validate CRI v1 image API for endpoint “unix:///run/containerd/containerd.sock“

发布于：2025-07-08 ⋅ 阅读:(42) ⋅ 点赞:(0)

1.现象

pull image failed: Failed to exec command: sudo -E /bin/bash -c "env PATH=$PATH crictl pull 172.23.123.117:8443/kubesphereio/pause:3.9"

FATA[0000] validate service connection: validate CRI v1 image API for endpoint "unix:///run/containerd/containerd.sock": rpc error: code = Unimplemented desc = unknown service runtime.v1.ImageService: Process exited with status 1

2.原因

这个错误表明 crictl 无法通过当前配置与容器运行时（如 containerd）进行通信。具体来说，crictl 正在尝试使用 CRI v1 的 ImageService API，但目标端点（containerd）似乎没有实现该服务，或者其配置不正确。

3.解决方案

3.1查看当前 crictl 配置

cat /etc/crictl.yaml

说明它正在使用 containerd，而 containerd 没有启用 CRI 支持就会报错。

3.2使用 ctr 命令测试

ctr plugins ls

3.3 使用 crictl 测试连接

sudo crictl --runtime-endpoint unix:///run/containerd/containerd.sock info

3.4编辑 containerd 的config.toml配置文件

vi /etc/containerd/config.toml

disabled_plugins = []

[plugins."io.containerd.grpc.v1.cri"]

  enable_selinux = false

  sandbox_image = "172.23.123.117:8443/kubesphereio/pause:3.9"

[plugins."io.containerd.grpc.v1.cri".registry]

[plugins."io.containerd.grpc.v1.cri".registry.configs]

  [plugins."io.containerd.grpc.v1.cri".registry.configs."172.23.123.117:8443"]

    tls = true

    cert_file = "/etc/containerd/certs.d/172.23.123.117:8443/172.23.123.117.cert"

    key_file = "/etc/containerd/certs.d/172.23.123.117:8443/172.23.123.117.key"

    ca_file = "/etc/containerd/certs.d/172.23.123.117:8443/ca.crt"

    skip_verify = false

[plugins."io.containerd.grpc.v1.cri".registry.mirrors]

  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.k8s.io"]

    endpoint = ["https://172.23.123.117:8443"]

  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]

    endpoint = ["https://172.23.123.117:8443"]

3.4创建证书目录并复制证书：

sudo mkdir -p /etc/containerd/certs.d/172.23.123.117:8443

sudo cp /etc/docker/certs.d/172.23.123.117:8443/ca.crt /etc/containerd/certs.d/172.23.123.117:8443/ca.crt

sudo cp /etc/docker/certs.d/172.23.123.117:8443/172.23.123.117.cert /etc/containerd/certs.d/172.23.123.117:8443/172.23.123.117.cert

sudo cp /etc/docker/certs.d/172.23.123.117:8443/172.23.123.117.key /etc/containerd/certs.d/172.23.123.117:8443/172.23.123.117.key

3.5重启

sudo systemctl daemon-reload

sudo systemctl restart containerd

3.6手动测试是否可以拉取镜像

sudo crictl pull 172.23.123.117:8443/kubesphereio/pause:3.9