问题:由于国内 docker.io 镜像仓库关闭了,所以想配置镜像加速,但是配置好像一直没有生效,还是从官方仓库拉取镜像
containerd version:ctr github.com/containerd/containerd v1.7.27
containerd config:
version = 2
root = "/var/lib/containerd"
state = "/run/containerd"
oom_score = 0
[grpc]
address = "/run/containerd/containerd.sock"
uid = 0
gid = 0
max_recv_message_size = 16777216
max_send_message_size = 16777216
[debug]
address = "/run/containerd/containerd-debug.sock"
uid = 0
gid = 0
level = "warn"
[timeouts]
"io.containerd.timeout.shim.cleanup" = "5s"
"io.containerd.timeout.shim.load" = "5s"
"io.containerd.timeout.shim.shutdown" = "3s"
"io.containerd.timeout.task.state" = "2s"
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "sealos.hub:5000/pause:3.9"
max_container_log_line_size = 16384
max_concurrent_downloads = 20
disable_apparmor = true
[plugins."io.containerd.grpc.v1.cri".containerd]
snapshotter = "overlayfs"
default_runtime_name = "runc"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.crun]
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.crun.options]
BinaryName = "/usr/bin/crun"
SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
certs.d 目录下有三个目录( docker.io registry.k8s.io sealos.hub:5000 ),每个目录各自配置了 hosts.toml
docker.io->hosts.toml
server = "https://docker.io"
[host."https://docker.1ms.run"]
capabilities = ["pull", "resolve"]
[host."https://docker.m.daocloud.io"]
capabilities = ["pull", "resolve"]
[host."https://dockerproxy.com"]
capabilities = ["pull", "resolve"]
registry.k8s.io->hosts.toml
server = "registry.k8s.io"
[host."k8s.m.daocloud.io"]
capabilities = ["pull", "resolve"]
使用 ctr 拉取镜像,还是拉取不了
root@localhost:/etc/containerd/certs.d/registry.k8s.io# ctr --debug images pull docker.io/library/nginx:latest
DEBU[0000] fetching image="docker.io/library/nginx:latest"
DEBU[0000] resolving host=registry-1.docker.io
DEBU[0000] do request host=registry-1.docker.io request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.7.27 request.method=HEAD url="https://registry-1.docker.io/v2/library/nginx/manifests/latest"
INFO[0030] trying next host error="failed to do request: Head \"https://registry-1.docker.io/v2/library/nginx/manifests/latest\": dial tcp 118.193.240.41:443: i/o timeout" host=registry-1.docker.io
ctr: failed to resolve reference "docker.io/library/nginx:latest": failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/latest": dial tcp 118.193.240.41:443: i/o timeout
但是还有个奇怪的问题就是 使用 crictl 拉取镜像是能够正常拉取的
root@localhost:/etc/containerd/certs.d/registry.k8s.io# crictl pull nginx:latest
Image is up to date for sha256:47ef8710c9f5a9276b3e347e3ab71ee44c8483e20f8636380ae2737ef4c27758
这个问题困扰小弟很久了,跪求各位大佬帮忙看看是啥问题
containerd version:ctr github.com/containerd/containerd v1.7.27
containerd config:
version = 2
root = "/var/lib/containerd"
state = "/run/containerd"
oom_score = 0
[grpc]
address = "/run/containerd/containerd.sock"
uid = 0
gid = 0
max_recv_message_size = 16777216
max_send_message_size = 16777216
[debug]
address = "/run/containerd/containerd-debug.sock"
uid = 0
gid = 0
level = "warn"
[timeouts]
"io.containerd.timeout.shim.cleanup" = "5s"
"io.containerd.timeout.shim.load" = "5s"
"io.containerd.timeout.shim.shutdown" = "3s"
"io.containerd.timeout.task.state" = "2s"
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "sealos.hub:5000/pause:3.9"
max_container_log_line_size = 16384
max_concurrent_downloads = 20
disable_apparmor = true
[plugins."io.containerd.grpc.v1.cri".containerd]
snapshotter = "overlayfs"
default_runtime_name = "runc"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.crun]
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.crun.options]
BinaryName = "/usr/bin/crun"
SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
certs.d 目录下有三个目录( docker.io registry.k8s.io sealos.hub:5000 ),每个目录各自配置了 hosts.toml
docker.io->hosts.toml
server = "https://docker.io"
[host."https://docker.1ms.run"]
capabilities = ["pull", "resolve"]
[host."https://docker.m.daocloud.io"]
capabilities = ["pull", "resolve"]
[host."https://dockerproxy.com"]
capabilities = ["pull", "resolve"]
registry.k8s.io->hosts.toml
server = "registry.k8s.io"
[host."k8s.m.daocloud.io"]
capabilities = ["pull", "resolve"]
使用 ctr 拉取镜像,还是拉取不了
root@localhost:/etc/containerd/certs.d/registry.k8s.io# ctr --debug images pull docker.io/library/nginx:latest
DEBU[0000] fetching image="docker.io/library/nginx:latest"
DEBU[0000] resolving host=registry-1.docker.io
DEBU[0000] do request host=registry-1.docker.io request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.7.27 request.method=HEAD url="https://registry-1.docker.io/v2/library/nginx/manifests/latest"
INFO[0030] trying next host error="failed to do request: Head \"https://registry-1.docker.io/v2/library/nginx/manifests/latest\": dial tcp 118.193.240.41:443: i/o timeout" host=registry-1.docker.io
ctr: failed to resolve reference "docker.io/library/nginx:latest": failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/latest": dial tcp 118.193.240.41:443: i/o timeout
但是还有个奇怪的问题就是 使用 crictl 拉取镜像是能够正常拉取的
root@localhost:/etc/containerd/certs.d/registry.k8s.io# crictl pull nginx:latest
Image is up to date for sha256:47ef8710c9f5a9276b3e347e3ab71ee44c8483e20f8636380ae2737ef4c27758
这个问题困扰小弟很久了,跪求各位大佬帮忙看看是啥问题
16 条回复 • 2025-09-01 09:23:55 +08:00
 |
1
cheng6563 3 天前
把地址打全吧,别镜像了
|
 |
2
hefish 3 天前
翻墙就行啦。镜像之前吃过亏,为了避免不必要的麻烦,都从官方走,不用镜像。
|
 |
3
isxzlhhh OP 地址打全确实可以,但是就是想知道问题到底出在哪
|
|
4
isxzlhhh OP 有没有运维大佬能帮忙看下这个问题啦,跪求跪求跪求,帮帮小弟吧
|
 |
5
skiy 3 天前
只会 docker 。只知道修改 `/etc/docker/daemon.json`。没了。其它的啥也不懂。
cat /etc/docker/daemon.json { "registry-mirrors": [] } |
 |
6
SeanChang PRO 如果这些免费的镜像不可用或者不稳定也会回退到官方。
看下轩辕镜像这个文档~ https://xuanyuan.cloud/usage/containerd |
|
7
isxzlhhh OP 已经确定免费镜像是可以用的哦
|
 |
8
feedcode 3 天前
ctr 不走 containerd 的 plugin 配置,plugins."io.containerd.grpc.v1.cri".registry 对 ctr 无用
The ctr utility is a command-line interface for directly interacting with the containerd daemon. It uses containerd's native API, not the CRI plugin's API. Therefore, when you use ctr image pull, it does not consult the registry mirror configurations set up for the CRI plugin. |
 |
10
gsw945 3 天前 via iPhone  1
如果你有梯子(提供 socks5)的话,可以使用 skopeo( https://github.com/containers/skopeo),它支持通过环境变量 HTTP_PROXY 或 HTTPS_PROXY 走代理,一个纯二进制工具,仅仅下镜像的话,系统上连 socker 都不需要。我一般这样用:
使用示例(以镜像 redis:latest 为例): ```bash # 示例 1: 下载镜像到文件夹(文件夹需要存在的空目录) skopeo copy docker://redis:latest dir:/home/xxx/redis-image # 示例 2: 从目录镜像导入到 docker skopeo copy dir:/home/xxx/redis-image docker-daemon:redis:latest # 示例 3: 拉取镜像并导入到 docker skopeo copy docker://redis:latest docker-daemon:redis:latest ``` |
|
11
isxzlhhh OP @gsw945 我主要是想 k8s 下载镜像的时候方便一点,到现在配了镜像加速,k8s 还是下不了镜像,虽然还有别的方法能下载到镜像,但是我还是更纠结于这个原因是什么
|
 |
12
billzhuang 3 天前 via iPhone
你这个 k8s 是自己玩的还是公司的?
|
|
13
isxzlhhh OP @billzhuang 自己玩的
|
|
14
gsw945 3 天前 via iPhone
@isxzlhhh 个人感觉加速源不稳定,/etc/docker/daemon.json 我配置了大概 6 个左右的加速源,但效果时好时坏,有时候镜像一个大一点儿的 layer ,能拉几个小时。自从找到 skopeo 后,拉镜像时就不那么烦躁了,而且 clash 切换源,skopeo 不会断开,唯一缺点时,skopeo 进程如果 Ctrl+C 强杀了,不会断点续传。skopeo 传输镜像, 是使用 source 和 target 的概念,对于 k8s 也很方便,target 可以是自托管的镜像仓库,命令行也直接支持传递认证信息。
|
 |
16
ExplodingFKL 19 小时 2 分钟前
不要用 ctr ,用 nerdctl 来管理 containerd
|
Select Language