validate CRI v1 image API for endpoint "unix:///run/containerd/containerd.sock"

1. Symptom

pull image failed: Failed to exec command: sudo -E /bin/bash -c "env PATH=$PATH crictl pull 172.23.123.117:8443/kubesphereio/pause:3.9"

FATA[0000] validate service connection: validate CRI v1 image API for endpoint "unix:///run/containerd/containerd.sock": rpc error: code = Unimplemented desc = unknown service runtime.v1.ImageService: Process exited with status 1

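2. Cause

This error indicates that crictl cannot communicate with the container runtime (such as containerd) using its current configuration. Specifically, crictl is trying to use the CRI v1 ImageService API, but the target endpoint (containerd) does not appear to implement that service, or its configuration is incorrect.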

3. Solution

3.1 Check the current crictl configuration

cat /etc/crictl.yaml

The output shows that crictl is using containerd; the error is reported when containerd does not have CRI support enabled.

3.2 Test with the ctr command

ctr plugins ls

3.3 Test the connection with crictl

sudo crictl --runtime-endpoint unix:///run/containerd/containerd.sock info

3.4 Edit containerd's config.toml configuration file

vi /etc/containerd/config.toml

# "cri" must not be listed here, otherwise containerd does not serve the CRI API
disabled_plugins = []

[plugins."io.containerd.grpc.v1.cri"]
  enable_selinux = false
  sandbox_image = "172.23.123.117:8443/kubesphereio/pause:3.9"

  [plugins."io.containerd.grpc.v1.cri".registry]
    [plugins."io.containerd.grpc.v1.cri".registry.configs]
      # containerd reads the certificate paths from the registry's .tls sub-table;
      # the verification switch is spelled insecure_skip_verify there
      [plugins."io.containerd.grpc.v1.cri".registry.configs."172.23.123.117:8443".tls]
        cert_file = "/etc/containerd/certs.d/172.23.123.117:8443/172.23.123.117.cert"
        key_file = "/etc/containerd/certs.d/172.23.123.117:8443/172.23.123.117.key"
        ca_file = "/etc/containerd/certs.d/172.23.123.117:8443/ca.crt"
        insecure_skip_verify = false

    [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.k8s.io"]
        endpoint = ["https://172.23.123.117:8443"]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
        endpoint = ["https://172.23.123.117:8443"]

3.5 Create the certificate directory and copy the certificates:

sudo mkdir -p /etc/containerd/certs.d/172.23.123.117:8443

sudo cp /etc/docker/certs.d/172.23.123.117:8443/ca.crt /etc/containerd/certs.d/172.23.123.117:8443/ca.crt

sudo cp /etc/docker/certs.d/172.23.123.117:8443/172.23.123.117.cert /etc/containerd/certs.d/172.23.123.117:8443/172.23.123.117.cert

sudo cp /etc/docker/certs.d/172.23.123.117:8443/172.23.123.117.key /etc/containerd/certs.d/172.23.123.117:8443/172.23.123.117.key

3.6 Restart

sudo systemctl daemon-reload

sudo systemctl restart containerd

3.7 Manually test whether the image can be pulled

sudo crictl pull 172.23.123.117:8443/kubesphereio/pause:3.9
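
The following pre-flight check for the config.toml and certificate steps above is an added example, not part of the original post. It reports whether the CRI plugin is disabled and whether the TLS files named in the config exist with a private key that only its owner can read. The function names are hypothetical, and single-line TOML values are assumed.

```shell
#!/bin/sh
# Added example: pre-flight checks for a containerd config.toml.
# Assumes single-line TOML values; function names are hypothetical.

# Exit 0 when the CRI plugin is listed in disabled_plugins, the state in
# which crictl reports "unknown service runtime.v1.ImageService".
cri_disabled() {
    grep -E '^[[:space:]]*disabled_plugins[[:space:]]*=' "$1" |
        grep -Eq '"(cri|io\.containerd\.grpc\.v1\.cri)"'
}

# Print "<key> <path>" for every ca_file, cert_file and key_file setting.
tls_paths() {
    sed -n -E 's/^[[:space:]]*(ca_file|cert_file|key_file)[[:space:]]*=[[:space:]]*"([^"]*)".*/\1 \2/p' "$1"
}

# Print one finding per problem; print nothing when the files are in order.
check_tls_files() {
    tls_paths "$1" | while read -r key path; do
        if [ ! -f "$path" ]; then
            echo "missing: $key $path"
        elif [ "$key" = key_file ] &&
             [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            # Characters 5-10 of the mode string are the group/other bits.
            echo "key readable by group/other: $path"
        fi
    done
}

# Run against a real file when a path is given as the first argument.
if [ -n "${1:-}" ]; then
    cri_disabled "$1" && echo "CRI plugin is disabled in $1"
    check_tls_files "$1"
fi
```

Run it as root with /etc/containerd/config.toml as the argument before restarting containerd; any "key readable by group/other" finding can be cleared with chmod 600 on the copied key.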