docs: cri-o documentation #158

Merged
merged 3 commits into from
Sep 29, 2024
284 changes: 168 additions & 116 deletions docs/operations/integrations/container-runtime/containerd.md
Expand Up @@ -396,117 +396,11 @@ Restart containerd:
systemctl restart containerd
```

### Private registry using self-signed certificates
### Container Registry using self-signed certificates

Take Harbor as an example of a private registry using self-signed certificates.
Use Harbor as an example of a container registry using self-signed certificates.
Harbor generates self-signed certificate, refer to [Harbor](https://goharbor.io/docs/2.11.0/install-config/configure-https/).

#### Install Dragonfly with Binaries

Copy Harbor's ca.crt file to `/etc/certs/yourdomain.crt`.

```shell
cp ca.crt /etc/certs/yourdomain.crt
```

Install Dragonfly with Binaries, refer to [Binaries](../../../getting-started/installation/binaries.md).

##### Setup Dfdaemon as Seed Peer and configure self-signed certificate

Configure Dfdaemon yaml file, The default path in Linux is `/etc/dragonfly/dfdaemon.yaml` in linux,
refer to [Dfdaemon](../../../reference/configuration/client/dfdaemon.md).

```shell
manager:
addrs:
- http://dragonfly-manager:65003
seedPeer:
enable: true
type: super
clusterID: 1
proxy:
registryMirror:
# addr is the default address of the registry mirror. Proxy will start a registry mirror service for the
# client to pull the image. The client can use the default address of the registry mirror in
# configuration to pull the image. The `X-Dragonfly-Registry` header can instead of the default address
# of registry mirror.
addr: https://yourdomain.com
## certs is the client certs path with PEM format for the registry.
## If registry use self-signed cert, the client should set the
## cert for the registry mirror.
certs: /etc/certs/yourdomain.crt
```

##### Setup Dfdaemon as Peer and configure self-signed certificate

Configure Dfdaemon yaml file, The default path in Linux is `/etc/dragonfly/dfdaemon.yaml` in linux,
refer to [Dfdaemon](../../../reference/configuration/client/dfdaemon.md).

```shell
manager:
addrs:
- http://dragonfly-manager:65003
proxy:
registryMirror:
# addr is the default address of the registry mirror. Proxy will start a registry mirror service for the
# client to pull the image. The client can use the default address of the registry mirror in
# configuration to pull the image. The `X-Dragonfly-Registry` header can instead of the default address
# of registry mirror.
addr: https://yourdomain.com
## certs is the client certs path with PEM format for the registry.
## If registry use self-signed cert, the client should set the
## cert for the registry mirror.
certs: /etc/certs/yourdomain.crt
```

##### Configure containerd self-signed certificate

Modify your `config.toml` (default location: `/etc/containerd/config.toml`), refer to [registry-configuration-examples](https://github.com/containerd/containerd/blob/main/docs/hosts.md#registry-configuration---examples).

> Notice: config_path is the path where containerd looks for registry configuration files.

```toml
# explicitly use v2 config format
version = 2

[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
```

Create the registry configuration file `/etc/containerd/certs.d/yourdomain.com/hosts.toml`:

> Notice: `https://yourdomain.com` is the Harbor service address.

```toml
server = "https://yourdomain.com"

[host."http://127.0.0.1:4001"]
capabilities = ["pull", "resolve"]
ca = "/etc/certs/yourdomain.crt"

[host."http://127.0.0.1:4001".header]
X-Dragonfly-Registry = "https://yourdomain.com"
```

To bypass the TLS verification for a private registry at `yourdomain.com`.

```toml
server = "https://yourdomain.com"

[host."http://127.0.0.1:4001"]
capabilities = ["pull", "resolve"]
skip_verify = true

[host."http://127.0.0.1:4001".header]
X-Dragonfly-Registry = "https://yourdomain.com"
```

Restart containerd:

```shell
systemctl restart containerd
```

#### Install Dragonfly with Helm Charts

Create a Namespace:
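Review bot: the renamed heading `### Container Registry using self-signed certificates` capitalizes "Registry" where the heading it replaces (`### Private registry using self-signed certificates`) used sentence case; suggest `### Container registry using self-signed certificates`, and the same wording in the sentence that follows it. The rest of this hunk only removes the "Install Dragonfly with Binaries" subsection so it can be re-added after the Helm Charts section in the last hunk; that relocation is fine, but worth a sentence in the PR description, because on its own this hunk reads as a deletion of the binaries instructions.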
Expand Down Expand Up @@ -554,6 +448,18 @@ manager:
config:
verbose: true
pprofPort: 18066
job:
preheat:
tls:
insecureSkipVerify: false
caCert: /etc/certs/yourdomain.crt
extraVolumes:
- name: seed-client-secret
secret:
secretName: seed-client-secret
extraVolumeMounts:
- name: seed-client-secret
mountPath: /etc/certs

scheduler:
image:
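Review bot: the new manager block sets `job.preheat.tls.caCert: /etc/certs/yourdomain.crt` and mounts a secret named `seed-client-secret` at `/etc/certs`, so the file only exists if that secret stores its data under the key `yourdomain.crt`; either state that requirement where the secret is created or make the mapping explicit with an `items:` list or `subPath`. Reusing the seed client's secret name for the manager also deserves a sentence, since a reader may expect a manager-specific secret, and please confirm the chart exposes `manager.extraVolumes` and `manager.extraVolumeMounts`: with `insecureSkipVerify: false` and no mounted CA file, the preheat TLS handshake cannot load the certificate.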
Expand All @@ -577,14 +483,10 @@ seedClient:
registryMirror:
certs: /etc/certs/yourdomain.crt
extraVolumes:
- name: logs
emptyDir: {}
- name: seed-client-secret
secret:
secretName: seed-client-secret
extraVolumeMounts:
- name: logs
mountPath: /var/log/dragonfly/dfdaemon/
- name: seed-client-secret
mountPath: /etc/certs

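Review bot: this hunk drops the `logs` emptyDir volume and its mount at `/var/log/dragonfly/dfdaemon/` from `seedClient`, which is unrelated to the self-signed certificate change this PR is about. If the removal is intentional (for example because the chart now provides the log volume itself), say so in the PR description; otherwise keep the two `logs` entries and add only the `seed-client-secret` volume and mount.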
Expand Down Expand Up @@ -651,6 +553,11 @@ manager:
config:
verbose: true
pprofPort: 18066
job:
preheat:
tls:
insecureSkipVerify: false
caCert: /etc/certs/yourdomain.crt

scheduler:
image:
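Review bot: `job.preheat.tls.caCert: /etc/certs/yourdomain.crt` is added to the manager here without the matching `extraVolumes`/`extraVolumeMounts` that the seed-peer example above adds, so unless the mount sits in the collapsed part of this file, nothing places `yourdomain.crt` into the manager pod and the preheat TLS handshake will fail to load the CA. Add the same secret volume and mount in this example, or explain where the file comes from.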
Expand Down Expand Up @@ -683,14 +590,10 @@ client:
registryMirror:
certs: /etc/certs/yourdomain.crt
extraVolumes:
- name: logs
emptyDir: {}
- name: client-secret
secret:
secretName: client-secret
extraVolumeMounts:
- name: logs
mountPath: /var/log/dragonfly/dfdaemon/
- name: client-secret
mountPath: /etc/certs
dfinit:
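Review bot: same point as for the seed client: the `logs` emptyDir volume and its `/var/log/dragonfly/dfdaemon/` mount are removed from the peer `client` block although the PR is about certificate handling; keep them unless the removal is deliberate and documented.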
Expand All @@ -708,3 +611,152 @@ client:
capabilities: ['pull', 'resolve']
skipVerify: true
```

#### Install Dragonfly with Binaries

Copy Harbor's ca.crt file to `/etc/certs/yourdomain.crt`.

```shell
cp ca.crt /etc/certs/yourdomain.crt
```

Install Dragonfly with Binaries, refer to [Binaries](../../../getting-started/installation/binaries.md).

##### Setup Manager and configure self-signed certificate

To support preheating for harbor with self-signed certificates, the Manager configuration needs to be modified.

Configure Manager yaml file, The default path in Linux is `/etc/dragonfly/manager.yaml` in linux,
refer to [Manager](../../../reference/configuration/manager.md).

> Notice: `yourdomain.crt` is Harbor's ca.crt.

```shell
job:
# Preheat configuration.
preheat:
# registryTimeout is the timeout for requesting registry to get token and manifest.
registryTimeout: 1m
tls:
# insecureSkipVerify controls whether a client verifies the server's certificate chain and hostname.
insecureSkipVerify: false
# # caCert is the CA certificate for preheat tls handshake, it can be path or PEM format string.
caCert: /etc/certs/yourdomain.crt
```

Skip TLS verification, set `job.preheat.tls.insecureSkipVerify` to true.

```shell
job:
# Preheat configuration.
preheat:
# registryTimeout is the timeout for requesting registry to get token and manifest.
registryTimeout: 1m
tls:
# insecureSkipVerify controls whether a client verifies the server's certificate chain and hostname.
insecureSkipVerify: true
# # caCert is the CA certificate for preheat tls handshake, it can be path or PEM format string.
# caCert: ''
```

##### Setup Dfdaemon as Seed Peer and configure self-signed certificate

Configure Dfdaemon yaml file, The default path in Linux is `/etc/dragonfly/dfdaemon.yaml` in linux,
refer to [Dfdaemon](../../../reference/configuration/client/dfdaemon.md).

```shell
manager:
addrs:
- http://dragonfly-manager:65003
seedPeer:
enable: true
type: super
clusterID: 1
proxy:
registryMirror:
# addr is the default address of the registry mirror. Proxy will start a registry mirror service for the
# client to pull the image. The client can use the default address of the registry mirror in
# configuration to pull the image. The `X-Dragonfly-Registry` header can instead of the default address
# of registry mirror.
addr: https://yourdomain.com
## certs is the client certs path with PEM format for the registry.
## If registry use self-signed cert, the client should set the
## cert for the registry mirror.
certs: /etc/certs/yourdomain.crt
```

##### Setup Dfdaemon as Peer and configure self-signed certificate

Configure Dfdaemon yaml file, The default path in Linux is `/etc/dragonfly/dfdaemon.yaml` in linux,
refer to [Dfdaemon](../../../reference/configuration/client/dfdaemon.md).

```shell
manager:
addrs:
- http://dragonfly-manager:65003
proxy:
registryMirror:
# addr is the default address of the registry mirror. Proxy will start a registry mirror service for the
# client to pull the image. The client can use the default address of the registry mirror in
# configuration to pull the image. The `X-Dragonfly-Registry` header can instead of the default address
# of registry mirror.
addr: https://yourdomain.com
## certs is the client certs path with PEM format for the registry.
## If registry use self-signed cert, the client should set the
## cert for the registry mirror.
certs: /etc/certs/yourdomain.crt
```

##### Configure containerd self-signed certificate

Modify your `config.toml` (default location: `/etc/containerd/config.toml`), refer to [registry-configuration-examples](https://github.com/containerd/containerd/blob/main/docs/hosts.md#registry-configuration---examples).

> Notice: config_path is the path where containerd looks for registry configuration files.

```toml
# explicitly use v2 config format
version = 2

[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
```

Create the registry configuration file `/etc/containerd/certs.d/yourdomain.com/hosts.toml`:

> Notice: `https://yourdomain.com` is the Harbor service address.

```toml
server = "https://yourdomain.com"

[host."http://127.0.0.1:4001"]
capabilities = ["pull", "resolve"]
ca = "/etc/certs/yourdomain.crt"

[host."http://127.0.0.1:4001".header]
X-Dragonfly-Registry = "https://yourdomain.com"
```

To bypass the TLS verification for a private registry at `yourdomain.com`.

```toml
server = "https://yourdomain.com"

[host."http://127.0.0.1:4001"]
capabilities = ["pull", "resolve"]
skip_verify = true

[host."http://127.0.0.1:4001".header]
X-Dragonfly-Registry = "https://yourdomain.com"
```

Restart containerd:

```shell
systemctl restart containerd
```

##### containerd downloads harbor images through Dragonfly

```shell
crictl pull yourdomain.com/alpine:3.19
```
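Review bot: the two Manager examples and the two Dfdaemon examples are YAML but their fences are tagged ```shell; tag them ```yaml (the containerd blocks already use ```toml correctly). The `insecureSkipVerify: true` Manager variant and the `skip_verify = true` hosts.toml variant are presented as plain alternatives to the CA-based configuration; since the in-file comment itself says the flag disables certificate chain and hostname verification, suggest labelling both as suitable for test environments only and keeping the `caCert`/`ca` form as the recommended one. Minor wording: "Configure Manager yaml file, The default path in Linux is `/etc/dragonfly/manager.yaml` in linux" repeats "in Linux" and should read "Configure the Manager YAML file; the default path on Linux is `/etc/dragonfly/manager.yaml`" (the two Dfdaemon sentences have the same problem); the comment `# # caCert is the CA certificate` has a doubled `#`; "To bypass the TLS verification for a private registry at `yourdomain.com`." is a sentence fragment; and "harbor" in the last heading should be "Harbor".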