关于 K3s 和 containerd
K3s 默认的 containerd 配置文件目录为/var/lib/rancher/k3s/agent/etc/containerd/config.toml,但直接操作 containerd 的配置文件去设置镜像仓库或加速器相比于操作 docker 要复杂许多。K3s 为了简化配置 containerd 镜像仓库的复杂度,K3s 会在启动时检查/etc/rancher/k3s/中是否存在 registries.yaml 文件,如果存在该文件,就会根据 registries.yaml 的内容转换为 containerd 的配置并存储到/var/lib/rancher/k3s/agent/etc/containerd/config.toml,从而降低了配置 containerd 镜像仓库的复杂度。
/etc/rancher/k3s/registries.yaml 文件内容示例如下:
mirrors:
docker.io:
endpoint:
- "http://hub-mirror.c.163.com"
registry.k8s.io:
endpoint:
- "https://mirror.baidubce.com"
- "https://docker.mirrors.ustc.edu.cn"
如果是需要登录的私有仓库,则可以这样配置(如果是 http ,只需要把 https 替换成 http 即可):
mirrors:
"harbor.kingsd.top":
endpoint:
- "https://harbor.kingsd.top"
configs:
"harbor.kingsd.top":
auth:
username: admin # this is the registry username
password: Harbor12345 # this is the registry password
如果后端仓库使用的是自签名的 ssl 证书,那么需要配置 CA 证书 用于 ssl 证书的校验。
mirrors:
"harbor-ksd.kingsd.top":
endpoint:
- "https://harbor-ksd.kingsd.top"
configs:
"harbor-ksd.kingsd.top":
auth:
username: admin # this is the registry username
password: Harbor12345 # this is the registry password
tls:
ca_file: /opt/certs/ca.crt
重启 k3s:
systemctl restart k3s
接下来,可以看到/var/lib/rancher/k3s/agent/etc/containerd/certs.d/目录生成对应的·hosts.toml文件:
# File generated by k3s. DO NOT EDIT.
server = "https://registry-1.docker.io/v2"
capabilities = ["pull", "resolve", "push"]
[host]
[host."http://hub-mirror.c.163.com"]
capabilities = ["pull", "resolve"]
评论