harbor-users@lists.cncf.io

Harbor 2.0 is released!

Jonas Rosland

#164

Harbor 2.0 is released! This release makes Harbor the first OCI-compliant open source registry capable of storing cloud-native artifacts like container images, @HelmPack charts, CNABs, @OpenPolicyAgent, @SingularityApp, and much more.
With Harbor 2.0, we have made Trivy from @AquaSecTeam the default image scanner, and with that taking container image scanning to higher levels of usability and performance than ever before.

Other notable features in Harbor 2.0 include: - The ability to set expiration dates on robot accounts - You can now configure SSL for core Harbor services - Webhooks can be individually triggered, and come with Slack integration - A new snazzy dark mode, try it out!

A huge thank you goes out to the entire Harbor community for bringing all these new features into this major release.
Read all about Harbor 2.0 in the announcement blog: goharbor.io/blog/harbor-2.0

Re: API Call for Vulnerability Report

Steven Ren

#163

Hi Brian,

if you have an installed Harbor, in the left bottom of the UI, there is “API Explorer” feature, we can view all the APIs harbor exposed. Thanks

-steven

From: <harbor-users@...> on behalf of "brianwadesmith via lists.cncf.io" <brianwadesmith=gmail.com@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Wednesday, May 13, 2020 at 8:55 PM
To: "harbor-users@..." <harbor-users@...>
Subject: Re: [harbor-users] API Call for Vulnerability Report

I'm looking forward to checking that out. Most of my harbor deployments are running in Pivotal Cloud Foundry (or tanzu or whatever its called now) and I'm reliant on the version in pivnet (or Tanzunet?). I do have a separate "home-brew" bosh deployment I'll load 2.0 to play with.

Re: API Call for Vulnerability Report

brianwadesmith@...

#162

I'm looking forward to checking that out. Most of my harbor deployments are running in Pivotal Cloud Foundry (or tanzu or whatever its called now) and I'm reliant on the version in pivnet (or Tanzunet?). I do have a separate "home-brew" bosh deployment I'll load 2.0 to play with.

Clair - images with Unknown vulnerabilities

brianwadesmith@...

#161

I have enabled the blocking of pulling vulnerable images labeled as high or greater. This setting is preventing images scanned and labeled as "Unknown" from being pulled. Can anyone tell me if this is by design? I'm running v1.10.2

Thanks!!!

Harbor Graduation

Michael Michael <michmike@...>

#160

Hello everyone, if you were not already aware, Harbor (goharbor.io) is in the final stage of becoming a Graduated project in CNCF. This is a tremendous achievement for the project and we would not have been here without our contributors, our users, and the support of the CNCF community. Please provide your public vote of support for Harbor in this thread

https://lists.cncf.io/g/cncf-toc/topic/harbor_in_public_comment/74163632

Import OIDC groups into harbor

tiagomendes93@...

#159

How can I import groups from OIDC into harbor?
Do I have to create a Mapper and then use that mapper on group claim Id?
There is no documentation on this..
Thank you

Re: API Call for Vulnerability Report

Steven Ren

#158

Hi Brian,

In 2.0 UI, we have some stats shown in the UI, could you please take a look whether that matches your query? You are welcome to make your changes in the code to improve Harbor ☺

Best regards,

Steven

From: <harbor-users@...> on behalf of "brianwadesmith via lists.cncf.io" <brianwadesmith=gmail.com@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Friday, May 1, 2020 at 11:53 PM
To: "harbor-users@..." <harbor-users@...>
Subject: Re: [harbor-users] API Call for Vulnerability Report

If anyone is interested, here is the quick script I put together to get these details

Show quoted text

total=0
critical=()
high=()
medium=()
high+=("High risk images\n")
critical+=("Critical risk images\n")
medium+=("Medium risk images\n")
none+=("Images with no risk\n")
unknown+=("UNKNOWN\n")

for x in $(curl -k -s -X GET "https://harbor.xyz.net/api/repositories/top?count=99999" -H "accept: application/json" -H "authorization: Basic <REPLACE>" | jq .[].name);
do
    ((total=$total+1))
    echo "TOTAL::" $total
    x=$(echo $x | cut -d '"' -f 2)
    echo "IMAGE::" $x
    result=$(curl -k -s -X GET "https://harbor.xyz.net/api/repositories/${x}/tags" -H "authorization: Basic <REPLACE>" -H "accept: application/json" | jq '.[] | .scan_overview[]? | .severity')
    echo $result

    if [[ $result == *"Critical"* ]]; then
        critical+="$x\n"
    elif [[ $result == *"High"* ]]; then
        high+="$x\n"
    elif [[ $result == *"Medium"* ]]; then
        medium+="$x\n"
    elif [[ $result == *"None"* ]]; then
        none+="$x\n"
    elif [[ $result == *"Unknown"* ]]; then
        unknown+="$x\n"
    fi
done
echo "TOTAL IMAGES::" $total
printf "$critical"
printf "$high"
printf "$medium"
printf "$none"
printf "$unknown"

Installing Harbor in a docker environment behind LB

tiagomendes93@...

#157

Hello community We are trying to use Harbor in a docker environment behind a LB (HA-PROXY) and integrate it with Keycloack.
It happens that we can't redirrect the call on the harbor instance to the dns defined in the keycloack giving us the error 400 mismatch.
When can we change the callback uri to match the dns created ? Because on the OIDC configuration it has defined the uri to point to the hostname.

We changed the external_url on the harbor.yaml and got no effect..
Has anyone been through this?
Best, Regards

Tiago

Cancelled Event: Harbor Community Meeting - Americas Time zone #cal-cancelled

harbor-users@lists.cncf.io Calendar <harbor-users@...>

#156

Cancelled: Harbor Community Meeting - Americas Time zone

This event has been cancelled.

When:
Wednesday, 31 July 2019
4:00pm to 5:00pm
(UTC-04:00) America/New York
Repeats: Every 2 weeks on Wednesday

Where:
https://zoom.us/j/734959521

Organizer: Harbor

Description:

Hello everyone,

This is a recurring calendar invite for the bi-weekly Harbor community meetings.

There will be two meetings, one for China/Europe time zone, and one for Americas time zone

Please pick the one that fits your schedule best.

To attend, use the following Zoom link: https://zoom.us/j/734959521

Meeting notes, agenda, and recordings of past meetings and other details are located at https://github.com/goharbor/community/blob/master/MEETING_SCHEDULE.md
and

https://github.com/goharbor/community/tree/master/conf-calls

Calendar

Cancelled Event: Harbor Community Meeting - China/Europe Time zone #cal-cancelled

harbor-users@lists.cncf.io Calendar <harbor-users@...>

#155

Cancelled: Harbor Community Meeting - China/Europe Time zone

This event has been cancelled.

When:
Wednesday, 31 July 2019
9:00pm to 10:00pm
(UTC+08:00) Asia/Chongqing
Repeats: Every 2 weeks on Wednesday

Where:
https://zoom.us/j/734959521

Organizer: Harbor

Description:

Hello everyone,

This is a recurring calendar invite for the bi-weekly Harbor community meetings.
There will be two meetings, one for China/Europe time zone, and one for Americas time zone
Please pick the one that fits your schedule best.

To attend, use the following Zoom link: https://zoom.us/j/734959521

Meeting notes, agenda, and recordings of past meetings and other details are located at https://github.com/goharbor/community/blob/master/MEETING_SCHEDULE.md
and
https://github.com/goharbor/community/tree/master/conf-calls

Calendar

Re: API Call for Vulnerability Report

brianwadesmith@...

#154

If anyone is interested, here is the quick script I put together to get these details

Show quoted text

total=0
critical=()
high=()
medium=()
high+=("High risk images\n")
critical+=("Critical risk images\n")
medium+=("Medium risk images\n")
none+=("Images with no risk\n")
unknown+=("UNKNOWN\n")

for x in $(curl -k -s -X GET "https://harbor.xyz.net/api/repositories/top?count=99999" -H "accept: application/json" -H "authorization: Basic <REPLACE>" | jq .[].name);
do
    ((total=$total+1))
    echo "TOTAL::" $total
    x=$(echo $x | cut -d '"' -f 2)
    echo "IMAGE::" $x
    result=$(curl -k -s -X GET "https://harbor.xyz.net/api/repositories/${x}/tags" -H "authorization: Basic <REPLACE>" -H "accept: application/json" | jq '.[] | .scan_overview[]? | .severity')
    echo $result

    if [[ $result == *"Critical"* ]]; then
        critical+="$x\n"
    elif [[ $result == *"High"* ]]; then
        high+="$x\n"
    elif [[ $result == *"Medium"* ]]; then
        medium+="$x\n"
    elif [[ $result == *"None"* ]]; then
        none+="$x\n"
    elif [[ $result == *"Unknown"* ]]; then
        unknown+="$x\n"
    fi
done
echo "TOTAL IMAGES::" $total
printf "$critical"
printf "$high"
printf "$medium"
printf "$none"
printf "$unknown"

Re: Replication Failed

Steven Zou

#153

Hi,

Officially doing replication among different versions of Harbor is not supported.

thanks&regards

--

Steven Zou(邹佳）

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

From: <harbor-users@...> on behalf of "aprado1976 via lists.cncf.io" <aprado1976=gmail.com@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Tuesday, April 21, 2020 at 01:45
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] Replication Failed

Hello,

Is it possible to replicate a 1.7 registry to a 1.10 registry?
The two servers ping in both directions but the sync is not done

Thank you for your help

Replication Failed

aprado1976@...

#152

Hello,

Is it possible to replicate a 1.7 registry to a 1.10 registry?
The two servers ping in both directions but the sync is not done

Thank you for your help

Harbor LDAP User Base DN

brianwadesmith@...

#151

Does anyone know if there is a way to configure LDAP Auth to search under 2 Base DNs? My directory is absolutely MASSIVE. I have users in an "Associates" OU and service accounts in a "Service accounts" OU. Both are at the root of the directory. If I set the search base tot he root, login times are greatly impacted.

Does anyone know if there a way to provide an LDAP search filter to be able to target both OUs without searching the entire directory?

Question on Harbor's pull-based replication

Bipin Jethwani

#150

How does Harbor's pull-based replication work under the hood? WebSocket/watch or HTTP based polling?

Re: API Call for Vulnerability Report

Steven Zou

#149

For vulnerability summary, you can try the API shown below:

'/repositories/{repo_name}/tags/{tag}':
	get:
	summary: Get the tag of the repository.
	description: \|
	This endpoint aims to retrieve the tag of the repository. If deployed with Notary, the signature property of response represents whether the image is singed or not. If the property is null, the image is unsigned.
	parameters:
	- name: repo_name
	in: path
	type: string
	required: true
	description: Relevant repository name.
	- name: tag
	in: path
	type: string
	required: true
	description: Tag of the repository.
	tags:
	- Products
	responses:
	'200':
	description: Get tag successfully.
	schema:
	$ref: '#/definitions/DetailedTag'
	'500':
	description: Unexpected internal errors.

The tag model will include a `scan_overview` if the image has been scanned and it has the vul report (otherwise that field will be empty).

For detailed report including the vulnerability item list, you can use the following API:

'/repositories/{repo_name}/tags/{tag}/scan':

get:
	summary: Get the scan report
	description: \|
	Retrieve the scan report for the artifact identified by the repo_name and tag.
	tags:
	- Scan
	parameters:
	- name: repo_name
	in: path
	type: string
	required: true
	description: Repository name
	- name: tag
	in: path
	type: string
	required: true
	description: Tag name
	- name: Accept
	in: header
	type: string
	description: \|
	Mimetype in header. e.g: "application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0"
	responses:
	200:
	description: The report details of the specified artifact identified by the repo_name and tag.
	schema:
	$ref: '#/definitions/Report'
	'401':
	description: Unauthorized request
	'403':
	description: Request is not allowed
	'404':
	description: The target artifact is not found
	'500':
	description: Internal server error happened

thanks&regards

--

Steven Zou(邹佳）

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

From: <harbor-users@...> on behalf of "brianwadesmith via lists.cncf.io" <brianwadesmith=gmail.com@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Thursday, April 9, 2020 at 23:28
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] API Call for Vulnerability Report

I'm just starting to use the Harbor API and finding it to be very useful. I would like to create an automated report to detail Vulnerabilities discovered through scanning. I see Model references to NativeReportSummary, VulnerabilitySummary, VulnerabilityItem, etc. I cannot figure out how to call this data via the API. I'm sure I'm missing something simple. Could anyone help me out?

API Call for Vulnerability Report

brianwadesmith@...

#148

I'm just starting to use the Harbor API and finding it to be very useful. I would like to create an automated report to detail Vulnerabilities discovered through scanning. I see Model references to NativeReportSummary, VulnerabilitySummary, VulnerabilityItem, etc. I cannot figure out how to call this data via the API. I'm sure I'm missing something simple. Could anyone help me out?

Re: Redis usage

Steven Zou

#147

Please see comments inline.

thanks&regards

--

Steven Zou(邹佳）

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

From: <harbor-users@...> on behalf of "bruno via Lists.Cncf.Io" <bruno=robotinfra.com@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Tuesday, March 31, 2020 at 15:11
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] Redis usage

[Edited Message Follows]
[Reason: add clarification on why I sent this msg]

Many open-source project use redis just as a cache.
What about harbor? why it use it?

>>Steven: harbor core and registry components are using Redis as cache. Jobservice is using Redis as job queue that supports retry and failover restore functions.

I did already my homework on this one, and my last step is too look at harbor code itself... but I have a terrible experiences with beego

I want to be sure if redis data must be:

- persitent on redis statefulset upgrade

>>Steven: Y

- is that data important and must be backup? but as PostgreSQL is already there... I assume critical data that need integrity is stored there. I assume it might just be user sessions.

>>Steven: The underlying job framework is using Redis as queue and some cron spec of periodical jobs launched by jobservice are also stored in Redis

- is redis can be rebuild from PostgreSQL, just not efficient when redis start from a blank PVC.

>>Steven: So far, it cannot. We’re planning to provide a manager (like an inner client of jobservice) that may take some responsibilities to store the stateful data in DB to make sure some data can be rebuilt from DB.

Thanks a lot

Redis usage

bruno@...

#146
Edited

Many open-source project use redis just as a cache.
What about harbor? why it use it?

I did already my homework on this one, and my last step is too look at harbor code itself... but I have a terrible experiences with beego

I want to be sure if redis data must be:

- persitent on redis statefulset upgrade
- is that data important and must be backup? but as PostgreSQL is already there... I assume critical data that need integrity is stored there. I assume it might just be user sessions.
- is redis can be rebuild from PostgreSQL, just not efficient when redis start from a blank PVC.

Thanks a lot

error during docker login - Error response from daemon: Get https://172.26.37.250/v2/: x509: cannot validate certificate for 172.26.37.250 because it doesn't contain any IP SANs

ppinker@...

#145

I can access the Harbor UI - from my mac connected over VPN
but after the install I try to test docker login and get the error
how to I setup IP SANs ?
this VM is running in Openstack on an isolated network