containerd: Containerd cannot pull image from insecure registry

Description: I deployed Harbor (172.17.1.201) in my Kubernetes cluster and pushed an image (172.17.1.201/library/alpine) into it. When I tried to manually pull the image from a worker node of my Kubernetes cluster (it uses containerd as the container runtime and there is no Docker on this node at all), it failed:

$ crictl pull 172.17.1.201/library/alpine 
FATA[0000] pulling image failed: rpc error: code = Unknown desc = failed to resolve image "172.17.1.201/library/alpine:latest": no available registry endpoint: failed to do request: Head https://172.17.1.201/v2/library/alpine/manifests/latest: x509: certificate signed by unknown authority

I have already set up 172.17.1.201 as an insecure registry in containerd, and restarted containerd.

    [plugins.cri.registry]
      [plugins.cri.registry.mirrors]
        [plugins.cri.registry.mirrors."172.17.1.201"]
          endpoint = ["http://172.17.1.201"]
        [plugins.cri.registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io"]

Steps to reproduce the issue:

  1. Push an image into Harbor
  2. Pull the image from Harbor

Describe the results you received: Failed to pull image from Harbor.

Describe the results you expected: Successfully pull image from Harbor.

Output of containerd --version:

containerd containerd.io 1.2.6 894b81a4b802e4eb2a91d1ce216b8817763c29fb

Any other relevant information:

$ crictl info 
{
  "status": {
    "conditions": [
      {
        "type": "RuntimeReady",
        "status": true,
        "reason": "",
        "message": ""
      },
      {
        "type": "NetworkReady",
        "status": true,
        "reason": "",
        "message": ""
      }
    ]
  },
  "config": {
    "containerd": {
      "snapshotter": "overlayfs",
      "defaultRuntime": {
        "runtimeType": "io.containerd.runtime.v1.linux",
        "runtimeEngine": "",
        "runtimeRoot": "",
        "options": null
      },
      "untrustedWorkloadRuntime": {
        "runtimeType": "",
        "runtimeEngine": "",
        "runtimeRoot": "",
        "options": null
      },
      "runtimes": null,
      "noPivot": false
    },
    "cni": {
      "binDir": "/opt/cni/bin",
      "confDir": "/etc/cni/net.d",
      "confTemplate": ""
    },
    "registry": {
      "mirrors": {
        "172.17.1.201": {
          "endpoint": [
            "http://172.17.1.201"
          ]
        },
        "docker.io": {
          "endpoint": [
            "https://registry-1.docker.io"
          ]
        }
      },
      "auths": null
    },
    "streamServerAddress": "127.0.0.1",
    "streamServerPort": "0",
    "enableSelinux": false,
    "sandboxImage": "k8s.gcr.io/pause:3.1",
    "statsCollectPeriod": 10,
    "systemdCgroup": false,
    "enableTLSStreaming": false,
    "x509KeyPairStreaming": {
      "tlsCertFile": "",
      "tlsKeyFile": ""
    },
    "maxContainerLogSize": 16384,
    "containerdRootDir": "/var/lib/containerd",
    "containerdEndpoint": "/run/containerd/containerd.sock",
    "rootDir": "/var/lib/containerd/io.containerd.grpc.v1.cri",
    "stateDir": "/run/containerd/io.containerd.grpc.v1.cri"
  },
  "golang": "go1.11.8"
}
$ crictl version 
Version:  0.1.0
RuntimeName:  containerd
RuntimeVersion:  1.2.6
RuntimeApiVersion:  v1alpha2

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 22 (7 by maintainers)

Most upvoted comments

This worked for me FYI

    [plugins.cri.registry.mirrors."harbor.example.com"]
      endpoint = ["https://harbor.example.com"]
    [plugins.cri.registry.configs."harbor.example.com".tls]
      insecure_skip_verify = true

I changed "io.containerd.grpc.v1.cri" to cri instead, and then it worked.

This did not work for me; containerd just failed to restart: containerd: failed to load TOML from /etc/containerd/config.toml: invalid plugin key URI "cri" expect io.containerd.x.vx

@boeboe Isn't it this parameter? plugins."io.containerd.grpc.v1.cri".containerd default_runtime_name = "cri"
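
An added example, not part of the issue thread or of containerd's code: a small audit script that reads a containerd `config.toml` and reports registries reached over plain HTTP or with TLS verification turned off, the two settings discussed above. It accepts both the `plugins.cri` and `plugins."io.containerd.grpc.v1.cri"` key forms; the function name, the sample config, the `harbor.internal.example` host and the `ca_file` path are constructed for illustration.

```python
import sys
try:
    import tomllib  # Python 3.11+
except ImportError:  # assumption: the tomli backport is installed on older Pythons
    import tomli as tomllib

# Constructed sample config (not from the issue): one HTTP mirror, one host with
# verification disabled, and one host that trusts a private CA via ca_file.
SAMPLE = '''
[plugins.cri.registry.mirrors."172.17.1.201"]
  endpoint = ["http://172.17.1.201"]
[plugins.cri.registry.mirrors."harbor.example.com"]
  endpoint = ["https://harbor.example.com"]
[plugins.cri.registry.configs."harbor.example.com".tls]
  insecure_skip_verify = true
[plugins.cri.registry.mirrors."harbor.internal.example"]
  endpoint = ["https://harbor.internal.example"]
[plugins.cri.registry.configs."harbor.internal.example".tls]
  ca_file = "/etc/containerd/certs/harbor-ca.crt"
'''

CRI_KEYS = ("cri", "io.containerd.grpc.v1.cri")  # both key forms seen in the thread


def audit_registries(toml_text):
    """Return sorted (host, finding) tuples for weakened registry transport."""
    plugins = tomllib.loads(toml_text).get("plugins", {})
    findings = set()
    for key in CRI_KEYS:
        registry = plugins.get(key, {}).get("registry", {})
        for host, mirror in registry.get("mirrors", {}).items():
            for url in mirror.get("endpoint", []):
                if url.lower().startswith("http://"):
                    findings.add((host, "plain-http endpoint " + url))
        for host, cfg in registry.get("configs", {}).items():
            if cfg.get("tls", {}).get("insecure_skip_verify") is True:
                findings.add((host, "tls verification disabled"))
    return sorted(findings)


if __name__ == "__main__":
    # Pass a path such as /etc/containerd/config.toml, or run with no argument
    # to audit the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for host, finding in audit_registries(text):
        print(f"{host}: {finding}")
```

The third host in the sample produces no finding: it keeps certificate verification on and trusts the registry's private CA through `ca_file`, which is available in containerd releases whose CRI registry config supports the `tls` table.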