Open amenasse opened 4 years ago
I can't resolve registry.dev.fullbacksystems.com from within the cluster because the systemd resolver is bound to loopback (127.0.0.53) apparently this can't be modified
Possibly relevant:
https://coredns.io/plugins/k8s_external/
Possibly related issues:
https://github.com/rancher/k3s/issues/1640
For now i've installed dnsmasq and disabled the systemd DNS stub resolver. In other words, local name resolution is handled by dnsmasq now which unlike systemd resolver can be configured to listen on a specific interface (not just loopback)
I then modified the coredns config map to use this resolver:
fallthrough
}
prometheus :9153
- forward . /etc/resolv.conf
+ forward . 192.168.0.107
cache 30
loop
reload
This works :tada: but will need to be done in a repeatable manner. Restarting k3s will revert to the old coredns map. Creating a seperate ticket for this.
Replicating directly with containerd not running in cluster with --debug , looks like same issue, extra debug info shows its not a resolution error though but a 404 response from the registry
$ sudo ctr --debug image pull registry.dev.fullbacksystems.com/fullbacksystems-website:8523786
DEBU[0000] fetching image="registry.dev.fullbacksystems.com/fullbacksystems-website:8523786"
DEBU[0000] resolving
DEBU[0000] do request request.headers=map[Accept:[application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, *]] request.method=HEAD url="https://registry.dev.fullbacksystems.com/v2/fullbacksystems-website/manifests/8523786"
DEBU[0000] fetch response received response.headers=map[Content-Length:[97] Content-Type:[application/json; charset=utf-8] Date:[Tue, 11 Aug 2020 08:06:55 GMT] Docker-Distribution-Api-Version:[registry/2.0] Vary:[Accept-Encoding] X-Content-Type-Options:[nosniff]] status="404 Not Found" url="https://registry.dev.fullbacksystems.com/v2/fullbacksystems-website/manifests/8523786"
ctr: failed to resolve reference "registry.dev.fullbacksystems.com/fullbacksystems-website:8523786": registry.dev.fullbacksystems.com/fullbacksystems-website:8523786 not found
On registry:
$ kubectl logs docker-registry-7d6758cbcb-5xh2c
10.42.0.6 - - [11/Aug/2020:11:06:20 +0000] "HEAD /v2/fullbacksystems-website/manifests/8523786 HTTP/1.1" 404 97 "" "containerd/1.2.12"
time="2020-08-11T11:06:20.822302582Z" level=error msg="response completed with error" err.code="manifest unknown" err.detail="unknown tag=8523786" err.message="manifest unknown" go.version=go1.11.2 http.request.host=registry.dev.fullbacksystems.com http.request.id=3cb0db45-49e4-4107-bbde-8e141f4280a0 http.request.method=HEAD http.request.remoteaddr=10.42.0.1 http.request.uri="/v2/fullbacksystems-website/manifests/8523786" http.request.useragent="containerd/1.2.12" http.response.contenttype="application/json; charset=utf-8" http.response.duration=1.538491ms http.response.status=404 http.response.written=97 vars.name=fullbacksystems-website vars.reference=8523786
This works so not sure why its 404'ing via containerd:
$ curl -H "Accept: application/vnd.oci.image.manifest.v1+json" -v https://registry.dev.fullbacksystems.com/v2/fb/fullback-systems-website/manifests/8523786c |jq
Oh theres a typo in the repository name, repository is fullback-systems-website not fullbacksystems-website
But now getting new errror:
ctr: failed to extract layer sha256:13cb14c2acd34e45446a50af25cb05095a17624678dbafbcc9e26086547c1d74: mount callback failed on /var/lib/containerd/tmpmounts/containerd-mount550143959: archive/tar: invalid tar header: unknown
Works fine with podman:
podman image pull registry.dev.fullbacksystems.com/fullback-systems-website:8523786c
Looks like the failed to extract layer issue was due to the image being pushed with podman, repushing with docker and pulling again with ctr worked. Will investigate this separately. See #6
Nodes can't pull images on deployment when referencing the private registry (registry.dev.fullbacksystems.com)
Tried using both internal and external dns names.
Using the external dns name (registry.dev.fullbacksystems.com)
This is resolvable on the node:
But not within the cluster via coredns:
Using internal dns name (docker-regsitry.default.svc.cluster.local):