Fix containerd 2.x registry TLS config via hosts.toml#5972
Merged
Conversation
Fixes #5161. containerd 2.0 removed inline registry.configs from config.toml. Migrated to per-registry hosts.toml under /etc/containerd/certs.d/ to support AL2023 (ships containerd 2.x by default) while maintaining 1.x compatibility.
- kubeadm: rewrite kubeadm_registry_containerd_configure() to use hosts.toml
- containerd addon: enable config_path in base install for future 1.x support
- gitignore: ignore AI/editor metadata and local workflow directories
emosbaugh
previously approved these changes
Apr 15, 2026
Member
Author
I'm still testing the fix in Amazon Linux 2023 and other distributions.
containerd v2.x `config default` generates config_path with colon-separated /etc/docker/certs.d suffix. The transfer service io.containerd.transfer.v1.local silently ignores such paths and never reads hosts.toml, causing registry TLS x509 verification failures. Strip the suffix to ensure hosts.toml is read. Fixes: containerd/containerd#12415
Member
Author
Sed ordering, for a fresh containerd v2.x default config:
Tested on Amazon Linux 2023 / containerd 2.2.1 / kURL kubeadm-based cluster against the latest commits.
What we verified
Config state after install.sh runs:
Both gaps we originally identified are now addressed:
End-to-end pull test passed:
Idempotent on re-run - none of the three seds match after the first apply.
Member
Author
Tested on Ubuntu 22.04 / containerd v1.7.29
Verified the containerd 1.x config and end-to-end registry flow on a kURL single-node cluster.
/etc/containerd/config.toml checks
Per-registry hosts.toml checks
End-to-end registry flow
replemos
approved these changes
Apr 20, 2026
emosbaugh
approved these changes
Apr 21, 2026
Problem
Amazon Linux 2023 ships containerd 2.x by default. containerd 2.0 removed the plugins."io.containerd.grpc.v1.cri".registry.configs inline TOML approach from config.toml, breaking registry TLS configuration.
Solution
Migrated to the hosts.toml per-registry approach under /etc/containerd/certs.d/<server>/. This is the official containerd 2.x registry configuration method and aligns with containerd's current architecture.
Changes
- kubeadm_registry_containerd_configure() to write per-registry hosts.toml files instead of appending inline TOML to config.toml
- sed to set config_path = "/etc/containerd/certs.d" for containerd 1.x forward compatibility
Fixes #5161
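The two steps described above (writing a per-registry hosts.toml, and making sure config.toml's config_path actually points at the certs.d directory, including stripping the colon-separated /etc/docker/certs.d suffix that the author's commit message says the 2.x transfer service silently ignores), as an added POSIX shell example. This is not kURL's code and not the PR's own seds; the function names, the registry name registry.example.internal:5000, the capability list in hosts.toml and the sample config.toml snippets are this example's assumptions, modelled on containerd's documented hosts.toml format and on the table names containerd 1.x and 2.x use. Every path is a parameter, so it can be exercised in a scratch directory without touching /etc.

```shell
#!/bin/sh
# Added example, not kURL's own code and not part of this PR: write a
# per-registry hosts.toml and normalise config_path in a containerd config.toml.
# All paths are parameters so the functions run against a scratch directory;
# nothing under /etc is touched. Function names are this example's own.
set -eu

# write_hosts_toml CERTS_DIR REGISTRY CA_FILE
# Writes CERTS_DIR/REGISTRY/hosts.toml telling containerd to trust CA_FILE for
# REGISTRY (host or host:port). Field names follow containerd's documented
# hosts.toml format; the capability list is this example's choice.
write_hosts_toml() {
  certs_dir=$1; registry=$2; ca_file=$3
  mkdir -p "$certs_dir/$registry"
  cat > "$certs_dir/$registry/hosts.toml" <<EOF
server = "https://$registry"

[host."https://$registry"]
  capabilities = ["pull", "resolve", "push"]
  ca = "$ca_file"
EOF
}

# config_path_value CONFIG_TOML
# Prints the value of the first config_path key. Accepts double or single
# quotes, since containerd 2.x 'config default' emits single-quoted strings.
config_path_value() {
  sed -n "s/^[[:space:]]*config_path[[:space:]]*=[[:space:]]*\([\"']\)\([^\"']*\)\1.*/\2/p" "$1" | head -n 1
}

# fix_config_path CONFIG_TOML CERTS_DIR
# Normalises config_path so containerd reads CERTS_DIR, then prints the result:
#   config_path = ""                      -> "CERTS_DIR"  (1.x default: unset)
#   config_path = "CERTS_DIR:/other/dir"  -> "CERTS_DIR"  (2.x default: colon list)
#   config_path = "CERTS_DIR"             -> unchanged    (idempotent re-run)
# The colon-separated list is collapsed because, per the thread above, the 2.x
# transfer service ignores it and hosts.toml is never read. CERTS_DIR is spliced
# into a sed BRE, so it must not contain '|', '&' or backslashes (assumption).
fix_config_path() {
  config=$1; certs_dir=$2
  tmp="$config.tmp"
  sed \
    -e "s|^\([[:space:]]*config_path[[:space:]]*=[[:space:]]*\)\([\"']\)\2|\1\2$certs_dir\2|" \
    -e "s|^\([[:space:]]*config_path[[:space:]]*=[[:space:]]*\)\([\"']\)$certs_dir:[^\"']*\2|\1\2$certs_dir\2|" \
    "$config" > "$tmp"
  mv "$tmp" "$config"
  config_path_value "$config"
}

# demo: apply both steps to a constructed snippet shaped like the containerd 2.x
# default (single-quoted TOML, colon-separated config_path) in a scratch dir.
demo() {
  scratch=$(mktemp -d)
  printf '%s\n' \
    "[plugins.'io.containerd.cri.v1.images'.registry]" \
    "  config_path = '/etc/containerd/certs.d:/etc/docker/certs.d'" \
    > "$scratch/config.toml"
  echo "config_path before: $(config_path_value "$scratch/config.toml")"
  echo "config_path after:  $(fix_config_path "$scratch/config.toml" /etc/containerd/certs.d)"
  write_hosts_toml "$scratch/certs.d" registry.example.internal:5000 \
    /etc/containerd/certs.d/registry.example.internal:5000/ca.crt
  cat "$scratch/certs.d/registry.example.internal:5000/hosts.toml"
  rm -rf "$scratch"
}

demo
```

Running the two sed expressions in one pass keeps the order the thread cares about: the empty-value rule fires first on a 1.x config, the suffix-stripping rule fires on a 2.x default, and a config that already holds the bare certs.d path matches neither, so a second run leaves the file byte-for-byte unchanged. After changing config.toml, containerd still has to be restarted for the new config_path to take effect; hosts.toml files under certs.d are picked up without a restart.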