"Open Source Star Picking Program": pulling private images from Harbor with containerd, an essential skill for advanced cloud native work
2022-06-23 19:45:00 【51CTO】

【Abstract】 Configuring containerd to pull images from a private Harbor registry, an essential skill for working engineers!
This article is part of the "Open Source Star Picking Program"; you are welcome to join.
Activity Links : https://github.com/weopenprojects/WeOpen-Star
Preface
After the k8s 1.20 release, it was announced that 1.23.x would no longer use dockershim as the default underlying container runtime; instead, containerd runs containers through the Container Runtime Interface (CRI). As a result, the private registry settings previously configured in Docker no longer take effect, and pods in k8s fail to pull their images. This article demonstrates how to configure containerd to pull images from a private Harbor registry.
Environment
- Operating system: CentOS
- Harbor version: 2.3.5
- Containerd version: 1.6.5
- Harbor address: https://192.168.2.22:443
Containerd was installed from binaries. For the installation steps, see: https://blog.51cto.com/lidabai/5408290
Harbor is deployed over HTTPS with certificate authentication. For the deployment document, see: https://blog.51cto.com/lidabai/5173694
Modify the containerd configuration
Configure the address of the private Harbor registry
[[email protected] ~]# vim /etc/containerd/config.toml
...
version = 2
...
[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    [plugins."io.containerd.grpc.v1.cri".cni]
    ...
    ######################################################## Configure the following sections:
    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = ""
      [plugins."io.containerd.grpc.v1.cri".registry.auths]
      [plugins."io.containerd.grpc.v1.cri".registry.headers]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://kvuwuws2.mirror.aliyuncs.com", "http://hub-mirror.c.163.com"]
        # name
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.lidabai"]
          # URL of Harbor
          endpoint = ["https://192.168.2.22:443"]
      [plugins."io.containerd.grpc.v1.cri".registry.configs]
        # tls: Harbor certificate authentication settings
        # (the table name must start with "plugins", not "plugin", or the CRI plugin never reads it)
        [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.lidabai".tls]
          # Whether to skip certificate verification; true means Harbor's
          # certificate is not checked against ca_file
          insecure_skip_verify = true
          # CA certificate
          ca_file = "/etc/containerd/harbor/ca.crt"
          # Harbor certificate
          cert_file = "/etc/containerd/harbor/harbor.crt"
          # Harbor private key
          key_file = "/etc/containerd/harbor/harbor.key"
        # auth: registry credentials
        [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.lidabai".auth]
          # Harbor user name
          username = "admin"
          # Harbor password
          password = "Harbor12345"
          auth = ""
          identitytoken = ""
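A check worth running over config.toml before restarting containerd, added here as an example (it is not code from the original article): it flags registry tables the CRI plugin will not read, disabled TLS verification, inline passwords and plain-HTTP mirror endpoints. The function name `audit_registry_config`, the finding labels and the `SAMPLE` text are constructed for this example, and the script assumes one key per line.

```shell
#!/bin/sh
# Constructed sample modelled on the registry settings shown above; the
# "[plugin." header is a deliberate typo so the first check has something to find.
SAMPLE='[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
  endpoint = ["https://kvuwuws2.mirror.aliyuncs.com", "http://hub-mirror.c.163.com"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.lidabai"]
  endpoint = ["https://192.168.2.22:443"]
[plugin."io.containerd.grpc.v1.cri".registry.configs."harbor.lidabai".tls]
  insecure_skip_verify = true
  ca_file = "/etc/containerd/harbor/ca.crt"
[plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.lidabai".auth]
  username = "admin"
  password = "Harbor12345"'

# Reads a config.toml on stdin and prints one finding per line:
#   LABEL line N: [table the setting belongs to]
audit_registry_config() {
  awk '
    /^[ \t]*#/ { next }                      # ignore comment lines
    /^[ \t]*\[/ {                            # table header: remember it
      table = $0
      gsub(/^[ \t]+|[ \t]+$/, "", table)
      if (table ~ /^\[plugin\./)             # not under [plugins], never read by CRI
        print "IGNORED_TABLE line " NR ": " table
      next
    }
    /^[ \t]*insecure_skip_verify[ \t]*=[ \t]*true/ {
      print "TLS_VERIFY_OFF line " NR ": " table   # ca_file is not enforced
      next
    }
    /^[ \t]*password[ \t]*=[ \t]*"[^"]+"/ {
      print "PLAINTEXT_PASSWORD line " NR ": " table
      next
    }
    /^[ \t]*endpoint[ \t]*=/ && /"http:\/\// {
      print "HTTP_ENDPOINT line " NR ": " table     # unencrypted pulls
    }
  '
}

# Audit the file given as the first argument, or the constructed sample.
if [ -n "${1:-}" ]; then
  audit_registry_config < "$1"
else
  printf '%s\n' "$SAMPLE" | audit_registry_config
fi
```

Any `TLS_VERIFY_OFF` finding means the `ca_file` next to it is not being used to validate Harbor's certificate; setting `insecure_skip_verify = false` restores that check.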

Restart the containerd.service service
Reload the systemd daemon and restart the containerd.service service; the k8s cluster nodes can then pull images from Harbor normally.
Pull the image
Although the method above lets k8s pull images directly, pulling an image manually with the ctr command reports the following error (a pitfall: after countless failed tests, I thought the problem was the Harbor certificate issued by the CA). Even setting insecure_skip_verify to true in config.toml does not help; you can add the -k parameter to skip certificate validation.
View the downloaded image
The image we just downloaded was pulled with the -n parameter specifying a namespace. When viewing it, you must also specify the namespace with -n, otherwise the image is not listed.

Pitfalls encountered
unexpected status code [manifests 1.28]: 401 Unauthorized
【Problem description】
Downloading a private image from Harbor fails with an error:
[[email protected] app]# ctr -n harbor.lidabai images pull 192.168.2.22:443/lidabai/busybox:1.28 -k
ctr: failed to resolve reference "192.168.2.22:443/lidabai/busybox:1.28": unexpected status code [manifests 1.28]: 401 Unauthorized

【Cause】 401 Unauthorized
【Solution】 Specify the Harbor user name and password with the -u parameter.

x509: certificate signed by unknown authority
【Error description】 An error occurs when pulling the image:
[[email protected] ~]# ctr images pull 192.168.2.22:443/library/prepare:v2.5.1
error="failed to do request: Head \"https://192.168.2.22:443/v2/library/prepare/manifests/v2.5.1\": x509: certificate signed by unknown authority" host="192.168.2.22:443"
ctr: failed to resolve reference "192.168.2.22:443/library/prepare:v2.5.1": failed to do request: Head "https://192.168.2.22:443/v2/library/prepare/manifests/v2.5.1": x509: certificate signed by unknown authority

【Solutions】
1) Skip certificate validation with the -k parameter.

2) Specify the paths of the CA certificate and the Harbor certificate files.
# Create the certificate storage directory
$ mkdir /etc/containerd/harbor/
$ scp /app/harbor-cert/{ca.pem,harbor.pem,harbor-key.pem} 192.168.2.41:/etc/containerd/harbor/
# The files may also be named ca.crt, harbor.crt and harbor.key
$ ctr -n harbor.lidabai images pull 192.168.2.22:443/library/prepare:v2.5.1 \
    --tlscacert /etc/containerd/harbor/ca.pem \
    --tlscert /etc/containerd/harbor/harbor.pem \
    --tlskey /etc/containerd/harbor/harbor-key.pem