Mirroring images to the final location
Do the steps in this section on your host that is connected to both the local Docker registry and the Red Hat® OpenShift® Container Platform cluster.
-
For mirroring from a bastion host (connected mirroring) mirror images to the
TARGET_REGISTRY:a. Do the following steps to mirror the curated catalog:
oc mirror \ --config /root/.ibm-pak/data/publish/latest/image-set-config.yaml \ docker://$TARGET_REGISTRY \ --v1 \ --dest-skip-tls \ --max-per-registry=6b. Do the following steps to mirror the non-curated catalog:
oc mirror \ --config /root/.ibm-pak/data/mirror/ibm-process-mining/$CASE_NAME/$CASE_VERSION/image-set-config.yaml \ docker://$TARGET_REGISTRY \ --v1 \ --dest-skip-tls \ --max-per-registry=6 -
Use the following command to view a live stream of the data being added to .oc.mirror.log during the mirroring:
tail -f .oc.mirror.log -
If you generated manifests in the previous steps to mirror images to an intermediate registry server followed by a final registry server, do the following steps:
a. Mirror images to the intermediate registry server:
oc mirror \ --config /root/.ibm-pak/data/publish/latest/image-set-config.yaml \ docker://$INTERMEDIATE_REGISTRY --filter-by-os '.*' \ --insecure \ --skip-multiple-scopes \ --v1 \ --max-per-registry=1 \ --continue-on-error=true > mirror-progress.txt 2>&1 &b. Mirror images from the intermediate registry server to the final registry server:
oc mirror \ --config /root/.ibm-pak/data/publish/latest/image-set-config.yaml \ docker://$TARGET_REGISTRY --filter-by-os '.*' \ --insecure \ --skip-multiple-scopes \ --v1 \ --max-per-registry=1 \ --continue-on-error=true > mirror-progress.txt 2>&1 &For more information on issuing the command on a remote machine, see Troubleshooting on Red Hat® OpenShift® Container Platform.
c. Optional: View the progress of the mirror by running the following command on the remote machine:
tail -f my-mirror-progress.txt -
For mirroring from a file system (disconnected mirroring):
a. Mirror images to your file system:
export IMAGE_PATH=file://<image-path> oc mirror \ --config /root/.ibm-pak/data/publish/latest/image-set-config.yaml \ --filter-by-os '.*' \ --insecure \ --skip-multiple-scopes \ --v1 \ --max-per-registry=1 \ --continue-on-error=true \ "$IMAGE_PATH"The
<image-path>refers to the local path to store the images. For example, in the previous section if providedfile://localas input during generate mirror-manifests, then the preceding command creates a subdirectory v2/local inside the directory that is referred by<image-path>and copy the images under it.b. Run one of the following commands for
oc-mirrorv1 or v2 to see all the options available on the mirror command. Note thatcontinue-on-erroris used to indicate that the command should try to mirror as much as possible and continue on errors.oc mirror --help --v1oc mirror --help --v2For more information on issuing the command on a remote machine, see Troubleshooting on Red Hat® OpenShift® Container Platform.
c. Optional: View the progress of the mirror by running the following command on the remote machine:
tail -f my-mirror-progress.txtd. Move the following items to your file system:
- The
<image-path>directory that you specified in the previous step - The
authfile referred by$REGISTRY_AUTH_FILE -
~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/images-mapping-from-filesystem.txt
e. Mirror images to the target registry from file system.
- The
Copying the images to the $TARGET_REGISTRY
Complete the steps in this section on your file system to copy
the images from the file system to the
$TARGET_REGISTRY. Your file system must be connected
to the target docker registry.
-
Optional: Find and replace the placeholder value of
TARGET_REGISTRYin theimages-mapping-from-filesystem.txtfile with the actual registry where you want to mirror the images if you used the placeholder value ofTARGET_REGISTRYas a parameter to--final-registrywhile generating mirror manifests. -
Run the following command to copy the images (referred in the
images-mapping-from-filesystem.txtfile) from the directory that is referred by<image-path>to the final target registry:export IMAGE_PATH=<image-path> oc mirror \ -f ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/images-mapping-from-filesystem.txt \ -a $REGISTRY_AUTH_FILE \ --from-dir "$IMAGE_PATH" \ --filter-by-os '.*' \ --insecure \ --skip-multiple-scopes \ --max-per-registry=1 \ --continue-on-error=true
Configuring the cluster
-
Update the global image pull secret for your Red Hat OpenShift cluster. Follow the steps in Updating the global cluster pull secret.
You can enable your cluster to have proper authentication credentials in place to pull images from your
TARGET_REGISTRYas specified in theimage-digest-mirror-set.yaml. -
Create
ImageDigestMirrorSet:-
Important: Before you run the command in this step, you must be logged in to your OpenShift cluster. Using the oc login command, log in to the Red Hat OpenShift Container Platform cluster where your final location resides. You can identify your specific oc login by clicking the user drop-down menu in the Red Hat OpenShift Container Platform console, then clicking Copy Login Command.
If you used the placeholder value of TARGET_REGISTRY as a parameter to --final-registry at the time of generating mirror manifests, then before running the following command, find and replace the placeholder value of TARGET_REGISTRY in file, ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/image-digest-mirror-set.yaml with the actual registry where you want to mirror the images. For example, replace TARGET_REGISTRY with myregistry.com/mynamespace.
Run the following command to create
ImageDigestMirrorSet:oc apply -f ~/.ibm-pak/data/mirror/$CASE_NAME/$CASE_VERSION/image-digest-mirror-set.yamlIf you are using Red Hat OpenShift Container Platform version 4.7 or earlier, this step might cause your cluster nodes to drain and restart sequentially to apply the configuration changes.
-
-
Verify that the
ImageDigestMirrorSetresource is created:oc get ImageDigestMirrorSet oc describe ImageDigestMirrorSet -
Verify your cluster node status and wait for all the nodes to be restarted before proceeding:
oc get MachineConfigPool$ oc get MachineConfigPool -w NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-53bda7041038b8007b038c08014626dc True False False 3 3 3 0 10d worker rendered-worker-b54afa4063414a9038958c766e8109f7 True False False 3 3 3 0 10dAfter the
ImageDigestMirrorSetand global image pull secret are applied, the configuration of your nodes will be updated sequentially. Wait until allMachineConfigPoolsare in theUPDATED=Truestatus before proceeding. -
Log in to a cluster and create a new project for the CA`SE commands by running the following commands:
export NAMESPACE=<YOUR_NAMESPACE>oc new-project $NAMESPACE -
Optional: If you use an insecure registry, you must add the target registry to the cluster insecureRegistries list.
oc patch image.config.openshift.io/cluster --type=merge \ -p '{"spec":{"registrySources":{"insecureRegistries":["'${TARGET_REGISTRY}'"]}}}' -
Verify your cluster node status and wait for all the nodes to be restarted before proceeding.
oc get MachineConfigPool -wAfter the
ImageDigestMirrorSetand global image pull secret are applied, the configuration of your nodes will be updated sequentially. Wait until allMachineConfigPoolsare updated.