
Clair - images with Unknown vulnerabilities

brianwadesmith@...
 

I have enabled the blocking of pulling vulnerable images labeled as high or greater.  This setting is preventing images scanned and labeled as "Unknown" from being pulled. Can anyone tell me if this is by design?  I'm running v1.10.2

Thanks!!!


Harbor Graduation

Michael Michael <michmike@...>
 

Hello everyone, if you were not already aware, Harbor (goharbor.io) is in the final stage of becoming a Graduated project in CNCF. This is a tremendous achievement for the project and we would not have been here without our contributors, our users, and the support of the CNCF community. Please provide your public vote of support for Harbor in this thread
https://lists.cncf.io/g/cncf-toc/topic/harbor_in_public_comment/74163632


Import OIDC groups into harbor

tiagomendes93@...
 

How can I import groups from OIDC into harbor? 
Do I have to create a Mapper and then use that mapper on group claim Id? 
There is no documentation on this..
Thank you


Re: API Call for Vulnerability Report

Steven Ren
 

Hi Brian,

      In 2.0 UI, we have some stats shown in the UI, could you please take a look whether that matches your query? You are welcome to make your changes in the code to improve Harbor

Best regards,

Steven

 

From: <harbor-users@...> on behalf of "brianwadesmith via lists.cncf.io" <brianwadesmith=gmail.com@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Friday, May 1, 2020 at 11:53 PM
To: "harbor-users@..." <harbor-users@...>
Subject: Re: [harbor-users] API Call for Vulnerability Report

 

If anyone is interested, here is the quick script I put together to get these details

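#!/usr/bin/env bash
# Group Harbor repositories by the worst severity found in their tags' scan overviews.
# Replace <REPLACE> with the base64-encoded "user:password" used for HTTP Basic auth.
# Note: curl -k skips TLS certificate verification; drop it once the Harbor certificate is trusted.
total=0
critical=("Critical risk images")
high=("High risk images")
medium=("Medium risk images")
none=("Images with no risk")
unknown=("UNKNOWN")

# jq -r prints the raw repository names, one per line, without surrounding quotes
while IFS= read -r x; do
    ((total=total+1))
    echo "TOTAL:: $total"
    echo "IMAGE:: $x"
    result=$(curl -k -s -X GET "https://harbor.xyz.net/api/repositories/${x}/tags" -H "authorization: Basic <REPLACE>" -H "accept: application/json" | jq '.[] | .scan_overview[]? | .severity')
    echo "$result"

    # Checked from most to least severe, so each image is filed under its worst finding
    if [[ $result == *"Critical"* ]]; then
        critical+=("$x")
    elif [[ $result == *"High"* ]]; then
        high+=("$x")
    elif [[ $result == *"Medium"* ]]; then
        medium+=("$x")
    elif [[ $result == *"None"* ]]; then
        none+=("$x")
    elif [[ $result == *"Unknown"* ]]; then
        unknown+=("$x")
    fi
done < <(curl -k -s -X GET "https://harbor.xyz.net/api/repositories/top?count=99999" -H "accept: application/json" -H "authorization: Basic <REPLACE>" | jq -r '.[].name')

echo "TOTAL IMAGES:: $total"
# A fixed format string keeps image names from being interpreted as printf directives
printf '%s\n' "${critical[@]}"
printf '%s\n' "${high[@]}"
printf '%s\n' "${medium[@]}"
printf '%s\n' "${none[@]}"
printf '%s\n' "${unknown[@]}"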


Installing Harbor in a docker environment behind LB

tiagomendes93@...
 

Hello community, we are trying to use Harbor in a docker environment behind a LB (HA-PROXY) and integrate it with Keycloak.
It happens that we can't redirect the call on the harbor instance to the dns defined in the Keycloak, giving us the error 400 mismatch.
When can we change the callback uri to match the dns created? Because on the OIDC configuration it has defined the uri to point to the hostname.



We changed the external_url on the harbor.yaml and got no effect.. 
Has anyone been through this? 
Best regards,

Tiago


Cancelled Event: Harbor Community Meeting - Americas Time zone #cal-cancelled

harbor-users@lists.cncf.io Calendar <harbor-users@...>
 

Cancelled: Harbor Community Meeting - Americas Time zone

This event has been cancelled.

When:
Wednesday, 31 July 2019
4:00pm to 5:00pm
(UTC-04:00) America/New York
Repeats: Every 2 weeks on Wednesday

Where:
https://zoom.us/j/734959521

Organizer: Harbor

Description:

Hello everyone,
 
This is a recurring calendar invite for the bi-weekly Harbor community meetings.
There will be two meetings, one for China/Europe time zone, and one for Americas time zone
Please pick the one that fits your schedule best.
 
To attend, use the following Zoom link: https://zoom.us/j/734959521

Meeting notes, agenda, and recordings of past meetings and other details are located at https://github.com/goharbor/community/blob/master/MEETING_SCHEDULE.md
and


Cancelled Event: Harbor Community Meeting - China/Europe Time zone #cal-cancelled

harbor-users@lists.cncf.io Calendar <harbor-users@...>
 

Cancelled: Harbor Community Meeting - China/Europe Time zone

This event has been cancelled.

When:
Wednesday, 31 July 2019
9:00pm to 10:00pm
(UTC+08:00) Asia/Chongqing
Repeats: Every 2 weeks on Wednesday

Where:
https://zoom.us/j/734959521

Organizer: Harbor

Description:

Hello everyone,
 
This is a recurring calendar invite for the bi-weekly Harbor community meetings.
There will be two meetings, one for China/Europe time zone, and one for Americas time zone
Please pick the one that fits your schedule best.
 
To attend, use the following Zoom link: https://zoom.us/j/734959521

Meeting notes, agenda, and recordings of past meetings and other details are located at https://github.com/goharbor/community/blob/master/MEETING_SCHEDULE.md
and
https://github.com/goharbor/community/tree/master/conf-calls


Re: API Call for Vulnerability Report

brianwadesmith@...
 

If anyone is interested, here is the quick script I put together to get these details

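#!/usr/bin/env bash
# Group Harbor repositories by the worst severity found in their tags' scan overviews.
# Replace <REPLACE> with the base64-encoded "user:password" used for HTTP Basic auth.
# Note: curl -k skips TLS certificate verification; drop it once the Harbor certificate is trusted.
total=0
critical=("Critical risk images")
high=("High risk images")
medium=("Medium risk images")
none=("Images with no risk")
unknown=("UNKNOWN")

# jq -r prints the raw repository names, one per line, without surrounding quotes
while IFS= read -r x; do
    ((total=total+1))
    echo "TOTAL:: $total"
    echo "IMAGE:: $x"
    result=$(curl -k -s -X GET "https://harbor.xyz.net/api/repositories/${x}/tags" -H "authorization: Basic <REPLACE>" -H "accept: application/json" | jq '.[] | .scan_overview[]? | .severity')
    echo "$result"

    # Checked from most to least severe, so each image is filed under its worst finding
    if [[ $result == *"Critical"* ]]; then
        critical+=("$x")
    elif [[ $result == *"High"* ]]; then
        high+=("$x")
    elif [[ $result == *"Medium"* ]]; then
        medium+=("$x")
    elif [[ $result == *"None"* ]]; then
        none+=("$x")
    elif [[ $result == *"Unknown"* ]]; then
        unknown+=("$x")
    fi
done < <(curl -k -s -X GET "https://harbor.xyz.net/api/repositories/top?count=99999" -H "accept: application/json" -H "authorization: Basic <REPLACE>" | jq -r '.[].name')

echo "TOTAL IMAGES:: $total"
# A fixed format string keeps image names from being interpreted as printf directives
printf '%s\n' "${critical[@]}"
printf '%s\n' "${high[@]}"
printf '%s\n' "${medium[@]}"
printf '%s\n' "${none[@]}"
printf '%s\n' "${unknown[@]}"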
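
An added example, not part of the original post or of Harbor's code: the same report computed over already-fetched tag records, with explicit buckets for the cases the script's if/elif chain has no branch for (Low, Negligible, and tags with no scan report). The record shape (scan_overview as a collection of report objects carrying a severity field) is inferred from the jq filter above; the severity ranking, the "Not scanned" bucket, the function names and the sample data are assumptions made for illustration.

```python
# Added example: the sample data below is constructed, not taken from a real Harbor instance.
MIME = "application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0"

# Reporting order chosen for this example (an assumption, not Harbor's own ranking).
SEVERITY_RANK = {"None": 0, "Unknown": 1, "Negligible": 2, "Low": 3,
                 "Medium": 4, "High": 5, "Critical": 6}
NOT_SCANNED = "Not scanned"


def tag_severity(tag):
    """Return the worst severity in one tag's scan_overview, or NOT_SCANNED."""
    overview = tag.get("scan_overview") or {}
    # Accept either a map of reports or a plain list, as the jq '[]' filter does.
    reports = overview.values() if isinstance(overview, dict) else overview
    labels = [r.get("severity") for r in reports if isinstance(r, dict)]
    # A label outside the table is reported as "Unknown" rather than silently dropped.
    labels = [s if s in SEVERITY_RANK else "Unknown" for s in labels if s]
    if not labels:
        return NOT_SCANNED
    return max(labels, key=SEVERITY_RANK.__getitem__)


def summarize_repo(tags):
    """Return (worst severity over scanned tags, names of tags with no report)."""
    per_tag = {t.get("name", "?"): tag_severity(t) for t in tags}
    unscanned = sorted(n for n, s in per_tag.items() if s == NOT_SCANNED)
    scanned = [s for s in per_tag.values() if s != NOT_SCANNED]
    worst = max(scanned, key=SEVERITY_RANK.__getitem__) if scanned else NOT_SCANNED
    return worst, unscanned


def build_report(tags_by_repo):
    """Group repositories by worst severity, most severe bucket first."""
    buckets = {}
    for repo, tags in tags_by_repo.items():
        worst, _ = summarize_repo(tags)
        buckets.setdefault(worst, []).append(repo)
    order = sorted(buckets, key=lambda s: SEVERITY_RANK.get(s, -1), reverse=True)
    return {sev: sorted(buckets[sev]) for sev in order}


def make_tag(name, severity=None):
    """Build a constructed tag record; severity=None means no scan report."""
    tag = {"name": name}
    if severity is not None:
        tag["scan_overview"] = {MIME: {"scan_status": "Success", "severity": severity}}
    return tag


# Constructed input: repository name -> tag records as the tags endpoint would list them.
SAMPLE = {
    "library/nginx": [make_tag("1.17", "High"), make_tag("1.18", "Critical")],
    "team/base": [make_tag("latest", "Unknown")],
    "team/tool": [make_tag("v1", "Low"), make_tag("v2")],
    "team/new": [make_tag("v1")],
}

if __name__ == "__main__":
    for severity, repos in build_report(SAMPLE).items():
        print(f"{severity}: {', '.join(repos)}")
    for repo, tags in SAMPLE.items():
        _, unscanned = summarize_repo(tags)
        if unscanned:
            print(f"{repo}: tags without a scan report: {', '.join(unscanned)}")
```
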


Re: Replication Failed

Steven Zou
 

Hi,

 

Officially doing replication among different versions of Harbor is not supported.

 

 

thanks&regards

-- 

Steven Zou(邹佳)

 

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

 

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

 

 

 

From: <harbor-users@...> on behalf of "aprado1976 via lists.cncf.io" <aprado1976=gmail.com@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Tuesday, April 21, 2020 at 01:45
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] Replication Failed

 

 

 

 

Hello,

Is it possible to replicate a 1.7 registry to a 1.10 registry?
The two servers ping in both directions but the sync is not done

Thank you for your help


Replication Failed

aprado1976@...
 

 
 
 
Hello,

Is it possible to replicate a 1.7 registry to a 1.10 registry?
The two servers ping in both directions but the sync is not done

Thank you for your help



Harbor LDAP User Base DN

brianwadesmith@...
 

Does anyone know if there is a way to configure LDAP Auth to search under 2 Base DNs?  My directory is absolutely MASSIVE.  I have users in an "Associates" OU and service accounts in a "Service accounts" OU.  Both are at the root of the directory.  If I set the search base to the root, login times are greatly impacted.

Does anyone know if there is a way to provide an LDAP search filter to be able to target both OUs without searching the entire directory?


Question on Harbor's pull-based replication

Bipin Jethwani
 

How does Harbor's pull-based replication work under the hood? WebSocket/watch or HTTP based polling?


Re: API Call for Vulnerability Report

Steven Zou
 

For vulnerability summary, you can try the API shown below:

'/repositories/{repo_name}/tags/{tag}':
  get:
    summary: Get the tag of the repository.
    description: |
      This endpoint aims to retrieve the tag of the repository. If deployed with Notary, the signature property of response represents whether the image is signed or not. If the property is null, the image is unsigned.
    parameters:
      - name: repo_name
        in: path
        type: string
        required: true
        description: Relevant repository name.
      - name: tag
        in: path
        type: string
        required: true
        description: Tag of the repository.
    tags:
      - Products
    responses:
      '200':
        description: Get tag successfully.
        schema:
          $ref: '#/definitions/DetailedTag'
      '500':
        description: Unexpected internal errors.

The tag model will include a `scan_overview` if the image has been scanned and it has the vul report (otherwise that field will be empty).

 

For detailed report including the vulnerability item list, you can use the following API:

'/repositories/{repo_name}/tags/{tag}/scan':
  get:
    summary: Get the scan report
    description: |
      Retrieve the scan report for the artifact identified by the repo_name and tag.
    tags:
      - Scan
    parameters:
      - name: repo_name
        in: path
        type: string
        required: true
        description: Repository name
      - name: tag
        in: path
        type: string
        required: true
        description: Tag name
      - name: Accept
        in: header
        type: string
        description: |
          Mimetype in header. e.g: "application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0"
    responses:
      200:
        description: The report details of the specified artifact identified by the repo_name and tag.
        schema:
          $ref: '#/definitions/Report'
      '401':
        description: Unauthorized request
      '403':
        description: Request is not allowed
      '404':
        description: The target artifact is not found
      '500':
        description: Internal server error happened

 

 

thanks&regards

-- 

Steven Zou(邹佳)

 

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

 

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

 

 

 

From: <harbor-users@...> on behalf of "brianwadesmith via lists.cncf.io" <brianwadesmith=gmail.com@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Thursday, April 9, 2020 at 23:28
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] API Call for Vulnerability Report

 

I'm just starting to use the Harbor API and finding it to be very useful.  I would like to create an automated report to detail Vulnerabilities discovered through scanning.  I see Model references to NativeReportSummary, VulnerabilitySummary, VulnerabilityItem, etc.  I cannot figure out how to call this data via the API.  I'm sure I'm missing something simple.  Could anyone help me out?


API Call for Vulnerability Report

brianwadesmith@...
 

I'm just starting to use the Harbor API and finding it to be very useful.  I would like to create an automated report to detail Vulnerabilities discovered through scanning.  I see Model references to NativeReportSummary, VulnerabilitySummary, VulnerabilityItem, etc.  I cannot figure out how to call this data via the API.  I'm sure I'm missing something simple.  Could anyone help me out?


Re: Redis usage

Steven Zou
 

Please see comments inline.

 

 

thanks&regards

--

Steven Zou(邹佳)

 

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

 

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

 

 

 

From: <harbor-users@...> on behalf of "bruno via Lists.Cncf.Io" <bruno=robotinfra.com@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Tuesday, March 31, 2020 at 15:11
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] Redis usage

 

[Edited Message Follows]
[Reason: add clarification on why I sent this msg]

Many open-source projects use redis just as a cache.
What about harbor? Why does it use it?

 

>>Steven: harbor core and registry components are using Redis as cache.  Jobservice is using Redis as job queue that supports retry and failover restore functions.



I already did my homework on this one, and my last step is to look at the harbor code itself... but I have had terrible experiences with beego

I want to be sure if redis data must be:

- persistent on redis statefulset upgrade

>>Steven: Y


- is that data important and must it be backed up? But as PostgreSQL is already there... I assume critical data that needs integrity is stored there. I assume it might just be user sessions.

>>Steven: The underlying job framework is using Redis as queue and some cron spec of periodical jobs launched by jobservice are also stored in Redis


- can redis be rebuilt from PostgreSQL, just not efficient when redis starts from a blank PVC.

>>Steven: So far, it cannot. We’re planning to provide a manager (like an inner client of jobservice) that may take some responsibilities to store the stateful data in DB to make sure some data can be rebuilt from DB.



Thanks a lot


Redis usage

bruno@...
 

Many open-source projects use redis just as a cache.
What about harbor? Why does it use it?

I already did my homework on this one, and my last step is to look at the harbor code itself... but I have had terrible experiences with beego

I want to be sure if redis data must be:

- persistent on redis statefulset upgrade
- is that data important and must it be backed up? But as PostgreSQL is already there... I assume critical data that needs integrity is stored there. I assume it might just be user sessions.
- can redis be rebuilt from PostgreSQL, just not efficient when redis starts from a blank PVC.

Thanks a lot


error during docker login - Error response from daemon: Get https://172.26.37.250/v2/: x509: cannot validate certificate for 172.26.37.250 because it doesn't contain any IP SANs

ppinker@...
 

I can access the Harbor UI from my Mac connected over VPN,
but after the install I try to test docker login and get the error.
How do I set up IP SANs?
This VM is running in OpenStack on an isolated network.


Re: Limiting label assigning permissions

Steven Zou
 

Welcome any contributions.

 

You can check the proposal-process to learn how to propose a new feature and check the CONTRIBUTING guide to learn how to start your 1st commit.

 

thanks&regards

-- 

Steven Zou(邹佳)

 

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

 

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

 

 

 

From: <harbor-users@...> on behalf of "Julia Vitória Cardoso via Lists.Cncf.Io" <julia.cardoso=saqueepague.com.br@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Monday, March 23, 2020 at 20:51
To: "harbor-users@..." <harbor-users@...>
Subject: RES: [harbor-users] Limiting label assigning permissions

 

Thanks for answering. Yes, I just confirmed this. The only role that restricts the labels is Guest.

 

I will try some workaround to make the restrictions we need, but it would be very useful to have more granular permissions. Maybe in the future I will work on something for this problem.

 

Thanks again

 

Julia Cardoso

IT Security julia.cardoso@...

Phone: +55 51 3455-1605 / +55 51 3455-1687

www.saqueepague.com.br

 

 

 


From: harbor-users@... <harbor-users@...> on behalf of Steven Zou via Lists.Cncf.Io
Sent: Saturday, March 21, 2020 00:00
To: harbor-users@...
Subject: Re: [harbor-users] Limiting label assigning permissions

 

Per my understanding, the answer is no so far.

 

Currently, permissions of adding/removing to the image are granted to `Project Admin`, `Master` and `Developer`. Only the `Guest` role has no such permissions, but it also has very minimal/limited permissions to do other actions.

 

 

 

thanks&regards

-- 

Steven Zou(邹佳)

 

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

 

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

 

 

 

From: <harbor-users@...> on behalf of "Julia Vitória Cardoso via Lists.Cncf.Io" <julia.cardoso=saqueepague.com.br@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Friday, March 20, 2020 at 23:29
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] Limiting label assigning permissions

 

Hi there. We are working with labels in Harbor to configure replication of images, but because of this we need to limit who can assign a label to a certain image, as this label will provide the replication of the image after approval.

 

Is this possible?

 

Julia Cardoso

IT Security julia.cardoso@...

Phone: +55 51 3455-1605 / +55 51 3455-1687

www.saqueepague.com.br

 

 

 


Notice: The entire content of this e-mail, including attachments, is intended exclusively for the named recipient(s) and contains confidential information. You are notified and aware that any disclosure, dissemination, distribution, copying or other use of this content is strictly prohibited without the prior written consent of Saque e Pague and is subject to the penalty of art. 153 of the Penal Code. If you received this communication in error, please notify the sender immediately by reply e-mail.



RES: [harbor-users] Limiting label assigning permissions

Julia Vitória Cardoso
 

Thanks for answering. Yes, I just confirmed this. The only role that restricts the labels is Guest.

 

I will try some workaround to make the restrictions we need, but it would be very useful to have more granular permissions. Maybe in the future I will work on something for this problem.

 

Thanks again

 

Julia Cardoso

IT Security julia.cardoso@...

Phone: +55 51 3455-1605 / +55 51 3455-1687

www.saqueepague.com.br

 

 

 


From: harbor-users@... <harbor-users@...> on behalf of Steven Zou via Lists.Cncf.Io
Sent: Saturday, March 21, 2020 00:00
To: harbor-users@...
Subject: Re: [harbor-users] Limiting label assigning permissions

 

Per my understanding, the answer is no so far.

 

Currently, permissions of adding/removing to the image are granted to `Project Admin`, `Master` and `Developer`. Only the `Guest` role has no such permissions, but it also has very minimal/limited permissions to do other actions.

 

 

 

thanks&regards

-- 

Steven Zou(邹佳)

 

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

 

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

 

 

 

From: <harbor-users@...> on behalf of "Julia Vitória Cardoso via Lists.Cncf.Io" <julia.cardoso=saqueepague.com.br@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Friday, March 20, 2020 at 23:29
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] Limiting label assigning permissions

 

Hi there. We are working with labels in Harbor to configure replication of images, but because of this we need to limit who can assign a label to a certain image, as this label will provide the replication of the image after approval.

 

Is this possible?

 

Julia Cardoso

IT Security julia.cardoso@...

Phone: +55 51 3455-1605 / +55 51 3455-1687

www.saqueepague.com.br

 

 

 




Re: Limiting label assigning permissions

Steven Zou
 

Per my understanding, the answer is no so far.

 

Currently, permissions of adding/removing to the image are granted to `Project Admin`, `Master` and `Developer`. Only the `Guest` role has no such permissions, but it also has very minimal/limited permissions to do other actions.

 

 

 

thanks&regards

-- 

Steven Zou(邹佳)

 

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

 

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

 

 

 

From: <harbor-users@...> on behalf of "Julia Vitória Cardoso via Lists.Cncf.Io" <julia.cardoso=saqueepague.com.br@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Friday, March 20, 2020 at 23:29
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] Limiting label assigning permissions

 

Hi there. We are working with labels in Harbor to configure replication of images, but because of this we need to limit who can assign a label to a certain image, as this label will provide the replication of the image after approval.

 

Is this possible?

 

Julia Cardoso

IT Security julia.cardoso@...

Phone: +55 51 3455-1605 / +55 51 3455-1687

www.saqueepague.com.br

 

 

 


