- The goal
Set up a local Docker Registry so that when GitLab CI does its thing, it is not constantly downloading the images over the Internet, which saves time and bandwidth.
Raspberry Pi Model 3B+
Raspberry OS (2021-10-30-raspios-bullseye-armhf-lite)
hostname = dhub so hostname -f = dhub.example.com
using "pi" as the user
Note: using example.com as domain, change that to the correct domain where needed
In this case: OS is ArcoLinux
Docker is already installed and working
Set up the Server:
Install Raspberry OS (search for instructions on internet)
sudo apt install vim
Update to use static IP instead of DHCP (search for instructions on internet) (hint: sudo vim /etc/dhcpcd.conf)
Since I am using PiHole for the DNS server, ssh into PiHole and add DNS entry to /etc/pihole/custom.list and restart DNS
Install and set up Docker Registry.
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
sudo usermod -aG docker pi
Check if it works:
Both should display just the report header.
Set up a more secure system:
Create a directory to hold the certificates:
Create a cert:
openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -addext "subjectAltName = DNS:dhub.example.com" \
  -x509 -days 365 -out certs/domain.crt
Answer the questions it will ask.
Note: the cert will expire in 365 days! Will need to renew in a year.
Start Docker Registry with a run command: (This will pull the Registry image from Docker Hub and start it)
docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_PROXY_REMOTEURL="https://registry-1.docker.io" \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry:2
The certs on Server and Computer must match.
(Again, for this example, the computer is running Arch Linux; there may be a different process for other OSes.)
Copy the domain.crt from $HOME/certs on Server to Computer.
On Computer: copy domain.crt to /etc/ca-certificates/trust-source/anchors/ and it must have a .crt extension.
sudo trust extract-compat
Also on Computer:
sudo vim /etc/docker/daemon.json
Add the following line:
Restart docker on Computer.
sudo systemctl restart docker
And then test it.
Since this is the first time, it should be an empty list.
Select an image from Docker Hub and pull it:
docker pull <new image>
should display the new image stored on Server.
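
The setup above relies on three properties of certs/domain.crt: the copy trusted on Computer is the same certificate the Server presents, it carries the dhub.example.com subjectAltName, and it has not reached the end of its 365 days. The script below is an added example, not part of the original write-up; the function names, the file arguments and the 30-day renewal window are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): checks for the self-signed
# registry certificate. Function names and the 30-day default are assumptions.

# SHA-256 fingerprint of a PEM certificate; empty if the file is unreadable.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeeds only if subjectAltName contains DNS:<host>. Docker's TLS stack
# matches host names against the SAN list, not the certificate's CN.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -qxF "DNS:$2"
}

# Succeeds if the certificate is still valid <days> days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Args: server cert, client's trusted copy, registry host name, [min days].
# Prints one line per finding and returns the number of failed checks.
check_registry_cert() {
    local server_crt="$1" client_crt="$2" host="$3" min_days="${4:-30}"
    local fp_server fp_client failures=0
    fp_server=$(cert_fingerprint "$server_crt")
    fp_client=$(cert_fingerprint "$client_crt")
    if [ -z "$fp_server" ] || [ "$fp_server" != "$fp_client" ]; then
        echo "FAIL: client copy differs from the server certificate"
        failures=$((failures + 1))
    fi
    if ! cert_has_san "$server_crt" "$host"; then
        echo "FAIL: certificate has no subjectAltName DNS:$host"
        failures=$((failures + 1))
    fi
    if ! cert_valid_for_days "$server_crt" "$min_days"; then
        echo "FAIL: certificate expires within $min_days days (or is unreadable)"
        failures=$((failures + 1))
    fi
    if [ "$failures" -eq 0 ]; then echo "OK: $host certificate checks passed"; fi
    return "$failures"
}

# Example: ./check-registry-cert.sh certs/domain.crt copy.crt dhub.example.com
if [ "$#" -ge 3 ]; then check_registry_cert "$@"; fi
```

Run from cron on the Computer, a non-zero exit status is the cue to regenerate the certificate on the Server and copy it over again before pulls through the registry start failing.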