Setup harbor on podman using ansible

[akramelnouby]

Cheers,

our company wants to setup the harbor service, but due to restrictions, we can only use RHEL and therefore podman instead of docker, as it is not supported by either RedHat nor Docker. And k8s is currently not available

The solution was to convert the docker-compose configuration generated by the prepare image to an ansible configuration
So far, as long as I only configure trivy and chartmuseum to be setup up, everything works as expected. Harbor login is availabel, images can be pushed to a repository and scanned with the trivy feature.

But as soon as I include the notary containers and their configuration, the login page runs into a timeout, and I can't find any hint as to why it's behaving this way or what causes the error. I am guessing it has something to do with the dedicated notary network... but I currently have no clue.

Is anyone familiar with ansible, podman and harbor/notary who might have a guess or could help troubleshoot this issue? Or did someone manage to run harbor on podman with the notary service and could help me out with the notary configuration used?

Thanks in advance and cheers
Akram

[thegasmann]

I had the same problem (Harbor on RHEL8, Podman instead of docker) and once Notary was included the logon page failed to load.
If anyone managed to bring it up correctly I'd be thankful for suggestions as well!

[shawngmc]

Notary will likely fail because RH (via Podman) does not support Docker Content Trust/Notary v1 signatures. Instead, RH has a technically-open-but-not-standardized GPG-based signing method, with Harbor doesn't offer support for.

I had been hoping that Notary v2 would take off, but it's moving very slowly. In the meantime, sigstore/cosign has taken off, and Harbor added support for cosign in 2.5.0. Cosign seems to be the frontrunner at the moment, so this is a positive development.

[shawngmc]

1. Podman 3.x supports docker-compose (see this RH article). Is using docker-compose with podman acceptible? If so, this would likely just be fixes to the prereq/install script.
2. RHEL8/9 doesn't include Docker; that said, Docker itself provides packages for OSes, and for RHEL they recommend the binary-compatible, Docker-provided CentOS packages. Are you able to just use this version of Docker?

[akramelnouby]

Thanks for the quick response. We are missing the integrated feature of container signing in harbor while usind podman, therefore we will take a look at cosign. Using Docker-compose with podman wouldn't have solved the problem, if I understood your answer regarding Docker Content Trust correctly.
We are aware that Docker offers binary-compatible packages for RHEL, but as they would not be supported by RedHat, they are no option for us.

[akramelnouby]

Notary will likely fail because RH (via Podman) does not support Docker Content Trust/Notary v1 signatures. Instead, RH has a technically-open-but-not-standardized GPG-based signing method, with Harbor doesn't offer support for.

I had been hoping that Notary v2 would take off, but it's moving very slowly. In the meantime, sigstore/cosign has taken off, and Harbor added support for cosign in 2.5.0. Cosign seems to be the frontrunner at the moment, so this is a positive development.

Thank you for that information. We will take a look at cosign, and hope it can replace Notary, until Notary v2 will be released and hopefully be available in RHEL/podman.

[wy65701436]

yes, the cosign could be an alternative before the notary v2 is available. cc @MinerYang

[Gyeah11]

we've been using harbor ( 2.5.3 ) rootless with podman for a while, i've made it work by adding

ExecStart=/usr/bin/podman run --cgroups=no-conmon --name podman-harbor-registry --net=host --rm \
--userns=keep-id \
--ulimit=nofile=16384:16384 \
--env-file=/opt/harbor/config/registry/env \
--annotation run.oci.keep_original_groups=1 \
--volume /data/registry:/storage:rw \
--volume /opt/harbor/config/registry/:/etc/registry/:rw \
--volume /opt/harbor/config/shared/trust-certificates:/harbor_cust_cert:rw \
harbor/external/registry-photon:v2.5.3 \

and when to artefacts grew we had errors in GC and i've added the setting below to postgresql

--shm-size=4g