在kubernetes技术体系中，镜像的仓库扮演着重要的角色。应用的更新与发布都是通过对镜像进行更新，并通过新的镜像启动容器实现的。

为方便之后的学习，本文将介绍在centos7上实现docker本地仓库的搭建。之前写过一篇在centos6上搭建本地仓库的文章，当时使用的registry版本为V1。V1版本在nginx代理上配置和v2版本存在较大差别，前文传送门： http://blog.51cto.com/ylw6006/1597873

环境介绍：
操作系统版本：centos linux 7.2 64bit
Server: 192.168.115.5/24 vm1
Clinet: 192.168.115.6/24 vm2
docker版本： 1.12.6

一、在vm1上创建registry

# docker pull docker.io/registry
# mkdir /home/registry
# docker run -d -p 5000:5000 --name registry --privileged=true --restart=always  \-v /home/registry:/var/lib/registry registry
# curl -XGET http://192.168.115.5:5000/v2/_catalog

通过执行上述命令就可以简单构建出一个可用的本地仓库，但仓库没有配置用户认证，且使用的是http协议。

二、配置vm1使用本地仓库
docker1.12.6版本默认要求仓库必须用https协议，我们可以修改docker配置文件允许使用http协议的仓库。

# grep '5000' /etc/sysconfig/docker
OPTIONS='-g /home/docker -H 0.0.0.0:2375 -H unix:///var/run/docker.sock --insecure-registry 192.168.115.5:5000'
ADD_REGISTRY='--add-registry 192.168.115.5:5000'
# systemctl restart docker
# docker start registry
# docker tag docker.io/busybox 192.168.115.5:5000/busybox
# docker push 192.168.115.5:5000/busybox
# curl -XGET http://192.168.115.5:5000/v2/_catalog
# curl -XGET http://192.168.115.5:5000/v2/busybox/tags/list 

三、使用脚本删除本地仓库中的镜像文件,也可以直接删除对应目录的文件夹达到效果

# curl  \
https://raw.githubusercontent.com/burnettk/delete-docker-registry-image/master/delete_docker_registry_image.py | sudo tee /usr/local/bin/delete_docker_registry_image >/dev/null
# chmod a+x /usr/local/bin/delete_docker_registry_image
# export REGISTRY_DATA_DIR=/home/registry/docker/registry/v2
# delete_docker_registry_image --image busybox 

四、使用nginx对客户端的请求进行代理
1、安装nginx，这里为了省事，直接用rpm包安装。准备配置文件如下

# yum -y install nginx httpd-tools
# cat /etc/nginx/conf.d/docker.conf
upstream docker-registry {server 192.168.115.5:5000;
}
server {listen  443;server_name  registry.fjhb.cn;  ssl on;ssl_certificate     /etc/nginx/keys/nginx.crt;ssl_certificate_key /etc/nginx/keys/nginx.key;proxy_set_header Host       $http_host;   # required for Docker client sakeproxy_set_header X-Real-IP  $remote_addr; # pass on real client IPclient_max_body_size 0; # disable any limits to avoid HTTP 413 for large image uploads# required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)chunked_transfer_encoding on;  location /v2/ {# let Nginx know about our auth fileauth_basic              "Restricted";auth_basic_user_file    docker-registry.htpasswd;add_header 'Docker-Distribution-Api-Version' 'registry/2.0' always;proxy_set_header  Host              $http_host;   # required for docker client‘s sakeproxy_set_header  X-Real-IP         $remote_addr; # pass on real client‘s IPproxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;proxy_set_header  X-Forwarded-Proto $scheme;proxy_read_timeout                  900;proxy_pass http://docker-registry;}
}

2、使用openssl工具创建自签名证书

# cd /etc/pki/CA/
# touch ./{serial,index.txt}
# echo "00" > serial
# openssl  genrsa -out private/cakey.pem 2048
# openssl  req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
# cd /etc/ssl/
# openssl genrsa -out nginx.key 2048
# openssl  req -new -key nginx.key -out nginx.csr
# openssl ca -in nginx.csr -days 3650 -out nginx.crt
# htpasswd -c  /etc/nginx/docker-registry.htpasswd yang
# mkdir /etc/nginx/keys/
# mv nginx.crt  nginx.key  /etc/nginx/keys/
# nginx -t
# systemctl start nginx
# netstat -ntpl |grep nginx 

3、修改vm1主机的hosts文件，并进行测试

# ping -c 1 registry.fjhb.cn
# curl https://registry.fjhb.cn

以上是因为证书是自签名的，操作系统认证失败

# cp /etc/pki/tls/certs/ca-bundle.crt{,.bak}
# cat /etc/pki/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
# systemctl restart docker
# docker start registry
# curl https://registry.fjhb.cn
# curl -u yang:123 https://registry.fjhb.cn
# docker login -u yang -p 123 -e ylw@fjhb.cn registry.fjhb.cn

# docker tag docker.io/busybox  registry.fjhb.cn/busybox
# docker push registry.fjhb.cn/busybox
# curl -XGET http://192.168.115.5:5000/v2/_catalog
# curl -XGET http://192.168.115.5:5000/v2/busybox/tags/list 

参考文档：
https://github.com/burnettk/delete-docker-registry-image