Login to an insecure container registry¶
When you need to Pull or Push images from an insecure container registry, you may encounter the x509: certificate signed by unknown authority error. This occurs when the container registry is either using the http protocol or the https certificate is self-signed.
I will explain how to resolve this issue using three different runtimes, using test.registry.com as an example.
Docker¶
Add the following configuration to the /etc/docker/daemon.json file:
After making the changes, restart Docker using the command systemctl restart docker
containerd¶
There are two methods to configure an insecure registry in containerd: a new method introduced in version 1.4, and an old method that existed until version 2.0.
New Method¶
Edit the /etc/containerd/config.toml file and locate the config_path configuration option, which has a default value of /etc/containerd/certs.d.
Create a folder inside the /etc/containerd/certs.d directory named after your registry, such as test.registry.com, and create a hosts.toml file inside it.
If the registry includes a port number, you also need to run:
server = "http://test.registry.com"
[host."http://test.registry.com"]
capabilities = ["pull", "resolve", "push"]
skip_verify = true
After configuring, there is no need to restart. You can use it directly.
Old Method¶
Add the following configuration to the /etc/containerd/config.toml file:
[plugins."io.containerd.grpc.v1.cri".registry.configs."test.registry.com".tls]
insecure_skip_verify = true
After making the changes, restart containerd: systemctl restart containerd.
CRI-O¶
Modify the /etc/crio/crio.conf configuration file:
Restart crio: systemctl restart crio.