containerd uses a concept similar to svc/endpoint in k8s. The svc can be understood as the access URL, and that URL resolves to the corresponding endpoint. The mirror configuration can also be understood as a reverse proxy: it proxies client requests to the backend image registry configured under endpoint. The mirror name can be chosen freely, but it must conform to the rules for an IP address or a domain name. Multiple endpoints can be configured; by default the first endpoint is used, and if the first endpoint returns no data, the next one is tried automatically, and so on.

For example, the following configuration:

mirrors:
  "*":
    endpoint:
      - "http://192.168.50.119"
  "192.168.50.119":
    endpoint:
      - "http://192.168.50.119"
  "reg.test.com":
    endpoint:
      - "http://192.168.50.119"
  "docker.io":
    endpoint:
      - "https://7bezldxe.mirror.aliyuncs.com"
      - "https://registry-1.docker.io"

Images can be pulled with either crictl pull 192.168.50.119/library/alpine or crictl pull reg.test.com/library/alpine, but both are fetched from the same backend registry.

root@rancher-server:/etc/rancher/k3s# systemctl restart k3s.service
root@rancher-server:/etc/rancher/k3s# crictl pull 192.168.50.119/library/alpine
Image is up to date for sha256:a24bb4013296f61e89ba57005a7b3e52274d8edd3ae2077d04395f806b63d83e
root@rancher-server:/etc/rancher/k3s# crictl pull reg.test.com/library/alpine
Image is up to date for sha256:a24bb4013296f61e89ba57005a7b3e52274d8edd3ae2077d04395f806b63d83e
root@rancher-server:/etc/rancher/k3s#

Note: the mirror name can also be set to *, which matches any registry name when pulling images, for example:

root@rancher-server:/etc/rancher/k3s# crictl pull 1.1.1.2/library/alpine
Image is up to date for sha256:a24bb4013296f61e89ba57005a7b3e52274d8edd3ae2077d04395f806b63d83e

root@rancher-server:/etc/rancher/k3s# crictl pull 1.1.1.3/library/alpine
Image is up to date for sha256:a24bb4013296f61e89ba57005a7b3e52274d8edd3ae2077d04395f806b63d83e

root@rancher-server:/etc/rancher/k3s# crictl pull x.x.x.x/library/alpine
Image is up to date for sha256:a24bb4013296f61e89ba57005a7b3e52274d8edd3ae2077d04395f806b63d83e

root@rancher-server:/etc/rancher/k3s# crictl pull x.x.x.3x/library/alpine
Image is up to date for sha256:a24bb4013296f61e89ba57005a7b3e52274d8edd3ae2077d04395f806b63d83e
root@rancher-server:/etc/rancher/k3s#

Configuring it this way produces many different image names for the same image, which is inconvenient to manage, so this configuration is not recommended.

test.1/tttttt/alpine             lates     a24bb4013296f     2.8MB
1.1.1.1/tttttt/alpine            lates     a24bb4013296f     2.8MB
1.1.1.1/library/alpine           latest    a24bb4013296f     2.8MB
1.1.1.3/library/alpine           latest    a24bb4013296f     2.8MB
192.168.50.1/tttttt/alpine       lates     a24bb4013296f     2.8MB
192.168.50.119/library/alpine    latest    a24bb4013296f     2.8MB
test.com/tttttt/alpine           lates     a24bb4013296f     2.8MB
x.x.x.x/library/alpine           latest    a24bb4013296f     2.8MB
docker.io/tttttt/alpine          lates     a24bb4013296f     2.8MB
192.168.50.110/tttttt/alpine     lates     a24bb4013296f     2.8MB
192.168.50.119/tttttt/alpine     lates     a24bb4013296f     2.8MB
x.x.x.3x/library/alpine          latest    a24bb4013296f     2.8MB
reg.test.com/library/alpine      latest    a24bb4013296f     2.8MB
1.1.1.2/library/alpine           latest    a24bb4013296f     2.8MB
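To make the resolution order concrete, here is an added Python model (not code from this page or from containerd) of how the mirrors section above selects endpoints for an image reference: an exact host match first, then the "*" catch-all, with the registry's own default endpoint appended last when it is not already listed, as containerd's mirror handling does. The MIRRORS dict is the example configuration above as yaml.safe_load would return it; the registry-host rule (first path component is a registry only if it contains "." or ":" or is "localhost") is the Docker reference convention.

```python
"""Model of endpoint selection for the containerd/k3s mirrors configuration."""
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: the mirrors section from the example above, as a dict.
MIRRORS: Dict[str, List[str]] = {
    "*": ["http://192.168.50.119"],
    "192.168.50.119": ["http://192.168.50.119"],
    "reg.test.com": ["http://192.168.50.119"],
    "docker.io": ["https://7bezldxe.mirror.aliyuncs.com",
                  "https://registry-1.docker.io"],
}


def registry_host(ref: str) -> str:
    """Return the registry part of an image reference.

    The first path component is a registry only if it contains '.' or ':'
    or is 'localhost'; otherwise the default registry docker.io is implied."""
    first, sep, _ = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def default_endpoint(host: str) -> str:
    """The registry's own https endpoint; docker.io is served by registry-1."""
    if host == "docker.io":
        host = "registry-1.docker.io"
    return f"https://{host}"


def resolve_endpoints(mirrors: Dict[str, List[str]], ref: str) -> List[str]:
    """Ordered list of endpoints that would be tried for ref, first to last."""
    host = registry_host(ref)
    if host in mirrors:                 # exact mirror name wins
        endpoints = list(mirrors[host])
    elif "*" in mirrors:                # otherwise the catch-all, if any
        endpoints = list(mirrors["*"])
    else:
        endpoints = []
    fallback = default_endpoint(host)
    # The registry itself is the last resort unless already among the endpoints.
    if not any(urlparse(e).netloc == urlparse(fallback).netloc for e in endpoints):
        endpoints.append(fallback)
    return endpoints
```

With the "*" mirror present, an arbitrary host such as 1.1.1.2 resolves to http://192.168.50.119 first, which is exactly why the pulls above all succeed and why the image list fills with unrelated names.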

Insecure (http) private registry configuration

To configure an insecure (http) private registry, simply specify the http address of the backend registry in endpoint.

  • Using the http://192.168.50.119 registry as an example
cat >> /etc/rancher/k3s/registries.yaml <<EOF
mirrors:
  "192.168.50.119":
    endpoint:
      - "http://192.168.50.119"
EOF

systemctl restart k3s

Secure (https) private registry configuration

  • Using a trusted SSL certificate

Similar to the insecure (http) private registry configuration; simply specify the https address of the backend registry in endpoint.

cat >> /etc/rancher/k3s/registries.yaml <<EOF
mirrors:
  "192.168.50.119":
    endpoint:
      - "https://192.168.50.119"
EOF

systemctl restart k3s
  • Using a self-signed SSL certificate

If the backend registry uses a self-signed SSL certificate, the CA certificate must be configured so that the registry's SSL certificate can be verified.

cat >> /etc/rancher/k3s/registries.yaml <<EOF
mirrors:
  "192.168.50.119":
    endpoint:
      - "https://192.168.50.119"
configs:
  "192.168.50.119":
    tls:
      ca_file: # path to the ca file used in the registry
EOF

systemctl restart k3s
  • Mutual SSL authentication

If the image registry is configured for mutual authentication, containerd acts as the client, so containerd must be given an SSL client certificate and key that the registry uses to authenticate containerd.

cat >> /etc/rancher/k3s/registries.yaml <<EOF
mirrors:
  "192.168.50.119":
    endpoint:
      - "https://192.168.50.119"
configs:
  "192.168.50.119":
    tls:
      cert_file: # path to the cert file used in the registry
      key_file: # path to the key file used in the registry
      ca_file: # path to the ca file used in the registry
EOF

systemctl restart k3s

DIRECTIVE    DESCRIPTION
cert_file    The client certificate path that will be used to authenticate with the registry
key_file     The client key path that will be used to authenticate with the registry
ca_file      Defines the CA certificate path to be used to verify the registry's server cert file

Registry authentication

Private projects in a registry require username and password authentication before images can be pulled; this is configured by adding a configs section. When configuring registry authentication, the mirror name must match the configs entry. For example, if a mirror 192.168.50.119 is configured, an entry 192.168.50.119 must also be configured under configs.

cat >> /etc/rancher/k3s/registries.yaml <<EOF
mirrors:
  "192.168.50.119":
    endpoint:
      - "https://192.168.50.119"
configs:
  "192.168.50.119":
    auth:
      username: xxxxxx # this is the registry username
      password: xxxxxx # this is the registry password
    tls:
      cert_file: # path to the cert file used in the registry
      key_file: # path to the key file used in the registry
      ca_file: # path to the ca file used in the registry
EOF

systemctl restart k3s

Mirror accelerator configuration

Both containerd and docker have a default registry, and in both cases it is docker.io. If the configuration does not specify a mirror for docker.io, the docker.io configuration is loaded automatically after containerd restarts. Unlike docker, containerd allows the endpoint for docker.io (https://registry-1.docker.io by default) to be changed, whereas docker does not.

In docker, an accelerator address can be set via registry-mirrors. If the image being pulled carries no registry address (project name + image name:tag), it is pulled from the default registry. If an accelerator address is configured, the accelerator registry is tried first, and if it returns no data the default registry is accessed.

containerd currently has no dedicated accelerator setting, but because the docker.io endpoint can be changed in containerd, acceleration can be achieved by modifying that endpoint. Since endpoints are tried in order, docker.io can be given multiple registry addresses: accelerator address + default registry address. Example configuration:

cat >> /etc/rancher/k3s/registries.yaml <<EOF
mirrors:
  "192.168.50.119":
    endpoint:
      - "http://192.168.50.119"
  "docker.io":
    endpoint:
      - "https://7bezldxe.mirror.aliyuncs.com"
      - "https://registry-1.docker.io"
EOF

systemctl restart k3s

Complete configuration example

mirrors:
  "192.168.50.119":
    endpoint:
      - "http://192.168.50.119"
  "docker.io":
    endpoint:
      - "https://7bezldxe.mirror.aliyuncs.com"
      - "https://registry-1.docker.io"
configs:
  "192.168.50.119":
    auth:
      username: '' # this is the registry username
      password: '' # this is the registry password
    tls:
      cert_file: '' # path to the cert file used in the registry
      key_file: '' # path to the key file used in the registry
      ca_file: '' # path to the ca file used in the registry
  "docker.io":
    auth:
      username: '' # this is the registry username
      password: '' # this is the registry password
    tls:
      cert_file: '' # path to the cert file used in the registry
      key_file: '' # path to the key file used in the registry
      ca_file: '' # path to the ca file used in the registry

If the docker.io endpoint points to an image registry that contains private projects, an auth configuration must be added for docker.io here as well.
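As an added check (not part of this page or of k3s), the following Python audits a loaded registries.yaml for the pitfalls discussed above: a "*" catch-all mirror, plaintext http endpoints, configs entries with no matching mirror (the matching rule stated in the authentication section), and half-filled auth or client-certificate pairs. SAMPLE is the complete example above as yaml.safe_load would return it, plus a constructed stray reg.test.com configs entry to exercise the matching rule.

```python
"""Audit a k3s/containerd registries.yaml (already loaded as a dict)."""
from typing import Any, Dict, List

# Constructed sample: the complete example above plus a configs entry
# (reg.test.com) that has no corresponding mirror.
SAMPLE: Dict[str, Any] = {
    "mirrors": {
        "192.168.50.119": {"endpoint": ["http://192.168.50.119"]},
        "docker.io": {"endpoint": ["https://7bezldxe.mirror.aliyuncs.com",
                                   "https://registry-1.docker.io"]},
    },
    "configs": {
        "192.168.50.119": {
            "auth": {"username": "", "password": ""},
            "tls": {"cert_file": "", "key_file": "", "ca_file": ""},
        },
        "reg.test.com": {"auth": {"username": "ci", "password": ""}},
    },
}


def audit(cfg: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    mirrors = cfg.get("mirrors") or {}
    configs = cfg.get("configs") or {}
    if "*" in mirrors:  # every unknown registry name is routed to this backend
        findings.append("mirror '*' sends every unknown registry name to "
                        + ", ".join(mirrors["*"].get("endpoint", [])))
    for name, mirror in mirrors.items():
        for ep in mirror.get("endpoint", []):
            if ep.startswith("http://"):  # credentials and images in plaintext
                findings.append(f"{name}: plaintext endpoint {ep}")
    for name, conf in configs.items():
        if name not in mirrors:  # configs must match a mirror name
            findings.append(f"configs.{name} has no matching mirrors.{name}")
        auth = conf.get("auth") or {}
        if bool(auth.get("username")) != bool(auth.get("password")):
            findings.append(f"{name}: auth has username or password but not both")
        tls = conf.get("tls") or {}
        if bool(tls.get("cert_file")) != bool(tls.get("key_file")):
            findings.append(f"{name}: cert_file and key_file must be set together")
    return findings
```

Running audit(SAMPLE) reports the plaintext 192.168.50.119 endpoint, the orphaned reg.test.com configs entry and its incomplete auth block; the empty-string auth and tls values in the complete example are treated as unset, which is how they behave.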

References