使用 containerd 配置镜像加速不生效问题

问题：由于国内 docker.io 镜像仓库关闭了，所以想配置镜像加速，但是配置好像一直没有生效，还是从官方仓库拉取镜像

containerd version:ctr github.com/containerd/containerd v1.7.27

containerd config:

version = 2
root = "/var/lib/containerd"
state = "/run/containerd"
oom_score = 0

[grpc]
address = "/run/containerd/containerd.sock"
uid = 0
gid = 0
max_recv_message_size = 16777216
max_send_message_size = 16777216

[debug]
address = "/run/containerd/containerd-debug.sock"
uid = 0
gid = 0
level = "warn"

[timeouts]
"io.containerd.timeout.shim.cleanup" = "5s"
"io.containerd.timeout.shim.load" = "5s"
"io.containerd.timeout.shim.shutdown" = "3s"
"io.containerd.timeout.task.state" = "2s"

[plugins]
[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "sealos.hub:5000/pause:3.9"
max_container_log_line_size = 16384
max_concurrent_downloads = 20
disable_apparmor = true
[plugins."io.containerd.grpc.v1.cri".containerd]
snapshotter = "overlayfs"
default_runtime_name = "runc"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.crun]
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.crun.options]
BinaryName = "/usr/bin/crun"
SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri".registry]
config_path = "/etc/containerd/certs.d"
certs.d 目录下有三个目录（ docker.io registry.k8s.io sealos.hub:5000 ）,每个目录各自配置了 hosts.toml
docker.io->hosts.toml
server = "https://docker.io"

[host."https://docker.1ms.run"]
capabilities = ["pull", "resolve"]
[host."https://docker.m.daocloud.io"]
capabilities = ["pull", "resolve"]
[host."https://dockerproxy.com"]
capabilities = ["pull", "resolve"]
registry.k8s.io->hosts.toml
server = "registry.k8s.io"

[host."k8s.m.daocloud.io"]
capabilities = ["pull", "resolve"]




使用 ctr 拉取镜像，还是拉取不了

root@localhost:/etc/containerd/certs.d/registry.k8s.io# ctr --debug images pull docker.io/library/nginx:latest

DEBU[0000] fetching image="docker.io/library/nginx:latest"
DEBU[0000] resolving host=registry-1.docker.io
DEBU[0000] do request host=registry-1.docker.io request.header.accept="application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, */*" request.header.user-agent=containerd/v1.7.27 request.method=HEAD url="https://registry-1.docker.io/v2/library/nginx/manifests/latest"
INFO[0030] trying next host error="failed to do request: Head \"https://registry-1.docker.io/v2/library/nginx/manifests/latest\": dial tcp 118.193.240.41:443: i/o timeout" host=registry-1.docker.io
ctr: failed to resolve reference "docker.io/library/nginx:latest": failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/latest": dial tcp 118.193.240.41:443: i/o timeout


但是还有个奇怪的问题就是 使用 crictl 拉取镜像是能够正常拉取的

root@localhost:/etc/containerd/certs.d/registry.k8s.io# crictl pull nginx:latest
Image is up to date for sha256:47ef8710c9f5a9276b3e347e3ab71ee44c8483e20f8636380ae2737ef4c27758


这个问题困扰小弟很久了，跪求各位大佬帮忙看看是啥问题