Mirroring prerequisites

Complete the following perquisites before you mirror images of IBM Fusion and its services.

Prepare your mirroring host

  • The mirror host must have access to the internet and enterprise registry.
  • Ensure that you install the following tools on your system from where you can connect to Red Hat® registry and enterprise registry:
  • Download and install ibm-pak OC plugin tool. For more information about the procedure, see https://github.com/IBM/ibm-pak.
  • Download pull-secret.txt.

    To download the pull-secret, see https://console.redhat.com/openshift/install/pull-secret and follow the instructions.

    Edit the downloaded pull-secret with registry credentials:

    Add a new section of key-value pair under auths. For example,
    "<Your enterprise registry>:<port>": {
    "auth": "<base64 encoded 'user_name:password'>",
    email: "<your email>" }
    As a prerequisite to run base64, you must install base64 or jq.
    See the following sample values:
    
    { 
    "auths": { 
       "cloud.openshift.com": { 
          .... 
       "registryhost.com:443": { 
           "auth": "dXNlcl9uYW1lOnBhc3N3b3Jk",   
            "email": "user_name@ibm.com" 
        }
      }
    }
    
    Here, user_name and password are credentials to connect to enterprise registry.
    Note: If you want to use multiple repositories, add an auth section for both repositories.
    To authenticate to quay.io by using the username and password from the pull-secret, do the following steps:
    1. Look for quay.io in the json and copy auth. Example:
      
      
        "auths": {
          "quay.io": {
            "auth": "b3BlbnNoaWZ0LXJTczOGY2YzNjNDM2ZWI0JRSDdUQU45RFBWVUNXM0VZQUlVVDBOQTU3VFM2RE1JMg==",
            "email": <email-id>
          }
        }
      }
      It is a base64 encoded value of username:password.
    2. Get the username/password.
      echo <auth-content> | base64 –decode 
      Example echo command:
      echo "b3BlbnNoaWZ0LXJTczOGY2YzNjNDM2ZWI0JRSDdUQU45RFBWVUNXM0VZQUlVVDBOQTU3VFM2RE1JMg==" | base64 –decode
      Example output:
      openshift-release+ocmaccess0ab5738f6c3c42:CXKR2TSBQH7TAN9
      Here, openshift-release+ocmaccess0ab5738f6c3c42 is the user name and CXKR2TSBQH7TAN9 is the password.

    Command line to get the username/password :echo <auth-content> | base64 –decode

  • Ensure that you have entitlement key to access IBM Fusion HCI System appliance images. For more information about entitlement key, see Activating IBM Fusion HCI System Software to be downloaded.

General prerequisites

  • Provide the port number as follows:
    For installation
    If you want to use default port (443) then make sure that you provide the port number. If you want to use custom port then provide the custom details.
    For example, <Your enterprise registry>:9443. To verify, you can also try login to your registry:port using docker or podman. Use the following podman command:
    "podman login registryhost:registryport" 
  • The registry must have at least one directory path specified.

    For example:

    https://<enterprise registry host>:<enterprise registry port>/<mandatory root path>
  • Ensure that you must use the recent enterprise registry images for mirroring.
  • Ensure that your secure enterprise registry is already setup and ready for use. From 2.8, support is available for Quay and registries with self signed certificate.
    Important: Ensure that you have the most recent images at any point in time.
  • Run a pull command in your network to test the network speed. If that time is more than 2 to 5 minutes, there may be an overall reduction in network speed that can cause installation failure. Example command:
    time podman pull cp.icr.io/cp/isf/isf-compute-operator@sha256:414275e851972db2b7172642f7f7827c42da14914061bd5d82ea0584e6ce7fc8

Single or multiple repositories

You can either host your images in a single repository or host your OpenShift and IBM Fusion images separately. Choose the latter option if you want to manage their OpenShift images separately from other software.
Single repository
If you want to use Single repository, mirror all the images to IBM Fusion images repository, so your $LOCAL_OCP_REGISTRY remains same as $LOCAL_ISF_REGISTRY.
Multiple repositories
If you want to use Multiple repositories, mirror the OpenShift images to the OpenShift images repository ($LOCAL_OCP_REGISTRY) and all other images to the IBM Fusion images repository ($LOCAL_ISF_REGISTRY).

Considerations for your enterprise registry

  • There must not be a huge latency between cluster nodes and your enterprise registry. Slow image pull can cause OpenShift Container Platform installation to fail.
  • You must have a container image registry that supports Docker v2-2 in the location that hosts the Red Hat OpenShift Container Platform cluster. For more information about image manifest, see opm CLI reference .
    Important: Artifactory is the recommended registry because it supports the following must have capabilities:
    • Import and export
    • Untagged images

    JFrog Artifactory version 7.55.8 is tested on IBM Fusion HCI System. The port that is specified in the URL is used to login and pull the images from the enterprise repository. For a secured enterprise registry, specify 443. If you do not provide the port value, then no default port is considered in its absence. The API key is the only supported authentication method.

  • For disconnected installation, you need a firewall type proxy server and for an air break installation, the registry must have import and export capabilities.
  • If you are using self-signed certificate registry, then ensure that you have updated the container tools configuration with insecure registries to skip certificate validation.
    • For Podman, see https://docs.podman.io/en/stable/markdown/podman-login.1.html.
    • For Docker, follow the steps to skip certificate validation:
      • To trust the certificate in the Docker daemon:

        For Linux, copy the domain.crt file to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt on your mirroring host, Where domain.crt is a self-signed generated certificate and myregistrydomain.com is your Docker registry and 5000 is port for registry.

      • For configuring an insecure registry:
        Note: It is insecure and not recommended.

        Edit the daemon.json file that present in the default location of /etc/docker/daemon.json on the Linux Server.

        If the daemon.json file does not exist, then create it. Ensure it contains the following contents:
        {
          "insecure-registries" : ["myregistrydomain.com:5000"]
        }