Kubeadm: cannot pull the flannel docker image from docker.io, but pulling images from registry.k8s.io works

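I want to deploy a small k8s test cluster using 3 VMs running on my host, one master and two workers. The required software is installed on all of these servers: docker, kubeadm, kubectl, kubelet. I followed the steps described in the official documentation, but I ran into a problem when trying to download the flannel CNI. I don't understand why...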

Here are the versions of the tools I installed

root@kubernetes-master:~# docker version
Client: Docker Engine - Community
 Version:           20.10.19
 API version:       1.41
 Go version:        go1.18.7
 Git commit:        d85ef84
 Built:             Thu Oct 13 16:46:17 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
root@kubernetes-master:~# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.3", GitCommit:"434bfd82814af038ad94d62ebe59b133fcb50506", GitTreeState:"clean", BuildDate:"2022-10-12T10:55:36Z", GoVersion:"go1.19.2", Compiler:"gc", Platform:"linux/amd64"}
root@kubernetes-master:~# 

So the steps I followed

# init cluster
sudo kubeadm init --cri-socket=/var/run/containerd/containerd.sock

# deploy flannel
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

But the flannel pods are in status Init:ErrImagePull

root@kubernetes-master:/home/awadmin# kubectl get pods -A -o wide
NAMESPACE      NAME                                        READY   STATUS              RESTARTS       AGE   IP                NODE                 NOMINATED NODE   READINESS GATES
kube-flannel   kube-flannel-ds-c4q56                       0/1     Init:ErrImagePull   0              9h    192.168.122.135   kubernetes-master    <none>           <none>
kube-flannel   kube-flannel-ds-ktfh4                       0/1     Init:ErrImagePull   0              9h    192.168.122.211   kubernetes-worker2   <none>           <none>
kube-flannel   kube-flannel-ds-ztcxk                       0/1     Init:ErrImagePull   0              9h    192.168.122.202   kubernetes-worker1   <none>           <none>
kube-system    coredns-565d847f94-5zmgs                    0/1     Pending             0              9h    <none>            
...

Then I tried to fetch the image using ctr and crictl on the worker and the master, but to no avail.

root@kubernetes-worker1:/home/awadmin# ctr images pull docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0                                                                                    
docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0: resolving      |--------------------------------------|                                                                                  
elapsed: 11.1s                                                   total:   0.0 B (0.0 B/s)                                                                                                                 
INFO[0011] trying next host                              error="failed to authorize: failed to fetch anonymous token: Get \"https://auth.docker.io/token?scope=repository%3Arancher%2Fmirrored-flannelcni-flannel-cni-plugin%3Apull&service=registry.docker.io\": net/http: TLS handshake timeout" host=registry-1.docker.io                                                                                         
ctr: failed to resolve reference "docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0": failed to authorize: failed to fetch anonymous token: Get "https://auth.docker.io/token?scope=repository%3Arancher%2Fmirrored-flannelcni-flannel-cni-plugin%3Apull&service=registry.docker.io": net/http: TLS handshake timeout                                                                                  
root@kubernetes-worker1:/home/awadmin# crictl pull docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0
WARN[0000] image connect using default endpoints: [unix:///var/run/dockershim.sock unix:///run/containerd/containerd.sock unix:///run/crio/crio.sock unix:///var/run/cri-dockerd.sock]. As the default settings are now deprecated, you should set the endpoint instead. 
ERRO[0000] unable to determine image API version: rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial unix /var/run/dockershim.sock: connect: no such file or directory" 
E1020 11:26:29.791933   79655 remote_image.go:242] "PullImage from image service failed" err="rpc error: code = Unknown desc = failed to pull and unpack image \"docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0\": failed to resolve reference \"docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0\": failed to authorize: failed to fetch anonymous token: Get \"https://auth.docker.io/token?scope=repository%3Arancher%2Fmirrored-flannelcni-flannel-cni-plugin%3Apull&service=registry.docker.io\": dial tcp 44.207.96.114:443: i/o timeout" image="docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0"
FATA[0030] pulling image: rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0": failed to resolve reference "docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0": failed to authorize: failed to fetch anonymous token: Get "https://auth.docker.io/token?scope=repository%3Arancher%2Fmirrored-flannelcni-flannel-cni-plugin%3Apull&service=registry.docker.io": dial tcp 44.207.96.114:443: i/o timeout 
root@kubernetes-worker1:/home/awadmin# 

The registry registry.k8s.io apparently works fine.

I tried to check whether there is a connectivity problem with the Docker Registry, but apparently there is not

root@kubernetes-master:~# curl -v https://docker.io/v2/_catalog
*   Trying 54.165.156.197:443...
* TCP_NODELAY set
* Connected to docker.io (54.165.156.197) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.docker.com
*  start date: Jun 12 00:00:00 2022 GMT
*  expire date: Jul 11 23:59:59 2023 GMT
*  subjectAltName: host "docker.io" matched cert's "docker.io"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
> GET /v2/_catalog HTTP/1.1
> Host: docker.io
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< content-length: 0
< location: https://www.docker.com/v2/_catalog
<
* Connection #0 to host docker.io left intact

This must have something to do with the cri endpoint, but I specified it explicitly in the init phase. Any ideas?
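
Added example, not part of the original question: the ctr and crictl errors above name the hosts the pull actually contacts, and this sketch extracts them together with the network layer that failed, then lists which of them a manual probe (here the `curl` against docker.io) did not cover. The function names and stage labels are assumptions of this example; the two sample lines are copied from the output above.

```python
import re
from urllib.parse import urlsplit

# Two error lines copied from the ctr / crictl output in the question.
SAMPLE_OUTPUT = r'''
INFO[0011] trying next host  error="failed to authorize: failed to fetch anonymous token: Get \"https://auth.docker.io/token?scope=repository%3Arancher%2Fmirrored-flannelcni-flannel-cni-plugin%3Apull&service=registry.docker.io\": net/http: TLS handshake timeout" host=registry-1.docker.io
FATA[0030] pulling image: rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0": failed to resolve reference "docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0": failed to authorize: failed to fetch anonymous token: Get "https://auth.docker.io/token?scope=repository%3Arancher%2Fmirrored-flannelcni-flannel-cni-plugin%3Apull&service=registry.docker.io": dial tcp 44.207.96.114:443: i/o timeout
'''

# Go wraps a failed request as: Get "<url>": <reason>; inside error="..." the quotes are escaped.
GET_ERR = re.compile(r'Get \\?"(https?://[^"\\]+)\\?": ([^"\n]+)')
HOST_KV = re.compile(r'\bhost=([\w.-]+)')  # containerd's host=<registry> log field

STAGES = [  # substring of the Go network error -> layer that failed (labels are this example's own)
    ("no such host", "dns"),
    ("connection refused", "tcp-refused"),
    ("i/o timeout", "tcp-timeout"),
    ("TLS handshake timeout", "tls-timeout"),
]

def classify(reason):
    """Map a Go network error string to the layer that failed."""
    for needle, stage in STAGES:
        if needle in reason:
            return stage
    return "other"

def failed_requests(output):
    """Return (host, stage) for every failed HTTP request, deduplicated, in order."""
    seen = []
    for url, reason in GET_ERR.findall(output):
        item = (urlsplit(url).hostname, classify(reason.strip()))
        if item not in seen:
            seen.append(item)
    return seen

def pull_hosts(output):
    """All hosts the runtime reports contacting for the pull."""
    hosts = {host for host, _ in failed_requests(output)}
    hosts.update(HOST_KV.findall(output))
    return sorted(hosts)

def not_covered(output, probed):
    """Hosts used by the pull that a manual connectivity test did not probe."""
    return [host for host in pull_hosts(output) if host not in probed]

if __name__ == "__main__":
    print(failed_requests(SAMPLE_OUTPUT))
    print(not_covered(SAMPLE_OUTPUT, {"docker.io"}))
```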