From 145c80e9abd7e740733cb716ddc30ef122711cd1 Mon Sep 17 00:00:00 2001
From: "rongfu.leng" <rongfu.leng@daocloud.io>
Date: Fri, 17 Feb 2023 12:57:39 +0800
Subject: [PATCH] Fix containerd config_path error when containerd_registries
 is configed (#9770)

Signed-off-by: rongfu.leng <rongfu.leng@daocloud.io>
---
 .../containerd/defaults/main.yml              |  3 ++
 .../containerd/tasks/main.yml                 | 41 +++++++++----------
 .../containerd/templates/config.toml.j2       |  5 ++-
 3 files changed, 26 insertions(+), 23 deletions(-)

diff --git a/roles/container-engine/containerd/defaults/main.yml b/roles/container-engine/containerd/defaults/main.yml
index 83115c4fa..3ef43ba26 100644
--- a/roles/container-engine/containerd/defaults/main.yml
+++ b/roles/container-engine/containerd/defaults/main.yml
@@ -73,3 +73,6 @@ containerd_limit_proc_num: "infinity"
 containerd_limit_core: "infinity"
 containerd_limit_open_file_num: "infinity"
 containerd_limit_mem_lock: "infinity"
+
+# If enabled it will use config_path and disable use mirrors config
+containerd_use_config_path: false
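Review bot: The comment on `containerd_use_config_path` does not say that the flag also gates the per-registry `hosts.toml` files written for `containerd_insecure_registries`, which carry `skip_verify = true`. An operator reading only the defaults cannot tell which TLS-skipping mechanism is active for each value of the flag. I would reword it along the lines of `# When true, render registry.config_path (certs.d/<registry>/hosts.toml) instead of the inline registry.mirrors table; hosts.toml for containerd_insecure_registries is only written in this mode.`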
diff --git a/roles/container-engine/containerd/tasks/main.yml b/roles/container-engine/containerd/tasks/main.yml
index b0e877f27..23cc283d4 100644
--- a/roles/container-engine/containerd/tasks/main.yml
+++ b/roles/container-engine/containerd/tasks/main.yml
@@ -111,27 +111,26 @@
     mode: 0640
   notify: restart containerd
 
-- name: containerd | Create registry directories
-  file:
-    path: "{{ containerd_cfg_dir }}/certs.d/{{ item.key }}"
-    state: directory
-    mode: 0755
-    recurse: true
-  with_dict: "{{ containerd_insecure_registries }}"
-  when: containerd_insecure_registries is defined
-
-- name: containerd | Write hosts.toml file
-  blockinfile:
-    path: "{{ containerd_cfg_dir }}/certs.d/{{ item.key }}/hosts.toml"
-    mode: 0640
-    create: true
-    block: |
-      server = "{{ item.value }}"
-      [host."{{ item.value }}"]
-        capabilities = ["pull", "resolve", "push"]
-        skip_verify = true
-  with_dict: "{{ containerd_insecure_registries }}"
-  when: containerd_insecure_registries is defined
+- block:
+    - name: containerd | Create registry directories
+      file:
+        path: "{{ containerd_cfg_dir }}/certs.d/{{ item.key }}"
+        state: directory
+        mode: 0755
+        recurse: true
+      with_dict: "{{ containerd_insecure_registries }}"
+    - name: containerd | Write hosts.toml file
+      blockinfile:
+        path: "{{ containerd_cfg_dir }}/certs.d/{{ item.key }}/hosts.toml"
+        mode: 0640
+        create: true
+        block: |
+          server = "{{ item.value }}"
+          [host."{{ item.value }}"]
+            capabilities = ["pull", "resolve", "push"]
+            skip_verify = true
+      with_dict: "{{ containerd_insecure_registries }}"
+  when: containerd_use_config_path is defined and containerd_use_config_path|bool and containerd_insecure_registries is defined
 
 # you can sometimes end up in a state where everything is installed
 # but containerd was not started / enabled
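Review bot: In the `Create registry directories` task, `recurse: true` with `mode: 0755` applies to `certs.d/{{ item.key }}` and everything inside it, so on every run after the first the `hosts.toml` written by the next task is reset to 0755 and then put back to 0640 by `blockinfile`. The role therefore reports changes on each run, and the file that carries `skip_verify = true` is briefly more permissive than intended. Dropping `recurse: true` (with `state: directory` the `file` module already creates missing parent directories) and quoting the modes as `mode: "0755"` / `mode: "0640"` would avoid both. Separately, the template iterates `containerd_insecure_registries.values() | flatten`, which suggests a value may be a list; if so, `server = "{{ item.value }}"` would not render a valid URL, which is worth confirming.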
diff --git a/roles/container-engine/containerd/templates/config.toml.j2 b/roles/container-engine/containerd/templates/config.toml.j2
index 620bff546..63fd27754 100644
--- a/roles/container-engine/containerd/templates/config.toml.j2
+++ b/roles/container-engine/containerd/templates/config.toml.j2
@@ -47,9 +47,9 @@ oom_score = {{ containerd_oom_score }}
           runtime_type = "io.containerd.runsc.v1"
 {% endif %}
     [plugins."io.containerd.grpc.v1.cri".registry]
-{% if containerd_insecure_registries is defined and containerd_insecure_registries|length>0 %}
+{% if containerd_use_config_path is defined and containerd_use_config_path|bool %}
       config_path = "{{ containerd_cfg_dir }}/certs.d"
-{% endif %}
+{% else %}
       [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
 {% for registry, addr in containerd_registries.items() %}
         [plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{ registry }}"]
@@ -60,6 +60,7 @@ oom_score = {{ containerd_oom_score }}
         [plugins."io.containerd.grpc.v1.cri".registry.mirrors."{{ registry }}"]
           endpoint = ["{{ ([ addr ] | flatten ) | join('","') }}"]
 {% endfor %}
+{% endif %}
 {% for addr in containerd_insecure_registries.values() | flatten | unique %}
         [plugins."io.containerd.grpc.v1.cri".registry.configs."{{ addr }}".tls]
           insecure_skip_verify = true
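Review bot: The `{% endif %}` added before the `containerd_insecure_registries` loop closes the `else` branch too early: with `containerd_use_config_path` true, the `registry.configs."<addr>".tls` stanzas with `insecure_skip_verify = true` are still rendered alongside `config_path`. As far as I know, containerd's CRI config validation rejects `configs.tls` when `config_path` is set, the same way it rejects `mirrors`, so enabling the flag with insecure registries defined would likely still fail at startup; the TLS skip is in any case already expressed by `skip_verify = true` in the generated `hosts.toml`. I would move the `{% endif %}` to after that loop's `{% endfor %}`, which lies outside this hunk. The loop also calls `containerd_insecure_registries.values()` unconditionally while the tasks guard the same variable with `is defined`; whether a default exists is not visible here.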
-- 
GitLab