When you pull an image from a self-managed image repository, the image may fail to be pulled due to various factors, such as different protocols, certificate authentication failures, or the use of a self-managed DNS server. This topic describes how to pull an image from a self-managed image repository to create Alibaba Cloud Container Compute Service (ACS) workloads if the self-managed image repository uses the HTTP protocol, a self-signed certificate, or a self-managed DNS server.
Feature description
When you pull an image from a self-managed image repository, an alert event named ErrImagePull may be triggered, and the image cannot be pulled. The following table describes the causes of and solutions to the preceding issue based on the requirements that the network between ACS and the image repository must remain connected.
Scenario | Cause | Solution |
The self-managed image repository uses the HTTP protocol. | By default, ACS pulls images over HTTPS. Using different protocols causes image pull failures. | Configure ACS to use the HTTP protocol to interact with the image repository. |
The self-managed image repository uses the HTTPS protocol but also uses a self-signed certificate. | The self-managed image repository uses a self-signed certificate. This causes a certificate authentication failure when you pull images from the repository. As a result, the images cannot be pulled. | Skip certificate authentication. |
The domain name of the self-managed image repository uses the self-managed DNS server. | By default, ACS uses Alibaba Cloud DNS (100.100.2.136 and 100.100.2.138) to resolve the image repository. If the domain name of the image repository is recorded by a DNS server that you create, the image fails to be pulled. | For more information, see Configure a custom DNS server for a pod in an ACS cluster. |
Configuration description
If a self-managed image repository uses the HTTP protocol or a self-signed certificate when you pull an image from the image repository, you must configure annotations for the pod to prevent image pull failures.
Annotation | Type | Example | Description |
| String |
| If you pull an image from a self-managed image repository that uses the HTTP protocol, you must configure this parameter. This way, ACS uses the HTTP protocol to pull the image. This prevents image pull failures due to different protocols. |
| String |
| When you pull an image from a self-managed image repository that uses a self-signed certificate, you must configure this parameter to skip certificate authentication. This prevents image pull failures due to certificate authentication failures. |
If you want to pull multiple container images from different image repositories, you can specify multiple image repository addresses. Separate multiple addresses with commas (,). Example: harbor***.pre.com,192.168.XX.XX.
In following example, a stateless application is used:
Log on to the ACS console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its ID. In the left-side navigation pane of the cluster details page, choose .
On the Deployments tab, click Create from Image.
After you configure the parameters on the Basic Information tab, click Next.
After you configure the parameters on the Container tab, click Next.
On the Advanced tab, configure the Pod Annotations parameter based on the preceding settings and your business requirements. For example, if you set the Name parameter to
registry.alibabacloud.com/plain-http-registryandregistry.alibabacloud.com/insecure-registry, you can configure the Value parameters based on the following figure. Then, click Create.