Using an HTTP Container Image Registry with containerd

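Background
By default, containerd uses HTTPS to access container image registries. The registry on our internal network, however, is served over HTTP, so some extra parameters are needed for containerd to talk to it.
Environment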
- Containerd: 1.6.33
Implementation
Edit the /etc/containerd/config.toml file
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = ""
[plugins."io.containerd.grpc.v1.cri".registry.auths]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
[plugins."io.containerd.grpc.v1.cri".registry.configs."hub.vqiu.cn".tls]
insecure_skip_verify = true
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."hub.vqiu.cn"]
endpoint = ["http://hub.vqiu.com:80"]
Then restart the containerd service.
# systemctl restart containerd
Pull with crictl
# crictl pull hub.vqiu.cn/node-problem-detector:v0.8.19
Image is up to date for sha256:44253193157e97eaab4567e6413d6ca810ef91f34a97225c12b7898d739b8c33
Pull with ctr
# ctr images pull --plain-http hub.vqiu.cn/node-problem-detector:v0.8.19
Image is up to date for sha256:44253193157e97eaab4567e6413d6ca810ef91f34a97225c12b7898d739b8c33
The pull reports the following warnings
WARN[0000] DEPRECATION: The mirrors property of [plugins."io.containerd.grpc.v1.cri".registry] is deprecated since containerd v1.5 and will be removed in containerd v2.0. Use config_path instead.
WARN[0000] DEPRECATION: The configs property of [plugins."io.containerd.grpc.v1.cri".registry] is deprecated since containerd v1.5 and will be removed in containerd v2.0. Use config_path instead.
Although the approach above still works, it will be removed in version 2.0, so we still need to learn the current configuration method.
Set the config_path path
# sed -i 's@config_path =.*@config_path = "/etc/containerd/certs.d"@' /etc/containerd/config.toml
Add the internal plaintext image registry
mkdir -p /etc/containerd/certs.d/hub.vqiu.cn
cat >/etc/containerd/certs.d/hub.vqiu.cn/hosts.toml <<EOF
server = "http://hub.vqiu.cn"
[host."http://hub.vqiu.cn"]
capabilities = ["pull", "resolve", "push"]
EOF
Restart the containerd service
# systemctl restart containerd
Image pull test
# crictl pull hub.vqiu.cn/prometheus:v3.2.1
Image is up to date for sha256:503e04849f1c820b73ed19f348cb8da0c9728f38b6a4f68eb68d8c3eb0e1869f
Other configuration reference examples
[host."https://mirror.registry"]
capabilities = ["pull"]
ca = "/etc/certs/mirror.pem"
skip_verify = false
[host."https://mirror.registry".header]
x-custom-2 = ["value1", "value2"]
[host."https://mirror-bak.registry/us"]
capabilities = ["pull"]
skip_verify = true
[host."http://mirror.registry"]
capabilities = ["pull"]
[host."https://test-1.registry"]
capabilities = ["pull", "resolve", "push"]
ca = ["/etc/certs/test-1-ca.pem", "/etc/certs/special.pem"]
client = [["/etc/certs/client.cert", "/etc/certs/client.key"],["/etc/certs/client.pem", ""]]
[host."https://test-2.registry"]
client = "/etc/certs/client.pem"
[host."https://test-3.registry"]
client = ["/etc/certs/client-1.pem", "/etc/certs/client-2.pem"]
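
Plain-HTTP hosts and skip_verify = true both leave the registry connection without TLS authentication, so it helps to know exactly which entries under config_path carry them. The script below is an added example, not part of the original post: audit_hosts_dir and demo_tree are hypothetical helper names, and the sample tree is constructed from the hosts.toml entries shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Line-based matching for the
# simple hosts.toml layout shown on this page; it is not a full TOML parser.
audit_hosts_dir() {
    for f in "$1"/*/hosts.toml; do
        [ -f "$f" ] || continue
        awk -v reg="$(basename "$(dirname "$f")")" '
            function quoted(s) { sub(/^[^"]*"/, "", s); sub(/".*$/, "", s); return s }
            /^[ \t]*server[ \t]*=/ {
                if (index(quoted($0), "http://") == 1)
                    print reg "\t" quoted($0) "\tplain-http-server"
            }
            /^[ \t]*\[host\."/ {   # also matches [host."URL".header] sub-tables
                url = quoted($0)
                if (!(url in seen) && index(url, "http://") == 1)
                    print reg "\t" url "\tplain-http"
                seen[url] = 1
            }
            /^[ \t]*skip_verify[ \t]*=[ \t]*true/ && url != "" {
                print reg "\t" url "\tskip-verify"
            }
        ' "$f"
    done
}

# Constructed sample tree, modelled on the hosts.toml entries on this page.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/hub.vqiu.cn" "$d/mirror.registry"
    cat >"$d/hub.vqiu.cn/hosts.toml" <<'EOF'
server = "http://hub.vqiu.cn"
[host."http://hub.vqiu.cn"]
capabilities = ["pull", "resolve", "push"]
EOF
    cat >"$d/mirror.registry/hosts.toml" <<'EOF'
[host."https://mirror.registry"]
skip_verify = false
[host."https://mirror-bak.registry/us"]
skip_verify = true
EOF
    echo "$d"
}

# Audit the directory given as $1, or the constructed sample when none is given.
tree=$(demo_tree)
audit_hosts_dir "${1:-$tree}"
rm -rf "$tree"
```

Run it with /etc/containerd/certs.d as the argument to audit a real node; each output line is the registry directory, the host URL and the finding, separated by tabs.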