harbor-users@lists.cncf.io

Home Messages Hashtags Subgroups

Expanded

Topics Messages Polls

Export Group Data

Between

and

Import OIDC groups into harbor

tiagomendes93@...

#159

How can I import groups from OIDC into harbor?
Do I have to create a Mapper and then use that mapper on group claim Id?
There is no documentation on this..
Thank you

Re: API Call for Vulnerability Report

Steven Ren

#158

Hi Brian,

In 2.0 UI, we have some stats shown in the UI, could you please take a look whether that matches your query? You are welcome to make your changes in the code to improve Harbor ☺

Best regards,

Steven

From: <harbor-users@...> on behalf of "brianwadesmith via lists.cncf.io" <brianwadesmith=gmail.com@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Friday, May 1, 2020 at 11:53 PM
To: "harbor-users@..." <harbor-users@...>
Subject: Re: [harbor-users] API Call for Vulnerability Report

If anyone is interested, here is the quick script I put together to get these details

Show quoted text

total=0
critical=()
high=()
medium=()
high+=("High risk images\n")
critical+=("Critical risk images\n")
medium+=("Medium risk images\n")
none+=("Images with no risk\n")
unknown+=("UNKNOWN\n")

for x in $(curl -k -s -X GET "https://harbor.xyz.net/api/repositories/top?count=99999" -H "accept: application/json" -H "authorization: Basic <REPLACE>" | jq .[].name);
do
    ((total=$total+1))
    echo "TOTAL::" $total
    x=$(echo $x | cut -d '"' -f 2)
    echo "IMAGE::" $x
    result=$(curl -k -s -X GET "https://harbor.xyz.net/api/repositories/${x}/tags" -H "authorization: Basic <REPLACE>" -H "accept: application/json" | jq '.[] | .scan_overview[]? | .severity')
    echo $result

    if [[ $result == *"Critical"* ]]; then
        critical+="$x\n"
    elif [[ $result == *"High"* ]]; then
        high+="$x\n"
    elif [[ $result == *"Medium"* ]]; then
        medium+="$x\n"
    elif [[ $result == *"None"* ]]; then
        none+="$x\n"
    elif [[ $result == *"Unknown"* ]]; then
        unknown+="$x\n"
    fi
done
echo "TOTAL IMAGES::" $total
printf "$critical"
printf "$high"
printf "$medium"
printf "$none"
printf "$unknown"

Installing Harbor in a docker environment behind LB

tiagomendes93@...

#157

Hello community We are trying to use Harbor in a docker environment behind a LB (HA-PROXY) and integrate it with Keycloack.
It happens that we can't redirrect the call on the harbor instance to the dns defined in the keycloack giving us the error 400 mismatch.
When can we change the callback uri to match the dns created ? Because on the OIDC configuration it has defined the uri to point to the hostname.

We changed the external_url on the harbor.yaml and got no effect..
Has anyone been through this?
Best, Regards

Tiago

Cancelled Event: Harbor Community Meeting - Americas Time zone #cal-cancelled

harbor-users@lists.cncf.io Calendar <harbor-users@...>

#156

Cancelled: Harbor Community Meeting - Americas Time zone

This event has been cancelled.

When:
Wednesday, 31 July 2019
4:00pm to 5:00pm
(UTC-04:00) America/New York
Repeats: Every 2 weeks on Wednesday

Where:
https://zoom.us/j/734959521

Organizer: Harbor

Description:

Hello everyone,

This is a recurring calendar invite for the bi-weekly Harbor community meetings.

There will be two meetings, one for China/Europe time zone, and one for Americas time zone

Please pick the one that fits your schedule best.

To attend, use the following Zoom link: https://zoom.us/j/734959521

Meeting notes, agenda, and recordings of past meetings and other details are located at https://github.com/goharbor/community/blob/master/MEETING_SCHEDULE.md
and

https://github.com/goharbor/community/tree/master/conf-calls

invite.ics

Cancelled Event: Harbor Community Meeting - China/Europe Time zone #cal-cancelled

harbor-users@lists.cncf.io Calendar <harbor-users@...>

#155

Cancelled: Harbor Community Meeting - China/Europe Time zone

This event has been cancelled.

When:
Wednesday, 31 July 2019
9:00pm to 10:00pm
(UTC+08:00) Asia/Chongqing
Repeats: Every 2 weeks on Wednesday

Where:
https://zoom.us/j/734959521

Organizer: Harbor

Description:

Hello everyone,

This is a recurring calendar invite for the bi-weekly Harbor community meetings.
There will be two meetings, one for China/Europe time zone, and one for Americas time zone
Please pick the one that fits your schedule best.

To attend, use the following Zoom link: https://zoom.us/j/734959521

Meeting notes, agenda, and recordings of past meetings and other details are located at https://github.com/goharbor/community/blob/master/MEETING_SCHEDULE.md
and
https://github.com/goharbor/community/tree/master/conf-calls

invite.ics

Re: API Call for Vulnerability Report

brianwadesmith@...

#154

If anyone is interested, here is the quick script I put together to get these details

Show quoted text

total=0
critical=()
high=()
medium=()
high+=("High risk images\n")
critical+=("Critical risk images\n")
medium+=("Medium risk images\n")
none+=("Images with no risk\n")
unknown+=("UNKNOWN\n")

for x in $(curl -k -s -X GET "https://harbor.xyz.net/api/repositories/top?count=99999" -H "accept: application/json" -H "authorization: Basic <REPLACE>" | jq .[].name);
do
    ((total=$total+1))
    echo "TOTAL::" $total
    x=$(echo $x | cut -d '"' -f 2)
    echo "IMAGE::" $x
    result=$(curl -k -s -X GET "https://harbor.xyz.net/api/repositories/${x}/tags" -H "authorization: Basic <REPLACE>" -H "accept: application/json" | jq '.[] | .scan_overview[]? | .severity')
    echo $result

    if [[ $result == *"Critical"* ]]; then
        critical+="$x\n"
    elif [[ $result == *"High"* ]]; then
        high+="$x\n"
    elif [[ $result == *"Medium"* ]]; then
        medium+="$x\n"
    elif [[ $result == *"None"* ]]; then
        none+="$x\n"
    elif [[ $result == *"Unknown"* ]]; then
        unknown+="$x\n"
    fi
done
echo "TOTAL IMAGES::" $total
printf "$critical"
printf "$high"
printf "$medium"
printf "$none"
printf "$unknown"

Re: Replication Failed

Steven Zou

#153

Hi,

Officially doing replication among different versions of Harbor is not supported.

thanks&regards

Steven Zou(邹佳）

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

From: <harbor-users@...> on behalf of "aprado1976 via lists.cncf.io" <aprado1976=gmail.com@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Tuesday, April 21, 2020 at 01:45
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] Replication Failed

Hello,

Is it possible to replicate a 1.7 registry to a 1.10 registry?
The two servers ping in both directions but the sync is not done

Thank you for your help

Replication Failed

aprado1976@...

#152

Hello,

Is it possible to replicate a 1.7 registry to a 1.10 registry?
The two servers ping in both directions but the sync is not done

Thank you for your help

Harbor LDAP User Base DN

brianwadesmith@...

#151

Does anyone know if there is a way to configure LDAP Auth to search under 2 Base DNs? My directory is absolutely MASSIVE. I have users in an "Associates" OU and service accounts in a "Service accounts" OU. Both are at the root of the directory. If I set the search base tot he root, login times are greatly impacted.

Does anyone know if there a way to provide an LDAP search filter to be able to target both OUs without searching the entire directory?

Question on Harbor's pull-based replication

Bipin Jethwani

#150

How does Harbor's pull-based replication work under the hood? WebSocket/watch or HTTP based polling?

Re: API Call for Vulnerability Report

Steven Zou

#149

For vulnerability summary, you can try the API shown below:

'/repositories/{repo_name}/tags/{tag}':
	get:
	summary: Get the tag of the repository.
	description: \|
	This endpoint aims to retrieve the tag of the repository. If deployed with Notary, the signature property of response represents whether the image is singed or not. If the property is null, the image is unsigned.
	parameters:
	- name: repo_name
	in: path
	type: string
	required: true
	description: Relevant repository name.
	- name: tag
	in: path
	type: string
	required: true
	description: Tag of the repository.
	tags:
	- Products
	responses:
	'200':
	description: Get tag successfully.
	schema:
	$ref: '#/definitions/DetailedTag'
	'500':
	description: Unexpected internal errors.

The tag model will include a `scan_overview` if the image has been scanned and it has the vul report (otherwise that field will be empty).

For detailed report including the vulnerability item list, you can use the following API:

'/repositories/{repo_name}/tags/{tag}/scan':

get:
	summary: Get the scan report
	description: \|
	Retrieve the scan report for the artifact identified by the repo_name and tag.
	tags:
	- Scan
	parameters:
	- name: repo_name
	in: path
	type: string
	required: true
	description: Repository name
	- name: tag
	in: path
	type: string
	required: true
	description: Tag name
	- name: Accept
	in: header
	type: string
	description: \|
	Mimetype in header. e.g: "application/vnd.scanner.adapter.vuln.report.harbor+json; version=1.0"
	responses:
	200:
	description: The report details of the specified artifact identified by the repo_name and tag.
	schema:
	$ref: '#/definitions/Report'
	'401':
	description: Unauthorized request
	'403':
	description: Request is not allowed
	'404':
	description: The target artifact is not found
	'500':
	description: Internal server error happened

thanks&regards

Steven Zou(邹佳）

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

From: <harbor-users@...> on behalf of "brianwadesmith via lists.cncf.io" <brianwadesmith=gmail.com@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Thursday, April 9, 2020 at 23:28
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] API Call for Vulnerability Report

I'm just starting to use the Harbor API and finding it to be very useful. I would like to create an automated report to detail Vulnerabilities discovered through scanning. I see Model references to NativeReportSummary, VulnerabilitySummary, VulnerabilityItem, etc. I cannot figure out how to call this data via the API. I'm sure I'm missing something simple. Could anyone help me out?

API Call for Vulnerability Report

brianwadesmith@...

#148

Re: Redis usage

Steven Zou

#147

Please see comments inline.

thanks&regards

Steven Zou(邹佳）

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

From: <harbor-users@...> on behalf of "bruno via Lists.Cncf.Io" <bruno=robotinfra.com@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Tuesday, March 31, 2020 at 15:11
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] Redis usage

[Edited Message Follows]
[Reason: add clarification on why I sent this msg]

Many open-source project use redis just as a cache.
What about harbor? why it use it?

>>Steven: harbor core and registry components are using Redis as cache. Jobservice is using Redis as job queue that supports retry and failover restore functions.

I did already my homework on this one, and my last step is too look at harbor code itself... but I have a terrible experiences with beego

I want to be sure if redis data must be:

- persitent on redis statefulset upgrade

>>Steven: Y

- is that data important and must be backup? but as PostgreSQL is already there... I assume critical data that need integrity is stored there. I assume it might just be user sessions.

>>Steven: The underlying job framework is using Redis as queue and some cron spec of periodical jobs launched by jobservice are also stored in Redis

- is redis can be rebuild from PostgreSQL, just not efficient when redis start from a blank PVC.

>>Steven: So far, it cannot. We’re planning to provide a manager (like an inner client of jobservice) that may take some responsibilities to store the stateful data in DB to make sure some data can be rebuilt from DB.

Thanks a lot

Redis usage

bruno@...

#146
Edited

Many open-source project use redis just as a cache.
What about harbor? why it use it?

I did already my homework on this one, and my last step is too look at harbor code itself... but I have a terrible experiences with beego

I want to be sure if redis data must be:

- persitent on redis statefulset upgrade
- is that data important and must be backup? but as PostgreSQL is already there... I assume critical data that need integrity is stored there. I assume it might just be user sessions.
- is redis can be rebuild from PostgreSQL, just not efficient when redis start from a blank PVC.

Thanks a lot

error during docker login - Error response from daemon: Get https://172.26.37.250/v2/: x509: cannot validate certificate for 172.26.37.250 because it doesn't contain any IP SANs

ppinker@...

#145

I can access the Harbor UI - from my mac connected over VPN
but after the install I try to test docker login and get the error
how to I setup IP SANs ?
this VM is running in Openstack on an isolated network

Re: Limiting label assigning permissions

Steven Zou

#144

Welcome any contributions.

You can check the proposal-process to learn how to propose a new feature and check the CONTRIBUTING guide to learn how to start your 1^st commit.

thanks&regards

Steven Zou(邹佳）

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

From: <harbor-users@...> on behalf of "Julia Vitória Cardoso via Lists.Cncf.Io" <julia.cardoso=saqueepague.com.br@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Monday, March 23, 2020 at 20:51
To: "harbor-users@..." <harbor-users@...>
Subject: RES: [harbor-users] Limiting label assigning permissions

Thanks for answering. Yes, I just confirmed this. The only role that restricts the labels is Guest.

I will try some work around to make the restrictions we need, but it would be very useful to have more granular permissions. Maybe in the future I work in something for this problem.

Thanks again

Julia Cardoso

Segurança de TI julia.cardoso@...

Fone: +55 51 3455-1605 /

+55 51 3455-1687

www.saqueepague.com.br

0251c8a3-ed20-4be3-b223-3324bbb53153

De: harbor-users@... <harbor-users@...> Em nome de Steven Zou via Lists.Cncf.Io
Enviada em: sábado, 21 de março de 2020 00:00
Para: harbor-users@...
Assunto: Re: [harbor-users] Limiting label assigning permissions

Per my understanding, the answer is no so far.

Currently, permissions of adding/removing to the image are granted to `Project Admin`, `Master` and `Developer`. Only `Guest` role has not such permissions, but it also have very minimal/limited permissions to do other actions.

thanks&regards

Steven Zou(邹佳）

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

From: <harbor-users@...> on behalf of "Julia Vitória Cardoso via Lists.Cncf.Io" <julia.cardoso=saqueepague.com.br@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Friday, March 20, 2020 at 23:29
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] Limiting label assigning permissions

Hi there. We are working with labels in Harbor to configure replication of images, but because of this we need to limit who can assign a label to certain image, as this label will provide the replication of the image after approval.

Is this possible?

Julia Cardoso

Segurança de TI julia.cardoso@...

Fone: +55 51 3455-1605 /

+55 51 3455-1687

www.saqueepague.com.br

0251c8a3-ed20-4be3-b223-3324bbb53153

Aviso: O conteúdo integral deste e-mail, incluindo os anexos, é destinado exclusivamente ao(s) destinatário(s) nomeado(s) e contém informações confidenciais. Você está notificado e ciente que qualquer divulgação, disseminação, distribuição, cópia ou outro uso deste conteúdo é terminantemente proibido sem o prévio consentimento por escrito da Saque e Pague e sujeito a penalidade do art. 153 do Código Penal. Se você recebeu esta comunicação por engano, por favor, notifique imediatamente o remetente por e-mail de resposta.

RES: [harbor-users] Limiting label assigning permissions

Julia Vitória Cardoso

#143

Thanks for answering. Yes, I just confirmed this. The only role that restricts the labels is Guest.

I will try some work around to make the restrictions we need, but it would be very useful to have more granular permissions. Maybe in the future I work in something for this problem.

Thanks again

Julia Cardoso

Segurança de TI julia.cardoso@...

Fone: +55 51 3455-1605 /

+55 51 3455-1687

www.saqueepague.com.br

0251c8a3-ed20-4be3-b223-3324bbb53153

Per my understanding, the answer is no so far.

thanks&regards

Steven Zou(邹佳）

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

From: <harbor-users@...> on behalf of "Julia Vitória Cardoso via Lists.Cncf.Io" <julia.cardoso=saqueepague.com.br@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Friday, March 20, 2020 at 23:29
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] Limiting label assigning permissions

Is this possible?

Julia Cardoso

Segurança de TI julia.cardoso@...

Fone: +55 51 3455-1605 /

+55 51 3455-1687

www.saqueepague.com.br

0251c8a3-ed20-4be3-b223-3324bbb53153

Re: Limiting label assigning permissions

Steven Zou

#142

Per my understanding, the answer is no so far.

thanks&regards

Steven Zou(邹佳）

Engineer, MAP(Modern Application Platform), VMware R&D | Harbor Maintainer

Mail: szou@...

GitHub: github.com/steven-zou

Cell: +8618600021252

Addr: 9F Tower C, Raycom Info Tech Park, No. 2 Kexueyuan South Road Haidian District, Beijing 100738 China

From: <harbor-users@...> on behalf of "Julia Vitória Cardoso via Lists.Cncf.Io" <julia.cardoso=saqueepague.com.br@...>
Reply-To: "harbor-users@..." <harbor-users@...>
Date: Friday, March 20, 2020 at 23:29
To: "harbor-users@..." <harbor-users@...>
Subject: [harbor-users] Limiting label assigning permissions

Is this possible?

Julia Cardoso

Segurança de TI julia.cardoso@...

Fone: +55 51 3455-1605 /

+55 51 3455-1687

www.saqueepague.com.br

0251c8a3-ed20-4be3-b223-3324bbb53153

Limiting label assigning permissions

Julia Vitória Cardoso

#141

Is this possible?

Julia Cardoso

Segurança de TI julia.cardoso@...

Fone: +55 51 3455-1605 /

+55 51 3455-1687

www.saqueepague.com.br

0251c8a3-ed20-4be3-b223-3324bbb53153

Re: PersistentVolumeClaims issue on jobservice

Gaurav Negi

#140

After I disabled persistence in value files, it generated the right template and using that

I was able to deploy in k8s cluster.

Thanks

-Gaurav

Show quoted text

On Fri, Mar 13, 2020 at 5:31 PM Gaurav Negi <gaurav.negi@...> wrote:

Dear Harbor experts,
Can you please help me fix the issue I am facing?
I deployed Harbor via using Helm. (generated k8s manifest using helm and then applying kubectl).

1. My jobservice POS are not coming up. All other pods are running.

prod-harbor-harbor-jobservice-65465446bb-6m6gl 0/1 Pending 0 27m

prod-harbor-harbor-jobservice-65465446bb-7n4km 0/1 Pending 0 27m

prod-harbor-harbor-jobservice-65465446bb-8mjcc 0/1 Pending 0 27m

2. Describing pods it says

Events:
Type Reason Age From Message
---- ------ ---- ---- -------

Warning FailedScheduling 18s (x16 over 20m) default-scheduler pod has unbound immediate PersistentVolumeClaims (repeated 6 times)

Some complaint about PersistentVolumeClaims

3. My manifest file says following about the jobservice.

---

# Source: harbor/templates/jobservice/jobservice-pvc.yaml

kind: PersistentVolumeClaim

apiVersion: v1

metadata:

name: prod-harbor-harbor-jobservice

annotations:

helm.sh/resource-policy: keep

labels:

heritage: Helm

release: prod-harbor

chart: harbor

app: "harbor"

component: jobservice

spec:

accessModes:

- ReadWriteOnce

resources:

requests:

storage: 1Gi

---

Any input will be highly appreciated.

Thanks
-Gaurav

161 - 180 of 319

Home Hashtags Subgroups Terms