
cri_keychain: preserve access to private registries across restart

Open ktock opened this issue 9 months ago • 1 comments

Issue

Currently the cri keychain holds registry creds only in memory. When stargz-snapshotter restarts, it doesn't have registry creds anymore, so it starts to fail to access the registry. We should fix this behaviour to prevent issues like #1989 and https://github.com/containerd/stargz-snapshotter/pull/1584#issuecomment-2073686091 .

Current workaround

  • A. Use other authentication methods like dockerconfig-based one or kubeconfig-based one that enables the snapshotter to acquire creds during restarting.
  • B. Add a configuration to allow stargz-snapshotter to start even with restoration failure:
    [snapshotter]
    allow_invalid_mounts_on_restart = true
    
    Note: the user needs to manually remove these (possibly empty) broken images after stargz-snapshotter has started, using ctr image rm <image-name>. See also https://github.com/containerd/stargz-snapshotter/pull/901

ktock, Feb 22 '25 05:02

Hi, are there any updates on this?

dgaponcic, Apr 22 '25 08:04