Introduction
Container technology has transformed how teams build, deploy, and manage applications. However, as container usage grows, managing images and orchestrating deployments becomes increasingly complex. For small teams with limited budgets, commercial container platforms can cost thousands of dollars monthly, making self-hosted alternatives attractive.
This guide explores open source tools for container registry and management, focusing on solutions suitable for small teams. We’ll examine Harbor for enterprise-grade registry capabilities, Portainer for container and Kubernetes management, and complementary tools that round out a complete container infrastructure.
Whether you’re just starting with containers or looking to optimize existing workflows, these tools provide capabilities that rival commercial offerings while maintaining the flexibility and control that open source provides.
Understanding Container Infrastructure Needs
Modern container infrastructure encompasses several functional areas that must work together effectively. Understanding these components helps you choose appropriate tools and design coherent systems.
Container registries store and distribute container images—the foundation of container deployment. While public registries like Docker Hub serve important purposes, private registries provide control over which images you use, enable faster pulls in geographically distributed environments, and provide security scanning capabilities.
Container orchestration manages the deployment, scaling, and operation of containers across clusters. Kubernetes has become the standard for production orchestration, but its complexity creates a learning curve. Management tools help bridge this gap, providing more accessible interfaces for common operations.
Container runtime management involves monitoring, logging, and security for running containers. These operational concerns are essential for production environments but often require additional tooling beyond basic orchestration.
Harbor: Enterprise-Grade Registry
Harbor is an open source container registry that provides enterprise features including role-based access control, image scanning, vulnerability analysis, and image signing. Originally developed at VMware, Harbor has become the CNCF-incubating project for enterprise registry needs.
Key Features
Harbor extends basic registry functionality with comprehensive security and governance features. Vulnerability scanning using Trivy or Clair identifies known security issues in container images. Role-based access control (RBAC) enables fine-grained permissions for different teams and projects. Image retention policies automatically clean up old or unused images.
The replication feature allows synchronizing images between multiple Harbor instances or to cloud registries. This capability supports disaster recovery scenarios, multi-region deployments, and hybrid cloud strategies. You can replicate specific repositories or entire projects based on flexible rules.
Harbor’s registry serves as a complete artifact repository, supporting Helm charts, OCI artifacts, and container images. This consolidation simplifies your infrastructure by providing a single solution for various artifact types.
Installing Harbor
Harbor installation is straightforward using the official installer. For small deployments, the online installer provides the quickest path:
# Download Harbor
wget https://github.com/goharbor/harbor/releases/download/v2.10.0/harbor-online-installer-v2.10.0.tgz
tar xvf harbor-online-installer-v2.10.0.tgz
cd harbor
# Configure Harbor
cp harbor.yml.tmpl harbor.yml
# Edit harbor.yml with your settings
The configuration file defines Harbor’s behavior:
hostname: harbor.yourdomain.com
harbor_admin_password: YourSecurePassword
database:
password: YourDatabasePassword
data_volume: /data
clair:
updaters_interval: 24
trivy:
ignore_unfixed: false
skip_update_db: false
jobservice:
max_job_workers: 10
notification:
webhook_job_max_retry: 10
Run the installer:
./install.sh
For production deployments, consider deploying Harbor on Kubernetes using the Helm chart, which provides better scalability and manageability:
helm repo add harbor https://helm.goharbor.io
helm install harbor harbor/harbor \
--set externalDomain=harbor.yourdomain.com \
--set harborAdminPassword=YourSecurePassword
Managing Images with Harbor
After installation, Harbor provides a web interface for managing repositories and projects. The API enables programmatic interactions for CI/CD integration:
# Push an image to Harbor
docker login harbor.yourdomain.com
docker tag myapp:latest harbor.yourdomain.com/myproject/myapp:latest
docker push harbor.yourdomain.com/myproject/myapp:latest
Configure your Kubernetes clusters to pull from your private Harbor instance:
apiVersion: v1
kind: Secret
metadata:
name: harbor-secret
namespace: default
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: <base64-encoded-config>
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp
spec:
replicas: 3
selector:
matchLabels:
app: myapp
template:
spec:
imagePullSecrets:
- harbor-secret
containers:
- name: myapp
image: harbor.yourdomain.com/myproject/myapp:latest
Cost Analysis
Harbor is free and open source, with costs limited to infrastructure. A small Harbor deployment runs comfortably on a single virtual machine with 2 CPUs, 4GB RAM, and sufficient disk storage for your image library.
The main infrastructure costs are storage for container images and network bandwidth for image pushes and pulls. Consider using object storage like S3 or MinIO for large image libraries to manage costs effectively.
Portainer: Container Management Simplified
Portainer provides a web-based interface for managing Docker and Kubernetes environments. It simplifies container operations, making advanced functionality accessible to teams without deep container expertise.
Key Features
Portainer’s visual interface makes container operations intuitive. Managing containers, images, volumes, and networks becomes point-and-click rather than command-line work. This accessibility helps onboard team members less familiar with Docker CLI.
The environment support is comprehensive—Portainer connects to Docker hosts, Docker Swarm clusters, and Kubernetes clusters through a unified interface. This consolidation simplifies management when you run multiple container environments.
Portainer templates enable standardized application deployment. Teams can define application stacks that other users deploy without understanding underlying Docker Compose or Kubernetes YAML. This self-service capability accelerates deployment workflows.
Installing Portainer
Portainer runs as a Docker container, making installation straightforward:
# Create volume for persistence
docker volume create portainer_data
# Start Portainer
docker run -d \
-p 9000:9000 \
-p 9443:9443 \
--name portainer \
--restart always \
-v /var/run/docker.sock:/var/run/docker.sock \
-v portainer_data:/data \
portainer/portainer-ce:latest
For Kubernetes deployments, Helm provides the standard installation method:
helm repo add portainer https://portainer.github.io/k8s/
helm install portainer portainer/portainer \
--namespace portainer \
--set service.type=LoadBalancer
Managing Containers Through Portainer
After initial setup, connect your container environments through the Portainer interface. Each environment shows its containers, images, volumes, and networks with management options.
Create application templates for repeatable deployments:
version: '3.8'
services:
web:
image: nginx:alpine
ports:
- "8080:80"
volumes:
- ./html:/usr/share/nginx/html:ro
restart: always
environment:
- NGINX_HOST=example.com
- NGINX_PORT=80
Deploy this stack through Portainer’s interface, making it available to team members without requiring CLI access.
For Kubernetes, Portainer provides similar functionality through its cluster connection. Deploy applications using manifests or Helm charts directly through the interface. View pod logs, exec into containers, and manage resources visually.
Team Collaboration Features
Portainer supports team-based workflows through user management and access controls. Create teams with specific permissions, enabling self-service while maintaining security boundaries.
The registry management integration allows configuring private registries including Harbor, making image deployment workflows consistent regardless of where images are stored.
MinIO: S3-Compatible Object Storage
While not strictly a container tool, MinIO provides essential infrastructure for container ecosystems. This S3-compatible object storage handles container image layers, Helm chart storage, and backup data for container databases.
Why MinIO for Containers
Container registries benefit from object storage for large image layers. While Harbor can use filesystem storage, MinIO provides better scalability and durability. Helm repositories work seamlessly with MinIO, providing private Helm chart hosting.
MinIO’s S3 compatibility means tools designed for AWS S3 work with your local storage. This compatibility simplifies integration with CI/CD systems and other tools that expect S3 APIs.
Installing MinIO
MinIO runs as a container or directly on hosts:
# Start MinIO
docker run -d \
--name minio \
-p 9000:9000 \
-p 9090:9090 \
-e MINIO_ROOT_USER=minioadmin \
-e MINIO_ROOT_PASSWORD=minioadmin \
-v minio_data:/data \
minio/minio server /data --console-address ":9090"
Configure Harbor to use MinIO storage in harbor.yml:
storage:
type: s3
s3:
bucket: harbor
region: us-east-1
endpoint: http://minio:9000
access_key: minioadmin
secret_key: minioadmin
secure: false
v4auth: true
Kubernetes Management Tools
For teams running Kubernetes, several tools complement Harbor and Portainer by addressing specific management needs.
Lens: The Kubernetes IDE
Lens provides a powerful desktop application for managing Kubernetes clusters. The visual interface makes cluster resources comprehensible, showing relationships between resources and enabling efficient navigation.
Lens connects to multiple clusters, providing a unified view across your infrastructure. Install locally from the Lens website, then add cluster configurations from your kubeconfig files.
Octant: Kubernetes Dashboard Alternative
Octant offers a web-based Kubernetes dashboard with plugin extensibility. Developed by VMware, it provides resource visualization and plugin capabilities that extend functionality beyond the standard Kubernetes dashboard.
Deploy Octant as a container or locally:
docker run -d \
--name octant \
-p 7777:7777 \
-v "${HOME}/.kube:/home/octant/.kube" \
-v /var/run/docker.sock:/var/run/docker.sock \
octant:latest
K9s: Terminal UI
For teams preferring command-line interfaces, K9s provides a terminal-based UI for Kubernetes management. It offers rapid navigation, resource viewing, and management capabilities through keyboard shortcuts.
Install and run:
# Install K9s
brew install k9s
# Run K9s
k9s
Building Complete Container Infrastructure
Combining these tools creates comprehensive container management. Here’s how they fit together:
Container Registry: Harbor stores and manages container images, providing security scanning, access control, and replication.
Container Management: Portainer provides accessible interfaces for deploying and managing containers across Docker and Kubernetes environments.
Object Storage: MinIO handles storage needs for Harbor image layers and any other object storage requirements.
Kubernetes Interfaces: Lens or K9s provide cluster management, with optional Octant for specialized dashboards.
This combination provides enterprise-grade capabilities while remaining manageable for small teams.
Security Best Practices
Container infrastructure requires attention to security at multiple levels.
Image Security
Scan images for vulnerabilities using Harbor’s built-in scanning. Configure policies that prevent deployment of images with critical vulnerabilities. Keep base images updated to receive security patches.
Never store credentials in container images. Use secrets management solutions or environment variables injected at runtime. The same principle applies to API keys, tokens, and other sensitive data.
Use read-only file systems where possible to limit the impact of container compromises. Run containers with minimal privileges, avoiding root where feasible.
Registry Security
Configure Harbor with HTTPS using valid certificates (Let’s Encrypt provides free certificates). Enable authentication for all users and integrate with LDAP or OIDC for enterprise identity management.
Implement image signing using Harbor’s Notary functionality. Signed images provide verification that images haven’t been tampered with since signing.
Access Control
Follow principle of least privilege for all access. Create Harbor projects with appropriate permissions for different teams. Use Portainer’s team features to limit who can deploy containers.
Regularly audit access and remove unused accounts. Monitor for anomalous access patterns that might indicate compromise.
Cost Optimization
Managing container infrastructure costs requires attention to storage, compute, and network usage.
Storage Optimization
Implement image retention policies in Harbor to automatically delete old versions. Keep only necessary image versions—typically current plus a few previous releases for rollback.
Use multi-stage Docker builds to minimize final image sizes. Smaller images pull faster and reduce storage requirements.
Network Efficiency
Deploy registries close to clusters to minimize cross-region bandwidth costs. Harbor’s replication feature supports this optimization.
Consider using registries in each region for globally distributed deployments.
Resource Rightsizing
Portainer and Kubernetes can help identify overprovisioned containers. Right-size resource requests to match actual usage, enabling higher cluster density and better resource utilization.
Conclusion
Self-hosted container infrastructure provides enterprise-grade capabilities without enterprise costs. Harbor delivers comprehensive registry functionality including security scanning and access control. Portainer makes container management accessible to teams without deep container expertise. MinIO provides scalable object storage for container ecosystems.
These tools work together to create complete container management infrastructure. Starting with Harbor for image storage addresses immediate needs while providing foundations for growth. Adding Portainer for management simplifies operations and enables team self-service.
The open source nature of these tools provides flexibility and control that proprietary solutions cannot match. With proper implementation and security practices, self-hosted container infrastructure serves small teams well while enabling the operational excellence that container technology makes possible.
Resources
- Harbor Documentation
- Portainer Documentation
- MinIO Documentation
- Lens Kubernetes IDE
- K9s Terminal UI
- Trivy Vulnerability Scanner
- Notary Project
Comments