【docker】私有仓库搭建

主要参考：http://blog.csdn.net/gqtcgq/article/details/51163558

假设我们在1.1.1.1:5000上搭建私人仓库，并在2.2.2.2上访问这个私人仓库，开启tls认证。

1. 在1.1.1.1上打开/etc/pki/tls/openssl.cnf，里面[ v3_ca ]上添加选项

[ v3_ca ]
subjectAltName = IP:1.1.1.1

2. 在1.1.1.1生成证书

mkdir -p /opt/docker/registry/certs

openssl req -x509 -days 3650 -nodes -newkey rsa:2048 \
-keyout /opt/docker/registry/certs/1_1_1_1.key \
-out /opt/docker/registry/certs/1_1_1_1.crt
...
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:1.1.1.1:5000 
Email Address []:

3. 创建私人仓库容器

docker run \
-d \
--name docker-registry-no-proxy  --restart=always \
-v /opt/docker/registry/data:/var/lib/registry \
-u root \
-p 1.1.1.1:5000:5000 \
-v /opt/docker/registry/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/1_1_1_1.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/1_1_1_1.key \
registry

4. 拷贝证书到指定位置， 1.1.1.1和2.2.2.2上都要做 (有这个证书的机器才能访问搭建的私人仓库)

mkdir -p /etc/docker/certs.d/1.1.1.1:5000/

cp /opt/docker/registry/certs/1_1_1_1.crt /etc/docker/certs.d/1.1.1.1:5000/

5. 上传镜像my_image,先将镜像打上带仓库地址的标签，然后push

docker tag my_image 1.1.1.1:5000/my_image
docker push 1.1.1.1:5000/my_image

6. 下载镜像

docker pull 1.1.1.1:5000/my_image