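Configuring image pull and push parameters for container runtimes (docker, containerd)
Pulling images
This article covers configuration for private registries only (for example, harbor or registry).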
docker
HTTP protocol
- Add insecure-registries to the docker configuration file:
"insecure-registries" : ["172.139.20.170:5000"],
- Restart the docker service:
sudo systemctl restart docker
- Verify:
# Check that the configuration has taken effect
$ docker info
# Pull the image
$ docker pull 172.139.20.170:5000/k8s/pause:3.6
3.6: Pulling from k8s/pause
fbe1a72f5dcd: Pull complete
Digest: sha256:74bf6fc6be13c4ec53a86a5acf9fdbc6787b176db0693659ad6ac89f115e182c
Status: Downloaded newer image for 172.139.20.170:5000/k8s/pause:3.6
172.139.20.170:5000/k8s/pause:3.6
HTTPS protocol
- Name resolution via the hosts file:
cat <<'EOF' | sudo tee -a /etc/hosts > /dev/null
x.x.x.x core.ecloud.com
EOF
- Certificates for pulling images with docker: obtain the harbor certificates yourself. Three files are needed: ca.crt, the service certificate 服务证书.cert and the service key 服务证书.key (服务证书 stands for the service certificate's file name). 服务证书.cert and 服务证书.crt have the same content, so the file can simply be renamed, or converted with the command:
openssl x509 -inform PEM -in 服务证书.crt -out 服务证书.cert
- Verify:
# Log in to the harbor registry
$ docker login core.ecloud.com -u admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
# Pull the image
$ docker pull core.ecloud.com/library/nginx:1.25.4-alpine
1.25.4-alpine: Pulling from library/nginx
Digest: sha256:0fbb1dbade9ea3f7e450741b97f6971cd7a57ef64d3a28e9ff092d04072e2e58
Status: Image is up to date for core.ecloud.com/library/nginx:1.25.4-alpine
core.ecloud.com/library/nginx:1.25.4-alpine
Note: if docker uses a network proxy, the harbor address must be added to no_proxy; otherwise logging in to harbor is affected.
crictl
Check whether the containerd service has a registry config path configured:
sudo grep config_path `ps -ef | grep "[c]ontainerd " | awk '{print $NF}'`
HTTP protocol
- Create the directory for the private registry:
sudo mkdir -p /etc/containerd/certs.d/172.139.20.170:5000
- Write the configuration file used for pulling images:
cat <<EOF | sudo tee /etc/containerd/certs.d/172.139.20.170:5000/hosts.toml > /dev/null
server = "http://172.139.20.170:5000"

[host."http://172.139.20.170:5000"]
  capabilities = ["pull", "resolve","push"]
  skip_verify = true
EOF
- Directory structure
- Verify:
$ sudo crictl pull 172.139.20.170:5000/k8s/pause:3.6
Image is up to date for sha256:6270bb605e12e581514ada5fd5b3216f727db55dc87d5889c790e4c760683fee
HTTPS protocol
- Name resolution:
cat <<'EOF' | sudo tee -a /etc/hosts > /dev/null
x.x.x.x core.ecloud.com
EOF
- Create the directory for the harbor private registry:
sudo mkdir -p /etc/containerd/certs.d/core.ecloud.com
- Write the configuration file used for pulling images:
cat <<EOF | sudo tee /etc/containerd/certs.d/core.ecloud.com/hosts.toml > /dev/null
server = "https://core.ecloud.com"

[host."https://core.ecloud.com"]
  capabilities = ["pull", "resolve", "push"]
  capath = "/etc/containerd/certs.d/core.ecloud.com/ca.crt"
  client = { cert = "/etc/containerd/certs.d/core.ecloud.com/tls.cert", key = "/etc/containerd/certs.d/core.ecloud.com/tls.key" }
EOF
- Certificates for pulling images with crictl: obtain the harbor certificates yourself.
- Verify:
# Public repository
$ sudo crictl pull core.ecloud.com/library/nginx:1.25.4-alpine
Image is up to date for sha256:6913ed9ec8d009744018c1740879327fe2e085935b2cce7a234bf05347b670d7
# Private repository
$ sudo crictl pull -u admin core.ecloud.com/metrics-server/metrics-server:0.7.0
Enter Password:
Image is up to date for sha256:96e000effc14947babfcfb19132d41503a190f0393168779a83fd43495286232
Note: the -u option must not be placed after the image name; otherwise the pull fails with a 401 (unauthenticated) error.
nerdctl
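Note: nerdctl only reads configuration files under /etc/containerd/certs.d, whereas crictl follows the registry config path.
Remark: in testing, nerdctl v1.7.4 throws the message http: server gave HTTP response to HTTPS client when pulling images over https. The error is also described on GitHub. Rolling back to v1.6.2 resolves it.
HTTP protocol
The configuration file and directory structure are the same as for crictl.
Verify by pulling an image: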
$ nerdctl pull 172.139.20.170:5000/k8s/pause:3.6
172.139.20.170:5000/k8s/pause:3.6: resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:74bf6fc6be13c4ec53a86a5acf9fdbc6787b176db0693659ad6ac89f115e182c: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:6270bb605e12e581514ada5fd5b3216f727db55dc87d5889c790e4c760683fee: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:fbe1a72f5dcd08ba4ca3ce3468c742786c1f6578c1f6bb401be1c4620d6ff705: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 0.2 s total: 291.0 (1.4 MiB/s)
HTTPS protocol
The configuration file and directory structure are the same as for crictl.
Verify by pulling an image:
# Public repository
$ nerdctl pull core.ecloud.com/library/nginx:1.25.4-alpine
ERRO[0000] failed to decode hosts.toml error="invalid type map[cert:/etc/containerd/certs.d/core.ecloud.com/tls.cert key:/etc/containerd/certs.d/core.ecloud.com/tls.key] for \"client\""
core.ecloud.com/library/nginx:1.25.4-alpine: resolving |--------------------------------------|
elapsed: 0.1 s total: 0.0 B (0.0 B/s)
core.ecloud.com/library/nginx:1.25.4-alpine: resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:0fbb1dbade9ea3f7e450741b97f6971cd7a57ef64d3a28e9ff092d04072e2e58: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:6913ed9ec8d009744018c1740879327fe2e085935b2cce7a234bf05347b670d7: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 0.3 s total: 0.0 B (0.0 B/s)
# Private repository
$ sudo nerdctl login core.ecloud.com -u admin
Enter Password:
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
$ sudo nerdctl pull core.ecloud.com/metrics-server/metrics-server:0.7.0
core.ecloud.com/metrics-server/metrics-server:0.7.0: resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:0531e7021f68395c2a0a2c2f9b16032d2c551a6e8e5afd23990947c71deb7740: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:96e000effc14947babfcfb19132d41503a190f0393168779a83fd43495286232: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:664e78498bca43e9a878e11174f4f4ae07c2b7f33ef29d8d4db08c04bdbf0cf2: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 6.0 s total: 61.4 M (10.2 MiB/s)
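Note: sharp-eyed readers will have spotted the ERRO message on the first line. It does not prevent the image from being downloaded; to tidy up the output, simply delete /etc/containerd/certs.d/core.ecloud.com/hosts.toml.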
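The ERRO line above is the hosts.toml decoder rejecting the inline-table client value; containerd's hosts.toml documentation gives client as a path, a list of paths or a list of [cert, key] pairs, and names the CA key ca rather than capath. The script below is an added example, not code from the original article: it writes the https file in those documented forms and lints existing hosts.toml files for the settings used on this page (http endpoints, skip_verify = true, capath, inline-table client). The function names and the CERTS_D variable are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original article); function names are illustrative.

# write_hosts_toml CERTS_D HOST: write CERTS_D/HOST/hosts.toml with the key
# forms from containerd's hosts.toml docs: "ca", and "client" as [cert, key] pairs.
write_hosts_toml() {
    d="$1/$2"
    mkdir -p "$d" || return 1
    cat > "$d/hosts.toml" <<EOF
server = "https://$2"

[host."https://$2"]
  capabilities = ["pull", "resolve", "push"]
  ca = "$d/ca.crt"
  client = [["$d/tls.cert", "$d/tls.key"]]
EOF
}

# lint_hosts_toml FILE: print one finding per line, nothing for a clean file.
lint_hosts_toml() {
    if grep -Eq '^[[:space:]]*(server[[:space:]]*=[[:space:]]*|\[host\.)"http://' "$1"; then
        echo "plain-http: registry traffic is not encrypted"
    fi
    if grep -Eq '^[[:space:]]*skip_verify[[:space:]]*=[[:space:]]*true' "$1"; then
        echo "skip-verify: the server certificate is not checked"
    fi
    if grep -Eq '^[[:space:]]*capath[[:space:]]*=' "$1"; then
        echo "ca-key: capath is not a documented key, the CA file goes in ca"
    fi
    if grep -Eq '^[[:space:]]*client[[:space:]]*=[[:space:]]*\{' "$1"; then
        echo "client-type: inline table fails to decode, use [[cert, key]]"
    fi
    return 0
}

# Lint every hosts.toml under the directory used in the article.
for f in "${CERTS_D:-/etc/containerd/certs.d}"/*/hosts.toml; do
    if [ -f "$f" ]; then
        echo "== $f"
        lint_hosts_toml "$f"
    fi
done
```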
ctr
HTTP protocol
ctr does not read the /etc/containerd/config.toml configuration file. That configuration is used by CRI, which means kubectl or crictl use it. For the ctr command, add the --plain-http option:
ctr -n k8s.io image pull 172.139.20.170:5000/k8s/pause:3.6 --plain-http
HTTPS protocol
Name resolution:
cat <<'EOF' | sudo tee -a /etc/hosts > /dev/null
x.x.x.x core.ecloud.com
EOF
Make the operating system trust the CA certificate:
# redhat(centos)
sudo scp ops@core.ecloud.com:/data/tls/nginx/ca.crt /etc/pki/ca-trust/source/anchors/ca.crt
sudo update-ca-trust extract
# debian(ubuntu)
sudo scp ops@core.ecloud.com:/data/tls/nginx/ca.crt /etc/ssl/certs/
sudo update-ca-certificates
Verify:
# Public repository
sudo ctr image pull core.ecloud.com/library/pause:3.6
# Private repository
$ sudo ctr image pull core.ecloud.com/metrics-server/metrics-server:0.7.0 -u admin
Password:
core.ecloud.com/metrics-server/metrics-server:0.7.0: resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:0531e7021f68395c2a0a2c2f9b16032d2c551a6e8e5afd23990947c71deb7740: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:664e78498bca43e9a878e11174f4f4ae07c2b7f33ef29d8d4db08c04bdbf0cf2: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:96e000effc14947babfcfb19132d41503a190f0393168779a83fd43495286232: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 1.9 s total: 61.4 M (32.3 MiB/s)
unpacking linux/amd64 sha256:0531e7021f68395c2a0a2c2f9b16032d2c551a6e8e5afd23990947c71deb7740...
done: 3.786383096s
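Pushing images
Pushing an image to a registry usually requires changing the image address, so besides the push function the tag function needs to be tested as well.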
docker
$ docker tag haproxy:2.2.9-alpine core.ecloud.com/library/haproxy:2.2.9-alpine
$ docker push core.ecloud.com/library/haproxy:2.2.9-alpine
crictl
crictl has no tag or push functions. Use one of the other commands instead.
nerdctl
nerdctl -n k8s.io tag 172.139.20.170:5000/k8s/pause:3.6 core.ecloud.com/library/pause:3.6
nerdctl -n k8s.io push core.ecloud.com/library/pause:3.6
ctr
ctr -n k8s.io images tag 172.139.20.170:5000/k8s/pause:3.6 core.ecloud.com/library/pause:3.6
ctr -n k8s.io image push core.ecloud.com/library/pause:3.6