If your cluster has no internet connectivity, you can use a portable device, such as a laptop, to store the product code and images and transfer them to a local, airgap network. You do not need a bastion device to install in your airgap environment.
An OpenShift Container Platform cluster must be installed. For the supported OpenShift Container Platform versions, see Supported OpenShift versions and platforms.
Your cluster must meet the requirements that are specified in Prepare for installation.
Your cluster nodes must be healthy and in a Ready state. Complete the checks in the Check cluster health section.
If you are downloading images from IBM Passport Advantage, at least 250 GB of disk space must be available on your portable device for the images.
A local Docker registry in your airgap environment must be available and accessible from the OpenShift Container Platform cluster nodes. For more information, see Prepare a local Docker registry.
A portable device such as a laptop must be configured that can independently connect to the internet and to the air-gapped network. For more information, see Prepare a portable host.
Your portable device must have access to the following networks and domains:
github.com for the IBM Cloud Pak® CLI binary file and skopeo CLI package.
ibm.com, if you are downloading the IBM Cloud Pak for Multicloud Management installer image from IBM Passport Advantage.
quay.io for mirroring common services images and for downloading IBM Cloud Pak for Multicloud Management installer image.
redhat.com for OpenShift Container Platform upgrade
docker.io for local registry Docker image pull
cp.icr.io for mirroring IBM Cloud Pak for Multicloud Management images
Run the following checks before you start the IBM Cloud Pak for Multicloud Management installation procedure. To resolve any issue, contact OpenShift Container Platform support.
Check the status of all the nodes in your cluster. All nodes must show the Ready status.
oc get nodes
Example output that shows nodes that are not ready:
NAME STATUS ROLES AGE VERSION
master0.test.abc.com Ready master 11d v1.18.3+47c0e71
master1.test.abc.com NotReady master 11d v1.18.3+47c0e71
master2.test.abc.com Ready master 11d v1.18.3+47c0e71
worker0.test.abc.com Ready worker 11d v1.18.3+47c0e71
worker1.test.abc.com Ready worker 11d v1.18.3+47c0e71
worker2.test.abc.com Ready worker 11d v1.18.3+47c0e71
worker3.test.abc.com Ready worker 11d v1.18.3+47c0e71
worker4.test.abc.com Ready,SchedulingDisabled worker 11d v1.18.3+47c0e71
Check the status of all OpenShift Container Platform cluster operators. All operators must show AVAILABLE: True and DEGRADED: False.
oc get clusteroperator
Example output that shows cluster operators that are degraded:
NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE
authentication 4.5.11 True False False 11d
cloud-credential 4.5.11 True False False 11d
cluster-autoscaler 4.5.11 True False False 11d
config-operator 4.5.11 True False False 11d
console 4.5.11 True False False 10h
csi-snapshot-controller 4.5.11 True False False 18h
dns 4.5.11 True True False 10d
etcd 4.5.11 True False True 11d
image-registry 4.5.11 True False False 6d19h
ingress 4.5.11 True False False 10d
insights 4.5.11 True False False 11d
kube-apiserver 4.5.11 True False True 11d
kube-controller-manager 4.5.11 True False True 11d
kube-scheduler 4.5.11 True False True 11d
kube-storage-version-migrator 4.5.11 True False False 6h12m
machine-api 4.5.11 True False False 11d
machine-approver 4.5.11 True False False 11d
machine-config 4.5.11 False False True 9h
marketplace 4.5.11 True False False 17h
monitoring 4.5.11 False True True 10h
network 4.5.11 True True True 11d
node-tuning 4.5.11 True False False 10d
openshift-apiserver 4.5.11 True False True 12m
openshift-controller-manager 4.5.11 True False False 11d
openshift-samples 4.5.11 True False False 10d
operator-lifecycle-manager 4.5.11 True False False 11d
operator-lifecycle-manager-catalog 4.5.11 True False False 11d
operator-lifecycle-manager-packageserver 4.5.11 True False False 4h6m
service-ca 4.5.11 True False False 11d
storage 4.5.11 True False False 10d
Check the status of the Machine Config Pool. No config must be degraded.
oc get machineconfigpool
Example output that shows the Machine Config Pool is degraded.
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
master rendered-master-10a46c526a6fd4fd9d0de00d7189d350 False True False 3 2 3 0 11d
worker rendered-worker-bddaea4b3e04061af6b99cc81c9fa7e6 False True True 1 0 0 1 11d
You need a local Docker registry for mirroring all images in your local environment. You can use an existing registry or create a registry. The registry that you use must meet the following requirements:
If you need to create a registry, you can do so by completing the steps in the following OpenShift Container Platform documentation:
You must configure the registry that you are using. See Configure the portable Docker registry.
Configure the Docker registry.
Note: If the user account that you are going to use in the Mirror the images and configure the cluster step supports auto-creation of namespaces, then you do not need to complete the following step to create the registry namespaces. The namespaces are automatically created when you mirror the images.
Create registry namespaces.
Create a separate registry namespace for each public registry source.
ibmcom - Namespace to store all images from the dockerhub.io/ibmcom namespace. The ibmcom namespace is for all IBM images that are publicly available and do not require credentials to pull.
cp - Namespace to store the IBM images from the cp.icr.io/cp repository. The cp namespace is for the images in the IBM Entitled Registry that require a product entitlement key and credentials to pull. For more information, see Obtain the entitlement key.
Note: You do not need the cp namespace if you are downloading images from the IBM Passport Advantage®.
opencloudio - Namespace to store the images from quay.io/opencloudio. The opencloudio namespace is for select IBM open source component images that are available on quay.io. The IBM Cloud Pak for Multicloud Management images are hosted on opencloudio.
cp4mcm - Namespace to store the IBM Cloud Pak for Multicloud Management installer images from quay.io/cp4mcm. The cp4mcm namespace is for some installer images that are available on quay.io. The namespace is used when you mirror the images from the Entitled Registry.
Verify that each namespace meets the following requirements:
Prepare a portable host that can be physically connected to the internet and to the airgap network with access to the OpenShift Container Platform cluster and the local Docker registry. The portable host must be on a Linux® x86_64 platform with any operating system that the IBM Cloud Pak® CLI and the OpenShift Container Platform CLI support.
The portable host must have sufficient storage to hold all of the software that is to be transferred to the local Docker registry.
Complete these steps on your portable host:
Install Docker or Podman. See the following required versions:
Podman version 0.6.1 or higher
To install Docker, run these commands:
yum check-update
yum install docker
Start the Docker service.
systemctl enable docker
systemctl start docker
To install Podman, see Podman Installation Instructions.
Install httpd-tools.
yum install httpd-tools
Install the IBM Cloud Pak® CLI. Install the latest version of the binary file for your platform. For more information, see cloud-pak-cli.
Note: You can install IBM Cloud Pak® CLI Version 3.4.4 or higher in your IBM Cloud Pak for Multicloud Management cluster. However, installing the latest version is ideal.
wget https://github.com/IBM/cloud-pak-cli/releases/latest/download/<binary-file-name>
For example, wget https://github.com/IBM/cloud-pak-cli/releases/latest/download/cloudctl-linux-amd64.tar.gz.
tar -xf <binary-file-name>
chmod 755 <file-name>
mv <file-name> /usr/local/bin/cloudctl
Confirm that cloudctl is installed:
cloudctl --help
The cloudctl usage is displayed.
Install the oc OpenShift Container Platform CLI tool. For more information, see OpenShift Container Platform CLI tools.
Install the skopeo CLI version 1.1.1 or higher. For more information, see Installing skopeo from packages.
Create a directory that serves as the offline store, and set an environment variable for this offline directory. The following is an example directory. This example is used in the subsequent steps.
mkdir $HOME/<offline_folder>
export OFFLINE_DIR=$HOME/<offline_folder>
Replace <offline_folder> with the actual directory that you created as the offline store.
Notes:
Create the following environment variables with the installer CASE name and the image inventory.
export CASE_ARCHIVE=ibm-cp-management-100.2.0+2.2.7.tgz
export CASE_INVENTORY_SETUP=cp4mcmInstallerSetup
Note: This CASE version installs the latest fix pack version of IBM Cloud Pak for Multicloud Management. This fix pack includes the same functionality of the base version with additional fixes to address known issues.
Download the IBM Cloud Pak for Multicloud Management installer and image inventory to the portable host.
cloudctl case save \
--case https://github.com/IBM/cloud-pak/raw/master/repo/case/${CASE_ARCHIVE} \
--outputdir $OFFLINE_DIR/ \
--tolerance 1
Note: The $OFFLINE_DIR directory should be new. Do not reuse an existing offline directory that contains the installer and image inventory of a previous release.
Complete these steps to create the Docker registry.
Create environment variables with the image and portable Docker registry information.
export PORTABLE_DOCKER_REGISTRY=<IP_or_FQDN_of_portable_Docker_registry>:<port>
export PORTABLE_DOCKER_USER=<username>
export PORTABLE_DOCKER_PASSWORD=<password>
Following are the parameter descriptions:
username is the username to access the registry.
password is the password of the registry user.
IP_or_FQDN_of_portable_Docker_registry is the IP address or hostname that your Docker registry uses to serve content. Ensure that the hostname is in DNS and that it resolves to the expected IP address. Using localhost is a good option.
port is the port that your Docker registry uses to serve content: the default port is 5000.
Create the Docker registry.
cloudctl case launch \
--case $OFFLINE_DIR/${CASE_ARCHIVE} \
--inventory ${CASE_INVENTORY_SETUP} \
--action create-registry-airgap \
--args "--registry ${PORTABLE_DOCKER_REGISTRY} --user ${PORTABLE_DOCKER_USER} --pass ${PORTABLE_DOCKER_PASSWORD} --registryDir $HOME/cp4mcm-registry" \
--tolerance 1
Note: The "--registryDir" parameter is used to specify the local directory for the Docker registry. You can specify any directory that you want to use.
Verify that the registry is available.
curl -u ${PORTABLE_DOCKER_USER}:${PORTABLE_DOCKER_PASSWORD} -k https://${PORTABLE_DOCKER_REGISTRY}/v2/_catalog
If the request is successful, you see the following response:
{"repositories":[]}
Connect the portable host to the internet and disconnect it from the local, airgap network.
Complete one of these steps on your portable host:
This step is required only if you are mirroring the images from the entitled-registry. If you are downloading images from IBM® Passport Advantage®, see Download images from IBM Passport Advantage.
Download images from IBM Passport Advantage
This step is required only if you are not mirroring the images from the entitled-registry.
Note: If you are preparing to install, or upgrade, to a 2.2.x fix pack version, you must mirror from the IBM Entitled Registry. You cannot download the images from Passport Advantage.
Obtain the entitlement key that is assigned to your ID.
Before you download images, ensure that there is sufficient disk space available on the bastion host. See the Prerequisites.
To download images from Passport Advantage, see Passport Advantage part numbers for part numbers and links to the IBM® Passport Advantage® website.
Download the images.
ibm-cp4mcm-core-2.2-x86_64.tar.gz file.
Create an environment variable with the file name and path.
export PPA_TAR=<full_path_to_the_TAR_file>
Complete these steps to mirror the images:
Note: Do not use the tilde within double quotation marks in any command. For example, do not use args "--registry <registry> --user <registry userid> --pass <registry password> --inputDir ~/offline". The tilde does not expand and your commands might fail.
Store authentication credentials for all source Docker registries. The IBM Cloud Pak for Multicloud Management installer is stored in a public registry and does not require authentication. However, most of the components, including third-party components, require one or more authenticated registries. The following registry requires authentication:
cp.icr.io
For more information about the registry, see Create registry namespaces. You must run the following command to configure authentication credentials for the registry:
cloudctl case launch \
--case $OFFLINE_DIR/${CASE_ARCHIVE} \
--inventory ${CASE_INVENTORY_SETUP} \
--action configure-creds-airgap \
--args "--registry cp.icr.io --user cp --pass <your-entitlement-key> --inputDir $OFFLINE_DIR" \
--tolerance 1
The command stores and caches the registry credentials in a file on your file system in the $HOME/.airgap/secrets location.
Configure an authentication secret for the portable Docker registry.
Note: This step needs to be done only one time.
cloudctl case launch \
--case $OFFLINE_DIR/${CASE_ARCHIVE} \
--inventory ${CASE_INVENTORY_SETUP} \
--action configure-creds-airgap \
--args "--registry ${PORTABLE_DOCKER_REGISTRY} --user ${PORTABLE_DOCKER_USER} --pass ${PORTABLE_DOCKER_PASSWORD}" \
--tolerance 1
The command stores and caches the registry credentials in a file on your file system in the $HOME/.airgap/secrets location.
Mirror the images to the portable registry.
If you are mirroring from the entitled-registry, run the following command:
cloudctl case launch \
--case $OFFLINE_DIR/${CASE_ARCHIVE} \
--inventory ${CASE_INVENTORY_SETUP} \
--action mirror-images \
--args "--registry ${PORTABLE_DOCKER_REGISTRY} --inputDir $OFFLINE_DIR" \
--tolerance 1
Note: If you see the connection reset by peer message while the images are mirroring, run the command again.
If you downloaded the ibm-cp4mcm-core-2.2-x86_64.tar.gz file from IBM Passport Advantage, run the following command:
cloudctl case launch \
--case $OFFLINE_DIR/${CASE_ARCHIVE} \
--inventory ${CASE_INVENTORY_SETUP} \
--action mirror-images \
--args "--registry ${LOCAL_DOCKER_REGISTRY} --user ${LOCAL_DOCKER_USER} --pass ${LOCAL_DOCKER_PASSWORD} --inputDir $OFFLINE_DIR --ppaTar ${PPA_TAR}" \
--tolerance 1
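Before you move the portable host to the airgap network, the catalog query from the Verify that the registry is available step can confirm that the mirror populated each registry namespace. The following is an added example, not IBM code: the sample catalog is constructed, and the n=1000 page size and the use of the first path component of each repository name as its namespace are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not IBM code. Checks a registry /v2/_catalog response for the
# namespaces that the Create registry namespaces step lists.

# catalog_namespaces: read a {"repositories":[...]} document on stdin and print
# the distinct first path components of the repository names, one per line.
catalog_namespaces() {
  tr -d '\n' |
    sed -e 's/.*"repositories"[[:space:]]*:[[:space:]]*\[//' -e 's/[]].*//' |
    tr ',' '\n' | tr -d '" ' | sed -n 's|^\([^/]*\)/.*|\1|p' | sort -u
}

# missing_namespaces NS...: read a catalog on stdin and print every expected
# namespace that has no repository. An empty or error response reports all of
# them, so a failed query is never mistaken for a complete mirror.
missing_namespaces() {
  local have ns
  have=$(catalog_namespaces)
  for ns in "$@"; do
    printf '%s\n' "$have" | grep -qxF -- "$ns" || printf '%s\n' "$ns"
  done
}

# Live use on the portable host, with the variables set earlier on this page.
# The registry API paginates _catalog, so without a large enough n a short
# list can be a truncated page rather than a failed mirror.
# Drop cp from the list if you downloaded the images from Passport Advantage.
verify_portable_mirror() {
  curl -fsS -k -u "${PORTABLE_DOCKER_USER}:${PORTABLE_DOCKER_PASSWORD}" \
    "https://${PORTABLE_DOCKER_REGISTRY}/v2/_catalog?n=1000" |
    missing_namespaces ibmcom cp opencloudio cp4mcm
}

# Constructed sample response (image names are placeholders). Note that
# cp/cp4mcm/... belongs to the cp namespace, not to cp4mcm.
SAMPLE_CATALOG='{"repositories":["cp/cp4mcm/sample-image","ibmcom/sample-image","opencloudio/sample-operator"]}'

# Demo on the sample: prints cp4mcm, the one namespace with no repositories.
printf '%s\n' "$SAMPLE_CATALOG" | missing_namespaces ibmcom cp opencloudio cp4mcm
```

Any namespace that verify_portable_mirror prints has no mirrored repositories yet; rerun the mirror-images action before you disconnect from the internet.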
Connect the portable host to the airgap network and disconnect it from the internet.
The portable host must have access to the local Docker registry and to the OpenShift Container Platform cluster.
Following is an example command to log in to the OpenShift Container Platform cluster:
oc login <cluster host:port> --username=<cluster admin user> --password=<cluster admin password>
Complete these steps to create the installation resources and to mirror the images:
Create environment variables with namespaces to install the IBM Cloud Pak®. Then, create the namespaces. In the following command, replace <namespace-to-install-the-IBM Cloud Pak> with the namespace for your IBM Cloud Pak. For example, you can replace it with cp4mcm.
export NAMESPACE=<namespace-to-install-the-IBM Cloud Pak>
export CS_NAMESPACE=common-service
oc create namespace ${NAMESPACE}
oc create namespace ${CS_NAMESPACE}
Create environment variables with the portable and local Docker registry connection information.
export PORTABLE_DOCKER_REGISTRY=<IP_or_FQDN_of_portable_Docker_registry>:<port>
export LOCAL_DOCKER_REGISTRY=<IP_or_FQDN_of_local_docker_registry>:<port>
export LOCAL_DOCKER_USER=<username>
export LOCAL_DOCKER_PASSWORD=<password>
Configure an authentication secret for the local Docker registry. Note: This step needs to be done only one time.
cloudctl case launch \
--case $OFFLINE_DIR/${CASE_ARCHIVE} \
--inventory ${CASE_INVENTORY_SETUP} \
--action configure-creds-airgap \
--args "--registry ${LOCAL_DOCKER_REGISTRY} --user ${LOCAL_DOCKER_USER} --pass ${LOCAL_DOCKER_PASSWORD}" \
--tolerance 1
The command stores and caches the registry credentials in a file on your file system in the $HOME/.airgap/secrets location.
Mirror the images from the portable host Docker registry to the local registry.
cloudctl case launch \
--case $OFFLINE_DIR/${CASE_ARCHIVE} \
--inventory ${CASE_INVENTORY_SETUP} \
--action mirror-images \
--args "--fromRegistry ${PORTABLE_DOCKER_REGISTRY} --registry ${LOCAL_DOCKER_REGISTRY} --inputDir $OFFLINE_DIR" \
--tolerance 1
Configure a global image pull secret and ImageContentSourcePolicy.
cloudctl case launch \
--case $OFFLINE_DIR/${CASE_ARCHIVE} \
--inventory ${CASE_INVENTORY_SETUP} \
--action configure-cluster-airgap \
--namespace ${NAMESPACE} \
--args "--registry ${LOCAL_DOCKER_REGISTRY} --user ${LOCAL_DOCKER_USER} --pass ${LOCAL_DOCKER_PASSWORD} --inputDir $OFFLINE_DIR" \
--tolerance 1
Verify that the ImageContentSourcePolicy resource is created.
oc get imageContentSourcePolicy ibm-management-installer
Optional: If you are using an insecure registry, you must add the local registry to the cluster insecureRegistries list.
oc patch image.config.openshift.io/cluster --type=merge -p '{"spec":{"registrySources":{"insecureRegistries":["'${LOCAL_DOCKER_REGISTRY}'"]}}}'
Verify the MachineConfigPools (mcp). The MachineConfigPool reports whether all nodes are successfully updated and whether any nodes are degraded.
If the MachineConfigPool update is successful, the changes from the imageContentSourcePolicy and global image pull secret are rolled out to all nodes successfully.
Note: If you only verify whether all nodes are ready instead of using the MachineConfigPool, you might not detect whether something is preventing the rollout of configurations to your cluster nodes.
For example, to use the MachineConfigPool, run the following command:
oc get mcp
The results from this command can resemble the following sample output:
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
master rendered-master-701c25357febdcc8c625d9537075074b True False False 3 3 3 0 2d1h
worker rendered-worker-65da0d7b7b6cbbc91b818dab7a49e8c4 True False False 3 3 3 0 2d1h
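The node, cluster operator and MachineConfigPool rules from the Check cluster health steps, together with the stricter MachineConfigPool verification above, can be scripted as one gate that fails closed. The following is an added example, not IBM code: the function names are hypothetical, the sample rows are copied from the example output on this page, and treating any node status other than exactly Ready as a failure is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not IBM code. Each filter reads `oc get ...` table output on
# stdin and prints the NAME of every failing row; empty output means healthy.

# failing_rows COLUMN=EXPECTED ... (columns are located by header name).
# A missing column or an empty table reports a failure: the gate fails closed.
failing_rows() {
  awk -v rules="$*" '
    BEGIN {
      n = split(rules, r, " ")
      for (i = 1; i <= n; i++) { split(r[i], kv, "="); want[kv[1]] = kv[2] }
    }
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    NF == 0 { next }
    { rows++; for (h in want) if ($(col[h]) != want[h]) { print $1; next } }
    END { if (rows == 0) print "<no-rows>" }
  '
}

# Assumption: anything other than exactly "Ready" fails, so cordoned nodes
# (Ready,SchedulingDisabled) are reported along with NotReady ones.
unhealthy_nodes()    { failing_rows STATUS=Ready; }
degraded_operators() { failing_rows AVAILABLE=True DEGRADED=False; }
degraded_pools()     { failing_rows DEGRADED=False; }
# Stricter pool rule for after the ImageContentSourcePolicy rollout.
unsettled_pools()    { failing_rows UPDATED=True UPDATING=False DEGRADED=False; }

# check FILTER RESOURCE: query the live cluster; an oc error counts as failure.
check() {
  local out bad
  out=$(oc get "$2") || { echo "$2: oc get failed" >&2; return 1; }
  bad=$(printf '%s\n' "$out" | "$1")
  [ -z "$bad" ] || { echo "$2 failing:" $bad >&2; return 1; }
}
preflight() {
  local rc=0
  check unhealthy_nodes nodes || rc=1
  check degraded_operators clusteroperator || rc=1
  check unsettled_pools machineconfigpool || rc=1
  return "$rc"
}

# Rows copied from the example output on this page.
SAMPLE_NODES='NAME STATUS ROLES AGE VERSION
master0.test.abc.com Ready master 11d v1.18.3+47c0e71
master1.test.abc.com NotReady master 11d v1.18.3+47c0e71
worker4.test.abc.com Ready,SchedulingDisabled worker 11d v1.18.3+47c0e71'
SAMPLE_OPERATORS='NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE
dns 4.5.11 True True False 10d
etcd 4.5.11 True False True 11d
machine-config 4.5.11 False False True 9h'
SAMPLE_POOLS='NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
master rendered-master-10a46c526a6fd4fd9d0de00d7189d350 False True False 3 2 3 0 11d
worker rendered-worker-bddaea4b3e04061af6b99cc81c9fa7e6 False True True 1 0 0 1 11d'

# Demo on the sample; on a host that is logged in with oc, call preflight.
printf '%s\n' "$SAMPLE_NODES" | unhealthy_nodes
```

The filters split rows on whitespace, so a row with an empty column shifts its fields and is reported as failing rather than silently passed.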
Create a catalog source for IBM Cloud Pak for Multicloud Management and common services.
cloudctl case launch \
--case $OFFLINE_DIR/${CASE_ARCHIVE} \
--inventory ${CASE_INVENTORY_SETUP} \
--action install-catalog \
--namespace ${NAMESPACE} \
--args "--registry ${LOCAL_DOCKER_REGISTRY} --inputDir $OFFLINE_DIR --recursive" \
--tolerance 1
Verify that the package manifests for ibm-management-orchestrator and ibm-common-service-operator are available. It might take a few minutes for the manifests to be available.
oc get packagemanifest ibm-management-orchestrator
oc get packagemanifest ibm-common-service-operator
If you plan to install the IBM Cloud Pak for Multicloud Management by using the console, you need to create the entitled registry secret. Use the entitled registry key value that you got in the Obtain the entitlement key step.
Complete these steps to create the secret:
Log in to your OpenShift Container Platform cluster by using the oc login command.
Create these environment variables.
export ENTITLED_REGISTRY=cp.icr.io
export ENTITLED_REGISTRY_USER=cp
export ENTITLED_REGISTRY_KEY=<entitlement_key>
Create a Kubernetes Docker-registry secret in your IBM Cloud Pak for Multicloud Management namespace.
oc create secret docker-registry <any_name_for_the_secret> --docker-username=$ENTITLED_REGISTRY_USER --docker-password=$ENTITLED_REGISTRY_KEY --docker-email=<your_docker_email_address> --docker-server=$ENTITLED_REGISTRY -n <your_IBM Cloud Pak for Multicloud Management_namespace>
After your offline cluster is prepared, continue with the installation of the IBM Cloud Pak for Multicloud Management.