CRI-O 使用代理

为了能够直接拉取镜像不必去费劲找替代镜像和离线镜像可以直接对 CRIO 或 Containerd 服务设置代理，依靠代理将镜像 pull 到本地。
两者的配置是一样的，这里以 CRI-O 为例。

需要对 Service 单元文件进行更改，更改之前为了避免后续被覆盖，将单元文件复制到 /etc/systemd/system 下：

sudo cp /usr/lib/systemd/system/crio.service /etc/systemd/system/

修改 /etc/systemd/system/crio.service 文件，在 [Service] 中，通过 Environment 参数设置代理：

[Unit]
Description=Container Runtime Interface for OCI (CRI-O)
Documentation=https://github.com/cri-o/cri-o
Wants=network-online.target
Before=kubelet.service
After=network-online.target

[Service]
Type=notify
Environment="HTTP_PROXY=http://192.168.100.1:7890" "HTTPS_PROXY=http://192.168.100.1:7890" "NO_PROXY=docker.io, quay.io,127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
EnvironmentFile=-/etc/sysconfig/crio
Environment=GOTRACEBACK=crash
​ExecStart=/usr/bin/crio \
          $CRIO_CONFIG_OPTIONS \
          $CRIO_RUNTIME_OPTIONS \
          $CRIO_STORAGE_OPTIONS \
          $CRIO_NETWORK_OPTIONS \
          $CRIO_METRICS_OPTIONS
ExecReload=/bin/kill -s HUP $MAINPID
TasksMax=infinity
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity
OOMScoreAdjust=-999
TimeoutStartSec=0
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target
Alias=cri-o.service

修改好后，需要 reload ，然后重启服务：

systemctl daemon-reload
systemctl restart crio

验证此时使用的是修改后的 Service 单元文件：

systemctl status crio
​● crio.service - Container Runtime Interface for OCI (CRI-O)
     Loaded: loaded (/etc/systemd/system/crio.service; enabled; preset: disabled)
     ​Active: active (running) since Sat 2024-02-03 23:29:43 UTC; 8min ago
       Docs: https://github.com/cri-o/cri-o
   ​Main PID: 6336 (crio)
      Tasks: 10
     ​Memory: 106.8M
        CPU: 1.587s
     ​CGroup: /system.slice/crio.service
             └─6336 /usr/bin/crio

尝试拉取一个需要代理才能拉取的镜像：

sudo crictl pull  registry.k8s.io/sig-storage/csi-attacher:v4.4.2
Image is up to date for registry.k8s.io/sig-storage/csi-attacher@sha256:11b955fe4da278aa0e8ca9d6fd70758f2aec4b0c1e23168c665ca345260f1882