Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[image-rs] How to pull an image from local registries #861

Open
billionairiam opened this issue Dec 30, 2024 · 2 comments
Open

[image-rs] How to pull an image from local registries #861

billionairiam opened this issue Dec 30, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@billionairiam
Copy link

Describe the bug

I want to create a pod that pulls an image from a local registry.

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: nginx
  name: nginx
  annotations:
    io.containerd.cri.runtime-handler: kata-qemu-tdx
spec:
  containers:
  - image: localhost:5000/nginx
    name: nginx
  dnsPolicy: ClusterFirst
  runtimeClassName: kata-qemu-tdx

It seems there are some credential issues.

  Normal   Scheduled  12s   default-scheduler  Successfully assigned default/nginx to ubuntu
  Normal   Pulling    5s    kubelet            Pulling image "localhost:5000/nginx"
  Warning  Failed     5s    kubelet            Failed to pull image "localhost:5000/nginx": failed to pull and unpack image "localhost:5000/nginx:latest": failed to resolve reference "localhost:5000/nginx:latest": pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials
  Warning  Failed     5s    kubelet            Error: ErrImagePull
  Normal   BackOff    5s    kubelet            Back-off pulling image "localhost:5000/nginx"
  Warning  Failed     5s    kubelet            Error: ImagePullBackOff

How to reproduce

I have read this, but I'm not sure how to proceed.

CoCo version information

v0.11.0

What TEE are you seeing the problem on

None

Failing command and relevant log output

No response
@billionairiam billionairiam added the bug Something isn't working label Dec 30, 2024
@fitzthum
Copy link
Member

fitzthum commented Jan 2, 2025

A few things to consider. First, pulling from localhost might not work from inside your guest because localhost inside the VM is not the host. Unless this is what you intend, you might try using an IP address here.

Second, pulling from local registries often means pulling from a registry with a self-signed cert. This can cause problems. You may need to set the cert via this config or by manually adding it to ca-certificates inside your guest.

@billionairiam
Copy link
Author

You may need to set the cert via [this config](https://github.com/confidential-containers/guest-components/blob/main/image-rs/src/config.rs#L115) or by manually adding it to ca-certificates inside your guest. Could you provide an example of how to do this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@fitzthum @billionairiam