How nerdctl build pulls a local image
Example Dockerfile:
```dockerfile
FROM docker.io/goharbor/nginx-photon:v2.6.1
```
Build command:
```shell
nerdctl -n k8s.io --insecure-registry build -t tt:v1.0 -f dockerfile .
```
- The following error appears:
```
[root@k8s-master-node1 image]# nerdctl -n k8s.io build -t tt:v1.0 -f dockerfile .
[+] Building 0.0s (3/3) FINISHED
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from dockerfile 0.0s
=> => transferring dockerfile: 81B 0.0s
=> ERROR [internal] load metadata for docker.io/goharbor/nginx-photon:v2.6.1 0.0s
------
> [internal] load metadata for docker.io/goharbor/nginx-photon:v2.6.1:
------
dockerfile:1
--------------------
1 | >>> FROM docker.io/goharbor/nginx-photon:v2.6.1
2 |
--------------------
error: failed to solve: docker.io/goharbor/nginx-photon:v2.6.1: failed to do request: Head "https://registry-1.docker.io/v2/goharbor/nginx-photon/manifests/v2.6.1": dial tcp: lookup registry-1.docker.io on [::1]:53: read udp [::1]:47169->[::1]:53: read: connection refused
FATA[0000] unrecognized image format
```
The cause is that nerdctl looks the image up on the registry named by the domain in the Dockerfile's FROM instruction; unlike Docker, it does not just use an image because a copy with that name already exists locally.
Only once nerdctl has found the image on the remote registry and checked that the local image of the same name matches it will it use the local copy to build the new image.
This is somewhat more secure, because every image name referenced during a build must then be unique, which is, after all, exactly what DNS was invented for.
In this situation, push the image to a registry and build against it.
Pushing the image to a Harbor registry
- Harbor is assumed to be installed already, at IP 192.168.100.30
```
# tag the image for the Harbor registry
[root@k8s-master-node1 image]# nerdctl -n k8s.io tag docker.io/goharbor/nginx-photon:v2.6.1 192.168.100.30/library/nginx-photon:v2.6.1
# push the image to the Harbor registry
[root@k8s-master-node1 image]# nerdctl -n k8s.io push --insecure-registry 192.168.100.30/library/nginx-photon:v2.6.1
INFO[0000] pushing as a reduced-platform image (application/vnd.docker.distribution.manifest.v2+json, sha256:4ab9d7dcefa99608c858b0d368d2b22c86ebad40110fdaeab20a02f0e0a5d384)
WARN[0000] skipping verifying HTTPS certs for "192.168.100.30"
manifest-sha256:4ab9d7dcefa99608c858b0d368d2b22c86ebad40110fdaeab20a02f0e0a5d384: waiting |--------------------------------------|
config-sha256:a4c36adb555e00fadb5e3f39f8f5e376b78fc69d2cef98923ebefe719e2922ae: waiting |--------------------------------------|
elapsed: 0.1 s total: 0.0 B (0.0 B/s)
WARN[0000] server "192.168.100.30" does not seem to support HTTPS, falling back to plain HTTP error="failed to do request: Head \"https://192.168.100.30/v2/library/nginx-photon/blobs/sha256:46e1d8c22785128c2dbdbf6dc2fbd178b124221d9aa03ca14d586ecefb56f062\": dial tcp 192.168.100.30:443: connect: connection refused"
manifest-sha256:4ab9d7dcefa99608c858b0d368d2b22c86ebad40110fdaeab20a02f0e0a5d384: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:a4c36adb555e00fadb5e3f39f8f5e376b78fc69d2cef98923ebefe719e2922ae: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 1.4 s total: 4.0 Ki (2.9 KiB/s)
```
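The successful build later in this post pulls `192.168.100.30/library/nginx-photon:v2.6.1`, so after the push the Dockerfile's FROM line has to point at the pushed name. As an added example, not part of the original post, the POSIX shell function below rewrites FROM instructions under a public prefix to the private Harbor prefix and can pin the manifest digest printed by `nerdctl push`; pinning by digest is what keeps the pull verifiable once the registry is reached over plain HTTP, because a digest cannot be satisfied by different content, while a tag can be moved. The function name `retarget_from`, the prefix arguments and the sample Dockerfile are my own constructions; the digest is the one shown in the push output above.

```shell
#!/bin/sh
# Added example, not from the original post. Rewrites the FROM instruction(s)
# of a Dockerfile read on stdin so that images under a public prefix are pulled
# from the private Harbor prefix instead, optionally pinning a sha256 digest.
#
# Usage: retarget_from PUBLIC_PREFIX PRIVATE_PREFIX [sha256:DIGEST] < Dockerfile
retarget_from() {
    pub="$1"; priv="$2"; dg="${3:-}"
    [ -n "$pub" ] && [ -n "$priv" ] || {
        echo "usage: retarget_from PUBLIC_PREFIX PRIVATE_PREFIX [sha256:DIGEST]" >&2
        return 1
    }
    awk -v pub="$pub" -v priv="$priv" -v dg="$dg" '
        toupper($1) == "FROM" {
            # the image reference is the first FROM argument that is not a flag
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^--/) continue              # e.g. --platform=linux/amd64
                if (index($i, pub) == 1) {
                    ref = substr($i, length(pub) + 1) # part after the public prefix
                    if (dg != "") {
                        sub(/@sha256:[0-9a-f]+$/, "", ref) # replace any existing digest
                        ref = ref "@" dg
                    }
                    $i = priv ref
                }
                break
            }
        }
        { print }'   # every other line (RUN, COPY, ...) passes through unchanged
}

# Constructed sample: the post's one-line Dockerfile, retargeted to the Harbor
# host 192.168.100.30 and pinned to the manifest digest printed by nerdctl push.
HARBOR_DIGEST="sha256:4ab9d7dcefa99608c858b0d368d2b22c86ebad40110fdaeab20a02f0e0a5d384"
printf 'FROM docker.io/goharbor/nginx-photon:v2.6.1\n' \
    | retarget_from docker.io/goharbor/ 192.168.100.30/library/ "$HARBOR_DIGEST"
```

Run it as `retarget_from docker.io/goharbor/ 192.168.100.30/library/ "$HARBOR_DIGEST" < dockerfile > dockerfile.harbor` and build with `-f dockerfile.harbor`; BuildKit accepts the `name:tag@sha256:...` form, as the resolve line in the successful build output shows, and refuses the build if the registry returns content with a different digest.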
Building directly connects over HTTPS by default, so the build fails:
```
[root@k8s-master-node1 image]# nerdctl -n k8s.io build -t tt:v1.0 -f dockerfile .
[+] Building 0.0s (3/3) FINISHED
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from dockerfile 0.0s
=> => transferring dockerfile: 81B 0.0s
=> ERROR [internal] load metadata for docker.io/goharbor/nginx-photon:v2.6.1 0.0s
------
> [internal] load metadata for docker.io/goharbor/nginx-photon:v2.6.1:
------
dockerfile:1
--------------------
1 | >>> FROM docker.io/goharbor/nginx-photon:v2.6.1
2 |
--------------------
error: failed to solve: docker.io/goharbor/nginx-photon:v2.6.1: failed to do request: Head "https://registry-1.docker.io/v2/goharbor/nginx-photon/manifests/v2.6.1": dial tcp: lookup registry-1.docker.io on [::1]:53: read udp [::1]:47169->[::1]:53: read: connection refused
```
nerdctl and buildkitd both connect over HTTPS by default for security, so the configuration files have to be changed to allow access to an insecure registry.
```shell
mkdir /etc/{buildkit,nerdctl}
cat <<EOF >/etc/buildkit/buildkitd.toml
[registry."harbor.wyh.net"] # replace harbor.wyh.net with your own Harbor address
http = true
insecure = true
EOF
cat <<EOF >/etc/nerdctl/nerdctl.toml
namespace = "k8s.io"
debug = false
debug_full = false
insecure_registry = true
EOF
# reload the unit files and restart buildkitd so the configuration takes effect
systemctl daemon-reload
systemctl restart buildkit*
```
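The `http = true` / `insecure = true` stanza above turns off both encryption and certificate verification for that host, and `insecure_registry = true` in nerdctl.toml does the same for every registry nerdctl talks to. Once Harbor is served over TLS, the documented buildkitd.toml alternative is to keep HTTPS and pin Harbor's CA with the `ca = [...]` key. As an added example, not part of the original post, the POSIX shell script below generates the registry stanza in either mode and includes a small policy check that fails when a stanza downgrades to plain HTTP. The function names, `OUT_DIR`, and the CA path `/etc/buildkit/certs/harbor-ca.crt` are my own placeholders; the Harbor host is the one used in this post.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the registry stanza for
# /etc/buildkit/buildkitd.toml in one of two modes:
#   insecure : the post's setting (plain HTTP, no certificate verification)
#   ca       : HTTPS with the Harbor CA certificate pinned, which keeps image
#              metadata and blobs authenticated
# Both key sets (http/insecure and ca) are documented buildkitd.toml options.
# The script writes into $OUT_DIR (a temp dir by default) so it can be run and
# inspected without root; copy the result to /etc/buildkit/buildkitd.toml and
# restart buildkitd as the post does.

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# Print the [registry."HOST"] stanza for the requested mode.
buildkit_registry_stanza() {
    host="$1"; mode="$2"; ca="${3:-}"
    [ -n "$host" ] || { echo "registry host required" >&2; return 1; }
    case "$mode" in
        insecure)
            printf '[registry."%s"]\n  http = true\n  insecure = true\n' "$host" ;;
        ca)
            [ -n "$ca" ] || { echo "ca mode needs the CA certificate path" >&2; return 1; }
            printf '[registry."%s"]\n  ca = ["%s"]\n' "$host" "$ca" ;;
        *)
            echo "mode must be insecure or ca, got: $mode" >&2; return 1 ;;
    esac
}

# Write the stanza to $OUT_DIR/buildkitd.toml and print the file path.
write_buildkitd_toml() {
    buildkit_registry_stanza "$@" > "$OUT_DIR/buildkitd.toml" || return 1
    printf '%s\n' "$OUT_DIR/buildkitd.toml"
}

# Policy check a CI job can run before deploying the file: succeed (0) only if
# no registry stanza in FILE downgrades to plain HTTP or skips verification.
buildkitd_toml_is_tls_only() {
    ! grep -Eq '^[[:space:]]*(http|insecure)[[:space:]]*=[[:space:]]*true' "$1"
}

# Constructed sample for the post's Harbor host; the CA path is a placeholder.
f=$(write_buildkitd_toml 192.168.100.30 ca /etc/buildkit/certs/harbor-ca.crt)
cat "$f"
```

The `ca` mode covers buildkitd only. For the nerdctl side, instead of the global `insecure_registry = true`, nerdctl also honours per-host `hosts.toml` files under its `--hosts-dir` (by default `/etc/containerd/certs.d/<HOST:PORT>/`), where the same CA can be referenced with a `ca` entry for that host; treat the exact file layout as something to confirm against the nerdctl registry documentation for the version in use.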
Rebuild; it now succeeds:
```
[root@k8s-master-node1 image]# nerdctl -n k8s.io build -t tt:v1.0 -f dockerfile .
[+] Building 3.7s (6/6) FINISHED
=> [internal] load build definition from dockerfile 0.0s
=> => transferring dockerfile: 85B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for 192.168.100.30/library/nginx-photon:v2.6.1 0.1s
=> [auth] library/nginx-photon:pull token for 192.168.100.30 0.0s
=> [1/1] FROM 192.168.100.30/library/nginx-photon:v2.6.1@sha256:4ab9d7dcefa99608c858b0d368d2b22c86ebad40110fdaeab20a02f0e0a5d384 0.0s
=> => resolve 192.168.100.30/library/nginx-photon:v2.6.1@sha256:4ab9d7dcefa99608c858b0d368d2b22c86ebad40110fdaeab20a02f0e0a5d384 0.0s
=> exporting to oci image format 3.5s
=> => exporting layers 0.0s
=> => exporting manifest sha256:7bf31ceab135908d769a90f1e8cb8f315889f74af21b55e56d6592b9af951c2c 0.0s
=> => exporting config sha256:645185694d62c6b83f171cd43c057fb2a6ce4f0185d3ecacb35294b223a19ea9 0.0s
=> => sending tarball 3.5s
unpacking docker.io/library/tt:v1.0 (sha256:7bf31ceab135908d769a90f1e8cb8f315889f74af21b55e56d6592b9af951c2c)...
Loaded image: docker.io/library/tt:v1.0
```
Connecting containerd to a private Harbor registry: for the related steps, see zhuanlan.zhihu.com/p/539312133.