Question 83059 in Docker Question posted in
The official documentation can be found here.

Pulling image from insecure registery with containerd – Docker

I have a problem when I pull images from insecure registries(in my case, it is harbor). I receive a connection refused error when I use the command below.

sudo crictl pull  192.168.12.10/calculator/app2:new

Below is the full error message:

DEBU[0000] get image connection                         
DEBU[0000] connect using endpoint 'unix:///run/containerd/containerd.sock' with '2s' timeout 
DEBU[0000] connected successfully using endpoint: unix:///run/containerd/containerd.sock 
DEBU[0000] PullImageRequest: &PullImageRequest{Image:&ImageSpec{Image:192.168.12.10/calculator/app2:asdf,Annotations:map[string]string{},},Auth:nil,SandboxConfig:nil,} 
DEBU[0000] PullImageResponse: nil                       
FATA[0000] pulling image: rpc error: code = Unknown desc = failed to pull and unpack image "192.168.12.10/calculator/app2:asdf": failed to resolve reference "192.168.12.10/calculator/app2:asdf": failed to do request: Head https://192.168.12.10/v2/calculator/app2/manifests/asdf: dial tcp 192.168.12.10:443: connect: connection refused

Added configuration to ‘/etc/containerd/config.toml’ like this

    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = ""

      [plugins."io.containerd.grpc.v1.cri".registry.auths]
      [plugins."io.containerd.grpc.v1.cri".registry.configs]    
        [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.12.10:80".tls]
          insecure_skip_verify = true    
        [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.12.10:80".auth]
          username = "admin12"
          password = "Hada123213"
          auth = "YWRtaW4xMjpIYWRhMTIzMjEzCg=="

      [plugins."io.containerd.grpc.v1.cri".registry.headers]

      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."192.168.12.10:80"]
          endpoint = ["http://192.168.12.10:80"]

To configure this file, I use the below like on stack overflow and github:

source one

source two

In my search on the web, more than 95 percent of websites said to add the insecure registry to /etc/docker/daemon.json to resolve this problem.

but its about docker not contaierd.

Tags:

2

Answers


  1. 0

    in ‘/etc/containerd/config.toml’ convert all of 192.168.12.10:80 to 192.168.12.10 so that will be working well.

    because in your ctr command you refer to

    sudo crictl pull  192.168.12.10/calculator/app2:new

    and no refer to port number.

    for more details look at this link.

    Login or Signup to reply.
  2. 0

    Per https://github.com/containerd/containerd/blob/main/docs/hosts.md

    The old CRI config pattern for specifying registry.mirrors and registry.configs has been DEPRECATED. You should now point your registry config_path to the path where your hosts.toml files are located.

    The right way to setup should be (in my example http://172.31.0.36 is the private insecure registry):

    $ tree
.
├── certs.d
│   └── 172.31.0.36
│       └── hosts.toml
└── config.toml

    where config.toml should include

    version = 2

[plugins."io.containerd.grpc.v1.cri".registry]
   config_path = "/etc/containerd/certs.d"

    and in hosts.toml:

    server = "http://172.31.0.36"

[host."http://172.31.0.36"]
  skip_verify = true

    Restart the containerd service:

    $ sudo systemctl restart containerd

    To confirm it works:

    $ sudo crictl pull 172.31.0.36/newpathfly/hello-world
Image is up to date for sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search