Harbor 2 — CNCF container registry on Ubuntu 24.04 LTS by cloudimg. Image storage, RBAC, OCI, replication. Per-VM admin password. Apache 2.0.
## Harbor 2 Container Registry on Ubuntu 24.04 by cloudimg
Harbor is the CNCF-graduated open-source container image registry — a production-grade Docker / OCI registry with built-in role-based access control, image replication, vulnerability scanning, content signing, image retention, garbage collection, and a proper web UI. Originally created at VMware and donated to the CNCF, Harbor is the de-facto private registry for Kubernetes workloads, GitOps pipelines, and air-gapped or sovereign-cloud deployments where pushing internal images to Docker Hub or a public registry is not an option.
The cloudimg image installs Harbor 2.15.0 OSS (Apache 2.0) from the official goharbor/harbor offline installer tarball, configured to listen on TCP 80 with the bundled stack of Postgres 14, Redis 7, registry, registryctl, harbor-core, harbor-jobservice, harbor-portal, and nginx — all running as Docker Compose services and supervised by a thin systemd wrapper (harbor.service). Docker Engine and the docker-compose v2 plugin come from Docker's official APT repository. Customers reach the Harbor web UI on http://<vm-ip>/ and `docker login <vm-ip>` works out of the box.
### Why Choose cloudimg?
* 24/7 Expert Support with guaranteed 24 hour response. support@cloudimg.co.uk
* Production Ready from Launch: pre-configured, security-patched, validated
* Azure Native Integration: Azure Linux Agent, cloud-init, Gen2 Hyper-V, TrustedLaunch
* Per-VM admin password at first boot: harbor_admin_password is rotated uniquely on every customer VM via harbor-firstboot.service and written to /stage/scripts/harbor-credentials.log (mode 0600, root:root). No two VMs ever share an admin password.
* Hostname auto-detected from Azure IMDS: the harbor.yml hostname is set to the VM's public IP at first boot so image manifest references resolve correctly from `docker pull`.
### What is Included
* Harbor 2.15.0 OSS from the official goharbor/harbor offline installer (Apache 2.0, CNCF graduated)
* Docker Engine (Docker CE) + docker-compose-plugin (compose v2) from download.docker.com/linux/ubuntu noble
* Bundled Postgres 14, Redis 7, registry, registryctl, harbor-core, harbor-jobservice, harbor-portal, nginx — all running as Docker Compose services
* harbor.service systemd wrapper bringing the compose stack up on boot and down on shutdown cleanly
* harbor-firstboot.service oneshot rotating per-VM admin password + Postgres password and running install.sh on first launch
* /opt/harbor — Harbor home (install.sh, harbor.yml, harbor.yml.tmpl, prepare, common/)
* /data — registry blobs, db, redis, jobservice logs, ca_download, secret, scan-data
* /var/log/harbor — log subdirectory per Harbor component
* Web UI on TCP 80 — admin login at http://<vm-ip>/
* Docker Registry HTTP API v2 on TCP 80 — `docker login <vm-ip>` and `docker push <vm-ip>/library/myimage:tag` work immediately
* Ubuntu 24.04 LTS base with latest security patches applied at build time
* 24/7 cloudimg support with guaranteed 24 hour response SLA
### Vulnerability Scanning (Trivy)
Trivy is NOT enabled in this image to keep the steady-state RAM footprint compatible with Standard_B2s (4 GB total). Customers who want vulnerability scanning can re-run `/opt/harbor/install.sh --with-trivy` after upgrading to a Standard_D2s_v5 (8 GB) or larger VM. The user guide documents the upgrade path.
### Use Cases
* Private Docker / OCI registry for internal services, CI/CD pipelines, and Kubernetes workloads
* Air-gapped or sovereign-cloud image hosting where Docker Hub / GHCR / ECR are not reachable
* GitOps pipelines (Argo CD, Flux) pulling images from a registry under your control with RBAC + retention policies
* Image promotion pipeline (dev → staging → prod) using Harbor projects + replication rules
* Helm chart hosting via Harbor's bundled OCI chart-repo (no separate ChartMuseum required)
* Image signing and content trust with Cosign integration
* Centralised vulnerability scanning across all team images via Trivy (after enabling on a larger VM)
### Technical Specifications
* Operating System: Ubuntu 24.04 LTS (Noble Numbat)
* Harbor Version: 2.15.0 OSS (latest stable on the goharbor/harbor v2 line at build time)
* Docker Engine: Docker CE from download.docker.com/linux/ubuntu noble
* Compose: docker-compose-plugin v2 (the `docker compose` command)
* Bundled Stack: Postgres 14, Redis 7, registry, registryctl, harbor-core, harbor-jobservice, harbor-portal, nginx (all in Docker Compose)
* HTTP Port: 80 (Harbor's nginx container; Web UI + Registry API)
* TLS: Disabled at Harbor level by default — terminate TLS at an upstream Application Gateway / Front Door, or re-enable Harbor's own TLS via install.sh after dropping a cert into /etc/harbor-cert/
* Default User: azureuser (sudo enabled, OS); admin (Harbor UI, password rotated per VM)
* Service Management: systemd (harbor.service wraps docker compose; harbor-firstboot.service rotates secrets)
* Recommended Size: Standard_B2s (2 vCPU, 4 GB) for dev/test without Trivy; Standard_D2s_v5 or D4s_v5 for production with Trivy enabled
* VM Generation: Hyper-V Gen2 with UEFI boot
### Notes on TLS and Hardening
Harbor listens on plain HTTP on port 80 by design — TLS termination is intentionally left to an upstream reverse proxy so customers can use their existing certificate workflow. For a quick TLS test, the cloudimg `nginx-ssl-certbot-ubuntu-24-04` image makes a good companion proxy. Alternatively, Harbor can terminate TLS itself by editing /opt/harbor/harbor.yml (uncomment the https: block, point at /etc/harbor-cert/server.crt + server.key) and re-running /opt/harbor/install.sh.
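A check for the state the paragraph above describes, as an added example (not cloudimg's or the Harbor project's code): it reports whether the `https:` block in harbor.yml is still commented out and whether the certificate and key it points to exist. The function names are hypothetical, the sample harbor.yml is constructed, and the key-permission check is an addition beyond what this page states.

```shell
#!/usr/bin/env bash
# Added example: classify the TLS state of a Harbor harbor.yml.
# Function names are hypothetical; keys are Harbor's https/certificate/private_key.

# Print KEY's value inside top-level BLOCK, skipping commented-out lines.
yaml_block_value() {  # usage: yaml_block_value FILE BLOCK KEY
  awk -v block="$2" -v key="$3" '
    /^[ \t]*#/ { next }
    /^[^ \t]/  { inblk = ($0 ~ ("^" block ":")) }
    inblk && $1 == (key ":") { print $2; exit }
  ' "$1"
}

harbor_tls_state() {  # usage: harbor_tls_state [HARBOR_YML]
  local yml="${1:-/opt/harbor/harbor.yml}" crt key mode
  [ -f "$yml" ] || { echo "no-config"; return 0; }
  crt="$(yaml_block_value "$yml" https certificate)"
  key="$(yaml_block_value "$yml" https private_key)"
  # Block still commented out: Harbor serves plain HTTP, TLS must be upstream.
  if [ -z "$crt" ] || [ -z "$key" ]; then echo "http-only"; return 0; fi
  # Block enabled but files absent: re-running install.sh would have no cert to use.
  if [ ! -r "$crt" ] || [ ! -r "$key" ]; then echo "https-missing-files"; return 0; fi
  # Added check, not from the page: the private key must not be world-accessible.
  mode="$(stat -c '%a' "$key")"
  case "$mode" in
    *0) echo "https-ok" ;;
    *)  echo "https-key-world-accessible" ;;
  esac
}

# Demo on a constructed harbor.yml (not the file shipped in the image).
demo_dir="$(mktemp -d)"
printf '%s\n' 'hostname: 203.0.113.10' 'http:' '  port: 80' \
  '# https:' '#   port: 443' \
  '#   certificate: /etc/harbor-cert/server.crt' \
  '#   private_key: /etc/harbor-cert/server.key' > "$demo_dir/harbor.yml"
harbor_tls_state "$demo_dir/harbor.yml"   # prints: http-only
rm -rf "$demo_dir"
```

Run it with no argument on the VM to inspect /opt/harbor/harbor.yml; `stat -c` assumes GNU coreutils, as on Ubuntu.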
### Support
cloudimg provides 24/7/365 expert technical support. Contact support@cloudimg.co.uk or visit www.cloudimg.co.uk for the latest documentation and deployment guides.
Harbor and the Harbor logo are trademarks of The Linux Foundation. Docker is a trademark of Docker, Inc.