Containerd cannot pull image from insecure registry

[qianzhangxa]

Description
I deployed Harbor (172.17.1.201) in my Kubernetes cluster and pushed an image (172.17.1.201/library/alpine) into it. When I tried to manually pull the image from a worker node (it uses containerd as container runtime and there is no Docker on this node at all) of my Kubernetes cluster, it failed:

$ crictl pull 172.17.1.201/library/alpine 
FATA[0000] pulling image failed: rpc error: code = Unknown desc = failed to resolve image "172.17.1.201/library/alpine:latest": no available registry endpoint: failed to do request: Head https://172.17.1.201/v2/library/alpine/manifests/latest: x509: certificate signed by unknown authority

I have already setup 172.17.1.201 as an insecure registry of containerd, and restarted containerd.

    [plugins.cri.registry]
      [plugins.cri.registry.mirrors]
        [plugins.cri.registry.mirrors."172.17.1.201"]
          endpoint = ["http://172.17.1.201"]
        [plugins.cri.registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io"]

Steps to reproduce the issue:

1. Push an image into Harbor
2. Pull the image from Harbor

Describe the results you received:
Failed to pull image from Harbor.

Describe the results you expected:
Successfully pull image from Harbor.

Output of containerd --version:

containerd containerd.io 1.2.6 894b81a4b802e4eb2a91d1ce216b8817763c29fb

Any other relevant information:

$ crictl info 
{
  "status": {
    "conditions": [
      {
        "type": "RuntimeReady",
        "status": true,
        "reason": "",
        "message": ""
      },
      {
        "type": "NetworkReady",
        "status": true,
        "reason": "",
        "message": ""
      }
    ]
  },
  "config": {
    "containerd": {
      "snapshotter": "overlayfs",
      "defaultRuntime": {
        "runtimeType": "io.containerd.runtime.v1.linux",
        "runtimeEngine": "",
        "runtimeRoot": "",
        "options": null
      },
      "untrustedWorkloadRuntime": {
        "runtimeType": "",
        "runtimeEngine": "",
        "runtimeRoot": "",
        "options": null
      },
      "runtimes": null,
      "noPivot": false
    },
    "cni": {
      "binDir": "/opt/cni/bin",
      "confDir": "/etc/cni/net.d",
      "confTemplate": ""
    },
    "registry": {
      "mirrors": {
        "172.17.1.201": {
          "endpoint": [
            "http://172.17.1.201"
          ]
        },
        "docker.io": {
          "endpoint": [
            "https://registry-1.docker.io"
          ]
        }
      },
      "auths": null
    },
    "streamServerAddress": "127.0.0.1",
    "streamServerPort": "0",
    "enableSelinux": false,
    "sandboxImage": "k8s.gcr.io/pause:3.1",
    "statsCollectPeriod": 10,
    "systemdCgroup": false,
    "enableTLSStreaming": false,
    "x509KeyPairStreaming": {
      "tlsCertFile": "",
      "tlsKeyFile": ""
    },
    "maxContainerLogSize": 16384,
    "containerdRootDir": "/var/lib/containerd",
    "containerdEndpoint": "/run/containerd/containerd.sock",
    "rootDir": "/var/lib/containerd/io.containerd.grpc.v1.cri",
    "stateDir": "/run/containerd/io.containerd.grpc.v1.cri"
  },
  "golang": "go1.11.8"
}

$ crictl version 
Version:  0.1.0
RuntimeName:  containerd
RuntimeVersion:  1.2.6
RuntimeApiVersion:  v1alpha2

[fuweid]

@qianzhangxa thanks for reporting. Could you show your whole containerd configuration, please? And could you retry it with upgrading to last version of containerd? Thanks

[qianzhangxa]

@fuweid Here is the whole containerd configuration:

$ cat /etc/containerd/config.toml
root = "/var/lib/containerd"
state = "/run/containerd"
oom_score = 0

[grpc]
  address = "/run/containerd/containerd.sock"
  uid = 0
  gid = 0
  max_recv_message_size = 16777216
  max_send_message_size = 16777216

[debug]
  address = ""
  uid = 0
  gid = 0
  level = ""

[metrics]
  # Set the metrics TCP address
  address = "172.17.0.2:1338"
  grpc_histogram = false

[cgroup]
  path = ""

[plugins]
  [plugins.cgroups]
    no_prometheus = false
  [plugins.cri]
    stream_server_address = "127.0.0.1"
    stream_server_port = "0"
    enable_selinux = false
    sandbox_image = "k8s.gcr.io/pause:3.1"
    stats_collect_period = 10
    systemd_cgroup = false
    enable_tls_streaming = false
    max_container_log_line_size = 16384
    [plugins.cri.containerd]
      snapshotter = "overlayfs"
      no_pivot = false
      [plugins.cri.containerd.default_runtime]
        runtime_type = "io.containerd.runtime.v1.linux"
        runtime_engine = ""
        runtime_root = ""
      [plugins.cri.containerd.untrusted_workload_runtime]
        runtime_type = ""
        runtime_engine = ""
        runtime_root = ""
    [plugins.cri.cni]
      bin_dir = "/opt/cni/bin"
      conf_dir = "/etc/cni/net.d"
      conf_template = ""
    [plugins.cri.registry]
      [plugins.cri.registry.mirrors]
        [plugins.cri.registry.mirrors."172.17.1.201"]
          endpoint = ["http://172.17.1.201"]
        [plugins.cri.registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io"]
    [plugins.cri.x509_key_pair_streaming]
      tls_cert_file = ""
      tls_key_file = ""
  [plugins.diff-service]
    default = ["walking"]
  [plugins.linux]
    shim = "containerd-shim"
    runtime = "runc"
    runtime_root = ""
    no_shim = false
    shim_debug = false
  [plugins.opt]
    path = "/opt/containerd"
  [plugins.restart]
    interval = "10s"
  [plugins.scheduler]
    pause_threshold = 0.02
    deletion_threshold = 0
    mutation_threshold = 100
    schedule_delay = "0s"
    startup_delay = "100ms"

Do you mean there is no such issue with the latest version of containerd?

[qianzhangxa]

@nustiueudinastea I think they are different, what you are trying to pull from is a secure registry (https), right? But my issue is about insecure registry (http).

[nustiueudinastea]

It was totally my fault, so I deleted my previous comment to not confuse other people. Problem was that containerd did not have access to the root certificates.

[fuweid]

@qianzhangxa it seems your registry has certificates and cri-containerd will check the certificate presented by the server. You can retry it with adding certificate in your client side.

[qianzhangxa]

@fuweid What I want to try is the insecure registry feature of containerd, that's why I did not add Harbor's certificate to containerd.

[fuweid]

ping @Random-Liu , @mikebrow and @dmcgowan

it is ok to set http.Client InsecureSkipVerify to true if mirror endpoint's scheme is http?
https://github.com/containerd/cri/blob/0dcaf6e98719b02ad9a1cf93aa3c7dcb4225f7fc/pkg/server/image_pull.go#L313

cc @qianzhangxa

[dmcgowan]

it is ok to set http.Client InsecureSkipVerify to true if mirror endpoint's scheme is http?

no, this should be an explicit configuration

[Random-Liu]

@fuweid @dmcgowan We can add an option explicitly for InsecureSkipVerify.

Here is Docker's doc for insecure-registries:

With insecure registries enabled, Docker goes through the following steps:

First, try using HTTPS.
If HTTPS is available but the certificate is invalid, ignore the error about the certificate.
If HTTPS is not available, fall back to HTTP.

Not sure whether we want that.

[qianzhangxa]

@fuweid @dmcgowan @Random-Liu So containerd does not support insecure registry yet? I just followed the instructions here: https://github.com/containerd/cri/blob/master/docs/registry.md#configure-registry-endpoint, and it clearly describes an example for insecure registry:

  [plugins.cri.registry.mirrors."test.insecure-registry.io"]
    endpoint = ["http://HostIP2:Port2"]

So such insecure registry configuration in containerd actually cannot work as expected?

[Random-Liu]

Yeah, I think we should fix it.

…

On Mon, Nov 25, 2019 at 5:34 PM Qian Zhang ***@***.***> wrote: @fuweid <https://github.com/fuweid> @dmcgowan <https://github.com/dmcgowan> @Random-Liu <https://github.com/Random-Liu> So containerd does not support insecure registry yet? I just followed the instructions here: https://github.com/containerd/cri/blob/master/docs/registry.md#configure-registry-endpoint, and it clearly mentioned an example for insecure registry: [plugins.cri.registry.mirrors."test.insecure-registry.io"] endpoint = ["http://HostIP2:Port2"] So such insecure registry configuration in containerd actually cannot work as expected? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#3847?email_source=notifications&email_token=ABMNLOZX6H6W7RLIQO7ECOTQVR4KVA5CNFSM4JRCIJJ2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEFEMTNQ#issuecomment-558418358>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABMNLO2CXDJFVXKQEDZ5QLLQVR4KVANCNFSM4JRCIJJQ> .

[Random-Liu]

The fix: containerd/cri#1345