mirrors."docker.io" is ignored #5612

Closed
jclab-joseph opened this issue Mar 14, 2024 · 13 comments

@jclab-joseph

Environmental Info:
RKE2 Version:

rke2 version v1.26.11+rke2r1 (7ee1cfc93db32d05f3270711b24c429515019e8a)
go version go1.20.11 X:boringcrypto

Node(s) CPU architecture, OS, and Version:

Linux ... 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Cluster Configuration:
2 servers

Describe the bug:

Only docker.io in registries.yaml is ignored.

Steps To Reproduce:

  1. Install RKE2

  2. Write /etc/rancher/rke2/registries.yaml

mirrors:
  "docker.io":
    endpoint":
      - "http://10.43.251.176:15001/v2/docker.io/"
  "ghcr.io":
    endpoint:
      - "http://10.43.251.176:15001/v2/ghcr.io/"
  "quay.io":
    endpoint:
      - "http://10.43.251.176:15001/v2/quay.io/"
  "k8s.gcr.io":
    endpoint:
      - "http://10.43.251.176:15001/v2/k8s.gcr.io/"

  3. Restart with systemctl restart rke2-server.service

  4. Wrong containerd config.toml

/var/lib/rancher/rke2/agent/etc/containerd/config.toml

# File generated by rke2. DO NOT EDIT. Use config.toml.tmpl instead.
version = 2

[plugins."io.containerd.internal.v1.opt"]
  path = "/var/lib/rancher/rke2/agent/containerd"
[plugins."io.containerd.grpc.v1.cri"]
  stream_server_address = "127.0.0.1"
  stream_server_port = "10010"
  enable_selinux = false
  enable_unprivileged_ports = true
  enable_unprivileged_icmp = true
  sandbox_image = "index.docker.io/rancher/pause:3.6"

[plugins."io.containerd.grpc.v1.cri".containerd]
  snapshotter = "overlayfs"
  disable_snapshot_annotations = true



[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  runtime_type = "io.containerd.runc.v2"

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
  SystemdCgroup = true



[plugins."io.containerd.grpc.v1.cri".registry.mirrors]

[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
  endpoint = []


[plugins."io.containerd.grpc.v1.cri".registry.mirrors."ghcr.io"]
  endpoint = ["http://10.43.251.176:15001/v2/ghcr.io/"]


[plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
  endpoint = ["http://10.43.251.176:15001/v2/k8s.gcr.io/"]


[plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]
  endpoint = ["http://10.43.251.176:15001/v2/quay.io/"]

Expected behavior:

Like everything else, docker.io also needs to have an endpoint applied.

Actual behavior:

Only docker.io in registries.yaml is ignored.

@brandond
Member

Is your registry v2 API really at /v2/docker.io/, or are you trying to prepend docker.io/ to the image names when you pull them from your registry?

I suspect that what you want is:

mirrors:
  "docker.io":
    endpoint:
      - "http://10.43.251.176:15001/v2"
    rewrite:
      "(.*)": "docker.io/$1"
  "ghcr.io":
    endpoint:
      - "http://10.43.251.176:15001/v2"
    rewrite:
      "(.*)": "ghcr.io/$1"
  "quay.io":
    endpoint:
      - "http://10.43.251.176:15001/v2"
    rewrite:
      "(.*)": "quay.io/$1"
  "k8s.gcr.io":
    endpoint:
      - "http://10.43.251.176:15001/v2"
    rewrite:
      "(.*)": "k8s.gcr.io/$1"

@brandond
Member

brandond commented Mar 14, 2024

I would also encourage you to try this again with a more recent release of RKE2. We have made significant changes to containerd registry mirror handling in the last few releases, and no longer write the mirror config into config.toml at all.

@jclab-joseph
Author

jclab-joseph commented Mar 14, 2024

@brandond
I configured nexus(cache) + docker-path-proxy for an airgap environment. The URL is correct.

We are in an environment where it is so difficult to upgrade rke2... 🥲

@brandond
Member

brandond commented Mar 14, 2024

A better choice would be to use a namespace-aware registry mirror. containerd already passes the original registry namespace as the ns query parameter in the request URI when pulling from a mirror, you don't have to make it part of the registry API path.
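The two mirror layouts discussed in this thread, as an added example that is not part of the issue or of RKE2/containerd code: the reporter's path-embedded layout (endpoint ending in /v2/docker.io/), the rewrite-rule layout from the suggested registries.yaml (endpoint /v2 plus "(.*)" → "docker.io/$1"), and the namespace-aware layout where the upstream registry travels in the ns query parameter. The rewrite semantics modelled here (rules tried in order, pattern must match the whole repository path, Go-style $1 references) are an assumption of this example, as are the helper names; the mirror address is the one from the thread.

```python
import re
from urllib.parse import urlencode

# Constructed for this example: the mirror endpoint and the rewrite rules from the
# suggested registries.yaml above. Replacement strings keep the Go-style "$1"
# back-references exactly as they appear in the YAML.
MIRROR_ENDPOINT = "http://10.43.251.176:15001/v2"
REWRITES = {
    "docker.io": [("(.*)", "docker.io/$1")],
    "ghcr.io": [("(.*)", "ghcr.io/$1")],
    "quay.io": [("(.*)", "quay.io/$1")],
    "k8s.gcr.io": [("(.*)", "k8s.gcr.io/$1")],
}


def go_replacement_to_python(repl):
    """Translate Go's $1 / ${1} group references into Python's \\1 form."""
    return re.sub(r"\$\{?(\d+)\}?", r"\\\1", repl)


def apply_rewrites(registry, repository):
    """Apply the first rewrite rule whose pattern matches the whole repository path.

    Assumption of this example: rules are tried in order and must match the full
    path. With "(.*)" every repository matches, so the registry name is prefixed.
    """
    for pattern, repl in REWRITES.get(registry, []):
        match = re.fullmatch(pattern, repository)
        if match:
            return match.expand(go_replacement_to_python(repl))
    return repository


def manifest_url_path_style(registry, repository, reference):
    """The reporter's layout: the upstream registry name is embedded in the API path."""
    return f"{MIRROR_ENDPOINT}/{registry}/{repository}/manifests/{reference}"


def manifest_url_rewrite_style(registry, repository, reference):
    """Endpoint .../v2 plus a rewrite rule, as in the suggested config."""
    rewritten = apply_rewrites(registry, repository)
    return f"{MIRROR_ENDPOINT}/{rewritten}/manifests/{reference}"


def manifest_url_ns_style(registry, repository, reference):
    """Namespace-aware mirror: plain OCI path plus the ns query parameter."""
    query = urlencode({"ns": registry})
    return f"{MIRROR_ENDPOINT}/{repository}/manifests/{reference}?{query}"


if __name__ == "__main__":
    for fn in (manifest_url_path_style, manifest_url_rewrite_style, manifest_url_ns_style):
        print(fn.__name__, fn("docker.io", "rancher/pause", "3.6"))
```

Running it shows that the rewrite layout produces exactly the same request URL as the path-embedded layout, so the suggested config reaches the same backend without putting the namespace into the endpoint; the ns variant is what a mirror that honours the query parameter would receive instead.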

@brandond
Member

brandond commented Mar 14, 2024

You're going to need to upgrade one way or another in order to get this fixed, regardless of whether it's been fixed already, or will be fixed in the future.

@brandond
Member

brandond commented Mar 14, 2024

I will say that there still does appear to be something wrong with handling of mirror endpoint paths that contain docker.io though... so I suspect there is something else going on. I'll have to dig into it a bit.

Can you modify your docker-path-proxy thing to use the ns query parameter, instead of embedding it in the registry API path?

@jclab-joseph
Author

Since docker-path-proxy is behind nexus, it cannot be used for ns unless nexus is modified.

I also checked that the problem still exists in the latest rke2.

rke2 version v1.27.11+rke2r1 (6665618680112568f79b1f5992aecf4655e3cf8b)
go version go1.21.7 X:boringcrypto
time="2024-03-14T02:17:12.259279453Z" level=error msg="PullImage \"index.docker.io/rancher/rke2-cloud-provider:v1.26.3-build20230406\" failed" error="rpc error: code = DeadlineExceeded desc = failed to pull and unpack image \"docker.io/rancher/rke2-cloud-provider:v1.26.3-build20230406\": failed to resolve reference \"docker.io/rancher/rke2-cloud-provider:v1.26.3-build20230406\": failed to do request: Head \"https://registry-1.docker.io/v2/rancher/rke2-cloud-provider/manifests/v1.26.3-build20230406\": dial tcp 54.236.113.205:443: i/o timeout"
time="2024-03-14T02:18:58.268390657Z" level=error msg="PullImage \"ghcr.io/jc-lab/docker-path-proxy-go:tag-0.1.2\" failed" error="rpc error: code = DeadlineExceeded desc = failed to pull and unpack image \"ghcr.io/jc-lab/docker-path-proxy-go:tag-0.1.2\": failed to resolve reference \"ghcr.io/jc-lab/docker-path-proxy-go:tag-0.1.2\": failed to do request: Head \"https://ghcr.io/v2/jc-lab/docker-path-proxy-go/manifests/tag-0.1.2\": dial tcp 20.200.245.241:443: i/o timeout"

Just curious, if not in config.toml, where is the registry information stored in the latest rke2? Is containerd's config.toml completely deprecated?

@brandond
Member

brandond commented Mar 14, 2024

@brandond
Member

brandond commented Mar 14, 2024

My understanding was that nexus already supports the ns query parameter for passing through the original registry namespace. If you're using nexus, why do you need to also modify the path?

@jclab-joseph
Author

jclab-joseph commented Mar 14, 2024

I understand that nexus does not have any processing for "ns" queries.
So, we created one docker registry(10.43.251.176:15001 is just one docker registry) in nexus and recognized the namespace as part of the path.

docker-path-proxy behind nexus recognizes the first part of the path as a domain, so when nexus finds an image called "(proxy)/docker.io/hello/world:1.2.3", it goes to hello/world in docker.io.

@brandond
Member

brandond commented Mar 14, 2024

I'm not sure how, but I've worked with several users who have nexus doing the same thing with the ns query parameter that you're doing with the path. I'm not sure if they're doing it directly in nexus, or with nginx or haproxy in front of it rewriting the requests. Based on what you're doing, I suspect it may be the latter.

@brandond
Member

brandond commented Mar 15, 2024

OK this had me stumped for WAYYYYYY too long. There is no bug in RKE2. You have an extra trailing quote in your YAML. It's valid, but the key is endpoint" not endpoint. The unknown key is ignored when deserializing the struct, so you have no endpoints listed.

mirrors:
  "docker.io":
    endpoint":
      - "http://10.43.251.176:15001/v2/docker.io/"

My eyes just didn't want to see it, I had to convert it to JSON to actually notice it:

{
  "mirrors": {
    "quay.io": {
      "endpoint": [
        "http://10.43.251.176:15001/v2/quay.io/"
      ]
    }, 
    "k8s.gcr.io": {
      "endpoint": [
        "http://10.43.251.176:15001/v2/k8s.gcr.io/"
      ]
    }, 
    "docker.io": {
      "endpoint\"": [
        "http://10.43.251.176:15001/v2/docker.io/"
      ]
    }, 
    "ghcr.io": {
      "endpoint": [
        "http://10.43.251.176:15001/v2/ghcr.io/"
      ]
    }
  }
}
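The failure mode brandond describes, a valid document whose misspelled key is silently dropped by a lenient struct deserializer, is easy to catch with a strict key check before the file is installed. This added example (not code from the issue or from RKE2) takes the JSON form he pasted as constructed input, models the lenient load that leaves docker.io with no endpoints, and runs a strict pass that reports the unknown key together with the closest valid one. The set of valid per-mirror keys is limited to the two used in this thread, endpoint and rewrite, and the function names are this example's own.

```python
import difflib
import json

# Constructed input for this example: the JSON form of the reporter's registries.yaml
# as pasted above. The docker.io entry carries the stray quote in its key (endpoint").
REGISTRIES_JSON = r'''
{
  "mirrors": {
    "quay.io":    {"endpoint":   ["http://10.43.251.176:15001/v2/quay.io/"]},
    "k8s.gcr.io": {"endpoint":   ["http://10.43.251.176:15001/v2/k8s.gcr.io/"]},
    "docker.io":  {"endpoint\"": ["http://10.43.251.176:15001/v2/docker.io/"]},
    "ghcr.io":    {"endpoint":   ["http://10.43.251.176:15001/v2/ghcr.io/"]}
  }
}
'''

# Per-mirror keys this example treats as valid: the two used in this thread.
# Anything else is what a lenient unmarshal drops without complaint.
MIRROR_KEYS = ("endpoint", "rewrite")


def load_doc():
    """Parse the constructed document."""
    return json.loads(REGISTRIES_JSON)


def lenient_endpoints(doc):
    """Model the lenient deserialization: unknown keys vanish, so docker.io ends up with []."""
    return {reg: mirror.get("endpoint", []) for reg, mirror in doc.get("mirrors", {}).items()}


def find_unknown_keys(doc):
    """Strict pass: (registry, bad_key, closest_valid_key) for every key a lenient load drops."""
    findings = []
    for reg, mirror in doc.get("mirrors", {}).items():
        for key in mirror:
            if key not in MIRROR_KEYS:
                close = difflib.get_close_matches(key, MIRROR_KEYS, n=1)
                findings.append((reg, key, close[0] if close else None))
    return findings


def mirrors_without_endpoints(doc):
    """Registries that would fall through to the upstream because no endpoint survived."""
    return sorted(reg for reg, eps in lenient_endpoints(doc).items() if not eps)


if __name__ == "__main__":
    doc = load_doc()
    for reg, key, hint in find_unknown_keys(doc):
        suffix = f" (did you mean {hint!r}?)" if hint else ""
        print(f"{reg}: unknown key {key!r}{suffix}")
    print("mirrors with no endpoint after lenient load:", mirrors_without_endpoints(doc))
```

The same check applies unchanged to the YAML once it is loaded into a dict; the point is that a registry with an empty endpoint list after loading is exactly the symptom seen in the generated config.toml (endpoint = []), and the strict pass names the key that caused it.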

@jclab-joseph
Author

@brandond OMG... I didn't see it at all. I'm sorry for my mistake, and thank you for finding my mistake.
