Harbor Installation Guide: Building a Professional Private Registry for DevOps

Docker tutorial - IT technology blog

When Docker Hub is No Longer “Free and Unlimited”

A phone call at 2 AM usually signals a serious incident. My company’s CI/CD pipeline suddenly stopped with a 429 Too Many Requests error. In reality, Docker Hub has tightened its limits: free accounts are restricted to 100-200 pulls every 6 hours. When a K8s system scales up to 20-30 nodes, this limit disappears in the blink of an eye.

Moreover, storing images containing company core code on a public cloud always carries data leak risks. If you want full control over your infrastructure without depending on third parties, building a Private Docker Registry is an essential step. Instead of using the basic default Registry, Harbor is the most comprehensive solution I’ve ever deployed.

Why Is Harbor the Top Choice for Enterprises?

Harbor is more than just an image repository; it’s an Artifact ecosystem manager (including Helm Charts). Here are the reasons why Harbor stands out:

  • Intuitive Interface: Manage everything via Web UI—no more “blindly” typing commands to check every layer.
  • Granular RBAC: You can restrict the Dev team to pull-only, while the DevOps/CI-CD team has push permissions.
  • Vulnerability Scanning with Trivy: Automatically detect outdated libraries or CVEs (Common Vulnerabilities and Exposures) as soon as an image is pushed.
  • Retention Policies: Automatically delete old images after 30 days or keep only the 5 latest versions to save storage space.

Infrastructure Preparation: Don’t Skimp on RAM

In terms of infrastructure, Harbor runs several sub-services (PostgreSQL, Redis, Core, Jobservice). I recommend using a VPS with at least 2 CPUs and 4GB RAM. However, if you enable continuous vulnerability scanning, upgrade to 8GB RAM to prevent system hangs due to Out Of Memory (OOM) errors.

Ensure Docker is already installed. Currently, Docker Compose v2 (the docker compose command without a hyphen) has become the standard. Switching to v2 makes container management much smoother and more stable.

# Check Docker Compose version
docker compose version

Detailed Harbor Installation Steps

Step 1: Download the Installer

I prefer using the Online Installer to save initial download bandwidth; the system will automatically pull necessary images while running the script.

wget https://github.com/goharbor/harbor/releases/download/v2.9.0/harbor-online-installer-v2.9.0.tgz
tar xvzf harbor-online-installer-v2.9.0.tgz
cd harbor

Step 2: Configure the harbor.yml File

The key lies in the configuration file. Copy the template and edit the important parameters:

cp harbor.yml.tmpl harbor.yml
nano harbor.yml

Note the following lines:

  • hostname: Enter your domain (e.g., hub.itfromzero.com).
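  • https: Docker requires secure connections by default. If you use Nginx Proxy Manager or Cloudflare in front, disable HTTPS in this file (comment out the https block) to let the Proxy handle SSL, simplifying the configuration. In that setup, set external_url to the public https:// address so Harbor advertises the right URL to clients, and keep in mind that traffic between the proxy and Harbor is then unencrypted, so keep that hop on the same host or a trusted network.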
  • data_volume: Where images are stored. Ensure this partition has at least 50-100GB of free space.
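
A pre-install check for the settings above, as an added example that is not part of the original post or of Harbor's installer. It goes slightly beyond the three keys listed: it also flags the admin and database passwords that ship in harbor.yml.tmpl (Harbor12345 and root123), which stay in effect if the file is left unchanged. The function names and the simple line-based parsing are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not Harbor's own tooling): lint harbor.yml before ./install.sh.
# Line-based parsing is an assumption that holds for the stock template layout.

# Print the value of a top-level "key: value" line, without trailing comment.
yml_top() {
  sed -n "s/^$1:[[:space:]]*\([^#]*\).*/\1/p" "$2" | sed 's/[[:space:]]*$//' | head -n 1
}

# Print one finding per line; return 1 if anything was found, else 0.
lint_harbor_yml() {
  local file=$1 findings=0 value
  finding() { echo "$1"; findings=$((findings + 1)); }

  value=$(yml_top hostname "$file")
  if [ -z "$value" ] || [ "$value" = "reg.mydomain.com" ]; then
    finding "hostname: unset or still the template placeholder"
  fi

  if [ "$(yml_top harbor_admin_password "$file")" = "Harbor12345" ]; then
    finding "harbor_admin_password: template default still in place"
  fi

  # The database password sits indented under the "database:" block.
  if grep -Eq '^[[:space:]]+password:[[:space:]]*root123[[:space:]]*(#.*)?$' "$file"; then
    finding "database.password: template default still in place"
  fi

  # With the https block commented out, a TLS-terminating proxy needs
  # external_url so Harbor advertises the public https:// address.
  if ! grep -Eq '^https:' "$file"; then
    case $(yml_top external_url "$file") in
      https://*) ;;
      *) finding "https disabled and external_url is not an https:// URL" ;;
    esac
  fi

  value=$(yml_top data_volume "$file")
  if [ -z "$value" ]; then
    finding "data_volume: not set"
  fi

  [ "$findings" -eq 0 ]
}
```

Run it as `lint_harbor_yml harbor.yml && sudo ./install.sh --with-trivy` so the installer only starts once the file is clean.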

Step 3: Activate Security Features

Don’t just install a “plain” Harbor. Integrate Trivy to turn your Registry into a security fortress:

sudo ./install.sh --with-trivy

This process takes about 5 minutes. When the terminal displays a success message, you can access the admin interface.

Real-world Operation: Pushing Images and Scanning for Vulnerabilities

After logging in, create a new Project immediately instead of using the public one. Don’t forget to enable “Automatically scan images on push”. This feature helps you sleep better knowing that any image with vulnerabilities will be flagged immediately.

Pushing Images from a Local Machine

First, you need to authenticate with your private registry:

docker login hub.itfromzero.com

# Tag the image according to Harbor's structure
docker tag my-app:latest hub.itfromzero.com/itfromzero-project/my-app:v1

# Push the image to the system
docker push hub.itfromzero.com/itfromzero-project/my-app:v1

If your image contains old libraries like an outdated OpenSSL, Harbor will display a red warning right on the Dashboard. This is extremely useful for requiring Devs to fix code before deploying to Production.

Troubleshooting Tips

The most common issue is disk space exhaustion. Every time a new image is built, old layers still exist as “untagged”. Go to Administration -> Garbage Collection and set a weekly schedule to free up space.

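If you encounter the x509: certificate signed by unknown authority error because the registry uses a self-signed certificate, the quick workaround is to declare the Registry in the Docker configuration file on the client machine. Note that this entry makes Docker skip certificate verification for that host and fall back to plain HTTP if HTTPS is unavailable, so treat it as a workaround for test environments.

Edit /etc/docker/daemon.json: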
{
  "insecure-registries" : ["hub.itfromzero.com"]
}

Then, run systemctl restart docker to apply the changes.
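
An alternative to the insecure-registries entry above, as an added example that is not part of the original post: place the CA certificate that signed Harbor's certificate in Docker's per-registry trust directory, so certificate verification stays on for hub.itfromzero.com. The function names and the ca.pem file name are assumptions; /etc/docker/certs.d/<host>/ca.crt is the location Docker reads extra root certificates from.

```bash
#!/usr/bin/env bash
# Added example: trust a private CA for one registry instead of disabling TLS checks.

# Return 0 if HOST is listed under "insecure-registries" in daemon.json.
registry_is_insecure() {
  local host=$1 cfg=${2:-/etc/docker/daemon.json}
  [ -r "$cfg" ] || return 1
  # Flatten the JSON, cut out the array body, then look for the quoted host.
  tr -d '\n' <"$cfg" |
    sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' |
    grep -qF "\"$host\""
}

# Copy CA_PEM to <certs_root>/<host>/ca.crt, where Docker looks for extra roots.
install_registry_ca() {
  local host=$1 ca=$2 root=${3:-/etc/docker/certs.d}
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null; then
    echo "error: $ca is not a PEM certificate" >&2
    return 2
  fi
  mkdir -p "$root/$host"
  cp "$ca" "$root/$host/ca.crt"
  chmod 0644 "$root/$host/ca.crt"
}

# Install the CA, then report whether the insecure entry can now be removed.
switch_to_ca_trust() {
  local host=$1 ca=$2 root=${3:-/etc/docker/certs.d} cfg=${4:-/etc/docker/daemon.json}
  install_registry_ca "$host" "$ca" "$root" || return $?
  if registry_is_insecure "$host" "$cfg"; then
    echo "remove \"$host\" from insecure-registries in $cfg, then restart docker"
  else
    echo "$host is verified against $root/$host/ca.crt"
  fi
}

# Usage (as root): switch_to_ca_trust hub.itfromzero.com ./ca.pem
```

If the registry is reached on a non-default port, the directory name must include it (for example hub.itfromzero.com:8443).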

Conclusion

Deploying Harbor is a worthy investment for any DevOps team looking to go professional. You not only save on bandwidth costs but also gain full ownership of your data. Although initial SSL configuration and resource optimization take some effort, the stability and security Harbor provides are indisputable.
