
[Release-1.28] - Custom agent/etc/containerd/certs.d/* files are deleted by k3s on startup #10841

Closed
brandond opened this issue Sep 5, 2024 · 1 comment

@brandond
Member

brandond commented Sep 5, 2024

Backport fix for Custom agent/etc/containerd/certs.d/* files are deleted by k3s on startup

@fmoral2
Contributor

fmoral2 commented Sep 11, 2024

Validated on Version:

-$ k3s version v1.28.13+k3s-d5b7bac7 (d5b7bac7)

Environment Details

Infrastructure
Cloud EC2 instance

Node(s) CPU architecture, OS, and Version:
ubuntu
AMD

Cluster Configuration:
-1 node server

Steps to validate the fix

  1. Install k3s
  2. Create your own host dir at /var/lib/rancher/k3s/agent/etc/containerd/certs.d/MYREGISTRY and add custom hosts.toml and/or certs.
  3. Add an entry for MYREGISTRY in registries.yaml and restart k3s; note that the custom files are cleaned up and replaced with the K3s-managed hosts.toml.
  4. Edit the file at /var/lib/rancher/k3s/agent/etc/containerd/certs.d/MYREGISTRY/hosts.toml to remove the DO NOT EDIT header and restart k3s; note that it is reverted to the managed content.
  5. Remove MYREGISTRY from registries.yaml and restart k3s. Note that /var/lib/rancher/k3s/agent/etc/containerd/certs.d/MYREGISTRY is removed.

Reproduction Issue:


k3s version v1.30.4+k3s1 (98262b5d)



:~$  sudo mkdir -p /var/lib/rancher/k3s/agent/etc/containerd/certs.d/fran.test

:~$  sudo tee /var/lib/rancher/k3s/agent/etc/containerd/certs.d/fran.test/hosts.toml <<EOF
server = "https://fran.test:443"
[host."https://fran.test:443"]
  capabilities = ["pull", "resolve"]
EOF

:~$   ls /var/lib/rancher/k3s/agent/etc/containerd/certs.d/fran.test
ls: cannot access '/var/lib/rancher/k3s/agent/etc/containerd/certs.d/fran.test': No such file or directory

:~$  sudo systemctl restart k3s


:~$ sudo tee /etc/rancher/k3s/registries.yaml <<EOF
mirrors:
  "fran.test:443":
    endpoint:
      - "https://fran.test:443"
EOF


:~$  sudo systemctl restart k3s

~$  sudo sed -i '/DO NOT EDIT/d' /var/lib/rancher/k3s/agent/etc/containerd/certs.d/fran.test/hosts.toml


~$ cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/fran.test/hosts.toml
cat: /var/lib/rancher/k3s/agent/etc/containerd/certs.d/fran.test/hosts.toml: No such file or directory



sudo sed -i '/fran.test.test/d' /etc/rancher/k3s/registries.yaml

sudo systemctl restart k3s

 $ ls /var/lib/rancher/k3s/agent/etc/containerd/certs.d/
ls: cannot access '/var/lib/rancher/k3s/agent/etc/containerd/certs.d/': No such file or directory

Validation Results:

Step 2:

sudo mkdir -p /var/lib/rancher/k3s/agent/etc/containerd/certs.d/localhost:5000

$  sudo tee /var/lib/rancher/k3s/agent/etc/containerd/certs.d/localhost:5000/hosts.toml <<EOF
server = "https://localhost:5000"
[host."https://localhost:5000"]
  capabilities = ["pull", "resolve"]
EOF

~$ sudo cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/localhost:5000/hosts.toml
server = "https://localhost:5000"
[host."https://localhost:5000"]
  capabilities = ["pull", "resolve"]


$  sudo systemctl restart k3s

~$ sudo ls /var/lib/rancher/k3s/agent/etc/containerd/certs.d/localhost:5000
hosts.toml

Step 3:

~$  sudo tee /etc/rancher/k3s/registries.yaml <<EOF
mirrors:
  "localhost:5000":
    endpoint:
      - "https://localhost:5000"
EOF


$ sudo cat /etc/rancher/k3s/registries.yaml 
mirrors:
  "localhost:5000":
    endpoint:
      - "https://localhost:5000"

$  sudo systemctl restart k3s

~$ sudo cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/localhost:5000/hosts.toml
# File generated by k3s. DO NOT EDIT.

server = "http://localhost:5000/v2"
capabilities = ["pull", "resolve", "push"]


[host]
[host."https://localhost:5000/v2"]
  capabilities = ["pull", "resolve"]

Step 4:

sudo sed -i '/DO NOT EDIT/d' /var/lib/rancher/k3s/agent/etc/containerd/certs.d/localhost:5000/hosts.toml

$  sudo systemctl restart k3s


$ sudo cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/localhost:5000/hosts.toml
# File generated by k3s. DO NOT EDIT.

server = "http://localhost:5000/v2"
capabilities = ["pull", "resolve", "push"]


[host]
[host."https://localhost:5000/v2"]
  capabilities = ["pull", "resolve"]

~$  sudo truncate -s 0 /etc/rancher/k3s/registries.yaml

$ cat /etc/rancher/k3s/registries.yaml
 <EMPTY>


~$ sudo systemctl restart k3s




$ sudo ls /var/lib/rancher/k3s/agent/etc/containerd/certs.d/  
<EMPTY>



@fmoral2 fmoral2 closed this as completed Sep 11, 2024
@github-project-automation github-project-automation bot moved this from To Test to Done Issue in K3s Development Sep 11, 2024
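
The restart outcomes validated in the comment above, as an added example that is not part of the issue thread or of k3s itself: a script that predicts, for each directory under certs.d, whether the next k3s restart keeps, replaces or removes it. The function names, the outcome labels and the `*.example` hostnames are assumptions made for illustration, and the registries.yaml check is a plain text match on key lines rather than a YAML parse.

```shell
#!/usr/bin/env bash
# Added example (not k3s code): predict what a k3s restart does to each
# certs.d entry, per the behaviour validated in the comment above.
# Assumption: a registry is "listed" when its directory name is a key line
# in registries.yaml (trimmed text match, not a real YAML parse).
HEADER='File generated by k3s. DO NOT EDIT.'

# predict_certs_d CERTS_DIR REGISTRIES_YAML -> "<name> <state> <outcome>" lines
predict_certs_d() {
  local certs_dir=$1 registries=$2 dir name state listed
  for dir in "$certs_dir"/*/; do
    [ -d "$dir" ] || continue            # certs.d empty or missing
    name=$(basename "$dir")
    state=custom
    grep -qF "$HEADER" "$dir/hosts.toml" 2>/dev/null && state=managed
    listed=no
    if [ -f "$registries" ] &&
       sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$registries" |
       grep -qxF -e "\"$name\":" -e "$name:"; then
      listed=yes
    fi
    case "$state/$listed" in
      custom/no)   echo "$name custom kept" ;;                   # step 2
      custom/yes)  echo "$name custom replaced-with-managed" ;;  # steps 3-4
      managed/yes) echo "$name managed regenerated" ;;
      managed/no)  echo "$name managed removed" ;;               # step 5
    esac
  done
}

# Constructed sample tree; hostnames other than localhost:5000 are made up.
demo() {
  local tmp d; tmp=$(mktemp -d)
  for d in localhost:5000 custom.example stale.example edited.example; do
    mkdir -p "$tmp/certs.d/$d"
    printf 'server = "https://%s"\n' "$d" > "$tmp/certs.d/$d/hosts.toml"
  done
  # Mark two entries as k3s-managed by writing the generated-file header.
  for d in localhost:5000 stale.example; do
    printf '# %s\nserver = "https://%s"\n' "$HEADER" "$d" > "$tmp/certs.d/$d/hosts.toml"
  done
  printf 'mirrors:\n  "localhost:5000":\n  "edited.example":\n' > "$tmp/registries.yaml"
  predict_certs_d "$tmp/certs.d" "$tmp/registries.yaml"
  rm -rf "$tmp"
}

demo
```

On a node, run `predict_certs_d /var/lib/rancher/k3s/agent/etc/containerd/certs.d /etc/rancher/k3s/registries.yaml` as root before restarting k3s; any `replaced-with-managed` line marks hand-written registry trust settings that the restart will overwrite.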