当前位置：首页 > news >正文

如何令containerd连接私有harbor

news 来源：原创 2024/5/20 20:58:41

尝试用kubeadmin安装k8s 1.27.6，并使用containerd来运行容器，结果containerd连harbor这个问题搞了我一天，终于搞通了
首先，我的环境
centos 8

harbor使用自签证书安装

containerd版本1.6.26

接着参考网上很多方法，搞了一天，结果都失败
例如：

参考Containerd＋Harbor私有仓（https） - AGou's Blog 改 config.toml 配置文件，最终尝试失败

参考 https://medium.com/@schottz/how-to-skip-tls-verify-fot-internal-registry-on-containerd-e039887bcb83也是失败

心灰意冷，准备换回docker，后来找到这篇文章https://www.cnblogs.com/hukey/p/17293126.html发现情况跟我一样，我的harbor也是只有IP，虽然使用的是https，但端口号改了3443，参考做法，居然成功了，总结步骤如下

1、建立一个名字与harbor IP地址一样的目录，一定要包括端口号，例如：
mkdir -p /etc/containerd/certs.d/10.1.40.101:3443

2、在这个目录下建立一个 hosts.toml文件，录入如下内容：
server = "https://10.1.40.101:3443"
[host."https://10.1.40.101:3443"]
capabilities = ["pull", "resolve","push"]
skip_verify = true

3、编辑containerd的配置文件vim /etc/containerd/config.toml，增加如下内容

[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d" #指向/etc/containerd/certs.d这个目录

4、重启containerd，systemctl restart containerd

验证结果，尝试拉取镜像：

没有配置之前，报错如下：
[root@master-3-133 containerd]# crictl pull 10.1.40.101:3443/common/redis/redis-stack:6.2.6-v9
I0122 08:30:15.462578 2413225 util_unix.go:103] "Using this endpoint is deprecated, please consider using full URL format" endpoint="/run/containerd/containerd.sock" URL="unix:///run/containerd/containerd.sock"
E0122 08:30:15.497197 2413225 remote_image.go:171] "PullImage from image service failed" err="rpc error: code = Unknown desc = failed to pull and unpack image \"10.10.40.101:3443/common/redis/redis-stack:6.2.6-v9\": failed to resolve reference \"10.10.40.101:3443/common/redis/redis-stack:6.2.6-v9\": failed to do request: Head \"https://10.10.40.101:3443/v2/common/redis/redis-stack/manifests/6.2.6-v9\": tls: failed to verify certificate: x509: cannot validate certificate for 10.1.40.101 because it doesn't contain any IP SANs" image="10.10.40.101:3443/common/redis/redis-stack:6.2.6-v9"
FATA[0000] pulling image: rpc error: code = Unknown desc = failed to pull and unpack image "10.1.40.101:3443/common/redis/redis-stack:6.2.6-v9": failed to resolve reference "10.1.40.101:3443/common/redis/redis-stack:6.2.6-v9": failed to do request: Head "https://10.1.40.101:3443/v2/common/redis/redis-stack/manifests/6.2.6-v9": tls: failed to verify certificate: x509: cannot validate certificate for 10.1.40.101 because it doesn't contain any IP SANs

配置后，
[root@master-3-133 containerd]# crictl pull 10.1.40.101:3443/common/redis/redis-stack:6.2.6-v9
I0122 08:44:31.147642 2419281 util_unix.go:103] "Using this endpoint is deprecated, please consider using full URL format" endpoint="/run/containerd/containerd.sock" URL="unix:///run/containerd/containerd.sock"
Image is up to date for sha256:b1a05aca249e8ae184495b7dc225bee8fcb76a44d980a3ad127e1aaf0bb0c996

搞了一天，终于搞通了，无论做科研，搞研究，只要不放弃，肯努力一定会有收获的