Mirroring prerequisites
Complete the following perquisites before you mirror images of IBM Fusion and its services.
Prepare your mirroring host
- The mirror host must have access to the internet and enterprise registry.
- Ensure that you install the following tools on your system from where you can connect to Red Hat® registry and enterprise registry:
- Install Docker or Podman to create, run, and maintain images.
If you are using self-signed certificate registry, then ensure that you have updated the container tools configuration with insecure registries to skip certificate validation. For more information about how to update, see Update container tools configuration.
- Install skopeo for Global Data Platform storage image copy operation. For more information to install skopeo, see https://github.com/containers/skopeo.
- Install OC command tool from any of the Red Hat
OpenShift® Container Platform cluster:
- Log in to the system from where you want to run commands.
- Log in to OpenShift Container Platform.
- Click bell icon and select Command line tools.
- Click the appropriate oc download option based on your operating system.
Alternatively, you can also download the platform based
oc
client from the following OpenShift Container Platform link: https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/4.14.14/.For example, use the following link to download
oc
client for Linux platform: https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/4.14.14/openshift-client-linux-4.14.14.tar.gz.
- Install Docker or Podman to create, run, and maintain images.
- Download and install
ibm-pak
OC plugin tool. For more information about the procedure, see https://github.com/IBM/ibm-pak. - Download pull-secret.txt.
To download the pull-secret, see https://console.redhat.com/openshift/install/pull-secret and follow the instructions.
Edit the downloaded
pull-secret
with registry credentials:Add a new section of key-value pair underauths
. For example,
As a prerequisite to run base64, you must install base64 or jq."<Your enterprise registry>:<port>": { "auth": "<base64 encoded 'user_name:password'>", email: "<your email>" }
See the following sample values:{ "auths": { "cloud.openshift.com": { .... "registryhost.com:443": { "auth": "dXNlcl9uYW1lOnBhc3N3b3Jk", "email": "user_name@ibm.com" } } }
Here,user_name
andpassword
are credentials to connect to enterprise registry.Note: If you want to use multiple repositories, add an auth section for both repositories.To authenticate to quay.io by using the username and password from the pull-secret, do the following steps:- Look for quay.io in the json and copy
auth
. Example:
It is a base64 encoded value of"auths": { "quay.io": { "auth": "b3BlbnNoaWZ0LXJTczOGY2YzNjNDM2ZWI0JRSDdUQU45RFBWVUNXM0VZQUlVVDBOQTU3VFM2RE1JMg==", "email": <email-id> } } }
username:password
. - Get the username/password.
Example echo command:echo <auth-content> | base64 –decode
Example output:echo "b3BlbnNoaWZ0LXJTczOGY2YzNjNDM2ZWI0JRSDdUQU45RFBWVUNXM0VZQUlVVDBOQTU3VFM2RE1JMg==" | base64 –decode
openshift-release+ocmaccess0ab5738f6c3c42:CXKR2TSBQH7TAN9
Here,openshift-release+ocmaccess0ab5738f6c3c42
is the user name andCXKR2TSBQH7TAN9
is the password.
Command line to get the username/password :echo <auth-content> | base64 –decode
- Look for quay.io in the json and copy
- Ensure that you have entitlement key to access IBM Fusion HCI System appliance images. For more information about entitlement key, see Activating IBM Fusion HCI System Software to be downloaded.
General prerequisites
- Provide the port number as follows:
- For installation
- If you want to use default port (443) then make sure that you provide the port number. If you
want to use custom port then provide the custom details.For example,
<Your enterprise registry>:9443
. To verify, you can also try login to your registry:port using docker or podman. Use the following podman command:"podman login registryhost:registryport"
- The registry must have at least one directory path specified.
For example:
https://<enterprise registry host>:<enterprise registry port>/<mandatory root path>
- Ensure that you must use the recent enterprise registry images for mirroring.
- Ensure that your secure enterprise registry is already setup and ready for use. From 2.8,
support is available for Quay and registries with self signed certificate. Important: Ensure that you have the most recent images at any point in time.
- Run a pull command in your network to test the network speed. If that time is more than 2 to 5
minutes, there may be an overall reduction in network speed that can cause installation failure.
Example command:
time podman pull cp.icr.io/cp/isf/isf-compute-operator@sha256:414275e851972db2b7172642f7f7827c42da14914061bd5d82ea0584e6ce7fc8
Single or multiple repositories
- Single repository
- If you want to use Single repository, mirror all the images to IBM Fusion images
repository, so your
$LOCAL_OCP_REGISTRY
remains same as$LOCAL_ISF_REGISTRY
.
- Multiple repositories
- If you want to use Multiple repositories, mirror the OpenShift images to the OpenShift
images repository (
$LOCAL_OCP_REGISTRY
) and all other images to the IBM Fusion images repository ($LOCAL_ISF_REGISTRY
).
Considerations for your enterprise registry
- There must not be a huge latency between cluster nodes and your enterprise registry. Slow image pull can cause OpenShift Container Platform installation to fail.
- You must have a container image registry that supports Docker v2-2 in the location that hosts
the Red Hat
OpenShift Container Platform cluster. For more information about
image manifest, see opm CLI reference .Important: Artifactory is the recommended registry because it supports the following must have capabilities:
- Import and export
- Untagged images
JFrog Artifactory version 7.55.8 is tested on IBM Fusion HCI System. The port that is specified in the URL is used to login and pull the images from the enterprise repository. For a secured enterprise registry, specify 443. If you do not provide the port value, then no default port is considered in its absence. The API key is the only supported authentication method.
- For disconnected installation, you need a firewall type proxy server and for an air break installation, the registry must have import and export capabilities.
- If you are using self-signed certificate registry, then ensure that you have
updated the container tools configuration with insecure registries to skip certificate validation.
- For Podman, see https://docs.podman.io/en/stable/markdown/podman-login.1.html.
- For Docker, follow the steps to skip certificate validation:
- To trust the certificate in the Docker daemon:
For Linux, copy the
domain.crt
file to/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt
on your mirroring host, Wheredomain.crt
is a self-signed generated certificate andmyregistrydomain.com
is your Docker registry and 5000 is port for registry. - For configuring an insecure registry:Note: It is insecure and not recommended.
Edit the
daemon.json
file that present in the default location of/etc/docker/daemon.json
on the Linux Server.If thedaemon.json
file does not exist, then create it. Ensure it contains the following contents:{ "insecure-registries" : ["myregistrydomain.com:5000"] }
- To trust the certificate in the Docker daemon: