All Products
Search

This Product

    Container Compute Service:Create an ACS workload by using a self-managed image repository

    Document Center

    Container Compute Service:Create an ACS workload by using a self-managed image repository

    Last Updated:Mar 26, 2026

    If your self-managed image repository uses HTTP, a self-signed certificate, or a custom DNS server, ACS may fail to pull images and trigger an ErrImagePull event. This topic explains how to resolve image pull failures for each of these scenarios.

    Note

    The network between ACS and your image repository must remain connected before you apply any of the following configurations.

    Failure scenarios

    Scenario Cause Solution
    The repository uses HTTP ACS pulls images over HTTPS by default. A protocol mismatch causes the pull to fail. Configure ACS to use HTTP for that repository.
    The repository uses a self-signed certificate The self-signed certificate fails the default certificate authentication check. Skip certificate authentication for that repository.
    The repository domain uses a custom DNS server ACS uses Alibaba Cloud DNS (100.100.2.136 and 100.100.2.138) by default. If the repository domain is only resolvable through your own DNS server, the pull fails. Configure a custom DNS server for the Pod.

    Prerequisites

    Before you begin, ensure that you have:

    • An ACS cluster with network connectivity to the self-managed image repository

    • An existing workload or a Deployment to create

    Configure Pod annotations for HTTP or self-signed certificate repositories

    For HTTP and self-signed certificate scenarios, add the corresponding annotation to the Pod.

    Annotation Type Example value When to use
    registry.alibabacloud.com/plain-http-registry String "harbor***.pre.com,192.168.XX.XX:5000,reg***.test.com:80" The repository uses HTTP instead of HTTPS.
    registry.alibabacloud.com/insecure-registry String "harbor***.pre.com,192.168.XX.XX:5000,reg***.test.com:80" The repository uses a self-signed certificate and you want to skip certificate authentication.

    To pull from multiple repositories, separate their addresses with commas. Example: harbor***.pre.com,192.168.XX.XX.

    Configure annotations in the ACS console

    The following steps use a Deployment (stateless application) as an example.

    1. Log on to the ACS console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, find the cluster you want to manage and click its ID. In the left-side navigation pane of the cluster details page, choose Workloads > Deployments.

    3. On the Deployments tab, click Create from Image.

    4. Configure the parameters on the Basic Information tab, then click Next.

    5. Configure the parameters on the Container tab, then click Next.

    6. On the Advanced tab, configure the Pod Annotations parameter:

      • Set Name to registry.alibabacloud.com/plain-http-registry or registry.alibabacloud.com/insecure-registry based on your scenario.

      • Set Value to the address of your image repository.

      image

    7. Click Create.

    Configure a custom DNS server for a DNS-based failure

    If the image pull fails because ACS cannot resolve the repository domain name, configure a custom DNS server for the Pod. For details, see Configure a custom DNS server for a pod in an ACS cluster.