---

1_Harbor准备

---

2_Harbor主机名解析

在所有安装containerd宿主机上添加此配置信息。

echo "192.168.150.117 hub.harbor.com" >> /etc/hosts

说明

• 192.168.150.117是harbor的IP
• hub.harbor.com建议用FQDN形式，如果用类似harbor这种短名，后面下载镜像会出问题

---

3_修改Containerd配置文件

此配置文件已提前准备过，仅修改本地容器镜像仓库地址即可，如果配置文件不存在，可以生成默认配置：

containerd config default > /etc/containerd/config.toml

老版本方式(会有警告出现)：编辑 /etc/containerd/config.toml，找到或添加 plugins."io.containerd.grpc.v1.cri".registry.mirrors 部分，设置私有仓库地址。

[plugins."io.containerd.grpc.v1.cri".image_decryption]
  key_model = "node"

[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = ""

  [plugins."io.containerd.grpc.v1.cri".registry.auths]

  [plugins."io.containerd.grpc.v1.cri".registry.configs]

  [plugins."io.containerd.grpc.v1.cri".registry.headers]

  [plugins."io.containerd.grpc.v1.cri".registry.mirrors] 在此处添加下面这一段
  
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."hub.harbor.com:80"]
          endpoint = ["http://hub.harbor.com:80"]

如果你的私有仓库需要HTTPS，但没有使用有效证书，可以添加不验证证书的配置：

[plugins."io.containerd.grpc.v1.cri".registry.configs."hub.harbor.com:80".tls]
  insecure_skip_verify = true

重启containerd服务，以便于重新加载配置文件。

systemctl restart containerd

新版本方式：创建私有仓库配置目录及文件

mkdir -p /etc/containerd/certs.d/hub.harbor.com:80
touch /etc/containerd/certs.d/hub.harbor.com:80/hosts.toml

添加如下内容

server = "http://hub.harbor.com:80"

[host."http://hub.harbor.com:80"]
  capabilities = ["pull", "resolve"]

# 如果需要跳过证书验证(如不安全的 HTTPS 环境),添加以下内容：
[host."https://hub.harbor.com:80"]
  skip_verify = true

修改 containerd 主配置，编辑 /etc/containerd/config.toml，确保 [plugins."io.containerd.grpc.v1.cri".registry] 中使用 config_path 指向 /etc/containerd/certs.d：

[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = "/etc/containerd/certs.d"

配置完成后，重启 containerd 服务以应用更改：

systemctl restart containerd

---

4_ctr下载镜像

从Docker Hub下载容器镜像

ctr images pull --platform linux/amd64 docker.io/library/nginx:latest

说明：--platform linux/amd64 指定系统平台，也可以使用--all-platforms指定所有平台镜像。

输出：

docker.io/library/nginx:latest:                                                   resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:fb197595ebe76b9c0c14ab68159fd3c08bd067ec62300583543f0ebda353b5be:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:3d696e8357051647b844d8c7cf4a0aa71e84379999a4f6af9b8ca1f7919ade42: done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:bc0965b23a04fe7f2d9fb20f597008fcf89891de1c705ffc1c80483a1f098e4f:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:650ee30bbe5efddbef9cc0245ba52b133d3c8897a6565faa6c5c87bc552b5305:    done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:66f8bdd3810c96dc5c28aec39583af731b34a2cd99471530f53c8794ed5b423e:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:13e320bf29cd3ef51b06a3dfe259b2582d48be27a9ac4c6b7af6fbb99429d210:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:8cc1569e58f52d008e232130d8fca2411f417ea423305cd7d7b513fb96d22947:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:362f35df001b4bd6f8733cd4abe8e1493582782404fefc2393129a5dfb5e72df:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:7b50399908e1c0958c409f3c844d61736fd41e37a58dca4832927715508dd3aa:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:57b64962dd94d4818372adf30dc0e2ca4803c46d4f638b7712fe01a149c705c5:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 20.5s                                                                    total:  68.8 M (3.4 MiB/s)                                       
unpacking linux/amd64 sha256:fb197595ebe76b9c0c14ab68159fd3c08bd067ec62300583543f0ebda353b5be...
done: 3.739692168s  

查看已下载容器镜像

[root@localhost ~]# ctr images ls
REF                            TYPE                                    DIGEST                                                                  SIZE     PLATFORMS                                                                                               LABELS 
docker.io/library/nginx:latest application/vnd.oci.image.index.v1+json sha256:fb197595ebe76b9c0c14ab68159fd3c08bd067ec62300583543f0ebda353b5be 68.8 MiB linux/386,linux/amd64,linux/arm/v5,linux/arm/v7,linux/arm64/v8,linux/mips64le,linux/ppc64le,linux/s390x -

---

5_ctr上传镜像

上传到Harbor library公有项目，重新生成新的tag

[root@localhost ~]# ctr images tag docker.io/library/nginx:latest hub.harbor.com/library/nginx:latest
hub.harbor.com/library/nginx:latest

查看已生成容器镜像

[root@localhost ~]# ctr images ls
REF                                 TYPE                                    DIGEST                                                                  SIZE     PLATFORMS                                                                                               LABELS 
docker.io/library/nginx:latest      application/vnd.oci.image.index.v1+json sha256:fb197595ebe76b9c0c14ab68159fd3c08bd067ec62300583543f0ebda353b5be 68.8 MiB linux/386,linux/amd64,linux/arm/v5,linux/arm/v7,linux/arm64/v8,linux/mips64le,linux/ppc64le,linux/s390x -      
hub.harbor.com/library/nginx:latest application/vnd.oci.image.index.v1+json sha256:fb197595ebe76b9c0c14ab68159fd3c08bd067ec62300583543f0ebda353b5be 68.8 MiB linux/386,linux/amd64,linux/arm/v5,linux/arm/v7,linux/arm64/v8,linux/mips64le,linux/ppc64le,linux/s390x -

推送容器镜像至Harbor

ctr images push --platform linux/amd64 --plain-http -u admin:Harbor12345 hub.harbor.com/library/nginx:latest

说明：

• 先tag再push
• 因为我们harbor是http协议，不是https协议，所以需要加上--plain-http
• --user admin:Harbor12345指定harbor的用户名与密码

输出：

manifest-sha256:3d696e8357051647b844d8c7cf4a0aa71e84379999a4f6af9b8ca1f7919ade42: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:66f8bdd3810c96dc5c28aec39583af731b34a2cd99471530f53c8794ed5b423e:   done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 1.6 s                                                                    total:  10.6 K (6.6 KiB/s)

下载已上传容器镜像

ctr images pull --plain-http hub.harbor.com/library/nginx:latest

---