harbor-podman/README.md
2025-04-22 13:51:11 +02:00


Harbor on Podman for Rocky Linux 9

This document is a minimal, engineer-oriented guide to deploying Harbor on Rocky Linux 9 with Podman and podman-compose. It covers system preparation, repository setup, SELinux and firewall configuration, TLS certificate generation, harbor.yml configuration and running the modified installer.

1. Prerequisites & System Preparation

  1. Update base system

    sudo -i
    dnf update -y
    
  2. Enable EPEL and install dependencies

    dnf install -y epel-release
    dnf install -y \
      podman podman-docker buildah podman-compose \
      python3-pip wget tar gzip git \
      policycoreutils-python-utils
    
  3. Configure Podman

    • Basic settings: enable the Podman API socket and make unqualified image names resolve to docker.io only. The latter is needed because the Harbor compose file references its images without a registry prefix (goharbor/...); with the default list Podman would otherwise prompt interactively or fail.
    systemctl enable --now podman.socket
    sed -i 's/unqualified-search-registries = \["registry.access.redhat.com", "registry.redhat.io", "docker.io"\]/unqualified-search-registries = ["docker.io"]/g' /etc/containers/registries.conf
    

    Allow containers to manage cgroups:

    setsebool -P container_manage_cgroup true
    
  4. Clone your Git repository

    cd /opt
    git clone https://code.swissmakers.ch/michael.reber/harbor-podman.git
    
  5. SELinux configuration

    Set the correct label on the persistent data directory (semanage comes from policycoreutils-python-utils installed above):

    semanage fcontext -a -t svirt_sandbox_file_t "/opt/harbor-podman(/.*)?"
    restorecon -R /opt/harbor-podman
    
  6. Firewall (firewalld)

    firewall-cmd --add-port=443/tcp
    firewall-cmd --add-port=443/tcp --permanent
    

3. TLS Certificate Generation

Generate a self-signed certificate valid for 10 years. The subjectAltName entry is not optional: podman, docker and other Go-based TLS clients ignore the CN and reject a certificate whose SAN does not contain the hostname.

mkdir -p /opt/harbor-podman/cert
openssl req -newkey rsa:4096 -nodes -x509 -days 3650 \
  -subj "/C=CH/ST=Bern/L=Bern/O=Swissmakers/CN=harbor.swissmakers.ch" \
  -addext "subjectAltName=DNS:harbor.swissmakers.ch" \
  -keyout /opt/harbor-podman/cert/harbor.key \
  -out    /opt/harbor-podman/cert/harbor.crt

Apply ownership to the whole tree, certificate and private key included:

chown -R 1000:1000 /opt/harbor-podman
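
As an added example (not code from the harbor-podman repository), the same certificate issued with a SAN, the two checks worth running before pointing clients at it, and the per-registry trust directory that podman, buildah and skopeo consult (/etc/containers/certs.d/<host>/ca.crt). Hostname, directory and subject fields are assumptions taken from this README; the optional ROOT parameter of install_client_trust exists only so the function can be exercised against a scratch directory.

```shell
#!/usr/bin/env bash
# Added example, not part of the harbor-podman repository. Assumed names:
# /opt/harbor-podman/cert as the certificate directory and
# harbor.swissmakers.ch as the registry hostname.
set -eu

# gen_harbor_cert DIR HOST [DAYS]
# Writes DIR/harbor.key (0600) and DIR/harbor.crt (0644). The SAN is what
# Go TLS clients (podman, docker, Harbor's own components) validate; a
# CN-only certificate is rejected by them.
gen_harbor_cert() {
    local dir="$1" host="$2" days="${3:-3650}"
    mkdir -p "$dir"
    ( umask 077
      openssl req -newkey rsa:4096 -nodes -x509 -sha256 -days "$days" \
        -subj "/C=CH/ST=Bern/L=Bern/O=Swissmakers/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$dir/harbor.key" -out "$dir/harbor.crt" )
    chmod 644 "$dir/harbor.crt"   # the key keeps the 0600 from the umask
}

# cert_has_san CRT HOST: true if the SAN extension lists DNS:HOST
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -qFw "DNS:$2"
}

# cert_matches_key CRT KEY: true if the certificate was issued for KEY
# (compares the PEM public keys derived from both files)
cert_matches_key() {
    local from_crt from_key
    from_crt="$(openssl x509 -in "$1" -noout -pubkey)"
    from_key="$(openssl pkey -in "$2" -pubout)"
    [ "$from_crt" = "$from_key" ]
}

# install_client_trust CRT HOST [ROOT]
# containers/image (podman, buildah, skopeo) trusts ROOT/etc/containers/
# certs.d/HOST/ca.crt for registry HOST. ROOT defaults to / and is only a
# parameter so the function can be tested in a scratch directory.
install_client_trust() {
    local crt="$1" host="$2" root="${3:-}"
    local dst="$root/etc/containers/certs.d/$host"
    mkdir -p "$dst"
    install -m 0644 "$crt" "$dst/ca.crt"
}

# Usage on the Harbor host (assumed names):
#   gen_harbor_cert /opt/harbor-podman/cert harbor.swissmakers.ch
#   cert_has_san /opt/harbor-podman/cert/harbor.crt harbor.swissmakers.ch
#   cert_matches_key /opt/harbor-podman/cert/harbor.crt /opt/harbor-podman/cert/harbor.key
#   install_client_trust /opt/harbor-podman/cert/harbor.crt harbor.swissmakers.ch
```

Copy the same ca.crt into /etc/containers/certs.d/harbor.swissmakers.ch/ on every client host that will podman pull or podman push against the registry; without it, clients fail with an "unknown authority" error rather than a hostname mismatch.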

4. Prepare harbor.yml and set passwords

  • Copy template:
    cd /opt/harbor-podman
    cp harbor.yml.tmpl harbor.yml
    
  • Update Harbor hostname:
    sed -i 's|^hostname:.*|hostname: harbor.swissmakers.ch|' harbor.yml
    
  • Generate random passwords for the admin user and the database:
    sed -i "s|^harbor_admin_password:.*|harbor_admin_password: \"$(openssl rand -base64 30)\"|" harbor.yml
    sed -i "/^database:/ { n; n; s|^  password:.*|  password: \"$(openssl rand -base64 30)\"| }" harbor.yml

    The second sed assumes the template layout, in which the password line is the second line after database: (a comment sits between them); check the result before installing. The generated admin password is not printed anywhere, so read it out of harbor.yml and store it in your password manager before the first login; harbor.yml now holds secrets and should not be world-readable. If the template still carries the upstream placeholder paths under https:, point certificate and private_key at the files created in step 3.
    

5. Run the modified installer for Podman

  1. Run it, with or without the bundled Trivy scanner (omit --with-trivy to skip it)

    ./install.sh --with-trivy
    
  2. Verify

    podman ps -a
    podman logs harbor-core
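
As an added example (not code from the harbor-podman repository), post-install checks that go beyond eyeballing podman ps -a: list the containers that are not running, and poll Harbor's health endpoint until every component reports healthy, naming the unhealthy ones on timeout so you know which log to read next. The hostname and certificate path are assumptions taken from this README; /api/v2.0/health is Harbor's unauthenticated health endpoint. The parsing functions read stdin so they can be exercised on saved output.

```shell
#!/usr/bin/env bash
# Added example, not part of the harbor-podman repository. Assumed names:
# harbor.swissmakers.ch and /opt/harbor-podman/cert/harbor.crt.
set -eu

# failed_containers: reads "podman ps -a --format '{{.Names}} {{.Status}}'"
# from stdin and prints every container whose status is not "Up ...", i.e.
# Exited, Created or Restarting ones.
failed_containers() {
    awk 'NF >= 2 && $2 != "Up" { print $1 }'
}

# unhealthy_components: reads the health JSON from stdin and prints the name
# of every component whose status is not "healthy". Harbor emits each
# component as {"name":"...","status":"...","error":"..."}, so a plain grep
# is sufficient; no JSON tool is needed on the host.
unhealthy_components() {
    grep -o '"name":"[^"]*","status":"[^"]*"' \
        | grep -v '"status":"healthy"' \
        | sed 's/^"name":"\([^"]*\)".*/\1/'
}

# is_healthy: reads the health JSON from stdin; true only when the response
# is a real health document and lists no unhealthy component. An empty body
# (curl failed, nginx not up yet) is therefore "not healthy".
is_healthy() {
    local body
    body="$(cat)"
    printf '%s' "$body" | grep -q '"components"' \
        && [ -z "$(printf '%s' "$body" | unhealthy_components)" ]
}

# wait_for_health HOST [TRIES]: poll every 5 seconds until Harbor reports
# healthy; on timeout print the unhealthy components and fail.
wait_for_health() {
    local host="$1" tries="${2:-30}" i=1 body=""
    while [ "$i" -le "$tries" ]; do
        body="$(curl -s --cacert /opt/harbor-podman/cert/harbor.crt \
                     "https://$host/api/v2.0/health" || true)"
        if printf '%s' "$body" | is_healthy; then
            echo "harbor on $host is healthy"
            return 0
        fi
        i=$((i + 1))
        sleep 5
    done
    echo "harbor on $host not healthy after $tries attempts; unhealthy components:" >&2
    printf '%s' "$body" | unhealthy_components >&2
    return 1
}

# Usage on the Harbor host (assumed names):
#   podman ps -a --format '{{.Names}} {{.Status}}' | failed_containers
#   wait_for_health harbor.swissmakers.ch
#   podman login harbor.swissmakers.ch -u admin
```

A final podman login with the admin password from harbor.yml is the real end-to-end check: it exercises the certificate, the SAN, the client trust directory and the core service in one step.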
    

Detailed Explanation of Key Adjustments

  • container_manage_cgroup: allows Podman to manage cgroups under SELinux enforcement.
  • SELinux file context: the svirt_sandbox_file_t label (an alias of container_file_t) authorizes container processes to read and write the data directory; without it the bind mounts fail with permission denied in enforcing mode.
  • Password randomization: avoids the weak default credentials shipped in the template; values are injected with openssl rand -base64.
  • Installer script:
    • Removed the Docker/docker-compose checks that would otherwise fail hard under Podman.
    • Overrode DOCKER_COMPOSE so that podman-compose is invoked transparently.
  • Compose file tweaks:
    • Stripped the repetitive logging blocks, which podman-compose does not handle.
    • Added an explicit networks stanza so that all containers attach to the same Podman network.