「开源摘星计划」Containerd拉取Harbor中的私有镜像,云原生进阶必备技能
source link: https://blog.51cto.com/lidabai/5411587
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
「开源摘星计划」Containerd拉取Harbor中的私有镜像,云原生进阶必备技能
推荐 原创【摘要】 配置 Containerd 拉取 harbor 私有仓库中的镜像,打工人必备技能!
本文已参与「开源摘星计划」,欢迎正在阅读的你加入。
活动链接: https://github.com/weopenprojects/WeOpen-Star
在k8s的1.20版本发布之后,对外宣称在1.23.x不再使用doker shim作为默认的底层容器运行时,而是通过Container Runtime Interface(CRI)使用containerd来作为容器运行时, 因此原来在docker中配置的个人仓库环境不再起作用,导致k8s配置pods时拉取镜像失败, 本文将进行演示如何在 containerd 配置从Harbor私有仓库拉取镜像。
- 操作系统:CentOS
- Harbor Version:2.3.5
- Containerd Version:1.6.5
- Harbor地址: https://192.168.2.22:443
Containerd使用二进制安装的方式,安装步骤见: https://blog.51cto.com/lidabai/5408290
Harbor使用https证书认证的方式部署的,部署文档见: https://blog.51cto.com/lidabai/5173694
修改containerd配置
配置Harbor私有镜像仓库地址
...
version = 2
...
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
[plugins."io.containerd.grpc.v1.cri".cni]
...
########################################################配置以下部分:
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = ""
[plugins."io.containerd.grpc.v1.cri".registry.auths]
[plugins."io.containerd.grpc.v1.cri".registry.headers]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://kvuwuws2.mirror.aliyuncs.com","http://hub-mirror.c.163.com"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.lidabai"] #名称
endpoint = ["https://192.168.2.22:443"] #Harbor的Url地址
[plugins."io.containerd.grpc.v1.cri".registry.configs]
[plugin."io.containerd.grpc.v1.cri".registry.configs."harbor.lidabai".tls] #tle,harbor 证书认证配置
insecure_skip_verify = true #是否跳过证书认证
ca_file = "/etc/containerd/harbor/ca.crt" # CA 证书
cert_file = "/etc/containerd/harbor/harbor.crt" # harbor 证书
key_file = "/etc/containerd/harbor/harbor.key" # harbor 私钥
[plugin."io.containerd.grpc.v1.cri".registry.configs."harbor.lidabai".auth] #auth,配置注册表凭据
username = "admin" #Harbor用户名
password = "Harbor12345" #Harbor密码
auth = ""
identitytoken = ""
重启containerd.service服务
重新加载载 systemd 的 daemon守护进程并重启containerd.service服务,然后k8s集群节点便可正常从Harbor拉取镜像了。
虽然上面的方式可以使k8s直接拉取镜像,但是在利用 ctl命令 进行手动拉取镜像此时会报如下错误(巨坑-经过无数次失败测试,原本以为是CA证书签发的harbor证书问题),即使你在config.toml中配置insecure_skip_verify为true也是不行的,可以添加-k参数跳过证书校验。
查看下载的镜像
刚才我们下载镜像时通过-n参数指定了namespace。在查看时也要通过-n指定namespace,否则看不到。
unexpected status code [manifests 1.28]: 401 Unauthorized
【问题描述】
下载Harbor中的私有镜像时报错:
ctr: failed to resolve reference "192.168.2.22:443/lidabai/busybox:1.28": unexpected status code [manifests 1.28]: 401 Unauthorized
【原因】401未经授权
【解决】通过-u参数指定Harbor用户名和密码。
x509: certificate signed by unknown authority
【报错描述】在拉取镜像时报出错误:
error="failed to do request: Head \"https://192.168.2.22:443/v2/library/prepare/manifests/v2.5.1\": x509: certificate signed by unknown authority" host="192.168.2.22:443"
ctr: failed to resolve reference "192.168.2.22:443/library/prepare:v2.5.1": failed to do request: Head "https://192.168.2.22:443/v2/library/prepare/manifests/v2.5.1": x509: certificate signed by unknown authority
【解决办法】:
1)通过-k参数跳过证书校验。
2)指定CA证书、Harbor相关证书文件路径。
$ scp /app/harbor-cert/{ca.pem,harbor.pem,harbor-key.pem} 192.168.2.41:/etc/containerd/harbor/
$ ctr -n harbor.lidabai images pull 192.168.2.22:443/library/prepare:v2.5.1 \
--tlscacert /etc/containerd/harbor/ca.pem \ #或ca.crt
--tlscert /etc/containerd/harbor/harbor.pem \ #或harbor.crt
--tlskey /etc/containerd/harbor/harbor-key.pem #或harbor.key
精品文章阅读
Harbor高可用集群设计及部署(实操+视频),基于离线安装方式
Harbor进阶:使用Harbor存储Helm chart
Python实现Harbor私有镜像仓库的垃圾自动化
Harbor jobservice组件异常问题处理
- 2赞
- 2收藏
- 评论
- 分享
- 举报
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK