Starting with Kubernetes v1.20, clusters began using containerd as the container runtime in place of Docker. For containerd usage, an introduction, and the source code, see its GitHub repository.
1. Error:
By default, after deploying a recent Kubernetes version, pulling an image may fail with the following error:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 17s default-scheduler Successfully assigned default/web-terminal-6b4bbf9888-vghxn to worker5
Normal BackOff 17s kubelet Back-off pulling image "harbor.xxx.com/cirrus/cirrus-terminal/main:1.2.0"
Warning Failed 17s kubelet Error: ImagePullBackOff
Normal Pulling 4s (x2 over 17s) kubelet Pulling image "harbor.xxx.com/cirrus/cirrus-terminal/main:1.2.0"
Warning Failed 4s (x2 over 17s) kubelet Failed to pull image "harbor.xxx.com/cirrus/cirrus-terminal/main:1.2.0": rpc error: code = Unknown desc = failed to pull and unpack image "harbor.xxx.com/cirrus/cirrus-terminal/main:1.2.0": failed to resolve reference "harbor.xxx.com/cirrus/cirrus-terminal/main:1.2.0": failed to do request: Head "https://harbor.xxx.com/v2/cirrus/cirrus-terminal/main/manifests/1.2.0": x509: certificate signed by unknown authority
Warning Failed 4s (x2 over 17s) kubelet Error: ErrImagePull
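Solution:
Depending on the environment, you may need to configure image registry parameters. Below is an example (see the official documentation).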
root@worker:/etc/containerd# tree
.
├── certs.d
│   ├── amaas.cec.lab.com:5074
│   │   ├── ca.crt
│   │   └── hosts.toml
│   └── harbor.xxx.com
│       ├── ca.crt
│       └── hosts.toml
└── config.toml
3 directories, 5 files
root@worker:/etc/containerd# cat config.toml
# /etc/containerd/config.toml
version = 2
[plugins."io.containerd.grpc.v1.cri".registry]
config_path="/etc/containerd/certs.d"
root@worker:/etc/containerd# cat certs.d/amaas.cec.lab.com\:5074/hosts.toml
server = "amaas.cec.lab.com:5074"
[host."amaas.cec.lab.com:5074"]
capabilities = ["pull", "resolve"]
ca = "ca.crt"
root@worker:/etc/containerd#
root@worker:/etc/containerd# cat certs.d/harbor.xxx.com/hosts.toml
server = "https://harbor.xxx.com"
[host."https://harbor.xxx.com"]
capabilities = ["pull", "resolve"]
ca = "ca.crt"
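Obtain the private registry's certificate and save it next to the matching hosts.toml. The certificate fetched this way is whatever the endpoint presents over an unverified connection, so compare its fingerprint with one obtained from the registry administrator before trusting it:
echo -n | openssl s_client -showcerts -connect harbor.xxx.com:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/containerd/certs.d/harbor.xxx.com/ca.crt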
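The layout above only works if every `ca` path named in a hosts.toml resolves to a non-empty PEM file under config_path. The following check audits that; it is an added example, not part of the original post. The function names are made up for this example, and the `skip_verify` check is an addition that the post does not discuss.

```shell
# audit_certs_d DIR: print one finding per line for every DIR/<registry>/hosts.toml.
audit_certs_d() {
    root="${1:-/etc/containerd/certs.d}"
    for f in "$root"/*/hosts.toml; do
        [ -e "$f" ] || { echo "FAIL $root: no hosts.toml found"; return; }
        dir=$(dirname "$f")
        # skip_verify = true turns certificate verification off for this registry.
        if grep -Eq '^[[:space:]]*skip_verify[[:space:]]*=[[:space:]]*true' "$f"; then
            echo "FAIL $f: skip_verify = true"
        fi
        # Every quoted value on a "ca = ..." line (single string or one-line array).
        cas=$(sed -n 's/^[[:space:]]*ca[[:space:]]*=//p' "$f" | grep -o '"[^"]*"' | tr -d '"')
        [ -n "$cas" ] || { echo "WARN $f: no ca entry"; continue; }
        printf '%s\n' "$cas" | while IFS= read -r ca; do
            # Relative paths are taken relative to the hosts.toml directory.
            case "$ca" in /*) path="$ca" ;; *) path="$dir/$ca" ;; esac
            if [ ! -s "$path" ]; then
                # Typical cause: the openssl | sed pipeline failed silently (stderr
                # discarded) or wrote ca.crt into a different directory.
                echo "FAIL $f: $path missing or empty"
            elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$path"; then
                echo "FAIL $f: $path contains no PEM certificate"
            else
                echo "OK   $f: $path"
            fi
        done
    done
}

# check_certs_d DIR: show the findings; exit status is 0 only when none is a FAIL.
check_certs_d() {
    findings=$(audit_certs_d "$1")
    printf '%s\n' "$findings"
    ! printf '%s\n' "$findings" | grep -q '^FAIL'
}

# Usage on a node: check_certs_d /etc/containerd/certs.d
```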
2. Error:
root@worker5:~# crictl pull harbor.xxx.com/cirrus/cirrus-terminal/main:1.2.0
DEBU[0000] get image connection
DEBU[0000] PullImageRequest: &PullImageRequest{Image:&ImageSpec{Image:harbor.xxx.com/cirrus/cirrus-terminal/main:1.2.0,Annotations:map[string]string{},},Auth:nil,SandboxConfig:nil,}
E0321 06:11:37.909786 3580468 remote_image.go:171] "PullImage from image service failed" err="rpc error: code = Unknown desc = failed to pull and unpack image \"harbor.xxx.com/cirrus/cirrus-terminal/main:1.2.0\": failed to resolve reference \"harbor.xxx.com/cirrus/cirrus-terminal/main:1.2.0\": failed to do request: Head \"https://harbor.xxx.com/v2/cirrus/cirrus-terminal/main/manifests/1.2.0\": x509: certificate signed by unknown authority" image="harbor.xxx.com/cirrus/cirrus-terminal/main:1.2.0"
FATA[0000] pulling image: rpc error: code = Unknown desc = failed to pull and unpack image "harbor.xxx.com/cirrus/cirrus-terminal/main:1.2.0": failed to resolve reference "harbor.dell.com/cirrus/cirrus-terminal/main:1.2.0": failed to do request: Head "https://harbor.xxx.com/v2/cirrus/cirrus-terminal/main/manifests/1.2.0": x509: certificate signed by unknown authority
Solution:
root@worker:/etc/containerd# cat /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 2
debug: true
pull-image-on-create: false