  Setup trusted Docker registry on a Raspberry Pi to host netPI containers
Posted by: Armin@netPI - July-18th-2018, 09:02 AM - Forum: Software - Replies (12)

How to set up your own trusted Docker Registry Server (comes as a container from Docker Hub) to push and pull Docker images to and from.

As an example, a standard Raspberry Pi (RPi) preloaded with Raspbian OS is used, but you can use any Linux host:

Make a basic setup of your RPi:

  1. Get terminal access to the system using a tool like putty
  2. Change to user root
    $ sudo -i
  3. Install Docker Engine
    $ curl -sSL https://get.docker.com | sh
  4. Give your RPi a reasonable Hostname e.g. myregistry. (The name has to be lowercase since Docker can address image/tags/registries by name only if they are lowercase. A discrete Hostname is necessary since it is strongly recommended that trusted CA certificates identifying a device as secure should not be issued for the device's IP address but for its Hostname instead.) Use an editor (e.g. nano) to change the current Hostname raspberrypi to myregistry in the two files:
    $ nano /etc/hosts (string behind the ip address 127.0.1.1)
    $ nano /etc/hostname

  5. (optional) If you want to make the Hostname public in a MS Windows based office network you have to install two additional services
    $ apt-get install samba
    $ apt-get install winbind

    Additionally the wins service needs to be activated. Edit the following file in an editor
    $ nano /etc/nsswitch.conf
    In the line hosts: add the term wins and mdns4 to the existing terms files, dns, mdns4_minimal and others
  6. Reboot the system
    $ reboot now
  7. After the reboot generate new SSH key pairs. First remove the old ones
    $ rm /etc/ssh/ssh_host_*
  8. Reconfigure SSH server and generate new key pairs
    $ dpkg-reconfigure openssh-server
  9. Restart SSH server
    $ service ssh restart

Generate a self-signed certificate with the help of your own CA (Certificate Authority):

  1. Create a folder certs on your RPi host and move to it. This folder is mapped later into the Registry Server container using the Docker "volume mapping" parameter allowing to mirror a host folder in a container when it is started. So this folder serves as storage for the needed keys and certificates for the container.
    $ mkdir -p /certs && cd /certs
  2. Generate a new key devdockerCA.key needed for your own "trusted" CA used as private key.
    $ openssl genrsa -out devdockerCA.key 2048
  3. Generate public certificate of your CA devdockerCA.pem derived from the private key. Adjust the following sample configuration "/C=DE/ST=Hessen ..." to your personal credentials. The devdockerCA.pem file made known on your RPi host lets it accept certificates signed by this CA, respectively the one reported by your Registry Server later.
    $ openssl req -x509 -new -nodes -key devdockerCA.key -days 10000 -out devdockerCA.pem -subj "/C=DE/ST=Hessen/L=Hattersheim/O=Hilscher/OU=Hilscher/CN=myownca/emailAddress=myownca@hilscher.com"
  4. For your Registry Server another key named domain.key needs to be generated that is used as public key and needs later to be signed by your CA.
    $ openssl genrsa -out domain.key 2048
  5. Create a configuration file req.conf with
    $ nano /certs/req.conf
    that is necessary for a proper signing procedure. Copy the following content to it and tailor it to your credentials (especially the CN parameter Common Name has to match your chosen RPi Hostname):
    [ req ]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no
    [ req_distinguished_name ]
    C = DE
    ST = Hessen
    L = Hattersheim
    O = Hilscher
    OU = netIOT
    CN = myregistry
    emailAddress = mypi@hilscher.com
    [ v3_req ]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [ req_ext ]
    subjectAltName = @alt_names
    [ alt_names ]
    DNS.1 = myregistry
    DNS.2 = myregistry.local
    DNS.3 = myregistry.domain
    IP.1 = 127.0.0.1

  6. Generate now a CSR (Certificate Signing Request) including the public Registry Server key intended to be signed by your CA.
    $ openssl req -new -key domain.key -out dev-docker-registry.com.csr -config req.conf
  7. Cross sign your Registry Server public key with the private CA merged with the CSR parameters and generate domain.crt file which is the final signed certificate of your Registry Server.
    $ openssl x509 -req -in dev-docker-registry.com.csr -CA devdockerCA.pem -CAkey devdockerCA.key -CAcreateserial -out domain.crt -days 10000 -extensions req_ext -extfile req.conf
  8. Let the public CA certificate become known on your RPi (else pushing to the Registry Server from the local RPi itself (later topic) will fail).
    $ cp /certs/devdockerCA.pem /usr/local/share/ca-certificates/devdockerCA.crt
    $ update-ca-certificates
    $ reboot now

  9. Start the Registry as a container (certs folder is mapped to it)
    $ docker run -d --restart=always --name registry -v /certs:/certs -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key -p 443:5000 registry:2
  10. Check if the Registry Server is running
    $ curl https://myregistry.local/v2/_catalog
    {"repositories":[]} -> returns empty list of repositories, which is fine.

Load a test image on your Registry:

  1. Pull a valid image from the Docker Hub internet registry on your RPi
    $ docker pull nginx:latest

  2. Tag the image with a name fitting to the name of your registry to prepare it for a push
    $ docker tag nginx:latest  myregistry.local/mytest:latest

  3. Push the tagged image to your registry
    $ docker push myregistry.local/mytest:latest

Make the certificate known on your netPI:

  1. Copy the previously created /certs/devdockerCA.pem file from your RPi to a location where it can be uploaded over netPI's Web-GUI. Typically you would use an FTP client such as WinSCP to copy it to your PC/machine running the web browser.
  2. Upload the pem file to your netPI using the Security/Public Key Infrastructure menu, then highlighting Trusted Certification Authorities and finally clicking upload.
  3. Reboot the netPI to let the new trusted CA become known on your netPI

Have a look at this video tutorial on YouTube:

https://youtu.be/0QRo3nAkUfo
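
An added check for the certificate steps in the post above (example code, not part of the original post): it confirms that domain.crt chains to devdockerCA.pem and carries the hostname in its subjectAltName, which is only present when the signing step passes -extensions/-extfile, because `openssl x509 -req` does not copy extensions from the CSR by default. The function names, the trimmed req.conf with its explicit v3_ca section, and the throwaway certificates are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post. File names follow the post;
# function names and the throwaway temp-dir certificates are assumptions.

# check_registry_cert CA_PEM CERT HOST
# 0 = usable, 1 = does not chain to CA, 2 = no SAN extension, 3 = HOST not covered
check_registry_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text |
        grep -q "Subject Alternative Name" || return 2
    openssl x509 -in "$2" -noout -checkhost "$3" |
        grep -q "does match" || return 3
}

# make_demo_certs DIR yes|no
# Builds a constructed CA and server certificate in DIR with the post's
# commands; "no" omits -extensions/-extfile when signing, to show the failure.
make_demo_certs() {
    ext=""
    [ "$2" = yes ] && ext="-extensions req_ext -extfile req.conf"
    (
        cd "$1" &&
        cat > req.conf <<'EOF' &&
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = myregistry
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ req_ext ]
subjectAltName = DNS:myregistry, DNS:myregistry.local
EOF
        openssl genrsa -out devdockerCA.key 2048 &&
        openssl req -x509 -new -nodes -key devdockerCA.key -days 2 \
            -out devdockerCA.pem -subj "/CN=myownca" \
            -config req.conf -extensions v3_ca &&
        openssl genrsa -out domain.key 2048 &&
        openssl req -new -key domain.key -out domain.csr -config req.conf &&
        openssl x509 -req -in domain.csr -CA devdockerCA.pem \
            -CAkey devdockerCA.key -CAcreateserial -out domain.crt \
            -days 2 $ext
    ) >/dev/null 2>&1
}

# Demo on constructed certificates: a correctly signed certificate passes.
d=$(mktemp -d) && make_demo_certs "$d" yes &&
    check_registry_cert "$d/devdockerCA.pem" "$d/domain.crt" myregistry.local &&
    echo "domain.crt is usable for myregistry.local"
```

On a real setup, run `check_registry_cert /certs/devdockerCA.pem /certs/domain.crt myregistry.local` before starting the registry container; a return code of 2 means the certificate was signed without the SAN section.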


  Yocto Linux for Rpi3 + netHAT
Posted by: jenrei - July-13th-2018, 10:23 AM - Forum: Software - Replies (4)

Hello together,

as I understand from another topic in the forum it is feasible to use a generic Rpi3 + netHAT in order to have a netPI RTE like device. Is it also possible to use the RT-patched Yocto Linux used on netPI on the raspberry or just a generic Linux OS with docker?
I want to test what I can do with the POWERLINK and Codesys before investing in a netPI. For example I guess there will also be the slave only issue described by others for other fieldbuses.

thanks in advance
Reinhard

Rpi3 + netHAT Topic:
https://www.netiot.com/forum/?tx_typo3fo...f6095b1138


  OPC/UA Client Missing
Posted by: crthomas1234 - July-12th-2018, 04:32 PM - Forum: Software - Replies (1)

Hello All,

On my netIOT device, the nodes in my input and output palettes do not contain the OPC/UA client nodes. The documentation and sample projects show that these nodes are typically available.

Any ideas why they are not visible or how I can re-install them?


  Access Denied to LED1 / LED2
Posted by: crthomas1234 - July-12th-2018, 04:00 PM - Forum: Software - Replies (1)

Hello,

I am using the NetIOT device and was trying to test the nodes to control LED2. However, anytime a message is triggered to turn them on, I receive a message that "Error: EACCES: permission denied, open '/var/platform/led_led2'".

The same thing happens for LED1. Any suggestions on what I am doing wrong? Does this have to do with the NetIOT platform versus NetPi?


  NetPi as Profinet slave with other slaves present
Posted by: Reimar - July-11th-2018, 06:07 PM - Forum: Software - Replies (4)

Hi,

is it possible to configure the netpi to work alongside with one or multiple other profinet slave devices?

In the profinet example the configuration for the slots submodules and other relevant bits reside in this file:
netpi-netx-programming-examples/examples/sources/PacketHandlerPNS.c

Which are the relevant configuration options to be considered on the master?
What are the important configuration parameters in the code and do I need to change the GSDML configuration file as well?

Best regards
Reimar


  Provide PCI slots to install additional network interfaces
Posted by: LIDONG - July-10th-2018, 11:07 AM - Forum: Hardware - Replies (3)

Hi,

Actually I want to add a hot swapping feature on top of this netPI. I mean: if the device breaks down for some reason, the network traffic will be bypassed.

Thus, I need PCI slots to connect some additional network interfaces (with hot swapping feature). Can the netPI provide such PCI slots?

Thanks.


  Accessing Docker daemon through remote CLI
Posted by: adeeljsid - July-9th-2018, 01:08 PM - Forum: Software - Replies (2)

Is there any way by which I might be able to access the docker daemon running on the NetPI through a remote Docker CLI? Secondly, is there any way I can access the NetPI other than its standard web GUI; for instance through SSH?

Regards,
Adeel Jamal


  usage as WLAN access point with hostapd
Posted by: FrankJacob - July-6th-2018, 09:06 AM - Forum: Software - Replies (1)

Hey,

is it possible to run a hostapd in the container to use the netPi as WLAN access point or is the WLAN nic restricted to the host os?

Frank


  Enable/Disable LED1 and LED2
Posted by: FrankJacob - July-3rd-2018, 02:20 PM - Forum: Software - Replies (4)

Hey there,

can someone tell me the command I have to use in a shell script to enable/disable the LED1 and LED2?
I tried to set the GPIO12 to high, but this doesn't work.

Frank


  netPI as USB-Device-Server based on raspbian
Posted by: FrankJacob - July-3rd-2018, 08:56 AM - Forum: Software - Replies (26)

Hey there,

we are trying to set up the netPi as a USB-Device-Server to share USB devices over ethernet. The server software we want to use is called VirtualHere and works great on a RaspberryPi3. But after setting up a container with raspbian and installing the server software we got some problems with the connected USB devices. The virtualhere server is not able to open the devices. We get this error message:

"LOG_ERR     Error 1 opening device (/usr/sbin/bus_usb_001_005) file descriptor, Operation not permitted"


It seems that the container doesn't have enough permissions to use the USB devices. The same happens with USB mass storage devices. By configuring the container, the devices were linked to the container (/dev/ttyUSB0)

Is there any option to get it working on a netPi, maybe with more permissions for the docker container?


Regards, daice