Official documentation: https://github.com/containerd/cri/blob/master/docs/registry.md

Strictly speaking, this breaks down into two parts:

1. Using containerd in k8s to pull images from a private Harbor registry

2. Configuring containerd stand-alone to pull images from a private Harbor registry and run containers

Installing Harbor with docker-compose: https://www.cnblogs.com/sanduzxcvbnm/p/16370495.html

Reference articles:

https://www.cnblogs.com/rancherlabs/p/14324469.html

https://blog.weiyigeek.top/2021/6-30-581.html

Contents of the official documentation

# Configure Image Registry

This document describes the method to configure the image registry for `containerd` for use with the `cri` plugin.

NOTE: The configuration syntax used in this doc is version 2, which is the
recommended syntax since `containerd` 1.3. If your configuration is still in version 1,
you can replace `"io.containerd.grpc.v1.cri"` with `cri`.

## Configure Registry Endpoint

With containerd, `docker.io` is the default image registry. You can also set up other image registries similar to docker.

To configure image registries create/modify the `/etc/containerd/config.toml` as follows:

```toml
# Config file is parsed as version 1 by default.
# To use the long form of plugin names set "version = 2"
# explicitly use v2 config format
version = 2

# The table name is "plugins" (plural). A "[plugin.…]" table, as in some older
# copies of this document, is silently ignored by containerd.
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://registry-1.docker.io"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."test.https-registry.io"]
    endpoint = ["https://HostIP1:Port1"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."test.http-registry.io"]
    endpoint = ["http://HostIP2:Port2"]
  # wildcard matching is supported but not required.
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."*"]
    endpoint = ["https://HostIP3:Port3"]
```

The default configuration can be generated by `containerd config default > /etc/containerd/config.toml`.

The endpoint is a list that can contain multiple image registry URLs split by commas. When pulling an image
from a registry, containerd will try these endpoint URLs one by one, and use the first working one. Please note
that if the default registry endpoint is not already specified in the endpoint list, it will be automatically
tried at the end with scheme `https` and path `v2`, e.g. `https://gcr.io/v2` for `gcr.io`.

As an example, for the image `gcr.io/library/busybox:latest`, the endpoints are:

* `gcr.io` is configured: endpoints for `gcr.io` + default endpoint `https://gcr.io/v2`.
* `*` is configured, and `gcr.io` is not: endpoints for `*` + default endpoint `https://gcr.io/v2`.
* None of the above is configured: default endpoint `https://gcr.io/v2`.

After modifying this config, you need to restart the `containerd` service.

## Configure Registry TLS Communication

The `cri` plugin also supports configuring TLS settings when communicating with a registry.

To configure the TLS settings for a specific registry, create/modify the `/etc/containerd/config.toml` as follows:

```toml
# explicitly use v2 config format
version = 2

# The registry host has to be a domain name or IP. Port number is also
# needed if the default HTTPS or HTTP port is not used.
[plugins."io.containerd.grpc.v1.cri".registry.configs."my.custom.registry".tls]
  ca_file = "ca.pem"
  cert_file = "cert.pem"
  key_file = "key.pem"
```

In the config example shown above, TLS mutual authentication will be used for communications with the registry endpoint located at <https://my.custom.registry>.
`ca_file` is the file name of the certificate authority (CA) certificate used to authenticate the x509 certificate/key pair specified by the files respectively pointed to by `cert_file` and `key_file`.

`cert_file` and `key_file` are not needed when TLS mutual authentication is unused.

```toml
# explicitly use v2 config format
version = 2

[plugins."io.containerd.grpc.v1.cri".registry.configs."my.custom.registry".tls]
  ca_file = "ca.pem"
```

To skip the registry certificate verification:

```toml
# explicitly use v2 config format
version = 2

[plugins."io.containerd.grpc.v1.cri".registry.configs."my.custom.registry".tls]
  insecure_skip_verify = true
```

## Configure Registry Credentials

The `cri` plugin also supports docker-like registry credential config.

To configure a credential for a specific registry, create/modify the
`/etc/containerd/config.toml` as follows:

```toml
# explicitly use v2 config format
version = 2

# The registry host has to be a domain name or IP. Port number is also
# needed if the default HTTPS or HTTP port is not used.
[plugins."io.containerd.grpc.v1.cri".registry.configs."gcr.io".auth]
  username = ""
  password = ""
  auth = ""
  identitytoken = ""
```

The meaning of each field is the same as the corresponding field in `.docker/config.json`.

Please note that auth config passed by CRI takes precedence over this config.
The registry credential in this config will only be used when auth config is
not specified by Kubernetes via CRI.

After modifying this config, you need to restart the `containerd` service.

### Configure Registry Credentials Example - GCR with Service Account Key Authentication

If you don't already have Google Container Registry (GCR) set up then you need to do the following steps:

* Create a Google Cloud Platform (GCP) account and project if not already created (see [GCP getting started](https://cloud.google.com/gcp/getting-started))
* Enable GCR for your project (see [Quickstart for Container Registry](https://cloud.google.com/container-registry/docs/quickstart))
* For authentication to GCR: Create [service account and JSON key](https://cloud.google.com/container-registry/docs/advanced-authentication#json-key)
* The JSON key file needs to be downloaded to your system from the GCP console
* For access to the GCR storage: Add service account to the GCR storage bucket with storage admin access rights (see [Granting permissions](https://cloud.google.com/container-registry/docs/access-control#grant-bucket))

Refer to [Pushing and pulling images](https://cloud.google.com/container-registry/docs/pushing-and-pulling) for detailed information on the above steps.

> Note: The JSON key file is a multi-line file and it can be cumbersome to use the contents as a key outside of the file. It is worthwhile generating a single-line format output of the file. One way of doing this is using the `jq` tool as follows: `jq -c . key.json`

It is beneficial to first confirm that from your terminal you can authenticate with your GCR and have access to the storage before hooking it into containerd. This can be verified by performing a login to your GCR and
pushing an image to it as follows:

```console
docker login -u _json_key -p "$(cat key.json)" gcr.io
docker pull busybox
docker tag busybox gcr.io/your-gcp-project-id/busybox
docker push gcr.io/your-gcp-project-id/busybox
docker logout gcr.io
```

Now that you know you can access your GCR from your terminal, it is now time to try out containerd.

Edit the containerd config (default location is at `/etc/containerd/config.toml`)
to add your JSON key for `gcr.io` domain image pull
requests:

```toml
version = 2

[plugins."io.containerd.grpc.v1.cri".registry]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
      endpoint = ["https://registry-1.docker.io"]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]
      endpoint = ["https://gcr.io"]
  [plugins."io.containerd.grpc.v1.cri".registry.configs]
    [plugins."io.containerd.grpc.v1.cri".registry.configs."gcr.io".auth]
      username = "_json_key"
      password = 'paste output from jq'
```

> Note: `username` of `_json_key` signifies that JSON key authentication will be used.

Restart containerd:

```console
service containerd restart
```

Pull an image from your GCR with `crictl`:

```console
$ sudo crictl pull gcr.io/your-gcp-project-id/busybox
DEBU[0000] get image connection
DEBU[0000] connect using endpoint 'unix:///run/containerd/containerd.sock' with '3s' timeout
DEBU[0000] connected successfully using endpoint: unix:///run/containerd/containerd.sock
DEBU[0000] PullImageRequest: &PullImageRequest{Image:&ImageSpec{Image:gcr.io/your-gcr-instance-id/busybox,},Auth:nil,SandboxConfig:nil,}
DEBU[0001] PullImageResponse: &PullImageResponse{ImageRef:sha256:78096d0a54788961ca68393e5f8038704b97d8af374249dc5c8faec1b8045e42,}
Image is up to date for sha256:78096d0a54788961ca68393e5f8038704b97d8af374249dc5c8faec1b8045e42
```

Using containerd in k8s to pull images from a private Harbor registry

Since the release of k8s 1.20, docker is no longer used as the underlying container runtime; the Container Runtime Interface (CRI) is used by default instead. The private registry settings that were configured in docker therefore no longer take effect, and image pulls fail when k8s creates pods.

1. Generate containerd's default config file

```console
mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml
```

2. Edit the config file

vim /etc/containerd/config.toml  # add the following

```toml
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  # The registries below can be used as public mirrors
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://docker.mirrors.ustc.edu.cn","http://hub-mirror.c.163.com"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]
    endpoint = ["https://gcr.mirrors.ustc.edu.cn"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
    endpoint = ["https://gcr.mirrors.ustc.edu.cn/google-containers/"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]
    endpoint = ["https://quay.mirrors.ustc.edu.cn"]
  # Internal private registry
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."www.myharbor.com"]
    endpoint = ["https://www.myharbor.com/"]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
  # Authentication settings for the internal private registry
  [plugins."io.containerd.grpc.v1.cri".registry.configs."www.myharbor.com"] # not sure whether this line is required (it is optional: TOML creates this table implicitly from the sub-tables below)
  [plugins."io.containerd.grpc.v1.cri".registry.configs."www.myharbor.com".tls]
    insecure_skip_verify = false # whether to skip certificate verification
    ca_file = "/etc/containerd/www.myharbor.com/ca.crt" # CA certificate
  [plugins."io.containerd.grpc.v1.cri".registry.configs."www.myharbor.com".auth]
    username = "test" # a user created separately in Harbor, granted access to the specific project
    password = "Test123456"
```

Notes:

2.1 The config file contains a default sandbox_image = "k8s.gcr.io/pause:3.2". Because of network conditions this image normally cannot be pulled, but since a domestic public mirror is configured for k8s.gcr.io (the name is only a lookup key; the image is actually pulled from the endpoint address), the image can be pulled. If no domestic mirror for k8s.gcr.io is configured, you must change the value of sandbox_image manually to make sure this image can be pulled.

2.2 If the registry requires mutual TLS authentication, containerd must also be configured with an SSL client certificate so that the registry can authenticate containerd.

```toml
[plugins."io.containerd.grpc.v1.cri".registry.configs]
  # Authentication settings for the internal private registry
  [plugins."io.containerd.grpc.v1.cri".registry.configs."www.myharbor.com"] # not sure whether this line is required (it is optional: TOML creates this table implicitly from the sub-tables below)
  [plugins."io.containerd.grpc.v1.cri".registry.configs."www.myharbor.com".tls]
    insecure_skip_verify = false # whether to skip certificate verification
    ca_file = "/etc/containerd/www.myharbor.com/ca.crt" # CA certificate
    cert_file = "/etc/containerd/www.myharbor.com/www.myharbor.com.crt" # client certificate presented to Harbor
    key_file = "/etc/containerd/www.myharbor.com/www.myharbor.com.key" # private key for the client certificate
  [plugins."io.containerd.grpc.v1.cri".registry.configs."www.myharbor.com".auth]
    username = "test" # a user created separately in Harbor, granted access to the specific project
    password = "Test123456"
```

2.3 Both containerd and docker have a default registry, docker.io. If the config does not specify a mirror for docker.io, containerd loads the docker.io configuration automatically. Unlike docker, containerd allows the endpoint for docker.io (default https://registry-1.docker.io) to be changed, which docker does not.

In Docker, registry-mirrors sets the mirror (accelerator) addresses. If the image being pulled carries no registry address (just project name + image name:tag), it is pulled from the default registry. If a mirror address is configured, the mirror is queried first, and only if it returns nothing is the default registry queried.

containerd currently has no dedicated mirror-acceleration setting, but the endpoint for docker.io can be changed, so acceleration is achieved by changing the endpoint. Because the endpoints are tried in turn, docker.io can be given several addresses: mirror address + default registry address.

This is why the public registries above were configured.
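The settings discussed in these notes are easy to get subtly wrong, so here is an added audit script (not part of the original post or of containerd) that reads the `registry.mirrors` and `registry.configs` tables of a `config.toml` with a small line-based parser and flags plaintext `http://` endpoints, `insecure_skip_verify = true`, credentials stored in the file, and the `[plugin.…]` spelling that containerd ignores. The embedded sample config is constructed for the demonstration and is modelled on the one above.

```python
import re

# Registry tables, e.g. [plugins."io.containerd.grpc.v1.cri".registry.configs."www.myharbor.com".tls]
HEADER = re.compile(
    r'^\[(plugins?)\."io\.containerd\.grpc\.v1\.cri"\.registry'
    r'\.(mirrors|configs)\."([^"]+)"(?:\.(tls|auth))?\]$')
KEYVAL = re.compile(r'^([A-Za-z_]+)\s*=\s*(.+)$')

def audit_registry_config(toml_text):
    """Return (host, message) findings for weak or ineffective registry settings."""
    findings, host, section, sub = [], None, None, None
    for raw in toml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        line = line.split(' #', 1)[0].rstrip()  # drop trailing inline comment
        m = HEADER.match(line)
        if m:
            prefix, section, host, sub = m.groups()
            if prefix == 'plugin':  # containerd only reads [plugins.*]; this table is ignored
                findings.append((host, 'header uses [plugin.] instead of [plugins.]; ignored by containerd'))
            continue
        if line.startswith('['):  # some other table: stop attributing keys to a registry host
            host = section = sub = None
            continue
        kv = KEYVAL.match(line)
        if not kv or host is None:
            continue
        key, value = kv.group(1), kv.group(2).strip()
        if section == 'mirrors' and key == 'endpoint':
            for url in re.findall(r'"([^"]+)"', value):
                if url.startswith('http://'):  # manifests and bearer tokens travel unencrypted
                    findings.append((host, 'plaintext endpoint ' + url))
        elif sub == 'tls' and key == 'insecure_skip_verify' and value == 'true':
            findings.append((host, 'insecure_skip_verify = true disables certificate checks'))
        elif sub == 'auth' and key in ('password', 'auth', 'identitytoken') and value.strip('"\''):
            findings.append((host, key + ' stored in clear text in config.toml'))
    return findings

# Constructed sample modelled on the config in the post; not a real deployment.
SAMPLE_CONFIG = '''
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://docker.mirrors.ustc.edu.cn","http://hub-mirror.c.163.com"]
  [plugins."io.containerd.grpc.v1.cri".registry.configs."www.myharbor.com".tls]
    insecure_skip_verify = true # skip certificate verification
  [plugin."io.containerd.grpc.v1.cri".registry.configs."www.myharbor.com".auth]
    password = "Test123456"
'''
```

Run it over the real file with `audit_registry_config(open('/etc/containerd/config.toml').read())`; an empty list means none of the four conditions was found.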

3. Reload the systemd daemon and restart the containerd.service unit

```console
systemctl daemon-reload && systemctl restart containerd.service
```

4. Run the following command on a k8s cluster node to test

```console
crictl pull www.myharbor.com/library/nginx:v1.0
```

5. Create a secret in the corresponding namespace

```console
kubectl create secret docker-registry www.myharbor.com --docker-server=https://www.myharbor.com --docker-username=test --docker-password=Test123456 --docker-email=info@foo.com -n <namespace>
```

6. Set imagePullSecrets in the pod/deployment

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image>
  imagePullSecrets:
  - name: www.myharbor.com
```

Configuring containerd stand-alone to pull images from a private Harbor registry and run containers

1. Generate containerd's default config file

```console
mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml
```

2. Edit the config file

vim /etc/containerd/config.toml  # add the following

```toml
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  # The registries below can be used as public mirrors
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://docker.mirrors.ustc.edu.cn","http://hub-mirror.c.163.com"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"]
    endpoint = ["https://gcr.mirrors.ustc.edu.cn"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
    endpoint = ["https://gcr.mirrors.ustc.edu.cn/google-containers/"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]
    endpoint = ["https://quay.mirrors.ustc.edu.cn"]
```

Note: compared with the previous part, the Harbor private registry settings are not added here. Even if they were added, pulling an image manually with the ctr command would still fail with the error below (a huge pitfall: after countless failed attempts I originally assumed the problem was the Harbor certificate issued by my CA), and setting insecure_skip_verify to true in config.toml does not help either. The reason is that `ctr` talks to containerd directly and does not go through the CRI plugin, so the `plugins."io.containerd.grpc.v1.cri".registry` tables, which only apply to pulls made via CRI (crictl and the kubelet), are never consulted.

```console
# ctr images pull www.myharbor.com/mytest/busybox:v0.2
INFO[0000] trying next host error="failed to do request: Head \"https://www.myharbor.com/v2/mytest/busybox/manifests/v0.2\": x509: certificate signed by unknown authority" host=www.myharbor.com
ctr: failed to resolve reference "www.myharbor.com/mytest/busybox:v0.2": failed to do request: Head "https://www.myharbor.com/v2/mytest/busybox/manifests/v0.2": x509: certificate signed by unknown authority
```

3. Pull the image manually

```console
# Fix 1: pass -k to skip certificate verification.
$ ctr images pull --user test:Test123456 -k www.myharbor.com/mytest/busybox:v0.2
# Fix 2: pass the path to the CA certificate (and Harbor client certificate files, if mutual TLS is used).
$ ctr images pull --user test:Test123456 --tlscacert ca.crt www.myharbor.com/mytest/busybox:v0.2
```
