Hilscher Community Forum
Create own trusted Docker registry server - Printable Version

+- Hilscher Community Forum (https://forum.hilscher.com)
+-- Forum: netPI 3 - Docker featuring Industrial Raspberry Pi 3 platform (https://forum.hilscher.com/forum-1.html)
+--- Forum: Software (https://forum.hilscher.com/forum-5.html)
+--- Thread: Create own trusted Docker registry server (/thread-285.html)



Create own trusted Docker registry server - Armin@netPI - January-27th-2018

netPI pulls images from trusted Docker registry servers only. A trusted server presents a TLS certificate issued by a Certificate Authority (CA) that the pulling host already trusts, so the Docker daemon can verify the server's identity before it accepts any image data. The most popular trusted Docker registry is Docker Hub, but you can run trusted Docker registry servers yourself, on-premise, as well. We show you how.

Here is how you set up your own trusted Docker registry server with the help of an official Certificate Authority such as Let's Encrypt.
  • First you need a domain name (hostname) for your server. Get one from noip, for example. Let's suppose you got the name mydockerregistry.ddns.net.
  • Next, configure the DynDNS service on your Internet router as described here, so that your router is reachable through your domain name over the internet.
  • Then set up a physical server. Run Linux on it for quick results; Ubuntu will do.
  • Configure your Internet router to forward TCP ports 80 and 443 to the server. Port 80 is needed only during the one-time certificate issuance, when Let's Encrypt connects to your domain to prove you control it. Port 443 is needed to run the Docker registry over HTTPS.
  • For automated certificate issuance you need a web server installed on your server. For quick results we recommend Nginx; to install it simply call sudo apt-get install nginx.
  • Additionally install Certbot, a tool that automatically requests a certificate from Let's Encrypt for your domain. On the Certbot web site select Nginx as software and Ubuntu as system, and it will provide installation instructions. Execute the proposed commands on your server.
  • During the procedure you will be asked for the domain name you want the certificate for. Enter your domain name, mydockerregistry.ddns.net in our example, at this stage.
  • The certificate and key will be generated and stored on your server in the folder /etc/letsencrypt/live/mydockerregistry.ddns.net/. Port 80 forwarding on your Internet router is no longer needed, except while renewing: Let's Encrypt certificates are valid for 90 days, and certbot renew proves domain control over port 80 again.
  • Now install Docker on your server as described here.
  • The certificate and key need renaming and merging so that the Docker registry can use them. The files in the live/ folder are symlinks to the latest versions in archive/, and cp follows them, so the copy is a regular file. Keep the private key readable by its owner only (the registry process runs as root inside the container, so it can still read it); the certificate bundle may be world-readable. Call
    cd /etc/letsencrypt/live/mydockerregistry.ddns.net/
    cp privkey.pem domain.key
    cat cert.pem chain.pem > domain.crt
    chmod 600 domain.key
    chmod 644 domain.crt
  • Finally run the Docker registry with the following docker command. The registry reads the certificate and key when it starts, and certbot renew does not update these copies, so after each renewal repeat the copy step above and run docker restart registry.
    docker run -d \
      --restart=always --name registry \
      -v /etc/letsencrypt/live/mydockerregistry.ddns.net:/certs \
      -v /opt/docker-registry:/var/lib/registry \
      -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
      -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
      -p 443:443 \
      registry:2
  • Now you are able to access your Docker registry at mydockerregistry.ddns.net, e.g. call docker pull mydockerregistry.ddns.net/myimage to pull an image named myimage across the internet. Note that this configuration has no authentication: anyone who can reach port 443 can pull and push images. Before leaving the registry exposed to the internet, configure access control (registry:2 supports htpasswd authentication through its REGISTRY_AUTH settings) or restrict who can reach the port.
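The steps above, scripted in POSIX shell as an added example (this is not code from the original post or from Hilscher). It assumes /opt/docker-registry-certs as a separate destination for the copied key and certificate, so the container is given only those two files rather than the whole live/ folder, and it keeps the key at mode 600; the registry process runs as root inside the container and can still read it. The hostname mydockerregistry.ddns.net and /opt/docker-registry are the post's example values. Setting DOCKER=echo prints the docker command instead of running it, which is also how the functions can be exercised without Docker or a live certificate.

```shell
#!/bin/sh
# Added example, not part of the original post: prepare the Let's Encrypt files
# for registry:2, start the registry, and verify it the way a pulling Docker
# daemon would. /opt/docker-registry-certs is an assumed destination directory.
set -eu

# Copy and merge the Let's Encrypt files into the names registry:2 is given.
#   $1 = Let's Encrypt live directory (privkey.pem, cert.pem, chain.pem)
#   $2 = destination directory for domain.key and domain.crt
# Fails before touching anything if one of the inputs is missing.
prepare_registry_certs() {
    src="$1"; dst="$2"
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    mkdir -p "$dst"
    # cp follows the live/ symlinks, so the copy is the current key as a regular
    # file. The umask keeps it from being world-readable even for an instant.
    (umask 077 && cp "$src/privkey.pem" "$dst/domain.key")
    # Leaf certificate followed by the intermediate chain (same as fullchain.pem).
    cat "$src/cert.pem" "$src/chain.pem" > "$dst/domain.crt"
    chmod 600 "$dst/domain.key"   # private key: owner only
    chmod 644 "$dst/domain.crt"   # certificates are public
}

# Number of PEM certificates in a bundle: 2 for a leaf plus one intermediate.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# True if FILE has exactly the octal MODE, e.g. file_mode_is domain.key 600.
file_mode_is() {
    [ -n "$(find "$1" -prune -perm "$2")" ]
}

# Start the registry on 443 with TLS. With DOCKER=echo the command is printed.
#   $1 = directory holding domain.key/domain.crt, $2 = image store on the host
registry_run() {
    certdir="$1"; datadir="$2"
    "${DOCKER:-docker}" run -d \
        --restart=always --name registry \
        -v "$certdir:/certs" \
        -v "$datadir:/var/lib/registry" \
        -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
        -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
        -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
        -p 443:443 \
        registry:2
}

# Check the deployment like a pulling daemon does: TLS validated against the
# host CA store, then GET /v2/, which a healthy registry answers with 200.
verify_registry() {
    curl -fsS "https://$1/v2/" >/dev/null && echo "TLS and /v2/ OK for $1"
}

# Live deployment only when invoked as: sh registry.sh deploy
if [ "${1:-}" = "deploy" ]; then
    DOMAIN=mydockerregistry.ddns.net
    prepare_registry_certs "/etc/letsencrypt/live/$DOMAIN" /opt/docker-registry-certs
    registry_run /opt/docker-registry-certs /opt/docker-registry
    verify_registry "$DOMAIN"
fi
```

Run it as sh registry.sh deploy on the server once Certbot has issued the certificate. After each renewal, call prepare_registry_certs again and docker restart registry, because the registry reads the files only at start-up and Certbot does not touch the copies.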
If you want to turn your Docker registry server into a local-only server, first close all forwarded ports in your Internet router, then add the hostname to your server's /etc/hosts, e.g. 127.0.0.1 mydockerregistry.ddns.net (our example). Then run a local DNS server in your network that resolves the hostname to the local IP address of your server, and that's it: all access to mydockerregistry.ddns.net now stays inside your network. The certificate remains valid because it is bound to the hostname, not to an IP address, but it still expires after 90 days, and renewing it requires forwarding port 80 again while certbot runs.