How can I use harbor as a proxy for dockerub using clair and dashboard?

[odg0318]

Hello.

I try to make a cache-through registry using harbor.
I read the following document, https://github.com/goharbor/harbor/blob/master/contrib/Configure_mirror.md, and followed it as written.
Pulling docker image is ok but the downloaded image is not shown on harbor dashboard.
I expect that the download images from dockerhub are managed on dashboard and they are scanned using clair.

I am not sure that harbor is properly configured.

Thanks

[ghost]

Can you share your config.yml?

[reasonerjt]

@odg0318
This is a limitation, cached images which are pulled from dockerhub will not show on the dashboard, because no project was created when the image is cached.

[odg0318]

@reasonerjt
As I remember, to pull an image from dockerhub, the project should be created before pulling. For example, suppose that image name is odg0318/harbor. odg0318 becomes project name and harbor becomes image name in Harbor. If odg0318 project is not in Harbor, pulling doesn't work.

Anyway, it is a limitation in Harbor, is there a way to scan images pulled from dockerhub using clair?

[odg0318]

Can you share your config.yml?

I think that my config.yml is not required to discuss more.
Thank you for your reply.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[sport3]

Hey @odg0318, if your number of images is just a dozen, you can have a local docker machine in between.
I manually pull the image on the local docker installation, then e.g. tag them [ yourdomain]/<harbor_project>/image:latest and push them to harbor.
The compose files then use the harbor tag and you can be sure that they've been scanned by claire.

[odg0318]

@sport3
I actually manage my docker images as like what you suggested. But I think that it could make some trouble to manually manage external docker images. Can you tell me a way to automatically manage them?

[sport3]

I don't have a clue either. Basically this has to do with the way docker treats the images since it defaults to docker hub. Which is probably the reason why this is not available in third-party image repositories. Personally I'd find an additional proxy functionality similar to e.g. what artifactory does with mavenrepository/jcenter while also providing the manual uploaded packages a great feature to have.

Is there an option to change the default host that docker uses for pulling?

[odg0318]

@sport3
Suppose that Harbor is used to proxy dockerhub whose domain is `harbor.repo' . I need a feature that Harbor works like the followings.

1. Pull an image, harbor.repo/library/alpine which is equal to library/alpine of dockerhub.
2. And then library project is automatically created in harbor.repo if it does not exists.
3. Harbor pulls library/alpine and pushs harbor.repo/library/alpine to proxy.
4. Proxied image is listed in harbor.repo and clair scans the image.

[xaleeks]

@odg0318 This reads like two separate requirements, automatic creation of Harbor project during pull if it does not exist and ability of Harbor to act as pull through cache for docker-hub.

The 1st requirement is not possible right now and we don't have plans to enable this anytime soon really, it adds quite a bit of complexity.

The 2nd requirement is tracked here #8082, Harbor will front for dockerhub but for various other 3rd party registries both on-prem and cloud based

[odg0318]

@odg0318 This reads like two separate requirements, automatic creation of Harbor project during pull if it does not exist and ability of Harbor to act as pull through cache for docker-hub.

The 1st requirement is not possible right now and we don't have plans to enable this anytime soon really, it adds quite a bit of complexity.

The 2nd requirement is tracked here #8082, Harbor will front for dockerhub but for various other 3rd party registries both on-prem and cloud based

Additionally, I want to scan the docker images cached through pull-through-cache using clair and see the scanned result in the dashboard. But you told me it seems to be hard to support that right now. Anyway, thanks for your keeping your eyes on my issue.

[xaleeks]

@odg0318 the proxy cache epic is underway now for the upcoming v2.1 release and although scanning images in the cache is not part of the first iteration, it's a user story we understand pretty well. tracking here #11658