Setup Docker Registry on RPi
The goal

Set up a local Docker Registry so that when the GitLab CI does its thing, it is not constantly downloading the images over the Internet, which saves time and bandwidth.

Overview:

Server:
  • Raspberry Pi Model 3B+

  • Raspberry OS (2021-10-30-raspios-bullseye-armhf-lite)

  • hostname = dhub, so hostname -f returns dhub.example.com

  • using "pi" as the user

  • Note: using example.com as domain, change that to the correct domain where needed

Computer:
  • In this case: OS is ArcoLinux

  • Docker is already installed and working

Setup the Server:

Install Raspberry OS (search for instructions on internet)

sudo apt install vim

Update to use static IP instead of DHCP (search for instructions on internet) (hint: sudo vim /etc/dhcpcd.conf)

Since I am using PiHole for the DNS server, ssh into PiHole and add DNS entry to /etc/pihole/custom.list and restart DNS

Install and setup Docker Registry.

Install Docker:

curl -fsSL https://get.docker.com -o get-docker.sh

sh get-docker.sh

sudo usermod -aG docker pi

Log out and log back in so that the new group membership takes effect.

Check if it works:

docker ps

and/or

docker images

Both should display just the report header.

Setup a more secure system:

At $HOME

Create a directory to hold the certificates:

mkdir certs

Create a cert:

openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -addext "subjectAltName = DNS:dhub.example.com" \
  -x509 -days 365 -out certs/domain.crt

Answer the questions it will ask.

Note: the cert will expire in 365 days, so it will need to be renewed within a year.

Start Docker Registry with a run command: (This will pull the Registry image from Docker Hub and start it)

docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_PROXY_REMOTEURL="https://registry-1.docker.io" \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry:2

The certs on Server and Computer must match: the certificate is self-signed, so Computer has to trust the same domain.crt that Server presents.

(Again, for this example, the computer is running Arch Linux; there may be a different process for other OSes.)

Copy the domain.crt from $HOME/certs on Server to Computer.

On Computer: copy domain.crt to /etc/ca-certificates/trust-source/anchors/ and it must have a .crt extension.

sudo trust extract-compat
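
Added example (not part of the original post): a shell script, run on Computer, that checks that the copied domain.crt covers dhub.example.com, that it is not close to its expiry date, and that its SHA-256 fingerprint equals the fingerprint of the certificate the registry serves on port 443. The function names, the script name check-cert.sh and the 30-day threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks for the registry's self-signed certificate.
# Function names and the 30-day threshold are assumptions of this example.

# SHA-256 fingerprint of the PEM certificate in file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds if the names in certificate $1 cover host $2.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# Succeeds if certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint of the certificate served by host $1 on port 443.
server_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Compare local copy $1 with what registry host $2 serves; non-zero on failure.
check_mirror_cert() {
    rc=0
    cert_matches_host "$1" "$2" || { echo "FAIL: $1 does not cover $2"; rc=1; }
    cert_valid_for_days "$1" 30 || { echo "FAIL: $1 expires within 30 days"; rc=1; }
    wanted=$(cert_fingerprint "$1")
    served=$(server_fingerprint "$2")
    if [ -z "$served" ]; then
        echo "FAIL: no certificate received from $2:443"; rc=1
    elif [ "$served" != "$wanted" ]; then
        echo "FAIL: $2 serves $served but the local copy is $wanted"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $2 serves the expected certificate $wanted"
    return "$rc"
}

# Usage: sh check-cert.sh certs/domain.crt dhub.example.com
if [ "$#" -eq 2 ]; then
    check_mirror_cert "$1" "$2"
fi
```

openssl s_client prints the served certificate even when it is not trusted yet, so the script can also be run before domain.crt is added to the trust anchors.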

Also on Computer:

sudo vim /etc/docker/daemon.json

Add the following (if the file already has content, merge the key into the existing JSON object):

{
  "registry-mirrors": ["https://dhub.example.com"]
}

Restart docker on Computer.

sudo systemctl restart docker

And then test it.

Run:

curl https://dhub.example.com/v2/_catalog

Since this is the first time, it should be an empty list.

Select an image from Docker Hub and pull it:

docker pull <new image>

curl https://dhub.example.com/v2/_catalog

The catalog should now display the new image stored on Server.