Harbor Project P2p Preheat — Quick Fix Guide
In this tutorial, you'll learn about Harbor Project P2p Preheat. We cover key concepts, practical examples, and best practices.
The Hook
Harbor Project P2p Preheat is a common pain point in Harbor-based container registry workflows. When projects aren't created correctly, robot accounts have wrong permission scopes, vulnerability scanning fails to trigger, or tag retention policies aren't set, the team's software supply chain security is compromised and CI/CD pipelines fail unpredictably.
Wrong
The typical mistakes include attempting to push images to non-existent projects, using personal admin credentials instead of robot accounts, and skipping vulnerability scanning configuration:
# Pushing without creating the project first
docker push harbor.example.com/team-app/my-image:latest 2>&1
# unauthorized: project team-app not found
# Using personal credentials instead of robot accounts
docker login harbor.example.com -u admin
docker push harbor.example.com/team-app/my-image:latest 2>&1
# Error: request returned Unauthorized for ...
# Pushing and assuming scanning is automatic
docker push harbor.example.com/team-app/my-image:v1 2>&1
# Success (but never scanned!)
Harbor requires explicit project creation, prefers robot accounts for automation, and needs scanning to be enabled per project.
Right
The correct workflow creates the project with proper configuration, provisions a robot account with minimal permissions, enables vulnerability scanning, and pushes images through the registry:
# 1. Create project via Harbor API
curl -u "admin:$HARBOR_PASS" -X POST \
https://harbor.example.com/api/v2.0/projects \
-H 'Content-Type: application/json' \
-d '{"project_name": "team-app", "public": false,
"storage_limit": -1, "registry_id": null}'
# {"id": 42, "name": "team-app"}
# 2. Create robot account for CI/CD automation
ROBOT=$(curl -u "admin:$HARBOR_PASS" -X POST \
https://harbor.example.com/api/v2.0/projects/team-app/robots \
-H 'Content-Type: application/json' \
-d '{"name": "cicd-pusher", "duration": -1,
"access": [
{"resource": "artifact", "action": "push"},
{"resource": "artifact", "action": "pull"}
]}')
# Quote the variable so the JSON reaches jq unmodified by word splitting
TOKEN=$(printf '%s' "$ROBOT" | jq -r '.token')
# 3. Enable vulnerability scanning (auto_scan is a project metadata key with a string value)
curl -u "admin:$HARBOR_PASS" -X PUT \
https://harbor.example.com/api/v2.0/projects/team-app \
-H 'Content-Type: application/json' \
-d '{"metadata": {"auto_scan": "true"}}'
# 4. Login and push using robot account (token read from stdin, not passed on the command line)
printf '%s' "$TOKEN" | docker login harbor.example.com -u 'robot$team-app+cicd-pusher' --password-stdin
docker tag app:latest harbor.example.com/team-app/app:latest
docker push harbor.example.com/team-app/app:latest 2>&1
# The push refers to repository [harbor.example.com/team-app/app]
# latest: digest: sha256:abc123def456 size: 428
# 5. Verify scan results
curl -u "admin:$HARBOR_PASS" \
"https://harbor.example.com/api/v2.0/projects/team-app/repositories/app/artifacts/latest/scan"
# {"scan_status": "finished", "severity": "None"}
DodaTech automates this entire workflow with Terraform modules that create projects, provision robot accounts, and configure scanning policies for every new team.
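A pre-flight check for the robot-account request body from step 2, as an added example that is not part of the original guide or of Harbor itself. The allow-list, the 7-day limit (taken from the weekly rotation mentioned in the FAQ) and the function name are assumptions; note that the guide's own payload is flagged because `duration: -1` never expires.

```python
import json

# Assumption: a CI robot needs exactly the two grants used in step 2 of this page.
ALLOWED_ACCESS = {("artifact", "push"), ("artifact", "pull")}
MAX_DURATION_DAYS = 7  # assumption: matches the weekly rotation described in the FAQ

# Constructed sample inputs. PAGE_PAYLOAD is the body from step 2.
PAGE_PAYLOAD = json.dumps({"name": "cicd-pusher", "duration": -1, "access": [
    {"resource": "artifact", "action": "push"},
    {"resource": "artifact", "action": "pull"}]})
HARDENED_PAYLOAD = PAGE_PAYLOAD.replace('"duration": -1', '"duration": 7')
OVERBROAD_PAYLOAD = json.dumps({"name": "cicd-pusher", "duration": 30, "access": [
    {"resource": "artifact", "action": "push"},
    {"resource": "*", "action": "*"}]})


def audit_robot_request(payload: str) -> list[str]:
    """Return findings for a robot-account request body; empty means acceptable."""
    try:
        req = json.loads(payload)
    except json.JSONDecodeError as exc:
        return [f"payload is not valid JSON: {exc.msg}"]
    if not isinstance(req, dict):
        return ["payload is not a JSON object"]

    findings = []
    access = req.get("access")
    if not isinstance(access, list) or not access:
        findings.append("no access list: nothing to verify against the allow-list")
    else:
        for entry in access:
            if not isinstance(entry, dict):
                findings.append(f"malformed access entry: {entry!r}")
                continue
            pair = (entry.get("resource"), entry.get("action"))
            if "*" in pair:
                findings.append(f"wildcard grant: {pair}")
            elif pair not in ALLOWED_ACCESS:
                findings.append(f"grant outside CI allow-list: {pair}")

    duration = req.get("duration")  # Harbor counts this in days; -1 never expires
    if duration == -1:
        findings.append("duration -1: token never expires")
    elif type(duration) is not int or not 0 < duration <= MAX_DURATION_DAYS:
        findings.append(f"duration {duration!r} is outside 1..{MAX_DURATION_DAYS} days")
    return findings
```

Run it in the pipeline before the `curl` call and fail the job when the returned list is non-empty.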
Prevention
- Create Harbor projects via API or Terraform before pushing any images
- Use robot accounts with minimal permissions per project instead of personal credentials
- Enable vulnerability scanning at project creation time, not after images are pushed
- Configure tag retention rules to automatically clean up old and untagged images
- Set storage quotas per project to prevent a single team from exhausting registry capacity
- Enable audit logging for compliance and security incident investigation
- Set up replication rules for cross-region disaster recovery and geo-distribution
- Configure webhooks for integration with Slack notifications and CI/CD pipelines
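A fail-closed promotion gate over a scan result shaped like the step 5 output above, covering the "pushed but never scanned" case from the Wrong section. This is an added example, not code from the guide or from Harbor; the function name, the default policy limit and the severity ordering are assumptions.

```python
import json

# Assumption: Harbor's severity labels, ordered from least to most severe.
SEVERITY_ORDER = ["None", "Unknown", "Negligible", "Low", "Medium", "High", "Critical"]


def may_promote(scan_json: str, max_severity: str = "Medium") -> tuple[bool, str]:
    """Allow promotion only when a finished scan is at or below max_severity."""
    limit = SEVERITY_ORDER.index(max_severity)  # ValueError on a bad policy value
    try:
        result = json.loads(scan_json)
    except json.JSONDecodeError:
        return False, "scan response is not valid JSON"
    if not isinstance(result, dict) or not result:
        # Empty result: the image exists in the registry but was never scanned.
        return False, "no scan result for this artifact"
    status = result.get("scan_status")
    if status != "finished":
        # A queued, running or failed scan says nothing about the image yet.
        return False, f"scan not finished (status={status!r})"
    severity = result.get("severity")
    if severity not in SEVERITY_ORDER:
        return False, f"unrecognised severity {severity!r}"
    if SEVERITY_ORDER.index(severity) > limit:
        return False, f"severity {severity} exceeds policy limit {max_severity}"
    return True, f"severity {severity} within policy limit {max_severity}"


# Constructed sample responses in the shape shown in step 5.
CLEAN = '{"scan_status": "finished", "severity": "None"}'
RUNNING = '{"scan_status": "running"}'
CRITICAL = '{"scan_status": "finished", "severity": "Critical"}'

if __name__ == "__main__":
    for sample in (CLEAN, RUNNING, CRITICAL, "{}"):
        print(sample, "->", may_promote(sample))
```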
Common Mistakes with project p2p preheat
- Using return to exit a function early instead of wrapping a pure value in the monad
- Mixing let bindings with <- bindings in do notation, producing type errors
- Overlapping type class instances that cause GHC to reject the program with ambiguous dispatch errors
These mistakes appear frequently in real-world HARBOR code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.
Practice Exercise
Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.
This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.
FAQ
Q: How do I create a Harbor project via the command line?
A: Harbor provides no dedicated CLI client for project management. Use the REST API v2.0 with curl, the Harbor web UI, or the Terraform provider for Harbor. Most teams wrap project creation in shell scripts or Terraform modules.
Q: What permissions should CI/CD robot accounts have in Harbor?
A: Minimal — push and pull access only in the specific project they need to deploy. Never assign system-wide admin or system-level permissions to CI/CD robot accounts. Harbor's robot account model supports per-project, per-action access control for least-privilege security.
Q: How does DodaTech integrate Harbor with its CI/CD pipeline?
A: We create one robot account per project per environment (dev, staging, production). Robot tokens are stored in HashiCorp Vault and rotated weekly. DodaZIP's container security scanner validates all images against vulnerability policies before promotion to the next environment.