I am running into a problem where k3s seems to be ignoring ` Rancher Users #general

I am running into a problem where k3s seems to be ...

bored-teacher-80901

02/06/2025, 7:21 PM

I am running into a problem where k3s seems to be ignoring

registries.yaml

. I am using k3s through k3d.

cat /etc/rancher/k3s/registries.yaml

returns:

Copy code

mirrors:
  '*':
    endpoint:
    - <http://k3d-foobar-registry:5000>
    rewrite: {}
  k3d-foobar-registry:5000:
    endpoint:
    - <http://k3d-foobar-registry:5000>
    rewrite: {}
  k3d-foobar-registry:59943:
    endpoint:
    - <http://k3d-foobar-registry:5000>
    rewrite: {}
configs: {}
auths: {}

But `cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/k3d-foobar-registry:5000/hosts.toml`returns:

Copy code

# File generated by k3s. DO NOT EDIT.

server = "<https://k3d-foobar-registry:5000/v2>"
capabilities = ["pull", "resolve", "push"]


[host]
[host."<http://k3d-foobar-registry:5000/v2>"]
  capabilities = ["pull", "resolve"]

In other words, it's defaulting to using HTTPS in spite of

registries.yaml

. I checked

containerd.log

and there is no mention of

registries.yaml

. It tries using

https

right away with no attempt to use

http

. Any idea on how to debug this further? Thanks in advance.

creamy-pencil-82913

02/06/2025, 7:25 PM

that’s not whats happening

bored-teacher-80901

02/06/2025, 7:25 PM

👀

creamy-pencil-82913

02/06/2025, 7:25 PM

there is a mirror with http as you requested, and then the default (as always) is https

creamy-pencil-82913

02/06/2025, 7:26 PM

read the k3s registry docs about default endpoints

bored-teacher-80901

02/06/2025, 7:26 PM

Right. That's what I thought. So instead of the mirror applying to https, it's applying to http. And since no one tries using http then the mirror is ignored. Is that correct?

bored-teacher-80901

02/06/2025, 7:27 PM

Do you mean this? https://docs.k3s.io/installation/private-registry#default-endpoint-fallback Or something else?

creamy-pencil-82913

02/06/2025, 7:27 PM

your registry is

k3d-foobar-registry:5000

. It will try the mirror host first which is http, and if that does not work it will fall back to the default endpoint which is https

bored-teacher-80901

02/06/2025, 7:28 PM

That's what I thought too, but I don't see it trying http first in

containerd.log

bored-teacher-80901

02/06/2025, 7:29 PM

I also noticed this line in containerd.log which seems to imply that the list of mirrors is empty...

Copy code

time="2025-02-06T14:52:35.921324308Z" level=info msg="Start cri plugin with config {PluginConfig:{ContainerdConfig:{Snapshotter:overlayfs DefaultRuntimeName:runc DefaultRuntime:{Type: Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: SandboxMode:} UntrustedWorkloadRuntime:{Type: Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: SandboxMode:} Runtimes:map[runc:{Type:io.containerd.runc.v2 Path: Engine: PodAnnotations:[] ContainerAnnotations:[] Root: Options:map[SystemdCgroup:false] PrivilegedWithoutHostDevices:false PrivilegedWithoutHostDevicesAllDevicesAllowed:false BaseRuntimeSpec: NetworkPluginConfDir: NetworkPluginMaxConfNum:0 Snapshotter: SandboxMode:podsandbox}] NoPivot:false DisableSnapshotAnnotations:true DiscardUnpackedLayers:false IgnoreBlockIONotEnabledErrors:false IgnoreRdtNotEnabledErrors:false} CniConfig:{NetworkPluginBinDir:/bin NetworkPluginConfDir:/var/lib/rancher/k3s/agent/etc/cni/net.d NetworkPluginMaxConfNum:1 NetworkPluginSetupSerially:false NetworkPluginConfTemplate: IPPreference:} Registry:{ConfigPath:/var/lib/rancher/k3s/agent/etc/containerd/certs.d Mirrors:map[] Configs:map[] Auths:map[] Headers:map[]} ImageDecryption:{KeyModel:node} DisableTCPService:true StreamServerAddress:127.0.0.1 StreamServerPort:10010 StreamIdleTimeout:4h0m0s EnableSelinux:false SelinuxCategoryRange:1024 SandboxImage:rancher/mirrored-pause:3.6 StatsCollectPeriod:10 SystemdCgroup:false EnableTLSStreaming:false X509KeyPairStreaming:{TLSCertFile: TLSKeyFile:} MaxContainerLogLineSize:16384 DisableCgroup:false DisableApparmor:false RestrictOOMScoreAdj:false MaxConcurrentDownloads:3 DisableProcMount:false UnsetSeccompProfile: TolerateMissingHugetlbController:true DisableHugetlbController:true DeviceOwnershipFromSecurityContext:false IgnoreImageDefinedVolumes:false NetNSMountsUnderStateDir:false EnableUnprivilegedPorts:true EnableUnprivilegedICMP:true EnableCDI:false CDISpecDirs:[/etc/cdi /var/run/cdi] ImagePullProgressTimeout:5m0s DrainExecSyncIOTimeout:0s ImagePullWithSyncFs:false IgnoreDeprecationWarnings:[]} ContainerdRootDir:/var/lib/rancher/k3s/agent/containerd ContainerdEndpoint:/run/k3s/containerd/containerd.sock RootDir:/var/lib/rancher/k3s/agent/containerd/io.containerd.grpc.v1.cri StateDir:/run/k3s/containerd/io.containerd.grpc.v1.cri}"

bored-teacher-80901

02/06/2025, 7:29 PM

Sorry for the long paste. It says

Mirrors:map[]

somewhere near the middle.

creamy-pencil-82913

02/06/2025, 7:29 PM

yes, because the mirrors are not in the config.

creamy-pencil-82913

02/06/2025, 7:30 PM

they are under

ConfigPath:/var/lib/rancher/k3s/agent/etc/containerd/certs.d

creamy-pencil-82913

02/06/2025, 7:30 PM

which is the non-deprecated way to configure mirrors

bored-teacher-80901

02/06/2025, 7:31 PM

Okay, so let's take a step back... are you saying that the

hosts.toml

I pasted instructs containerd to try the http endpoint first, and if it fails to use https as fallback? And the reason it's using https is that http is failing? Or are you saying something else? You mentioned reading teh k3s registry docs about default endpoints, but is https://docs.k3s.io/installation/private-registry#default-endpoint-fallback the one you meant?

creamy-pencil-82913

02/06/2025, 7:31 PM

yes

creamy-pencil-82913

02/06/2025, 7:32 PM

if you see it trying https that means that it is falling back to that, because it was unable to pull from https

creamy-pencil-82913

02/06/2025, 7:32 PM

if you turn the log level up to trace or debug you will see all the http requests

bored-teacher-80901

02/06/2025, 7:33 PM

Okay, so if I increase the log level of k3s (or k3d in my case) I should see evidence of the http endpoint being used in containerd.log? Or should I look somewhere else?

bored-teacher-80901

02/06/2025, 7:37 PM

I'm going to try adding:

Copy code

[debug]
  level = "debug"

/var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl

and restarting the cluster, then I'll check

/var/lib/rancher/k3s/agent/containerd/containerd.log

again.

bored-teacher-80901

02/06/2025, 7:46 PM

@creamy-pencil-82913 You're right. I had to use "trace" logging level instead of "debug" but sure enough it's making the request to HTTP first, gets back HTTP 404 and tries again against HTTPS. Thanks for your help!

creamy-pencil-82913

02/06/2025, 7:51 PM

yep. containerd works pretty well. if it’s not doing what you think it should be doing, the error is almost always on the user side.

creamy-pencil-82913

02/06/2025, 7:52 PM

it doesn’t always tell you that though ;)

bored-teacher-80901

02/06/2025, 7:53 PM

👍 though you might want to considering indicating the use of the endpoint at a higher logging level. I've seen this question come up very often on GitHub.

creamy-pencil-82913

02/06/2025, 7:53 PM

I’m not a containerd maintainer, you can find them on CNCF slack or at https://github.com/containerd/containerd

👀 1

bored-teacher-80901

02/06/2025, 7:53 PM

Thanks

Open in Slack

Previous Next