james-li
commented
1 day ago 我也碰到这个问题,是containerd的机制导致的。
# ctr images pull docker.dockerimage.site/library/busybox:latest --http-dump
WARN[0000] DEPRECATION: CRI API v1alpha2 is deprecated since containerd v1.7 and removed in containerd v2.0. Use CRI API v1 instead.
INFO[0000] HEAD /v2/library/busybox/manifests/latest HTTP/1.1
INFO[0000] Host: docker.dockerimage.site
INFO[0000] Accept: application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*
INFO[0000] User-Agent: containerd/1.6.33
INFO[0000]
docker.dockerimage.site/library/busybox:latest: resolving |--------------------------------------|
elapsed: 2.3 s total: 0.0 B (0.0 B/s)
INFO[0002] HTTP/1.1 401 Unauthorized
INFO[0002] Content-Length: 158
INFO[0002] Alt-Svc: h3=":443"; ma=86400
INFO[0002] Cf-Cache-Status: DYNAMIC
INFO[0002] Cf-Ray: 8dacb0f3ad3752a7-LAX
INFO[0002] Connection: keep-alive
INFO[0002] Content-Type: application/json
INFO[0002] Date: Wed, 30 Oct 2024 16:13:11 GMT
INFO[0002] Docker-Distribution-Api-Version: registry/2.0
INFO[0002] Docker-Ratelimit-Source: 172.69.34.71
INFO[0002] Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
INFO[0002] Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eCxfmwJynLDUZ57Fsf1DW8e3gpQh9glOwIfkSle72jTtm8fOESra46%2B7tCEaJ44oh2dVfBTc5D%2BlRree5qSHjIawJYqJy242B0LyjKi%2BSTTZsKPaImz6q3GkRr%2FhIgfQRuXpc3Y%3D"}],"group":"cf-nel","max_age":604800}
INFO[0002] Server: cloudflare
INFO[0002] Server-Timing: cfL4;desc="?proto=TCP&rtt=235288&sent=8&recv=9&lost=0&retrans=2&sent_bytes=4543&recv_bytes=678&delivery_rate=4479&cwnd=246&unsent_bytes=0&cid=8029cb73bf98260e&ts=1014&x=0"
INFO[0002] Strict-Transport-Security: max-age=31536000
INFO[0002] Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/busybox:pull"
INFO[0002]
INFO[0002] GET /token?scope=repository%3Alibrary%2Fbusybox%3Apull&service=registry.docker.io HTTP/1.1
INFO[0002] Host: auth.docker.io
docker.dockerimage.site/library/busybox:latest: resolving |--------------------------------------|
elapsed: 23.4s total: 0.0 B (0.0 B/s)
INFO[0023] trying next host error="failed to authorize: failed to fetch anonymous token: Get \"https://auth.docker.io/token?scope=repository%3Alibrary%2Fbusybox%3Apull&service=registry.docker.io\": dial tcp 199.59.149.231:443: connect: connection refused" host=docker.dockerimage.site
ctr: failed to resolve reference "docker.dockerimage.site/library/busybox:latest": failed to authorize: failed to fetch anonymous token: Get "https://auth.docker.io/token?scope=repository%3Alibrary%2Fbusybox%3Apull&service=registry.docker.io": dial tcp 199.59.149.231:443: connect: connection refused它仍然要去 auth.docker.io 获取 token 才行
There is no problem when using +docker+pull+
But some problems will arise when using +k8s+
Failed to pull image "docker.xxxxx.xxxxx/nginx:alpine": failed to pull and unpack image "docker.xxxxxxx.xxxxxx/nginx:alpine": failed to resolve reference "docker.xxxxxxx.xxxxx/nginx:alpine": failed to authorize: failed to fetch anonymous token: Get "https://auth.docker.io/token?scope=repository%3Alibrary%2Fnginx%3Apull&scope=repository%3Anginx%3Apull&service=registry.docker.io": dial tcp 199.59.149.230:443: connect: connection refused