Hello everybody, thank you for joining our talk today about Harbor. So if you're not interested in Harbor, you're in the wrong session. All right, my name is Vadim Bauer. I'm one of the co-maintainers of Harbor, together with Yan Wang, and today we're gonna talk about Harbor, and specifically we're gonna talk about some Harbor superpowers that you maybe already know of, maybe not. And then Yan Wang is gonna talk about some of the features that we developed in the last half year that are already available and that you can use, and he's gonna dive a bit into the details of those features. And we're gonna give an outlook about what to expect from Harbor in the next release, and then we'll close with ways how you can collaborate with us, and also pick up some t-shirts here.

Okay, so if you don't know it, Harbor is a container registry, right? So it's been existing since 2016 and it's a graduated project in the CNCF. It is a registry to, you know, store images and OCI artifacts. But more importantly, it is a container image management solution. So you really can manage the life cycle of your container images, which makes Harbor somewhat special compared to a simple storage solution where you just store images, right? So it has the policies, role-based access control, vulnerability analytics and signing possibilities like Notary and Cosign. Over the years Harbor has gained quite some popularity, and I'm confident to say that Harbor is probably today one of the most popular and widely used container registries, specifically in on-prem environments. In the cloud it's a bit different, of course, but on-prem, self-hosted, Harbor is the de facto standard. And I mean, don't take my word for that, because I'm obviously biased, but this is for example what Victor says about Harbor. This is what he says about Harbor in one of his YouTube episodes, so he knows what he's talking about. And as I said, Harbor has a ton of features, right?
So it has access control, artifact distribution, security, compliance. But, you know, with all these features it's a bit difficult to understand what it actually does, so I'm gonna focus a bit on the superpowers of Harbor, and I picked three of those today for you. One of the superpowers of Harbor is that it works remarkably well for small teams. Like, you know, if you have a team of five people, three, four people who want to have a registry, it works equally well for small teams as well as for large enterprises. For enterprises, of course, features like robust access controls, IDP and SSO are the de facto standard in the industry, and they're available with Harbor, and you can use them not only for authentication, but also for authorization. So you can do authorization and bring the authorization from your identity provider into Harbor and use this to authenticate and authorize users on different projects, and I'm gonna show this quickly. Then the second superpower of Harbor is that Harbor makes CISOs happy. You know, how does it make CISOs happy? Because typically people use Harbor as a central registry, like they aggregate all the images in one registry, and this is of course very good, it makes CISOs happy, because everything is in one place.
It is transparent, you know which images are used in your organization. You have replications and proxying, so that you can, you know, ingest other registries, and they have an overview about vulnerabilities, and you can also hook other scanning tools and security tools into Harbor, so that you can, you know, do other things with Harbor which we don't provide out of the box. You can hook them in quite easily. And then the third superpower is that it's the ops people's darling, right? And why is it the ops people's darling? Because it has automation. You can use the REST API to automate Harbor, you can automate workflows with Harbor, so you can collaborate in teams. You can use Terraform, you can use Pulumi to automate, not the deployment itself, of course, you know, this is obvious, but you can also use Terraform and Pulumi to modify the configuration of Harbor, right? So you can use it for, you know, GitOps workflows for your teams, and this is really powerful functionality that you get out of the box, and this is why ops people love Harbor. And then there are operational controls, right? You have an advanced garbage collection, which differs a bit from the Docker Distribution that we are using. I mean, Harbor is based on Docker Distribution and we use Docker Distribution underneath, but we have our own garbage collection, which has the power that it runs, and can, you know, run while your registry is operating. So you don't have to switch the registry into read-only mode like you do with Docker Distribution. You have the quotas and policies, so you can control your registry quite powerfully. And I'm just quickly showing what you can do with Harbor. So I have here a demo instance of Harbor. Let me check if this is working. Exactly. So this is a demo instance. I can recommend you just go to demo.goharbor.io and you can log in there as admin, and Harbor1345 is the password. It's really for demo purposes.
That's why I can hand out the password here, and a lot of things get reset after a while. So when we talk about the first superpower, that, you know, this works for small teams and enterprises: you can select a project here. A project is kind of a namespace, and then you can add members. You can use users and groups, and you can add those users and groups into Harbor and, you know, assign them permissions. This is quite straightforward. This, you know, works for small and larger teams. And then the other functionality is the IDP. So the IDP is the way how... You cannot select it now, because we have database authentication enabled. Just delete all the users, that's why it's a demo instance, right? And we can switch to the OIDC provider, for example, and then we of course set all the OIDC settings, and here we can import our groups, right, admin group or user group, so that users that you import from the IDP are automatically mapped to groups in Harbor, and so you can assign groups to projects, and that, you know, automatically puts people, when they log in, in the right group with the right permissions in the right project, which is a quite powerful feature for ops people to use. Then the CISO part, and Yan Wang is gonna talk about this more in detail, but I'm just quickly showing that you have the possibility to have these vulnerability overviews, right? So you have the possibility to view the vulnerabilities on a project basis. Let's take a look at this one, for example. It's not scanned. Let's take this one. Yeah, this is a good project.
Yeah, for example, you can see the vulnerabilities based on an image, and then you have also the other option to view vulnerabilities, images that contain vulnerabilities, or the other way around. And yeah, the third option is a bit difficult to tell or to show, because it's mostly REST API based, but you have the possibility to use the garbage collection, so that your images are not getting out of control. And the quotas and policies are something that you can, of course, as an ops person, use to restrict who gets how much data on your registry, so that you're not ending up with terabytes of data, and you can run lean and efficiently. And these are basically the superpowers of Harbor. There are of course many more features, but I just wanted to focus on what I think are the unique functionalities of Harbor and what makes it stand out from other registries. And then in the next one, I'm handing over to Yan Wang, and he will tell you more about the features of Harbor. Thank you.

Hi, this is Yan from our team. Currently I'm working at VMware, and I'm the maintainer of the Harbor project and the Distribution project. I'm currently leading this project. So I'm gonna show you what we have done in 2.9 and what I'm doing for 2.10, and what we'll do in the future. So the latest anchor feature in 2.9 is regarding OCI. So some of you may already know that Harbor is an OCI-compatible registry, so adopting the latest changes of the upstream OCI spec is a top priority for us. So I can give you a little background regarding the OCI spec. Originally Harbor was designed to manage Docker images. With the introduction of OCI, this got changed. So you can package any files into artifacts, like Docker images, Helm charts, SBOMs, text and even videos.
So Harbor is capable of managing those individual artifacts, and one step further, OCI 1.1 allows you to establish the relationship between those individual artifacts. So that means you can associate any artifact to a subject manifest without altering the subject manifest itself, like the figure shows. You can improve your artifact security by adding elements like signatures as well. So in addition to that, you can replicate those artifacts as a whole. That means that the policy settings you define in Harbor A, those settings still work in Harbor B, because nothing was lost during replication. And what's more, we had some cooperation with the OCI client teams like Notation, namely Notary version 2, to define some security features, which I will show in the demo. So I will show you the demo regarding OCI. So I will firstly try to push the demo artifact. So after you refresh Harbor, you can see the demo artifact. Then I will try to enable the Notation policy. That means that when you try to pull the image, if you do not have the signature of Notation, you cannot pull that image. So here is the error message: the image is not signed by Notation. So next let's try to use Notation to sign this demo image. So after you use Notation to sign this, you will see a new signature attached to the demo artifact. So after refresh you can see the signature is attached to the demo subject. So then let's try to pull the demo artifact again. So you can see now it succeeds. So that means we have a signature for this artifact.
So lastly I will try to use ORAS, ORAS is an OCI client, to push an SBOM of the demo artifact. Here I add some annotations for my SBOM artifact, and we should know that we are using the OCI 1.1 mode to push the SBOM. So after we push the JSON file, you will see there are two attachments of the demo artifact. So you can see, after we go into the details, we can see the annotations that we set in the ORAS CLI. So next let's try to use Notation to sign this SBOM artifact. So I will copy the digest of the SBOM, and then I will try to use Notation to sign this artifact. So after a while you will see there is a third level of the whole bunch of artifacts, so the last level is the signature of the SBOM. So because you can attach any kind of artifact to your subject manifest, here I will try to upload a CVE report of this artifact to attach to the demo. So a similar command: I define some annotations and use the OCI 1.1 mode and specify the subject manifest and the local file. So after a while, you will see there is one more accessory attached to the demo subject. So you can see the annotation that I defined in the command line. So next is the last step, as you can use Notation to sign this CVE report to guarantee the security of my subject. So after signing the last subject, I will expand the whole structure of this subject. You will see we have three levels, and two signatures and one SBOM and one CVE report. So lastly I will use the `oras discover` command to view the whole structure of the demo artifact. So the output is in tree mode, so we can see the result here: the same graphic as the Harbor UI shows. So it's worth noting that Harbor and ORAS do not customize anything for each other. We are simply coding based on the same specification, that is the OCI spec. So the next is the Security Hub.
So we have already recognized that security remains a big concern within the community, especially when it comes to the safety of artifacts. So we want to do some enhancement from the perspective of the artifact registry. Harbor allows you to CVE scan your artifact and establish the pull policies around this, but it lacks a comprehensive centralized view for monitoring the overall status of your Harbor instance and the associated artifacts. This is where the Security Hub comes in. With the Security Hub you can achieve a more powerful approach to security. The Security Hub provides an overview dashboard, making it easier for you to define and conduct a CVE search. You can quickly identify how many artifacts are impacted by a specific CVE and who the owners are, so you can quickly notify the owner to fix and address the CVE as soon as possible. So why we name it a Hub is because we would like to continue adding more security functionality to this central platform. So the CVE search is just the initial step in this journey. So beside the anchor features, we did a lot of enhancements in 2.9. One such improvement is in the area of garbage collection. So you may know that Harbor supports a single thread to remove the garbage from the backend storage, but we have received feedback from some of our users from the community who reported that the performance was not up to their expectation, with some taking days or even weeks to finish their garbage collection process.
So now Harbor introduces multiple deletion. This allows you to specify the number of workers to handle the file deletion in parallel. And another key point we have been focusing on is performance and stability. Many of our users rely on Harbor for their commercial needs and serve the content for their customers. So in the last several releases we continued to improve on the performance, especially on the multiple concurrency pulling and pushing. So I can show you some data: one user reported that their Harbor instance can serve six million pulls per hour, and another user I met at the last KubeCon Europe told me that their Harbor instance has been running without any downtime for an entire year. So if you find yourself in a similar situation, we highly recommend you to upgrade to the latest patch. Here is the demo regarding the Security Hub. I just pushed a Redis image and then try to use Harbor to scan the Redis image. So after scanning you will see the CVEs listed in the details page of the artifact. So now let's jump to the Security Hub page. So here you can see the overall status of CVEs, and then you can see the most dangerous artifacts and the most dangerous CVEs that you should care about. And so in the following grid is the vulnerability search. So here you can customize several categories like CVE ID, severity, and in the grid we list all the required information of a vulnerability. So you can select the Redis, and the CVEs belonging to it will be listed. You can also select with CVE ID: you can specify any ID you want, and you will see which artifact will be impacted. Also, you can search with severity, meaning higher than the minimum, and lastly you can search with score. Here I just specified a range from 8 to 10, so then you can see all the results belonging to this range. So here is the overview of the Security Hub page.
So you can jump to the artifact by the link here also. So next let's try to remove the Redis artifact, and then after removing it, I will try to execute a garbage collection. So like I mentioned earlier, we enabled multiple deletion, so here you can specify the worker count to do the multiple deletion in parallel. So after you specify the workers to two, that means there are two workers running in the backend to remove files. So there's another small enhancement, which means you can get the summary in the GC history grid, to a point how many artifacts and blobs were removed and how much space was freed up, and by clicking the log you could see there are two workers running in parallel, and each worker has a unique identity. So you can see this from the log here. So the multiple deletion will accelerate the GC execution, so you can try that. And so the last one is the banner message. So a lot of users from the community asked us that they want to customize a message to their users when they maintain their Harbor instance. So here you can try to customize the message, the level and the expiration time. So like I just said hello to KubeCon, and the banner is closable, and you can also update it to an info level and disable the closable. So now you can just reveal the information, but you cannot remove it. So this is quite useful for you to maintain your Harbor instance. Okay, so what are we doing right now? Robot full access. So it was one of the hardest topics in the community. The robot account was originally designed to access all Harbor APIs, but currently we only exposed a small part of them, 16 and below, so even though you still can leverage the API to create a robot with a customized scope, it can be quite challenging, especially for those who are not familiar with the Harbor API ecosystem, because we have hundreds of endpoints. So to simplify this process we have refined the Harbor UI to add a user-friendly tutorial that gets you through creating a new robot.
You can just specify the permissions as you like, in a single screen. So I just have a quick demo here. When I try to create a project-level robot, you should firstly specify some basic information. Sorry. So after that you can select the required permissions in this step, so you can select all, or you can customize any you want. So after that you will finish the creation and you can see the scope in the grid. So lastly I will try to create a system-level robot. So the difference here is that you have to select the scope for the system, and you can also select the scope for projects too. After specifying the basic information, you can specify the scope for the system level. We have a lot of actions, we have a lot of resources, and you can customize anything you want to. So after you select the system level, you will jump to the project level. So for this specific robot, if you want to cover all projects, just click the checkbox, but if you want to specify any specific project, just select that project and select the permissions. So this is the robot full access. So this feature will be released in the coming release.
That is 2.10. So, the Pluggable Scanner Spec. So you may already know that Harbor currently supports Trivy as a built-in scanner to detect CVEs. In theory, Harbor can actually have the capability to support any kind of third-party scanner. How to do this? As a scanner developer, all you need to do is to implement an adapter based on the Pluggable Scanner Spec. The Pluggable Scanner Spec is the standardized behavior definition of a scanner. It defines how a scanner should interact with Harbor to finish the artifact scanning. So in our most recent release, 1.2, our goal is to enhance this spec, making it more flexible to enable more capabilities of the scanners. So currently we support vulnerability scan; next is SBOM; the future should be CIS and misconfiguration. So what about the metadata? The metadata is the description of the scanner, including capabilities, but the previous version was rather general. So in 1.2 we enhanced the response to give more specific information, like the scanner will tell Harbor that I can scan vulnerabilities and I can scan SBOM. So with the enhanced response, when Harbor issues a scanning request, it can specify the exact capability required for the scanner to execute. So for example, Harbor issued a scanning request that included both CVE/vulnerability and SBOM scanning. Let me talk about the future. So this is the future slide. So everything regarding the safety of your artifacts is our top priority.
I believe SBOM support is a key area that we want to focus on, but please keep in mind that everything is still in the design phase and nothing is finalized. But however, I still wanted to share some basic ideas with you. Firstly, we would like to leverage the Pluggable Scanner Spec to work with the Trivy team to generate the SBOM and attach the SBOM to the subject manifest as an accessory, like I showed in the OCI 1.1 support. So next we plan to integrate the Security Hub with SBOM to provide more insights. For example, a user will be able to conduct a package or library search based on the SBOM content. And now we are working closely with the Trivy team to enhance the image scanning performance. This collaboration will eliminate the need for a scanner to fetch the entire artifact, but just the SBOM. You may know that the size of an SBOM is KB, but the size of an artifact could be a gigabyte. Yeah, so it can save time and save IO traffic. And lastly we wanted to define some policy around the content of the SBOM, like someone cannot pull any specific image with the OpenSSL version equal to 100, for example. But again, everything is in the draft phase, so I'm happy to listen to your requirements, your needs, and how you would like to see the integration.
And so we are seeking collaboration and contribution from the community. And so if you love Harbor, if you have interest in the development of Harbor, feel free to join the mailing list through this link. You can ask questions in the Slack channel, or you can join the community meeting. Thank you. That's all.

As a closing remark, we have a few of the swag here, some t-shirts, Harbor t-shirts, I think as well a few cups. If you have questions, I mean we are running out of time now, if you have questions you can ask your questions and come to the booth. We have a booth at the project section in the conference hall there, and you can come after now to the booth and you can place your questions there. We are there today afternoon and tomorrow in the morning, right? Afternoon as well. Okay. Yeah, so we are there in the afternoon. We are there, you can come there and we can chat with you and discuss your questions that you have regarding Harbor. Thank you very much.
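The OCI 1.1 subject relationship and the "pull only if signed by Notation" policy shown in the demo, as an added worked example (Python, not code from the talk or from the Harbor or ORAS projects): it builds a constructed in-memory set of manifests, walks the referrers into the same tree the Harbor UI and `oras discover` render, and evaluates the policy before and after signing. The `application/vnd.example.cve-report+json` type and all digests are constructed; the Notation and SPDX media types are the real ones.

```python
"""Added example: OCI 1.1 referrers (the `subject` field) walked the way the
Harbor UI and `oras discover` render them, plus a "must be signed by Notation"
pull check. Everything here is constructed in memory; no registry is contacted."""
import hashlib
import json

NOTATION_SIG = "application/vnd.cncf.notary.signature"  # Notation's signature artifact type
SBOM_TYPE = "application/spdx+json"                     # SPDX SBOM media type
CVE_REPORT = "application/vnd.example.cve-report+json"  # hypothetical type for the demo's CVE report


def digest_of(manifest):
    """Content-addressed digest a registry would compute over the manifest bytes."""
    raw = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def attach(registry, artifact_type, subject, annotations=None):
    """Push an artifact manifest whose `subject` references an existing manifest.
    The subject is never modified, which is the point of OCI 1.1 referrers."""
    if subject not in registry:
        raise KeyError("subject manifest must already exist: " + subject)
    manifest = {"artifactType": artifact_type, "subject": {"digest": subject},
                "annotations": annotations or {}}
    digest = digest_of(manifest)
    registry[digest] = manifest
    return digest


def referrers(registry, subject, artifact_type=None):
    """Digests of manifests pointing at `subject`, optionally filtered by
    artifactType (what the /referrers API answers)."""
    return sorted(d for d, m in registry.items()
                  if m.get("subject", {}).get("digest") == subject
                  and (artifact_type is None or m["artifactType"] == artifact_type))


def tree(registry, root, depth=0):
    """Indented lines mirroring the three-level structure shown in the demo."""
    label = registry[root].get("artifactType", "image") + "  " + root[:19]
    lines = ["  " * depth + label]
    for child in referrers(registry, root):
        lines.extend(tree(registry, child, depth + 1))
    return lines


def pull_allowed(registry, digest, require_notation):
    """Deployment-policy check: with the Notation policy on, the pull succeeds
    only if at least one Notation signature is attached to the subject."""
    if not require_notation:
        return True
    return bool(referrers(registry, digest, NOTATION_SIG))


def demo():
    """Replay the talk's sequence: push image, fail pull, sign, attach SBOM and
    CVE report, sign each of those, then view the tree."""
    reg = {}
    image_manifest = {"mediaType": "application/vnd.oci.image.manifest.v1+json", "layers": []}
    image = digest_of(image_manifest)
    reg[image] = image_manifest
    before = pull_allowed(reg, image, True)          # unsigned: denied
    attach(reg, NOTATION_SIG, image)                  # notation sign demo image
    sbom = attach(reg, SBOM_TYPE, image, {"org.opencontainers.image.title": "sbom.json"})
    attach(reg, NOTATION_SIG, sbom)                   # notation sign the SBOM
    report = attach(reg, CVE_REPORT, image, {"org.opencontainers.image.title": "cve.json"})
    attach(reg, NOTATION_SIG, report)                 # notation sign the CVE report
    return {"image": image, "registry": reg, "pull_before": before,
            "pull_after": pull_allowed(reg, image, True), "tree": tree(reg, image)}


if __name__ == "__main__":
    print("\n".join(demo()["tree"]))
```

Running it prints the image at the root, the signature, SBOM and CVE report one level down, and the two signatures on the SBOM and report at the third level; the policy denies the pull before the first signature and allows it afterwards.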