Mirroring images to the final location

Do the steps in this section on your host that is connected to both the local Docker registry and the Red Hat® OpenShift® Container Platform cluster.

Important: After running the oc ibm-pak generate mirror-manifests commands when mirroring images to your private container registry in the previous steps, you might be prompted to run two further oc mirror commands for curated and non-curated catalogs. You can follow the prompt instead of the steps in this section. The steps in this section match the non-curated catalog command.
  1. For mirroring from a bastion host (connected mirroring) mirror images to the TARGET_REGISTRY:

    a. Do the following steps to mirror the curated catalog:

    oc mirror \ 
    --config /root/.ibm-pak/data/publish/latest/image-set-config.yaml \
    docker://$TARGET_REGISTRY \ 
    --v1 \
    --dest-skip-tls \ 
    --max-per-registry=6

    b. Do the following steps to mirror the non-curated catalog:

    oc mirror \ 
    --config /root/.ibm-pak/data/mirror/ibm-process-mining/$CASE_NAME/$CASE_VERSION/image-set-config.yaml \ 
    docker://$TARGET_REGISTRY \ 
    --v1 \
    --dest-skip-tls \ 
    --max-per-registry=6
  2. Use the following command to view a live stream of the data being added to .oc.mirror.log during the mirroring:

    tail -f .oc.mirror.log
    
  3. If you generated manifests in the previous steps to mirror images to an intermediate registry server followed by a final registry server, do the following steps:

    a. Mirror images to the intermediate registry server:

    oc mirror \
       --config /root/.ibm-pak/data/publish/latest/image-set-config.yaml \
       docker://$INTERMEDIATE_REGISTRY
       --filter-by-os '.*' \
       --insecure \
       --skip-multiple-scopes \
       --v1 \
       --max-per-registry=1 \
       --continue-on-error=true > mirror-progress.txt 2>&1 &
    

    b. Mirror images from the intermediate registry server to the final registry server:

    oc mirror \
       --config /root/.ibm-pak/data/publish/latest/image-set-config.yaml \
       docker://$TARGET_REGISTRY
       --filter-by-os '.*' \
       --insecure \
       --skip-multiple-scopes \
       --v1 \
       --max-per-registry=1 \
       --continue-on-error=true > mirror-progress.txt 2>&1 &
    

    For more information on issuing the command on a remote machine, see Troubleshooting on Red Hat® OpenShift® Container Platform.

    c. Optional: View the progress of the mirror by running the following command on the remote machine:

    tail -f my-mirror-progress.txt
    
  4. For mirroring from a file system (disconnected mirroring):

    a. Mirror images to your file system:

    export IMAGE_PATH=file://<image-path>
       oc mirror \
       --config /root/.ibm-pak/data/publish/latest/image-set-config.yaml \
       --filter-by-os '.*' \
       --insecure \
       --skip-multiple-scopes \
       --v1 \
       --max-per-registry=1 \
       --continue-on-error=true \
       "$IMAGE_PATH"
    

    The <image-path> refers to the local path to store the images. For example, in the previous section if provided file://local as input during generate mirror-manifests, then the preceding command creates a subdirectory v2/local inside the directory that is referred by <image-path> and copy the images under it.

    b. Run one of the following commands for oc-mirror v1 or v2 to see all the options available on the mirror command. Note that continue-on-error is used to indicate that the command should try to mirror as much as possible and continue on errors.

    oc mirror --help --v1
    
    oc mirror --help --v2

    For more information on issuing the command on a remote machine, see Troubleshooting on Red Hat® OpenShift® Container Platform.

    c. Optional: View the progress of the mirror by running the following command on the remote machine:

    tail -f my-mirror-progress.txt
    

    d. Move the following items to your file system:

    • The <image-path> directory that you specified in the previous step
    • The auth file referred by $REGISTRY_AUTH_FILE
    • ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/images-mapping-from-filesystem.txt

    e. Mirror images to the target registry from file system.

Copying the images to the $TARGET_REGISTRY

Complete the steps in this section on your file system to copy the images from the file system to the $TARGET_REGISTRY. Your file system must be connected to the target docker registry.

  1. Optional: Find and replace the placeholder value of TARGET_REGISTRY in the images-mapping-from-filesystem.txt file with the actual registry where you want to mirror the images if you used the placeholder value of TARGET_REGISTRY as a parameter to --final-registry while generating mirror manifests.

  2. Run the following command to copy the images (referred in the images-mapping-from-filesystem.txt file) from the directory that is referred by <image-path> to the final target registry:

    export IMAGE_PATH=<image-path>
    oc mirror \
      -f ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/images-mapping-from-filesystem.txt \
      -a $REGISTRY_AUTH_FILE \
      --from-dir "$IMAGE_PATH" \
      --filter-by-os '.*' \
      --insecure \
      --skip-multiple-scopes \
      --max-per-registry=1 \
      --continue-on-error=true
    

Configuring the cluster

  1. Update the global image pull secret for your Red Hat OpenShift cluster. Follow the steps in Updating the global cluster pull secret.

    You can enable your cluster to have proper authentication credentials in place to pull images from your TARGET_REGISTRY as specified in the image-digest-mirror-set.yaml.

  2. Create ImageDigestMirrorSet:

    • Important: Before you run the command in this step, you must be logged in to your OpenShift cluster. Using the oc login command, log in to the Red Hat OpenShift Container Platform cluster where your final location resides. You can identify your specific oc login by clicking the user drop-down menu in the Red Hat OpenShift Container Platform console, then clicking Copy Login Command.

      If you used the placeholder value of TARGET_REGISTRY as a parameter to --final-registry at the time of generating mirror manifests, then before running the following command, find and replace the placeholder value of TARGET_REGISTRY in file, ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/image-digest-mirror-set.yaml with the actual registry where you want to mirror the images. For example, replace TARGET_REGISTRY with myregistry.com/mynamespace.

    Run the following command to create ImageDigestMirrorSet:

    oc apply -f ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/image-digest-mirror-set.yaml

    If you are using Red Hat OpenShift Container Platform version 4.7 or earlier, this step might cause your cluster nodes to drain and restart sequentially to apply the configuration changes.

  3. Verify that the ImageDigestMirrorSet resource is created:

    oc get ImageDigestMirrorSet
    oc describe ImageDigestMirrorSet
  4. Verify your cluster node status and wait for all the nodes to be restarted before proceeding:

    oc get MachineConfigPool
    
    $ oc get MachineConfigPool -w
    NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
    master   rendered-master-53bda7041038b8007b038c08014626dc   True      False      False      3              3                   3                     0                      10d
    worker   rendered-worker-b54afa4063414a9038958c766e8109f7   True      False      False      3              3                   3                     0                      10d
    

    After the ImageDigestMirrorSet and global image pull secret are applied, the configuration of your nodes will be updated sequentially. Wait until all MachineConfigPools are in the UPDATED=True status before proceeding.

  5. Log in to a cluster and create a new project for the CA`SE commands by running the following commands:

    export NAMESPACE=<YOUR_NAMESPACE>
    
    oc new-project $NAMESPACE
    
  6. Optional: If you use an insecure registry, you must add the target registry to the cluster insecureRegistries list.

    oc patch image.config.openshift.io/cluster --type=merge \
    -p '{"spec":{"registrySources":{"insecureRegistries":["'${TARGET_REGISTRY}'"]}}}'
    
  7. Verify your cluster node status and wait for all the nodes to be restarted before proceeding.

    oc get MachineConfigPool -w
    

    After the ImageDigestMirrorSet and global image pull secret are applied, the configuration of your nodes will be updated sequentially. Wait until all MachineConfigPools are updated.