why insecureRegistries have different behavior between docker and containerd
Opened this issue · 3 comments
What is version of KubeKey has the issue?
any version
What is your os environment?
any environment
KubeKey config file
registry:
  privateRegistry: "dockerhub.kubekey.local"
  namespaceOverride: ""
  registryMirrors: []
  insecureRegistries: ["xxx.a", "xxx.b"]
A clear and concise description of what happened.
The same config.yaml but a different container runtime: docker and containerd. Why can docker set insecureRegistries in daemon.json while containerd just sets insecureRegistries as mirrors?
container config
## containerd pkg/service/containermanager/templates/config.toml
[plugins."io.containerd.grpc.v1.cri".registry]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
{{- if .Mirrors }}
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
      endpoint = [{{ .Mirrors }}, "https://registry-1.docker.io"]
{{ else }}
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
      endpoint = ["https://registry-1.docker.io"]
{{- end}}
{{- range $value := .InsecureRegistries }}
    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{$value}}"]
      endpoint = ["http://{{$value}}"]
{{- end}}

## docker pkg/service/containermanager/templates/daemon.json
{{- if .InsecureRegistries }}
  "insecure-registries": [{{ .InsecureRegistries }}],
{{- end}}
Can docker and containerd have the same behavior?
I tried to use containerd instead of docker and then found this issue.
Relevant log output
No response
Additional information
No response
containerd does not directly provide an insecureRegistries parameter; this approach presumably relies on containerd's support for configuring a mirror for any registry in order to support HTTP. That said, I see the latest documentation has already deprecated mirrors and recommends configuring registries via config_path instead.
// Registry is the configuration for a cluster registry
type Registry struct {
	metav1.TypeMeta `json:",inline"`
	// PrivateRegistry defines the private registry address of ContainerManager.
	PrivateRegistry string `json:"privateRegistry"`
	// InsecureRegistries defines the insecure registries of ContainerManager.
	InsecureRegistries []string `json:"insecureRegistries,omitempty"`
	// RegistryMirrors defines the registry mirrors of this PrivateRegistry.
	RegistryMirrors []string `json:"registryMirrors,omitempty"`
	// NamespaceOverride defines the namespace override of this PrivateRegistry.
	NamespaceOverride string `json:"namespaceOverride"`
	// Auth defines the auth of this PrivateRegistry.
	Auth RegistryAuth `json:"auth"`
}
Have a look at the registry configuration struct. It describes a single registry, so why is there an InsecureRegistries attribute, and what does this attribute have to do with the registry?
In actual use, I usually bring up a registry with kk init registry and then push some images to it, but the image address may be something like a.b.com/ns/docker:v1.0, where the domain name may not be PrivateRegistry. When pulling images while still using the a.b.com domain, InsecureRegistries has to be set. So InsecureRegistries should behave like an alias for the current registry.
Whether InsecureRegistries is http or https should then depend on the plainHttp setting in Auth.
So I think the approach in containerd of deciding that http must be supported based solely on insecureRegistries is unreasonable.
Also, the Registry service started by kk init registry only serves https by default.
containerd does support insecure registries.
The configuration is harder to find as it has changed.
The recommendation is to move to using:
[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = "/etc/containerd/certs.d"
Now with this configuration each host has a directory and a configuration file.
The directory matches the hostname (and port if non-standard) of the registry.
Then there is a hosts.toml file in the directory.
Example from my system for an internal registry:
server = "http://registry-trow.registry.svc.cluster.local:8000"

[host."http://registry-trow.registry.svc.cluster.local:8000"]
  capabilities = ["pull", "resolve", "push"]
  skip_verify = true
Mirrors can be added to these entries too, like this:
server = "https://docker.io"

[host."https://mirror.gcr.io"]
  capabilities = ["pull", "resolve"]
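The two points made in this thread (that whether an insecure registry is reached over http or https should follow the plainHttp setting in Auth rather than be assumed, and that current containerd expects a certs.d directory per registry host containing a hosts.toml) can be shown together in one renderer. The code below is an added example, not KubeKey's own code: it renders hosts.toml files from a trimmed copy of the Registry struct quoted above, assumes a PlainHTTP field on RegistryAuth (the thread mentions the plainHttp setting but does not show that struct), and emits skip_verify only for https hosts, so that marking a registry "insecure" relaxes certificate verification without silently downgrading to plaintext. The sample Registry in main mirrors the config.yaml from the issue and is constructed for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// certsDir is the config_path referenced from containerd's config.toml.
const certsDir = "/etc/containerd/certs.d"

// RegistryAuth is a stand-in for KubeKey's RegistryAuth, which the thread
// mentions but does not show; the PlainHTTP field name is an assumption.
type RegistryAuth struct {
	PlainHTTP bool
}

// Registry is a trimmed copy of the KubeKey Registry struct quoted in the thread.
type Registry struct {
	PrivateRegistry    string
	InsecureRegistries []string
	RegistryMirrors    []string
	Auth               RegistryAuth
}

// HostsFile is one rendered hosts.toml and the path it would be written to.
type HostsFile struct {
	Path    string
	Content string
}

// scheme uses plaintext only when plainHttp is explicitly enabled. "Insecure"
// otherwise means "do not verify the TLS certificate", not "downgrade to http".
func scheme(plainHTTP bool) string {
	if plainHTTP {
		return "http"
	}
	return "https"
}

func quoteList(items []string) string {
	q := make([]string, len(items))
	for i, s := range items {
		q[i] = fmt.Sprintf("%q", s)
	}
	return strings.Join(q, ", ")
}

// hostEntry renders one [host."..."] table in hosts.toml syntax.
func hostEntry(url string, capabilities []string, skipVerify bool) string {
	var b strings.Builder
	fmt.Fprintf(&b, "[host.%q]\n", url)
	fmt.Fprintf(&b, "  capabilities = [%s]\n", quoteList(capabilities))
	if skipVerify {
		b.WriteString("  skip_verify = true\n")
	}
	return b.String()
}

// RenderHostsFiles produces one hosts.toml per registry host, in a fixed order:
// docker.io (with mirrors), the private registry, then each insecure registry.
func RenderHostsFiles(r Registry) []HostsFile {
	var out []HostsFile
	pathFor := func(host string) string {
		return filepath.Join(certsDir, host, "hosts.toml")
	}

	// docker.io: the upstream stays https; mirrors may only pull and resolve,
	// so a compromised mirror can never receive pushes.
	var b strings.Builder
	b.WriteString("server = \"https://registry-1.docker.io\"\n\n")
	for _, m := range r.RegistryMirrors {
		b.WriteString(hostEntry(m, []string{"pull", "resolve"}, false))
	}
	out = append(out, HostsFile{Path: pathFor("docker.io"), Content: b.String()})

	// The private registry keeps certificate verification on.
	if r.PrivateRegistry != "" {
		url := scheme(r.Auth.PlainHTTP) + "://" + r.PrivateRegistry
		content := fmt.Sprintf("server = %q\n\n", url) +
			hostEntry(url, []string{"pull", "resolve", "push"}, false)
		out = append(out, HostsFile{Path: pathFor(r.PrivateRegistry), Content: content})
	}

	// Insecure registries follow the same scheme decision; skip_verify only
	// has meaning over https, so it is emitted only there.
	for _, h := range r.InsecureRegistries {
		s := scheme(r.Auth.PlainHTTP)
		url := s + "://" + h
		content := fmt.Sprintf("server = %q\n\n", url) +
			hostEntry(url, []string{"pull", "resolve", "push"}, s == "https")
		out = append(out, HostsFile{Path: pathFor(h), Content: content})
	}
	return out
}

func main() {
	// Constructed sample mirroring the config.yaml in the issue.
	r := Registry{
		PrivateRegistry:    "dockerhub.kubekey.local",
		InsecureRegistries: []string{"xxx.a", "xxx.b"},
		RegistryMirrors:    []string{"https://mirror.gcr.io"},
	}
	for _, f := range RenderHostsFiles(r) {
		fmt.Printf("# %s\n%s\n", f.Path, f.Content)
	}
}
```

With plainHttp left false, xxx.a and xxx.b get `server = "https://xxx.a"` plus `skip_verify = true`; flipping Auth.PlainHTTP to true switches them to http and drops skip_verify. The private registry is never given skip_verify, and docker.io mirrors are limited to pull and resolve.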