Mirroring images to a private container registry
IBM Cloud Pak® for Data images are accessible from the IBM® Entitled Registry. In most situations, it is strongly recommended that you mirror the necessary software images from the IBM Entitled Registry to a private container registry.
- Installation phase
  - Setting up a client workstation
- Who needs to complete this task?
  - A cluster administrator and private container registry administrator must work together to mirror images to the private container registry.
- When do you need to complete this task?
  - If you want to mirror images to a private container registry, you must complete this task in the following situations:
    - Before you install Cloud Pak for Data for the first time.
    - Before you upgrade to a newer release of Cloud Pak for Data.
Before you begin
About this task
- Your cluster is air-gapped (also called an offline or disconnected cluster)
- Your cluster uses an allowlist to permit direct access by specific sites and the allowlist does not include the IBM Entitled Registry
- Your cluster uses a blocklist to prevent direct access by specific sites and the blocklist includes the IBM Entitled Registry
- Run security scans against the software images before you install them on your cluster
- Ensure that you have the same images available for multiple deployments, such as development or test environments and production environments
The only situation in which you might consider pulling images directly from the IBM Entitled Registry is when your cluster is not air-gapped, your network is extremely reliable, and latency is not a concern. However, for predictable and reliable performance, you should mirror the images to a private container registry.
There are several ways that you can mirror images from the IBM Entitled Registry to your private container registry. Choose the most appropriate method for your environment by answering the following question:
Can you set up a client workstation that can connect to the internet and the private container registry?
- Yes
  - You can mirror the images directly from the IBM Entitled Registry to the private container registry.
- No, the private container registry is in a restricted network
  - You must mirror the images to an intermediary container registry before you can mirror the images to the private container registry. The cpd-cli manage mirror-images command automatically sets up an intermediary container registry on the client workstation. You must be able to move the intermediary container registry behind your firewall. For example, you can use:
    - Use a portable compute device, such as a laptop, that you can move behind your firewall. You can use the same device to:
      - Mirror images from the IBM Entitled Registry to the intermediary container registry.
      - Mirror images from the intermediary container registry to the private container registry.
    - Use a portable storage device, such as a USB drive, that you can move behind your firewall. You must set up two client workstations:
      - A workstation that can connect to the internet. From this workstation, you can mirror the images from the IBM Entitled Registry to the intermediary container registry on the portable storage device.
      - A workstation that can connect to the private container registry. After you move the portable storage device to this workstation, you can mirror the images from the intermediary container registry to the private container registry.
    - Use a file transfer protocol, such as scp or sftp, to move images behind your firewall. You must set up two client workstations:
      - A workstation that can connect to the internet. From this workstation, you can mirror the images from the IBM Entitled Registry to the intermediary container registry.
      - A workstation that can connect to the private container registry. After you transfer the intermediary container registry to this workstation, you can mirror the images from the intermediary container registry to the private container registry.
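When the intermediary container registry is moved on a portable storage device or with scp or sftp, as described above, a checksum manifest lets the restricted-side workstation confirm that the image data arrived unchanged before it is mirrored onward. The following is an added example, not part of the IBM documentation or the cpd-cli tooling; it assumes GNU coreutils and findutils, and the directory and manifest paths in the comments are placeholders for wherever the intermediary registry keeps its data.

```shell
#!/usr/bin/env bash
# Added example (not IBM tooling): detect changes to the intermediary
# registry's on-disk data between the connected and restricted workstations.
# Assumes GNU coreutils/findutils. All paths shown are placeholders.

# write_manifest DIR MANIFEST
# Records one SHA-256 line per regular file under DIR, in a stable order.
# MANIFEST must live outside DIR so that it does not hash itself.
write_manifest() {
  local dir="$1" manifest="$2"
  ( cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z \
      | xargs -0 -r sha256sum ) > "$manifest"
}

# verify_manifest DIR MANIFEST
# Recomputes the manifest for DIR and compares it with the recorded one.
# Returns 0 only on an exact match: modified, missing and extra files all fail.
verify_manifest() {
  local dir="$1" manifest="$2" current rc
  current=$(mktemp) || return 2
  write_manifest "$dir" "$current"
  # diff prints '<' for recorded entries and '>' for what is on disk now
  diff "$manifest" "$current"
  rc=$?
  rm -f "$current"
  return "$rc"
}

# Connected workstation, after mirroring to the intermediary registry:
#   write_manifest /path/to/intermediary-registry-data registry.sha256
# Restricted workstation, after the move and before mirroring onward:
#   verify_manifest /path/to/intermediary-registry-data registry.sha256 \
#     || { echo "image data changed in transit; do not mirror" >&2; exit 1; }
```

Carry the manifest over a separate channel from the image data, or sign it. A manifest stored on the same device as the data only catches accidental corruption.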