2 min read kubernetes

Containerd 使用HTTP协议容器镜像仓库

Containerd 使用HTTP协议容器镜像仓库

背景

containerd默认会使用HTTPS协议来访问容器镜像仓库服务,然而内网中容器镜像仓库服务为HTTP协议,所以需要追加些参数来实现交互。

环境

  • Containerd: 1.6.33

实现方式

编辑/etc/containerd/config.toml文件

    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = ""

      [plugins."io.containerd.grpc.v1.cri".registry.auths]

      [plugins."io.containerd.grpc.v1.cri".registry.configs]
        [plugins."io.containerd.grpc.v1.cri".registry.configs."hub.vqiu.cn".tls]
          insecure_skip_verify = true
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."hub.vqiu.cn"]
          endpoint = ["http://hub.vqiu.com:80"]

重启containerd服务即可。

# systemctl restart containerd

使用crictl 拉取

# crictl pull hub.vqiu.cn/node-problem-detector:v0.8.19
Image is up to date for sha256:44253193157e97eaab4567e6413d6ca810ef91f34a97225c12b7898d739b8c33

使用ctr 拉取

# ctr images pull --plain-http hub.vqiu.cn/node-problem-detector:v0.8.19 
Image is up to date for sha256:44253193157e97eaab4567e6413d6ca810ef91f34a97225c12b7898d739b8c33
拉取会报以下警告

WARN[0000] DEPRECATION: The mirrors property of [plugins."io.containerd.grpc.v1.cri".registry] is deprecated since containerd v1.5 and will be removed in containerd v2.0. Use config_path instead.
WARN[0000] DEPRECATION: The configs property of [plugins."io.containerd.grpc.v1.cri".registry] is deprecated since containerd v1.5 and will be removed in containerd v2.0. Use config_path instead.

虽然上述方式还能使用,然而该方式会在2.0版本中进行移除,所以我们还是需要掌握最新的配置方式。

声明 config_path 的路径

# sed -i 's@config_path =.*@config_path = "/etc/containerd/certs.d"@' /etc/containerd/config.toml

新增内部明文镜像仓库

mkdir -p /etc/containerd/certs.d/hub.vqiu.cn
cat >/etc/containerd/certs.d/hub.vqiu.cn/hosts.toml <<EOF
server = "http://hub.vqiu.cn"

[host."http://hub.vqiu.cn"]
  capabilities = ["pull", "resolve", "push"]
EOF

重启containerd服务

# systemctl restart containerd

镜像拉取测试

# crictl pull hub.vqiu.cn/prometheus:v3.2.1
Image is up to date for sha256:503e04849f1c820b73ed19f348cb8da0c9728f38b6a4f68eb68d8c3eb0e1869f

其它配置参考范例

[host."https://mirror.registry"]
  capabilities = ["pull"]
  ca = "/etc/certs/mirror.pem"
  skip_verify = false
  [host."https://mirror.registry".header]
    x-custom-2 = ["value1", "value2"]

[host."https://mirror-bak.registry/us"]
  capabilities = ["pull"]
  skip_verify = true

[host."http://mirror.registry"]
  capabilities = ["pull"]

[host."https://test-1.registry"]
  capabilities = ["pull", "resolve", "push"]
  ca = ["/etc/certs/test-1-ca.pem", "/etc/certs/special.pem"]
  client = [["/etc/certs/client.cert", "/etc/certs/client.key"],["/etc/certs/client.pem", ""]]

[host."https://test-2.registry"]
  client = "/etc/certs/client.pem"

[host."https://test-3.registry"]
  client = ["/etc/certs/client-1.pem", "/etc/certs/client-2.pem"]

参考引用

You might also like...

Mar
31
Containerd 配置带认证容器镜像仓库

Containerd 配置带认证容器镜像仓库

背景企业内部的容器镜像仓库服务带凭证是再正常不过了,正好containerd支持带认证的容器镜像仓库。 环境容器镜像仓库地址:http://hub.vqiu.cn用户名:vqiu密码:vqiu实现步骤docker-registy为docker-registry服务实现简单的认证 生成一个Basic认证类型的用户USERNAME=vqiu PASSWORD=vqiu htpasswd -Bnb $USERNAME $PASSWORD > /etc/docker-registry/
1 min read
Jan
23
轻量级私有容器镜像仓库

轻量级私有容器镜像仓库

背景需要一个容器镜像仓库服务,Habor、Nexus是首选,尽量保持轻量化但又想能提供可视化页面。此时就可以使用 registry-ui + docker-registry。 服务实现 docker-compose.ymlservices: registry-ui: image: registry.cn-shenzhen.aliyuncs.com/shuhui/docker-registry-ui:2.5.
1 min read
Jan
09
使用lsyncd实现数据同步

使用lsyncd实现数据同步

2 min read
Dec
30
OpenSSL 生成国密SM2密钥对

OpenSSL 生成国密SM2密钥对

要点:openssl 的版本必须为1.1.1+ 查看openssl 是否支持SM2 # openssl ecparam -list_curves | grep SM2 如果有输出就说明支持。 生成 CA 密钥对生成CA私钥 # openssl ecparam -genkey
1 min read
Dec
08
NFS服务端安全策略

NFS服务端安全策略

背景环境检测 查看NFS配置,已经配置ACL # cat /etc/exports /.nfs-fileshare 10.10.88.48/32(rw,async,crossmnt,insecure,fsid=0,no_auth_
1 min read