# rke2
a
Perhaps I am misunderstanding the mirror rewrite section - would a mirror set up like this change the image tags to the configured mirror path? Such as
private.registry.com/foo/bar
Or keep all image tags as
docker.io/foo/bar
even though they're pulled through the mirror?
h
there are perhaps multiple ways to do this, and the way I have done it is: create a file
/etc/rancher/rke2/registries.yaml
and put the registry info there..
mirrors:
  docker.io:
    endpoint:
      - "https://private.reg.org"
a
Yes, that's what I am doing but it doesn't filter through to the containerd config as far as I can tell
f
We are doing base url rewrites like that and it's been working fine. Are you getting image pull backoffs? You could use crictl to test pull images on the machine.
c
Did you look at the directories in the config path? That's where the mirrors and rewrites go...
Putting those in the config.toml has been deprecated for ages
a
I'm not putting them there... I'm going by the documentation and putting it at
/etc/rancher/rke2/registries.yaml
c
nothing like so shows up in the containerd config.toml as I’d expect it to?
You are expecting the wrong thing.
> config_path = "/var/lib/rancher/rke2/agent/etc/containerd/certs.d"
it is configured in files under that path, based on what you configure in registries.yaml
a
Thanks, I'm reading through the containerd docs here and I think it all works but I would expect a
private.registry.com/image:version
tag instead of
docker.io/image:version
when images are being pulled through the private registry.
c
nope
they don’t have a different name just because you pulled them from a different endpoint
it’s still
docker.io/image:tag
you just happened to pull it from a mirror endpoint instead of the default endpoint
a
But for RKE1 and Docker that is the case, yes?
c
no
a
Well that's exactly how it worked when I updated private_registry in the rke-config files..
c
explicitly pulling your images from a different registry is NOT the same thing as using that registry as a mirror for docker.io
a
Ah OK, then perhaps therein lies the confusion
c
what you’re doing here is like setting registry-mirrors in docker’s daemon.json
a
I see - so then what is the correct procedure to set a default private registry for system images?
The first part here? From the Airgap docs
c
You can do either. You’ve done the second.
I tend to like the second, because it’s more flexible
a
Well, I'm trying to work around a pretty inconsistent corporate proxy so I'd like to be pretty rigid and only go through our private registry
I don't mind having internet as a fallback - but private registry first
c
using your registry as a mirror for docker.io will do that
that is exactly what it does
The k3s docs are a bit more in depth, you might take a look at those if you’re confused about what containerd is doing under the hood
a
Thanks, I'll take a look 👏
This is exactly what I'd expect to happen:
c
that is what’s happening. read on.
Note that when using mirrors and rewrites, images will still be stored under the original name. For example,
crictl image ls
will show
docker.io/rancher/mirrored-pause:3.6
as available on the node, even if the image was pulled from a mirror with a different name.
a
Boom, there it is
Thanks Brad - sorry to waste your time
c
like I said above. you’re not pulling a different image, you’re pulling the same image from a different endpoint.
so it is stored under the original name