If your installation is behind a firewall and cannot reach public container registries directly, you can use a local mirror instead. A mirror is a server that either downloads images from public registries or holds images that you uploaded manually.
To use such a mirror, you need to tell your container runtime to pull all images from there instead of from a public registry.
First, specify the path where all your registry configurations will be stored. This is done by editing /etc/containerd/config.toml:
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
Then create this directory:
$ mkdir /etc/containerd/certs.d
In there, you need a new directory for every registry that you want to mirror. Examples would be registry.k8s.io or docker.io.
$ mkdir /etc/containerd/certs.d/registry.k8s.io
$ mkdir /etc/containerd/certs.d/docker.io
In each of these directories, create a hosts.toml with the following content:
[host."http://my-registry.home:5000"]
capabilities = ["pull", "resolve"]
Then restart containerd to load the configuration changes.
$ systemctl restart containerd
Now, if you pull an image from, e.g., docker.io, it should get pulled from your local registry.
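The steps above can be scripted per registry. The following is an added example, not part of the original page: it writes the same hosts.toml, warns when the mirror URL is plaintext http://, and lists which registries are configured that way. The function names, the CERTS_DIR variable, the https:// variant of the mirror URL and the CA file path are assumptions made for illustration; `ca` is a hosts.toml field that the page itself does not use.

```shell
#!/bin/sh
# Added example: writes the per-registry hosts.toml files described above.
# CERTS_DIR defaults to the page's config_path; point it at a scratch
# directory to preview the output without touching /etc.
CERTS_DIR="${CERTS_DIR:-/etc/containerd/certs.d}"

# write_mirror_hosts REGISTRY MIRROR_URL [CA_FILE]   (hypothetical helper)
# Creates $CERTS_DIR/REGISTRY/hosts.toml. Returns 2 on invalid arguments.
write_mirror_hosts() {
    registry="$1"; mirror="$2"; ca_file="${3:-}"
    case "$registry" in
        ""|*/*|.*) echo "invalid registry name: '$registry'" >&2; return 2 ;;
    esac
    case "$mirror" in
        https://*) ;;
        http://*)
            # A CA bundle has no effect without TLS; treat it as a mistake.
            [ -z "$ca_file" ] || { echo "CA file given for http mirror" >&2; return 2; }
            echo "warning: $registry pulls via $mirror are unencrypted" >&2 ;;
        *) echo "mirror URL must be http:// or https://" >&2; return 2 ;;
    esac
    mkdir -p "$CERTS_DIR/$registry" || return 1
    {
        printf '[host."%s"]\n' "$mirror"
        printf 'capabilities = ["pull", "resolve"]\n'
        if [ -n "$ca_file" ]; then printf 'ca = "%s"\n' "$ca_file"; fi
    } > "$CERTS_DIR/$registry/hosts.toml"
}

# list_plaintext_mirrors   (hypothetical helper)
# Prints each registry directory whose hosts.toml points at an http:// host.
list_plaintext_mirrors() {
    for f in "$CERTS_DIR"/*/hosts.toml; do
        [ -f "$f" ] || continue
        if grep -q '^\[host\."http://' "$f"; then
            basename "$(dirname "$f")"
        fi
    done
}

# Usage (as root, then restart containerd); the CA path is a constructed value:
#   write_mirror_hosts docker.io "http://my-registry.home:5000"
#   write_mirror_hosts registry.k8s.io "https://my-registry.home:5000" /etc/containerd/mirror-ca.pem
```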