About K3s and containerd

By default, K3s keeps its containerd configuration file at /var/lib/rancher/k3s/agent/etc/containerd/config.toml, but editing containerd's configuration directly to set up a registry mirror or accelerator is considerably more involved than doing the same for Docker. To simplify this, K3s checks at startup whether a registries.yaml file exists in /etc/rancher/k3s/. If it does, K3s converts the contents of registries.yaml into containerd configuration and writes it to /var/lib/rancher/k3s/agent/etc/containerd/config.toml, which greatly reduces the effort of configuring registries for containerd.

An example of the /etc/rancher/k3s/registries.yaml file:

mirrors:
  docker.io:
    endpoint:
      - "http://hub-mirror.c.163.com"
  registry.k8s.io:
    endpoint:
      - "https://mirror.baidubce.com"
      - "https://docker.mirrors.ustc.edu.cn"

For a private registry that requires login, configure it as follows (for a plain-HTTP registry, simply replace https with http):

mirrors:
  "harbor.kingsd.top":
    endpoint:
      - "https://harbor.kingsd.top"
configs:
  "harbor.kingsd.top":
    auth:
      username: admin # this is the registry username
      password: Harbor12345 # this is the registry password

If the backend registry uses a self-signed SSL certificate, a CA certificate must be configured so that the SSL certificate can be verified:

mirrors:
  "harbor-ksd.kingsd.top":
    endpoint:
      - "https://harbor-ksd.kingsd.top"
configs:
  "harbor-ksd.kingsd.top":
    auth:
      username: admin # this is the registry username
      password: Harbor12345 # this is the registry password
    tls:
      ca_file: /opt/certs/ca.crt

Restart k3s:

systemctl restart k3s

Afterwards, the corresponding hosts.toml file is generated in the /var/lib/rancher/k3s/agent/etc/containerd/certs.d/ directory:

# File generated by k3s. DO NOT EDIT.
server = "https://registry-1.docker.io/v2"
capabilities = ["pull", "resolve", "push"]

[host]

[host."http://hub-mirror.c.163.com"]
  capabilities = ["pull", "resolve"]

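To make the translation concrete, here is an added example (not K3s's own code) that renders a hosts.toml in the layout shown above from the page's registries.yaml data, which is embedded as an already-parsed dict so it runs without a YAML library. The `ca` key placement follows containerd's hosts.toml syntax and is an assumption about how K3s lays out the TLS setting; the `lint` helper is also an addition that flags plaintext mirrors and inline passwords before the file is deployed.

```python
"""Illustrative re-implementation of the registries.yaml -> hosts.toml
step K3s performs at startup. Not K3s's code; input is constructed from
the page's examples and pre-parsed so no PyYAML is required."""

# Parsed form of the page's registries.yaml examples (constructed input).
REGISTRIES = {
    "mirrors": {
        "docker.io": {"endpoint": ["http://hub-mirror.c.163.com"]},
        "harbor-ksd.kingsd.top": {"endpoint": ["https://harbor-ksd.kingsd.top"]},
    },
    "configs": {
        "harbor-ksd.kingsd.top": {
            "auth": {"username": "admin", "password": "Harbor12345"},
            "tls": {"ca_file": "/opt/certs/ca.crt"},
        }
    },
}

def default_server(registry: str) -> str:
    """Upstream to fall back to; docker.io maps to registry-1.docker.io."""
    if registry == "docker.io":
        return "https://registry-1.docker.io/v2"
    return f"https://{registry}/v2"   # assumption for other registries

def render_hosts_toml(registries: dict, name: str) -> str:
    """Render certs.d/<name>/hosts.toml. Credentials are not written here;
    containerd keeps auth out of hosts.toml, so only mirrors and TLS appear."""
    mirror = registries.get("mirrors", {}).get(name, {})
    cfg = registries.get("configs", {}).get(name, {})
    lines = ["# File generated by k3s. DO NOT EDIT.",
             f'server = "{default_server(name)}"',
             'capabilities = ["pull", "resolve", "push"]', "", "[host]", ""]
    ca = cfg.get("tls", {}).get("ca_file")
    for ep in mirror.get("endpoint", []):
        lines.append(f'[host."{ep}"]')
        lines.append('  capabilities = ["pull", "resolve"]')
        if ca:  # assumption: ca is attached to the mirror host entry
            lines.append(f'  ca = "{ca}"')
        lines.append("")
    return "\n".join(lines)

def lint(registries: dict) -> list:
    """Flag settings worth reviewing before restarting k3s with this file."""
    findings = []
    for name, m in registries.get("mirrors", {}).items():
        for ep in m.get("endpoint", []):
            if ep.startswith("http://"):
                findings.append(f"{name}: plaintext mirror {ep}, pulls are unauthenticated in transit")
    for name, c in registries.get("configs", {}).items():
        if "password" in c.get("auth", {}):
            findings.append(f"{name}: password stored inline, restrict registries.yaml to root")
    return findings
```
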
Reference: https://forums.rancher.cn/t/k3s-containerd/703/1