Applies to SUSE Private Registry 1.0

6 Frequently asked questions

6.1 Product overview and differentiators

What kind of subscription do customers need for SUSE Private Registry?

It is included in Rancher Suite and offered as an add-on for Rancher Prime.

The pricing of the add-on is the same as other add-ons.

What are the differentiators with Harbor (from Application Collection or upstream)?

Use SUSE Private Registry if you need:

  • Level 3 (L3) support for product issues.

  • A predictable release cycle.

  • Patched images for known vulnerabilities. Upstream Harbor images from Docker Hub often contain numerous unpatched vulnerabilities.

Over time, SUSE will also add out-of-the-box integrations with Rancher and prioritize feature requests from customers.

Do customers have to buy the same number of add-on SUSE Private Registry subscriptions as Rancher Prime subscriptions?

Yes, just like other add-ons such as SUSE Security. An additional advantage of the SUSE Private Registry subscription model is that it allows customers to run as many deployments as they need.

6.2 Relationship with upstream Harbor

How does the release cycle align with upstream Harbor?

The release cycle of SUSE Private Registry is independent of the release cycle of upstream Harbor.

When releasing new versions of SUSE Private Registry, SUSE aims to include the latest version of the upstream Harbor project that meets SUSE quality assurance and maintenance requirements.

Will you publish migration considerations for customers running Harbor from other sources?

Not at this time.

6.3 Deployment and installation

Do you support installing SUSE Private Registry via docker-compose?

No. You must install and configure SUSE Private Registry using its Helm chart. This chart is also used for ongoing management (Day 2 operations) and can be integrated with GitOps workflows.

Do you recommend deployments on the local (Rancher Manager) cluster?

No. SUSE recommends deploying SUSE Private Registry on a downstream cluster. This makes the registry accessible to other downstream clusters that need to consume images.

What are the deployment best practices for a high-availability (HA) environment?

To avoid resource contention in an HA environment, do not deploy SUSE Private Registry on the Rancher Management cluster.

You can deploy SUSE Private Registry on a dedicated cluster, or on one or more of your application clusters.

For instructions, see Chapter 4, High Availability setup. Note that you must provide your own HA components for the Postgres database, Valkey or Redis server, and Ingress controller. These components are not deployed by the SUSE Private Registry Helm chart and are not supported by SUSE.

Is the SUSE Private Registry Helm chart going to be added to the Application Collection eventually?

Yes, SUSE plans to publish the chart there in the future.

Do you ship a Kubernetes operator?

SUSE Private Registry does not ship with a dedicated operator. It is installed and managed using its Helm chart, which can be integrated with GitOps. SUSE continues to evaluate operator-based management for future releases.

6.4 Security, scanning and signing

Do you integrate any signing tool within SUSE Private Registry?

SUSE Private Registry does not sign images itself, but it can store, distribute and verify Open Container Initiative (OCI)-compatible signatures.

A widely used tool is cosign, which can sign images and store the signatures in SUSE Private Registry.

cosign signatures attached to images are viewable and downloadable from the SUSE Private Registry portal.

Is it possible to sign images with Notary or Cosign for approval during the deployment process?

SUSE Private Registry can store, distribute and verify cosign signatures.

SUSE Private Registry itself does not sign images. You must sign images during their build process, and then upload the signature to the registry along with the image.

Notary is not included or supported with SUSE Private Registry.

Are images scanned for Common Vulnerabilities and Exposures (CVEs) only with Trivy, or can it use SUSE Security (NeuVector) as well?

Images are scanned with Trivy, which comes out of the box. SUSE Security can be added in addition to or as a replacement for Trivy.

Is it possible to run ClamAV or similar malware scans?

By default, SUSE Private Registry scans images using Trivy. You can also configure SUSE Security (NeuVector) as a scanner.

In the pull-through cache scenario, will the vulnerability criteria be enforced?

Yes, but with a known limitation. Due to upstream Harbor issues, vulnerability criteria are not enforced on the first pull of an image because the scan has not yet completed.

For complete coverage, pair SUSE Private Registry with SUSE Security admission controls.
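The first-pull gap described above can also be caught before deployment by refusing any image that has no finished scan report. The following is an added example, not part of the SUSE documentation or product code. It assumes artifact records shaped like the `scan_overview` object of the upstream Harbor v2.0 API (`scan_status`, `severity`); the report key and all sample records are constructed.

```python
# Severity scale of Harbor scan reports, lowest to highest
# (assumed from upstream Harbor; check it against your version).
SEVERITIES = ["None", "Negligible", "Low", "Medium", "High", "Critical"]


def scan_gate(artifact: dict, block_at: str = "High") -> tuple:
    """Return (allowed, reason) for one artifact record.

    Fails closed: a record without a finished scan is rejected, which is
    the state of a proxy-cached image right after its first pull.
    """
    reports = list((artifact.get("scan_overview") or {}).values())
    if not reports:
        return False, "no scan report yet"
    threshold = SEVERITIES.index(block_at)
    for report in reports:
        status = report.get("scan_status")
        if status != "Success":
            return False, f"scan not finished (status={status})"
        severity = report.get("severity")
        if severity not in SEVERITIES:
            # Covers "Unknown" and missing values: treat as not deployable.
            return False, f"unrecognised severity {severity!r}"
        if SEVERITIES.index(severity) >= threshold:
            return False, f"severity {severity} reaches threshold {block_at}"
    return True, "scan finished, below threshold"


def make_record(status=None, severity=None) -> dict:
    """Build a constructed artifact record; the report key is a placeholder."""
    overview = None if status is None else {
        "constructed-report-type": {"scan_status": status, "severity": severity}
    }
    return {"digest": "sha256:PLACEHOLDER", "scan_overview": overview}


# Constructed samples, not captured from a real registry.
SAMPLES = {
    "first pull, scan not started": make_record(),
    "scan still running": make_record("Running"),
    "scanned, low severity": make_record("Success", "Low"),
    "scanned, critical severity": make_record("Success", "Critical"),
}

if __name__ == "__main__":
    for name, artifact in SAMPLES.items():
        print(f"{name}: {scan_gate(artifact)}")
```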

Are the images of SUSE Private Registry hardened?

Yes. The container images for SUSE Private Registry are hardened. They are based on SUSE Linux Enterprise Base Container Images (SLE BCI) and built in the same enterprise-grade SUSE Build Service used for SUSE Linux Enterprise. This ensures a secure supply chain. The images are also signed, and SUSE publishes their Supply-chain Levels for Software Artifacts (SLSA) attestations.

Are the images of SUSE Private Registry signed? How?

The images are signed with cosign. To verify them, save the PEM-formatted signing key published at KB 000021411 to a file, then pass that file to cosign verify.

For example, with the key saved as container-key.pem:

cosign verify --key container-key.pem registry.suse.com/private-registry/harbor-portal:latest

6.5 Replication and sync

Is there a plan for a plug-in to sync with SUSE Registry and SUSE Application Collection?

Yes, such a feature is planned.

Does SUSE Private Registry offer multi-site replication?

Yes. SUSE Private Registry supports multi-site, policy-based image replication (pull and push). You can synchronize images across multiple SUSE Private Registry deployments while keeping each registry independent.

6.6 Features and integration with Rancher

Is there a plan to integrate the Registry within Rancher using an Extension?

Yes. SUSE plans deeper integration with Rancher Prime and other offerings. Future enhancements being considered include single sign-on (SSO) integration, simplified setup for SUSE Security scanners and Application Collection mirroring, monitoring with SUSE Observability, and a Rancher UI extension.

Will SUSE add the Registry to the Training Catalog?

This is not yet planned. If you are interested in training material, contact SUSE to discuss possibilities with the Training team.

6.7 Support and documentation

Is there a support policy for SUSE Private Registry?

Yes. The support policy of SUSE Private Registry is the same as for any other Rancher Prime add-on.

If the SUSE Private Registry documentation lacks information, can I refer to the official Harbor documentation?

Yes. Since SUSE Private Registry is based on Harbor, the official Harbor documentation is a useful resource. For features specific to the SUSE version, refer to the SUSE Private Registry documentation.

The Release notes specify which upstream Harbor version corresponds to your SUSE Private Registry version.