[Release-1.28] - Custom agent/etc/containerd/certs.d/* files are deleted by k3s on startup #10841

Closed
brandond opened this issue Sep 5, 2024 · 1 comment

brandond commented Sep 5, 2024

Backport fix for Custom agent/etc/containerd/certs.d/* files are deleted by k3s on startup


fmoral2 commented Sep 11, 2024

Validated on Version:

-$ k3s version v1.28.13+k3s-d5b7bac7 (d5b7bac7)

Environment Details

Infrastructure
Cloud EC2 instance

Node(s) CPU architecture, OS, and Version:
ubuntu
AMD

Cluster Configuration:
-1 node server

Steps to validate the fix

  1. Install k3s
  2. Create your own host dir at /var/lib/rancher/k3s/agent/etc/containerd/certs.d/MYREGISTRY and add custom hosts.toml and/or certs.
  3. Add an entry for MYREGISTRY in registries.yaml and restart k3s, note that the custom files are cleaned up and replaced with the K3s-managed hosts.toml
  4. Edit the file at /var/lib/rancher/k3s/agent/etc/containerd/certs.d/MYREGISTRY/hosts.toml to remove the DO NOT EDIT header and restart k3s; note that it is reverted to the managed content.
  5. Remove MYREGISTRY from registries.yaml and restart k3s. Note that /var/lib/rancher/k3s/agent/etc/containerd/certs.d/MYREGISTRY is removed.

Reproduction Issue:


k3s version v1.30.4+k3s1 (98262b5d)



:~$  sudo mkdir -p /var/lib/rancher/k3s/agent/etc/containerd/certs.d/fran.test

:~$  sudo tee /var/lib/rancher/k3s/agent/etc/containerd/certs.d/fran.test/hosts.toml <<EOF
server = "https://fran.test:443"
[host."https://fran.test:443"]
  capabilities = ["pull", "resolve"]
EOF

:~$   ls /var/lib/rancher/k3s/agent/etc/containerd/certs.d/fran.test
ls: cannot access '/var/lib/rancher/k3s/agent/etc/containerd/certs.d/fran.test': No such file or directory

 


:~$  sudo systemctl restart k3s


:~$ sudo tee /etc/rancher/k3s/registries.yaml <<EOF
mirrors:
  "fran.test:443":
    endpoint:
      - "https://fran.test:443"
EOF


:~$  sudo systemctl restart k3s

 



~$  sudo sed -i '/DO NOT EDIT/d' /var/lib/rancher/k3s/agent/etc/containerd/certs.d/fran.test/hosts.toml


~$ cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/fran.test/hosts.toml
cat: /var/lib/rancher/k3s/agent/etc/containerd/certs.d/fran.test/hosts.toml: No such file or directory



sudo sed -i '/fran.test.test/d' /etc/rancher/k3s/registries.yaml

sudo systemctl restart k3s

 $ ls /var/lib/rancher/k3s/agent/etc/containerd/certs.d/
ls: cannot access '/var/lib/rancher/k3s/agent/etc/containerd/certs.d/': No such file or directory


Validation Results:

  

Step 2: 
 
 sudo mkdir -p /var/lib/rancher/k3s/agent/etc/containerd/certs.d/localhost:5000

$  sudo tee /var/lib/rancher/k3s/agent/etc/containerd/certs.d/localhost:5000/hosts.toml <<EOF
server = "https://localhost:5000"
[host."https://localhost:5000"]
  capabilities = ["pull", "resolve"]
EOF

~$ sudo cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/localhost:5000/hosts.toml
server = "https://localhost:5000"
[host."https://localhost:5000"]
  capabilities = ["pull", "resolve"]


$  sudo systemctl restart k3s

~$ sudo ls /var/lib/rancher/k3s/agent/etc/containerd/certs.d/localhost:5000
hosts.toml

 



Step 3:

~$  sudo tee /etc/rancher/k3s/registries.yaml <<EOF
mirrors:
  "localhost:5000":
    endpoint:
      - "https://localhost:5000"
EOF


$ sudo cat /etc/rancher/k3s/registries.yaml 
mirrors:
  "localhost:5000":
    endpoint:
      - "https://localhost:5000"


 

$  sudo systemctl restart k3s

 
 

~$ sudo cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/localhost:5000/hosts.toml
# File generated by k3s. DO NOT EDIT.

server = "http://localhost:5000/v2"
capabilities = ["pull", "resolve", "push"]


[host]
[host."https://localhost:5000/v2"]
  capabilities = ["pull", "resolve"]





 Step 4: 
sudo sed -i '/DO NOT EDIT/d' /var/lib/rancher/k3s/agent/etc/containerd/certs.d/localhost:5000/hosts.toml

$  sudo systemctl restart k3s


$ sudo cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/localhost:5000/hosts.toml
# File generated by k3s. DO NOT EDIT.

server = "http://localhost:5000/v2"
capabilities = ["pull", "resolve", "push"]


[host]
[host."https://localhost:5000/v2"]
  capabilities = ["pull", "resolve"]







~$  sudo truncate -s 0 /etc/rancher/k3s/registries.yaml 

$ cat /etc/rancher/k3s/registries.yaml
 <EMPTY>


~$ sudo systemctl restart k3s




$ sudo ls /var/lib/rancher/k3s/agent/etc/containerd/certs.d/  
<EMPTY>



@fmoral2 fmoral2 closed this as completed Sep 11, 2024
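
The check below is an added example, not part of the issue or of the k3s code base: it classifies each registry directory under certs.d as k3s-managed or custom, which is the distinction the validation steps above inspect by hand. It assumes managed files start with the header line shown in the output above and that mirrors in registries.yaml are written as quoted keys, as on this page; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: audit a containerd certs.d tree after a k3s restart.
K3S_HEADER='# File generated by k3s. DO NOT EDIT.'   # header shown on this page

# classify_hosts_dir DIR -> prints managed | custom | empty
classify_hosts_dir() {
    f="$1/hosts.toml"
    if [ ! -f "$f" ]; then
        echo empty
    elif head -n 1 "$f" | grep -qxF -- "$K3S_HEADER"; then
        echo managed
    else
        echo custom
    fi
}

# audit_certs_d CERTS_D REGISTRIES_YAML
# Prints one line per registry directory: <name> <class> <listed|unlisted>
audit_certs_d() {
    certs_d="$1"; registries="$2"
    [ -d "$certs_d" ] || return 0          # directory absent: nothing to report
    for d in "$certs_d"/*/; do
        [ -d "$d" ] || continue            # glob matched nothing
        name=$(basename "$d")
        # Assumption: mirrors are written as quoted keys, as on this page.
        if [ -f "$registries" ] && grep -qF -- "\"$name\":" "$registries"; then
            listed=listed
        else
            listed=unlisted
        fi
        echo "$name $(classify_hosts_dir "${d%/}") $listed"
    done
}

# Constructed sample tree (not real cluster data) so the audit runs offline.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/certs.d/localhost:5000" "$t/certs.d/fran.test"
    printf '%s\n\nserver = "http://localhost:5000/v2"\n' "$K3S_HEADER" \
        > "$t/certs.d/localhost:5000/hosts.toml"
    printf 'server = "https://fran.test:443"\n' \
        > "$t/certs.d/fran.test/hosts.toml"
    printf 'mirrors:\n  "localhost:5000":\n    endpoint:\n      - "https://localhost:5000"\n' \
        > "$t/registries.yaml"
    audit_certs_d "$t/certs.d" "$t/registries.yaml"
    rm -rf "$t"
}

demo
```

On a node, the same audit runs as root with `audit_certs_d /var/lib/rancher/k3s/agent/etc/containerd/certs.d /etc/rancher/k3s/registries.yaml`; a `custom unlisted` line is a hand-written registry configuration that k3s did not generate.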