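Background
Harbor needs no introduction: it is an open-source, enterprise-grade Docker image registry from VMware with a rich feature set. The latest release at the time of writing is harbor_0.5.0, published on December 6, 2016. Although that is a stable release, some details still need finishing and tuning, for example #1217 and #1741. The Harbor team fixes issues quickly, so if you cannot live with 0.5.0, rebuilding the development version of Harbor is a reasonable option.
Dependencies
Operating system: Ubuntu 16.04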
Software | Required Version |
---|---|
docker | 1.10.0 + |
docker-compose | 1.7.1 + |
python | 2.7 + |
git | 1.9.1 + |
make | 3.81 + |
golang* | 1.6.0 + |
Build
**1.** Download the latest Harbor source
$ git clone https://github.com/vmware/harbor
**2.** Install the LDAP build dependency
$ apt-get update && apt-get install -y libldap2-dev
**3.** Harbor configuration file
The build depends on harbor.conf. This is the configuration I use:
## Configuration file of Harbor
#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname = index.mycloud.com
#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
ui_url_protocol = https
#Email account settings for sending out password resetting emails.
#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
#Identity left blank to act as username.
email_identity =
email_server = 192.168.16.100
email_server_port = 25
email_username = harbor@mycloud.com
email_password =
email_from = harbor <harbor@mycloud.com>
email_ssl = false
##The initial password of Harbor admin, only works for the first time when Harbor starts.
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
harbor_admin_password = magine1989
##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = ldap_auth
#The url for an ldap endpoint.
ldap_url = ldaps://192.168.16.2
#A user's DN who has the permission to search the LDAP/AD server.
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
ldap_searchdn = cn=,ou=,dc=int,dc=,dc=
#the password of the ldap_searchdn
ldap_search_pwd =
#The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=,dc=,dc=,dc=
#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
ldap_filter =
# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
ldap_uid = uid
#the scope to search for users, 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE
ldap_scope = 3
#The password for the root user of mysql db, change this before any production use.
db_password = magine1989
#Turn on or off the self-registration feature
self_registration = on
#Determine whether the UI should use compressed js files.
#For production, set it to on. For development, set it to off.
use_compressed_js = on
#Maximum number of job workers in job service
max_job_workers = 3
#The expiration time (in minute) of token created by token service, default is 30 minutes
token_expiration = 30
#Determine whether the job service should verify the ssl cert when it connects to a remote registry.
#Set this flag to off when the remote registry uses a self-signed or untrusted certificate.
verify_remote_cert = on
#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off, a key/certificate must
#be supplied for token generation.
customize_crt = off
#Information of your organization for certificate
crt_country = CN
crt_state = State
crt_location = CN
crt_organization = organization
crt_organizationalunit = organizational unit
crt_commonname = example.com
crt_email = example@example.com
#The flag to control what users have permission to create projects
#Be default everyone can create a project, set to "adminonly" such that only admin can create project.
project_creation_restriction = adminonly
#The path of cert and key files for nginx, they are applied only the protocol is set to https
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key
#############
If https is enabled here, the certificate and key must be placed at the paths you configured.
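The configuration above sets one password for both the Harbor admin and the MySQL root account, turns `email_ssl` off and leaves `customize_crt` off. The Python 3 check below is an added example, not part of the original post or of the Harbor project; it runs over a constructed sample that mirrors those values, and the 12-character minimum and the function names are assumptions of the example.

```python
# Added example: audit harbor.conf-style settings before running `make install`.
KNOWN_DEFAULTS = {"Harbor12345", "root123"}  # passwords in Harbor's sample config

# Constructed sample mirroring the values shown on this page.
SAMPLE = """\
ui_url_protocol = https
email_ssl = false
harbor_admin_password = magine1989
auth_mode = ldap_auth
ldap_url = ldaps://192.168.16.2
db_password = magine1989
verify_remote_cert = on
customize_crt = off
"""

def parse_conf(text):
    """Return {key: value} from 'key = value' lines; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return a sorted list of (key, reason) findings."""
    get = lambda k: conf.get(k, "")
    admin, db = get("harbor_admin_password"), get("db_password")
    checks = [
        ("ui_url_protocol", get("ui_url_protocol") != "https",
         "UI and token service are not behind TLS"),
        # Assumption of this example: 12 characters as the minimum length.
        ("harbor_admin_password", admin in KNOWN_DEFAULTS or len(admin) < 12,
         "admin password is a shipped default or shorter than 12 characters"),
        ("db_password", db in KNOWN_DEFAULTS or (db != "" and db == admin),
         "DB root password is a shipped default or reused from the admin account"),
        ("email_ssl", get("email_ssl") != "true",
         "SMTP connection for password-reset mail does not require TLS"),
        ("ldap_url", get("auth_mode") == "ldap_auth"
         and not get("ldap_url").startswith("ldaps://"),
         "LDAP binds carry user credentials without TLS"),
        ("verify_remote_cert", get("verify_remote_cert") != "on",
         "job service accepts any certificate from remote registries"),
        ("customize_crt", get("customize_crt") != "on",
         "token key is not generated for this install; supply your own key pair"),
    ]
    return sorted((key, why) for key, flagged, why in checks if flagged)

if __name__ == "__main__":
    for key, why in audit(parse_conf(SAMPLE)):
        print(f"{key}: {why}")
```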
**4.** Compile
- Set GOPATH
$ export GOPATH=/home/magine/go
- Move the source into place
$ mkdir -p $GOPATH/src/github.com/vmware/
$ mv harbor $GOPATH/src/github.com/vmware/
- Build and run Harbor
$ cd $GOPATH/src/github.com/vmware/harbor
$ make install
The project documents several make variables for reference:
Variable | Description |
---|---|
BASEIMAGE | Container base image, default: photon |
DEVFLAG | Build model flag, default: dev |
COMPILETAG | Compile model flag, default: compile_normal (local golang build) |
REGISTRYSERVER | Remote registry server IP address |
REGISTRYUSER | Remote registry server user name |
REGISTRYPASSWORD | Remote registry server user password |
REGISTRYPROJECTNAME | Project name on remote registry server |
If all goes well, the Harbor Docker images start building at this point:
root@magine:/home/magine/go/src/github.com/vmware/harbor# make install
Note: golang version: 1.6.2
Note: docker version: 17.03.1
Note: docker-compose version: 1.11.2
compiling binary for ui...
Done.
compiling binary for jobservice...
Done.
buildging db container for photon...
Sending build context to Docker daemon 16.38 kB
Step 1/5 : FROM mysql:5.6
---> 68399df75c59
Step 2/5 : WORKDIR /tmp
---> Using cache
---> 23265b344ba7
Step 3/5 : ADD registry.sql r.sql
.....
When the build finishes you get the following images:
$ docker images
REPOSITORY                 TAG      IMAGE ID       CREATED             SIZE
vmware/harbor-jobservice   dev      12c148059f55   About an hour ago   171 MB
vmware/harbor-ui           dev      53d9a3869741   About an hour ago   238 MB
vmware/harbor-log          dev      e025eb457143   14 hours ago        193 MB
vmware/harbor-db           dev      dedc7c8d024b   16 hours ago        329 MB
mysql                      5.6      68399df75c59   8 days ago          329 MB
nginx                      1.11.5   05a60462f8ba   4 months ago        181 MB
registry                   2.5.0    c6c14b3960bd   8 months ago        33.3 MB
photon                     1.0      e6e4e4a2ba1b   9 months ago        128 MB
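As you can see, the Harbor images are tagged dev by default. If you are worried about stability, the only option is to wait for the Harbor team's next release.
Deployment
The Harbor community offers several ways to deploy, including docker-compose and Kubernetes. I will not go into them here, since plenty of material is available online.
References:
Harbor official GitHub: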
https://github.com/vmware/harbor/blob/master/docs/compile_guide.md