Mirroring the images with a bastion host
The process of mirroring images pulls the image from the internet and pushes it to your local registry. After mirroring your images, you can configure your cluster and complete the air-gapped installation. Complete the following steps to mirror the images from your host to your air-gapped environment:
Procedure
- Generate mirror manifests
- A mirror manifest is a YAML file that directs the ibm-pak tool what images to mirror and where to mirror them.
- Authenticate the entitled registry
- You must authenticate to the entitled registry to mirror the required images.
- Export the path to the file that stores the auth credentials generated by podman login or docker login. The authentication file is typically located at $HOME/.docker/config.json on Linux or %USERPROFILE%/.docker/config.json on Windows:
export REGISTRY_AUTH_FILE=$HOME/.docker/config.json
- Log in to the cp.icr.io registry with podman or docker:
podman login cp.icr.io
See Finding and applying your entitlement key (online installation) for how to obtain your entitlement key.
- Authenticate the local registry
- Log in to the local registry with podman or docker using an account that can write images to the local registry:
podman login $TARGET_REGISTRY
- Mirror the images
- Run the following command to copy the images to the local registry. Your device must be connected to both the internet and the restricted network environment that contains the local registry.
oc image mirror \
  -f ~/.ibm-pak/data/mirror/$OPERATOR_PACKAGE_NAME/$OPERATOR_VERSION/images-mapping.txt \
  -a $REGISTRY_AUTH_FILE \
  --filter-by-os '.*' \
  --skip-multiple-scopes \
  --max-per-registry=1
The oc image mirror command starts by planning what images and layers need to be transferred. It can take a couple of minutes before you start seeing output. If the local registry is not secured by TLS, or the certificate presented by the local registry is not trusted by your device, add the --insecure option to the command.
- Configure the cluster
- Log in to your Red Hat® OpenShift® Container Platform by using the oc CLI.
- Update the global image pull secret for your Red Hat OpenShift cluster. Follow the procedure in Updating the global cluster pull secret. These steps enable your cluster to have proper authentication credentials in place so that it can pull images from your TARGET_REGISTRY (as specified in the image-content-source-policy.yaml).
- Run the following commands:
- Create the ImageContentSourcePolicy resource:
oc apply -f ~/.ibm-pak/data/mirror/$OPERATOR_PACKAGE_NAME/$OPERATOR_VERSION/image-content-source-policy.yaml
- Verify that the ImageContentSourcePolicy resource is created:
oc get imageContentSourcePolicy
- Verify your cluster node status and wait for all nodes to be updated before proceeding:
oc get MachineConfigPool -w
- Install the catalog source
- Run the following command to get the catalog source:
cat ~/.ibm-pak/data/mirror/${OPERATOR_PACKAGE_NAME}/${OPERATOR_VERSION}/catalog-sources.yaml
- Run the following command to apply the catalog sources for the Db2® Operator to the cluster:
oc apply -f ~/.ibm-pak/data/mirror/${OPERATOR_PACKAGE_NAME}/${OPERATOR_VERSION}/catalog-sources.yaml
- Install the Db2 Operator
- Run the following command to install the Db2 Operator:
export NAMESPACE=<namespace>
oc ibm-pak launch $OPERATOR_PACKAGE_NAME \
  --version $OPERATOR_VERSION \
  --action installOperator \
  --inventory db2uOperatorStandaloneSetup \
  --namespace $NAMESPACE
- Deploy the Db2 or Db2 Warehouse instance
- Deploy Db2 or Db2 Warehouse using the Db2uCluster API
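
A pre-flight check for the Mirror the images step, as an added example that is not part of the IBM procedure: it audits images-mapping.txt before oc image mirror runs, flagging sources outside an expected registry list, sources not pinned by digest, and destinations outside your local registry. The audit_mapping function, the allowlist and the sample registry names are assumptions; the SRC=DST line format is the one oc image mirror -f reads.

```shell
#!/bin/sh
# Added example, not IBM tooling: audit an `oc image mirror -f` mapping file
# (one SRC=DST pair per line) before any image is pushed.
# audit_mapping and the source-registry allowlist are illustrative assumptions.

# usage: audit_mapping FILE TARGET_REGISTRY "ALLOWED_SOURCE_HOSTS"
# Prints one line per finding; succeeds only when there are none.
audit_mapping() (
  file=$1; target=$2; allowed=$3; n=0; problems=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in
      '' | '#'*) continue ;;                 # blank line or comment
      *=*) ;;                                # looks like SRC=DST
      *) echo "line $n: not a SRC=DST mapping"
         problems=$((problems + 1)); continue ;;
    esac
    src=${line%%=*}      # text before the first '='
    dst=${line#*=}       # text after the first '='
    host=${src%%/*}      # registry host of the source image
    case " $allowed " in
      *" $host "*) ;;
      *) echo "line $n: unexpected source registry $host"
         problems=$((problems + 1)) ;;
    esac
    case $src in
      *@sha256:*) ;;
      *) echo "line $n: source is not pinned by digest"
         problems=$((problems + 1)) ;;
    esac
    case $dst in
      "$target"/*) ;;
      *) echo "line $n: destination is outside $target"
         problems=$((problems + 1)) ;;
    esac
  done < "$file"
  [ "$problems" -eq 0 ]
)

# Constructed sample mapping; registry.example.internal:5000 is a placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
cp.icr.io/cp/example-operator@sha256:aaaa=registry.example.internal:5000/cp/example-operator:1.0
docker.io/library/example:latest=registry.example.internal:5000/library/example:latest
cp.icr.io/cp/example-bundle@sha256:bbbb=other.example.net/cp/example-bundle:1.0
EOF
audit_mapping "$sample" registry.example.internal:5000 "cp.icr.io" ||
  echo "mapping file needs review before running oc image mirror"
rm -f "$sample"
```

Against the real file, pass ~/.ibm-pak/data/mirror/$OPERATOR_PACKAGE_NAME/$OPERATOR_VERSION/images-mapping.txt, $TARGET_REGISTRY, and the list of source registries you expect for your entitlement.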