错误信息:
root@workstation-alg-test:/etc/containerd# ctr images pull ecr.harbor.com/lift/lift-baseapi-system:dev_6
INFO[0000] trying next host error="failed to do request: Head \"https://ecr.harbor.com/v2/lift/lift-baseapi-system/manifests/dev_6\": x509: certificate signed by unknown authority" host=ecr.harbor.com
ctr: failed to resolve reference "ecr.harbor.com/lift/lift-baseapi-system:dev_6": failed to do request: Head "https://ecr.harbor.com/v2/lift/lift-baseapi-system/manifests/dev_6": x509: certificate signed by unknown authority
无效的解决办法:
containerd config default > /etc/containerd/config.toml
vim /etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = ""
[plugins."io.containerd.grpc.v1.cri".registry.auths]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
[plugins."io.containerd.grpc.v1.cri".registry.configs."ecr.harbor.com".tls]####harbor仓库的地址(ip/域名+端口)
insecure_skip_verify = true ###跳过认证(如果不配置,需要使用harbor证书)
################
ca_file = "/etc/containerd/certs.d/ecr.harbor.com/ca.crt" #ca证书
cert_file = "/etc/containerd/certs.d/ecr.harbor.com/ecr.harbor.com.cert" #harbor证书
key_file = "/etc/containerd/certs.d/ecr.harbor.com/ecr.harbor.com.key" #密钥
[plugins."io.containerd.grpc.v1.cri".registry.configs."ecr.harbor.com".auth]####harbor仓库的地址(ip/域名+端口)
username = "admin" ###harbor的登录用户名
password = "Harbor12345" ###harbor的登录密码
[plugins."io.containerd.grpc.v1.cri".registry.headers]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."ecr.harbor.com"]####harbor仓库的地址(ip/域名+端口)
endpoint = ["http://ecr.harbor.com:443"] ###harbor仓库的地址
systemctl daemon-reload && systemctl restart containerd.service
有效的决绝办法:
1、如果可以修改命令,可使用如下命令:
#ctr命令增加 -k参数
ctr images pull -k ecr.harbor.com/lift/lift-baseapi-system:dev_6
#nerdctl命令增加 --insecure-registry参数
nerdctl login ecr.harbor.com:443 -u admin -p Harbor123 --insecure-registry
1、如果不能修改命令,就准备harbor的ca证书:ca.crt,然后Ubuntu 和 Debian 派生发行版执行
sudo cp ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
CentOS、Fedora、RedHat 发行版执行:
cp ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
执行完后,重启机器(重启服务可能会不生效,不如直接reboot),就可以正常使用Harbor了。