Mirroring your images to the enterprise registry

If you are planning a disconnected or offline installation, you must mirror images to your enterprise registry.

Before you begin

  • Considerations for your enterprise registry:
    • There must not be high latency between the cluster nodes and your enterprise registry. Slow image pulls can cause the OpenShift® Container Platform installation to fail.
    • You must have a container image registry that supports Docker v2-2 in the location that hosts the Red Hat® OpenShift Container Platform cluster. For more information about image manifests, see the opm CLI reference.
      Important: Artifactory is the recommended registry because it supports the following must-have capabilities:
      • Import and export
      • Untagged images

      JFrog Artifactory version 7.55.8 is tested on IBM Storage Fusion HCI System. The port that is specified in the URL is used to log in and pull the images from the enterprise repository. For a secured enterprise registry, specify 443. If you do not provide a port value, no default port is assumed. The API key is the only supported authentication method.

    • For a disconnected installation, you need a firewall-type proxy server; for an air-gap installation, the registry must have import and export capabilities.
    • If you are using a registry with a self-signed certificate, ensure that you have updated the container tools configuration with insecure registries to skip certificate validation.
      • For Podman, see https://docs.podman.io/en/stable/markdown/podman-login.1.html.
      • For Docker, follow these steps to skip certificate validation:
        • To trust the certificate in the Docker daemon:

          For Linux, copy the domain.crt file to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt on your mirroring host, where domain.crt is the self-signed certificate that you generated and myregistrydomain.com is your Docker registry.

        • To configure an insecure registry:
          Note: This configuration is insecure and not recommended.

          Edit the daemon.json file, which is in the default location /etc/docker/daemon.json on the Linux server.

          If the daemon.json file does not exist, then create it. Ensure it contains the following contents:
          {
            "insecure-registries" : ["myregistrydomain.com:5000"]
          }
  • The registry must have at least one directory path specified.

    For example:

    https://<enterprise registry host>:<enterprise registry port>/<mandatory root path>
  • Ensure that you use the most recent enterprise registry images for mirroring.
  • Ensure that your secure enterprise registry is already set up and ready for use. From 2.8, support is available for Quay and for registries with a self-signed certificate.
    Important: Ensure that you have the most recent images at any point in time.
  • Prepare your mirroring host:
    • The mirroring host must have access to the internet and to the enterprise registry.
    • Ensure that you install the following tools on the system from which you connect to the Red Hat registry and the enterprise registry:
    • Download pull-secret.txt.

      To download the pull-secret, see https://console.redhat.com/openshift/install/pull-secret and follow the instructions.

      Edit the downloaded pull-secret to add your enterprise registry credentials:

      Add a new key-value section under auths. For example:
      "<Your enterprise registry>:<port>": {
        "auth": "<base64 encoded 'user_name:password'>",
        "email": "<your email>"
      }
      As a prerequisite, install base64 or jq to produce the encoded value.
      See the following sample values:
      
      {
        "auths": {
          "cloud.openshift.com": {
            ....
          },
          "registryhost.com:443": {
            "auth": "dXNlcl9uYW1lOnBhc3N3b3Jk",
            "email": "user_name@ibm.com"
          }
        }
      }
      
      Here, user_name and password are the credentials to connect to the enterprise registry.
      Note: If you want to use multiple repositories, add an auth section for each repository.
      To authenticate to quay.io by using the username and password from the pull-secret, do the following steps:
      1. Look for quay.io in the JSON and copy the auth value. Example:
          "auths": {
            "quay.io": {
              "auth": "b3BlbnNoaWZ0LXJTczOGY2YzNjNDM2ZWI0JRSDdUQU45RFBWVUNXM0VZQUlVVDBOQTU3VFM2RE1JMg==",
              "email": "<email-id>"
            }
          }
        It is a base64-encoded value of username:password.
      2. Get the username and password:
        echo <auth-content> | base64 --decode
        Example echo command:
        echo "b3BlbnNoaWZ0LXJTczOGY2YzNjNDM2ZWI0JRSDdUQU45RFBWVUNXM0VZQUlVVDBOQTU3VFM2RE1JMg==" | base64 --decode
        Example output:
        openshift-release+ocmaccess0ab5738f6c3c42:CXKR2TSBQH7TAN9
        Here, openshift-release+ocmaccess0ab5738f6c3c42 is the user name and CXKR2TSBQH7TAN9 is the password.

      Command line to get the username and password: echo <auth-content> | base64 --decode

    • Ensure that you have an entitlement key to access IBM Storage Fusion HCI System appliance images. For more information about the entitlement key, see Activating IBM Storage Fusion HCI System Software to be downloaded.
  • Run a pull command in your network to test the network speed. If the pull takes more than 2 to 5 minutes, there may be an overall reduction in network speed that can cause installation failure. Example command:
    time podman pull cp.icr.io/cp/isf/isf-compute-operator@sha256:414275e851972db2b7172642f7f7827c42da14914061bd5d82ea0584e6ce7fc8
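The pull-secret editing and the auth decoding described above, as an added example that is not part of the original IBM documentation: a small Python helper that adds an `auths` entry for an enterprise registry (requiring the host:port form the page asks for), encodes `user_name:password` in base64 exactly as the sample values show, and decodes an existing entry back to its username and password. The sample pull-secret embedded below is constructed for the example; a real pull-secret from console.redhat.com contains many more entries. Function names are the author's own, not part of any IBM or Red Hat tool.

```python
from __future__ import annotations

import base64
import binascii
import json


def encode_auth(username: str, password: str) -> str:
    """Return the base64 value of 'username:password' that the auth field expects."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_auth(auth: str) -> tuple[str, str]:
    """Reverse of encode_auth: decode and split on the first ':' only,
    so a password that itself contains ':' is preserved intact."""
    try:
        raw = base64.b64decode(auth, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("auth is not valid base64 text") from exc
    if ":" not in raw:
        raise ValueError("decoded auth is not in username:password form")
    username, password = raw.split(":", 1)
    return username, password


def add_registry_auth(pull_secret_json: str, registry: str,
                      username: str, password: str, email: str) -> str:
    """Add (or replace) the auths entry for registry in a pull-secret document.

    The page requires the registry key to carry an explicit port
    (for example registryhost.com:443), so a key without one is rejected."""
    if ":" not in registry.split("/", 1)[0]:
        raise ValueError("registry must include the port, for example registryhost.com:443")
    doc = json.loads(pull_secret_json)
    auths = doc.setdefault("auths", {})
    auths[registry] = {"auth": encode_auth(username, password), "email": email}
    return json.dumps(doc, indent=2)


def registry_credentials(pull_secret_json: str, registry: str) -> tuple[str, str]:
    """Look up a registry entry (for example 'quay.io') and return (username, password)."""
    doc = json.loads(pull_secret_json)
    try:
        auth = doc["auths"][registry]["auth"]
    except KeyError:
        raise KeyError(f"no auths entry for {registry}") from None
    return decode_auth(auth)


# Constructed sample pull-secret (not a real downloaded file).
SAMPLE_PULL_SECRET = json.dumps({
    "auths": {
        "quay.io": {"auth": encode_auth("quay_user", "quay_pass"),
                    "email": "user@example.com"},
    }
})


if __name__ == "__main__":
    updated = add_registry_auth(SAMPLE_PULL_SECRET, "registryhost.com:443",
                                "user_name", "password", "user_name@ibm.com")
    print(updated)
    print(registry_credentials(updated, "registryhost.com:443"))
```

Because the auth field is only base64, not encryption, treat the edited pull-secret as a credential file: keep it readable by root only on the mirroring host and do not commit it to source control.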

About this task

Points to note about this task:
  • Repository and target path must be the same for IBM Storage Fusion and IBM Storage Scale images.
  • Run all commands as root user.
  • In the commands, replace <your enterprise registry> with your enterprise registry and use its corresponding pull-secret.
  • Provide the port number as follows:
    For installation
    If you want to use the default port (443), make sure that you still provide the port number. If you want to use a custom port, provide the custom port details.
    For example, <Your enterprise registry>:9443. To verify, you can also try to log in to your registry:port by using docker or podman. Use the following podman command:
    podman login registryhost:registryport
  • You can mirror the images into a Single repository or Multiple repositories.
    1. If you want to use a single repository, mirror all the images to the IBM Storage Fusion images repository, so your $LOCAL_OCP_REGISTRY should be the same as $LOCAL_ISF_REGISTRY.
    2. If you want to use multiple repositories, mirror the OpenShift images to the OpenShift images repository ($LOCAL_OCP_REGISTRY) and all other images to the IBM Storage Fusion images repository ($LOCAL_ISF_REGISTRY).
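The registry reference rules scattered through this page (an explicit port with no default, at least one root directory path, and the single-versus-multiple repository choice above) are easy to get wrong in a long mirroring session. The following Python checker is an added example, not part of the IBM documentation or any IBM tool: it parses a reference such as registryhost.com:9443/isf, rejects references that miss the port or the root path, and derives the $LOCAL_OCP_REGISTRY and $LOCAL_ISF_REGISTRY values for either repository layout. The function names and the sample references are the author's own assumptions.

```python
from __future__ import annotations

from urllib.parse import urlsplit


def parse_enterprise_registry(ref: str) -> dict:
    """Split '<host>:<port>/<root path>' (an https:// prefix is optional) into parts,
    enforcing the rules from the page: explicit port, at least one path component."""
    url = ref if "://" in ref else "https://" + ref
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"only https registries are handled here, got scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("registry host is missing")
    if parts.port is None:  # urlsplit raises ValueError itself on a non-numeric port
        raise ValueError("port is required; there is no default, use 443 for a secured registry")
    root_path = parts.path.strip("/")
    if not root_path:
        raise ValueError("registry must have at least one directory path, for example /isf")
    return {
        "host": parts.hostname,
        "port": parts.port,
        "root_path": root_path,
        # Value to pass to 'podman login <host>:<port>' before mirroring.
        "login_target": f"{parts.hostname}:{parts.port}",
    }


def repository_targets(isf_registry: str, ocp_registry: str | None = None) -> dict:
    """Return the two environment variable values the mirroring commands use.

    Single repository: all images go to the IBM Storage Fusion repository, so both
    variables are equal. Multiple repositories: OpenShift images go to ocp_registry."""
    isf = parse_enterprise_registry(isf_registry)
    ocp = parse_enterprise_registry(ocp_registry) if ocp_registry else isf
    def fmt(r: dict) -> str:
        return f"{r['host']}:{r['port']}/{r['root_path']}"
    return {
        "LOCAL_ISF_REGISTRY": fmt(isf),
        "LOCAL_OCP_REGISTRY": fmt(ocp),
        "single_repository": ocp == isf,
    }


if __name__ == "__main__":
    # Constructed sample references.
    print(repository_targets("registryhost.com:443/isf"))
    print(repository_targets("registryhost.com:443/isf", "registryhost.com:443/ocp"))
```

Run the checker on the references before exporting the variables; a rejected reference usually means a missing port or a registry URL with no root path, both of which the page warns will break the mirroring or installation.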

Procedure

  1. Mirror Red Hat OpenShift Container Platform release images.
  2. Mirror images for Red Hat operators.
  3. Run the following steps to mirror IBM Storage Fusion HCI System images.
    For the actual procedure, see Mirroring IBM Storage Fusion HCI images.
  4. Mirror IBM Storage Scale images.
    For the actual procedure, see Mirroring IBM Storage Scale images.
  5. Mirror Backup & Restore images.
    For the actual procedure, see Mirroring Backup & Restore images.
  6. Mirror IBM® Spectrum Discover images.
    For the actual procedure, see Mirroring Data Cataloging images.