Requesting ability to set headers and sources in container-registry settings API
What I'd like:
We are attempting to use Dragonfly with Bottlerocket nodes in our EKS environment.
We'd like to be able to create the files required by Dragonfly in /etc/containerd/certs.d/<registry-host>.toml
For example:
- Addition to containerd configuration toml

    [plugins."io.containerd.grpc.v1.cri".registry]
      config_path = "/etc/containerd/certs.d"

- For each registry added:
  File /etc/containerd/certs.d/<registry-host>.toml

    server = "https://<registry-host>"

    [host."http://127.0.0.1:4001"]
      capabilities = ["pull", "resolve"]

    [host."http://127.0.0.1:4001".header]
      X-Dragonfly-Registry = "https://<registry-host>"

Is this a possibility? Or are we thinking about these settings the correct way?
Any alternatives you've considered:
I didn't see any directly related issues or PRs. We're investigating using bootstrap containers to add / modify these files.
Bootstrap containers don't have write permissions for configuration files under /etc, as stated in the docs and https://github.com/bottlerocket-os/bottlerocket/discussions/1957
To configure containerd mirrors (or other things) on Bottlerocket nodes, you can use TOML/apiclient but only for settings its API currently supports, and in the format it supports. As of right now (1.51.x), the configuration for registry mirrors is still using the old inline format, and not the new approach with setting a config_path for the registry and then configuring mirrors in a separate directory (usually /etc/containerd/certs.d).
This basically makes tools like Spegel unusable with Bottlerocket, and I assume the same applies for Dragonfly.
Hope someone can figure out a workaround and prove me wrong.
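
The per-registry file requested in the issue, rendered by a small generator; this is an added example, not part of the thread and not Bottlerocket or Dragonfly code. The function name `render_hosts_toml` is hypothetical, the returned path follows containerd's `<config_path>/<registry-host>/hosts.toml` layout, and the checks (bare host name only, plaintext proxy only on loopback) are assumptions about what a node operator would want to enforce before a value becomes a file name or a header.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Bare host with optional :port; rejects schemes, slashes and quotes.
_HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?(:\d{1,5})?$")
_PROXY_RE = re.compile(r"^https?://[A-Za-z0-9.\[\]:-]+$")


def _is_loopback(host):
    """True for 'localhost' or a loopback IP literal (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def render_hosts_toml(registry_host, proxy="http://127.0.0.1:4001"):
    """Return (relative_path, toml_text) for one upstream registry."""
    # The host becomes a directory name and a TOML string, so it must be
    # a bare host: no scheme, no path separators, no "..".
    if not _HOST_RE.match(registry_host) or ".." in registry_host:
        raise ValueError(f"not a bare registry host: {registry_host!r}")
    if not _PROXY_RE.match(proxy):
        raise ValueError(f"bad proxy URL: {proxy!r}")
    parts = urlsplit(proxy)
    if not parts.hostname:
        raise ValueError(f"bad proxy URL: {proxy!r}")
    # Plaintext HTTP is accepted only when the hop never leaves the node.
    if parts.scheme == "http" and not _is_loopback(parts.hostname):
        raise ValueError(f"plaintext proxy must be loopback: {proxy!r}")
    upstream = f"https://{registry_host}"
    text = (
        f'server = "{upstream}"\n\n'
        f'[host."{proxy}"]\n'
        f'  capabilities = ["pull", "resolve"]\n\n'
        f'[host."{proxy}".header]\n'
        f'  X-Dragonfly-Registry = "{upstream}"\n'
    )
    # containerd reads <config_path>/<registry-host>/hosts.toml
    return f"{registry_host}/hosts.toml", text
```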