Error: ImagePullBackOff - using private docker registry

praveenm24 · August 29, 2024, 3:27am

HI i have setup k8s using kubeadm. Whne i deoply the job using doccker hub registry image will be pulled and job is deployed successfuly.
When i use private docker registry getting below error
Failed to pull image “dssdsd”: failed to pull and unpack image “” failed to resolve reference “fdfdfd”: failed to do request: Head “ddfdfdfd/manifests/v10”: http: server gave HTTP response to HTTPS client
Warning Failed 30s (x3 over 74s) kubelet Error: ErrImagePull
Normal BackOff 2s (x4 over 74s) kubelet Back-off pulling image “serverip:5000/image:v10”
Warning Failed 2s (x4 over 74s) kubelet Error: ImagePullBackOf

Alistair_KodeKloud · August 29, 2024, 4:55am

Your private registry is not configured to serve HTTPS hence the error “server gave HTTP response to HTTPS client”

If you don’t want to configure the registry for https, you need to tell containerd that the registry is insecure

ibrahim.mensi.94 · August 29, 2024, 5:28am

Adding to what Alistair said in his reply, if you are using containers based on containerd you already got the solution, otherwise, if you are using docker daemon, you can do the following:

sudo nano /etc/docker/daemon.json
Put the following inside it:

{
“insecure-registries” : [ “private.registry:Port” ]
}

You can reload the daemon:
sudo systemctl daemon-reload

Restart docker:
sudo systemctl restart docker

praveenm24 · August 29, 2024, 5:48am

added the below entry & restarted the containerd - same error

/etc/containerd/certs.d/hostip:5000# cat hosts.toml

server = “https://hostip:5000”
[host.“http://{hostip:5000”]
capabilities = [“pull”, “resolve”, “push”]
skip_verify = true

Alistair_KodeKloud · August 29, 2024, 5:59am

Is the server where the private registry installed really called hostip?

praveenm24 · August 29, 2024, 6:21am

hostip → docker registry server ip

Santosh_KodeKloud · August 29, 2024, 6:29am

Have you tried after restarting the containerd service?
systemctl restart containerd

praveenm24 · August 29, 2024, 6:32am

yes restarted the `containerd & kubelet service

Santosh_KodeKloud · August 29, 2024, 6:43am

Confirm whether your configs are present in the config.toml.
sudo containerd config dump

Refer: How to pull docker image from a insecure private registry with latest Kubernetes - Stack Overflow

praveenm24 · August 29, 2024, 6:49am

disabled_plugins = []
imports = [“/etc/containerd/config.toml”]
oom_score = 0
plugin_dir = “”
required_plugins = []
root = “/var/lib/containerd”
state = “/run/containerd”
temp = “”
version = 2

[cgroup]
path = “”

[debug]
address = “”
format = “”
gid = 0
level = “”
uid = 0

[grpc]
address = “/run/containerd/containerd.sock”
gid = 0
max_recv_message_size = 16777216
max_send_message_size = 16777216
tcp_address = “”
tcp_tls_ca = “”
tcp_tls_cert = “”
tcp_tls_key = “”
uid = 0

[metrics]
address = “”
grpc_histogram = false

[plugins]

[plugins.“io.containerd.gc.v1.scheduler”]
deletion_threshold = 0
mutation_threshold = 100
pause_threshold = 0.02
schedule_delay = “0s”
startup_delay = “100ms”

[plugins.“io.containerd.grpc.v1.cri”]
cdi_spec_dirs = [“/etc/cdi”, “/var/run/cdi”]
device_ownership_from_security_context = false
disable_apparmor = false
disable_cgroup = false
disable_hugetlb_controller = true
disable_proc_mount = false
disable_tcp_service = true
drain_exec_sync_io_timeout = “0s”
enable_cdi = false
enable_selinux = false
enable_tls_streaming = false
enable_unprivileged_icmp = false
enable_unprivileged_ports = false
ignore_image_defined_volumes = false
image_pull_progress_timeout = “5m0s”
max_concurrent_downloads = 3
max_container_log_line_size = 16384
netns_mounts_under_state_dir = false
restrict_oom_score_adj = false
sandbox_image = “registry.k8s.io/pause:3.8”
selinux_category_range = 1024
stats_collect_period = 10
stream_idle_timeout = “4h0m0s”
stream_server_address = “127.0.0.1”
stream_server_port = “0”
systemd_cgroup = false
tolerate_missing_hugetlb_controller = true
unset_seccomp_profile = “”

[plugins."io.containerd.grpc.v1.cri".cni]
  bin_dir = "/opt/cni/bin"
  conf_dir = "/etc/cni/net.d"
  conf_template = ""
  ip_pref = ""
  max_conf_num = 1
  setup_serially = false

[plugins."io.containerd.grpc.v1.cri".containerd]
  default_runtime_name = "runc"
  disable_snapshot_annotations = true
  discard_unpacked_layers = false
  ignore_blockio_not_enabled_errors = false
  ignore_rdt_not_enabled_errors = false
  no_pivot = false
  snapshotter = "overlayfs"

  [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
    base_runtime_spec = ""
    cni_conf_dir = ""
    cni_max_conf_num = 0
    container_annotations = []
    pod_annotations = []
    privileged_without_host_devices = false
    privileged_without_host_devices_all_devices_allowed = false
    runtime_engine = ""
    runtime_path = ""
    runtime_root = ""
    runtime_type = ""
    sandbox_mode = ""
    snapshotter = ""

    [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]

  [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]

    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
      base_runtime_spec = ""
      cni_conf_dir = ""
      cni_max_conf_num = 0
      container_annotations = []
      pod_annotations = []
      privileged_without_host_devices = false
      privileged_without_host_devices_all_devices_allowed = false
      runtime_engine = ""
      runtime_path = ""
      runtime_root = ""
      runtime_type = "io.containerd.runc.v2"
      sandbox_mode = "podsandbox"
      snapshotter = ""

      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
        BinaryName = ""
        CriuImagePath = ""
        CriuPath = ""
        CriuWorkPath = ""
        IoGid = 0
        IoUid = 0
        NoNewKeyring = false
        NoPivotRoot = false
        Root = ""
        ShimCgroup = ""
        SystemdCgroup = true

  [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
    base_runtime_spec = ""
    cni_conf_dir = ""
    cni_max_conf_num = 0
    container_annotations = []
    pod_annotations = []
    privileged_without_host_devices = false
    privileged_without_host_devices_all_devices_allowed = false
    runtime_engine = ""
    runtime_path = ""
    runtime_root = ""
    runtime_type = ""
    sandbox_mode = ""
    snapshotter = ""

    [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options]

[plugins."io.containerd.grpc.v1.cri".image_decryption]
  key_model = "node"

[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = ""

  [plugins."io.containerd.grpc.v1.cri".registry.auths]

  [plugins."io.containerd.grpc.v1.cri".registry.configs]

  [plugins."io.containerd.grpc.v1.cri".registry.headers]

  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]

[plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
  tls_cert_file = ""
  tls_key_file = ""

[plugins.“io.containerd.internal.v1.opt”]
path = “/opt/containerd”

[plugins.“io.containerd.internal.v1.restart”]
interval = “10s”

[plugins.“io.containerd.internal.v1.tracing”]
sampling_ratio = 1.0
service_name = “containerd”

[plugins.“io.containerd.metadata.v1.bolt”]
content_sharing_policy = “shared”

[plugins.“io.containerd.monitor.v1.cgroups”]
no_prometheus = false

[plugins.“io.containerd.nri.v1.nri”]
disable = true
disable_connections = false
plugin_config_path = “/etc/nri/conf.d”
plugin_path = “/opt/nri/plugins”
plugin_registration_timeout = “5s”
plugin_request_timeout = “2s”
socket_path = “/var/run/nri/nri.sock”

[plugins.“io.containerd.runtime.v1.linux”]
no_shim = false
runtime = “runc”
runtime_root = “”
shim = “containerd-shim”
shim_debug = false

[plugins.“io.containerd.runtime.v2.task”]
platforms = [“linux/amd64”]
sched_core = false

[plugins.“io.containerd.service.v1.diff-service”]
default = [“walking”]

[plugins.“io.containerd.service.v1.tasks-service”]
blockio_config_file = “”
rdt_config_file = “”

[plugins.“io.containerd.snapshotter.v1.aufs”]
root_path = “”

[plugins.“io.containerd.snapshotter.v1.blockfile”]
fs_type = “”
mount_options = []
root_path = “”
scratch_file = “”

[plugins.“io.containerd.snapshotter.v1.btrfs”]
root_path = “”

[plugins.“io.containerd.snapshotter.v1.devmapper”]
async_remove = false
base_image_size = “”
discard_blocks = false
fs_options = “”
fs_type = “”
pool_name = “”
root_path = “”

[plugins.“io.containerd.snapshotter.v1.native”]
root_path = “”

[plugins.“io.containerd.snapshotter.v1.overlayfs”]
mount_options = []
root_path = “”
sync_remove = false
upperdir_label = false

[plugins.“io.containerd.snapshotter.v1.zfs”]
root_path = “”

[plugins.“io.containerd.tracing.processor.v1.otlp”]
endpoint = “”
insecure = false
protocol = “”

[plugins.“io.containerd.transfer.v1.local”]
config_path = “”
max_concurrent_downloads = 3
max_concurrent_uploaded_layers = 3

[[plugins."io.containerd.transfer.v1.local".unpack_config]]
  differ = ""
  platform = "linux/amd64"
  snapshotter = "overlayfs"

[proxy_plugins]

[stream_processors]

[stream_processors.“io.containerd.ocicrypt.decoder.v1.tar”]
accepts = [“application/vnd.oci.image.layer.v1.tar+encrypted”]
args = [“–decryption-keys-path”, “/etc/containerd/ocicrypt/keys”]
env = [“OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf”]
path = “ctd-decoder”
returns = “application/vnd.oci.image.layer.v1.tar”

[stream_processors.“io.containerd.ocicrypt.decoder.v1.tar.gzip”]
accepts = [“application/vnd.oci.image.layer.v1.tar+gzip+encrypted”]
args = [“–decryption-keys-path”, “/etc/containerd/ocicrypt/keys”]
env = [“OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf”]
path = “ctd-decoder”
returns = “application/vnd.oci.image.layer.v1.tar+gzip”

[timeouts]
“io.containerd.timeout.bolt.open” = “0s”
“io.containerd.timeout.metrics.shimstats” = “2s”
“io.containerd.timeout.shim.cleanup” = “5s”
“io.containerd.timeout.shim.load” = “5s”
“io.containerd.timeout.shim.shutdown” = “3s”
“io.containerd.timeout.task.state” = “2s”

[ttrpc]
address = “”
gid = 0
uid = 0