michael.reber/harbor-podman
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7 Commits 1 Branch 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
root be898b6145 add missing environment variable for trivy
2025-04-22 15:20:06 +02:00
.gitignore
update gitignore
2025-04-22 09:11:52 +02:00
common.sh
first commit
2025-04-21 20:42:49 +02:00
docker-compose.yml
add missing environment variable for trivy
2025-04-22 15:20:06 +02:00
harbor.yml.tmpl
some fixes
2025-04-22 13:44:53 +02:00
install.sh
add missing environment variable for trivy
2025-04-22 15:20:06 +02:00
LICENSE
first commit
2025-04-21 20:42:49 +02:00
prepare
first commit
2025-04-21 20:42:49 +02:00
README.md
update readme
2025-04-22 13:51:11 +02:00

README.md

Harbor on Podman for Rocky Linux 9

This document provides a minimal, engineeroriented guide to deploy Harbor on Rocky Linux 9 using Podman and podmancompose. It covers system preparation, repository setup, configuration, TLS certificate generation and the setup.

1. Prerequisites & System Preparation

  1. Update base system

    sudo -i
dnf update -y

  2. Enable EPEL and install dependencies

    dnf install -y epel-release
dnf install -y \
  podman podman-docker buildah podman-compose \
  python3-pip wget tar gzip git \
  policycoreutils-python-utils

  3. Configure Podman

    • Basic settings
    systemctl enable --now podman.socket
sed -i 's/unqualified-search-registries = \["registry.access.redhat.com", "registry.redhat.io", "docker.io"\]/unqualified-search-registries = ["docker.io"]/g' /etc/containers/registries.conf

    Allow containers to manage cgroups:

    setsebool -P container_manage_cgroup true

  4. Clone your Git repository

    cd /opt
git clone https://code.swissmakers.ch/michael.reber/harbor-podman.git

  5. SELinux configuration Set the correct label on persistent data directory:

    semanage fcontext -a -t svirt_sandbox_file_t "/opt/harbor-podman(/.*)?"
restorecon -R /opt/harbor-podman

  6. Firewall (firewalld)

    sudo firewall-cmd --add-port=443/tcp
sudo firewall-cmd --add-port=443/tcp --permanent

3. TLS Certificate Generation

Generate a selfsigned certificate valid for 10 years:

mkdir -p /opt/harbor-podman/cert
openssl req -newkey rsa:4096 -nodes -x509 -days 3650 \
  -subj "/C=CH/ST=Bern/L=Bern/O=Swissmakers/CN=harbor.swissmakers.ch" \
  -keyout /opt/harbor-podman/cert/harbor.key \
  -out    /opt/harbor-podman/cert/harbor.crt

Apply ownership:

chown -R 1000:1000 /opt/harbor-podman

4. Prepare harbor.yml and set passwords

  • Copy template: 
    cd /opt/harbor-podman
cp harbor.yml.tmpl harbor.yml
  • Update Harbor hostname: 
    sed -i 's|^hostname:.*|hostname: harbor.swissmakers.ch|' harbor.yml
  • Generate random passwords for admin and database: 
    sed -i "s|^harbor_admin_password:.*|harbor_admin_password: \"$(openssl rand -base64 30)\"|" harbor.yml
sed -i "/^database:/ { n; n; s|^  password:.*|  password: \"$(openssl rand -base64 30)\"| }" harbor.yml

5. Run the modified Installer for Podman

  1. Run it with or without included trivy-setup

    ./install.sh --with-trivy

  2. Verify

    podman ps -a
podman logs harbor-core

Detailed Explanation of Key Adjustments here

  • container_manage_cgroup: Allows Podman to manage cgroups under SELinux enforcement.
  • SELinux file context: The svirt_sandbox_file_t label authorizes container runtimes to read/write the data directory.
  • Password randomization: Avoids default weak credentials; injected via openssl rand -base64.
  • Installer script:
    • Removed Docker/docker-compose checks to prevent hard failures under Podman.
    • Overrode DOCKER_COMPOSE to invoke podman-compose transparently.
  • Compose file tweaks:
    • Stripped repetitive logging blocks to maintain podman compatibility.
    • Explicit networks stanza ensures containers attach to the correct overlay.
Description
No description provided
Readme Apache-2.0 59 KiB
Languages
Shell 100%