Hi I'm trying to do a fresh air-gap k3s install wi...
# k3sh
handsome-nail-26296
06/05/2024, 2:32 AMHi I'm trying to do a fresh air-gap k3s install with private registry. I loaded the images with this step. Any help is appreciated!
deploy step -
Copy code
K3S_SYSTEM_DEFAULT_REGISTRY=10.3.13.101:5000 INSTALL_K3S_SKIP_DOWNLOAD=true INSTALL_K3S_EXEC='server --token=k3s_secret --cluster-init --disable=servicelb --selinux --data-dir=/data/k3s' /usr
/local/bin/install.sh Copy code
failed to pull image \"10.3.13.101:5000/rancher/mirrored-pause:3.6\": failed to pull and unpack image \"10.3.13.101:50
00/rancher/mirrored-pause:3.6\": failed to resolve reference \"10.3.13.101:5000/rancher/mirrored-pause:3.6\": failed to do request: Head \"<https://10.3.13.101:5000/v2/rancher/mirrored-pause/manifests/3.6>\": htt
p: server gave HTTP response to HTTPS client Copy code
[root@bumblebee ~]# podman search 10.3.13.101:5000/ --tls-verify=false
NAME DESCRIPTION
10.3.13.101:5000/rancher/klipper-helm
10.3.13.101:5000/rancher/klipper-lb
10.3.13.101:5000/rancher/local-path-provisioner
10.3.13.101:5000/rancher/mirrored-coredns-coredns
10.3.13.101:5000/rancher/mirrored-library-busybox
10.3.13.101:5000/rancher/mirrored-library-traefik
10.3.13.101:5000/rancher/mirrored-metrics-server Copy code
mirrors:
10.3.13.101:5000:
endpoint:
- "<http://10.3.13.101:5000>"
configs:
"*":
tls:
insecure_skip_verify: truec
creamy-pencil-82913
06/05/2024, 4:06 AMThe system default registry must be https
creamy-pencil-82913
06/05/2024, 4:09 AMThe pause image isn't pulled via CRI so the registries.yaml CRI mirror config isn't used for it
h
handsome-nail-26296
06/05/2024, 4:10 AMAh okay, that makes sense. How is it pulled? I thought it was CRI because
crictl imageshandsome-nail-26296
06/05/2024, 4:12 AMI'm in the process of redeploying a secure registry.
c
creamy-pencil-82913
06/05/2024, 4:20 AMThe runtime pulls it implicitly if it's not present when a pod is started.
creamy-pencil-82913
06/05/2024, 4:20 AMIt's kind of a deficiency in the whole model, the same issue affects kubelet credential plugins because they are never invoked to pull the pause image either
creamy-pencil-82913
06/05/2024, 4:21 AMSo basically the pause image needs to be available anonymously, on a registry that uses https
creamy-pencil-82913
06/05/2024, 4:21 AMOr you can preload it
h
handsome-nail-26296
06/05/2024, 4:21 AMI understand, thank you for explaining. So the easiest solution would be to enable tls on my internal registry?
handsome-nail-26296
06/05/2024, 4:24 AMWould preloading be putting the
k3s-airgap-images-amd64.ar.zst/var/lib/rancher/k3s/agent/imageshandsome-nail-26296
06/05/2024, 4:24 AMI was going to go that route, but I need the registries to be available to other nodes internally.
c
creamy-pencil-82913
06/05/2024, 4:26 AMhttps://github.com/k3s-io/k3s/issues/3463#issuecomment-1030173992
Maybe that's been fixed, honestly it's been a while since I checked.
creamy-pencil-82913
06/05/2024, 4:27 AMCRI has added an interface to let the kubelet query the runtime to see what the pause image is, maybe it explicitly pulls it now. I can check tomorrow.
creamy-pencil-82913
06/05/2024, 4:27 AMIn general you're best off using https if at all possible though
👍 2
h
handsome-nail-26296
06/05/2024, 4:27 AMNo don't worry about it...I'm just going to setup a secure registry.
handsome-nail-26296
06/05/2024, 4:27 AMI appreciate your time and help.
237 Views