Create your own registry
========================

In this tutorial, we'll configure a Raspberry Pi as a fully functional Docker registry that you can push your custom images to and pull them from.

The technologies used in this tutorial:

- Raspberry Pi 4 model B
- Debian 12 (bookworm)
- Docker Registry using the :code:`registry` docker image
- Apache2 + certbot (Let's Encrypt) for HTTPS
- Reverse proxy using Apache proxy modules

#. Debian installation on the Raspberry Pi

   Use Raspberry Pi Imager to flash and configure Debian: https://www.raspberrypi.com/software/

   .. note::

      Make sure to enable SSH during configuration. You can also preconfigure the Wi-Fi if you're not planning to use an Ethernet cable.

#. Connection to the Raspberry Pi

   If you enabled it during configuration, you can use the following alias to connect:

   .. code-block:: bash

      ssh <user>@raspberrypi.local  # If enabled during configuration
      # OR
      ssh <user>@<ip-address>

#. Configure the DNS

   Modify the DNS so that it points to the IP address the Raspberry Pi is reachable at.
   In my case I added an :code:`A` record on OVH for :code:`docker.algolisto.org` pointing to my home IP address.

#. Install Apache2

   .. code-block:: bash

      # Install Apache2
      sudo apt install apache2 -y
      # Enable required Apache2 modules
      sudo a2enmod proxy* rewrite headers ssl

#. Open ports 443 and 80

   Get into your router configuration and open ports :code:`443` (HTTPS) and :code:`80` (HTTP) only for the Raspberry Pi device.

#. Once the DNS has been updated, check that you have access to the default Apache2 page using HTTP (in my case: :code:`http://docker.algolisto.org`)

#. Enable HTTPS using :code:`Let's encrypt` and :code:`certbot`

   .. code-block:: bash

      # Install Certbot and Apache Plugin
      sudo apt install certbot python3-certbot-apache
      # Obtain and Install a Certificate
      sudo certbot --apache -d docker.algolisto.org
      # View Installed Certificates
      sudo certbot certificates
      # Check Certbot Timer Status
      systemctl status certbot.timer
      # Test Certificate Renewal
      sudo certbot renew --dry-run

#. Check that you have access to the default Apache2 page using HTTPS (in my case: :code:`https://docker.algolisto.org`)

#. Start the docker registry local server

   .. code-block:: bash

      sudo mkdir -p /data/docker-registry
      docker run -d \
        --name docker-registry \
        --restart always \
        -p 127.0.0.1:8080:5000 \
        -v /data/docker-registry:/var/lib/registry \
        registry:2

   .. note::

      Port :code:`8080` on the :code:`127.0.0.1` loopback address forwards requests to the container on port :code:`5000` (the default port for the registry). Because the port is bound to the loopback address only, the registry is reachable from outside solely through the Apache reverse proxy.

#. Create a user/password for access to the docker registry

   .. code-block:: bash

      # Create a file /etc/apache2/htpasswd with an entry for the user "docker"
      # and the password stored as an MD5 hash (-m)
      cd /etc/apache2
      sudo htpasswd -c -m htpasswd docker

#. Edit the Apache configuration

   Edit the file: :code:`/etc/apache2/sites-enabled/000-default-le-ssl.conf`

   .. code-block:: apache

      <IfModule mod_ssl.c>
      <VirtualHost *:443>
          <Location />
              # Access Control with IP Restriction
              Order deny,allow
              Deny from all
              Allow from 87.104.201.45
              # Require both the IP match and a valid login
              Satisfy all

              # Authentication
              AuthUserFile /etc/apache2/htpasswd
              AuthName "Authentication"
              AuthType Basic
              require valid-user
          </Location>

          ServerAdmin webmaster@localhost
          ErrorLog ${APACHE_LOG_DIR}/error.log
          CustomLog ${APACHE_LOG_DIR}/access.log combined

          # Certificates path
          ServerName docker.algolisto.org
          SSLCertificateFile /etc/letsencrypt/live/docker.algolisto.org/fullchain.pem
          SSLCertificateKeyFile /etc/letsencrypt/live/docker.algolisto.org/privkey.pem

          # Additional SSL/TLS-related configuration options provided by Let's Encrypt
          Include /etc/letsencrypt/options-ssl-apache.conf

          # Custom headers added to indicate compatibility with Docker Registry API version 2.0
          Header always set "Docker-Distribution-Api-Version" "registry/2.0"
          Header onsuccess set "Docker-Distribution-Api-Version" "registry/2.0"

          # Ensures that the backend server is aware that the original request was made over HTTPS
          RequestHeader set X-Forwarded-Proto "https"

          # Reverse Proxy to the Backend Server (docker registry)
          ProxyPreserveHost On
          ProxyPass / http://127.0.0.1:8080/
          ProxyPassReverse / http://127.0.0.1:8080/
      </VirtualHost>
      </IfModule>

   .. note::

      In the file above you need to adapt the following lines to your setup:

      - :code:`Allow from 87.104.201.45`
      - :code:`ServerName docker.algolisto.org`
      - :code:`SSLCertificateFile /etc/letsencrypt/live/docker.algolisto.org/fullchain.pem`
      - :code:`SSLCertificateKeyFile /etc/letsencrypt/live/docker.algolisto.org/privkey.pem`

   .. note::

      You can get the path of the certificates using the command :code:`sudo certbot certificates`

#. Check the validity of the Apache configuration

   .. code-block:: bash

      sudo apache2ctl configtest

#. Check pushing/pulling an image to/from your repository from another machine

   .. code-block:: bash

      # Set the user and password you created earlier
      docker login docker.algolisto.org
      docker pull hello-world
      docker tag hello-world:latest docker.algolisto.org/hello-world:latest
      docker push docker.algolisto.org/hello-world:latest
      docker pull docker.algolisto.org/hello-world:latest

------------------------------------------------------------

**Sources**:

- https://raspi.debian.net/how-to-image/
- https://idroot.us/install-certbot-debian-12/
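
The :code:`htpasswd -m` step of this tutorial stores the registry password as an Apache MD5 (:code:`$apr1$`) hash, while :code:`htpasswd -B` stores a bcrypt (:code:`$2y$`) hash instead. The script below is an added example, not part of the original tutorial: it reports the scheme of every entry in an htpasswd file and fails if any entry is not bcrypt. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the hash scheme of each htpasswd entry.
# Scheme prefixes: $apr1$ = Apache MD5 (htpasswd -m), $2y$ = bcrypt (htpasswd -B),
# {SHA} = unsalted SHA-1 (htpasswd -s). Anything else is reported as "unknown".

htpasswd_scheme() {
    case "$1" in
        '$2y$'*)   echo bcrypt ;;
        '$apr1$'*) echo apr1-md5 ;;
        '{SHA}'*)  echo sha1 ;;
        *)         echo unknown ;;
    esac
}

# Prints "<user> <scheme> <ok|upgrade>" per entry; returns 1 if any entry is not bcrypt.
audit_htpasswd() {
    rc=0
    while IFS=: read -r user hash _rest || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        scheme=$(htpasswd_scheme "$hash")
        if [ "$scheme" = bcrypt ]; then
            echo "$user $scheme ok"
        else
            echo "$user $scheme upgrade"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed sample file: the hash bodies are placeholders, not real password hashes.
write_sample_htpasswd() {
    cat > "$1" <<'EOF'
docker:$apr1$CONSTRUCTED$placeholderplaceholder00
ci:$2y$10$CONSTRUCTEDplaceholderplaceholderplaceholderplacehold
legacy:{SHA}CONSTRUCTEDplaceholder=
EOF
}

sample=$(mktemp)
write_sample_htpasswd "$sample"
audit_htpasswd "$sample" || echo "non-bcrypt entries found; re-create them with: htpasswd -B <file> <user>"
rm -f "$sample"
```

On the Raspberry Pi, run :code:`audit_htpasswd /etc/apache2/htpasswd` with :code:`sudo` if the file is not readable by your user.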