Mirroring your images to the enterprise registry
If you are planing a disconnected or offline installation, then you must mirror images to your enterprise registry.
Before you begin
- Considerations for your enterprise registry:
- There must not be a huge latency between cluster nodes and your enterprise registry. Slow image pull can cause OpenShift® Container Platform installation to fail.
- You must have a container image registry that supports Docker v2-2 in the location that hosts
the Red Hat®
OpenShift Container Platform cluster. For more information about
image manifest, see opm CLI reference .Important: Artifactory is the recommended registry because it supports the following must have capabilities:
- Import and export
- Untagged images
JFrog Artifactory version 7.55.8 is tested on IBM Storage Fusion HCI System. The port that is specified in the URL is used to login and pull the images from the enterprise repository. For a secured enterprise registry, specify 443. If you do not provide the port value, then no default port is considered in its absence. The API key is the only supported authentication method.
- For disconnected installation, you need a firewall type proxy server and for an air break installation, the registry must have import and export capabilities.
- If you are using self-signed certificate registry, then ensure that you have updated the
container tools configuration with insecure registries to skip certificate validation.
- For Podman, see https://docs.podman.io/en/stable/markdown/podman-login.1.html.
- For Docker, follow the steps to skip certificate validation:
- To trust the certificate in the Docker daemon:
For Linux, copy the
domain.crt
file to/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt
on your mirroring host. wheredomain.crt
is a self-signed generated certificate andmyregistrydomain.com
is your Docker registry. - For configuring an insecure registry:Note: It is insecure and not recommended.
Edit the
daemon.json
file that present in the default location of/etc/docker/daemon.json
on the Linux Server.If thedaemon.json
file does not exist, then create it. Ensure it contains the following contents:{ "insecure-registries" : ["myregistrydomain.com:5000"] }
- To trust the certificate in the Docker daemon:
- The registry must have at least one directory path specified.
For example:
https://<enterprise registry host>:<enterprise registry port>/<mandatory root path>
- Ensure that you must use the recent enterprise registry images for mirroring.
- Ensure that your secure enterprise registry is already setup and ready for use. From 2.8,
support is available for Quay and registries with self signed certificate. Important: Ensure that you have the most recent images at any point in time.
- Prepare your mirroring host:
- The mirror host must have access to the internet and enterprise registry.
- Ensure that you install the following tools on your system from where you can connect to Red Hat registry and enterprise registry:
- Install Docker or Podman.
- Install skopeo for image copy operation. For more information to install skopeo, see https://github.com/containers/skopeo.
- Install OC command tool from any of the Red Hat
OpenShift Container Platform cluster:
- Log in to the system from where you want to run commands.
- Log in to OpenShift Container Platform.
- Click bell icon and select Command line tools.
- Click the appropriate oc download option based on your operating system.
Alternatively, you can also download the platform based
oc
client from the following OpenShift Container Platform link: https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/4.14.14/.For example, use the following link to download
oc
client for Linux platform: https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/4.14.14/openshift-client-linux-4.14.14.tar.gz.
- Download pull-secret.txt.
To download the pull-secret, see https://console.redhat.com/openshift/install/pull-secret and follow the instructions.
Edit the downloaded
pull-secret
with registry credentials:Add a new section of key-value pair underauths
. For example,
As a prerequisite to run base64, you must install base64 or jq."<Your enterprise registry>:<port>": { "auth": "<base64 encoded 'user_name:password'>", email: "<your email>" }
See the following sample values:{ "auths": { "cloud.openshift.com": { .... "registryhost.com:443": { "auth": "dXNlcl9uYW1lOnBhc3N3b3Jk", "email": "user_name@ibm.com" } } }
Here,user_name
andpassword
are credentials to connect to enterprise registry.Note: If you want to use multiple repositories, add an auth section for both repositories.To authenticate to quay.io by using the username and password from the pull-secret, do the following steps:- Look for quay.io in the json and copy
auth
. Example:
It is a base64 encoded value of"auths": { "quay.io": { "auth": "b3BlbnNoaWZ0LXJTczOGY2YzNjNDM2ZWI0JRSDdUQU45RFBWVUNXM0VZQUlVVDBOQTU3VFM2RE1JMg==", "email": <email-id> } } }
username:password
. - Get the username/password.
Example echo command:echo <auth-content> | base64 –decode
Example output:echo "b3BlbnNoaWZ0LXJTczOGY2YzNjNDM2ZWI0JRSDdUQU45RFBWVUNXM0VZQUlVVDBOQTU3VFM2RE1JMg==" | base64 –decode
openshift-release+ocmaccess0ab5738f6c3c42:CXKR2TSBQH7TAN9
Here,openshift-release+ocmaccess0ab5738f6c3c42
is the user name andCXKR2TSBQH7TAN9
is the password.
Command line to get the username/password :echo <auth-content> | base64 –decode
- Look for quay.io in the json and copy
- Ensure that you have entitlement key to access IBM Storage Fusion HCI System appliance images. For more information about entitlement key, see Activating IBM Storage Fusion HCI System Software to be downloaded.
- Run a pull command in your network to test the network speed. If that time is more than 2 to 5
minutes, there may be an overall reduction in network speed that can cause installation failure.
Example command:
time podman pull cp.icr.io/cp/isf/isf-compute-operator@sha256:414275e851972db2b7172642f7f7827c42da14914061bd5d82ea0584e6ce7fc8
About this task
- Repository and target path must be the same for IBM Storage Fusion and IBM Storage Scale images.
- Run all commands as root user.
- In the commands, replace
<your enterprise registry>
with your enterprise registry and its corresponding pull-secret. - Provide the port number as follows:
- For installation
- If you want to use default port (443) then make sure that you provide the port number. If you
want to use custom port then provide the custom details.For example,
<Your enterprise registry>:9443
. To verify, you can also try login to your registry:port using docker or podman. Use the following podman command:"podman login registryhost:registryport"
- You can mirror the images into a Single repository or Multiple repositories.
- If you want to use Single repository, mirror all the images to IBM Storage Fusion
images repository, so your
$LOCAL_OCP_REGISTRY
should be same as$LOCAL_ISF_REGISTRY
. - If you want to use Multiple repositories, mirror the OpenShift images to the OpenShift
images repository (
$LOCAL_OCP_REGISTRY
) and all other images to the IBM Storage Fusion images repository ($LOCAL_ISF_REGISTRY
).
- If you want to use Single repository, mirror all the images to IBM Storage Fusion
images repository, so your
Procedure
- Mirror Red Hat
OpenShift Container Platform release images.
For the actual procedure, see Mirroring OpenShift Container Platform release images to enterprise registry.
- Mirror images for Red Hat
operator.
For the actual procedure, see Mirroring Red Hat operator images to enterprise registry.
- Run the following steps to mirror IBM Storage Fusion HCI System images. For the actual procedure, see Mirroring IBM Storage Fusion HCI images.
- Mirror IBM Storage Scale
images. For the actual procedure, see Mirroring IBM Storage Scale images.
- Mirror Backup & Restore images.
For the actual procedure, see Mirroring Backup & Restore images.
- Mirror IBM® Spectrum Discover images.
For the actual procedure, see Mirroring Data Cataloging images.