Adding insecure registry in containerd

Sanjay M. P. picture Sanjay M. P. · Jan 12, 2021 · Viewed 8.3k times · Source

Trying to add insecure registry to containerd config as below:

[plugins."io.containerd.grpc.v1.cri".cni]
      bin_dir = "/opt/cni/bin"
      conf_dir = "/etc/cni/net.d"
      max_conf_num = 1
      conf_template = ""
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io"]
        [plugin."io.containerd.grpc.v1.cri".registry.mirrors."test.http-registry.io"]
          endpoint = ["http://v048011.dom600.lab:5000"]

Even after adding it to config.toml, when pulling image from the insecure registry, it fails:

sudo ctr image pull v048011.dom600.lab:5000:5000/myjenkins:latest

ctr: failed to resolve reference "v048011.dom600.lab:5000/myjenkins:latest": failed to do request: Head https://v048011.dom600.lab:5000:5000/v2/myjenkins/manifests/latest: http: server gave HTTP response to HTTPS client

In docker we could just add the insecure registry to daemon.json file and docker would pull images from it, how can i achieve the same in containerd ? Replacing docker as runtime in k8s cluster.

Answer

ws_ picture ws_ · Apr 29, 2021

ctr do not read the /etc/containerd/config.toml config file
this config is used by cri , which means kubectl or crictl would use it.

the error log http: server gave HTTP response to HTTPS client, shows that the registry is using http, but ctr is trying to connect it using https.
So if you want to pull the image from http, you should add the param --plain-http with ctr like this:

ctr i pull --plain-http <image>

the registry config doc is : https://github.com/containerd/containerd/blob/master/docs/cri/registry.md

You should be able to pull the image with crictl, remember to restart containerd.

sudo crictl -r /run/containerd/containerd.sock pull <image>

#or config runntime once for all
sudo crictl config runtime-endpoint /run/containerd/containerd.sock
sudo crictl pull <image>

config example:

# /etc/containerd/config.toml
# change <IP>:5000 to your registry url

[plugins."io.containerd.grpc.v1.cri".registry]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."<IP>:5000"]
      endpoint = ["http://<IP>:5000"]
  [plugins."io.containerd.grpc.v1.cri".registry.configs]
    [plugins."io.containerd.grpc.v1.cri".registry.configs."<IP>:5000".tls]
      insecure_skip_verify = true