首页 > 网站技巧 > 服务器 > 云和虚拟化 > 云其它 > containerd2.x配置Harbor私有仓库

containerd2.x配置Harbor私有仓库实践

2026-05-11 16:16:08 作者：小小的木头人

文章主要介绍了两种配置containerd2.x连接Harbor私有仓库的方法,推荐使用certs.d方式,无需修改config.toml,更简洁,同时,对于特定环境下的HTTPS + 自签名证书问题,给出了通过hosts.toml配置和修改config.toml配置两种方案,并强调了不同环境下的注意事项和配置验证方法

containerd 2.x 配置 Harbor 私有仓库，推荐两种方式：

方式一（推荐）：certs.d方式（containerd 1.5+ / 2.x 推荐）

这种方式不用改 config.toml，更干净。

假设 Harbor 地址：

192.168.30.221

1. 创建目录

sudo mkdir -p /etc/containerd/certs.d/192.168.30.221

2. 创建hosts.toml

sudo vi /etc/containerd/certs.d/192.168.30.221/hosts.toml

内容：

如果是 HTTP（内网常用）

server = "http://192.168.30.221"

[host."http://192.168.30.221"]
  capabilities = ["pull", "resolve", "push"]
  skip_verify = true

排错

出现错误

HTTP/1.1 308 Permanent Redirect
Location: https://10.2.2.240:443/v2/

说明 Harbor 强制 HTTP 跳转 HTTPS，不是纯 HTTP，需要将 hosts.toml 改为

server = "https://192.168.30.221"

[host."https://192.168.30.221"]
  capabilities = ["pull", "resolve", "push"]
  skip_verify = true

最后现象

root@master:/etc/containerd# sudo ctr images pull \
  --hosts-dir /etc/containerd/certs.d \
  --user admin:Aa12345 \
  192.168.30.221/library/mysql:latest
192.168.30.221/library/mysql:latest         	saved	
└──manifest (88b1423f0c31)              	complete   	|++++++++++++++++++++++++++++++++++++++|	
   ├──config (2c5440daffa8)             	complete   	|++++++++++++++++++++++++++++++++++++++|	
   ├──layer (4ea0fa0ace0c)              	extracted  	|++++++++++++++++++++++++++++++++++++++|	
   ├──layer (9effc86d91a3)              	extracted  	|++++++++++++++++++++++++++++++++++++++|	
   ├──layer (500d7b2546c4)              	extracted  	|++++++++++++++++++++++++++++++++++++++|	
   ├──layer (fc5138e88017)              	extracted  	|++++++++++++++++++++++++++++++++++++++|	
   ├──layer (b534c7c08c95)              	extracted  	|++++++++++++++++++++++++++++++++++++++|	
   ├──layer (5525b1bd2d5d)              	extracted  	|++++++++++++++++++++++++++++++++++++++|	
   ├──layer (fc3e1c37f699)              	extracted  	|++++++++++++++++++++++++++++++++++++++|	
   ├──layer (a1bcea418c7c)              	extracted  	|++++++++++++++++++++++++++++++++++++++|	
   ├──layer (30e3c68e682c)              	extracted  	|++++++++++++++++++++++++++++++++++++++|	
   └──layer (50786f9db9d5)              	extracted  	|++++++++++++++++++++++++++++++++++++++|	
application/vnd.docker.distribution.manifest.v2+json sha256:88b1423f0c3138fc488828126472b669fb6e442c2f9080701e18478a3b3a8171
Completed pull from OCI Registry (192.168.30.221/library/mysql:latest)	elapsed: 56.4s	total:  262.8 	(4.7 MiB/s)	
root@master:/etc/containerd# sudo ctr images ls
REF                             TYPE                                                 DIGEST                                                                  SIZE      PLATFORMS   LABELS 
192.168.30.221/library/mysql:latest application/vnd.docker.distribution.manifest.v2+json sha256:88b1423f0c3138fc488828126472b669fb6e442c2f9080701e18478a3b3a8171 262.8 MiB linux/amd64 -

如果是 HTTPS + 自签名证书

server = "https://192.168.30.221"

[host."https://192.168.30.221"]
  capabilities = ["pull", "resolve", "push"]
  ca = "/etc/containerd/certs.d/192.168.30.221/ca.crt"
  skip_verify = true

然后把 Harbor CA 放进去：

sudo cp ca.crt /etc/containerd/certs.d/192.168.30.221/

3. 重启 containerd

sudo systemctl restart containerd

4. 拉取测试

sudo ctr images pull \
  --user admin:Aa12345 \
  192.168.30.221/library/mysql:latest

方式二：修改config.toml

先生成默认配置（如果没有）：

sudo containerd config default > /etc/containerd/config.toml

编辑：

sudo vi /etc/containerd/config.toml

找到：

[plugins."io.containerd.grpc.v1.cri".registry]

改成：

[plugins."io.containerd.grpc.v1.cri".registry]

  [plugins."io.containerd.grpc.v1.cri".registry.mirrors]

    [plugins."io.containerd.grpc.v1.cri".registry.mirrors."192.168.30.221"]
      endpoint = ["http://192.168.30.221"]

保存后：

sudo systemctl restart containerd

验证配置是否生效

查看：

sudo ctr version

测试：

sudo ctr images pull --user admin:Aa12345 192.168.30.221/library/mysql:latest

成功会看到：

unpacking linux/amd64 sha256:...
done

推荐你用哪个？

你的环境是：

Harbor 用 IP：192.168.30.221
证书报 IP SAN 错误
内网

建议直接用 方式一（certs.d + http）：

server = "http://192.168.30.221"

最快，最稳，不折腾证书。

kubelet

ctr：靠 --hosts-dir 成功
kubelet：直接走 HTTPS → x509 报错

在config.toml里加

方案 1（推荐：最简单

[plugins."io.containerd.grpc.v1.cri".registry]

  [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.30.221".tls]
    insecure_skip_verify = true

方案 2（mirror 方式）

[plugins."io.containerd.grpc.v1.cri".registry.mirrors."192.168.30.221"]
  endpoint = ["https://192.168.30.221"]

你这个环境必须注意: 你 Harbor 是 HTTP -> 308 -> HTTPS 所以必须走 HTTPS，但跳过证书验证

修改后必须执行

sudo systemctl restart containerd
sudo systemctl restart kubelet

验证 kubelet 是否生效

crictl pull 192.168.30.221/library/mysql:latest
# 或者
kubectl run test --image=192.168.30.221/library/mysql:latest

总结

以上为个人经验，希望能给大家一个参考，也希望大家多多支持脚本之家。