I have a Harbor server which has no connection to the internet what so ever. Not through a proxy, nothing and I need to get a bunch of container images from a vendor to it.
I've installed Harbor on a VirtualBox on my PC and pulled the images from the vendor to that and now my idea was to copy the /data/registry dir which contains all the images to /data/registry on the real Harbor server. But when browsing to the gui I don't see the repository under Project.
What am I missing? Or isn't this approach doable?
CodePudding user response:
You can do it manually, I guess your local machine has access to the internet and internal Harbor.
- Use skopeo copy to replicate images
- Install a dedicated replication Harbor instance in the DMZ
Generally speaking, it is a bad idea not being able to reach out and sync. Many images even in secure environments are based on official Alpine, Debian base images and so fort. If your org isn't able to sync frequently, your org won't get any fixes. Also, the vulnerability database is not updated, so you actually don't even know what CVEs exist in your images. On top, if your vendor releases a critical patch, and you aren't there to ingest it manually and the manual steps aren't idiot-proof documented, someone else needs to figure it out for a few days.
I would suggest to set up some sort of automated process. This can be a dedicated Harbor instance that sits on the internet and is configured to also access the internal Harbor. You can set up replication rules for upstream and vendor images.
Short rant: Often it is more secure to have no CISO than OPs CISO.
Unfortunately, in many organizations or government authorities, the CISOs make their own life easier in the present instead of thinking globally about security. The fact that OP somehow can get vendors images and ingest them into the isolated Harbor proofs that you can get stuff in. However, this process lacking transparency, isn't reproducible, depend on the goodwill of OP to be the "good guy" and the goodwill of the "good guy" on the vendor side giving him the images.