
Configuring registry mirrors (image acceleration) for containerd


Original article by hello云胜, 运维开发笔记



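Summary up front:

I took quite a few wrong turns while configuring image acceleration. This article records the whole process, so read the entire text before doing anything, and do not simply follow the steps in the order I wrote them.

The correct configuration steps are:

  • Get the image accelerator (mirror) address
  • Create the configuration files under certs.d
  • Configure acceleration for containerd by editing /etc/containerd/config.toml
  • Configure acceleration for nerdctl by editing /etc/nerdctl/nerdctl.toml

Get the image accelerator address

I used to use Alibaba Cloud's image accelerator, but it no longer works well and cannot pull images from outside the country. I switched to Huawei Cloud's, which tested fine.

Use Huawei Cloud's private image accelerator.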


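Modify the containerd configuration file

How the containerd configuration has to be changed depends on your containerd version, so check the official documentation for the version you run: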

https://github.com/containerd/containerd/blob/v1.6.33/docs/cri/registry.md


vim /etc/containerd/config.toml

config.toml contains far more than Docker's daemon.json used to.

Under [plugins."io.containerd.grpc.v1.cri".registry], add mirrors in the following format:


[plugins."io.containerd.grpc.v1.cri".registry]
  # Private mirror for docker.io
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = [
      "https://你自己的id.mirror.swr.myhuaweicloud.com"  # replace with your own Huawei Cloud private accelerator address
    ]
  # Mirror for the official registry.k8s.io images
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.k8s.io"]
    endpoint = [
      "https://你自己的id.mirror.swr.myhuaweicloud.com"  # replace with your own
    ]

Test with crictl

Now test with crictl pull:


[root@k8s-node0 ~]# crictl pull nginx:latest
Image is up to date for sha256:60adc2e137e757418d4d771822fa3b3f5d3b4ad58ef2385d200c9ee78375b6d5
[root@k8s-node0 ~]# crictl images | grep nginx
docker.io/library/nginx                                                           latest              60adc2e137e75       59.8MB

No problem there, but testing nerdctl pull reports an error:


[root@k8s-node0 ~]# nerdctl pull nginx:latest
docker.io/library/nginx:latest: resolving      |--------------------------------------|
elapsed: 29.9s                  total:   0.0 B (0.0 B/s)
INFO[0030] fetch failed                                  error="failed to do request: Head \"https://registry-1.docker.io/v2/library/nginx/manifests/latest\": dial tcp 96.44.137.28:443: i/o timeout" host=registry-1.docker.io
ERRO[0030] active check failed                           error="context canceled"
FATA[0030] failed to resolve reference "docker.io/library/nginx:latest": failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/latest": dial tcp 96.44.137.28:443: i/o timeout

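The pull failed, and the mirror was not used.

Configure nerdctl

A lot of what is said online about this is wrong.

Looking at nerdctl's official documentation, I found this entry: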


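Namely, nerdctl ignores the [plugins."io.containerd.grpc.v1.cri".registry] configuration, so the configuration above takes effect for containerd but not for nerdctl.

nerdctl should be configured like this:

nerdctl.toml

nerdctl uses its own nerdctl.toml configuration file. (I am running in root mode.)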


vim /etc/nerdctl/nerdctl.toml


# This is an example of /etc/nerdctl/nerdctl.toml .
# Unrelated to the daemon's /etc/containerd/config.toml .

address        = "unix:///run/containerd/containerd.sock"
namespace      = "k8s.io"
snapshotter    = "overlayfs"
cgroup_manager = "systemd"
hosts_dir      = ["/etc/containerd/certs.d"]
# insecure_registry = true makes nerdctl skip HTTPS certificate verification
# and allows falling back to plain HTTP.
insecure_registry = true

Create the certs.d directory, then create one subdirectory for each registry domain you want to accelerate:


mkdir -p /etc/containerd/certs.d
mkdir -p /etc/containerd/certs.d/docker.io
mkdir -p /etc/containerd/certs.d/registry.k8s.io

Create a hosts.toml file in each domain directory. For docker.io the content is:


server = "https://docker.io"

[host."https://你自己的id.mirror.swr.myhuaweicloud.com"]
  capabilities = ["pull", "resolve"]

Under registry.k8s.io, create a hosts.toml file with the following content:


server = "https://registry.k8s.io"

[host."https://你自己的id.mirror.swr.myhuaweicloud.com"]
  capabilities = ["pull", "resolve"]
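
The directory and hosts.toml steps above, scripted for any number of registries, as an added example that is not part of the original post. The function names and the EXAMPLE-ID.mirror.example.invalid address are illustrative assumptions; arguments are validated before anything is written, and the demo writes to a scratch directory instead of /etc/containerd/certs.d.

```shell
#!/bin/sh
# Added example: write certs.d/<registry>/hosts.toml for several registries.
# The mirror URL used in the demo is a constructed placeholder.

# write_hosts_toml CERTS_DIR MIRROR_URL REGISTRY...
# Returns 1 without writing anything if an argument fails validation.
write_hosts_toml() {
  wht_dir=$1; wht_mirror=$2; shift 2
  wht_host=${wht_mirror#https://}
  # Require https://host[:port]; reject anything else before touching the disk.
  case $wht_host in
    "$wht_mirror"|''|*[!A-Za-z0-9.:-]*)
      echo "bad mirror URL: $wht_mirror" >&2; return 1 ;;
  esac
  # Registry names become directory names, so no slashes or leading dots.
  for wht_reg in "$@"; do
    case $wht_reg in
      ''|.*|*[!A-Za-z0-9.:-]*)
        echo "bad registry name: $wht_reg" >&2; return 1 ;;
    esac
  done
  for wht_reg in "$@"; do
    mkdir -p "$wht_dir/$wht_reg" || return 1
    # server: the upstream registry; [host."..."]: the mirror, read operations only.
    printf 'server = "https://%s"\n\n[host."%s"]\n  capabilities = ["pull", "resolve"]\n' \
      "$wht_reg" "$wht_mirror" > "$wht_dir/$wht_reg/hosts.toml" || return 1
  done
}

# Demo in a scratch directory; prints one of the generated files.
demo_write_hosts_toml() {
  demo_tmp=$(mktemp -d) || return 1
  write_hosts_toml "$demo_tmp" "https://EXAMPLE-ID.mirror.example.invalid" \
    docker.io registry.k8s.io && cat "$demo_tmp/registry.k8s.io/hosts.toml"
  rm -rf "$demo_tmp"
}
demo_write_hosts_toml
```
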

Test again


[root@k8s-node0 certs.d]# crictl rmi docker.io/library/nginx:latest
Deleted: docker.io/library/nginx:latest
[root@k8s-node0 certs.d]# nerdctl pull nginx:latest
WARN[0000] skipping verifying HTTPS certs for "docker.io"
docker.io/library/nginx:latest:                                                   resolved       |++++++++++++++++++++++++++++++++++++++|
docker.io/library/nginx:latest:                                                   resolved       |++++++++++++++++++++++++++++++++++++++|
index-sha256:553f64aecdc31b5bf944521731cd70e35da4faed96b2b7548a3d8e2598c52a42:    done           |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:5c733364e9a8f7e6d7289ceaad623c6600479fe95c3ab5534f07bfd7416d9541: done           |++++++++++++++++++++++++++++++++++++++|
config-sha256:60adc2e137e757418d4d771822fa3b3f5d3b4ad58ef2385d200c9ee78375b6d5:   done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:de57a609c9d5148f10b38f5c920d276e9e38b2856fe16c0aae1450613dc12051:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:0e4bc2bd6656e6e004e3c749af70e5650bac2258243eb0949dea51cb8b7863db:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:b5feb73171bf1bcf29fdd1ba642c3d30cdf4c6329b19d89be14d209d778c89ba:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:108ab82928207dabd9abfddbc960dd842364037563fc560b8f6304e4a91454fe:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:53d743880af45adf9f141eec1fe3a413087e528075a5d8884d6215ddfdd2b806:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:77fa2eb0631772679b0e48eca04f4906fba5fe94377e01618873a4a1171107ce:    done           |++++++++++++++++++++++++++++++++++++++|
layer-sha256:192e2451f8751fb74549c932e26a9bcfd7b669fe2f5bd8381ea5ac65f09b256b:    done           |++++++++++++++++++++++++++++++++++++++|
elapsed: 19.1s                                                                    total:  57.0 M (3.0 MiB/s)

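It works now.

Go back and revise /etc/containerd/config.toml

At this point containerd and nerdctl are using two different configurations.

That is not ideal. containerd's mirrors can also be configured in /etc/containerd/certs.d.

Change it as follows: simply delete everything that was previously configured under [plugins."io.containerd.grpc.v1.cri".registry].


[plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/containerd/certs.d"

Restart containerd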


systemctl restart containerd
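
An added check, not part of the original post, that audits the end state of the three files edited above: config_path set with the inline mirrors tables removed, nerdctl's hosts_dir pointing at certs.d, and TLS verification left enabled. The function names, the FINDING: output format and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the files this page edits. Paths are arguments so the
# check can run on a scratch copy; make_sample builds constructed sample files.

# audit_mirror_config CONFIG_TOML NERDCTL_TOML CERTS_DIR
# Prints one "FINDING:" line per problem; returns 0 if clean, 1 otherwise.
audit_mirror_config() {
  amc_cfg=$1; amc_ner=$2; amc_dir=$3; amc_bad=0
  amc_find() { echo "FINDING: $1"; amc_bad=1; }

  # containerd's CRI plugin must read certs.d ...
  sed -n 's/^[[:space:]]*config_path[[:space:]]*=[[:space:]]*"\(.*\)".*/\1/p' "$amc_cfg" |
    grep -Fxq "$amc_dir" || amc_find "config_path is not $amc_dir"
  # ... and the inline mirrors tables from the first attempt must be gone.
  if grep -Eq '^[[:space:]]*\[plugins\..*\.registry\.mirrors\.' "$amc_cfg"; then
    amc_find "leftover registry.mirrors table in $amc_cfg"
  fi
  # nerdctl only finds certs.d through hosts_dir.
  grep -E '^[[:space:]]*hosts_dir[[:space:]]*=' "$amc_ner" | grep -Fq "\"$amc_dir\"" ||
    amc_find "hosts_dir does not list $amc_dir"
  # This setting is what produces "skipping verifying HTTPS certs" on pull.
  if grep -Eq '^[[:space:]]*insecure_registry[[:space:]]*=[[:space:]]*true' "$amc_ner"; then
    amc_find "insecure_registry = true disables TLS verification"
  fi
  for amc_reg in "$amc_dir"/*/; do
    amc_f=${amc_reg}hosts.toml
    [ -f "$amc_f" ] || { amc_find "missing $amc_f"; continue; }
    if grep -Eq '"http://|^[[:space:]]*skip_verify[[:space:]]*=[[:space:]]*true' "$amc_f"; then
      amc_find "plain HTTP or skip_verify in $amc_f"
    fi
  done
  return "$amc_bad"
}

# make_sample ROOT true|false: constructed end state, insecure_registry as given.
make_sample() {
  mkdir -p "$1/certs.d/docker.io" || return 1
  printf '[plugins."io.containerd.grpc.v1.cri".registry]\n  config_path = "%s"\n' \
    "$1/certs.d" > "$1/config.toml"
  printf 'hosts_dir = ["%s"]\ninsecure_registry = %s\n' "$1/certs.d" "$2" > "$1/nerdctl.toml"
  printf 'server = "https://docker.io"\n\n[host."%s"]\n  capabilities = ["pull", "resolve"]\n' \
    "https://EXAMPLE-ID.mirror.example.invalid" > "$1/certs.d/docker.io/hosts.toml"
}

audit_demo_root=$(mktemp -d)
make_sample "$audit_demo_root" true
audit_mirror_config "$audit_demo_root/config.toml" "$audit_demo_root/nerdctl.toml" \
  "$audit_demo_root/certs.d" || echo "audit reported findings for the sample"
rm -rf "$audit_demo_root"
```

On a real node the call would be `audit_mirror_config /etc/containerd/config.toml /etc/nerdctl/nerdctl.toml /etc/containerd/certs.d`.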