Mirror the Backup & Restore images to your
enterprise registry.
About this task
High level steps to mirror
Backup & Restore service:
- Log in to the relevant Docker registries
- Define variables to configure and mirror the Backup & Restore component of IBM Fusion.
- Run the
ibm-pak configuration tool to automatically generate the files needed
by the oc-mirror CLI tool.
- Run the
oc-mirror CLI tool to mirror the Backup & Restore components.
Note:
- Use this procedure only necessary if you plan to mirror specific
sub-components of IBM Fusion instead of following
the full end-to-end mirroring instructions. For more information about the end-to-end mirroring of
IBM Fusion and all its services, see End-to-end mirroring of IBM Fusion and its services.
- If you choose to mirror specific sub-components, use the same TARGET_PATH variable so that all
the components mirror into the same location, and the generated
ImageDigestMirrorSet remains the same across all components.
- Sometimes, the
quay.io/minio/minio image might miss from the mirroring process
which can cause ImagePullBackOff error during install or upgrade. For workaround
steps, see Troubleshooting and known issues in offline mirroring.
- For more information about Air gap setup for network restricted Red Hat®
OpenShift® Container Platform clusters, see Offline setup for network restricted Red Hat OpenShift Container
Platform clusters.
Procedure
-
Log in to your Docker registry:
- Run the following command to login to the Docker registry with your Red Hat enterprise credentials:
docker login registry.redhat.io -u <Red Hat enterprise registry username> -p <Red Hat enterprise registry password>
- To authenticate to quay.io by using the username and password from the pull-secret, do the
following steps:
- Download the pull-secret, see https://console.redhat.com/openshift/install/pull-secret and follow the instructions.
See
the following sample values:
"auths": {
"quay.io": {
"auth": "b3BlbnNoaWZ0LXJTczOGY2YzNjNDM2ZWI0JRSDdUQU45RFBWVUNXM0VZQUlVVDBOQTU3VFM2RE1JMg==",
"email": <email-id>
}
}
}
- Get the username/password:
echo <auth-content> | base64 –decode
Example
echo command:
echo "b3BlbnNoaWZ0LXJTczOGY2YzNjNDM2ZWI0JRSDdUQU45RFBWVUNXM0VZQUlVVDBOQTU3VFM2RE1JMg==" | base64 –decode
Example
output: openshift-release+ocmaccess0ab5738f6c3c42:CXKR2TSBQH7TAN9
Here,
openshift-release+ocmaccess0ab5738f6c3c42 is the user name and
CXKR2TSBQH7TAN9 is the password.
- Log in to the IBM Entitled Container Registry using the IBM entitlement key.
docker login cp.icr.io -u cp -p <your entitlement key>
Note: Ensure that your entitlement key for IBM Fusion contains the correct
entitlement.
- Set the following environment variables:
export LOCAL_ISF_REGISTRY="<Your enterprise registry host>:<port>"
export LOCAL_ISF_REPOSITORY="<Your image path>"
export TARGET_PATH="$LOCAL_ISF_REGISTRY/$LOCAL_ISF_REPOSITORY"
echo "$TARGET_PATH"
export CASE_NAME=ibm-fusion-bnr
export CASE_VERSION=2.9.0
Note: Port is a non-mandatory value when setting the LOCAL_ISF_REGISTRY variable.
You can ignore this if your enterprise registry is accessible and has a secure connection.
Sample value without
port:
export LOCAL_ISF_REGISTRY="registryhost.com"
export LOCAL_ISF_REGISTRY="registryhost.com:443"
export LOCAL_ISF_REPOSITORY="fusion-mirror"
- Run the command to login to the Docker registry with your enterprise registry
credentials.
docker login $LOCAL_ISF_REGISTRY -u <your enterprise registry username> -p <your enterprise registry password>
LOCAL_ISF_REGISTRY is your entitlement registry.
LOCAL_ISF_REPOSITORY is the image path in which you want to mirror the images.
You can choose your own repository paths. For example, sds-2.9.0/isf or sds-2.9.0.
- Ensure that the
redhat-oadp-operator and
amq-streams operator packages are present in your cluster.
- Configure the
ibm-pak plugin to use the oc-mirror
command:
oc ibm-pak config mirror-tools -e oc-mirror
- From the mirroring host, run the get command to download the mirroring metadata from
IBM’s public
CloudPak repository:
oc ibm-pak get --version "${CASE_VERSION}" "${CASE_NAME}"
Important: When you mirror the
Backup & Restore service in 2.9.0 with
ibm-pak (either individually or as part of the full
end-to-end mirror process), the
quay.io/minio/minio image goes missing from the
mirroring process. It causes
ImagePullBackOff error during both installation or
upgrade operation. To download it manually, see
Offline image missing for Backup & Restore service.
- Run the ibm-pak generate command to generate the
oc
mirror configuration files specific to your environment:
oc ibm-pak generate mirror-manifests --version "${CASE_VERSION}" "${CASE_NAME}" "${TARGET_PATH}"
An example output of a successfully completed
generate
command:
...
- To mirror the non curated catalog:
oc mirror --config /root/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/image-set-config.yaml docker://${TARGET_PATH}
Note: Use --dest-tls-verify=false parameter when you mirroring images to quay
repository.
Run the oc mirror command for the non curated catalog
provided in the output of the previous generated
command. Example:
oc mirror --config /root/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/image-set-config.yaml docker://${TARGET_PATH}
Example
output on successful
mirroring:
Writing image mapping to oc-mirror-workspace/results-1747667151/mapping.txt
Writing CatalogSource manifests to oc-mirror-workspace/results-1747667151
Writing ICSP manifests to oc-mirror-workspace/results-1747667151
In case of any failure,
refer
Troubleshooting and known issues in offline mirroring to get the resolution
steps.
- Go to the directory that contains the image-set-config.yaml file
that is referenced in the
oc-mirror command:
cd /root/.ibm-pak/data/mirror/${CASE_NAME}/${CASE_VERSION}/
This directory contains several files that were automatically generated by the
ibm-pak tool.
- Apply the
ImageDigestMirrorSet file to your
cluster: oc apply -f image-digest-mirror-set.yaml
There is no need
to apply the generated
catalog-source.yaml file in this directory as Fusion
applies the CatalogSource for
Backup & Restore.