How to skip TLS cert check for crictl (containerd CR) while pulling the images from private repository
I have installed k8s 1.24 version and containerd (containerd://1.5.9) is the CR for my setup (ubuntu 20.04).
I have also installed docker on my VM and have added my private repository under /etc/docker/daemon.json with the following changes:
{ "insecure-registries" : ["myPvtRepo.com:5028"] }
When I am running docker pull myPvtRepo:123/image after login to my pvt repo by using docker login myPvtRepo:123 command, I am able to pull the images, while running the same command with crictl pull myPvtRepo:123/image, I am facing:
E0819 06:49:01.200489 162610 remote_image.go:218] "PullImage from image service failed" err="rpc error: code = Unknown desc = failed to pull and unpack image "myPvtRepo.com:5028/centos:latest": failed to resolve reference "myPvtRepo.com:5028/centos:latest": failed to do request: Head https://myPvtRepo.com::5028/v2/centos/manifests/latest : x509: certificate signed by unknown authority" image="myPvtRepo.com::5028/centos:latest"
FATA[0000] pulling image: rpc error: code = Unknown desc = failed to pull and unpack image "myPvtRepo.com::5028/centos:latest": failed to resolve reference "myPvtRepo.com:5028/centos:latest": failed to do request: Head https://myPvtRepo.com::5028/v2/centos/manifests/latest : x509: certificate signed by unknown authority
FYI, I have modified /etc/containerd/config.toml with below content.
version = 2
[plugin."io.containerd.grpc.v1.cri".registry.configs."myPvtRepo.com:5028".tls]
insecure_skip_verify = true
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://myPvtRepo.com:5028", "https://myPvtRepo.com:5038", "https://myPvtRepo.com:5037",
"https://myPvtRepo.com:5039"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."IP:5000"]
endpoint = ["http://IP:5000"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."IP:5000"]
endpoint = ["http://IP:5000"]
I have also modified containerd's endpoint to point to containerd's sock.
Can you please help me out to understand and fix that even after setting insecure_skip_verify = true for my pvt repository and restarting the containerd service why I am getting this issue.

I got a solution:
cd /usr/local/share/ca-certificates/
curl -L --remote-name http://your-artifacts.com/xyz-bundle.crt
/usr/sbin/update-ca-certificates
This one works for me.
Also make sure to update your endpoints under /etc/crictl.yaml:
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: ""
timeout: 0
debug: false
pull-image-on-create: false
disable-pull-on-run: false

You will need to specify the hosts.toml file for the private registry and add skip-verify = true.
ref: https://github.com/containerd/containerd/blob/main/docs/hosts.md
Steps:
mkdir -p /etc/containerd/certs.d/<your registry>
Add these configurations in /etc/containerd/config.toml:
[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = "/etc/containerd/certs.d"
hosts.toml under the just created folder:
server = "https://<your registry>"
[host."https://<your registry>"]
  capabilities = ["pull", "resolve"]
  skip_verify = true
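
An added example, not part of the original question or answers: a shell function that audits a containerd configuration tree for the settings discussed on this page that turn off registry certificate verification (insecure_skip_verify, skip_verify) or use plaintext http endpoints, so they can be tracked once a registry CA is trusted instead. The function names, the constructed sample tree and the host registry.example are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. audit_containerd_tls ROOT scans ROOT/config.toml and
# ROOT/certs.d/*/hosts.toml (ROOT defaults to /etc/containerd) and prints
# "<file>:<line>: <finding>" for each setting that weakens registry TLS.
# Returns 1 when there is at least one finding, 0 when the tree is clean.
audit_containerd_tls() {
    root=${1:-/etc/containerd}
    rc=0
    for f in "$root/config.toml" "$root"/certs.d/*/hosts.toml; do
        [ -f "$f" ] || continue
        out=$(awk -v file="$f" '
            BEGIN { section = "(top level)" }
            /^[ \t]*#/ { next }                      # ignore comment lines
            /^[ \t]*\[/ {                            # table header: remember it
                section = $0; sub(/^[ \t]+/, "", section)
                if (section ~ /^\[plugin\./)         # containerd tables start with [plugins.
                    printf "%s:%d: header starts with [plugin. instead of [plugins.\n", file, NR
            }
            /^[ \t]*(insecure_)?skip_verify[ \t]*=[ \t]*true/ {
                printf "%s:%d: certificate verification disabled in %s\n", file, NR, section
            }
            /"http:\/\// { printf "%s:%d: plaintext http endpoint in %s\n", file, NR, section }
        ' "$f")
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample tree that reuses the kinds of settings quoted on this page.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/certs.d/registry.example:5028"
    cat > "$dir/config.toml" <<'EOF'
version = 2
[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = "/etc/containerd/certs.d"
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."IP:5000"]
  endpoint = ["http://IP:5000"]
EOF
    cat > "$dir/certs.d/registry.example:5028/hosts.toml" <<'EOF'
server = "https://registry.example:5028"
[host."https://registry.example:5028"]
  capabilities = ["pull", "resolve"]
  skip_verify = true
EOF
}
```

Run it as `audit_containerd_tls /etc/containerd` on a node; a non-zero exit status means at least one registry entry is not verifying certificates or is using http.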