side: Project, Images, Policy; target side: Project, Images
  • Initial replication, then incremental replication (including image deletion)

Consistency of Container Images
  • Container images are used throughout the life cycle of software development: Dev, Test, Staging, Production
  • Consistency must be maintained for:
      Version control
      Issue tracking
      Troubleshooting
      Auditing

Same Dockerfile Always Builds Same Image?
Example:
    FROM ubuntu
    RUN apt-get install -y python
    ADD app.jar /myapp/app.jar
  • Base image ubuntu:latest could be changed between builds
  • ubuntu:14.04 could also be changed due to patching
  • apt-get (curl, wget, ...) cannot guarantee always to install the same packages
  • ADD depends on the build time environment to add files

Shipping Images in Binary Format for Consistency
  • Dev Registry (fed by CI from Git) -> Test Registry -> Staging Registry -> Production Registry, each holding images
  • Images are synchronized between environments by using Harbor registry.

Access Control to Images
  • Organizations often keep images within their own organizations
      Intellectual property stays in organization
      Efficiency: LAN vs WAN
  • People with different roles should have different access
      Developer: Read/Write
      Tester: Read Only
  • Different rules should be enforced in different environments
      Dev/test env: many people can access
      Production: a limited number of people can access
  • Can be integrated with internal user management system: LDAP/Active Directory

Example: Role Based Access Control in Harbor
  • Project: Members (Guest, Developer, Admin) and Images ($Project/ubuntu:14.04, $Project/nginx:1.8, 1.9, $Project/golang:1.6.2, $Project/redis:3.0)
  • Guest: docker pull
  • Developer, Admin: docker pull/push

Other security considerations
  • Enable content trust by installing Notary service
      Image is signed by publisher's private key during pushing
      Image is pulled using digest
  • Perform vulnerability scanning
      Prevent images with vulnerabilities from being pulled
      Regular scanning based on updated vulnerability database

Content trust for image provenance (diagram): Image Creator -> Registry + Notary -> Image Consumer

Vulnerability Scanning
  • Static analysis of vulnerability by inspecting filesystem of container image and indexing features in database.
  • Rescanning is needed if and only if new detectors are added.
  • Update vulnerability data regularly: Debian Security Bug Tracker, Ubuntu CVE Tracker, Red Hat Security Data, Oracle Linux Security Data, Alpine SecDB

Vulnerability scanning in the registry (diagram: Registry, Image, Vulnerability Scanning)
  • Set vulnerability threshold
  • Prevent images from being pulled if they exceed threshold
  • Periodic scanning based on updated vulnerability database
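The three project-level controls described above (guest/developer/admin roles, Notary content trust with pull-by-digest, and the vulnerability severity threshold) combined into one pull-admission decision, as an added Python example that is not Harbor's own code; the Severity names, the Project and ImageRecord fields, the member names, digests and CVE ids are all assumed or constructed.

```python
from dataclasses import dataclass
from enum import IntEnum

# Severity levels ordered so they compare numerically (assumed names, not Harbor's own enum).
Severity = IntEnum("Severity", "NONE LOW MEDIUM HIGH CRITICAL", start=0)

# Project roles and the actions each permits, mirroring the guest/developer/admin model on the slide.
ROLE_ACTIONS = {"guest": {"pull"}, "developer": {"pull", "push"}, "admin": {"pull", "push", "manage"}}

@dataclass
class Project:
    members: dict                          # username -> role in this project
    content_trust: bool = False            # only Notary-signed images may be pulled
    prevent_vulnerable: bool = False       # block pulls at or above severity_threshold
    severity_threshold: Severity = Severity.HIGH

@dataclass
class ImageRecord:
    repo: str
    digest: str                            # consumers pull by digest once content trust is on
    signed: bool                           # a Notary signature exists for this digest
    findings: tuple = ()                   # (cve_id, Severity) pairs from the last scan

def role_allows(project, user, action):
    """RBAC check: is `user` a project member whose role permits `action`?"""
    return action in ROLE_ACTIONS.get(project.members.get(user), set())

def max_severity(image):
    return max((sev for _, sev in image.findings), default=Severity.NONE)

def check_pull(project, user, image):
    """Decide a pull request: role first, then signature, then the vulnerability threshold."""
    if not role_allows(project, user, "pull"):
        return False, "no pull permission in project"
    if project.content_trust and not image.signed:
        return False, "content trust enabled but image is not signed"
    if project.prevent_vulnerable and max_severity(image) >= project.severity_threshold:
        return False, f"severity {max_severity(image).name} reaches threshold {project.severity_threshold.name}"
    return True, "ok"

# Constructed sample data (digests and CVE ids are placeholders, not real values).
SAMPLE_PROJECT = Project({"alice": "admin", "bob": "developer", "carol": "guest"},
                         content_trust=True, prevent_vulnerable=True)
SAMPLE_IMAGES = {
    "redis:3.0": ImageRecord("library/redis", "sha256:placeholder-1", True, (("CVE-EXAMPLE-0001", Severity.MEDIUM),)),
    "nginx:1.8": ImageRecord("library/nginx", "sha256:placeholder-2", True, (("CVE-EXAMPLE-0002", Severity.CRITICAL),)),
    "golang:1.6.2": ImageRecord("library/golang", "sha256:placeholder-3", False),
}
```

With the sample data, a guest can pull redis:3.0 (MEDIUM is below the HIGH threshold), nobody can pull nginx:1.8 (CRITICAL) or the unsigned golang:1.6.2, and a non-member is refused before any image policy is consulted.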

Image Distribution
  • Container images are usually distributed from a registry.
  • Registry becomes the bottleneck for a large cluster of nodes: I/O, Network
  • Scaling out a registry server
      Multiple instances of registry sharing same storage
      Multiple instances of independent registry sharing no storage

Image Distribution via Master-Slave Replication
  • Master - Slave model (diagram): Docker Client pushes to the master; Docker hosts pull from the slaves
  • Load balancing
  • Works well with geographically distributed clients

Hierarchical Image Distribution
  • Hierarchical model (diagram): Docker Client pushes to the top-level registry

High Availability of Registry
  • To remove single point of failure on registry
  • Three models to achieve HA:
      Shared storage
      Replication (no shared storage)
      Using other HA platform

Registries using Shared Storage (diagram): requests are load balanced across registry instances backed by shared storage

Image replication between registries (diagram)

Registry HA on vSphere (diagram): VMware ESXi-1, ESXi-2 and ESXi-3, each with the Docker Volume Driver for vSphere; Shared Storage on Virtual SAN holding Docker Volume-1, Docker Volume-2, Docker Volume-3 and other Docker Volumes; a Docker Host VM running Harbor with the vSphere Docker Volume Plugin
  • Registry in a VM protected by vSph
