Pull images from private registries

[hellocloudnative]

ignite 无法拉取私有仓库的镜像嘛。

我执行ignite image import 我的私有仓库镜像
会报错

INFO[0000] containerd image "harbor.sh.deepin.com/amd64/golang:uos" not found locally, pulling...
FATA[0000] failed to resolve reference "harbor.sh.deepin.com/amd64/golang:uos": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

[darkowlzz]

Hi, if I understand it correctly, you're running ignite image import and it's failing to pull the image due to authorization issue.
Ignite uses containerd (default) or docker internally. Depending on the container runtime you're using, you can configure them by following their respective docs:

• containerd - https://github.com/containerd/cri/blob/release/1.4/docs/registry.md
• docker - https://docs.docker.com/engine/reference/commandline/login/

Hope that helps.

[stealthybox]

This could be a common thing to trip over.
Most people will use Docker to build/push/pull images from their registry -- their containerd will not be configured to auth to the registry directly, especially for the firecracker namespace.

We should have a section in the setup docs that accounts for setting up the proper containerd namespace.

It's hard to recommend changing the default runtime for only image-pull just to make this easier since it brings back other problems.

Docker users may benefit from doing ignite image import --runtime=docker, just for image pulls.

[talhazubairbutt]

@stealthybox just running ignite image import --runtime=docker does not work if the registry needs credentials even when your docker daemon is authenticated. An authentication error is thrown, however docker pull image_name and then running ignite image import --runtime=docker works as the image is locally fetched instead of being downloaded from remote with credentials. The issue that can be fixed is that ignite image import passes the credentials that docker uses to authenticate. I have experienced this with google container registry where all images are private.

[stealthybox]

@talhazubairbutt It looks like you are right.

The docker client does not pass any auth credential options.
I'm guessing this was assumed to be defaulted, but it may not be.
We should determine the right way to ocnfigure this:
https://github.com/weaveworks/ignite/blob/8c289b4/pkg/runtime/docker/client.go#L50

Have we tested that containerd works with private auth configs?
https://github.com/weaveworks/ignite/blob/8c289b4/pkg/runtime/containerd/client.go#L143

[darkowlzz]

@talhazubairbutt hi, I've created #833 to address this issue. It would be of great help if it's possible for you to try it out and provide some feedback.

[talhazubairbutt]

@talhazubairbutt hi, I've created #833 to address this issue. It would be of great help if it's possible for you to try it out and provide some feedback.

Sure, ill test this out tomorrow and get back to you