Common Questions About Images and Image Repositories
How to Build an Image in UK8S?
The Docker configuration file of a UK8S node has been modified and the cluster above 1.19 defaults to install containerd, so it’s not recommended to directly Build images in UK8S. Images can be built by deploying CI/CD on this page or on UHost outside the cluster with Docker installed.
How to pull Images from repositories other than Uhub in UK8S Cluster?
UK8S enables interconnection of internal networks through VPC network. There’s no problem in pulling images from Uhub. However, to pull images from outer networks, you need to configure the gateway for the VPC subnet. Go to the VPC product under the region where UK8S is located and configure the NAT Gateway for the particular subnet so that the cluster nodes can pull images from the outer network through the NAT Gateway. For details, please see Create VPC NAT Gateway .
Why can’t I log in to my UHub?
- Please make sure whether you are logging in on the public network or within the UCloud Global (if the ip when pinging Uhub is 106.75.56.109, it means that the images are pulled through the public network)
- If you log in from the public Internet, make sure that the “Access from the public Internet” option is enabled on the UHub’s Console page.
- Make sure that you are using a separate password to log in. The UHub separate password is bound to the user, not to the image repository.
UHub download failed (slow)
ping uhub.ucloud-global.com
(if the ip is 106.75.56.109, it means it’s pulled through the public network, with a limited speed)curl https://uhub.ucloud-global.com/v2/
to check if the connection is available, normally it will return UNAUTHORIZED or 301systemctl show --property=Environment docker
to see if any proxies were configured- Run
iftop -i any -f 'host <uhub-ip>'
on the node that pulls the image. While doing this, try to pull the image from UHub, and check for the command output. Replace<uhub-ip>
with the IP address you get from step 1. - If you are a user pulling images from the public network, make sure that the “Access from the Public Internet” option is enabled on the Console page.
Pulling Self-built Image Library Certificate Errors
After upgrading to the new version of Docker, you may encounter issues with the certificate of a self-built image library. The specific error message is x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
This error is a new feature introduced in Go version 1.11, indicating that the HTTPS certificate does not conform to the SANs standard. This feature is enabled by default in version 1.15, and the flag GODEBUG=x509ignoreCN=0 is officially removed in version 1.17.
If you encounter the same error, you can do the following:
- Replace with a standard-conforming signature certificate. This solution is recommended and is the only viable solution after the Go version is upgraded to 1.17.
- For Docker nodes, temporarily allow ignoring checks as follows. Note that this solution can only be used as a temporary solution.
2.1 Modify/usr/lib/systemd/system/docker.service
and addEnvironment=GODEBUG=x509ignoreCN=0
under the [Service] structure
2.2 Executesystemctl daemon-reload
2.3 Executesystemctl restart docker
- For Containerd nodes, temporarily allow ignoring checks as follows. Note that this solution can only be used as a temporary solution.
3.1 Modify/usr/lib/systemd/system/containerd.service
and addEnvironment=GODEBUG=x509ignoreCN=0
under the [Service] structure
3.2 Executesystemctl daemon-reload
3.3 Executesystemctl restart containerd