able-wall-25846

11/29/2022, 5:25 PM
I think that's right

damp-painting-69352

11/29/2022, 5:26 PM
Look into rke2/k3s registries.yaml in the /etc/rancher/rke2 directory

able-wall-25846

11/29/2022, 5:28 PM
ya that's how I got to
root@knode03:~# cat /etc/rancher/rke2/registries.yaml
mirrors:
  registry01.sys.nc4.iad0.nsscloud.net:
    endpoint:
      - "http://registry01.sys.nc4.iad0.nsscloud.net:5000"
root@knode03:~#
but that doesn't seem to be working

damp-painting-69352

11/29/2022, 5:28 PM
you may need to add a config for that to allow insecure

able-wall-25846

11/29/2022, 5:29 PM
I don't have any auth
and it doesn't have TLS

damp-painting-69352

11/29/2022, 5:29 PM
as far as my testing this config is super finicky/buggy, give the insecure_skip_verify flag a try

able-wall-25846

11/29/2022, 5:30 PM
I will try that

damp-painting-69352

11/29/2022, 5:30 PM
you can check the kubelet and containerd logs after and see what errors are being thrown
you shouldn't set the domain as a mirror to itself, that is recursive

able-wall-25846

11/29/2022, 5:33 PM
I shouldn't use the fqdn for the key?

damp-painting-69352

11/29/2022, 5:35 PM
That is meant for mirrors like docker.io to your registry
you shouldn't need this file if you are specifically calling this registry in the container image invocation. You would use this to direct containerd to check other mirrors for the same image path

able-wall-25846

11/29/2022, 5:38 PM
ok then how can I pull from a private registry then? cause I always get this error
even if the image is the full path

damp-painting-69352

11/29/2022, 5:38 PM
which error

able-wall-25846

11/29/2022, 5:39 PM
root@knode03:~# export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
root@knode03:~# export PATH=$PATH:/var/lib/rancher/rke2/bin/
root@knode03:~# crictl pull registry01.sys.nc4.iad0.nsscloud.net:5000/ns-ubuntu-20-04-qemu:latest
FATA[0000] pulling image: rpc error: code = Unknown desc = failed to pull and unpack image "registry01.sys.nc4.iad0.nsscloud.net:5000/ns-ubuntu-20-04-qemu:latest": failed to resolve reference "registry01.sys.nc4.iad0.nsscloud.net:5000/ns-ubuntu-20-04-qemu:latest": failed to do request: Head "https://registry01.sys.nc4.iad0.nsscloud.net:5000/v2/ns-ubuntu-20-04-qemu/manifests/latest": http: server gave HTTP response to HTTPS client
root@knode03:~#
it's trying to connect with HTTPS to my HTTP registry

damp-painting-69352

11/29/2022, 5:39 PM
it is

able-wall-25846

11/29/2022, 5:40 PM
if I'm just using containerd outside rke2
[plugins."io.containerd.grpc.v1.cri".registry.configs]
    [plugins."io.containerd.grpc.v1.cri".registry.configs."198.18.0.157:5000".tls]
      insecure_skip_verify = true
is working for me
I can pull the image no issue
but if I'm using the rke2 socket for containerd I cannot pull the image

damp-painting-69352

11/29/2022, 5:42 PM
I can't say I have ever tried to pull from an HTTP endpoint, sorry

able-wall-25846

11/29/2022, 5:44 PM
what would happen if I manually updated this file
/var/lib/rancher/rke2/agent/etc/containerd/config.toml
does that file get created every time I restart rke2-server?

damp-painting-69352

11/29/2022, 5:48 PM
it would get replaced yes