Setup trusted Docker registry on a Raspberry Pi to host netPI containers
#1
Follow these steps to set up a trusted Docker image hosting registry on a standard Raspberry Pi:


  1. Log in to your Pi with a terminal program such as PuTTY and make yourself root in the console with
    $ sudo -i
  2. Install Docker first (if not already installed)
    $ curl -sSL https://get.docker.com | sh
  3. Make your registry hosting Raspberry Pi unique in your (office) network (a Pi has a default Hostname: raspberrypi) and give it a reasonable Hostname like myregistry. (The name has to be lowercase. Docker can address image/tags/registries by name only if they are lowercase).
    Why is a unique Hostname necessary at all? A discrete Hostname is necessary since it is strongly recommended that trusted CA certificates identifying a device as secure should not be issued for the device's IP address but for its Hostname instead. Below you will recognize that we need to create exactly such a CA certificate to let clients accept our server as secure once the certificate is made available to them.
  4. Change the current Hostname raspberrypi to myregistry with an editor (nano) in the following two files.
    $ nano /etc/hosts (string behind the ip address 127.0.1.1)
    $ nano /etc/hostname

  5. (optional) If you want to make the Hostname public in a Windows-based office network, you have to install two additional services
    $ apt-get install samba
    $ apt-get install winbind

    Additionally, the WINS service needs to be activated. Edit the following file in an editor
    $ nano /etc/nsswitch.conf
    In the line starting with hosts:, add the terms wins and mdns4 to the existing terms (files, dns, mdns4_minimal and others)
  6. Reboot the Pi
    $ reboot now
  7. After the reboot, generate new SSH key pairs. First remove the old ones.
    $ rm /etc/ssh/ssh_host_*
  8. Reconfigure SSH server.
    $ dpkg-reconfigure openssh-server
  9. Restart SSH server.
    $ service ssh restart
  10. Create a folder, e.g. certs, on your Pi and move to it. (This folder will be mapped into the Registry Server Container later and will contain its certificates.)
    $ mkdir -p /certs && cd /certs
  11. Generate a new private key devdockerCA.key.
    $ openssl genrsa -out devdockerCA.key 2048
  12. Generate root CA certificate devdockerCA.pem. (Change the sample configuration "/C=DE/ST=Hessen ..." to your personal settings)
    $ openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.pem -subj "/C=DE/ST=Hessen/L=Hattersheim/O=Hilscher/OU=Hilscher/CN=myownca/emailAddress=myownca@hilscher.com"
  13. Generate a new private key named domain.key file for the Registry Server.
    $ openssl genrsa -out domain.key 2048
  14. Create a new file req.conf ($ nano /certs/req.conf) necessary for a proper signing procedure. Copy the following content to it (tailored to your credentials, especially the most important CN that has to match your Pi Hostname):
    [ req ]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no
    [ req_distinguished_name ]
    C = DE
    ST = Hessen
    L = Hattersheim
    O = Hilscher
    OU = netIOT
    CN = myregistry
    emailAddress = mypi@hilscher.com
    [ v3_req ]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [ req_ext ]
    subjectAltName = @alt_names
    [ alt_names ]
    DNS.1 = myregistry
    DNS.2 = myregistry.local
    DNS.3 = myregistry.domain
    IP.1 = 127.0.0.1

  15. Execute the certificate signing request.
    $ openssl req -new -key domain.key -out dev-docker-registry.com.csr -config req.conf
  16. Cross sign the server certificate with the CA root certificate and generate domain.crt file.
    $ openssl x509 -req -in dev-docker-registry.com.csr -CA devdockerCA.pem -CAkey devdockerCA.key -CAcreateserial -out domain.crt -days 10000 -extensions req_ext -extfile req.conf
  17. Let the root CA certificate become known on your Pi (else pushing to the Registry Server from the Pi itself (later topic) is not possible).
    $ cp /certs/devdockerCA.pem /usr/local/share/ca-certificates/devdockerCA.crt
    $ update-ca-certificates
    $ reboot now

  18. Start the registry on your Pi as a container and map the certs folder into it.
    $ docker run -d --restart=always --name registry -v /certs:/certs -e REGISTRY_HTTP_ADDR=0.0.0.0:443 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 443:443 armbuild/registry:2
  19. Check if the Registry Server is running on your Pi by reading the available repositories via its REST API
    $ curl https://myregistry.local:443/v2/_catalog
    {"repositories":[]} -> returns empty list of repositories, which is fine.
  20. Pull a test image from Docker Hub onto your Pi
    $ docker pull hilschernetpi/netpi-debian-stretch:latest

  21. Tag the image with a name matching the name of your registry to prepare it for a push to it
    $ docker tag hilschernetpi/netpi-debian-stretch:latest  myregistry.local/mytest:latest

  22. Push the tagged image to your registry
    $ docker push myregistry.local/mytest:latest

Work to do on your netPI:

  1. Copy the previously created /certs/devdockerCA.pem file from your Pi to a location where it can be uploaded over netPI's Web-GUI. Typically you would use an FTP client such as WinSCP to copy it to your PC/machine running the web browser.
  2. Upload the pem file to your netPI using the Security/Public Key Infrastructure menu, highlighting then Trusted Certification Authorities and clicking upload finally as the picture shows:
       
  3. Reboot the netPI to let the new trusted CA certificate/authority become known on the system
  4. Finally pull the created test image from the registry onto your netPI. Use netPI's Docker Web-GUI and select Images in the left menu pane.
    Enter there the string mytest:latest as image name and as registry myregistry.local. Then click Pull the image. netPI will now pull the image from your private registry instead of Docker Hub.
"You never fail until you stop trying.", Albert Einstein (1879 - 1955)
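The certificate part of the procedure above (steps 11 to 16) condensed into one script, with the verification step a practitioner would want before handing the CA to clients. This is an added example, not code from the original post: it assumes an openssl binary (1.1.0 or newer), a writable directory as its first argument and the lowercase registry hostname as its second. It differs from the post's req.conf in two respects: the signing section (req_ext) carries keyUsage and extendedKeyUsage as well as the SAN, because `openssl x509 -req` ignores the extensions stored in the CSR, and keyUsage includes digitalSignature, which RSA certificates need for ECDHE and TLS 1.3 handshakes. The CA gets an explicit config (ca.conf) so it is marked CA:TRUE regardless of the system openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA and a
# SAN-bearing server certificate for a registry host, then verify the chain
# and hostname the way a Docker client would before trusting the registry.
# Assumptions: openssl >= 1.1.0; $1 = output directory, $2 = lowercase hostname.
set -u

make_registry_certs() {
  dir=$1
  host=$2

  # CA config: mark the root as a CA and restrict it to signing certs/CRLs.
  cat > "$dir/ca.conf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
C = DE
O = Example Org
CN = ${host}-ca
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # Server config: CN and SAN both name the host. req_ext is what the signing
  # step applies, so it must carry key usage and serverAuth, not just the SAN.
  cat > "$dir/req.conf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = DE
O = Example Org
CN = ${host}
[ v3_req ]
subjectAltName = @alt_names
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = ${host}
DNS.2 = ${host}.local
IP.1 = 127.0.0.1
EOF

  # Same file names as the post: devdockerCA.key/.pem, domain.key/.crt.
  openssl genrsa -out "$dir/devdockerCA.key" 2048 2>/dev/null &&
  openssl req -x509 -new -nodes -key "$dir/devdockerCA.key" -days 3650 \
    -config "$dir/ca.conf" -out "$dir/devdockerCA.pem" 2>/dev/null &&
  openssl genrsa -out "$dir/domain.key" 2048 2>/dev/null &&
  openssl req -new -key "$dir/domain.key" -config "$dir/req.conf" \
    -out "$dir/domain.csr" 2>/dev/null &&
  openssl x509 -req -in "$dir/domain.csr" -CA "$dir/devdockerCA.pem" \
    -CAkey "$dir/devdockerCA.key" -CAcreateserial -days 398 \
    -extensions req_ext -extfile "$dir/req.conf" -out "$dir/domain.crt" 2>/dev/null
}

# Returns 0 only if domain.crt chains to devdockerCA.pem, is acceptable for a
# TLS server, and matches the given hostname via its SAN entries.
verify_registry_cert() {
  dir=$1
  host=$2
  openssl verify -CAfile "$dir/devdockerCA.pem" -purpose sslserver \
    -verify_hostname "$host" "$dir/domain.crt" >/dev/null 2>&1
}

# Print the SAN line so a mismatch with the Pi's hostname is visible at a glance.
show_sans() {
  openssl x509 -in "$1/domain.crt" -noout -text 2>/dev/null |
    grep -A1 "Subject Alternative Name"
}

# Usage: ./make_certs.sh /certs myregistry
if [ "${1:-}" != "" ]; then
  make_registry_certs "$1" "$2" && verify_registry_cert "$1" "$2" && show_sans "$1"
fi
```

Run it against a scratch directory first; verify_registry_cert fails for any hostname that is not in the SAN list, which is exactly the failure a Docker client reports as a certificate error when the Pi's hostname and the certificate disagree.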



Messages In This Thread
Setup trusted Docker registry on a Raspberry Pi to host netPI containers - by Armin@netPI - July-18th-2018, 09:02 AM
