Adding an insecure registry in containerd

Question  Votes: 0  Answers: 3

Trying to add an insecure registry to the containerd config, as shown below:

[plugins."io.containerd.grpc.v1.cri".cni]
      bin_dir = "/opt/cni/bin"
      conf_dir = "/etc/cni/net.d"
      max_conf_num = 1
      conf_template = ""
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io"]
        [plugin."io.containerd.grpc.v1.cri".registry.mirrors."test.http-registry.io"]
          endpoint = ["http://v048011.dom600.lab:5000"]

Even after adding it to config.toml, pulling an image from the insecure registry fails:

sudo ctr image pull v048011.dom600.lab:5000:5000/myjenkins:latest

ctr: failed to resolve reference "v048011.dom600.lab:5000/myjenkins:latest": failed to do request: Head https://v048011.dom600.lab:5000:5000/v2/myjenkins/manifests/latest: http: server gave HTTP response to HTTPS client

In docker, we simply add the insecure registry to the daemon.json file and docker pulls images from it. How can I achieve the same in containerd? I am replacing docker as the runtime in a k8s cluster.

kubernetes containerd
3 Answers
30
votes

ctr reads the /etc/containerd/config.toml config file; this config is used by cri, which means kubectl or crictl will use it.

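The error log

http: server gave HTTP response to HTTPS client

shows that the registry is using http, but ctr is trying to connect to it using https. So if you want to pull images over http, you should add the --plain-http parameter to ctr, like this: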

$ ctr image pull --plain-http <image>

The registry configuration documentation is here.

You should be able to pull images with crictl; remember to restart containerd.

$ sudo crictl -r /run/containerd/containerd.sock pull <image>

# or config runtime once for all
$ sudo crictl config runtime-endpoint /run/containerd/containerd.sock
$ sudo crictl pull <image>

Config example (deprecated):

# /etc/containerd/config.toml
# change <IP>:5000 to your registry url

[plugins."io.containerd.grpc.v1.cri".registry]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."<IP>:5000"]
      endpoint = ["http://<IP>:5000"]
  [plugins."io.containerd.grpc.v1.cri".registry.configs]
    [plugins."io.containerd.grpc.v1.cri".registry.configs."<IP>:5000".tls]
      insecure_skip_verify = true

Config example (new):
https://github.com/containerd/containerd/blob/main/docs/cri/registry.md
https://github.com/containerd/containerd/blob/main/docs/cri/config.md#registry-configuration
https://github.com/containerd/containerd/blob/main/docs/hosts.md

/etc/containerd/config.toml
----
[plugins."io.containerd.grpc.v1.cri".registry]
   config_path = "/etc/containerd/certs.d"

/etc/containerd/certs.d/docker.io/hosts.toml
----
server = "https://registry-1.docker.io"
[host."https://{docker.mirror.url}"]
  capabilities = ["pull", "resolve"]

/etc/containerd/certs.d/{your.ip}:5000/hosts.toml
----
server = "https://registry-1.docker.io"
[host."http://{your.ip}:5000"]
  capabilities = ["pull", "resolve", "push"]
  skip_verify = true

Restart the service after changing the configuration.

$ sudo systemctl restart containerd

6
votes

Add the following configuration:

    [plugins."io.containerd.grpc.v1.cri".cni]
      bin_dir = "/opt/cni/bin"
      conf_dir = "/etc/cni/net.d"
      max_conf_num = 1
      conf_template = ""
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."test.http-registry.io"]
          endpoint = ["http://v048011.dom600.lab:5000"]
        [plugins."io.containerd.grpc.v1.cri".registry.configs]
          [plugins."io.containerd.grpc.v1.cri".registry.configs."test.http-registry.io".tls]
            insecure_skip_verify = true

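This should skip TLS verification for the test registry. See also the documentation on configuring registry TLS communication.

Edit: note the "s" in plugins; there is a typo in your config.

Note: be sure to restart containerd: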

$ sudo systemctl restart containerd
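
An added example, not part of the original answers: a small audit of a containerd config.toml that flags what this thread turns on, namely the misspelled CRI table the second answer points out, plain-HTTP mirror endpoints, and disabled TLS verification. The function name, finding codes and sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample: the registry section from the question, typo included,
# plus the TLS override from the second answer.
SAMPLE_CONFIG = '''\
[plugins."io.containerd.grpc.v1.cri".registry]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
      endpoint = ["https://registry-1.docker.io"]
    [plugin."io.containerd.grpc.v1.cri".registry.mirrors."test.http-registry.io"]
      endpoint = ["http://v048011.dom600.lab:5000"]
  [plugins."io.containerd.grpc.v1.cri".registry.configs]
    [plugins."io.containerd.grpc.v1.cri".registry.configs."test.http-registry.io".tls]
      insecure_skip_verify = true
'''

CRI = '"io.containerd.grpc.v1.cri"'
HEADER = re.compile(r'^\[\s*(.+?)\s*\]$')
KEYVAL = re.compile(r'^([\w-]+)\s*=\s*(.+)$')

def audit_registry_config(text):
    """Return (line_no, code, detail) findings for a config.toml string (hypothetical helper)."""
    findings, table = [], ""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # naive comment strip, enough for this section
        header = HEADER.match(line)
        if header:
            table = header.group(1)
            # The typo from the question: a CRI table not rooted at "plugins".
            if CRI in table and not table.startswith("plugins."):
                findings.append((no, "misspelled-table", table))
            continue
        kv = KEYVAL.match(line)
        if not kv:
            continue
        key, value = kv.groups()
        if key == "endpoint" and ".registry.mirrors." in table:
            # Mirror endpoints that use plain HTTP instead of HTTPS.
            for url in re.findall(r'"(http://[^"]+)"', value):
                findings.append((no, "plaintext-endpoint", url))
        elif key == "insecure_skip_verify" and value.strip() == "true":
            findings.append((no, "tls-verify-disabled", table))
    return findings

if __name__ == "__main__":
    for no, code, detail in audit_registry_config(SAMPLE_CONFIG):
        print(f"line {no}: {code}: {detail}")
```
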

2
votes

In my case, I simply added the [[registry]] field to the /etc/containers/registries.conf file, because I am using crio

[[registry]]
insecure = true
location = "IP ADDRESS"

Then restart crio

systemctl restart crio.service

See https://github.com/cri-o/cri-o/blob/main/docs/crio.conf.5.md
