Second mirror registry with rewrite configuration not working properly #11191

Closed
flyfax opened this issue Oct 30, 2024 · 19 comments
Labels
kind/bug Something isn't working

flyfax commented Oct 30, 2024

Environmental Info:
K3s Version:
k3s version v1.30.5+k3s1
go version go1.22.6

Node(s) CPU architecture, OS, and Version:
Linux 5.14.0-284.30.1.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Aug 25 09:13:12 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux

Cluster Configuration:
1 server, 1 agent

Describe the bug:
I set up two mirror registries with rewrite configuration in registries.yaml in k3s (both server and agent):

mirrors:
  icr.io:
    endpoint:
      - "https://docker-na-public.artifactory.test.com"
    rewrite:
      "cpopen": "se-next-gen-docker-local/$1"
  cp.icr.io:
    endpoint:
      - "https://docker-na-public.artifactory.test.com"
    rewrite:
      "cp/se-data-center-edge": "se-next-gen-docker-local/$1"
configs:
  docker-na-public.artifactory.test.com:
    auth:
      username: <userid>
      password: <userpwd>

The first mirror registry configuration works well. I can start a pod that needs to pull an image from icr.io/cpopen/edge-operator-catalog@sha256:4f9725b23c8560eae25be0a9fac01c74c9d4a9fee8200e31aad9842f7c338433, and it actually pulls the image from the mirror registry successfully:
https://docker-na-public.artifactory.test.com/se-next-gen-docker-local/edge-operator-catalog@sha256:4f9725b23c8560eae25be0a9fac01c74c9d4a9fee8200e31aad9842f7c338433

However, the second mirror registry configuration does not work properly. Another pod, which needs to pull an image from cp.icr.io/cp/se-data-center-edge/mini-test@sha256:c718d3f996061aef92966a2171713af1cfdbac93cbea7a753107e3d5430c3687, cannot pull the image from the mirror registry
https://docker-na-public.artifactory.test.com/se-next-gen-docker-local/mini-test@sha256:c718d3f996061aef92966a2171713af1cfdbac93cbea7a753107e3d5430c3687.

The error shows

Warning  Failed                  3s    kubelet                  Failed to pull image "cp.icr.io/cp/se-data-center-edge/mini-test@sha256:c718d3f996061aef92966a2171713af1cfdbac93cbea7a753107e3d5430c3687": failed to pull and unpack image "cp.icr.io/cp/se-data-center-edge/mini-test@sha256:c718d3f996061aef92966a2171713af1cfdbac93cbea7a753107e3d5430c3687": failed to resolve reference "cp.icr.io/cp/se-data-center-edge/mini-test@sha256:c718d3f996061aef92966a2171713af1cfdbac93cbea7a753107e3d5430c3687": failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://docker-na-public.artifactory.test.com/artifactory/api/docker/null/v2/token?scope=repository%3Acp%2Fse-data--center-edge%2Fmini-test%3Apull&service=docker-na-public.artifactory.test.com: 401 Unauthorized

The thing is, I could manually pull that image from the mirror registry:

ctr images pull --user <userid>:<userpwd> docker-na-public.artifactory.test.com/se-next-gen-docker-local/mini-test@sha256:c718d3f996061aef92966a2171713af1cfdbac93cbea7a753107e3d5430c3687

WARN[0000] DEPRECATION: The `configs` property of `[plugins."io.containerd.grpc.v1.cri".registry]` is deprecated since containerd v1.5 and will be removed in containerd v2.1. Use `config_path` instead.
docker-na-public.artifactory.test.com/se-next-gen-docker-local/mini-test@sha256:c718d3f996061aef92966a2171713af1cfdbac93cbea7a753107e3d5430c3687: resolved       |++++++++++++++++++++++++++++++++++++++|
elapsed: 7.1 s                                                                                                                                                    total:  204.4  (28.8 MiB/s)
unpacking linux/amd64 sha256:c718d3f996061aef92966a2171713af1cfdbac93cbea7a753107e3d5430c3687...
done: 9.420890146s

Is that rewrite configuration wrong for the second mirror registry?

Steps To Reproduce:

  • Installed K3s:

Expected behavior:

Actual behavior:

Additional context / logs:

Member

brandond commented Oct 30, 2024

You're using $1 in your rewrite but do not have a capture group in the regex so this will not be filled with anything. What exactly are you trying to do? Please check the docs for examples.

Author

flyfax commented Oct 30, 2024

I'm trying to let the pod pull the image from the mirror registry docker-na-public.artifactory.test.com/se-next-gen-docker-local/mini-test@sha256:c718d3f996061aef92966a2171713af1cfdbac93cbea7a753107e3d5430c3687 instead of the original image definition cp.icr.io/cp/se-data-center-edge/mini-test@sha256:c718d3f996061aef92966a2171713af1cfdbac93cbea7a753107e3d5430c3687,
using the rewrite part to replace cp/se-data-center-edge with se-next-gen-docker-local.

I looked at the example here: https://docs.k3s.io/installation/private-registry. I also tried both of these configurations in the rewrite part:

 rewrite:
      "cp/se-data-center-edge": "se-next-gen-docker-local/$1"

and

 rewrite:
      "cp/se-data-center-edge/(.*)": "se-next-gen-docker-local/$1"

But I got the same error; it seems the rewrite part does not affect it.

Member

brandond commented Oct 30, 2024

Can you confirm that you're not using a custom containerd.toml.tmpl?

Also, verify the contents of /var/lib/rancher/k3s/agent/etc/containerd/certs.d/cp.icr.io/hosts.toml - do you see the rewrite in there?

You might also check the containerd logs to see if it contains any interesting errors regarding the pull.

github-project-automation bot moved this from New to Done Issue in K3s Development Oct 30, 2024
brandond reopened this Oct 30, 2024

Member

brandond commented Oct 30, 2024

failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://docker-na-public.artifactory.test.com/artifactory/api/docker/null/v2/token?scope=repository%3Acp%2Fse-data--center-edge%2Fmini-test%3Apull&service=docker-na-public.artifactory.test.com: 401 Unauthorized

https://docker-na-public.artifactory.test.com/artifactory/api/docker/null/v2/token

The null in this URL looks weird. Are you still getting that after fixing the regex?

The message also suggests that there is an extra hyphen coming from somewhere... the scope is repository:cp/se-data--center-edge/mini-test:pull which does not match what you said you're trying to pull. Did you perhaps typo the image in your pod spec as cp.icr.io/cp/se-data--center-edge/mini-test:latest, or add an extra hyphen in your replacement string?

Author

flyfax commented Oct 30, 2024

I did not use containerd.toml.tmpl, and rewrite part is in the host

[root@qb-reg5-m1 containerd]# ls
certs.d  config.toml
[root@qb-reg5-m1 containerd]# pwd
/var/lib/rancher/k3s/agent/etc/containerd

[root@qb-reg5-m1 containerd]# cat certs.d/cp.icr.io/hosts.toml
# File generated by k3s. DO NOT EDIT.

server = "https://cp.icr.io/v2"
capabilities = ["pull", "resolve", "push"]


[host]
[host."https://docker-na-public.artifactory.test.com/v2"]
  capabilities = ["pull", "resolve"]
  [host."https://docker-na-public.artifactory.test.com/v2".rewrite]
    "cp/se-data-center-edge/(.*)" = "se-next-gen-docker-local/$1"

Author

flyfax commented Oct 30, 2024

The message also suggests that there is an extra hyphen coming from somewhere... the scope is repository:cp/se-data--center-edge/mini-test:pull which does not match what you said you're trying to pull. Did you perhaps typo the image in your pod spec as cp.icr.io/cp/se-data--center-edge/mini-test:latest, or add an extra hyphen in your replacement string?

Yes, I still get the same error after fixing the regex.

The interesting thing is that the first registry mirror is working well.
I could pull the image from docker-na-public.artifactory.test.com/se-next-gen-docker-local/edge-operator-catalog@sha256:4f9725b23c8560eae25be0a9fac01c74c9d4a9fee8200e31aad9842f7c338433 instead of the original path
icr.io/cpopen/edge-operator-catalog@sha256:4f9725b23c8560eae25be0a9fac01c74c9d4a9fee8200e31aad9842f7c338433

Not sure if the issue is because the registry name 'cp.icr.io' includes 'cp', which is part of the regex?

@brandond
Member

It occurs to me - you've got registries.yaml on BOTH the nodes, right? That is node-specific configuration; it is not global cluster config. You need to configure that on the agent AND the server individually.

Assuming you've done that, you might try doing the following on whatever node the pod is being pulled from:
echo CONTAINERD_LOG_LEVEL=debug >> /etc/sysconfig/k3s && systemctl restart k3s (on a server)
echo CONTAINERD_LOG_LEVEL=debug >> /etc/sysconfig/k3s-agent && systemctl restart k3s-agent (on an agent)

That'll give you more info in the containerd.log

Author

flyfax commented Oct 30, 2024

Yes, I put registries.yaml in both server and agent nodes.
Thanks for the suggestion, I will try to enable debug to see how it looks.

Member

brandond commented Oct 30, 2024

Just on the off chance the replacement is doing something weird, you might also try anchoring it?

  rewrite:
    "^cp/se-data-center-edge/(.+)$": "se-next-gen-docker-local/$1"
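
The capture-group and anchoring points raised in the comments above can be checked offline before a registries.yaml is rolled out. This is an added example, not part of the thread and not K3s or containerd code: it assumes the rewrite behaves like Go's `regexp.ReplaceAllString` applied to the repository path, and `rewriteRule`, `applyRewrite`, `lintRule` and the `team/...` path are hypothetical names constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// rewriteRule is one `"pattern": "replacement"` entry under `rewrite:`.
type rewriteRule struct {
	Pattern     string
	Replacement string
}

// groupRef finds numbered references such as $1 or ${1} in a replacement.
var groupRef = regexp.MustCompile(`\$\{?([0-9]+)\}?`)

// applyRewrite returns the rewritten repository path and whether the rule
// matched. Assumption: the rewrite follows Go regexp.ReplaceAllString
// semantics, where a reference to a missing group expands to nothing.
func applyRewrite(r rewriteRule, repo string) (string, bool, error) {
	re, err := regexp.Compile(r.Pattern)
	if err != nil {
		return "", false, fmt.Errorf("pattern %q: %w", r.Pattern, err)
	}
	if !re.MatchString(repo) {
		return repo, false, nil
	}
	return re.ReplaceAllString(repo, r.Replacement), true, nil
}

// lintRule reports the two problems discussed in the thread: a $N reference
// with no matching capture group, and a pattern that is not anchored.
func lintRule(r rewriteRule) []string {
	re, err := regexp.Compile(r.Pattern)
	if err != nil {
		return []string{"pattern does not compile: " + err.Error()}
	}
	var issues []string
	for _, m := range groupRef.FindAllStringSubmatch(r.Replacement, -1) {
		n, _ := strconv.Atoi(m[1])
		if n > re.NumSubexp() {
			issues = append(issues, fmt.Sprintf(
				"replacement uses $%d but pattern has %d capture group(s)",
				n, re.NumSubexp()))
		}
	}
	if !strings.HasPrefix(r.Pattern, "^") || !strings.HasSuffix(r.Pattern, "$") {
		issues = append(issues, "pattern is not anchored with ^ and $")
	}
	return issues
}

func main() {
	// The three rewrite entries tried in the thread, in order.
	rules := []rewriteRule{
		{"cp/se-data-center-edge", "se-next-gen-docker-local/$1"},
		{"cp/se-data-center-edge/(.*)", "se-next-gen-docker-local/$1"},
		{"^cp/se-data-center-edge/(.+)$", "se-next-gen-docker-local/$1"},
	}
	repos := []string{
		"cp/se-data-center-edge/mini-test",      // repository path from the thread
		"team/cp/se-data-center-edge/mini-test", // constructed: pattern text mid-path
	}
	for _, r := range rules {
		fmt.Printf("%q -> %q\n", r.Pattern, r.Replacement)
		for _, issue := range lintRule(r) {
			fmt.Println("  lint:", issue)
		}
		for _, repo := range repos {
			out, matched, err := applyRewrite(r, repo)
			if err != nil {
				fmt.Println("  error:", err)
				continue
			}
			fmt.Printf("  %-40s matched=%-5t -> %s\n", repo, matched, out)
		}
	}
}
```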


codering commented Nov 1, 2024

I have a similar problem.

k3s version v1.29.4+k3s1 (94e29e2e)
go version go1.21.9

I cannot access Docker Hub, so I have placed the images on my own registry.

/etc/rancher/k3s/registries.yaml

mirrors:
  "docker.io":
    endpoint:
      - https://swr.cn-east-3.myhuaweicloud.com
    rewrite:
      "(.*)": "hmirror/$1"
configs:
  swr.cn-east-3.myhuaweicloud.com:
    auth:
      username: xx
      password: yy

Install k3s on a single node

curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_SKIP_SELINUX_RPM=true K3S_KUBECONFIG_MODE="644" INSTALL_K3S_MIRROR=cn K3S_TOKEN=SECRET INSTALL_K3S_VERSION="v1.29.4+k3s1" sh -

I can see the images were pulled normally from my registry when k3s installed.

[root@ecs-free-0001 tmp]# crictl images
IMAGE                                        TAG                    IMAGE ID            SIZE
docker.io/rancher/klipper-helm               v0.8.3-build20240228   0929b4140ada6       91.2MB
docker.io/rancher/klipper-lb                 v0.4.7                 edc812b8e25d0       4.78MB
docker.io/rancher/local-path-provisioner     v0.0.26                c54dcef6214cb       17.2MB
docker.io/rancher/mirrored-coredns-coredns   1.10.1                 ead0a4a53df89       16.2MB
docker.io/rancher/mirrored-library-traefik   2.10.7                 ee69e8120b64a       43.2MB
docker.io/rancher/mirrored-metrics-server    v0.7.0                 b9a5a1927366a       19.3MB
docker.io/rancher/mirrored-pause             3.6                    6270bb605e12e       298kB
[root@ecs-free-0001 tmp]# kubectl get po -A
NAMESPACE         NAME                                        READY   STATUS             RESTARTS   AGE
kube-system       local-path-provisioner-6c86858495-m7p9f     1/1     Running            0          15m
kube-system       svclb-traefik-839f5d4c-rkz2c                2/2     Running            0          12m
kube-system       helm-install-traefik-crd-tssm4              0/1     Completed          0          15m
kube-system       helm-install-traefik-frdwz                  0/1     Completed          1          15m
kube-system       coredns-6799fbcd5-9z2gm                     1/1     Running            0          15m
kube-system       traefik-7d5f6474df-kfzgh                    1/1     Running            0          12m
kube-system       metrics-server-54fd9b65b-fd5nn              1/1     Running            0          15m

When I pull another image with the original URL from my registry, it's OK.

[root@ecs-free-0001 ~]# crictl pull swr.cn-east-3.myhuaweicloud.com/hmirror/rabbitmqoperator/cluster-operator:2.8.0
Image is up to date for sha256:c0a9306b27689ddde5429e1333bac7b5ca9dc49cf005918a49518fbebbfd9d8b
[root@ecs-free-0001 ~]# crictl images | grep cluster-operator
swr.cn-east-3.myhuaweicloud.com/hmirror/rabbitmqoperator/cluster-operator            2.8.0                                      c0a9306b27689       26MB
[root@ecs-free-0001 ~]#

But I can't pull it with rewrite. I don't know why.

[root@ecs-free-0001 tmp]# crictl pull rabbitmqoperator/cluster-operator:2.8.0
E1101 17:31:20.620215   16360 remote_image.go:180] "PullImage from image service failed" err="rpc error: code = Unknown desc = failed to pull and unpack image \"docker.io/rabbitmqoperator/cluster-operator:2.8.0\": failed to resolve reference \"docker.io/rabbitmqoperator/cluster-operator:2.8.0\": failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/?scope=repository%3Ahmirror%2Frabbitmqoperator%2Fcluster-operator%3A&scope=repository%3Arabbitmqoperator%2Fcluster-operator%3Apull&service=dockyard: 404 Not Found" image="rabbitmqoperator/cluster-operator:2.8.0"
FATA[0000] pulling image: failed to pull and unpack image "docker.io/rabbitmqoperator/cluster-operator:2.8.0": failed to resolve reference "docker.io/rabbitmqoperator/cluster-operator:2.8.0": failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/?scope=repository%3Ahmirror%2Frabbitmqoperator%2Fcluster-operator%3A&scope=repository%3Arabbitmqoperator%2Fcluster-operator%3Apull&service=dockyard: 404 Not Found

Did I make a mistake in my configuration somewhere? But why is it able to normally pull the rancher images during the k3s installation?

Member

brandond commented Nov 1, 2024

@codering this looks like an issue with the registry you're using as a mirror. I don't know why it would be returning a 404 when you're authenticating to use it as a mirror. I do see that the auth request has the scope set twice, once for the original image repo, and once with the rewritten name. I don't think I've seen this before, but I suspect this is confusing the auth service. You might turn on containerd debug and trace the requests to see where this is coming from.
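
The scope comparison described in the comment above can be done mechanically on the error line: pull the token URL out of the message, decode its `scope` parameters, and list any scope that names a repository other than the rewritten one. This is an added example, not part of the thread; `parseTokenFailure` and `foreignScopes` are hypothetical helpers, and the two sample lines are shortened from the errors quoted earlier in this issue.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Sample lines shortened from the errors quoted in the thread.
const swrError = `failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/?scope=repository%3Ahmirror%2Frabbitmqoperator%2Fcluster-operator%3A&scope=repository%3Arabbitmqoperator%2Fcluster-operator%3Apull&service=dockyard: 404 Not Found`

const artifactoryError = `failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://docker-na-public.artifactory.test.com/artifactory/api/docker/null/v2/token?scope=repository%3Acp%2Fse-data--center-edge%2Fmini-test%3Apull&service=docker-na-public.artifactory.test.com: 401 Unauthorized`

// scope is one decoded "type:name:actions" token scope.
type scope struct {
	Type, Name, Actions string
}

// tokenFailure is what the error line says about the failed token request.
type tokenFailure struct {
	Realm  string // token endpoint without the query string
	Status int    // HTTP status returned by the auth service
	Scopes []scope
}

var tokenErr = regexp.MustCompile(`GET request to (\S+): ([0-9]{3})`)

// parseTokenFailure extracts the token URL and status from a containerd
// "failed to fetch oauth token" message and decodes every scope parameter.
func parseTokenFailure(line string) (tokenFailure, error) {
	m := tokenErr.FindStringSubmatch(line)
	if m == nil {
		return tokenFailure{}, fmt.Errorf("no token request found in line")
	}
	u, err := url.Parse(m[1])
	if err != nil {
		return tokenFailure{}, err
	}
	status, _ := strconv.Atoi(m[2])
	f := tokenFailure{Realm: u.Scheme + "://" + u.Host + u.Path, Status: status}
	for _, raw := range u.Query()["scope"] {
		// Split on the first and last colon so that a name containing a
		// colon (for example a host:port prefix) stays in one piece.
		first, last := strings.Index(raw, ":"), strings.LastIndex(raw, ":")
		if first < 0 || first == last {
			return tokenFailure{}, fmt.Errorf("malformed scope %q", raw)
		}
		f.Scopes = append(f.Scopes, scope{
			Type: raw[:first], Name: raw[first+1 : last], Actions: raw[last+1:],
		})
	}
	return f, nil
}

// foreignScopes returns the scope names that are not the repository the
// rewrite rule was expected to produce.
func foreignScopes(f tokenFailure, rewrittenRepo string) []string {
	var names []string
	for _, s := range f.Scopes {
		if s.Name != rewrittenRepo {
			names = append(names, s.Name)
		}
	}
	return names
}

func main() {
	cases := []struct{ line, rewritten string }{
		{swrError, "hmirror/rabbitmqoperator/cluster-operator"},
		{artifactoryError, "se-next-gen-docker-local/mini-test"},
	}
	for _, c := range cases {
		f, err := parseTokenFailure(c.line)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s -> HTTP %d\n", f.Realm, f.Status)
		for _, s := range f.Scopes {
			fmt.Printf("  scope type=%s name=%s actions=%q\n", s.Type, s.Name, s.Actions)
		}
		fmt.Printf("  not the rewritten repository: %v\n", foreignScopes(f, c.rewritten))
	}
}
```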

Author

flyfax commented Nov 3, 2024

@brandond
After modifying the regex in the rewrite part, I could pull the image from both server and agent using 'crictl':

#crictl pull cp.icr.io/cp/se-data--center-edge/mini-test:@sha256:ca9a0906f7810d2a827648960ee2c6a8c9980817474ce30eee546e19d7f78132
Image is up to date for sha256:2f6e40f487db28d0d728d3f7c05248edd7a270a8c72726e9ef311d718c8f2dde

But I don't understand why image pull inside the pod still failed. Do you have any other suggestions? Thank you.

  Warning  Failed     3m38s (x4 over 5m10s)  kubelet            Failed to pull image "cp.icr.io/cp/se-data-center-edge/mini-test:@sha256:ca9a0906f7810d2a827648960ee2c6a8c9980817474ce30eee546e19d7f78132": failed to pull and unpack image "cp.icr.io/cp/se-data-center-edge/mini-test:@sha256:ca9a0906f7810d2a827648960ee2c6a8c9980817474ce30eee546e19d7f78132": failed to resolve reference "cp.icr.io/cp/se-data-center-edge/mini-test:@sha256:ca9a0906f7810d2a827648960ee2c6a8c9980817474ce30eee546e19d7f78132": failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://docker-na-public.artifactory.swg-devops.com/artifactory/api/docker/null/v2/token?scope=repository%3Acp%2Fse-data-center-edge%2Fmini-test%3Apull&service=docker-na-public.artifactory.swg-devops.com: 401 Unauthorized

Member

brandond commented Nov 3, 2024

One of these has a double hyphen and the other does not. I pointed this out earlier. Is this intentional?


codering commented Nov 4, 2024

@codering this looks like an issue with the registry you're using as a mirror. I don't know why it would be returning a 404 when you're authenticating to use it as a mirror. I do see that the auth request has the scope set twice, once for the original image repo, and once with the rewritten name. I don't think I've seen this before, but I suspect this is confusing the auth service. You might turn on containerd debug and trace the requests to see where this is coming from.

@brandond I set the containerd log level to debug. Here are the detailed logs. Any ideas on the issue?

crictl pull docker.io/rabbitmqoperator/cluster-operator:2.7.0
time="2024-11-04T09:23:59.282048240+08:00" level=info msg="PullImage \"docker.io/rabbitmqoperator/cluster-operator:2.7.0\""
time="2024-11-04T09:23:59.282126759+08:00" level=debug msg="PullImage \"docker.io/rabbitmqoperator/cluster-operator:2.7.0\" with snapshotter overlayfs"
time="2024-11-04T09:23:59.283737151+08:00" level=debug msg="loading host directory" dir=/var/lib/rancher/k3s/agent/etc/containerd/certs.d/docker.io
time="2024-11-04T09:23:59.283970296+08:00" level=debug msg=resolving host=swr.cn-east-3.myhuaweicloud.com
time="2024-11-04T09:23:59.283997031+08:00" level=debug msg="do request" host=swr.cn-east-3.myhuaweicloud.com request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.7.15-k3s1 request.method=HEAD url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/2.7.0?ns=docker.io"
time="2024-11-04T09:23:59.324497576+08:00" level=debug msg="fetch response received" host=swr.cn-east-3.myhuaweicloud.com response.header.connection=keep-alive response.header.content-length=61 response.header.content-type="application/json;charset=UTF-8" response.header.date="Mon, 04 Nov 2024 01:23:59 GMT" response.header.forserver=swr response.header.keep-alive="timeout=300" response.header.server="Web Server" response.header.www-authenticate="Bearer realm=\"https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/\",service=\"dockyard\",scope=\"repository:hmirror/rabbitmqoperator/cluster-operator:\"" response.status="401 Unauthorized" url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/2.7.0?ns=docker.io"
time="2024-11-04T09:23:59.324542691+08:00" level=debug msg=Unauthorized header="Bearer realm=\"https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/\",service=\"dockyard\",scope=\"repository:hmirror/rabbitmqoperator/cluster-operator:\"" host=swr.cn-east-3.myhuaweicloud.com
time="2024-11-04T09:23:59.324578114+08:00" level=debug msg="do request" host=swr.cn-east-3.myhuaweicloud.com request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.7.15-k3s1 request.method=HEAD url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/2.7.0?ns=docker.io"
time="2024-11-04T09:23:59.617911572+08:00" level=info msg="trying next host" error="failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/?scope=repository%3Ahmirror%2Frabbitmqoperator%2Fcluster-operator%3A&scope=repository%3Arabbitmqoperator%2Fcluster-operator%3Apull&service=dockyard: 404 Not Found" host=swr.cn-east-3.myhuaweicloud.com
time="2024-11-04T09:23:59.617949396+08:00" level=debug msg=resolving host=registry-1.docker.io
time="2024-11-04T09:23:59.617966636+08:00" level=debug msg="do request" host=registry-1.docker.io request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.7.15-k3s1 request.method=HEAD url="https://registry-1.docker.io/v2/rabbitmqoperator/cluster-operator/manifests/2.7.0"
time="2024-11-04T09:23:59.829470795+08:00" level=info msg="trying next host" error="failed to do request: Head \"https://registry-1.docker.io/v2/rabbitmqoperator/cluster-operator/manifests/2.7.0\": read tcp 192.168.0.101:59858->54.236.113.205:443: read: connection reset by peer" host=registry-1.docker.io
time="2024-11-04T09:23:59.830960725+08:00" level=error msg="PullImage \"docker.io/rabbitmqoperator/cluster-operator:2.7.0\" failed" error="failed to pull and unpack image \"docker.io/rabbitmqoperator/cluster-operator:2.7.0\": failed to resolve reference \"docker.io/rabbitmqoperator/cluster-operator:2.7.0\": failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/?scope=repository%3Ahmirror%2Frabbitmqoperator%2Fcluster-operator%3A&scope=repository%3Arabbitmqoperator%2Fcluster-operator%3Apull&service=dockyard: 404 Not Found"
time="2024-11-04T09:23:59.831067745+08:00" level=info msg="stop pulling image docker.io/rabbitmqoperator/cluster-operator:2.7.0: active requests=0, bytes read=194"

crictl pull swr.cn-east-3.myhuaweicloud.com/hmirror/rabbitmqoperator/cluster-operator:2.7.0
time="2024-11-04T09:40:51.926426596+08:00" level=info msg="PullImage \"swr.cn-east-3.myhuaweicloud.com/hmirror/rabbitmqoperator/cluster-operator:2.7.0\""
time="2024-11-04T09:40:51.926489223+08:00" level=debug msg="PullImage \"swr.cn-east-3.myhuaweicloud.com/hmirror/rabbitmqoperator/cluster-operator:2.7.0\" with snapshotter overlayfs"
time="2024-11-04T09:40:51.927968493+08:00" level=debug msg="loading host directory" dir=/var/lib/rancher/k3s/agent/etc/containerd/certs.d/swr.cn-east-3.myhuaweicloud.com
time="2024-11-04T09:40:51.928107089+08:00" level=debug msg=resolving host=swr.cn-east-3.myhuaweicloud.com
time="2024-11-04T09:40:51.928129911+08:00" level=debug msg="do request" host=swr.cn-east-3.myhuaweicloud.com request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.7.15-k3s1 request.method=HEAD url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/2.7.0"
time="2024-11-04T09:40:51.955075769+08:00" level=debug msg="fetch response received" host=swr.cn-east-3.myhuaweicloud.com response.header.connection=keep-alive response.header.content-length=61 response.header.content-type="application/json;charset=UTF-8" response.header.date="Mon, 04 Nov 2024 01:40:52 GMT" response.header.forserver=swr response.header.keep-alive="timeout=300" response.header.server="Web Server" response.header.www-authenticate="Bearer realm=\"https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/\",service=\"dockyard\",scope=\"repository:hmirror/rabbitmqoperator/cluster-operator:\"" response.status="401 Unauthorized" url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/2.7.0"
time="2024-11-04T09:40:51.955120497+08:00" level=debug msg=Unauthorized header="Bearer realm=\"https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/\",service=\"dockyard\",scope=\"repository:hmirror/rabbitmqoperator/cluster-operator:\"" host=swr.cn-east-3.myhuaweicloud.com
time="2024-11-04T09:40:51.955151765+08:00" level=debug msg="do request" host=swr.cn-east-3.myhuaweicloud.com request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.7.15-k3s1 request.method=HEAD url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/2.7.0"
time="2024-11-04T09:40:52.458440519+08:00" level=debug msg="fetch response received" host=swr.cn-east-3.myhuaweicloud.com response.header.cache-control="no-cache, no-store, must-revalidate" response.header.connection=keep-alive response.header.content-length=946 response.header.content-type=application/vnd.docker.distribution.manifest.v2+json response.header.date="Mon, 04 Nov 2024 01:40:52 GMT" response.header.docker-content-digest="sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c" response.header.forserver=swr response.header.keep-alive="timeout=300" response.header.pragma=no-cache response.header.record-context-id=d91caf1a-e647-405f-9bc3-ed7cac40a09f response.header.server="Web Server" response.header.strict-transport-security="max-age=31536000; includeSubdomains;" response.header.x-content-type-options=nosniff response.header.x-download-options=noopen response.header.x-xss-protection="1; mode=block" response.status="200 OK" url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/2.7.0"
time="2024-11-04T09:40:52.458494997+08:00" level=debug msg=resolved desc.digest="sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c" host=swr.cn-east-3.myhuaweicloud.com
time="2024-11-04T09:40:52.458534621+08:00" level=debug msg="loading host directory" dir=/var/lib/rancher/k3s/agent/etc/containerd/certs.d/swr.cn-east-3.myhuaweicloud.com
time="2024-11-04T09:40:52.458746900+08:00" level=debug msg=fetch digest="sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c" mediatype=application/vnd.docker.distribution.manifest.v2+json size=946
time="2024-11-04T09:40:52.464990700+08:00" level=debug msg="do request" digest="sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c" mediatype=application/vnd.docker.distribution.manifest.v2+json request.header.accept="application/vnd.docker.distribution.manifest.v2+json, */*" request.header.user-agent=containerd/v1.7.15-k3s1 request.method=GET size=946 url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c"
time="2024-11-04T09:40:52.496004396+08:00" level=debug msg="fetch response received" digest="sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c" mediatype=application/vnd.docker.distribution.manifest.v2+json response.header.connection=keep-alive response.header.content-length=61 response.header.content-type="application/json;charset=UTF-8" response.header.date="Mon, 04 Nov 2024 01:40:52 GMT" response.header.forserver=swr response.header.keep-alive="timeout=300" response.header.server="Web Server" response.header.www-authenticate="Bearer realm=\"https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/\",service=\"dockyard\",scope=\"repository:hmirror/rabbitmqoperator/cluster-operator:pull\"" response.status="401 Unauthorized" size=946 url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c"
time="2024-11-04T09:40:52.496056098+08:00" level=debug msg=Unauthorized digest="sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c" header="Bearer realm=\"https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/\",service=\"dockyard\",scope=\"repository:hmirror/rabbitmqoperator/cluster-operator:pull\"" mediatype=application/vnd.docker.distribution.manifest.v2+json size=946
time="2024-11-04T09:40:52.496125955+08:00" level=debug msg="do request" digest="sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c" mediatype=application/vnd.docker.distribution.manifest.v2+json request.header.accept="application/vnd.docker.distribution.manifest.v2+json, */*" request.header.user-agent=containerd/v1.7.15-k3s1 request.method=GET size=946 url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c"
time="2024-11-04T09:40:52.732902088+08:00" level=debug msg="fetch response received" digest="sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c" mediatype=application/vnd.docker.distribution.manifest.v2+json response.header.cache-control="no-cache, no-store, must-revalidate" response.header.connection=keep-alive response.header.content-length=946 response.header.content-type=application/vnd.docker.distribution.manifest.v2+json response.header.date="Mon, 04 Nov 2024 01:40:53 GMT" response.header.docker-content-digest="sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c" response.header.forserver=swr response.header.keep-alive="timeout=300" response.header.pragma=no-cache response.header.record-context-id=a76b6c60-08df-4a8e-99e8-659062d1d4f4 response.header.server="Web Server" response.header.strict-transport-security="max-age=31536000; includeSubdomains;" response.header.x-content-type-options=nosniff response.header.x-download-options=noopen response.header.x-xss-protection="1; mode=block" response.status="200 OK" size=946 url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c"
time="2024-11-04T09:40:52.749338863+08:00" level=debug msg=fetch digest="sha256:2324be6c5743ad72bedb72bec9beaf989bd5bace9ed49992566ee2bcda03dcdd" mediatype=application/vnd.docker.container.image.v1+json size=2169
time="2024-11-04T09:40:52.755289897+08:00" level=debug msg="do request" digest="sha256:2324be6c5743ad72bedb72bec9beaf989bd5bace9ed49992566ee2bcda03dcdd" mediatype=application/vnd.docker.container.image.v1+json request.header.accept="application/vnd.docker.container.image.v1+json, */*" request.header.user-agent=containerd/v1.7.15-k3s1 request.method=GET size=2169 url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/blobs/sha256:2324be6c5743ad72bedb72bec9beaf989bd5bace9ed49992566ee2bcda03dcdd"
time="2024-11-04T09:40:52.937208009+08:00" level=debug msg="fetch response received" digest="sha256:2324be6c5743ad72bedb72bec9beaf989bd5bace9ed49992566ee2bcda03dcdd" mediatype=application/vnd.docker.container.image.v1+json response.header.accept-ranges=bytes response.header.connection=keep-alive response.header.content-length=2169 response.header.content-type=binary/octet-stream response.header.date="Mon, 04 Nov 2024 01:40:53 GMT" response.header.etag="\"501498a4e7f27eb87471ad6614a88204\"" response.header.last-modified="Mon, 17 Jun 2024 10:23:51 GMT" response.header.server=OBS response.header.x-amz-id-2=32AAAQAAEAABAAAQAAEAABAAAQAAEAABCSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA response.header.x-amz-request-id=00000192F4D50189B924EB46C4172C71 response.header.x-amz-tagging-count=0 response.header.x-reserved="amazon, aws and amazon web services are trademarks or registered trademarks of Amazon Technologies, Inc" response.status="200 OK" size=2169 url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/blobs/sha256:2324be6c5743ad72bedb72bec9beaf989bd5bace9ed49992566ee2bcda03dcdd"
time="2024-11-04T09:40:52.948956200+08:00" level=debug msg=fetch digest="sha256:f64c8f418cb03a7c30ffe585d63beddccadbae2468a802f6c59ad713e15d307f" mediatype=application/vnd.docker.image.rootfs.diff.tar.gzip size=123555
time="2024-11-04T09:40:52.949006150+08:00" level=debug msg=fetch digest="sha256:315d362218bb7f6cb1d3ad08799c92a30e7dc43e48a1fc8cee05c38e247a9138" mediatype=application/vnd.docker.image.rootfs.diff.tar.gzip size=25836762
time="2024-11-04T09:40:52.949027721+08:00" level=debug msg=fetch digest="sha256:ed3710ae7c65e8f0f4ef30639ff831de697979201507848469a341c1a1e9e1d7" mediatype=application/vnd.docker.image.rootfs.diff.tar.gzip size=219
time="2024-11-04T09:40:52.955347530+08:00" level=debug msg="do request" digest="sha256:f64c8f418cb03a7c30ffe585d63beddccadbae2468a802f6c59ad713e15d307f" mediatype=application/vnd.docker.image.rootfs.diff.tar.gzip request.header.accept="application/vnd.docker.image.rootfs.diff.tar.gzip, */*" request.header.user-agent=containerd/v1.7.15-k3s1 request.method=GET size=123555 url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/blobs/sha256:f64c8f418cb03a7c30ffe585d63beddccadbae2468a802f6c59ad713e15d307f"
time="2024-11-04T09:40:52.963426729+08:00" level=debug msg="do request" digest="sha256:315d362218bb7f6cb1d3ad08799c92a30e7dc43e48a1fc8cee05c38e247a9138" mediatype=application/vnd.docker.image.rootfs.diff.tar.gzip request.header.accept="application/vnd.docker.image.rootfs.diff.tar.gzip, */*" request.header.user-agent=containerd/v1.7.15-k3s1 request.method=GET size=25836762 url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/blobs/sha256:315d362218bb7f6cb1d3ad08799c92a30e7dc43e48a1fc8cee05c38e247a9138"
time="2024-11-04T09:40:52.968779188+08:00" level=debug msg="do request" digest="sha256:ed3710ae7c65e8f0f4ef30639ff831de697979201507848469a341c1a1e9e1d7" mediatype=application/vnd.docker.image.rootfs.diff.tar.gzip request.header.accept="application/vnd.docker.image.rootfs.diff.tar.gzip, */*" request.header.user-agent=containerd/v1.7.15-k3s1 request.method=GET size=219 url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/blobs/sha256:ed3710ae7c65e8f0f4ef30639ff831de697979201507848469a341c1a1e9e1d7"
time="2024-11-04T09:40:53.062104025+08:00" level=debug msg="fetch response received" digest="sha256:f64c8f418cb03a7c30ffe585d63beddccadbae2468a802f6c59ad713e15d307f" mediatype=application/vnd.docker.image.rootfs.diff.tar.gzip response.header.accept-ranges=bytes response.header.connection=keep-alive response.header.content-length=123555 response.header.content-type=binary/octet-stream response.header.date="Mon, 04 Nov 2024 01:40:53 GMT" response.header.etag="\"52ea2d3679acc6544bb93e694f9ca78b\"" response.header.last-modified="Mon, 17 Jun 2024 10:23:04 GMT" response.header.server=OBS response.header.x-amz-id-2=32AAAQAAEAABAAAQAAEAABAAAQAAEAABCSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA response.header.x-amz-request-id=00000192F4D50213B924EB46C4172C73 response.header.x-amz-tagging-count=0 response.header.x-reserved="amazon, aws and amazon web services are trademarks or registered trademarks of Amazon Technologies, Inc" response.status="200 OK" size=123555 url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/blobs/sha256:f64c8f418cb03a7c30ffe585d63beddccadbae2468a802f6c59ad713e15d307f"
time="2024-11-04T09:40:53.194398712+08:00" level=debug msg="fetch response received" digest="sha256:315d362218bb7f6cb1d3ad08799c92a30e7dc43e48a1fc8cee05c38e247a9138" mediatype=application/vnd.docker.image.rootfs.diff.tar.gzip response.header.accept-ranges=bytes response.header.connection=keep-alive response.header.content-length=25836762 response.header.content-type=binary/octet-stream response.header.date="Mon, 04 Nov 2024 01:40:53 GMT" response.header.etag="\"718af2a39601292680b52d232986eddc\"" response.header.last-modified="Mon, 17 Jun 2024 10:23:47 GMT" response.header.server=OBS response.header.x-amz-id-2=32AAAQAAEAABAAAQAAEAABAAAQAAEAABCSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA response.header.x-amz-request-id=00000192F4D50275B664641F9D9F8BBF response.header.x-amz-tagging-count=0 response.header.x-reserved="amazon, aws and amazon web services are trademarks or registered trademarks of Amazon Technologies, Inc" response.status="200 OK" size=25836762 url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/blobs/sha256:315d362218bb7f6cb1d3ad08799c92a30e7dc43e48a1fc8cee05c38e247a9138"
time="2024-11-04T09:40:53.834965790+08:00" level=debug msg="diff applied" d=312.014418ms digest="sha256:315d362218bb7f6cb1d3ad08799c92a30e7dc43e48a1fc8cee05c38e247a9138" media=application/vnd.docker.image.rootfs.diff.tar.gzip size=25836762
time="2024-11-04T09:40:53.841669479+08:00" level=debug msg="layer unpacked" duration=898.965785ms layer="sha256:315d362218bb7f6cb1d3ad08799c92a30e7dc43e48a1fc8cee05c38e247a9138"
time="2024-11-04T09:40:54.206225497+08:00" level=debug msg="fetch response received" digest="sha256:ed3710ae7c65e8f0f4ef30639ff831de697979201507848469a341c1a1e9e1d7" mediatype=application/vnd.docker.image.rootfs.diff.tar.gzip response.header.accept-ranges=bytes response.header.connection=keep-alive response.header.content-length=219 response.header.content-type=binary/octet-stream response.header.date="Mon, 04 Nov 2024 01:40:54 GMT" response.header.etag="\"99e2a9f018cd5e0a7912c811ab1112cf\"" response.header.last-modified="Mon, 17 Jun 2024 10:23:05 GMT" response.header.server=OBS response.header.x-amz-id-2=32AAAQAAEAABAAAQAAEAABAAAQAAEAABCSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA response.header.x-amz-request-id=00000192F4D5027AB16588C7EC5058ED response.header.x-amz-tagging-count=0 response.header.x-reserved="amazon, aws and amazon web services are trademarks or registered trademarks of Amazon Technologies, Inc" response.status="200 OK" size=219 url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/blobs/sha256:ed3710ae7c65e8f0f4ef30639ff831de697979201507848469a341c1a1e9e1d7"
time="2024-11-04T09:40:54.213011589+08:00" level=debug msg="diff applied" d="908.773µs" digest="sha256:ed3710ae7c65e8f0f4ef30639ff831de697979201507848469a341c1a1e9e1d7" media=application/vnd.docker.image.rootfs.diff.tar.gzip size=219
time="2024-11-04T09:40:54.217570977+08:00" level=debug msg="layer unpacked" duration=375.869091ms layer="sha256:ed3710ae7c65e8f0f4ef30639ff831de697979201507848469a341c1a1e9e1d7"
time="2024-11-04T09:40:54.223826732+08:00" level=debug msg="diff applied" d=1.954618ms digest="sha256:f64c8f418cb03a7c30ffe585d63beddccadbae2468a802f6c59ad713e15d307f" media=application/vnd.docker.image.rootfs.diff.tar.gzip size=123555
time="2024-11-04T09:40:54.228790020+08:00" level=debug msg="layer unpacked" duration=11.18742ms layer="sha256:f64c8f418cb03a7c30ffe585d63beddccadbae2468a802f6c59ad713e15d307f"
time="2024-11-04T09:40:54.230122120+08:00" level=debug msg="image unpacked" chainID="sha256:da5de361912d14caf254878f4dfc0ac2e97c87b83ef452fa591aa2c99155213a" config="sha256:2324be6c5743ad72bedb72bec9beaf989bd5bace9ed49992566ee2bcda03dcdd" duration=1.28756063s
time="2024-11-04T09:40:54.230158721+08:00" level=debug msg="create image" name="swr.cn-east-3.myhuaweicloud.com/hmirror/rabbitmqoperator/cluster-operator:2.7.0" target="sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c"
time="2024-11-04T09:40:54.231445140+08:00" level=debug msg="Received containerd event timestamp - 2024-11-04 01:40:54.231343703 +0000 UTC, namespace - \"k8s.io\", topic - \"/images/create\""
time="2024-11-04T09:40:54.231525688+08:00" level=info msg="ImageCreate event name:\"swr.cn-east-3.myhuaweicloud.com/hmirror/rabbitmqoperator/cluster-operator:2.7.0\" labels:{key:\"io.cri-containerd.image\" value:\"managed\"}"
time="2024-11-04T09:40:54.232429041+08:00" level=info msg="stop pulling image swr.cn-east-3.myhuaweicloud.com/hmirror/rabbitmqoperator/cluster-operator:2.7.0: active requests=0, bytes read=25973122"
time="2024-11-04T09:40:54.232490307+08:00" level=debug msg="create image" name="sha256:2324be6c5743ad72bedb72bec9beaf989bd5bace9ed49992566ee2bcda03dcdd" target="sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c"
time="2024-11-04T09:40:54.233877091+08:00" level=debug msg="Received containerd event timestamp - 2024-11-04 01:40:54.233710466 +0000 UTC, namespace - \"k8s.io\", topic - \"/images/create\""
time="2024-11-04T09:40:54.233931868+08:00" level=info msg="ImageCreate event name:\"sha256:2324be6c5743ad72bedb72bec9beaf989bd5bace9ed49992566ee2bcda03dcdd\" labels:{key:\"io.cri-containerd.image\" value:\"managed\"}"
time="2024-11-04T09:40:54.234142279+08:00" level=debug msg="create image" name="swr.cn-east-3.myhuaweicloud.com/hmirror/rabbitmqoperator/cluster-operator:2.7.0" target="sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c"
time="2024-11-04T09:40:54.234602279+08:00" level=debug msg="create image" name="swr.cn-east-3.myhuaweicloud.com/hmirror/rabbitmqoperator/cluster-operator@sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c" target="sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c"
time="2024-11-04T09:40:54.236086579+08:00" level=debug msg="Received containerd event timestamp - 2024-11-04 01:40:54.235934993 +0000 UTC, namespace - \"k8s.io\", topic - \"/images/create\""
time="2024-11-04T09:40:54.236127103+08:00" level=info msg="ImageCreate event name:\"swr.cn-east-3.myhuaweicloud.com/hmirror/rabbitmqoperator/cluster-operator@sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c\" labels:{key:\"io.cri-containerd.image\" value:\"managed\"}"
time="2024-11-04T09:40:54.236487865+08:00" level=info msg="Pulled image \"swr.cn-east-3.myhuaweicloud.com/hmirror/rabbitmqoperator/cluster-operator:2.7.0\" with image id \"sha256:2324be6c5743ad72bedb72bec9beaf989bd5bace9ed49992566ee2bcda03dcdd\", repo tag \"swr.cn-east-3.myhuaweicloud.com/hmirror/rabbitmqoperator/cluster-operator:2.7.0\", repo digest \"swr.cn-east-3.myhuaweicloud.com/hmirror/rabbitmqoperator/cluster-operator@sha256:7628e022b4159342a8c4056228023e7030875a131675cae73248dea86875d68c\", size \"25963651\" in 2.310026116s"
time="2024-11-04T09:40:54.236517667+08:00" level=info msg="PullImage \"swr.cn-east-3.myhuaweicloud.com/hmirror/rabbitmqoperator/cluster-operator:2.7.0\" returns image reference \"sha256:2324be6c5743ad72bedb72bec9beaf989bd5bace9ed49992566ee2bcda03dcdd\""

@brandond
Member

brandond commented Nov 4, 2024

time="2024-11-04T09:23:59.283997031+08:00" level=debug msg="do request" host=swr.cn-east-3.myhuaweicloud.com request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.7.15-k3s1 request.method=HEAD url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/2.7.0?ns=docker.io"
time="2024-11-04T09:23:59.324497576+08:00" level=debug msg="fetch response received" host=swr.cn-east-3.myhuaweicloud.com response.header.connection=keep-alive response.header.content-length=61 response.header.content-type="application/json;charset=UTF-8" response.header.date="Mon, 04 Nov 2024 01:23:59 GMT" response.header.forserver=swr response.header.keep-alive="timeout=300" response.header.server="Web Server" response.header.www-authenticate="Bearer realm=\"https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/\",service=\"dockyard\",scope=\"repository:hmirror/rabbitmqoperator/cluster-operator:\"" response.status="401 Unauthorized" url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/2.7.0?ns=docker.io"
time="2024-11-04T09:23:59.324542691+08:00" level=debug msg=Unauthorized header="Bearer realm=\"https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/\",service=\"dockyard\",scope=\"repository:hmirror/rabbitmqoperator/cluster-operator:\"" host=swr.cn-east-3.myhuaweicloud.com
time="2024-11-04T09:23:59.324578114+08:00" level=debug msg="do request" host=swr.cn-east-3.myhuaweicloud.com request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.7.15-k3s1 request.method=HEAD url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/2.7.0?ns=docker.io"
time="2024-11-04T09:23:59.617911572+08:00" level=info msg="trying next host" error="failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/?scope=repository%3Ahmirror%2Frabbitmqoperator%2Fcluster-operator%3A&scope=repository%3Arabbitmqoperator%2Fcluster-operator%3Apull&service=dockyard: 404 Not Found" host=swr.cn-east-3.myhuaweicloud.com

msg=Unauthorized header="Bearer realm=\"https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/\",service=\"dockyard\",scope=\"repository:hmirror/rabbitmqoperator/cluster-operator:\"" host=swr.cn-east-3.myhuaweicloud.com
unexpected status from GET request to https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/?scope=repository%3Ahmirror%2Frabbitmqoperator%2Fcluster-operator%3A&scope=repository%3Arabbitmqoperator%2Fcluster-operator%3Apull&service=dockyard: 404 Not Found"

It looks like containerd is failing to modify the repository name in the second scope. I'm not sure why that'd be, but I do note that you're using containerd v1.7.15-k3s1 which we haven't shipped since May of 2024. Please try a newer release of K3s, and let us know if the issue persists.

@codering

codering commented Nov 5, 2024

@brandond same error in newer version (v1.29.10+k3s1)

crictl pull docker.io/rabbitmqoperator/cluster-operator:2.7.0

time="2024-11-05T09:56:23.718495322+08:00" level=info msg="PullImage \"docker.io/rabbitmqoperator/cluster-operator:2.7.0\""
time="2024-11-05T09:56:23.718550765+08:00" level=debug msg="PullImage \"docker.io/rabbitmqoperator/cluster-operator:2.7.0\" with snapshotter overlayfs"
time="2024-11-05T09:56:23.721729505+08:00" level=debug msg="loading host directory" dir=/var/lib/rancher/k3s/agent/etc/containerd/certs.d/docker.io
time="2024-11-05T09:56:23.721921417+08:00" level=debug msg=resolving host=swr.cn-east-3.myhuaweicloud.com
time="2024-11-05T09:56:23.721945017+08:00" level=debug msg="do request" host=swr.cn-east-3.myhuaweicloud.com request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.7.22-k3s1 request.method=HEAD url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/2.7.0?ns=docker.io"
time="2024-11-05T09:56:23.754841177+08:00" level=debug msg="fetch response received" host=swr.cn-east-3.myhuaweicloud.com response.header.connection=keep-alive response.header.content-length=61 response.header.content-type="application/json;charset=UTF-8" response.header.date="Tue, 05 Nov 2024 01:56:24 GMT" response.header.forserver=swr response.header.keep-alive="timeout=300" response.header.server="Web Server" response.header.www-authenticate="Bearer realm=\"https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/\",service=\"dockyard\",scope=\"repository:hmirror/rabbitmqoperator/cluster-operator:\"" response.status="401 Unauthorized" url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/2.7.0?ns=docker.io"
time="2024-11-05T09:56:23.754880209+08:00" level=debug msg=Unauthorized header="Bearer realm=\"https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/\",service=\"dockyard\",scope=\"repository:hmirror/rabbitmqoperator/cluster-operator:\"" host=swr.cn-east-3.myhuaweicloud.com
time="2024-11-05T09:56:23.754922509+08:00" level=debug msg="do request" host=swr.cn-east-3.myhuaweicloud.com request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.7.22-k3s1 request.method=HEAD url="https://swr.cn-east-3.myhuaweicloud.com/v2/hmirror/rabbitmqoperator/cluster-operator/manifests/2.7.0?ns=docker.io"
time="2024-11-05T09:56:24.024202297+08:00" level=info msg="trying next host" error="failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/?scope=repository%3Ahmirror%2Frabbitmqoperator%2Fcluster-operator%3A&scope=repository%3Arabbitmqoperator%2Fcluster-operator%3Apull&service=dockyard: 404 Not Found" host=swr.cn-east-3.myhuaweicloud.com
time="2024-11-05T09:56:24.024248431+08:00" level=debug msg=resolving host=registry-1.docker.io
time="2024-11-05T09:56:24.024269825+08:00" level=debug msg="do request" host=registry-1.docker.io request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.7.22-k3s1 request.method=HEAD url="https://registry-1.docker.io/v2/rabbitmqoperator/cluster-operator/manifests/2.7.0"
time="2024-11-05T09:56:24.262991073+08:00" level=info msg="trying next host" error="failed to do request: Head \"https://registry-1.docker.io/v2/rabbitmqoperator/cluster-operator/manifests/2.7.0\": read tcp 192.168.0.101:47928->54.198.86.24:443: read: connection reset by peer" host=registry-1.docker.io
time="2024-11-05T09:56:24.264423988+08:00" level=error msg="PullImage \"docker.io/rabbitmqoperator/cluster-operator:2.7.0\" failed" error="failed to pull and unpack image \"docker.io/rabbitmqoperator/cluster-operator:2.7.0\": failed to resolve reference \"docker.io/rabbitmqoperator/cluster-operator:2.7.0\": failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/?scope=repository%3Ahmirror%2Frabbitmqoperator%2Fcluster-operator%3A&scope=repository%3Arabbitmqoperator%2Fcluster-operator%3Apull&service=dockyard: 404 Not Found"
time="2024-11-05T09:56:24.264497137+08:00" level=info msg="stop pulling image docker.io/rabbitmqoperator/cluster-operator:2.7.0: active requests=0, bytes read=194"


@brandond
Member

brandond commented Nov 5, 2024

I'm not sure why you have two scopes there, but I can see if I can reproduce this internally and figure out if this is a containerd bug, or what.

brandond added a commit to brandond/containerd that referenced this issue Nov 6, 2024
Support CRI configuration to allow for request-time rewrite rules
applicable only to the repository portion of resource paths when pulling
images. Because the rewrites are applied at request time, images
themselves will not be "rewritten" -- images as stored by CRI (and the
underlying containerd facility) will continue to present as normal.

As an example, if you use the following config for your containerd:
```toml
[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io/v2"]
          [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io".rewrite]
            "^library/(.*)" = "my-org/$1"
```

And then subsequently invoke `crictl pull alpine:3.13` it will pull
content from `docker.io/my-org/alpine:3.13` but still show up as
`docker.io/library/alpine:3.13` in the `crictl images` listing.

This commit has been reworked from the original implementation. Rewrites
are now done when resolving instead of when building the request, so
that auth token scopes stored in the context properly reflect the
rewritten repository path. For the original implementation, see
06c4ea9.
Ref: k3s-io/k3s#11191 (comment)

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
Co-authored-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
@brandond
Member

brandond commented Nov 6, 2024

The issue here is that there are two scopes in the auth request. One of them comes from the Unauthorized response:

Bearer realm=\"https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/\",service=\"dockyard\",scope=\"repository:hmirror/rabbitmqoperator/cluster-operator:\"

The other is generated internally by containerd based on the repository of the image being pulled, but unfortunately this is not properly rewritten. I suspect that most auth providers just ignore the unknown claim for the unmodified registry scope and use the one that they do recognize, or perhaps only evaluate the first scope, but this one apparently returns a 404 for the bearer token request because it does not recognize all of the requested scopes. To be fair, this is probably safer behavior.

https://swr.cn-east-3.myhuaweicloud.com/swr/auth/v2/registry/auth/?scope=repository%3Ahmirror%2Frabbitmqoperator%2Fcluster-operator%3A&scope=repository%3Arabbitmqoperator%2Fcluster-operator%3Apull&service=dockyard: 404 Not Found

scope=repository:hmirror/rabbitmqoperator/cluster-operator:
scope=repository:rabbitmqoperator/cluster-operator:pull

I believe I have addressed this in brandond/containerd@c18a421

Note for QA: This may be difficult to reproduce, as it requires specific behavior from the registry auth provider. It appears that only artifactory and huawei cloud are affected?

@brandond brandond moved this from Done Issue to Peer Review in K3s Development Nov 6, 2024
@brandond brandond added this to the 2024-11 Release Cycle milestone Nov 6, 2024
@brandond brandond self-assigned this Nov 6, 2024
@brandond brandond added the kind/bug Something isn't working label Nov 6, 2024
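
The diagnosis above can be checked against a node's own containerd debug output. The following Python script is an added example, not code from containerd or K3s: it finds failed bearer-token requests and reports any `scope` whose repository differs from the repository actually requested at that host. The log lines, host names, and function names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines, modelled on the containerd debug output in this
# thread. Hosts and repository names are made up for the example.
SAMPLE_LOG = r'''
time="2024-01-01T00:00:00Z" level=debug msg="do request" host=mirror.example.test request.method=HEAD url="https://mirror.example.test/v2/team/app/api/manifests/1.0?ns=docker.io"
time="2024-01-01T00:00:00Z" level=debug msg=Unauthorized header="Bearer realm=\"https://mirror.example.test/auth/\",service=\"registry\",scope=\"repository:team/app/api:\"" host=mirror.example.test
time="2024-01-01T00:00:01Z" level=info msg="trying next host" error="failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://mirror.example.test/auth/?scope=repository%3Ateam%2Fapp%2Fapi%3A&scope=repository%3Aapp%2Fapi%3Apull&service=registry: 404 Not Found" host=mirror.example.test
time="2024-01-01T00:00:02Z" level=debug msg="do request" host=other.example.test request.method=HEAD url="https://other.example.test/v2/lib/web/manifests/2.0"
time="2024-01-01T00:00:03Z" level=info msg="trying next host" error="failed to authorize: failed to fetch oauth token: unexpected status from GET request to https://other.example.test/token?scope=repository%3Alib%2Fweb%3Apull&service=registry: 401 Unauthorized" host=other.example.test
'''

# key=value pairs; values are bare words or double-quoted with \" escapes.
PAIR = re.compile(r'([\w.\-]+)=("(?:[^"\\]|\\.)*"|\S*)')
# Token endpoint URL and HTTP status inside containerd's error text.
TOKEN_ERR = re.compile(r'GET request to (\S+): (\d{3})')
# Repository portion of a registry API path: /v2/<repo>/manifests|blobs/<ref>
REPO_PATH = re.compile(r'^/v2/(.+)/(?:manifests|blobs)/')


def parse_logfmt(line):
    """Parse one logfmt line into a dict, unescaping quoted values."""
    fields = {}
    for key, raw in PAIR.findall(line):
        if raw.startswith('"'):
            raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
        fields[key] = raw
    return fields


def parse_scope(scope):
    """Split 'repository:<name>:<actions>' into (type, name, actions)."""
    typ, _, rest = scope.partition(":")
    name, _, actions = rest.rpartition(":")
    return typ, name, actions


def find_scope_mismatches(log_text):
    """Return one finding per failed token request seen in the log.

    'stale_scopes' lists repository scopes that name a different repository
    than the one last requested on the same host, i.e. a scope that was not
    rewritten along with the request path.
    """
    requested = {}  # host -> repository last requested on that host
    findings = []
    for line in log_text.splitlines():
        fields = parse_logfmt(line)
        host = fields.get("host")
        if fields.get("msg") == "do request" and "url" in fields:
            match = REPO_PATH.match(urlsplit(fields["url"]).path)
            if match:
                requested[host] = match.group(1)
            continue
        match = TOKEN_ERR.search(fields.get("error", ""))
        if not match:
            continue
        token_url, status = match.group(1), int(match.group(2))
        scopes = parse_qs(urlsplit(token_url).query).get("scope", [])
        want = requested.get(host)
        stale = []
        for scope in scopes:
            typ, name, _ = parse_scope(scope)
            if typ == "repository" and want is not None and name != want:
                stale.append(scope)
        findings.append({
            "host": host,
            "status": status,
            "requested_repo": want,
            "scopes": scopes,
            "stale_scopes": stale,
        })
    return findings


if __name__ == "__main__":
    for finding in find_scope_mismatches(SAMPLE_LOG):
        verdict = "scope mismatch" if finding["stale_scopes"] else "scopes match request"
        print(finding["host"], finding["status"], verdict, finding["stale_scopes"])
```

A token failure with an empty `stale_scopes` list points at credentials or registry policy rather than at the rewrite.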
muicoder pushed a commit to k3s-vip/containerd that referenced this issue Nov 6, 2024
@brandond brandond moved this from Peer Review to To Test in K3s Development Nov 6, 2024
brandond added a commit to brandond/containerd that referenced this issue Nov 7, 2024
muicoder pushed a commit to k3s-vip/containerd that referenced this issue Nov 8, 2024
muicoder pushed a commit to k3s-vip/containerd that referenced this issue Nov 8, 2024
muicoder pushed a commit to k3s-vip/containerd that referenced this issue Nov 11, 2024
muicoder pushed a commit to k3s-vip/containerd that referenced this issue Nov 12, 2024
muicoder pushed a commit to k3s-vip/containerd that referenced this issue Nov 15, 2024
muicoder pushed a commit to k3s-vip/containerd that referenced this issue Nov 20, 2024
muicoder pushed a commit to k3s-vip/containerd that referenced this issue Nov 21, 2024
muicoder pushed a commit to k3s-vip/containerd that referenced this issue Nov 22, 2024
brandond added a commit to brandond/containerd that referenced this issue Dec 2, 2024
brandond added a commit to k3s-io/containerd that referenced this issue Dec 3, 2024
muicoder pushed a commit to k3s-vip/containerd that referenced this issue Dec 4, 2024
muicoder pushed a commit to k3s-vip/containerd that referenced this issue Dec 4, 2024
@ShylajaDevadiga
Contributor

Validated using commit id from release-1.31 branch

Environment Details

Infrastructure
Cloud EC2 instance

Node(s) CPU architecture, OS, and Version:
Ubuntu 22.04

Cluster Configuration:
Single node

Steps followed:

  1. Create an artifactory repository of type local.
  2. Pull an example image
  3. Tag and push the image to the artifactory
  4. Install rke2 using registries.yaml as below
  5. Deploy a workload using the above image.
  6. Verify the pod is up and running and pulling the image from the mirror registry

registries.yaml

```
cat registries.yaml
mirrors:
  registry.example.com:
    endpoint:
      - "https://trialartifactory.jfrog.io"
    rewrite:
      "^rancher/(.*)$": "testartifactory/$1"
configs:
  trialartifactory.jfrog.io:
    auth:
      username: "username"
      password: "password"
```

pod.yaml

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
spec:
  containers:
  - image: registry.example.com/rancher/busybox
    command:
      - sleep
      - "3600"
    imagePullPolicy: IfNotPresent
    name: busybox
  restartPolicy: Always
```
```
k3s -v
k3s version v1.31.3+k3s-6e6af988 (6e6af988)

$ kubectl get pods
NAME      READY   STATUS    RESTARTS   AGE
busybox   1/1     Running   0          21s
$ kubectl describe pod
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  15s   default-scheduler  Successfully assigned default/busybox to ip-172-31-1-109
  Normal  Pulling    15s   kubelet            Pulling image "registry.example.com/rancher/busybox"
  Normal  Pulled     13s   kubelet            Successfully pulled image "registry.example.com/rancher/busybox" in 2.695s (2.695s including waiting). Image size: 2224057 bytes.
  Normal  Created    13s   kubelet            Created container busybox
  Normal  Started    13s   kubelet            Started container busybox
```

Validated using commit id from release-1.30 branch

```
ubuntu@ip-172-31-1-109:~$ k3s -v
k3s version v1.30.7-rc2+k3s1 (00f90180)
go version go1.22.8
ubuntu@ip-172-31-1-109:~$ kubectl get pod
NAME      READY   STATUS    RESTARTS   AGE
busybox   1/1     Running   0          18s
ubuntu@ip-172-31-1-109:~$ kubectl describe pod
...
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  20s   default-scheduler  Successfully assigned default/busybox to ip-172-31-1-109
  Normal  Pulling    19s   kubelet            Pulling image "registry.example.com/rancher/busybox"
  Normal  Pulled     16s   kubelet            Successfully pulled image "registry.example.com/rancher/busybox" in 3.223s (3.223s including waiting). Image size: 2224057 bytes.
  Normal  Created    16s   kubelet            Created container busybox
  Normal  Started    16s   kubelet            Started container busybox
```

Validated using commit id from release-1.29 branch

```
ubuntu@ip-172-31-1-109:~$ k3s -v
k3s version v1.29.11-rc2+k3s1 (666b590a)
go version go1.22.8
ubuntu@ip-172-31-1-109:~$ kubectl get pod
NAME      READY   STATUS    RESTARTS   AGE
busybox   1/1     Running   0          8s
ubuntu@ip-172-31-1-109:~$ kubectl describe pod
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  13s   default-scheduler  Successfully assigned default/busybox to ip-172-31-1-109
  Normal  Pulling    12s   kubelet            Pulling image "registry.example.com/rancher/busybox"
  Normal  Pulled     9s    kubelet            Successfully pulled image "registry.example.com/rancher/busybox" in 3.479s (3.479s including waiting)
  Normal  Created    9s    kubelet            Created container busybox
  Normal  Started    9s    kubelet            Started container busybox
```
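
An added example, not part of the thread and not containerd's own code: a simplified Go model of the change the commit message above describes, run against the rewrite rule and image from the validation comment. It assumes Go `regexp` replacement semantics, sorted rule order, the standard `/v2/<repo>/manifests/<ref>` path and a `repository:<repo>:pull` token scope; all function names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// plan is what the client ends up sending: the manifest URL path and the
// scope it asks the registry's token service to authorize.
type plan struct {
	ManifestPath string
	TokenScope   string
}

// rewriteRepo applies the first rule whose regex changes the repository path.
// Rules are tried in sorted pattern order (an assumption, for determinism).
func rewriteRepo(repo string, rules map[string]string) (string, error) {
	patterns := make([]string, 0, len(rules))
	for p := range rules {
		patterns = append(patterns, p)
	}
	sort.Strings(patterns)
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return "", fmt.Errorf("rewrite pattern %q: %w", p, err)
		}
		if out := re.ReplaceAllString(repo, rules[p]); out != repo {
			return out, nil
		}
	}
	return repo, nil // no rule matched: pull the original path
}

func pullScope(repo string) string { return "repository:" + repo + ":pull" }

// buildPlan models both orderings. With atResolve=false the scope was fixed
// from the original repository before the request-time rewrite; with
// atResolve=true the scope follows the rewritten repository.
func buildPlan(repo, ref string, rules map[string]string, atResolve bool) (plan, error) {
	rewritten, err := rewriteRepo(repo, rules)
	if err != nil {
		return plan{}, err
	}
	scopeRepo := repo
	if atResolve {
		scopeRepo = rewritten
	}
	path := "/v2/" + rewritten + "/manifests/" + ref
	return plan{ManifestPath: path, TokenScope: pullScope(scopeRepo)}, nil
}

// scopeCoversPath reports whether the token scope names the repository that
// the manifest request actually targets.
func scopeCoversPath(p plan) bool {
	rest := strings.TrimPrefix(p.ManifestPath, "/v2/")
	i := strings.LastIndex(rest, "/manifests/")
	return i > 0 && p.TokenScope == pullScope(rest[:i])
}

func main() {
	// Rule and image copied from the registries.yaml and pod.yaml above.
	rules := map[string]string{"^rancher/(.*)$": "testartifactory/$1"}
	for _, atResolve := range []bool{false, true} {
		p, _ := buildPlan("rancher/busybox", "latest", rules, atResolve)
		fmt.Printf("atResolve=%v %+v scopeCoversPath=%v\n", atResolve, p, scopeCoversPath(p))
	}
}
```

A mirror that enforces per-repository token scopes would reject the request-time plan, because the token is issued for `rancher/busybox` while the request targets `testartifactory/busybox`.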
