Docker in practice: building a private image registry - Kubernetes

1. Purpose

An enterprise builds a private image registry so that its development environments can push and pull images. When we orchestrate and schedule containers with k8s, the basic unit of operation is the image, which has to be pulled from a registry onto the worker node where it will run. The public Docker Hub fully met our needs and was very convenient, but anyone can access an uploaded image, and Docker Hub's private repositories are a paid service. For both security and business reasons, therefore, a company has to build its own private image registry.

2. Building the private registry

2.1 Generating a certificate

To keep image transfers secure, development environments normally push to and pull from a private registry over HTTPS (note: for a plain HTTP registry see the official documentation at https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry and try it yourself). So we need a trusted SSL/TLS certificate: one bought from a well-known third-party certificate authority, a free one from Let's Encrypt, or a self-signed certificate we generate ourselves.
Since we have not bought a real domain name and do not need to go through verification with a third-party CA, we decided to generate a self-signed certificate, add it to the private registry, and then make the docker client trust it.
Create a certs directory to hold the certificate and private key:

$ mkdir -p certs

Generate the certificate and private key:

$ openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -x509 -days 365 -out certs/domain.crt

Note: decide on the registry's domain name in advance (e.g. registry.wuling.com) and enter it as the CN. The whole process is shown below:

The generated certificate:

2.2 Running the registry container

We use Docker's open-source registry:2 image, as shown:

Run the following commands:

$ docker run -d \
  --restart=always \
  --name registry.wuling.com \
  -v `pwd`/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry:2

Parameter explanation:
-d  Run the container in the background.
--restart  Set the container's restart policy.
--name  Name the container.
-v  Mount the host's certs/ directory at /certs/ inside the container.
-e REGISTRY_HTTP_ADDR  Set the address and port the registry listens on.
-e REGISTRY_HTTP_TLS_CERTIFICATE  Environment variable telling the container where the certificate is.
-e REGISTRY_HTTP_TLS_KEY  Environment variable telling the container where the private key is.
-p  Map the container's port 443 to the host's port 443.

As shown:

From the screenshot above we can see that the server-side private registry is up and running!!!

3. In practice (pushing and pulling images from the server and from the development environment)

3.1 Server (the host running the private registry)

3.1.1 Download and rename the image

The full image name format is [registry-host]:[port]/[username]/[imagename]. When we run docker push, docker automatically recognises the [registry-host] part as the address of the container image registry.
Rename the image with docker tag:

docker pull justmine/helloworldapi:v2.2 
docker tag justmine/helloworldapi:v2.2 registry.wuling.com/justmine/helloworldapi:v2.2

3.1.2 Push the image to the private registry


What happened? Oh!!! The domain name is one we made up, so its mapping to the registry's IP address has to be written into the hosts file.

Push again, as below:

x509: certificate signed by unknown authority
What now? Oh!!! The system does not trust the certificate we issued. Fine: an unknown issuer is not trusted, so we explicitly declare this certificate trustworthy!!!
Install the certificate for the docker client with the following commands:

# Assume: registry domain => registry.wuling.com, port => 8000, certificate to trust => /root/certs/domain.crt
# 1. Older docker versions
$ mkdir -p /etc/docker/certs.d/registry.wuling.com
$ cp /root/certs/domain.crt /etc/docker/certs.d/registry.wuling.com/ca.crt
# 2. Newer docker versions
$ mkdir -p /etc/docker/certs.d/registry.wuling.com:8000
$ cp /root/certs/domain.crt /etc/docker/certs.d/registry.wuling.com:8000/ca.crt

Note: depending on your docker version, add the trust using one of these two methods.


Push again:

Success!!!

3.1.3 View the registry in a browser

Registry image catalog:

https://registry.wuling.com/v2/_catalog


Image details:

https://registry.wuling.com/v2/justmine/helloworldapi/tags/list
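As an added example (not code from the original post), the following Python models the three things sections 3.1.1 to 3.1.3 rely on: the rule by which docker splits an image name into registry host and repository path, the /etc/docker/certs.d/ path where the registry's CA certificate must be placed (exact host[:port], which is why the port matters in 3.1.2), and the v2 API URLs opened in the browser. The function names and the explicit `library/` namespace for Docker Hub are my own; registry.wuling.com and the image names are the ones used in this post.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

DOCKER_HUB = "docker.io"
CERTS_ROOT = "/etc/docker/certs.d"  # where dockerd looks for per-registry CA certificates

@dataclass(frozen=True)
class ImageRef:
    registry: str              # host[:port] the docker client will contact
    path: str                  # repository path, e.g. justmine/helloworldapi
    tag: Optional[str] = None
    digest: Optional[str] = None

def parse_ref(ref: str) -> ImageRef:
    """Split a reference the way docker does: the first '/'-separated component
    is a registry host only if it contains '.' or ':' or is exactly 'localhost';
    otherwise the image lives on Docker Hub, and a bare name such as 'ubuntu'
    is placed under Hub's implicit 'library/' namespace."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and (first == "localhost" or "." in first or ":" in first):
        registry, path = first, rest
    else:
        registry, path = DOCKER_HUB, (ref if sep else f"library/{ref}")
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:       # a ':' after the last '/' is the tag
        path, tag = path.rsplit(":", 1)
    return ImageRef(registry, path, tag, digest)

def retag(ref: str, registry: str) -> str:
    """Name the same image under another registry, as `docker tag` does in 3.1.1."""
    r = parse_ref(ref)
    return f"{registry}/{r.path}" + (f":{r.tag}" if r.tag else "") + (f"@{r.digest}" if r.digest else "")

def ca_cert_path(ref: str) -> Optional[str]:
    """Where dockerd expects the registry's CA certificate (3.1.2). The directory is
    the exact host[:port] of the reference, so a registry on a non-default port needs
    the port in the directory name too. Docker Hub needs nothing: it uses a public CA."""
    reg = parse_ref(ref).registry
    return None if reg == DOCKER_HUB else f"{CERTS_ROOT}/{reg}/ca.crt"

def inspect_urls(ref: str) -> Tuple[str, str]:
    """Registry API URLs opened in the browser in 3.1.3: catalog and tag list."""
    r = parse_ref(ref)
    return f"https://{r.registry}/v2/_catalog", f"https://{r.registry}/v2/{r.path}/tags/list"
```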

3.2 Other hosts (a Windows host in the development environment)

3.2.1 Push the image to the private registry

docker push registry.wuling.com/justmine/healthchecksapi:v1.5


Likewise, for the docker running on this Windows host to trust the certificate, we only need to install it on the Windows host: right-click the certificate, choose [Install Certificate], select [Local Machine], select [Trusted Root Certification Authorities], and add it. Also write the mapping between the domain name and the private registry host's IP address into the Windows host's hosts file.
Restart docker and push again:

Finally, success; that was not easy!!!

3.2.2 Pull the image

docker pull registry.wuling.com/justmine/healthchecksapi:v1.5

3.2.3 View the registry in a browser

Registry image catalog:

https://registry.wuling.com/v2/_catalog


Image details:

https://registry.wuling.com/v2/justmine/healthchecksapi/tags/list

At this point, a private registry that meets the enterprise's needs has been set up.

In the next post, we will have k8s pull images from our private registry in practice.
Source code reference: https://github.com/justmine66/k8s.ecoysystem.apps

Be a well-grounded big-data practitioner.


Source: www.cnblogs.com/webenh/p/11764989.html