CRI-O with Harbor 29 December 2021

In the previous post we saw how to install a Harbor server that works as a cache for container images. To use it, images must be pulled through this new registry. For example, instead of:

docker pull alpine

We should do:

docker pull harbor-cache.example.com/proxy.docker.io/library/alpine

It would be quite inconvenient to change the registry in every script, Dockerfile and docker-compose file. Because of this, we are going to show how to configure the container runtime so that requests to the default registries are redirected to the one we use in our projects.

CRI-O

On nodes that use CRI-O, the configuration files are located in the /etc/containers/registries.conf.d/ directory. In it we must create files with the following format:

[[registry]]
prefix = "gcr.io"
insecure = false
blocked = false
location = "gcr.io"

[[registry.mirror]]
location = "harbor-cache.example.com/proxy.gcr.io"
insecure = false

Create a similar file for each of the registries previously defined in Harbor. As a result, any image request to the domain defined in prefix is first tried against the registry indicated in [[registry.mirror]]. If this search is unsuccessful, the runtime looks in the main location.

The first time a request reaches the harbor-cache registry, Harbor downloads the image from the original registry and saves it for future use. If, for any reason, Harbor is not working, the requests fall back to the original registry.
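One way to produce the per-registry files described above and to check that none of them relaxes TLS, as an added example that is not part of the original post. The function names, the 50-<registry>.conf file name and the "proxy.<registry>" Harbor project naming (inferred from the two examples in the post) are assumptions.

```shell
#!/bin/sh
# Added example: one CRI-O mirror drop-in per upstream registry, plus an audit.
# Assumptions (not from the post): the function names, the 50-<registry>.conf
# file name, and Harbor projects named "proxy.<registry>" (inferred from the
# post's proxy.docker.io and proxy.gcr.io examples).

# write_mirror_dropin DIR UPSTREAM HARBOR_HOST
write_mirror_dropin() {
    dir=$1; upstream=$2; harbor=$3
    # Accept only host[:port] characters so a value cannot escape its TOML string.
    for v in "$upstream" "$harbor"; do
        case $v in
            ""|*[!A-Za-z0-9.:-]*) echo "invalid registry name: $v" >&2; return 1 ;;
        esac
    done
    # Write to a temp file and rename, so the runtime never reads a partial file.
    tmp=$(mktemp "$dir/.mirror.XXXXXX") || return 1
    cat >"$tmp" <<EOF
[[registry]]
prefix = "$upstream"
insecure = false
blocked = false
location = "$upstream"

[[registry.mirror]]
location = "$harbor/proxy.$upstream"
insecure = false
EOF
    chmod 0644 "$tmp" && mv "$tmp" "$dir/50-$upstream.conf"
}

# audit_dropins DIR: print every drop-in that sets insecure = true (plain HTTP
# or unverified TLS allowed); returns non-zero if any such file exists.
audit_dropins() {
    bad=$(grep -lE '^[[:space:]]*insecure[[:space:]]*=[[:space:]]*true' \
          "$1"/*.conf 2>/dev/null || true)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Usage on a node (registry list is constructed for illustration):
#   for r in docker.io gcr.io; do
#       write_mirror_dropin /etc/containers/registries.conf.d "$r" harbor-cache.example.com
#   done
#   audit_dropins /etc/containers/registries.conf.d
```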

After these modifications, restart the container runtime:

systemctl daemon-reload
systemctl restart crio

After you deploy any resource that pulls images, the Harbor logs will show that the cache is being used.

Repeating these operations on each node would be hard work. In our cluster we had Kubespray, a tool that automates the creation of clusters and, in particular, has a template for this configuration.