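containerd 1.6 and later deprecates the previous way of configuring private registries and registry mirrors.
I. Configuring containerd registry mirrors for image pulls
1. Edit config.toml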
vim /etc/containerd/config.toml
Set config_path to /etc/containerd/certs.d:
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
[plugins."io.containerd.grpc.v1.cri".registry.auths]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
[plugins."io.containerd.grpc.v1.cri".registry.headers]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
tls_cert_file = ""
tls_key_file = ""
2. Create the directory
Create the /etc/containerd/certs.d directory:
mkdir -p /etc/containerd/certs.d
3. Configure a Docker Hub mirror
Create the directory:
mkdir -p /etc/containerd/certs.d/docker.io
Create the file hosts.toml under /etc/containerd/certs.d/docker.io:
server = "https://docker.io"
[host."https://hub-mirror.c.163.com"]
capabilities = ["pull", "resolve"]
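4. Configure the private Harbor registry
Create a directory named after the private registry domain actually in use. Here the private registry address is harbor.node.com, so a directory with that name is needed: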
mkdir -p /etc/containerd/certs.d/harbor.node.com
Create hosts.toml under /etc/containerd/certs.d/harbor.node.com:
server = "https://harbor.node.com"
[host."https://harbor.node.com"]
capabilities = ["pull", "resolve"]
skip_verify = true # skip certificate verification
5. Restart containerd
systemctl restart containerd.service
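The skip_verify = true line in step 4 turns off certificate verification for that registry host. The script below is an added example, not part of the original article: it walks the config_path directory and reports hosts.toml entries that set skip_verify = true or point at a plaintext http:// endpoint. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: audit a containerd hosts
# directory (the config_path value) for settings that weaken TLS.

# audit_hosts_toml FILE: print one "<file>: <host>: <finding>" line per issue.
audit_hosts_toml() {
    awk -v file="$1" '
        { sub(/[ \t]*#.*$/, "") }               # drop trailing comments
        /^[ \t]*\[host\./ {                     # entering a [host."..."] table
            host = $0
            sub(/^[ \t]*\[host\."?/, "", host)
            sub(/"?\][ \t]*$/, "", host)
            if (host ~ /^http:\/\//)
                print file ": " host ": plaintext http endpoint"
            next
        }
        /^[ \t]*skip_verify[ \t]*=[ \t]*true[ \t]*$/ {
            scope = (host == "") ? "(server default)" : host
            print file ": " scope ": TLS verification disabled (skip_verify)"
        }
    ' "$1"
}

# audit_certs_d [DIR]: check every <registry>/hosts.toml below DIR.
audit_certs_d() {
    dir="${1:-/etc/containerd/certs.d}"
    for f in "$dir"/*/hosts.toml; do
        [ -f "$f" ] && audit_hosts_toml "$f"
    done
    return 0
}

# Constructed sample tree holding the two hosts.toml files from steps 3 and 4.
demo=$(mktemp -d)
mkdir -p "$demo/docker.io" "$demo/harbor.node.com"
printf '%s\n' 'server = "https://docker.io"' \
    '[host."https://hub-mirror.c.163.com"]' \
    'capabilities = ["pull", "resolve"]' > "$demo/docker.io/hosts.toml"
printf '%s\n' 'server = "https://harbor.node.com"' \
    '[host."https://harbor.node.com"]' \
    'capabilities = ["pull", "resolve"]' \
    'skip_verify = true # skip certificate verification' \
    > "$demo/harbor.node.com/hosts.toml"

audit_certs_d "$demo"
```

For a registry whose certificate is signed by an internal CA, the hosts.toml ca field pointing at that CA certificate keeps verification enabled, so skip_verify is not needed.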
II. Verifying the pull
Verify with crictl
crictl pull docker.io/library/alpine:3.18
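Verify with ctr (mirror not applied)
The configuration file and directory layout are the same as for crictl, but ctr still pulls the image without using the mirror address.
Fix: pass --hosts-dir to ctr when pulling the image, which makes the pull go through the mirror.
Example: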
ctr --debug image pull docker.io/library/alpine:3.18 --hosts-dir /etc/containerd/certs.d
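nerdctl configuration
The configuration file and directory layout are the same as for crictl.
Note: the configuration path can only be under the /etc/containerd/certs.d directory.
III. Verifying with a packet capture
Check whether a proxy is in use:
- docker service: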
docker info | grep Proxy
- containerd service:
systemctl cat containerd | grep Environment
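Check whether the environment variables are present.
With a proxy
tcpdump -enn -vvv -i [interface] 'host [proxy address] or host [mirror address]'
Example: tcpdump -enn -vvv -i eth0 'host x.x.x.x or host dockerproxy.com'
Parameters:
- interface: the network interface that routes to the proxy address
- proxy address: the address found above (the network proxy)
- mirror address: the registry mirror address configured for the runtime
Without a proxy
tcpdump -enn -vvv -i [internet-facing interface] host [mirror address]
Example: tcpdump -enn -vvv -i eth1 host dockerproxy.com
Finally, use the capture output to confirm.
More
docker.io example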
sudo mkdir -p /etc/containerd/certs.d/docker.io
cat <<'EOF' | sudo tee /etc/containerd/certs.d/docker.io/hosts.toml > /dev/null
server = "https://docker.io"
[host."https://dockerproxy.com"]
capabilities = ["pull", "resolve"]
[host."https://docker.m.daocloud.io"]
capabilities = ["pull", "resolve"]
[host."https://hub-mirror.c.163.com"]
capabilities = ["pull", "resolve"]
EOF
registry.k8s.io example
sudo mkdir -p /etc/containerd/certs.d/registry.k8s.io
cat <<'EOF' | sudo tee /etc/containerd/certs.d/registry.k8s.io/hosts.toml > /dev/null
server = "https://registry.k8s.io"
[host."https://k8s.m.daocloud.io"]
capabilities = ["pull", "resolve"]
EOF
k8s.gcr.io example
sudo mkdir -p /etc/containerd/certs.d/k8s.gcr.io
cat <<'EOF' | sudo tee /etc/containerd/certs.d/k8s.gcr.io/hosts.toml > /dev/null
server = "https://k8s.gcr.io"
[host."k8s-gcr.m.daocloud.io"]
capabilities = ["pull", "resolve"]
EOF