Skip to content

Fix CRI-O image name resolution for localhost images #21252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix CRI-O image name resolution for localhost images #21252

wants to merge 1 commit into from

Conversation

elasticdotventures
Copy link

Summary

Fixes CRI-O's inability to resolve locally built images when using podman driver, eliminating InvalidImageName errors.

Problem

When using minikube start --driver=podman --container-runtime=cri-o, locally built images fail to deploy with:

Failed to apply default image tag "/app4dog/middleware:latest": invalid reference format

Root Cause

CRI-O's registries.conf only searched docker.io, causing unqualified names to be incorrectly resolved.

Solution

Configure CRI-O during setup to:

  • Search localhost first, then docker.io for unqualified names
  • Mark localhost as insecure registry
  • Add proper unqualified-search-registries configuration

Impact

  • ✅ Fixes podman + CRI-O custom image deployment
  • ✅ Zero impact on Docker runtime (99.99% of users)
  • ✅ Surgical change - only modifies CRI-O registry config
  • ✅ Backwards compatible

Related Issues

Testing

Enables successful deployment of locally built images referenced by unqualified names in K8s manifests.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Aug 6, 2025
@k8s-ci-robot k8s-ci-robot requested review from nirs and prezha August 6, 2025 03:20
@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Aug 6, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @elasticdotventures. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Aug 6, 2025
@elasticdotventures elasticdotventures mentioned this pull request Aug 6, 2025
Open
@minikube-bot
Copy link
Collaborator

Can one of the admins verify this patch?

@elasticdotventures
Fix CRI-O image name resolution for localhost images
b063560 
Configure CRI-O registries.conf to resolve unqualified image names to localhost first,
then docker.io. This fixes InvalidImageName errors when deploying locally built images
with podman + CRI-O runtime.

Fixes kubernetes#21251
@elasticdotventures elasticdotventures force-pushed the fix/crio-image-resolution branch from a642c85 to b063560 Compare August 6, 2025 08:58
@k8s-ci-robot
Copy link
Contributor

Keywords which can automatically close issues and at(@) or hashtag(#) mentions are not allowed in commit messages.

The list of commits with invalid commit messages:

  • b063560 Fix CRI-O image name resolution for localhost images

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Aug 6, 2025
@elasticdotventures elasticdotventures mentioned this pull request Aug 6, 2025
Open
@medyagh medyagh requested a review from afbjorklund August 6, 2025 17:48
afbjorklund
afbjorklund approved these changes Aug 6, 2025
View reviewed changes
Copy link
Collaborator

@afbjorklund afbjorklund left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems reasonable to fix the broken config, not sure if the localhost workaround is actually needed - but I don't think it hurts either

afaik, it will still search the images with the fake "localhost" registry too - just like docker will name any images with the "docker.io" (even if the image is never pushed there). Maybe it doesn't work with subdirectories/slashes in the name?

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: afbjorklund, elasticdotventures
Once this PR has been reviewed and has the lgtm label, please assign spowelljr for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@medyagh
Copy link
Member

medyagh commented Aug 6, 2025

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 6, 2025
@minikube-pr-bot
Copy link

kvm2 driver with docker runtime

┌────────────────┬──────────┬────────────────────────┐
│    COMMAND     │ MINIKUBE │ MINIKUBE  ( PR 21252 ) │
├────────────────┼──────────┼────────────────────────┤
│ minikube start │ 50.4s    │ 50.0s                  │
│ enable ingress │ 15.0s    │ 15.1s                  │
└────────────────┴──────────┴────────────────────────┘

Times for minikube start: 50.5s 47.5s 52.0s 50.2s 51.8s
Times for minikube (PR 21252) start: 49.5s 48.9s 53.6s 48.9s 49.3s

Times for minikube (PR 21252) ingress: 14.9s 15.4s 14.9s 15.5s 14.9s
Times for minikube ingress: 15.4s 15.4s 14.9s 14.4s 15.0s

docker driver with docker runtime

┌────────────────┬──────────┬────────────────────────┐
│    COMMAND     │ MINIKUBE │ MINIKUBE  ( PR 21252 ) │
├────────────────┼──────────┼────────────────────────┤
│ minikube start │ 22.5s    │ 23.5s                  │
│ enable ingress │ 12.6s    │ 12.8s                  │
└────────────────┴──────────┴────────────────────────┘

Times for minikube start: 21.9s 21.1s 23.2s 21.5s 24.7s
Times for minikube (PR 21252) start: 20.7s 22.4s 22.7s 26.0s 25.6s

Times for minikube ingress: 13.7s 10.7s 12.3s 13.2s 13.2s
Times for minikube (PR 21252) ingress: 13.7s 10.3s 13.7s 12.8s 13.2s

docker driver with containerd runtime

┌────────────────┬──────────┬────────────────────────┐
│    COMMAND     │ MINIKUBE │ MINIKUBE  ( PR 21252 ) │
├────────────────┼──────────┼────────────────────────┤
│ minikube start │ 22.7s    │ 22.4s                  │
│ enable ingress │ 26.0s    │ 24.4s                  │
└────────────────┴──────────┴────────────────────────┘

Times for minikube start: 22.1s 22.2s 25.1s 22.1s 21.8s
Times for minikube (PR 21252) start: 23.6s 20.6s 20.3s 22.3s 25.6s

Times for minikube ingress: 22.7s 38.7s 22.7s 23.2s 22.8s
Times for minikube (PR 21252) ingress: 22.7s 23.3s 30.2s 23.2s 22.7s

@medyagh
Copy link
Member

medyagh commented Aug 6, 2025

@elasticdotventures can you plz check the KVM_Linux_CRIO test failures? they usually fail much lower this is failing 127/259
https://storage.googleapis.com/minikube-builds/logs/21252/40841/KVM_Linux_crio.html

medyagh
medyagh requested changes Aug 6, 2025
View reviewed changes
Copy link
Member

@medyagh medyagh left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this Breaks integraiton test, please check
Docker Crio
https://storage.googleapis.com/minikube-builds/logs/21252/40841/Docker_Linux_crio.html
KVM Crio
https://storage.googleapis.com/minikube-builds/logs/21252/40841/KVM_Linux_crio.html

on mastter it has only 9-10 test failing on master, but this PR 127 test fail

https://gopogh-server-tts3vkcpgq-uc.a.run.app/?env=KVM_Linux_crio

@elasticdotventures
Copy link
Author

elasticdotventures commented Aug 7, 2025
edited
Loading

I just want to be clear - this presumes and is blocked by #21054
This is downstream & should be compartmentalized.
Unless somebody feels strongly - I'd prefer to keep them isolated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@medyagh medyagh medyagh requested changes

@afbjorklund afbjorklund afbjorklund approved these changes

@nirs nirs Awaiting requested review from nirs

@prezha prezha Awaiting requested review from prezha

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

podman-env CRI-O prepends '/' to unqualified image names causing InvalidImageName errors
6 participants
@elasticdotventures @k8s-ci-robot @minikube-bot @medyagh @minikube-pr-bot @afbjorklund