Mirroring the images with a bastion host

The process of mirroring images pulls the image from the internet and pushes it to your local registry. After mirroring your images, you can configure your cluster and complete the air-gapped installation. Complete the following steps to mirror the images from your host to your air-gapped environment:

Procedure

Mirror the images from your host to your air-gaped environment by completing the following set of steps:
Generate mirror manifests
A mirror manifest is a YAML file that directs the ibm-pak tool what images to mirror and where to mirror them.
  1. Define the environment variable $TARGET_REGISTRY by running the following command:
    export TARGET_REGISTRY=<target-registry
    The <target-registry> refers to the registry (hostname and port) where your images are mirrored to and accessed by the oc cluster. For example: 172.16.0.10:5000.

    If you want the images to use a specific namespace in the target registry, you can specify it here, for example: registry.private/cp4i.

  2. Generate mirror manifests by running the following command:
    oc ibm-pak generate mirror-manifests $OPERATOR_PACKAGE_NAME --version $OPERATOR_VERSION $TARGET_REGISTRY --filter db2

    This generates the following files at ~/.ibm-pak/data/mirror/$OPERATOR_PACKAGE_NAME/$OPERATOR_VERSION:

    • catalog-sources.yaml
    • catalog-sources-linux-<arch>.yaml (if there are arch specific catalog sources)
    • image-content-source-policy.yaml
    • images-mapping.txt
Authenticate the entitled registry
You must authenticate to the entitled registry to mirror the required images.

  1. Export the path to the file which stores the auth credentials that are generated from podman login or docker login. The authentication file is typically located at $HOME/.docker/config.json on Linux or %USERPROFILE%/.docker/config.json on Windows:

    export REGISTRY_AUTH_FILE=$HOME/.docker/config.json

  2. Login to the cp.icr.io registry with podman or docker:

    podman login cp.icr.io
    See Finding and applying your entitlement key (online installation) for how to obtain your entitlement key.
Authenticate the local registry
  1. Login to the local registry with podman or docker using an account that can write images to the local registry.:
    podman login $TARGET_REGISTRY
Mirror the images
  1. Run the following command to copy the images to the local registry. Your device must be connected to both the internet and the restricted network environment that contains the local registry.
    oc image mirror \
  -f ~/.ibm-pak/data/mirror/$OPERATOR_PACKAGE_NAME/$OPERATOR_VERSION/images-mapping.txt \
  -a $REGISTRY_AUTH_FILE \
  --filter-by-os '.*' \
  --skip-multiple-scopes \
  --max-per-registry=1

    The oc image mirror command starts by planning what images and layers need to be transferred. It can take a couple of minutes before you start seeing output. If the local registry is not secured by TLS, or the certificate presented by the local registry is not trusted by your device, add the --insecure option to the command.

Configure the cluster
  1. Log in to your Red Hat® OpenShift® Container Platform by using the oc CLI.
  2. Update the global image pull secret for your Red Hat OpenShift cluster.

    Follow the procedure in Updating the global cluster pull secret. These steps enable your cluster to have proper authentication credentials in place so that it can pull images from your TARGET_REGISTRY (as specified in the image-content-source-policy.yaml).

  3. Run the flowing commands:
    1. Create the ImageContentSourcePolicy resource:
      oc apply -f  ~/.ibm-pak/data/mirror/$OPERATOR_PACKAGE_NAME/$OPERATOR_VERSION/image-content-source-policy.yaml
    2. Verify that the ImageContentSourcePolicy resource is created:
      oc get imageContentSourcePolicy
    3. Verify your cluster node status and wait for all nodes to be updated before proceeding:
      oc get MachineConfigPool -w
Install the catalog source
  1. Run the following command to get the catalog source:
    cat ~/.ibm-pak/data/mirror/${OPERATOR_PACKAGE_NAME}/${OPERATOR_VERSION}/catalog-sources.yaml
  2. Run the following command to apply the catalog sources for the Db2® Operator to the cluster.
    oc apply -f ~/.ibm-pak/data/mirror/${OPERATOR_PACKAGE_NAME}/${OPERATOR_VERSION}/catalog-sources.yaml
Install the Db2 Operator
  1. Run the following command to install the Db2 Operator:
    export NAMESPACE=<namespace>
 oc ibm-pak launch $OPERATOR_PACKAGE_NAME\
            --version $OPERATOR_VERSION\ 
            --action installOperator\
            --inventory db2uOperatorStandaloneSetup\
            --namespace $NAMESPACE
Deploy the Db2 Warehouse instance
  1. Deploy Db2 Warehouse using the Db2uCluster API.