How to pull image from a private repository using containerd?

I using the below containerd command to pull an image from a private repository, but it's failing with the below error message.

sudo crictl pull qtech/graphql:latest

FATA[0002] pulling image: rpc error: code = Unknown desc = failed to pull and unpack image "": failed to resolve reference "": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

I did log in using my docker credentials and pulled the same image with success.

azureuser@zk-master:~$ sudo docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to to create one.
Username: qtech
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See

Login Succeeded

azureuser@zk-master:~$ sudo docker pull qtech/graphql:latest
latest: Pulling from qtech/graphql
40e059520d19: Pull complete 
e640ca4424de: Pull complete 
3ee146eff338: Pull complete 
7a51ccd0399b: Pull complete 
c49798e0169e: Pull complete 
519f1a159b82: Pull complete 
6200637fe07c: Pull complete 
5789d71f6f43: Pull complete 
Digest: sha256:186ba59f4d3ccb03fd84888fc33aa12a8854f23e566c6e5a870ef7a43c3fb1f1
Status: Downloaded newer image for qtech/graphql:latest

But containerd seems to be not picking up those credentials during run time.

So how to pull images from a private repository using containerd?


There are 2 best solutions below


If you also want to be able to access from kubernetes, you need to add this:

1- Create Kubernetes Secret:

kubectl create secret docker-registry registry-credential --docker-username=<your-username-of-your-private-registry> --docker-password=<your-password-of-your-private-registry> --docker-email=<your-email>

2- Modify default service account:

kubectl get serviceaccounts default -o yaml > ./service-account.yaml 

vim ./service-account.yaml

apiVersion: v1
kind: ServiceAccount
  creationTimestamp: 2015-08-07T22:02:39Z
  name: default
  namespace: default
  uid: 052fb0f4-3d50-11e5-b066-42010af0d7b6
- name: default-token-uudge
- name: registry-credential


kubectl replace serviceaccount default -f ./service-account.yaml

In this way, Kubernetes already has the credentials for specifically this registry.

for example, if you add this:

mkdir -p /etc/containerd/certs.d/_default
vim /etc/containerd/certs.d/_default/hosts.toml

server = "https://<your-registry-server>"

  capabilities = ["pull", "resolve", push]
  skip_verify = true # this is optional 

Now modify the containerd conf

 vim /etc/containerd/config.toml

    config_path = "/etc/containerd/certs.d"

Afer restart containerd

systemctl restart containerd 

After of this you can use:

kubectl run NAME --image=qtech/graphql:latest

This worked for me:

crictl pull --creds "UserName:Password" "image details from private registry@SHA details"