Mirroring images to your private container registry
IBM® Cloud Pak for Data images are accessible from the IBM Entitled Registry. In most situations, it is strongly recommended that you mirror the necessary software images from the IBM Entitled Registry to a private container registry.
- Your cluster is air-gapped (also called an offline or disconnected cluster)
- Your cluster uses an allowlist to permit direct access by specific sites and the allowlist does not include the IBM Entitled Registry
- Your cluster uses a blocklist to prevent direct access by specific sites and the blocklist includes the IBM Entitled Registry
- Run security scans against the software images before you install them on your cluster
- Ensure that you have the same images available for multiple deployments, such as development or test environments and production environments
The only situation in which you might consider pulling images directly from the IBM Entitled Registry is when your cluster is not air-gapped, your network is extremely reliable, and latency is not a concern. However, for predictable and reliable performance, you should mirror the images to a private container registry.
Setting up a private container registry
- Version 4.6: Registry overview
- Version 4.8: Registry overview
- Support the Docker Image Manifest Version 2, Schema 2
- Allow path separators in image names
- Be in close proximity to your Red Hat OpenShift Container Platform cluster
In addition, the private container registry must be accessible from all of the nodes in the cluster and all of the nodes must have permission to push to and pull from the private container registry.
- Version 4.6: Image configuration resources
- Version 4.8 Image configuration resources
Image prefixes
IBM Cloud Pak software uses the following prefixes to identify images:
| Tag | Used for |
|---|---|
cp.icr.io/cp |
Images that are pulled from the IBM Entitled Registry that require an entitlement key to download. Most of the IBM Cloud Pak for Data software uses this tag. |
icr.io/cpopen |
Publicly available images that are provided by IBM and that don't require an entitlement
key to download. The IBM Cloud Pak for Data operators use this tag. |
quay.io/opencloudio |
IBM open source images that are available on quay.io. The IBM Cloud Pak® foundational services software uses this tag. |
- Your private container registry is configured to allow these prefixes
- The credentials that you will use to push images to the private container registry can push images with these prefixes
Methods for mirroring images
There are several ways that you can mirror images from the IBM Entitled Registry to your private container registry. Choose the most appropriate method for your environment:
| Method | Description | Connected clusters | Air-gapped clusters |
|---|---|---|---|
| Portable compute device |
Example: A laptop that you can move behind your firewall is a
portable compute device.
High-level process using a portable compute device:
For the full process, see Mirroring images with an intermediary container registry. |
✓ | |
| File transfer |
Example: You can either use a portable storage device, such as
a USB drive, or use
scp or sftp to move images behind your
firewall. High-level process using a file transfer:
For the full process, see Mirroring images with an intermediary container registry. |
✓ | |
| Bastion node |
Example: A server with access to both the public internet and
the private container registry that is accessible from the Red Hat OpenShift Container Platform cluster.
High-level process using a bastion node:
For the full process, see Mirroring images with a bastion node. |
✓ | ✓ |
Mirroring images to a private container registry
Complete the appropriate task for your environment: