bored-teacher-80901
02/06/2025, 7:21 PM
`registries.yaml`. I am using k3s through k3d. `cat /etc/rancher/k3s/registries.yaml` returns:
```
mirrors:
  '*':
    endpoint:
      - http://k3d-foobar-registry:5000
    rewrite: {}
  k3d-foobar-registry:5000:
    endpoint:
      - http://k3d-foobar-registry:5000
    rewrite: {}
  k3d-foobar-registry:59943:
    endpoint:
      - http://k3d-foobar-registry:5000
    rewrite: {}
configs: {}
auths: {}
```
But `cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/k3d-foobar-registry:5000/hosts.toml` returns:
```
# File generated by k3s. DO NOT EDIT.
server = "https://k3d-foobar-registry:5000/v2"
capabilities = ["pull", "resolve", "push"]
[host]
[host."http://k3d-foobar-registry:5000/v2"]
capabilities = ["pull", "resolve"]
```
In other words, it's defaulting to using HTTPS in spite of `registries.yaml`. I checked `containerd.log` and there is no mention of `registries.yaml`. It tries using `https` right away with no attempt to use `http`. Any idea on how to debug this further? Thanks in advance.
creamy-pencil-82913
02/06/2025, 7:25 PM
bored-teacher-80901
02/06/2025, 7:25 PM
creamy-pencil-82913
02/06/2025, 7:25 PM
creamy-pencil-82913
02/06/2025, 7:26 PM
bored-teacher-80901
02/06/2025, 7:26 PM
bored-teacher-80901
02/06/2025, 7:27 PM
creamy-pencil-82913
02/06/2025, 7:27 PM
`k3d-foobar-registry:5000`. It will try the mirror host first which is http, and if that does not work it will fall back to the default endpoint which is https
bored-teacher-80901
02/06/2025, 7:28 PM
`containerd.log`
bored-teacher-80901
02/06/2025, 7:29 PM
time="2025-02-06T14:52:35.921324308Z" level=info msg="Start cri plugin with config {PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc DefaultRuntime:{Type: Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: SandboxMode:} UntrustedWorkloadRuntime:{Type: Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: SandboxMode:} Runtimes:map[runc:{Type:io.containerd.runc.v2 Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[SystemdCgroup:false] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: SandboxMode:podsandbox}] NoPivot:false DisableSnapshotAnnotations:true DiscardUnpackedLayers:false IgnoreBlockIONotEnabledErrors:false IgnoreRdtNotEnabledErrors:false} CniConfig:{NetworkPluginBinDir:/bin NetworkPluginConfDir:/var/lib/rancher/k3s/agent/etc/cni/net.d NetworkPluginMaxConfNum:1 NetworkPluginSetupSerially:false NetworkPluginConfTemplate: IPPreference:} Registry:{ConfigPath:/var/lib/rancher/k3s/agent/etc/containerd/certs.d Mirrors:map[] Configs:map[] Auths:map[] Headers:map[]} ImageDecryption:{KeyModel:node} DisableTCPService:true StreamServerAddress:127.0.0.1 StreamServerPort:10010 StreamIdleTimeout:4h0m0s EnableSelinux:false SelinuxCategoryRange:1024 SandboxImage:rancher/mirrored-pause:3.6 StatsCollectPeriod:10 SystemdCgroup:false EnableTLSStreaming:false X509KeyPairStreaming:{TLSCertFile: TLSKeyFile:} MaxContainerLogLineSize:16384 DisableCgroup:false DisableApparmor:false RestrictOOMScoreAdj:false MaxConcurrentDownloads:3 DisableProcMount:false UnsetSeccompProfile: TolerateMissingHugetlbController:true DisableHugetlbController:true DeviceOwnershipFromSecurityContext:false IgnoreImageDefinedVolumes:false NetNSMountsUnderStateDir:false EnableUnprivilegedPorts:true EnableUnprivilegedICMP:true EnableCDI:false CDISpecDirs:[/etc/cdi /var/run/cdi] ImagePullProgressTimeout:5m0s DrainExecSyncIOTimeout:0s ImagePullWithSyncFs:false IgnoreDeprecationWarnings:[]} ContainerdRootDir:/var/lib/rancher/k3s/agent/containerd ContainerdEndpoint:/run/k3s/containerd/containerd.sock RootDir:/var/lib/rancher/k3s/agent/containerd/io.containerd.grpc.v1.cri StateDir:/run/k3s/containerd/io.containerd.grpc.v1.cri}"
bored-teacher-80901
02/06/2025, 7:29 PM
`Mirrors:map[]` somewhere near the middle.
creamy-pencil-82913
02/06/2025, 7:29 PM
creamy-pencil-82913
02/06/2025, 7:30 PM
`ConfigPath:/var/lib/rancher/k3s/agent/etc/containerd/certs.d`
creamy-pencil-82913
02/06/2025, 7:30 PM
bored-teacher-80901
02/06/2025, 7:31 PM
`hosts.toml` I pasted instructs containerd to try the http endpoint first, and if it fails to use https as fallback? And the reason it's using https is that http is failing?
Or are you saying something else?
You mentioned reading the k3s registry docs about default endpoints, but is https://docs.k3s.io/installation/private-registry#default-endpoint-fallback the one you meant?
creamy-pencil-82913
02/06/2025, 7:31 PM
creamy-pencil-82913
02/06/2025, 7:32 PM
creamy-pencil-82913
02/06/2025, 7:32 PM
bored-teacher-80901
02/06/2025, 7:33 PM
bored-teacher-80901
02/06/2025, 7:37 PM
```
[debug]
level = "debug"
```
to `/var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl` and restarting the cluster, then I'll check `/var/lib/rancher/k3s/agent/containerd/containerd.log` again.
bored-teacher-80901
02/06/2025, 7:46 PM
creamy-pencil-82913
02/06/2025, 7:51 PM
creamy-pencil-82913
02/06/2025, 7:52 PM
bored-teacher-80901
02/06/2025, 7:53 PM
creamy-pencil-82913
02/06/2025, 7:53 PM
bored-teacher-80901
02/06/2025, 7:53 PM