Permanent link to this article: https://www.xtplayer.cn/rancher/rancher-rke2-pulls-image-from-the-http-registries/

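Background

As of Rancher 2.7.5, the latest release at the time of writing, deploying RKE2 against an image registry that is served over HTTP fails to pull images. The rancher-system-agent.service log reports http: server gave HTTP response to HTTPS client, as in the following log lines: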

Aug 10 17:56:23 rke2-2 rancher-system-agent[1658]: time="2023-08-10T17:56:23+08:00" level=warning msg="Failed to get image from endpoint: Get \"https://192.168.110.110:80/v2/\": http: server gave HTTP response to HTTPS client; Get \"https://192.168.110.110:80/v2/\": http: server gave HTTP response to HTTPS client"

Aug 10 17:56:23 rke2-2 rancher-system-agent[1658]: time="2023-08-10T17:56:23+08:00" level=error msg="error while staging: all endpoints failed: Get \"https://192.168.110.110:80/v2/\": http: server gave HTTP response to HTTPS client; Get \"https://192.168.110.110:80/v2/\": http: server gave HTTP response to HTTPS client: failed to get image 192.168.110.110:80/rancher/system-agent-installer-rke2:v1.26.7-rke2r1"

So far this problem has been fixed only on the RKE2 side. Related issue:

https://github.com/rancher/rke2/issues/4308

It has not yet been fixed on the Rancher side. Related issue:

https://github.com/rancher/rancher/issues/42373

Temporary workaround

  1. The global system setting system-default-registry must include the port. Set it to the port the registry actually uses; port 80 cannot be omitted.

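  2. If you run Rancher server with docker run, you need a custom registries.yaml that is then mapped into the Rancher container. For reference, the configuration used with docker run is as follows:

    mirrors:
      # Private registry domain
      192.168.110.110:80:
        endpoint:
          - "http://192.168.110.110"
    configs:
      "192.168.110.110:80":
        auth:
          username: admin # Username for the private image registry
          password: Harbor12345 # Password for the private image registry

  3. If Rancher server runs in an HA setup on an RKE2 cluster, RKE2 also needs a custom registries.yaml as described in step 2. The configuration is the same; save the file to /etc/rancher/rke2/registries.yaml. (https://docs.rke2.io/install/containerd_registry_configuration)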

  4. When Rancher provisions a downstream RKE2 cluster, the registry address in registries must include the port number.
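
The following is an added example, not code from the original article or from Rancher: it scans rancher-system-agent log text for the error shown above and renders the matching mirrors stanza with the port kept in the key. The function names and the sample log text are constructed for illustration.

```python
import re

# Constructed sample: journal lines in the format of the log excerpt above.
SAMPLE_LOG = r'''
Aug 10 17:56:23 rke2-2 rancher-system-agent[1658]: time="2023-08-10T17:56:23+08:00" level=warning msg="Failed to get image from endpoint: Get \"https://192.168.110.110:80/v2/\": http: server gave HTTP response to HTTPS client"
Aug 10 17:56:24 rke2-2 rancher-system-agent[1658]: time="2023-08-10T17:56:24+08:00" level=info msg="unrelated line"
'''

# Matches the failed HTTPS probe of the registry API and captures host and port.
# The quotes around the URL may or may not be backslash-escaped in the log.
PATTERN = re.compile(
    r'Get \\?"https://(?P<host>[^/:"\\]+)(?::(?P<port>\d+))?/v2/\\?": '
    r'http: server gave HTTP response to HTTPS client'
)


def http_only_registries(log_text):
    """Return sorted, de-duplicated (host, port) pairs that answered HTTPS with plain HTTP."""
    found = set()
    for m in PATTERN.finditer(log_text):
        # A URL without a port means the HTTPS client connected to 443.
        found.add((m.group("host"), int(m.group("port") or 443)))
    return sorted(found)


def registries_yaml(pairs):
    """Render a mirrors stanza; the key always carries the port, even when it is 80."""
    lines = ["mirrors:"]
    for host, port in pairs:
        endpoint = f"http://{host}" if port == 80 else f"http://{host}:{port}"
        lines += [f'  "{host}:{port}":', "    endpoint:", f'      - "{endpoint}"']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(registries_yaml(http_only_registries(SAMPLE_LOG)), end="")
```

The configs/auth block is not generated and has to be added by hand as in step 2. Over a plain HTTP endpoint those credentials and the image layers are transferred unencrypted.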