How to setup Harbor registry on Synology

With my recent exploration of GenAI and using a private ChatGPT solution with my own blog posts, I quickly realized in the space of AI/ML, the required software dependencies can take up a significant amount of storage, especially for a kubernetes/container-based deployment.

To give you an example, to deploy the private ChatGPT (h2ogpt) application using kubernetes, just the container image itself is a whopping 40GB+! 😲

Unfourntately, this is not a one off scenario but a common theme when working in the AI/ML space that the size of the packages and drivers are extremely large even when using containers. I figure I should probably setup my own container registry instead of pulling directly from the Internet given the size of these images.

I already have a local Harbor instance running in a VM but with my Synology, I have been using it centralize a number of functions and that would be the ideal place to actually run Harbor. While you can run individual containers on the Synology as I have demonstrated HERE with GitLab, the Harbor installation processes relies on Docker Compose, which Synology does not natively support using the Synology DiskStation Manager (DSM) interface.

With a little bit of tinkering and trial/error, I was able to finally get Harbor running on my Synology and centralize all my storage needs including having my own container registry.

Step 1 - Login to the DSM management interface and create a new shared folder called harbor

Step 2 - Generate a self-signed TLS certificate for Harbor since we are going to consume the registry using vSphere with Tanzu, which only supports HTTPS and SCP that to your Synology.

openssl req -newkey rsa:4096 -nodes -sha256 -keyout primp-industries.local.key -subj "/CN=nas.primp-industries.local/O=nas.primp-industries.local" -addext "subjectAltName = DNS:nas.primp-industries.local" -x509 -days 3650 -out primp-industries.local.crt

Step 3 - SSH to the Synology as the remainder steps will require the command-line. The following commands will download the latest Harbor release (as of this blog post, v2.9.0 is latest but you can change to your desired version) and setup the required directories and also copy the generated TLS certificate file to the certs directory which will be referenced in the Harbor configuration file. You will need to replace the volume1 with the name of your Synology volume label and the TLS certificate filename.

cd /volume1/harbor
wget https://github.com/goharbor/harbor/releases/download/v2.9.0/harbor-offline-installer-v2.9.0.tgz
tar -zxvf harbor-offline-installer-v2.9.0.tgz
mkdir -p /volume1/harbor/harbor/{data,config,log,secret,certs}
mkdir -p /volume1/harbor/harbor/common/config
cp primp-industries.local.* /volume1/harbor/harbor/certs/
sudo chown -R 10000:10000 /volume1/harbor
sudo chmod -R 755 /volume1/harbor/harbor
cd /volume1/harbor/harbor/

Step 4 - Next, we need to update the harbor.yml configuration file and below is a snippet of the changes I made for my setup which includes the hostname, HTTP(s) ports, TLS certificate paths and data_volume. You can leave the default Harbor admin password since you will need to change it upon logging in for the first time.

hostname: nas.primp-industries.local

# http related config
http:
  # port for http, default is 80. If https enabled, this port will redirect to https port
  port: 8888

# https related config
https:
  # https port for harbor, default is 443
  port: 8443
  # The path of cert and key files for nginx
  certificate: /volume1/harbor/harbor/certs/primp-industries.local.crt
  private_key: /volume1/harbor/harbor/certs/primp-industries.local.key

# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: Harbor1234

# The default data volume
data_volume: /volume1/harbor/harbor/data

Step 4 - Now we run the Harbor prepare script which will verify that everything was setup correctly prior to performing Harbor installation.

sudo ./prepare

Note: If you run into any errors, please resolve them before proceeding. More than likely, you missed a step or forgot to update a value during Step 3.

Step 5 - Finally to install Harbor, we run the install.sh script like the following:

sudo ./install.sh

This process can take a few minutes but once everything is up and running, you should be able to open a browser to the FQDN (remember to try HTTPS) and the port you had specified on your Synology and login using admin and the default password (Harbor1234). Once successfully logged in, you should immediately change the default password by clicking on the username on the upper right hand side.

Before you can start pushing and pulling images to your private Harbor registry, you need to configure your Docker Client so that it is aware of the insecure registry which includes HTTP or or HTTPS (with self-signed TLS certificate), unless you are using a proper signed TLS certificate

Since I am using Docker Desktop on macOS, you can easily do this by going to Settings->Docker Engine and then append the Harbor hostame and port to the existing JSON configuration:

"insecure-registries": [ "nas.primp-industries.local:8443" ]

Note: For more details on configuring Docker Client with insecure registry including HTTP, please see the documentation here.

At this point you should be able to push container image to your Harbor registry.

Similarly, you should also be able to pull the container image from your Harbor registry.

While you will not be able to administrator Harbor using the Synology DSM, you can still get progress for the individual containers that make up the Harbor registry, which can be useful to determine if all services are healthy and running.