Error parsing hosts.toml without any host tree #10027

Open
brandond opened this issue Apr 1, 2024 · 3 comments

@brandond
Contributor

brandond commented Apr 1, 2024

Description

The docs on using hosts.toml indicate that fields for the registry host namespace can be specified at the root level:
https://github.com/containerd/containerd/blob/release/1.7/docs/hosts.md

> For each registry host namespace directory in your registry config_path you may include a hosts.toml configuration file. The following root level toml fields apply to the registry host namespace:

However, containerd fails to parse the config file if only root fields are passed, for example:

root@systemd-node-1:/# cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/172-17-0-7.sslip.io/hosts.toml
ca = ["/usr/local/share/ca-certificates/registry.crt"]

When pulling from 172-17-0-7.sslip.io, containerd will log the following error:

time="2024-04-01T22:11:02.070675417Z" level=error msg="failed to decode hosts.toml" error="invalid `host` tree"

However, the following file with a stub host tree will work as intended:

root@systemd-node-1:/# cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/172-17-0-7.sslip.io/hosts.toml
ca = ["/usr/local/share/ca-certificates/registry.crt"]
[host]

Steps to reproduce the issue

  1. provide a hosts.toml as described above
  2. start containerd

Describe the results you received and expected

hosts.toml should be usable with no hosts tree, just root-level fields, as described in the docs.

What version of containerd are you using?

v1.7.11-k3s2

Any other relevant information

No response

Show configuration if it is related to CRI plugin.

No response

@brandond
Contributor Author

brandond commented Apr 1, 2024

The change from #9131 appears to have refactored some of this, but I'm not sure if it actually resolved the issue or not.

It does still affect the 1.7 branch:
https://github.com/containerd/containerd/blob/v1.7.14/remotes/docker/config/hosts.go#L529-L534

@dmcgowan
Member

dmcgowan commented Apr 2, 2024

> root@systemd-node-1:/# cat /var/lib/rancher/k3s/agent/etc/containerd/certs.d/172-17-0-7.sslip.io/hosts.toml
> ca = ["/usr/local/share/ca-certificates/registry.crt"]
> [host]

Does it work fine without the extra [host] in there? That shouldn't be a valid configuration, although it should be handled more gracefully.

@brandond
Contributor Author

brandond commented Apr 2, 2024

> Does it work fine without the extra [host] in there?

No, it does not work at all without the [host] in there. You could also add a [host."example.com"] entry but I don't need to configure any mirrors, I just want to set the ca for this registry namespace.

> That shouldn't be a valid configuration

Nowhere in the docs does it indicate that you MUST have a host tree. If you just want to configure TLS for the registry namespace without specifying any mirrors, having root fields set without a host tree (i.e. no host blocks) is a perfectly valid use case.
