You set system level parameters for Harbor in the harbor.yml file that is contained in the installer package. These parameters take effect when you run the install.sh script to install or reconfigure Harbor.

After the initial deployment and after you have started Harbor, you perform additional configuration in the Harbor Web Portal.

Required Parameters

The table below lists the parameters that must be set when you deploy Harbor. By default, all of the required parameters are uncommented in the harbor.yml file. The optional parameters are commented with #. You do not necessarily need to change the values of the required parameters from the defaults that are provided, but these parameters must remain uncommented. At the very least, you must update the hostname parameter.

IMPORTANT: Harbor does not ship with any certificates. In versions up to and including 1.9.x, by default Harbor uses HTTP to serve registry requests. This is acceptable only in air-gapped test or development environments. In production environments, always use HTTPS. If you enable Content Trust with Notary to properly sign all images, you must use HTTPS.

You can use certificates that are signed by a trusted third-party CA, or you can use self-signed certificates. For information about how to create a CA, and how to use a CA to sign a server certificate and a client certificate, see Configuring Harbor with HTTPS Access.

Required Parameters for Harbor Deployment
ParameterSub-parametersDescription and Additional Parameters
hostnameNoneSpecify the IP address or the fully qualified domain name (FQDN) of the target host on which to deploy Harbor. This is the address at which you access the Harbor Portal and the registry service. For example, 192.168.1.10 or reg.yourdomain.com. The registry service must be accessible to external clients, so do not specify localhost, 127.0.0.1, or 0.0.0.0 as the hostname.
http Do not use HTTP in production environments. Using HTTP is acceptable only in air-gapped test or development environments that do not have a connection to the external internet. Using HTTP in environments that are not air-gapped exposes you to man-in-the-middle attacks.
 portPort number for HTTP, for both Harbor portal and Docker commands. The default is 80.
https Use HTTPS to access the Harbor Portal and the token/notification service. Always use HTTPS in production environments and environments that are not air-gapped.
 portThe port number for HTTPS, for both Harbor portal and Docker commands. The default is 443.
 certificateThe path to the SSL certificate.
 private_keyThe path to the SSL key.
internal_tls Use HTTPS to communicate between harbor components
 enabledSet this flag to true means internal tls is enabled
 dirThe path to the directory that contains internal certs and keys
harbor_admin_passwordNoneSet an initial password for the Harbor system administrator. This password is only used on the first time that Harbor starts. On subsequent logins, this setting is ignored and the administrator’s password is set in the Harbor Portal. The default username and password are admin and Harbor12345.
database Use a local PostgreSQL database. You can optionally configure an external database, in which case you can deactivate this option.
 passwordSet the root password for the local database. You must change this password for production deployments.
 max_idle_connsThe maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
 max_open_connsThe maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
 conn_max_lifetimeThe maximum amount of time a connection may be reused. If it <= 0, connections are not closed due to a connection’s age.
 conn_max_idle_timeThe maximum amount of time a connection may be idle. If it <= 0, connections are not closed due to a connection’s idle time.
data_volumeNoneThe location on the target host in which to store Harbor’s data. This data remains unchanged even when Harbor’s containers are removed and/or recreated. You can optionally configure external storage, in which case deactivate this option and enable storage_service. The default is /data.
trivy Configure Trivy scanner.
 ignore_unfixedSet the flag to true to display only fixed vulnerabilities. The default value is false
 security_checkComma-separated list of what security issues to detect. Possible values are vuln, config and secret. Defaults to vuln.
 skip_updateYou might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues. If the flag is enabled you have to download the trivy-offline.tar.gz archive manually, extract and the trivy.db and metadata.json files and mount them in the /home/scanner/.cache/trivy/db/trivy.db path in container. The default value is false
 insecureSet the flag to true to skip verifying registry certificate. The default value is false
 github_tokenSet the GitHub access token to download Trivy DB. Trivy DB is downloaded by Trivy from the GitHub release page. Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough for production operations. If, for any reason, it’s not enough, you could increase the rate limit to 5000 requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult https://developer.github.com/v3/#rate-limiting .You can create a GitHub token by following the instructions in https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
jobservicemax_job_workersThe maximum number of replication workers in the job service. For each image replication job, a worker synchronizes all tags of a repository to the remote destination. Increasing this number allows more concurrent replication jobs in the system. However, since each worker consumes a certain amount of network/CPU/IO resources, set the value of this attribute based on the hardware resource of the host. The default is 10.
notificationwebhook_job_max_retrySet the maximum number of retries for web hook jobs. The default is 10.
chartabsolute_urlSet to enabled for Chart to use an absolute URL. Set to deactivated for Chart to use a relative URL.
log Configure logging. Harbor uses rsyslog to collect the logs for each container.
 levelSet the logging level to debug, info, warning, error, or fatal. The default is info.
 localSet the log retention parameters:
  • rotate_count: Log files are rotated rotate_count times before being removed. If count is 0, old versions are removed rather than rotated. The default is 50.
  • rotate_size: Log files are rotated only if they grow bigger than rotate_size bytes. Use k for kilobytes, M for megabytes, and G for gigabytes. 100, 100k, 100M and 100G are all valid values. The default is 200M.
  • location: Set the directory in which to store the logs. The default is /var/log/harbor.
 external_endpointEnable this option to forward logs to a syslog server.
  • protocol: Transport protocol for the syslog server. Default is TCP.
  • host: The URL of the syslog server.
  • port: The port on which the syslog server listens
proxy Configure proxies to be used by trivy-adapter, the replication jobservice, and Harbor. Leave blank if no proxies are required. Some proxies have whitelist settings, if Trivy is enabled, you need to add the following urls to the proxy server whitelist: github.com, github-releases.githubusercontent.com, and *.s3.amazonaws.com.
 http_proxyConfigure an HTTP proxy, for example, http://my.proxy.com:3128.
 https_proxyConfigure an HTTPS proxy, for example, http://my.proxy.com:3128.
 no_proxyConfigure when not to use a proxy, for example, 127.0.0.1,localhost,core,registry.
cache Configure cache layer for your Harbor instance. When enabled, Harbor will cache some Harbor resources (for example, artifacts, projects, or project metadata) using Redis, reducing the amount of time and resources used for repeated requests for the same Harbor resource. It’s strongly recommended that you enable this feature on Harbor instances with high concurrent pull request rates to improve Harbor’s overall performance. For more details on the cache layer implementation and performance improvements, see the Cache Layer wiki page.
 enabledDefault is false, set to true to enable Harbor’s cache layer.
 expire_hoursConfigure the cache expiration limit in hours. Default is 24.

Optional Parameters

The following table lists the additional, optional parameters that you can set to configure your Harbor deployment beyond the minimum required settings. To enable a setting, you must uncomment it in harbor.yml by deleting the leading # character.

Optional Parameters for Harbor
ParameterSub-ParametersDescription and Additional Parameters
external_urlNoneEnable this option to use an external proxy. When enabled, the hostname is no longer used.
storage_service By default, Harbor stores images and charts on your local filesystem. In a production environment, you might want to use another storage backend instead of the local filesystem. The parameters listed below are the configurations for the registry. See Configuring Storage Backend below for more information about how to configure a different backend.
 ca_bundleThe path to the custom root CA certificate, which is injected into the trust store of registry and chart repository containers. This is usually needed if internal storage uses a self signed certificate.
 filesystemThe default is filesystem, but you can set azure, gcs, s3, swift and oss. For information about how to configure other backends, see Configuring a Storage Backend below. Set maxthreads to limit the number of threads to the external provider. The default is 100.
 redirectSet deactivate to true when you want to deactivate registry redirect
external_database Configure external database settings, if you deactivate the local database option. Currently, Harbor only supports PostgreSQL database. You must create three databases for Harbor core, Notary server, and Notary signer. The tables are generated automatically when Harbor starts up.
 harbor

Configure an external database for Harbor data.

  • host: Hostname of the Harbor database.
  • port: Database port.
  • db_name: Database name.
  • username: Username to connect to the core Harbor database.
  • password: Password for the account you set in username.
  • ssl_mode: Enable SSL mode.
  • max_idle_conns: The maximum number of connections in the idle connection pool. If <=0 no idle connections are retained. The default value is 2.
  • max_open_conns: The maximum number of open connections to the database. If <= 0 there is no limit on the number of open connections. The default value is 0.
 notary_signerConfigure an external database for the Notary signer database
  • host: Hostname of the Notary signer database
  • port: Database port.
  • db_name: Database name.
  • username: Username to connect to the Notary signer database.
  • password: Password for the account you set in username.
  • ssl_mode: Enable SSL mode.
 notary_server
  • host: Hostname of the Notary server database.
  • port: Database port.
  • db_name: Database name.
  • username: Username to connect to the Notary server database.
  • password: Password for the account you set in username.
  • ssl_mode: Enable SSL mode.e
external_redis Configure an external Redis instance.
 hostredis_host:redis_port of the external Redis instance. If you are using Sentinel mode, this part should be host_sentinel1:port_sentinel1,host_sentinel2:port_sentinel2
 sentinel_master_setOnly set this when using Sentinel mode
 passwordPassword to connect to the external Redis instance.
 registry_db_indexDatabase index for Harbor registry.
 jobservice_db_indexDatabase index for jobservice.
 chartmuseum_db_indexDatabase index for Chart museum.
 trivy_db_indexDatabase index for Trivy adapter.
metric Configure exposing Harbor instance metrics to a specified port and path
 enabledEnable exposing metrics on your Harbor instance by setting this to true. Default is false
 portPort metrics are exposed on. Default is 9090
 pathPath metrics are exposed on. Default is /metrics
trace Configure exposing Distributed tracing data
 enabledEnable exposing tracing on your Harbor instance by setting this to true. Default is false
 sample_rateSet the sample rate of tracing. For example, set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
 namespaceNamespace used to differenciate different harbor services, which will set to attribute with key service.namespace
 attributesThe attributes is a key value dict contains user defined customized attributes used to initialize trace provider, and all of these atributes will added to trace data
 jaeger
  • endpoint: The url of endpoint(for example http://127.0.0.1:14268/api/traces). set endpoint means export to jaeger collector via http.
  • username:: Username used to connect endpoint. Left empty if not needed.
  • password:: Password used to connect endpoint. Left empty if not needed.
  • agent_host: The host name of jaeger agent. Set agent_host means export data to jaeger agent via udp.
  • agent_port:: The port name of jaeger agent.
 otel
  • endpoint: The hostname and port for otel compitable backend(for example 127.0.0.1:4318).
  • url_path:: The url path of endpoint(for example 127.0.0.1:4318)
  • compression:: If enabling data compression
  • insecure: Ignore cert verification for otel backend
  • timeout:: The timeout of data transfer

The harbor.yml file includes options to configure a UAA CA certificate. This authentication mode is not recommended and is not documented.

Configuring a Storage Backend

By default Harbor uses local storage for the registry, but you can optionally configure the storage_service setting so that Harbor uses external storage. For information about how to configure the storage backend of a registry for different storage providers, see the Registry Configuration Reference in the Docker documentation. For example, if you use Openstack Swift as your storage backend, the parameters might resemble the following:

  1. storage_service:
  2. ca_bundle:
  3. swift:
  4. username: admin
  5. password: ADMIN_PASS
  6. authurl: http://keystone_addr:35357/v3/auth
  7. tenant: admin
  8. domain: default
  9. region: regionOne
  10. container: docker_images"
  11. redirect:
  12. disable: false

What to Do Next

To install Harbor, Run the Installer Script.