The goal:
Set up a local Docker Registry so that when the GitLab CI does its thing, it is not constantly downloading the images over the Internet, which saves time and bandwidth.
Overview:
- Server:
Raspberry Pi Model 3B+
Raspberry OS (2021-10-30-raspios-bullseye-armhf-lite)
hostname = dhub so hostname -f = dhub.example.com
using "pi" as the user
Note: using example.com as domain, change that to the correct domain where needed
- Computer:
In this case: OS is ArcoLinux
Docker is already installed and working
Set up the Server:
Install Raspberry OS (search for instructions on internet)
sudo apt install vim
Update to use static IP instead of DHCP (search for instructions on internet) (hint: sudo vim /etc/dhcpcd.conf)
Since I am using PiHole for the DNS server, ssh into PiHole and add DNS entry to /etc/pihole/custom.list and restart DNS
Install and set up Docker Registry.
Install Docker:
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
sudo usermod -aG docker pi
logout/login
Check if it works:
docker ps
and/or
docker images
Both should display just the report header.
Set up a more secure system:
At $HOME
Create a directory to hold the certificates:
mkdir certs
Create a cert:
openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -addext "subjectAltName = DNS:dhub.example.com" \
  -x509 -days 365 -out certs/domain.crt
Answer the questions it will ask.
Note: the cert will expire in 365 days! Will need to renew in a year.
Start Docker Registry with a run command: (This will pull the Registry image from Docker Hub and start it)
docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_PROXY_REMOTEURL="https://registry-1.docker.io" \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry:2
The certs on Server and Computer must match.
(Again, for this example, the computer is running Arch Linux; there may be a different process for other OSes.)
Copy the domain.crt from $HOME/certs on Server to Computer.
On Computer: copy domain.crt to /etc/ca-certificates/trust-source/anchors/ and it must have a .crt extension.
sudo trust extract-compat
Also on Computer:
sudo vim /etc/docker/daemon.json
Add the following line:
Restart docker on Computer.
sudo systemctl restart docker
And then test it.
run:
curl https://dhub.example.com/v2/_catalog
Since this is the first time, it should be an empty list.
Select an image from Docker Hub and pull it:
docker pull <new image>
curl https://dhub.example.com/v2/_catalog
should display the new image stored on Server.
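An added example, not part of the original post: because the cert expires after 365 days and the copy trusted on Computer must match the one Server presents, this script checks the expiry window, that the cert covers dhub.example.com, and that both copies are identical. The function names, the day thresholds and the throwaway rsa:2048 sample cert are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the registry's self-signed
# certificate. Function names, paths and thresholds are assumptions.

# Print the SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_registry_cert SERVER_CRT CLIENT_CRT HOSTNAME MIN_DAYS
# Returns 0 = OK, 1 = expires within MIN_DAYS, 2 = hostname not covered,
# 3 = the client's trusted copy is not the certificate the server uses.
check_registry_cert() {
    server_crt=$1; client_crt=$2; host=$3; min_days=$4
    # -checkend exits non-zero when the cert expires within the given seconds.
    openssl x509 -in "$server_crt" -noout -checkend $((min_days * 86400)) \
        >/dev/null || return 1
    # -checkhost prints "does match" or "does NOT match" for the name.
    openssl x509 -in "$server_crt" -noout -checkhost "$host" \
        | grep -q 'does match' || return 2
    [ "$(cert_fingerprint "$server_crt")" = "$(cert_fingerprint "$client_crt")" ] \
        || return 3
    return 0
}

# Constructed sample input: a throwaway cert built like the one in the post
# (rsa:2048 only to keep the demo fast), written to DIR/domain.crt.
make_sample_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$1/domain.key" \
        -subj "/CN=$2" -addext "subjectAltName = DNS:$2" \
        -x509 -days 365 -out "$1/domain.crt" 2>/dev/null
}
```

On the real setup, pass the domain.crt from $HOME/certs on Server as the first argument and the copy placed under /etc/ca-certificates/trust-source/anchors/ on Computer as the second, for example from a monthly cron job with a 30-day threshold.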