Setup trusted Docker registry on a Raspberry Pi to host netPI containers
#1
How to setup a trusted Docker registry with a self-signed certificate on a Linux machine (Raspberry Pi):

Make a basic setup of your RPi:

  1. Get terminal access to the system
  2. Change to user root
    $ sudo -i
  3. Install Docker Engine
    $ curl -sSL https://get.docker.com | sh
  4. Give your RPi a reasonable Hostname e.g. myregistry. (The name has to be lowercase since Docker can address images/tags/registries by name only if they are lowercase. A distinct Hostname is necessary since it is strongly recommended that trusted CA certificates identifying a device as secure should not be issued for the device's IP address but for its Hostname instead.) Use an editor (e.g. nano) to change the current Hostname raspberrypi to myregistry in the two files:
    $ nano /etc/hosts (string behind the ip address 127.0.1.1)
    $ nano /etc/hostname

  5. (optional) If you want to make the Hostname public in a MS Windows based office network you have to install two additional services
    $ apt-get install samba
    $ apt-get install winbind

    Additionally the wins service needs to be activated. Edit the following file in an editor
    $ nano /etc/nsswitch.conf
    In the line hosts: add the term wins and mdns4 to the existing terms files, dns, mdns4_minimal and others
  6. Reboot the system
    $ reboot now
  7. After the reboot generate new SSH keys pairs. First remove old ones
    $ rm /etc/ssh/ssh_host_*
  8. Reconfigure SSH server and generate new key pairs
    $ dpkg-reconfigure openssh-server
  9. Restart SSH server
    $ service ssh restart
Generate a self-signed certificate:

  1. Create a folder certs on your RPi and move to it. It will be mapped into the Registry Server container later and will provide the certificates to it
    $ mkdir -p /certs && cd /certs
  2. Generate a new private key devdockerCA.key.
    $ openssl genrsa -out devdockerCA.key 2048
  3. Generate root CA certificate devdockerCA.pem. Adjust the following sample configuration "/C=DE/ST=Hessen ..." to your personal credentials.
    $ openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.pem -subj "/C=DE/ST=Hessen/L=Hattersheim/O=Hilscher/OU=Hilscher/CN=myownca/emailAddress=myownca@hilscher.com"
  4. Generate another private key named domain.key for the Registry Server.
    $ openssl genrsa -out domain.key 2048
  5. Create a new file req.conf with
    $ nano /certs/req.conf
    that is necessary for a proper signing procedure. Copy the following content to it and tailor it to your credentials. Especially the CN parameter (Common Name) has to match your chosen RPi Hostname:
    [ req ]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no
    [ req_distinguished_name ]
    C = DE
    ST = Hessen
    L = Hattersheim
    O = Hilscher
    OU = netIOT
    CN = myregistry
    emailAddress = mypi@hilscher.com
    [ v3_req ]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [ req_ext ]
    subjectAltName = @alt_names
    [ alt_names ]
    DNS.1 = myregistry
    DNS.2 = myregistry.local
    DNS.3 = myregistry.domain
    IP.1 = 127.0.0.1

  6. Execute the certificate signing request.
    $ openssl req -new -key domain.key -out dev-docker-registry.com.csr -config req.conf
  7. Cross sign the server certificate with the CA root certificate and generate domain.crt file.
    $ openssl x509 -req -in dev-docker-registry.com.csr -CA devdockerCA.pem -CAkey devdockerCA.key -CAcreateserial -out domain.crt -days 10000 -extensions req_ext -extfile req.conf
  8. Let the root CA certificate become known on your RPi (else pushing to the Registry Server from the local RPi itself (later topic) is not possible).
    $ cp /certs/devdockerCA.pem /usr/local/share/ca-certificates/devdockerCA.crt
    $ update-ca-certificates
    $ reboot now

  9. Start the Registry as a container (certs folder is mapped to it)
    $ docker run -d --restart=always --name registry -v /certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 443:5000 registry:2
  10. Check if the Registry Server is running
    $ curl https://myregistry.local/v2/_catalog
    {"repositories":[]} -> returns empty list of repositories, which is fine.
Load a test image on your Registry:

  1. Pull a valid image from the Docker Hub internet registry on your RPi
    $ docker pull nginx:latest

  2. Tag the image with a name fitting to the name of your registry to prepare it for a push
    $ docker tag nginx:latest  myregistry.local/mytest:latest

  3. Push the tagged image to your registry
    $ docker push myregistry.local/mytest:latest

Make the certificate known on your netPI:

  1. Copy the previously created /certs/devdockerCA.pem file from your RPi to a location where it can be uploaded over netPI's Web-GUI. Typically you would use an FTP client such as WinSCP to copy it to your PC/machine running the web browser.
  2. Upload the pem file to your netPI using the Security/Public Key Infrastructure menu, highlighting then Trusted Certification Authorities and clicking upload finally as the picture shows:
  3. Reboot the netPI to let the new trusted CA certificate/authority become known on your netPI
Pull the test image on your netPI from your Registry:

  1. Use netPI's Docker Web-GUI
  2. Select Registries in the left menu pane, then click Add registry. Enter a name like mycustomregistry and as Registry URL the value myregistry.local. Finally click Add registry.
  3. Select Images in the left menu pane. Enter there the string mytest:latest as image name and as registry myregistry.local. Then click Pull the image. netPI will now pull the image from your trusted Registry instead of Docker Hub.
"You never fail until you stop trying.", Albert Einstein (1879 - 1955)

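As an added example that is not part of the post above: a POSIX shell script (assumes openssl is installed) that repeats steps 2 to 7 of the certificate section in a directory of your choice and then verifies the result the way a Docker client does, i.e. the server certificate must chain to the self-signed CA and its subjectAltName must list the registry hostname (Docker matches the SAN, not the CN). The hostname myregistry and the subject fields are placeholders taken from the post; the check function is this example's own. Two deliberate differences from the post's commands: keyUsage includes digitalSignature, which RSA-signed key exchanges require, and the signing step uses -extensions v3_req so that keyUsage and extendedKeyUsage are written into the issued certificate, whereas signing with the post's req_ext section copies only the subjectAltName.

```shell
#!/bin/sh
# Added example, not part of the forum post: generate the CA and the registry
# server certificate as in steps 2-7, then verify chain and hostname match.
# "myregistry" and the subject fields are the post's placeholders; adjust them.
set -eu

make_registry_certs() {
  dir="$1"    # output directory (the post uses /certs)
  host="$2"   # registry hostname, lowercase, without ".local"
  mkdir -p "$dir"

  # Root CA: private key and self-signed certificate
  openssl genrsa -out "$dir/devdockerCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/devdockerCA.key" -days 10000 \
    -out "$dir/devdockerCA.pem" -subj "/C=DE/O=Example/CN=myownca"

  # Server key plus request config. subjectAltName is what Docker's TLS client
  # compares with the registry name; the CN alone is not sufficient.
  openssl genrsa -out "$dir/domain.key" 2048 2>/dev/null
  cat > "$dir/req.conf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = DE
O = Example
CN = $host
[ v3_req ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $host
DNS.2 = $host.local
EOF

  # CSR, then the CA-signed server certificate. -extensions v3_req puts keyUsage,
  # extendedKeyUsage and subjectAltName into the issued certificate.
  openssl req -new -key "$dir/domain.key" -out "$dir/domain.csr" -config "$dir/req.conf"
  openssl x509 -req -in "$dir/domain.csr" -CA "$dir/devdockerCA.pem" \
    -CAkey "$dir/devdockerCA.key" -CAcreateserial -out "$dir/domain.crt" \
    -days 10000 -extensions v3_req -extfile "$dir/req.conf" 2>/dev/null
}

# Returns 0 when domain.crt chains to devdockerCA.pem and its SAN lists "$host",
# which is what "docker push $host/..." needs to succeed; returns 1 otherwise.
check_registry_certs() {
  dir="$1"
  host="$2"
  openssl verify -CAfile "$dir/devdockerCA.pem" "$dir/domain.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/domain.crt" -noout -text | grep -Eq "DNS:$host(,|\$)" || return 1
  return 0
}

# Usage mirroring the post (run as root):
#   make_registry_certs /certs myregistry && check_registry_certs /certs myregistry
```

Run the check again after any change to req.conf: a certificate whose SAN does not contain the name you later use in docker tag / docker push is the usual cause of an "x509: certificate is valid for ..." error, and the check reproduces exactly that mismatch before a client sees it.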
#2
Hi,

I followed this setup using a netIoT, not a netPI. Everything went fine until I uploaded the certificate with the Web-GUI.

After the restart I cannot connect to the netIoT via Wifi or cable using the static IP port or the DHCP port; I always get a timeout for the static IP and a not found error for the DHCP.
#3
(November-2nd-2018, 10:04 AM)PhilippS Wrote: I followed this setup using a netIoT not a netPI

You mean you bought a NIOT-E-TPI Edge Gateway instead of a netPI? Is my understanding correct?

This one?: https://www.hilscher.com/products/produc...eeis/?cats=
#4
Yes.

we are using this gateway: https://www.hilscher.com/products/produc...-gb-reeis/?

the registry is running on a standard Raspberry Pi.
#5
Hello Philipp,

 ... but your problem is not the Raspberry registry - which is running fine as I have understood -, your problem is the NIOT-E-TIJCX-GB-RE is not running fine any more, correct?

You said you used the *.pem file and imported it into your NIOT-E-TIJCX-GB-RE device, and after you did that the device was not responding any more and you cannot reach the Web GUI any more, correct? Or when did the problem start to occur?

Thx
Armin
#6
Hi armin,

yes I have the registry running on the Raspberry pi.

Everything went fine until step 3 in Work on your netPI.

I uploaded the *.pem using the WebGUI and issued a reboot.
After the reboot I could not reconnect to the Gateway.

I connected directly to the Gateway using a cable.
I tried both ports. I am not able to connect to the Gateway GUI anymore.

If I try to connect via Port 1 using the DHCP server I get a Webpage not found error in the browser.
If I try to connect via Port 2 using a static IP connecting to the static IP of the Port I get a timeout.

I tried pinging the device via powershell and got a timeout.
#7
Ok Philipp, understood your problem.

Basically it seems you did everything well. I couldn't do it better. The *.pem file should never cause a boot failure on the NIOT Edge Gateway in my opinion.

Since Edge Gateways are not supported through this forum but through Hilscher Hotline, please send your *.pem file and your inquiry to hotline@hilscher.com. They will take care of it.

One thing in addition. The edge gateway you are using is an x86 Intel processor based device. All netPI Docker containers will not run on this Edge Gateway machine. But I agree that a registry can run on any machine, also on a Raspberry, and host ARM based and x86 based container images.

Thx
Armin
#8
By the way ... if the device is not responding any more as you describe ... the only way to recover it from this state is to reset it to factory default using a USB stick and the latest firmware from here https://www.hilscher.com/de/support/downloads/ on it
#9
Hello Armin,
we have set up a registry within our company which is available by the hostname docker01 and it is working from any Raspberry Pi.

If we try to pull images from the Portainer Site on the NetPi we always get the same error:

Failure Get https://docker01.local/v2/: dial tcp:lookup docker01.local: no such host

I can ping the server from inside a Container on the NetPi, so I think the network settings on the NetPi are correct (DHCP).

In the syslog I can see the following lines. I guess the netPI uses the Google DNS server only.


<30>1 2019-01-31T10:12:56+00:00 NTB827EBEADCB9 dockerd 1463 - - time="2019-01-31T10:12:56.012225733Z" level=info msg="No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: [nameserver 8.8.8.8 nameserver 8.8.4.4]"

<30>1 2019-01-31T10:16:24+00:00 NTB827EBEADCB9 dockerd 1463 - - time="2019-01-31T10:16:24.722309664Z" level=info msg="No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: [nameserver 8.8.8.8 nameserver 8.8.4.4]"


Do you have any idea what is happening here?

Best Regards
Reinhold
#10
Which version of netPI do you use? Versions >= 1.1.4.0? So if yes, do you have defined your server as a registry right?

The error indicates to me that the name "docker01.local" cannot be resolved by your DHCP server. How about using a registry with the name "docker01" without ".local", and if nothing else works just enter the plain IP address instead of "docker01.local" for test purposes; then resolving names is not necessary at all.
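An added example, not from any post in this thread, that reproduces the check behind the dockerd syslog message quoted above ("No non-localhost DNS nameservers are left in resolv.conf"): dockerd hands containers a copy of the host's resolv.conf with loopback (127.x.x.x) nameservers removed, because a container in its own network namespace cannot reach them, and if nothing remains it falls back to 8.8.8.8 and 8.8.4.4. A public resolver cannot answer for a ".local" name, which is an mDNS name, so the script also flags registry names that would need mDNS. The sample resolv.conf contents are constructed for illustration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): predict whether dockerd will fall back to
# its external default nameservers for a given resolv.conf, and whether a
# registry name would need mDNS rather than unicast DNS. Sample files are
# constructed by the caller; see the usage note.
set -eu

# Print the nameservers dockerd would keep from the given resolv.conf, one per
# line: every "nameserver" entry except loopback addresses.
effective_dns_servers() {
  grep -E '^[[:space:]]*nameserver[[:space:]]+' "$1" | awk '{print $2}' | grep -Ev '^127\.' || true
}

# Returns 0 if dockerd would use its external defaults (8.8.8.8 / 8.8.4.4)
# because no non-loopback nameserver is left, 1 otherwise.
docker_dns_fallback() {
  [ -z "$(effective_dns_servers "$1")" ]
}

# Returns 0 if the registry name ends in ".local", i.e. it is resolved via
# mDNS on the LAN and a plain unicast DNS server will answer "no such host".
needs_mdns() {
  case "$1" in
    *.local) return 0 ;;
    *)       return 1 ;;
  esac
}

# Usage example, e.g. on the netPI host:
#   if docker_dns_fallback /etc/resolv.conf; then echo "containers will use 8.8.8.8/8.8.4.4"; fi
#   needs_mdns docker01.local && echo "name needs mDNS; use a DNS name or the IP address"
```

Running docker_dns_fallback against a host whose resolv.conf only lists a local stub resolver (for example nameserver 127.0.0.53) returns true, which is exactly the situation the two syslog lines report; combined with a ".local" registry name, the lookup failure in the Portainer error follows directly.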