Containerd runtime fails to pull docker images from private insecure Nexus registry


I’m upgrading my EKS cluster to version 1.24 which applies deprecation of dockerd runtime and uses containerd instead.

We have Nexus v3.25 with docker images that up until now were pulled successfully but since the move to containerd I get imagePullBackoff.
I’ve researched every link on the internet in trying to find the suitable configuration of containerd toml files and setup but without success.

‘ctr’ command is successfully pulling the image to the node, manually,

But ‘crictl’ is still failing - together with the pods themselves that are trying to pull the image and receive ‘ImagePullBackoff’.

This is the log from ‘journalctl’ for containerd:


level=info msg=“Stop container "a9e15cb80f8a8b8b08f2eb4b85896766aa3f1a60819a0c2787b0ec287f5542ee" with signal terminated”

level=info msg=“shim disconnected” id=a9e15cb80f8a8b8b08f2eb4b85896766aa3f1a60819a0c2787b0ec287f5542ee

level=warning msg=“cleaning up after shim disconnected” id=a9e15cb80f8a8b8b08f2eb4b85896766aa3f1a60819a0c2787b0ec287f5542ee

level=info msg=“cleaning up dead shim”

level=warning msg="cleanup warnings time="2023-11-22T09:09:49Z" level=info msg="starting signal loop" pid=506121 runtime=io.containerd.runc.v2

level=info msg=“StopContainer for "a9e15cb80f8a8b8b08f2eb4b85896766aa3f1a60819a0c2787b0ec287f5542ee" returns successfully”

level=info msg=“RemoveContainer for "c331f59b53a89683f5fb790fad73ea3af7cf7ba305d218a4efce27af06c77ea3"”

level=info msg=“RemoveContainer for "c331f59b53a89683f5fb790fad73ea3af7cf7ba305d218a4efce27af06c77ea3" returns successfully”

level=info msg=“PullImage ""”

level=info msg=“trying next host” error=“failed to do request: Head "\”: http: server gave HTTP response to HTTPS client"

level=error msg=“PullImage "" failed” error="failed to pull and unpack image "":


I’d appreciate some advice about this ‘shim’ error and for the fact that containerd is still trying to access the registry on HTTPS - although I’ve configured its toml files properly… as far as I’ve ready and verified.

How can I make the containerd use HTTP and not HTTP?
(I’ve already configured its config.toml with the necessary properties to skip TLS verification… and everything else that’s needed for this. As far as I understand from web articles.

Worth to mention: Using docker cli and ctr cli Im able to pull this exact image via the same EKS node.

I’ll appreciate every tip and answer,
Thank you.

Here is my containerd config.toml :
version = 2
root = “/var/lib/containerd”
state = “/run/containerd”

address = “/run/containerd/containerd.sock”

default_runtime_name = “runc”
discard_unpacked_layers = true

sandbox_image = “

endpoint = [“”]
insecure_skip_verify = true
username = “XXX”
password = “YYY”

runtime_type = “io.containerd.runc.v2”

SystemdCgroup = true

bin_dir = “/opt/cni/bin”
conf_dir = “/etc/cni/net.d”

I can’t speak to containerd, but 3.25 is very old at this point there are undoubtedly changes to Nexus since then.

1 Like

How can I make the containerd use HTTP and not HTTP?

Don’t fight it… docker really doesn’t want you to use HTTP. You might be able to get pulls working, but anything requiring authentication will not work. This is a limitation imposed by the docker format not Nexus Repo. Set up HTTPS in Nexus Repo. And yes, upgrade. 3.25.0 is very old.

Also, if you’re going to use a self signed certificate be aware that docker is also picky about those. See here:

1 Like

Thank you.
Eventually I chose to apply a real certificate and use HTTPS.
All good now.