Struggling to understand how to configure containerd.toml for a private registry #1482
Comments
|
Thank you. The node's kubelet (Krustlet) does not (yet) implement using Am I unable to do this by some form of the configuration I show? |
|
hmm :) |
|
let's see the whole config |
|
It's mostly the default configuration created by MicroK8s: oom_score = 0
[grpc]
uid = 0
gid = 0
max_recv_message_size = 16777216
max_send_message_size = 16777216
[debug]
address = ""
uid = 0
gid = 0
[metrics]
address = "127.0.0.1:1338"
grpc_histogram = false
[cgroup]
path = ""
[plugins]
[plugins.cgroups]
no_prometheus = false
[plugins.cri]
stream_server_address = "127.0.0.1"
stream_server_port = "0"
enable_selinux = false
sandbox_image = "k8s.gcr.io/pause:3.1"
stats_collect_period = 10
systemd_cgroup = false
enable_tls_streaming = false
max_container_log_line_size = 16384
[plugins.cri.containerd]
snapshotter = "overlayfs"
no_pivot = false
[plugins.cri.containerd.default_runtime]
runtime_type = "io.containerd.runtime.v1.linux"
runtime_engine = ""
runtime_root = ""
[plugins.cri.containerd.untrusted_workload_runtime]
runtime_type = ""
runtime_engine = ""
runtime_root = ""
[plugins.cri.cni]
bin_dir = "${SNAP}/opt/cni/bin"
conf_dir = "${SNAP_DATA}/args/cni-network"
conf_template = ""
[plugins.cri.registry]
[plugins.cri.registry.mirrors]
[plugins.cri.registry.mirrors."docker.io"]
endpoint = ["https://registry-1.docker.io"]
[plugins.cri.registry.mirrors."local.insecure-registry.io"]
endpoint = ["http://localhost:32000"]
[plugins.cri.registry.mirrors."gcr.io"]
endpoint = ["https://gcr.io"]
[plugins.cri.registry.configs]
[plugins.cri.registry.configs.auths]
[plugins.cri.registry.configs.auths."https://gcr.io"]
auth = "b2F1dGgy..."
[plugins.diff-service]
default = ["walking"]
[plugins.linux]
shim = "containerd-shim"
runtime = "${RUNTIME}"
runtime_root = ""
no_shim = false
shim_debug = true
[plugins.scheduler]
pause_threshold = 0.02
deletion_threshold = 0
mutation_threshold = 100
schedule_delay = "0s"
startup_delay = "100ms"
In the comment reply that I referenced, a different value was used |
|
[plugins.cri.registry.auths] |
|
|
seems to be missing v2 |
|
Hmmm... this suggests that the gcloud auth print-access-token \
| docker login -u oauth2accesstoken --password-stdin https://gcr.ioThis updates and entry in {
"auths": {
"https://gcr.io": {
"auth": "b2F1dGgy..."
}
}
}And I've been mirroring the same value in the containerd TOML. Yes, I am confused by the spec but it suggests that I don't need to explicit state the v2!? I will look into it some more. Thank you! |
|
I'm going to take my dog for a swim... Will look at this tomorrow. Thanks for looking into it for me! |
|
I've tried most permutations of |
|
Try this: |
|
if that works out for you I'll fix the docs .. |
|
It does not :-( But, I mostly understand why that approach should work. It seems redundant to have to provide the I'd prefer to not use a long-lived token (from a service account) as is done in that example (see Authentication Methods). The configuration is confusing. In this (and others) examples, the registry auth is referenced as: registry.authsBut, in the sources: Line 181 in 8252e54 Line 144 in 8252e54 Line 155 in 8252e54 I've tried [plugins.cri.registry.configs."https://gcr.io".auth]None of these work. Is there some way that I can inspect the URL that it is try to make against the registry?
But, if I take curl \
--request GET\
--header "Authorization: Bearer $(gcloud auth print-access-token)" \
https://gcr.io/v2/[redacted]/hello-world/manifests/latest
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"config": {
"mediaType": "application/vnd.docker.container.image.v1+json",
"size": 1510,
"digest": "sha256:bf756fb1..."
},
"layers": [
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 2529,
"digest": "sha256:0e03bdcc..."
}
]
}
|
|
restarting micro k8s... is that the parent for the instance of containerd? if not you need to restart containerd.. |
|
IIUC, yes. microk8s.stop && microk8s.startyields: |
|
it may help to run containerd in debug (-D) but pretty sure we don't output the auth details for privacy reasons.. |
|
IIUC Perhaps I should ping the comment you cited from MicroK8s? There may be something particular to MicroK8s? And/or, someone there may have tried with GCR. |
|
Others reporting it does work.. maybe I need to get a gcr account or try it against a service account |
ah.. yeah while you can run with two containerd's you only need one containerd running... That should not cause you any problems... containerd/cri uses the docker resolver code to make the connection.. hoping this is still just a config issue.. |
note the single quotes due the to double quotes inside.. |
|
Hmmm... the issue says that it doesn't work quoting this way (which is what I tried). It may be that I must escape the string: Still (!) I should not need to use a service account. I should be able to authenticate using a access token. I can create a service account for you to use with my registry? |
|
yeah no.. I was just pointing out that these folks reported it working, in this fashion so there's hope. |
|
I'm going to try it on a different machine that's running MicroK8s too. Please email me my handle at gmail dot com and I'll reply you the service account credentials. I've given the account pull (and list only not push). |
|
i'm going to go dig some holes in the back yard :-) will put gcr auth testing on the todo list for containerd/cri integration test unless you can also report it working, I need a week-end off, cheers |
|
Thanks for your help! Have fun! :-) |
|
sure np it should be as simple as configure for gcr and run crictl to pull |
|
ikr :-) |
|
^ that way would eliminate anything microk8s is doing |
|
Escaping the Abandoning for the weekend. |
|
I downloaded a standalone Same-same :-( |
|
OK.... Something curious. I'm able to interact with sudo microk8s ctr --debug images pull gcr.io/[[PROJECT]]/hello-world:latestI'm able to use this to pull e.g. public docker images successfully. If I try to pull from GCR: I've redacted the tokens but they change each time which is OK except I should be able to base64 decode these and see something of the form: But I get a bunch of binary data beginning |
|
And: sudo microk8s ctr version
Client:
Version: v1.2.5
Revision: bb71b10fd8f58240ca47fbb579b9d1028eea7c84
Server:
Version: v1.2.5
Revision: bb71b10fd8f58240ca47fbb579b9d1028eea7c84 |
|
it worked for me: |
|
|
@DazWilkin can you try with crictl? Let's try to minimize the surface area.. |
|
Exciting! I'd not actually tried using just I generally don't interact with these daemons directly so, my apologies for not being familiar with their tools either. I will work out how to use I'm walking my dog but will try this when home. Thank you! |
|
If you don't already have it... you could just clone this repo https://github.com/kubernetes-sigs/cri-tools then run make && make install. Otherwise I'd be surprised if the above config hack doesn't work for you. |
|
my config for crictl.. in case you already have it and it's not configured to use containerd by default: mike@mike-VirtualBox:~/go/src/github.com/kubernetes-sigs/cri-tools$ cat /etc/crictl.yaml |
|
Hmmm :-( I'd been using: [plugins.cri.registry.auths."gcr.io"]
But, [plugins.cri.registry.auths."https://gcr.io"]And, per your repro, I only used the However :-( Still 401s :-( |
|
In other good news, this mechanism also works using: username = "oauth2accesstoken"
password = "value from $(gcloud auth print-access-token)"Which is preferable and further validates that this mechanism is good. Very curiously (!) it also works in Kubernetes: kubectl run hello-world --image=gcr.io/${PROJECT}/hello-world:latest
kubectl describe pod/hello-world
Successfully assigned default/hello-world to hp-pavilion
Pulling image "gcr.io/${PROJECT}/hello-world:latest"
Successfully pulled image "gcr.io/${PROJECT}/hello-world:latest"
Created container hello-world
Started container hello-worldSo, my original problem is solved except I now don't understand why this doesn't work: sudo microk8s ctr --debug images pull gcr.io/${PROJECT}/hello-world:latest |
|
ctr isn't using containerd/cri so the CRI config won't modify how ctr tries to pull |
|
containerd/cri is a plugin that operates via CRI service requests then calls to containerd to execute crictl uses CRI services .. containerd/CRI uses the config ^ above to generate the pull request with auth |
|
i'm not familiar with microk8s code.. |
|
At some point we'll be refactoring the way we configure registry access, and that will include moving this config into containerd proper so ctr pulls would work with the same config. |
|
OK .... Well, thank you very much for your help! To conclude:
It appears that it's not possible to use |
|
You've been very helpful and patient. I appreciate the education on I didn't realize the Thank you! |
|
sure np.. I haven't played with GCP/GCR so learned some things. I'll draft some PRs maybe make this a bit easier, esp. the docs. FYI kublet uses crictl to integrate with dockershim, containerd, and cri-o. So a little more than just a node debugging tool. Not an end user tool.. by any means but supported nonetheless. |
|
Popping back from this rabbit hole... I'm going to update the Krustlet team on how GCR can be used (as well as Azure Container Registry) for OCI images. Krustlet doesn't support |
|
@DazWilkin Thx.. |
I found this and #835 but I receive unauthorized errors when trying to pull an image from GCR:
I'm using MicroK8s with Krustlet and the Krustlet does not yet support
imagePullSecretsso I'd like to configure MicroK8s' containerd to authenticate.Per the docs, I'm replicating the approach used with Docker:
I appreciate that I'll have limited time to use the token but...
I tried:
I'm restarting MicroK8s after changes.
Using Docker against the registry, works:
docker image ls gcr.io/[redacted]/hello-world REPOSITORY TAG IMAGE ID CREATED docker pull gcr.io/[redacted]/hello-world Using default tag: latest latest: Pulling from [redacted]/hello-world Digest: sha256:90659bf80b44ce6be8234e6ff90a1ac34acbeb826903b02cfa0da11c82cbc042 Status: Downloaded newer image for gcr.io/[redacted]/hello-world:latest docker image ls gcr.io/[redacted]/hello-world REPOSITORY TAG IMAGE ID CREATED gcr.io/[redacted]/hello-world latest bf756fb1ae65 4 months agoAny help would be appreciated.
The text was updated successfully, but these errors were encountered: