Can containerd set a http proxy to download image?

[allencloud]

Hi, All,

Here I have a question for containerd. Do container support setting a proxy when downloading images?

We all know that in docker, we can set a proxy to help download images. While I think contained 1.0.0 starts to take over the image downloading things.

~ # dockerd --help | grep proxy
      --userland-proxy                          Use userland proxy for loopback traffic (default true)
      --userland-proxy-path string              Path to the userland proxy binary

Does container support this? If not, is this in the roadmap of containerd? Maybe we can contribute to this.

Thanks.

[cpuguy83]

@allencloud containerd does not download images itself, this operation is all performed on the client.

In the case of dockerd... currently dockerd still performs all pull operations and is not using the image/content store provided by containerd, but even if/when dockerd does rely on containerd for this, dockerd will still do the actual pull and shove the pits into containerd.

[stevvooe]

@allencloud ctr should honor http_proxy env variable. Give that a try and let me know if there is a problem.

[stevvooe]

@allencloud Closing this, as we have solution. If that doesn't work, let me know.

[hmtai]

@stevvooe another question:
yeah, ctr can pull images with the env variable http_proxy, but crictl cannot~

[crosbymichael]

@hmtai that should be a PR to crictl to honor the env var

[hmtai]

@crosbymichael yeah,I really need this feature. Does anyone else prepare to do this?Anyway,that's very kind of you to answer my question.

[dmcgowan]

With crictl, I believe the pull will be done by the cri plugin in the containerd daemon. Have you tried setting HTTP_PROXY on the daemon?

[varuntalus]

I am trying to setup kubernetes cluster with containerd 1.1. But when I am running kubeadm init, the setup is failing because the required images are not getting pulled. I have proper proxy setting in place but still images are not getting pulled.

Please find below the logs:

# kubeadm init --kubernetes-version=1.11.0 --token-ttl=0 --cri-socket=/var/run/containerd/containerd.sock

I0706 20:29:14.471588 30718 feature_gate.go:230] feature gates: &{map[]}
[init] using Kubernetes version: v1.11.0
[preflight] running pre-flight checks
[WARNING HTTPProxy]: Connection to "https://192.X.X.X" uses proxy "https://X.X.X.X:XXXX/". If that is not intended, adjust your proxy settings
[WARNING HTTPProxyCIDR]: connection to "10.96.X.X/XX" uses proxy "https://X.X.X.X:XXXX/". This may lead to malfunctional cluster setup. Make sure that Pod and Services IP ranges specified correctly as exceptions in proxy configuration
I0706 20:29:14.500644 30718 kernel_validator.go:81] Validating kernel version
I0706 20:29:14.500840 30718 kernel_validator.go:96] Validating kernel config
[preflight/images] Pulling images required for setting up a Kubernetes cluster
[preflight/images] This might take a minute or two, depending on the speed of your internet connection
[preflight/images] You can also perform this action in beforehand using 'kubeadm config images pull'
[preflight] Some fatal errors occurred:
[ERROR ImagePull]: failed to pull image [k8s.gcr.io/kube-apiserver-amd64:v1.11.0]: exit status 1
[ERROR ImagePull]: failed to pull image [k8s.gcr.io/kube-controller-manager-amd64:v1.11.0]: exit status 1
[ERROR ImagePull]: failed to pull image [k8s.gcr.io/kube-scheduler-amd64:v1.11.0]: exit status 1
[ERROR ImagePull]: failed to pull image [k8s.gcr.io/kube-proxy-amd64:v1.11.0]: exit status 1
[ERROR ImagePull]: failed to pull image [k8s.gcr.io/pause-amd64:3.1]: exit status 1
[ERROR ImagePull]: failed to pull image [k8s.gcr.io/etcd-amd64:3.2.18]: exit status 1
[ERROR ImagePull]: failed to pull image [k8s.gcr.io/coredns:1.1.3]: exit status 1
[preflight] If you know what you are doing, you can make a check non-fatal with --ignore-preflight-errors=...

[dmcgowan]

I have proper proxy setting in place but still images are not getting pulled.

How so, can you test this by using crictl to see if pull works? The containerd process should have the proxy set, cri just appears to be using the default client which gets the proxy configuration from the environment of the containerd process.

[hchenxa]

add a environment variable in containerd can work fine in my environment, and the service file like below:

[Service]
ExecStartPre=/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerd
Restart=always
Environment="HTTP_PROXY=http://9.21.61.141:3128/"

[varuntalus]

@hchenxa

I made the entries in service file and it worked. Thanks!

[bengbeng-pp]

Can containerd set multiple http proxy to download image? Similar to docker，When there is a problem with the first http proxy, downgrade to the second http proxy。

[crstian19]

You can use HTTP_PROXY=http://your-proxy ctr images pull k8s.gcr.io/pause:3.2 command to download an image for example.

[ghost]

You can use HTTP_PROXY=http://your-proxy ctr images pull k8s.gcr.io/pause:3.2 command to download an image for example.

Solved my problem, thanks 😃