This repository has been archived by the owner on Mar 9, 2022. It is now read-only.

pulling localhost:5000 are forced to https only? #1327

Closed
liyimeng opened this issue Oct 26, 2019 · 4 comments · Fixed by #1328

@liyimeng

liyimeng commented Oct 26, 2019

There is a private registry running http at localhost; pulling images from it with crictl fails as below:

```
Normal   Scheduled  <unknown>             default-scheduler  Successfully assigned default/vm-0 to iserver
  Warning  Failed     39m (x2 over 40m)     kubelet, iserver   Failed to pull image "localhost:5000/vm-runner:dev": rpc error: code = Unknown desc = failed to pull and unpack image "localhost:5000/vm-runner:dev": failed to resolve reference "localhost:5000/vm-runner:dev": failed to do request: Head https://localhost:5000/v2/vm-runner/manifests/dev: http: server gave HTTP response to HTTPS client
```

```
iserver [~]$ crictl -v
crictl github.com/rancher/containerd v1.16.1-k3s.1
```

Does crictl behave differently from docker, in that it forces https on localhost as well?

@Random-Liu
Member

Random-Liu commented Oct 26, 2019

The CRI plugin uses https by default. If you want to use http, you need to explicitly configure it, see https://github.com/containerd/cri/blob/master/docs/registry.md#configure-registry-endpoint

But maybe we can use http by default for localhost. Let's see how Docker handles this.

@liyimeng
Author

Thanks a lot @Random-Liu! The info is really helpful! It could be nice to allow fallback to http on localhost, since in many cases, especially in a development env, people want a quick and working solution.

@thaJeztah
Member

> Let's see how Docker handles this.

Docker automatically adds 127.0.0.0/8 as insecure registries:

```
 Insecure Registries:
  127.0.0.0/8
```

Whether or not that was a good decision is another discussion (it had been going back-and-forth for a long time, and initially was rejected in moby/moby#2687 (comment) and moby/moby#5817 (comment), after which it finally got added in moby/moby#9124).

For most uses, I guess that's ok, but there could be situations where you want that range to use a secure connection as well. I don't think that's currently possible (as it will always add that range to the list of insecure registries).

@Random-Liu
Member

For the CRI plugin, we can make localhost insecure by default to keep consistency with Docker, but allow making it https.
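
The default proposed in the last comment (plain HTTP for localhost unless HTTPS is requested), sketched in Go as an added example. It is not code from containerd/cri or from #1328; the function names and the `forceHTTPS` flag are hypothetical. It treats the whole 127.0.0.0/8 range and ::1 as loopback, following the Docker behaviour quoted above, and matches only the exact name or an IP literal so that lookalike DNS names stay on HTTPS.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// isLoopbackRegistry reports whether the host part of an image reference
// (e.g. "localhost:5000") names the local machine: the literal name
// "localhost", or an IP literal in 127.0.0.0/8 or ::1. Lookalike DNS names
// such as "localhost.example.com" do not match.
func isLoopbackRegistry(hostport string) bool {
	host := hostport
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		host = h // a port was present and has been stripped
	}
	host = strings.Trim(host, "[]") // bare "[::1]" without a port
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// defaultScheme picks the scheme used when no endpoint is configured.
// forceHTTPS is a hypothetical knob modelling "but allow making it https".
func defaultScheme(hostport string, forceHTTPS bool) string {
	if !forceHTTPS && isLoopbackRegistry(hostport) {
		return "http"
	}
	return "https"
}

func main() {
	// Constructed sample registry hosts, not taken from the issue.
	hosts := []string{
		"localhost:5000", "127.0.0.1:5000", "127.8.9.10", "[::1]:5000",
		"localhost.example.com:5000", "127.0.0.1.example.com", "registry.example.com",
	}
	for _, h := range hosts {
		fmt.Printf("%-28s -> %s\n", h, defaultScheme(h, false))
	}
}
```
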
