
🚢 Setup Harbor — Private Container Registry

Deploy Harbor on Ubuntu with Docker — an enterprise-grade open-source container registry with vulnerability scanning, role-based access control (RBAC), image replication, and a rich web UI. Host your own private Docker registry with security built in.

⚠️ This script is provided for demo and testing purposes only. Not intended for production use.

📦 Resources & Setup Scripts

Grab the automated bash script from GitHub to follow along with the video.

Automated install script — private container registry with scanning in one command.

Quick Install:

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/dev/harbor/harbor-ubuntu.sh
chmod +x harbor-ubuntu.sh
sudo bash harbor-ubuntu.sh

Tutorial Steps

1. Download & Run the Script

The script installs Docker, downloads the official Harbor installer, generates a secure admin password, and starts all Harbor services. The generated password is displayed at the end — save it immediately.

wget https://raw.githubusercontent.com/mhmdali94/Docker/main/dev/harbor/harbor-ubuntu.sh
chmod +x harbor-ubuntu.sh
sudo bash harbor-ubuntu.sh

2. Access the Web UI & Log In

Open your browser and navigate to the Harbor registry portal. Log in with the auto-generated admin credentials:

http://<your-server-ip>:5080

Username: admin
Password: (shown at end of install script)

3. Create a Project

In the Harbor UI, go to Projects → New Project. Give it a name and set access control (public or private). Projects organize your image repositories and allow fine-grained RBAC for team members.

4. Push Your First Image

Log in to the registry from your Docker client, then tag and push your image:

docker login <your-server-ip>:5080

docker tag myapp:latest <your-server-ip>:5080/my-project/myapp:latest
docker push <your-server-ip>:5080/my-project/myapp:latest

Ports Used

Port    Purpose
5080    Harbor Web UI & Registry API

Overview

Harbor is an open-source container registry that stores, signs, and scans container images. It extends the Docker Registry with enterprise features: role-based access control, image vulnerability scanning via Trivy, content signing, image replication between registries, and a full audit log. It is a CNCF Graduated project.

Why Use It

Harbor solves two problems simultaneously: giving you a private Docker registry without Docker Hub's rate limits and paid private repository tiers, and adding security scanning that Docker Hub's free tier doesn't provide. Every image pushed to Harbor is automatically scanned by Trivy for known CVEs — you can block deployment of images with critical vulnerabilities. RBAC means developers can push to their own projects but cannot overwrite production images. For teams running any production container workload, Harbor closes the security gap that plain Docker registries leave open.

When You Need It

Who Should Use It

Real Use Cases

Main Features

How to Use After Installation

Security Best Practices

Ports and Firewall Notes

Harbor's installer configures it to listen on HTTP port 5080 and optionally HTTPS 5443. Put it behind Nginx Proxy Manager on HTTPS port 443 and proxy to Harbor's 5080. The Docker daemon on each server pushing/pulling images needs to trust your domain's certificate — configure this in /etc/docker/daemon.json if using a non-public CA. For Kubernetes, configure imagePullSecrets with Harbor credentials and ensure the cluster nodes can reach your Harbor domain on port 443.

Backup and Maintenance

Common Mistakes

Troubleshooting

Alternatives

Docker Hub is the easiest choice if you don't need on-premises storage — private repositories start at $5/month but have rate limits. GitHub Container Registry (GHCR) is free for public images and integrated with GitHub Actions. GitLab Container Registry is included with GitLab self-hosted. Nexus Repository OSS includes a Docker registry alongside Maven and npm. Distribution (formerly Docker Registry) is the minimal open-source option — no UI, no scanning, no RBAC. Harbor is the right choice when you need all three: private storage, scanning, and access control.

When Not to Use It

Avoid Harbor if you only have a handful of images and no security scanning requirement — Docker Hub free tier or GHCR is simpler to operate. Harbor requires 2+ GB RAM and meaningful disk for image storage; on a resource-constrained VPS it competes with other services. If your team is entirely on GitHub and uses GitHub Actions, GHCR with GitHub Actions' native integration is far simpler to set up and maintain than a self-hosted Harbor. Harbor's value is clearest when you have compliance requirements or a regulated multi-team environment.


Frequently Asked Questions

What is a Robot Account in Harbor and why should I use one?

A Robot Account is a service account credential in Harbor designed for automated use — CI pipelines, Kubernetes, deployment scripts. Unlike personal user credentials, Robot Accounts have an expiration date, are scoped to specific projects and permissions (push only, or pull only), and can be easily revoked without affecting a person's access. Always use Robot Accounts in CI/CD — never use your personal Harbor login in a pipeline.

How do I set up Harbor as a Docker Hub proxy cache?

In Harbor, go to Administration > Registries > New Endpoint, select Docker Hub, and save. Then create a new Project with type 'Proxy Cache' and select your Docker Hub endpoint. Configure your Docker daemon or Kubernetes containerd to use harbor.yourdomain.com/dockerhub-cache as a registry mirror. Pulls from this project transparently fetch from Docker Hub on first access and cache locally, eliminating rate limits.

How do I use Harbor with Kubernetes (imagePullSecret)?

Create a Robot Account in Harbor with pull access to your project. Then create a Kubernetes secret: kubectl create secret docker-registry harbor-secret --docker-server=harbor.yourdomain.com --docker-username='robot$myapp' --docker-password=TOKEN -n your-namespace. The single quotes around the username stop the shell from expanding $myapp as a variable. Reference the secret in your pod spec: imagePullSecrets: [{name: harbor-secret}]. For cluster-wide access, copy the secret to each namespace that needs it.
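The Robot Account and imagePullSecret answers above, combined into a manifest renderer so the robot token never appears as a kubectl command-line argument. This is an added example, not code from the original page or from the Harbor project; the secret name, namespace, host, robot name and token are placeholders, and the name check assumes Harbor's default robot$ prefix.

```shell
#!/bin/sh
# Added example: render an imagePullSecret manifest for a Harbor robot account.
# Host, secret name, robot name and token are constructed placeholders.

b64() { base64 | tr -d '\n'; }   # unwrapped base64 on GNU and BSD

# Robot names start with the literal prefix 'robot$' (assumed: Harbor default).
# Written unquoted or in double quotes, the shell expands "$myapp" to nothing
# and only "robot" arrives here, so reject anything without a suffix.
valid_robot_name() {
  case $1 in
    'robot$'?*) return 0 ;;
    *) return 1 ;;
  esac
}

# dockerconfigjson <registry> <robot-name> <token>
dockerconfigjson() (
  valid_robot_name "$2" || { echo "not a robot account name: $2" >&2; exit 1; }
  # No JSON encoder here, so refuse double quotes and backslashes outright.
  case "$1$2$3" in
    *'"'*|*'\'*) echo "unsupported character in input" >&2; exit 1 ;;
  esac
  auth=$(printf '%s:%s' "$2" "$3" | b64)
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$1" "$2" "$3" "$auth"
)

# pull_secret_manifest <secret-name> <namespace> <registry> <robot-name> <token>
pull_secret_manifest() (
  cfg=$(dockerconfigjson "$3" "$4" "$5") || exit 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$cfg" | b64)
EOF
)

# Demonstration with constructed values; in practice pipe to: kubectl apply -f -
pull_secret_manifest harbor-secret your-namespace harbor.yourdomain.com \
  'robot$myapp' 'EXAMPLE-TOKEN'
```

Read the real token from a file or a CI secret variable rather than typing it, so it stays out of shell history and the process list.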

How do I block deployment of images with critical vulnerabilities?

In your Harbor project, go to Configuration and enable 'Prevent vulnerable images from running'. Set the threshold to Critical or High. With this enabled, Docker pull will fail if the image has CVEs at or above your threshold. In Kubernetes, pair this with Harbor's Notary (content trust) or an admission controller like OPA Gatekeeper to enforce scanning at the cluster level.

How large does the server need to be to run Harbor?

Harbor's minimum requirements are 2 vCPU and 4 GB RAM, with storage proportional to your image library. A small team with a few dozen images comfortably fits in 20–50 GB. For production use with Trivy scanning enabled, 4 GB RAM is more comfortable. Harbor runs as about 10 Docker containers so it is not suitable for a shared tiny VPS — dedicate a machine or use a VPS with at least 4 GB RAM.

Can Harbor replicate images to Docker Hub or another Harbor instance?

Yes. Harbor's Replication feature supports push or pull replication to Docker Hub, GHCR, AWS ECR, GCR, Azure ACR, and other Harbor instances. Set up a Replication Rule under Administration > Replications: specify the source project, destination registry, filter by image name or tag patterns, and schedule (on push, scheduled, or manual). This is useful for distributing images to multiple regions or backing up to Docker Hub.

How do I update Harbor?

Harbor releases new versions regularly. Back up the database and image storage directory first. Download the new installer from Harbor's GitHub releases, run the prepare script, then docker compose down && docker compose up -d. Harbor runs database migrations automatically. Check the upgrade guide for your specific version pair — some major version upgrades require running a migration helper container first.

Does Harbor work with Podman instead of Docker?

Yes. Harbor is OCI-compliant so any OCI-compatible client works — Podman, Skopeo, Buildah, and Crane all interact with Harbor the same way as Docker. Use podman login harbor.yourdomain.com, podman push, podman pull — same syntax. In Kubernetes environments using CRI-O instead of containerd, configure the registry mirror in /etc/containers/registries.conf to point to Harbor.