How to trust an insecure image registry?


Problem description

The image registry that hosts the platform component images may not serve HTTPS, or may present a TLS certificate that was not issued by a public certificate authority. If you trust this registry, configure your container runtime by following the steps below.

Configure trust for an insecure image registry

Configuration steps vary by container runtime. This document covers Docker and Containerd.

Docker runtime

Steps

  1. Run the following on every node in the import cluster:

    • Back up the Docker configuration file.

      mkdir -p '/var/backup-docker-confs/'
      if ! [ -f /etc/docker/daemon.json ]; then
          echo 'Docker config not found. Please check if Docker is correctly installed. If you still cannot resolve the issue, contact technical support.'
          exit 1
      else
          cp /etc/docker/daemon.json "/var/backup-docker-confs/daemon.json_$(date -u +%F_%R)"
      fi
    • Edit /etc/docker/daemon.json.

      Make sure the insecure-registries key exists and add the image registry address obtained earlier. An example with multiple registries:

      {
          "insecure-registries": [
              "<registry-address>",
              "192.168.134.43"
          ],
          "registry-mirrors": ["https://6telrzl8.mirror.aliyuncs.com"],
          "log-opts": {
            "max-size": "100m",
            "max-file": "2"
          },
          "live-restore": true,
          "metrics-addr": "0.0.0.0:9323",
          "experimental": true,
          "storage-driver": "overlay2"
      }
  2. (Optional) Validate Docker config syntax with jq.

    TIP

    Ensure jq is installed. For example: yum install jq -y.

    jq . < /etc/docker/daemon.json
  3. Restart Docker on all nodes.

    systemctl daemon-reload
    systemctl restart docker

Containerd runtime

Notes:

  • All nodes that need to use images, including newly added nodes, must be configured and have Containerd restarted.
  • The configuration differs slightly between Containerd v1.4/v1.5 and v1.6. Follow the appropriate steps for your version.
  1. Run the following on every node in the import cluster:

    • Back up the configuration file

      mkdir -p '/var/backup-containerd-confs/'
      if ! [ -f /etc/containerd/config.toml ]; then
          echo 'Containerd config not found. Please check if containerd is correctly installed. If you still cannot resolve the issue, contact technical support.'
          exit 1
      else
          cp /etc/containerd/config.toml /var/backup-containerd-confs/config.toml_$(date +%F_%T)
      fi
    • Get the Containerd runtime version

      # Get the containerd version (some packaged builds print it without the "v" prefix, so the prefix is optional)
      # Compare this version to v1.6 and choose the steps accordingly
      ctr --version | grep -Eo 'v?[0-9]+\.[0-9]+\.[0-9]+'

Containerd v1.4 v1.5 configuration for insecure registries

  2. Run the following on every node in the import cluster:

    • Edit /etc/containerd/config.toml

      # Example content to add to the config file
      # Lines in brackets are sections. If the file already has sections with the same name, merge their contents.
      [plugins."io.containerd.grpc.v1.cri".registry]
          [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
              [plugins."io.containerd.grpc.v1.cri".registry.mirrors."<registry-address>"]
                  endpoint = ["https://<registry-address>", "http://<registry-address>"]
              [plugins."io.containerd.grpc.v1.cri".registry.mirrors."192.168.134.43"]
                  endpoint = ["https://192.168.134.43", "http://192.168.134.43"]
          [plugins."io.containerd.grpc.v1.cri".registry.configs]
              [plugins."io.containerd.grpc.v1.cri".registry.configs."<registry-address>".tls]
                  insecure_skip_verify = true
              [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.134.43".tls]
                  insecure_skip_verify = true
    • Restart Containerd.

      systemctl daemon-reload && systemctl restart containerd

Containerd v1.6 configuration for insecure registries

  1. Run the following on every node in the import cluster:

    • Check whether config_path exists in the config.

      if ! grep -qF 'config_path' /etc/containerd/config.toml; then
          if grep -qE '\[plugins."io.containerd.grpc.v1.cri".registry.(mirrors|configs)(\.|\])' /etc/containerd/config.toml; then
              echo 'Follow the steps in "Containerd v1.4 v1.5 configuration for insecure registries".'
          else
              cat >> /etc/containerd/config.toml << 'EOF'
      [plugins."io.containerd.grpc.v1.cri".registry]
          config_path = "/etc/containerd/certs.d/"
      EOF
          fi
      fi
      
      config_path_var=$(grep -F '/etc/containerd/certs.d' /etc/containerd/config.toml)
      if [ -z "$config_path_var" ]; then
          echo 'The value of config_path in the file is unexpected. Please check!'
          exit 1
      fi
    • Create the hosts.toml file.

      If the previous command printed the message Follow the steps in "Containerd v1.4 v1.5 configuration for insecure registries"., stop here and follow that section instead.

      REGISTRY='<registry address obtained in the "Get the registry address" section>'

      mkdir -p "/etc/containerd/certs.d/$REGISTRY/"
      cat > "/etc/containerd/certs.d/$REGISTRY/hosts.toml" << EOF
      server = "$REGISTRY"
      [host."http://$REGISTRY"]
        capabilities = ["pull", "resolve", "push"]
        skip_verify = true
      [host."https://$REGISTRY"]
        capabilities = ["pull", "resolve", "push"]
        skip_verify = true
      EOF
    • Restart Containerd.

      systemctl daemon-reload && systemctl restart containerd
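As an added example (not part of this page, Docker or containerd), the audit below reads the two configurations this page produces and reports every registry for which transport security has been weakened, so the exceptions can be found again later. It also shows the hosts.toml alternative that keeps verification on by pinning the registry's own CA with containerd's ca key; the registry name and CA path in that sample are hypothetical.

```python
import json
import re

# Constructed samples that mirror the settings this page asks you to write.
DAEMON_JSON = '{"insecure-registries": ["192.168.134.43"], "live-restore": true}'
HOSTS_TOML_UNSAFE = """server = "192.168.134.43"
[host."http://192.168.134.43"]
  capabilities = ["pull", "resolve", "push"]
  skip_verify = true
[host."https://192.168.134.43"]
  capabilities = ["pull", "resolve", "push"]
  skip_verify = true
"""
# Hardened alternative: HTTPS only, certificate checked against a pinned private CA
# via containerd's own "ca" key (registry name and CA path are hypothetical).
HOSTS_TOML_PINNED = """server = "https://registry.example.internal"
[host."https://registry.example.internal"]
  capabilities = ["pull", "resolve"]
  ca = ["/etc/containerd/certs.d/registry.example.internal/ca.crt"]
"""

HOST_TABLE = re.compile(r'^\[host\."([^"]+)"\]$')
KEY_VALUE = re.compile(r'^(\w+)\s*=\s*(.+?)$')

def docker_findings(daemon_json_text):
    """Each insecure-registries entry may be pulled over HTTP or with an unverified certificate."""
    cfg = json.loads(daemon_json_text)
    return [(r, "docker: listed in insecure-registries") for r in cfg.get("insecure-registries", [])]

def containerd_findings(hosts_toml_text):
    """Flag [host."..."] tables that use plaintext HTTP or skip certificate checks.
    Minimal parser for the hosts.toml shape used on this page, not general TOML."""
    findings, host, settings = [], None, {}

    def flush():  # judge the table collected so far (no-op before the first header)
        if host and host.startswith("http://"):
            findings.append((host, "containerd: plaintext endpoint, pulls can be altered in transit"))
        elif host and settings.get("skip_verify") == "true":
            findings.append((host, "containerd: skip_verify = true, certificate not checked"))

    for raw in hosts_toml_text.splitlines():
        line = raw.strip()
        table = HOST_TABLE.match(line)
        if table:
            flush()
            host, settings = table.group(1), {}
        elif (kv := KEY_VALUE.match(line)) and host is not None:
            settings[kv.group(1)] = kv.group(2)
    flush()
    return findings
```

Docker offers the same pinned alternative: place the registry's CA certificate at /etc/docker/certs.d/<registry>/ca.crt instead of listing the registry under insecure-registries.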