krustlet: Krustlet-tutorial pod get stuck in init:regitered status

Hi, I followed https://github.com/deislabs/krustlet/blob/main/docs/intro/tutorial03.md to create a pod on krustlet node, the pod successfully scheduled to the krustlet node, but the pod get stuck in init:registered and I don’t know why. I think it’s because I build istio in cluster.The init containers istio-init firstly got stuck in waiting status. Istio’s version is v1.10.0. Is that krustlet’s problem or istio’s problem? How to solve this? Another question by the way: Does krustlet use wasm-to-oci pull to pull a wasm module from registry or still use docker pull to pull from a registry?

About this issue

Original URL
State: open
Created 3 years ago
Comments: 19 (2 by maintainers)

Commits related to this issue

Do not fail if Docker-Content-Digest not given. AWS ECR (public.ecr.aws), Red Hat (registry.redhat.io), and likely other registries do not provide the `Docker-Content-Digest` header. As discussed in ... — committed to adobe-platform/krustlet by cdmurph32 3 years ago
Do not fail if Docker-Content-Digest not given. AWS ECR (public.ecr.aws), Red Hat (registry.redhat.io), and likely other registries do not provide the `Docker-Content-Digest` header. As discussed in ... — committed to adobe-platform/krustlet by cdmurph32 3 years ago

Most upvoted comments

A couple of things to unpack here.

Then I ran the command docker pull manually on the krustlet node to pull the wasm module from the registry, but it reported an error:invalid rootfs in image configuration

There is a common misconception that because Krustlet stores WebAssembly modules in OCI means that you can use docker pull to fetch the module. There is also the other misconception that because modules are stored in OCI, they must be a Docker container. Both are untrue. WebAssembly modules are stored as WebAssembly modules. And while the push/pull mechanism is the same between Docker and Krustlet, docker only understands how to fetch Docker containers, not WebAssembly modules. In order to fetch modules from an OCI server, use wasm-to-oci.

Why is this?

docker can only build, push, pull, unpack, and run Docker containers. It does not understand how to build, push, pull, unpack, or run a WebAssembly module.

Does it have to use HTTPS to connection to the registry?

Yes. This is enforced by the OCI distribution specification. All connections must be through HTTPS unless that registry is marked as “insecure”, or is listening on the local loopback address (127.0.0.1).

bacongobbler on Jun 7, 2021

❯ krustlet-wasi --node-ip=192.168.46.249 --bootstrap-file=~/.krustlet/config/bootstrap.conf
Aug 03 10:02:15.368 ERROR kubelet::state::common::image_pull: error=unsupported media type: application/vnd.docker.distribution.manifest.list.v2+json
Aug 03 10:02:27.551 ERROR kubelet::state::common::image_pull: error=unsupported media type: application/vnd.docker.distribution.manifest.list.v2+json
Aug 03 10:02:49.937 ERROR kubelet::state::common::image_pull: error=unsupported media type: application/vnd.docker.distribution.manifest.list.v2+json
Aug 03 10:03:31.961 ERROR kubelet::state::common::image_pull: error=unsupported media type: application/vnd.docker.distribution.manifest.list.v2+json
Aug 03 10:07:00.345 ERROR kubelet::state::common::image_pull: error=unsupported media type: application/vnd.docker.distribution.manifest.list.v2+json
Aug 03 10:08:09.451 ERROR kubelet::state::common::image_pull: error=error sending request for url (https://localhost:5000/v2/): error trying to connect: record overflow
Aug 03 10:08:19.477 ERROR kubelet::state::common::image_pull: error=error sending request for url (https://localhost:5000/v2/): error trying to connect: record overflow
Aug 03 10:08:39.509 ERROR kubelet::state::common::image_pull: error=error sending request for url (https://localhost:5000/v2/): error trying to connect: record overflow
Aug 03 10:09:19.548 ERROR kubelet::state::common::image_pull: error=error sending request for url (https://localhost:5000/v2/): error trying to connect: record overflow
Aug 03 10:09:43.063 ERROR kubelet::state::common::image_pull: error=OCI API error: authentication required on https://registry-1.docker.io/v2/kindest/kindnetd/manifests/v20210326-1e038dc5
Aug 03 10:10:39.584 ERROR kubelet::state::common::image_pull: error=error sending request for url (https://localhost:5000/v2/): error trying to connect: record overflow
Aug 03 10:13:19.636 ERROR kubelet::state::common::image_pull: error=error sending request for url (https://localhost:5000/v2/): error trying to connect: record overflow
Aug 03 10:14:45.710 ERROR kubelet::state::common::image_pull: error=OCI API error: authentication required on https://registry-1.docker.io/v2/kindest/kindnetd/manifests/v20210326-1e038dc5

Running from KinD on M1 Mac by following Krustlet’s howto

I was using KinD’s registry to store my wasm module. I switched to the latest tag, built from source and by passing --insecure-registries localhost:5000 flag to Krustlet-wasi I was successfully able to see it working.

VishnuJin on Aug 5, 2021