K
Q

Adding insecure registry in containerd

1/12/2021

Trying to add insecure registry to containerd config as below:

[plugins."io.containerd.grpc.v1.cri".cni]
      bin_dir = "/opt/cni/bin"
      conf_dir = "/etc/cni/net.d"
      max_conf_num = 1
      conf_template = ""
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io"]
        [plugin."io.containerd.grpc.v1.cri".registry.mirrors."test.http-registry.io"]
          endpoint = ["http://v048011.dom600.lab:5000"]

Even after adding it to config.toml, when pulling image from the insecure registry, it fails:

sudo ctr image pull v048011.dom600.lab:5000:5000/myjenkins:latest

ctr: failed to resolve reference "v048011.dom600.lab:5000/myjenkins:latest": failed to do request: Head https://v048011.dom600.lab:5000:5000/v2/myjenkins/manifests/latest: http: server gave HTTP response to HTTPS client

In docker we could just add the insecure registry to daemon.json file and docker would pull images from it, how can i achieve the same in containerd ? Replacing docker as runtime in k8s cluster.

-- Sanjay M. P.
containerd
kubernetes

Similar Questions

Ensure minimum number of pods in every node with node selector
Restart kubernetes deployment after changing configMap
Kubernetes pod auto restart with exit 137 code
What is Google Kubernetes Engine version 1.13.12?
Web App Dependencies (JS, CSS) fail to load when using Istio Gateway and VirtualService

2 Answers

4/29/2021

ctr do not read the /etc/containerd/config.toml config file
this config is used by cri , which means kubectl or crictl would use it.

the error log http: server gave HTTP response to HTTPS client, shows that the registry is using http, but ctr is trying to connect it using https.
So if you want to pull the image from http, you should add the param --plain-http with ctr like this: 

ctr i pull --plain-http <image>

the registry config doc is : https://github.com/containerd/containerd/blob/master/docs/cri/registry.md

You should be able to pull the image with crictl, remember to restart containerd.

sudo crictl -r /run/containerd/containerd.sock pull <image>

#or config runntime once for all
sudo crictl config runtime-endpoint /run/containerd/containerd.sock
sudo crictl pull <image>

config example:

# /etc/containerd/config.toml
# change <IP>:5000 to your registry url

[plugins."io.containerd.grpc.v1.cri".registry]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."<IP>:5000"]
      endpoint = ["http://<IP>:5000"]
  [plugins."io.containerd.grpc.v1.cri".registry.configs]
    [plugins."io.containerd.grpc.v1.cri".registry.configs."<IP>:5000".tls]
      insecure_skip_verify = true
-- ws_
Source: StackOverflow
1/12/2021

Adding the following config:

    [plugins."io.containerd.grpc.v1.cri".cni]
      bin_dir = "/opt/cni/bin"
      conf_dir = "/etc/cni/net.d"
      max_conf_num = 1
      conf_template = ""
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io"]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."test.http-registry.io"]
          endpoint = ["http://v048011.dom600.lab:5000"]
        [plugins."io.containerd.grpc.v1.cri".registry.configs]
          [plugins."io.containerd.grpc.v1.cri".registry.configs."test.http-registry.io".tls]
            insecure_skip_verify = true

should skip TLS verification for the test registry. See also the documentation on registry TLS communication configuration.

Edit: Please note the "s" in plugins, there is a typo in your configuration.

-- Blokje5
Source: StackOverflow