Harbor Container Registry on an Offshore VPS

Docker Hub rate limits anonymous pulls to 100 per 6 hours per IP, and authenticated free pulls to 200. CI pipelines that build several services per commit blow through that allowance fast, and you end up either paying Docker for a team subscription or proxying everything through a private registry. GitHub Container Registry has no pull limit but retains every untagged manifest forever in your account quota, which gets ugly with frequent rebuilds. Quay is fine but ties your supply chain to Red Hat. A self-hosted Harbor registry on an offshore VPS solves all three issues. Unlimited pulls from your own pipelines, full control over retention policy (delete untagged manifests after 7 days, keep last 10 tags per repo), and no third-party scanning of your image contents. You also get image signing via Notary or Cosign, vulnerability scanning via Trivy, and replication to a second registry for disaster recovery. For teams shipping code that touches sanctioned regions, scrapers, or any product where the SaaS provider might politely ask you to leave, a private registry is the only safe path. Your container images often contain proprietary code, sometimes embedded secrets in older base layers, and always your full dependency tree. Keeping that on infrastructure you own is the right call.

Harbor is a multi-component stack - core (the API), portal (the UI), jobservice (background tasks like scanning and replication), registry (the storage backend that speaks OCI), trivy (the vulnerability scanner), and a Postgres database plus a Redis cache. All of these run as docker containers in a docker-compose stack. The minimum viable Harbor needs about 4 GB RAM and 2 vCPU to run smoothly. The disk is the variable - it grows with the size and number of images you push. For a team pushing 10 to 30 images per day with retention of the last 20 tags per repo, allocate at least 200 GB SSD. Larger teams or projects with heavy base images (full GPU/ML stacks at 5 to 10 GB each) want 500 GB to 1 TB. Harbor supports S3 backend storage through MinIO or any compatible service, which lets you decouple the registry compute from the storage and grow each independently. Trivy database updates pull a few hundred MB once a day. Replication to a second registry can saturate your egress when you have a backlog. The 1 Gbps unmetered uplink on AnubizHost VPS plans handles both without throttling. Harbor itself listens on port 443 (or your configured TLS port) and serves OCI distribution protocol to any docker, podman, or kubernetes client.

On a Ubuntu 22.04 VPS, install Docker and docker-compose: `curl -fsSL https://get.docker.com | sh && apt install -y docker-compose-plugin`. Download the Harbor online installer from the official releases page: `wget https://github.com/goharbor/harbor/releases/download/v2.10.0/harbor-online-installer-v2.10.0.tgz && tar xzvf harbor-online-installer-*.tgz && cd harbor`. Copy the sample config and edit it: `cp harbor.yml.tmpl harbor.yml`. Set `hostname` to your registry's DNS name. Configure TLS - if you already have a wildcard or LE cert, point `https.certificate` and `https.private_key` at those files; otherwise comment out the https block initially and set `http.port: 80` for an HTTP-only first test (do not run HTTP in production, only as a smoke test). Set a strong `harbor_admin_password` and a strong `database.password`. Run the installer with Trivy enabled: `./install.sh --with-trivy`. This pulls all Harbor images, generates compose config, and starts the stack. Wait a couple of minutes for everything to come up, then check `docker compose ps` - all services should show healthy. Log in at the configured hostname with admin and the password you set. Create a new project, push a test image with `docker tag alpine:latest your-registry.tld/test/alpine:1 && docker push your-registry.tld/test/alpine:1`, and verify it appears in the UI with a vulnerability scan after a few seconds. Configure retention rules in the project settings to keep disk usage under control.