containerd: [Question] ctr fails to pull images from insecure-registry.
Description
I’ve set inscecure registry in /etc/containerd/config.toml like below:
bin_dir = "/opt/cni/bin"
conf_dir = "/etc/cni/net.d"
conf_template = ""
[plugins.cri.registry]
[plugins.cri.registry.mirrors]
[plugins.cri.registry.mirrors."registry.k8s.my.io"]
endpoint = ["http://registry.k8s.my.io:5000"]
[plugins.cri.registry.mirrors."docker.io"]
endpoint = ["https://registry-1.docker.io"]
Then restart containerd.
systemctl stop containerd; systemctl start containerd
But still fail when I try to pull image via ctr ctr image pull registry.k8s.my.io:5000/coredns/coredns:1.2.2
elapsed: 0.1 s total: 0.0 B (0.0 B/s)
ctr: failed to resolve reference "registry.k8s.my.io:5000/coredns/coredns:1.2.2": failed to do request: Head https://registry.k8s.my.io:5000/v2/coredns/coredns/manifests/1.2.2: http: server gave HTTP response to HTTPS client
What should I do to let ctr/kubernetes pull images from insecure-registry.
Completely containerd config
root = "/var/lib/containerd"
state = "/run/containerd"
oom_score = 0
[grpc]
address = "/run/containerd/containerd.sock"
uid = 0
gid = 0
max_recv_message_size = 16777216
max_send_message_size = 16777216
[debug]
address = ""
uid = 0
gid = 0
level = "debug"
[metrics]
address = ""
grpc_histogram = false
[cgroup]
path = ""
[plugins]
[plugins.cgroups]
no_prometheus = false
[plugins.cri]
stream_server_address = "127.0.0.1"
stream_server_port = "0"
enable_selinux = false
sandbox_image = "k8s.gcr.io/pause:3.1"
stats_collect_period = 10
systemd_cgroup = false
enable_tls_streaming = false
max_container_log_line_size = 16384
[plugins.cri.containerd]
snapshotter = "overlayfs"
no_pivot = false
[plugins.cri.containerd.default_runtime]
runtime_type = "io.containerd.runtime.v1.linux"
runtime_engine = ""
runtime_root = ""
[plugins.cri.containerd.untrusted_workload_runtime]
runtime_type = ""
runtime_engine = ""
runtime_root = ""
[plugins.cri.cni]
bin_dir = "/opt/cni/bin"
conf_dir = "/etc/cni/net.d"
conf_template = ""
[plugins.cri.registry]
[plugins.cri.registry.mirrors]
[plugins.cri.registry.mirrors."registry.k8s.my.io"]
endpoint = ["http://registry.k8s.my.io:5000"]
[plugins.cri.registry.mirrors."docker.io"]
endpoint = ["https://registry-1.docker.io"]
[plugins.cri.x509_key_pair_streaming]
tls_cert_file = ""
tls_key_file = ""
[plugins.diff-service]
default = ["walking"]
[plugins.linux]
shim = "containerd-shim"
runtime = "runc"
runtime_root = ""
no_shim = false
shim_debug = false
[plugins.opt]
path = "/opt/containerd"
[plugins.restart]
interval = "10s"
[plugins.scheduler]
pause_threshold = 0.02
deletion_threshold = 0
mutation_threshold = 100
schedule_delay = "0s"
startup_delay = "100ms"
Steps to reproduce the issue:
- insecure-registry
- restart containerd
- pull image via ctr
Describe the results you received:
ctr: failed to resolve reference “registry.k8s.my.io:5000/coredns/coredns:1.2.2”: failed to do request: Head https://registry.k8s.my.io:5000/v2/coredns/coredns/manifests/1.2.2: http: server gave HTTP response to HTTPS client
Describe the results you expected: ctr/kubernetes can pull images from insecure-registry.
Output of containerd --version:
containerd github.com/containerd/containerd v1.2.0 c4446665cb9c30056f4998ed953e6d4ff22c7c39
About this issue
- Original URL
- State: closed
- Created 6 years ago
- Reactions: 3
- Comments: 27 (12 by maintainers)
@Alvin-Lau please try this
by default, ctr will use
httpsto handle the request. If the registry is http server, we should useplain-httpflag.Thanks for your kindly replies. Let me close this.
@Alvin-Lau Can you try
crictl pull registry.k8s.my.io:5000/coredns/coredns:1.2.2?plugins.cri.registryis a config for thecriplugin, and thecriplugin should usehttpif you specify that in the config.If it doesn’t work, we should fix it.