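As emphasized earlier, image management is a must. Here it means managing images across N servers, not just on a single host.
Current situation and considerations
1) There are several closed environments that cannot reach the Internet directly
2) There are many servers, so how to roll out an updated image has to be planned
3) How to control image versions
Given these issues, a single private registry is certainly not enough, but once several private registries exist, should information be shared between them? It gives me a headache just thinking about it.
Let's first look at how to set up a private registry:
Environment preparation
192.168.220.123 centos7 Docker 1.12.1 already installed (registry)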
192.168.220.215 centos7 Docker 1.10
192.168.220.126 centos6.5 Docker 1.7.1
Set up the private registry
docker pull registry
docker run -d -p 5000:5000 -v /var/lib/registry:/var/lib/registry registry
[root@wxtest1607 registry]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d480848f889b registry "/entrypoint.sh /etc/" 19 seconds ago Up 16 seconds 0.0.0.0:5000->5000/tcp goofy_mccarthy
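The registry's Dockerfile defines VOLUME ["/var/lib/registry"].
If there is no local /var/lib/registry directory on the host, pushed images are stored in the container's own /var/lib/registry directory, which may lead to image loss.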
vi /etc/docker/registry/config.yml
dev:
  loglevel: info
  storage: local
  storage_path: /var/lib/registry
- Verify the private registry
3.1 Push an image to the private registry
On server 126 (Docker client)
docker pull hello-world
docker tag hello-world 192.168.220.123:5000/hellobyqq
docker push 192.168.220.123:5000/hellobyqq
On server 123 (Docker registry)
[root@wxtest1607 repositories]# pwd
/var/lib/registry/docker/registry/v2/repositories
[root@wxtest1607 repositories]# ls -lh
总用量 0
drwxr-xr-x 5 root root 52 8月 29 15:24 hellobyqq
3.2 Pull the image from the private registry to the local host
On server 215 (Docker client)
docker pull 192.168.220.123:5000/hellobyqq
3.3 Query the private registry
[root@localhost docker]# docker search 192.168.220.123:5000/hellobyqq
Error response from daemon: Unexpected status code 404
[root@localhost docker]# curl http://192.168.220.123:5000/v2/_catalog
{"repositories":["hellobyqq"]}
3.4 Common errors
Error response from daemon: invalid registry endpoint https://192.168.220.123:5000/v1/: Get https://192.168.220.123:5000/v1/_ping: tls: oversized record received with length 20527. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add
--insecure-registry 192.168.220.123:5000
to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/192.168.220.123:5000/ca.crt
Solution:
Configure this on the client side
Fix for server 126 (Docker 1.7)
vi /etc/sysconfig/docker
# /etc/sysconfig/docker
#
# Other arguments to pass to the docker daemon process
# These will be parsed by the sysv initscript and appended
# to the arguments list passed to docker -d
other_args="--selinux-enabled=true --insecure-registry 192.168.220.123:5000" # modified here
DOCKER_CERT_PATH=/etc/docker
# Resolves: rhbz#1176302 (docker issue #407)
DOCKER_NOWARN_KERNEL_VERSION=1
# Location used for temporary files, such as those created by
# # docker load and build operations. Default is /var/lib/docker/tmp
# # Can be overriden by setting the following environment variable.
# # DOCKER_TMPDIR=/var/tmp
Restart Docker
Configuration for server 215 (Docker 1.10)
[root@localhost docker]# cat /etc/sysconfig/docker
# /etc/sysconfig/docker
# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled --log-driver=journald'
DOCKER_CERT_PATH=/etc/docker
# If you want to add your own registry to be used for docker search and docker
# pull use the ADD_REGISTRY option to list a set of registries, each prepended
# with --add-registry flag. The first registry added will be the first registry
# searched.
#ADD_REGISTRY='--add-registry registry.access.redhat.com'
# If you want to block registries from being used, uncomment the BLOCK_REGISTRY
# option and give it a set of registries, each prepended with --block-registry
# flag. For example adding docker.io will stop users from downloading images
# from docker.io
# BLOCK_REGISTRY='--block-registry'
# If you have a registry secured with https but do not have proper certs
# distributed, you can tell docker to not look for full authorization by
# adding the registry to the INSECURE_REGISTRY line and uncommenting it.
INSECURE_REGISTRY='--insecure-registry 192.168.220.123:5000' # modified here
# On an SELinux system, if you remove the --selinux-enabled option, you
# also need to turn on the docker_transition_unconfined boolean.
# setsebool -P docker_transition_unconfined 1
# Location used for temporary files, such as those created by
# docker load and build operations. Default is /var/lib/docker/tmp
# Can be overriden by setting the following environment variable.
# DOCKER_TMPDIR=/var/tmp
# Controls the /etc/cron.daily/docker-logrotate cron job status.
# To disable, uncomment the line below.
# LOGROTATE=false
#
# docker-latest daemon can be used by starting the docker-latest unitfile.
# To use docker-latest client, uncomment below line
#DOCKERBINARY=/usr/bin/docker-latest
Restart Docker
Docker 1.12 requires the following:
Create or modify /etc/docker/daemon.json
{ "insecure-registries":["192.168.220.123:5000"] }
Restart docker daemon
systemctl restart docker.service
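
Every client configured as above accepts 192.168.220.123:5000 without verified TLS, so across N servers it helps to know which daemons carry that exception before moving to the ca.crt approach named in the error message. The script below is an added example, not part of the original post: it extracts the insecure registries from the three config styles shown above. The function names and host labels are made up for illustration, and the sample text is shortened from the listings above, plus one constructed host.

```python
import json
import shlex

FLAG = "--insecure-registry"

def from_sysconfig(text):
    """Registries passed with --insecure-registry in /etc/sysconfig/docker."""
    found = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        # shlex removes the shell quoting and drops a trailing "# comment".
        parts = shlex.split(line, comments=True)
        if not parts or "=" not in parts[0]:
            continue
        args = parts[0].split("=", 1)[1].split()
        for i, arg in enumerate(args):
            if arg == FLAG and i + 1 < len(args):
                found.append(args[i + 1])
            elif arg.startswith(FLAG + "="):
                found.append(arg.split("=", 1)[1])
    return found

def from_daemon_json(text):
    """Registries listed under "insecure-registries" in /etc/docker/daemon.json."""
    return list(json.loads(text).get("insecure-registries", []))

def audit(configs):
    """configs maps a host label to (parser, file text); returns sorted findings."""
    return sorted((host, reg) for host, (parse, text) in configs.items()
                  for reg in parse(text))

# Sample input: shortened copies of the three files shown above, plus one
# constructed host ("host-clean") that has no insecure registry configured.
SAMPLE = {
    "host-126": (from_sysconfig,
                 'other_args="--selinux-enabled=true --insecure-registry '
                 '192.168.220.123:5000" # modified here\n'
                 "DOCKER_CERT_PATH=/etc/docker\n"),
    "host-215": (from_sysconfig,
                 "OPTIONS='--selinux-enabled --log-driver=journald'\n"
                 "# BLOCK_REGISTRY='--block-registry'\n"
                 "INSECURE_REGISTRY='--insecure-registry 192.168.220.123:5000'\n"),
    "host-1.12": (from_daemon_json,
                  '{ "insecure-registries":["192.168.220.123:5000"] }'),
    "host-clean": (from_sysconfig, "OPTIONS='--selinux-enabled'\n"),
}

if __name__ == "__main__":
    for host, registry in audit(SAMPLE):
        print(f"{host}: daemon does not require verified TLS for {registry}")
```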