Develop Reference

How to skip TLS cert check for crictl (containerd CR) while pulling the images from private repository

I have installed k8s 1.24 version and containerd (containerd://1.5.9) is the CR for my setup (ubuntu 20.04).
I have also installed docker on my VM and have added my private repository under /etc/docker/daemon.json with the following changes:
{ "insecure-registries" : ["myPvtRepo.com:5028"] }
When I am running docker pull myPvtRepo:123/image after login to my pvt repo by using docker login myPvtRepo:123 command, I am able to pull the images while running the same command with crictl pull myPvtRepo:123/image, I am facing:
E0819 06:49:01.200489 162610 remote_image.go:218] "PullImage from
image service failed" err="rpc error: code = Unknown desc = failed to
pull and unpack image "myPvtRepo.com:5028/centos:latest": failed to
resolve reference "myPvtRepo.com:5028/centos:latest": failed to do
request: Head https://myPvtRepo.com::5028/v2/centos/manifests/latest:
x509: certificate signed by unknown authority"
image="myPvtRepo.com::5028/centos:latest" FATA[0000] pulling image:
rpc error: code = Unknown desc = failed to pull and unpack image
"myPvtRepo.com::5028/centos:latest": failed to resolve reference
"myPvtRepo.com:5028/centos:latest": failed to do request: Head
https://myPvtRepo.com::5028/v2/centos/manifests/latest: x509:
certificate signed by unknown authority
FYI, I have modified /etc/containerd/config.toml with below content.
version = 2
[plugin."io.containerd.grpc.v1.cri".registry.configs."myPvtRepo.com:5028".tls]
insecure_skip_verify = true
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://myPvtRepo.com:5028", "https://myPvtRepo.com:5038", "https://myPvtRepo.com:5037",
"https://myPvtRepo.com:5039"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."IP:5000"]
endpoint = ["http://IP:5000"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."IP:5000"]
endpoint = ["http://IP:5000"]
I have also modified containerd's endpoint to point to containerd's sock.
Can you please help me out to understand and fix that even after setting insecure_skip_verify = true for my pvt repository and restarting the containerd service why I am getting this issue.

I got a solution:
cd /usr/local/share/ca-certificates/
curl -L --remote-name http://your-artifacts.com/xyz-bundle.crt
/usr/sbin/update-ca-certificates
This one work for me.
Also make sure to update your endpoints under /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: ""
timeout: 0
debug: false
pull-image-on-create: false
disable-pull-on-run: false

You will need to specify the hosts.toml file for the private registry and add skip-verify = true.
ref: https://github.com/containerd/containerd/blob/main/docs/hosts.md
Steps:
create folders: mkdir -p /etc/containerd/certs.d/<your registry>
add these config in /etc/containerd/config.toml:
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
create and edit hosts.toml under the just created folder
server = "https://<your registry>"
[host."https://<your registry>"]
capabilities = ["pull", "resolve"]
skip_verify = true

Ansible connection to docker engine on osx apple Silicon

I'm trying to connect to my local docker engine running on OSX (m1 chip) in order to create a dynamic inventory.
I've created a host file with the following config
I made sure that docker_containers module is well installed.
plugin: community.docker.docker_containers
docker_host: "unix://Users/ME/.docker/run/docker-cli-api.sock"
Then I run ansible-inventory --graph -i ./hosts/hosts-docker-local.yaml.
But I'm getting the following error:
[WARNING]: * Failed to parse /Users/ME/Projects/ansible-test/hosts/hosts-docker-local.yaml with auto plugin: inventory source '/Users/ME/Projects/ansible-test/hosts/hosts-docker-local.yaml' could not be
verified by inventory plugin 'community.docker.docker_containers'
[WARNING]: * Failed to parse /Users/ME/Projects/ansible-test/hosts/hosts-docker-local.yaml with yaml plugin: Plugin configuration YAML file, not YAML inventory
[WARNING]: * Failed to parse /Users/ME/Projects/ansible-test/hosts/hosts-docker-local.yaml with ini plugin: Invalid host pattern 'plugin:' supplied, ending in ':' is not allowed, this character is reserved to
provide a port.
[WARNING]: Unable to parse /Users/ME/Projects/ansible-test/hosts/hosts-docker-local.yaml as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
#all:
|--#ungrouped:
I tried
ansible-doc -t inventory -l | grep docker
community.docker.docker_containers Ansible dynamic inv...
community.docker.docker_machine Docker Machine inve...
community.docker.docker_swarm Ansible dynamic inv...
but somehow if I do this
ansible localhost -i ./hosts/hosts-docker-local.yaml -m community.docker.docker_containers
It complains
localhost | FAILED! => {
"msg": "The module community.docker.docker_containers was not found in configured module paths"
}
maybe something wrong with my module path, something wierd with OSX? (I installed Ansible with brew)

The inventory file must end in docker.yaml, as pointed out by #Zeitounator.
Uses a YAML configuration file that ends with docker.[yml|yaml].
https://docs.ansible.com/ansible/latest/collections/community/docker/docker_containers_inventory.html#synopsis

Bazel: How to extend existing docker image?

I know in Dockerfile I can extend existing docker image using:
FROM python/python
RUN pip install request
But how to extend it in bazel?
I am not sure if I should use container_import, but with that I am getting the following error:
container_import(
name = "postgres",
base_image_registry = "some.artifactory.com",
base_image_repository = "/existing-image:v1.5.0",
layers = [
"//docker/new_layer",
],
)
root#ba5cc0a3f0b7:/tcx# bazel build pkg:postgres-instance --verbose_failures --sandbox_debug
ERROR: /tcx/docker/postgres-operator/BUILD.bazel:12:17: in container_import rule //docker/postgres-operator:postgres:
Traceback (most recent call last):
File "/root/.cache/bazel/_bazel_root/2f47bbce04529f9da11bfed0fc51707c/external/io_bazel_rules_docker/container/import.bzl", line 98, column 35, in _container_import_impl
"config": ctx.files.config[0],
Error: index out of range (index is 0, but sequence has 0 elements)
ERROR: Analysis of target '//pkg:postgres-instance' failed; build aborted: Analysis of target '//docker/postgres-operator:postgres' failed
INFO: Elapsed time: 0.209s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (1 packages loaded, 2 targets configured)

container_import is the correct rule to import an existing image. However, all it does is import, it doesn't pull it from anywhere. I think you're looking for container_pull instead, which will pull an image from a repository and then automatically use container_import to translate it for other rules_docker rules.
To add a new layer, use container_image, with base set to the imported image and tars set to the additional files you want to add. Or, if you want to add things in other formats, see the docs for alternates to tars (like debs or files).
Putting it all together, something like this in your WORKSPACE:
container_pull(
name = "postgres",
registry = "some.artifactory.com",
repository = "existing-image",
tag = "v1.5.0",
)
and then this in a BUILD file:
container_image(
name = "postgres_plus",
base = "#postgres//image",
tars = ["//docker/new_layer"],
)
The specific problem you're running into is that container_pull.layers isn't for adding new layers, it's for specifying the layers of the image you're importing. You could import those some other way (http_archive, check in the tar files, etc) and then specify them all by hand instead of using container_pull if you're doing something unusual.

docker containers - missing attribute

I needed a custom centos image with docker installed. So I built it using centos image and tagged it custom (shown below).
$ docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
centos custom 84766562f881 4 hours ago 664MB
centos/systemd latest 05d3c1e2d0c1 7 weeks ago 202MB
I am trying to deploy couple of containers using Terraform on my local machine, each with a unique name that comes from another file. The docker images are on local machine. Here's the TF code.
$ cat main.tf
provider "docker" {
}
resource "docker_image" "centos" {
name = "centos:custom"
}
resource "docker_container" "app_swarm" {
image = "${docker_image.centos.custom}"
count = "${length(var.docker_cont)}"
name = "${element(var.docker_cont, count.index)}"
}
When I run terraform apply, I get this error which I am not sure how to fix. Can someone point me in the right direction please?
Error: Error running plan: 1 error(s) occurred:
* docker_container.app_swarm: 3 error(s) occurred:
* docker_container.app_swarm[0]: Resource 'docker_image.centos' does not have attribute 'custom' for variable 'docker_image.centos.custom'
* docker_container.app_swarm[1]: Resource 'docker_image.centos' does not have attribute 'custom' for variable 'docker_image.centos.custom'
* docker_container.app_swarm[2]: Resource 'docker_image.centos' does not have attribute 'custom' for variable 'docker_image.centos.custom'
Yes, the other file exists with names, its a simple list.
EDIT:
Thanks David, tried your suggestion and amended the code to look like-
provider "docker" {
}
resource "docker_image" "centos" {
name = "centos:custom"
}
resource "docker_container" "app_swarm" {
image = "${docker_image.centos.latest}"
count = "${length(var.docker_cont)}"
name = "${element(var.docker_cont, count.index)}"
}
But now I get this error.
Error: Error applying plan:
1 error(s) occurred:
* docker_image.centos: 1 error(s) occurred:
* docker_image.centos: Unable to read Docker image into resource: Unable to pull image centos:custom: error pulling image centos:custom: Error response from daemon: manifest for centos:custom not found
I guess I will have to setup a local Docker repository to get this working but I am not sure?

You can only use the specific fields listed in the docker_image resource documentation in the ${docker_image.centos...} interpolation. In particular, even though you don't use the tag :latest, you need a .latest property reference:
image = "${docker_image.centos.latest}"
(If the image actually is one you've built locally, you may also want to specify the keep_locally option on your docker_image resource so that terraform destroy won't delete it.)

ERROR: repository hyperledger/fabric-tools not found: does not exist or no pull access

I am trying to start up network using following command
./network_setup.sh up
After running this command I am receiving this errro
#
# Generating anchor peer update for Org2MSP
########################################################### 2017-06-05 18:16:35.716 CST [common/configtx/tool] main -> INFO 001
Loading configuration 2017-06-05 18:16:35.719 CST
[common/configtx/tool] doOutputAnchorPeersUpdate -> INFO 002
Generating anchor peer update 2017-06-05 18:16:35.719 CST
[common/configtx/tool] doOutputAnchorPeersUpdate -> INFO 003 Writing
anchor peer update
Pulling cli (hyperledger/fabric-tools:latest)...
ERROR: repository hyperledger/fabric-tools not found: does not exist or no pull access
ERROR !!!! Unable to pull the images
How I can remove this error?please help me

You can manually pull this (and any other Hyperledger Fabric image) image from DockerHub. There was a period when the fabric-tools image was not included in the helper script download-dockerimages.sh.
docker pull hyperledger/fabric-tools:x86_64-1.0.0-beta
docker tag hyperledger/fabric-tools:x86_64-1.0.0-beta hyperledger/fabric-tools
Note that it might be worth reviewing the set of published tags on DockerHub to be sure you are getting the latest.
https://hub.docker.com/u/hyperledger/

you write the command line : this :
docker pull hyperledger/fabric-tools:x86_64-1.1.0-rc1
after that
docker tag hyperledger/fabric-tools:x86_64-1.1.0-rc1 hyperledger/fabric-tools:latest