Before you install a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. Installations on a restricted network are supported only on infrastructure that you provision, not on infrastructure that the installer provisions. You can also use this procedure in unrestricted networks to ensure that your clusters use only container images that have satisfied your organizational controls on external content.
You must have access to the internet to obtain the necessary container images. In this procedure, you place the mirror registry on a mirror host that has access to both your network and the internet. If you do not have access to a mirror host, use the disconnected procedure to copy images to a device that you can move across network boundaries.
You can mirror the images that are required for OpenShift Container Platform installation and subsequent product updates to a mirror registry. These actions use the same process. The release image, which contains the description of the content, and the images it references are all mirrored. In addition, the Operator catalog source image and the images that it references must be mirrored for each Operator that you use. After you mirror the content, you configure each cluster to retrieve this content from your mirror registry.
The mirror registry can be any container registry that supports the most recent container image manifest API, which is referred to as schema2. All major cloud provider registries, as well as Red Hat Quay, Artifactory, and the open source Docker distribution registry, have the necessary support. Because schema2 manifests are addressed by content digest, using one of these registries ensures that OpenShift Container Platform can verify the integrity of each image in disconnected environments.
The mirror registry must be reachable by every machine in the clusters that you provision. If the registry is unreachable, installation, updating, or normal operations such as workload relocation might fail. For that reason, you must run mirror registries in a highly available way, and the mirror registries must at least match the production availability of your OpenShift Container Platform clusters.
When you populate a mirror registry with OpenShift Container Platform images, you can follow two scenarios. If you have a host that can access both the internet and your mirror registry, but not your cluster nodes, you can directly mirror the content from that machine. This process is referred to as connected mirroring. If you have no such host, you must mirror the images to a file system and then bring that host or removable media into your restricted environment. This process is referred to as disconnected mirroring.
Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to the remote location.
You can install the OpenShift CLI (oc) in order to interact with OpenShift Container Platform from a command-line interface. You can install oc on Linux, Windows, or macOS.
If you installed an earlier version of
You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.
Navigate to the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site.
Select your infrastructure provider, and, if applicable, your installation type.
In the Command-line interface section, select Linux from the drop-down menu and click Download command-line tools.
Unpack the archive:
$ tar xvzf <file>
Place the oc binary in a directory that is on your PATH.
To check your PATH, execute the following command:
$ echo $PATH
After you install the CLI, it is available using the oc command:
$ oc <command>
You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.
Navigate to the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site.
Select your infrastructure provider, and, if applicable, your installation type.
In the Command-line interface section, select Windows from the drop-down menu and click Download command-line tools.
Unzip the archive with a ZIP program.
Move the oc binary to a directory that is on your PATH.
To check your PATH, open the command prompt and execute the following command:
C:\> path
After you install the CLI, it is available using the oc command:
C:\> oc <command>
You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.
Navigate to the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site.
Select your infrastructure provider, and, if applicable, your installation type.
In the Command-line interface section, select MacOS from the drop-down menu and click Download command-line tools.
Unpack and unzip the archive.
Move the oc binary to a directory on your PATH.
To check your PATH, open a terminal and execute the following command:
$ echo $PATH
After you install the CLI, it is available using the oc command:
$ oc <command>
Create a container image registry credentials file that allows mirroring images from Red Hat to your mirror.
This process requires that you have write access to a container image registry on the mirror registry and adds the credentials to a registry pull secret.
Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install a cluster, all of the machines in the cluster will have write access to your mirror registry.
You configured a mirror registry to use in your restricted network.
You identified an image repository location on your mirror registry to mirror images into.
You provisioned a mirror registry account that allows images to be uploaded to that image repository.
Complete the following steps on the installation host:
Download your registry.redhat.io pull secret from the Pull Secret page on the Red Hat OpenShift Cluster Manager site and save it to a .json file.
Generate the base64-encoded user name and password or token for your mirror registry:
$ echo -n '<user_name>:<password>' | base64 -w0 (1)
BGVtbYk3ZHAtqXs=
(1) For <user_name> and <password>, specify the user name and password that you configured for your registry. The -n flag is required: without it, echo appends a newline to the value before it is encoded, and the registry rejects the resulting credential. Be aware that a password typed on the command line is recorded in your shell history.
Make a copy of your pull secret in JSON format:
$ cat ./pull-secret.text | jq . > <path>/<pull-secret-file> (1)
(1) Specify the path to the folder to store the pull secret in and a name for the JSON file that you create.
The contents of the file resemble the following example:
{
"auths": {
"cloud.openshift.com": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"quay.io": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"registry.connect.redhat.com": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
},
"registry.redhat.io": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
}
}
}
Edit the new file and add a section that describes your registry to it:
"auths": {
"<mirror_registry>": { (1)
"auth": "<credentials>", (2)
"email": "you@example.com"
},
(1) For <mirror_registry>, specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example, registry.example.com or registry.example.com:5000.
(2) For <credentials>, specify the base64-encoded user name and password for the mirror registry.
The file resembles the following example:
{
"auths": {
"<mirror_registry>": {
"auth": "<credentials>",
"email": "you@example.com"
},
"cloud.openshift.com": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"quay.io": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"registry.connect.redhat.com": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
},
"registry.redhat.io": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
}
}
}
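The pull-secret steps above, as an added example in Python rather than the page's jq and base64 commands (this helper is not part of the original page or of OpenShift): it builds the base64 credential, merges an entry for the mirror registry into a copy of the downloaded pull secret, writes the result with owner-only permissions, and checks every auths entry for the mistakes that break mirroring, such as a newline left over from echo without -n or a key written as a URL instead of host[:port]. The registry name, user name, password and the stand-in downloaded secret are placeholders.

```python
import base64
import json
import os
import tempfile


def mirror_auth(user_name, password):
    """Base64 of 'user:password', the value the pull secret's "auth" field
    expects (equivalent to: echo -n 'user:password' | base64 -w0)."""
    return base64.b64encode(f"{user_name}:{password}".encode()).decode()


def add_mirror_registry(pull_secret, mirror_registry, user_name, password,
                        email="you@example.com"):
    """Return a copy of the pull-secret dict with an entry for the mirror
    registry added under "auths". The original dict is left untouched."""
    merged = json.loads(json.dumps(pull_secret))  # deep copy via JSON round trip
    merged.setdefault("auths", {})[mirror_registry] = {
        "auth": mirror_auth(user_name, password),
        "email": email,
    }
    return merged


def check_pull_secret(pull_secret):
    """Return a list of problems (empty when the file looks usable).

    Each "auth" value must be base64 of 'user:password'. A trailing newline
    in the decoded value means the credential was produced with plain echo
    instead of echo -n. Registry keys must be host[:port] without a scheme
    or path, because the key is matched against the image's registry."""
    problems = []
    auths = pull_secret.get("auths")
    if not isinstance(auths, dict) or not auths:
        return ['missing or empty "auths" object']
    for registry, entry in auths.items():
        if "://" in registry or "/" in registry:
            problems.append(f"{registry}: key must be host[:port], not a URL")
        try:
            decoded = base64.b64decode(entry["auth"], validate=True).decode()
        except (KeyError, TypeError, ValueError, UnicodeDecodeError):
            problems.append(f"{registry}: auth is not valid base64")
            continue
        if decoded != decoded.rstrip("\r\n"):
            problems.append(f"{registry}: decoded auth ends with a newline "
                            "(use echo -n when encoding)")
        elif ":" not in decoded:
            problems.append(f"{registry}: decoded auth is not user:password")
    return problems


def write_pull_secret(pull_secret, path):
    """Write the JSON with 0600 permissions from the first byte, so the
    credentials are never readable by other users, even briefly.
    Returns the resulting permission bits for confirmation."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(pull_secret, f, indent=2)
        f.write("\n")
    return oct(os.stat(path).st_mode & 0o777)


# Constructed stand-in for the downloaded pull secret; the auth values are dummies.
DOWNLOADED_PULL_SECRET = {
    "auths": {
        "quay.io": {"auth": mirror_auth("dummy", "dummy"), "email": "you@example.com"},
        "registry.redhat.io": {"auth": mirror_auth("dummy", "dummy"), "email": "you@example.com"},
    }
}

if __name__ == "__main__":
    merged = add_mirror_registry(DOWNLOADED_PULL_SECRET,
                                 "registry.example.com:5000", "mirror-user", "s3cret")
    path = os.path.join(tempfile.mkdtemp(), "pull-secret.json")
    print("mode:", write_pull_secret(merged, path), "problems:", check_pull_secret(merged))
```

Run check_pull_secret against the file before every mirror run; the newline check in particular catches the most common cause of an unexplained 401 from the mirror registry.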
Mirror the OpenShift Container Platform image repository to your registry to use during cluster installation or upgrade.
Your mirror host has access to the internet.
You configured a mirror registry to use in your restricted network and can access the certificate and credentials that you configured.
You downloaded the pull secret from the Pull Secret page on the Red Hat OpenShift Cluster Manager site and modified it to include authentication to your mirror repository.
Complete the following steps on the mirror host:
Review the OpenShift Container Platform downloads page to determine the version of OpenShift Container Platform that you want to install and determine the corresponding tag on the Repository Tags page.
Set the required environment variables:
$ export OCP_RELEASE=<release_version> (1)
$ export LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>' (2)
$ export LOCAL_REPOSITORY='<local_repository_name>' (3)
$ export PRODUCT_REPO='openshift-release-dev' (4)
$ export LOCAL_SECRET_JSON='<path_to_pull_secret>' (5)
$ export RELEASE_NAME="ocp-release" (6)
$ export ARCHITECTURE=<server_architecture> (7)
$ REMOVABLE_MEDIA_PATH=<path> (8)
(1) For <release_version>, specify the tag that corresponds to the version of OpenShift Container Platform to install for your architecture, such as 4.3.0.
(2) For <local_registry_host_name>, specify the registry domain name for your mirror repository, and for <local_registry_host_port>, specify the port that it serves content on.
(3) For <local_repository_name>, specify the name of the repository to create in your registry, such as ocp4/openshift4.
(4) The repository to mirror. For a production release, you must specify openshift-release-dev.
(5) For <path_to_pull_secret>, specify the absolute path to and file name of the pull secret for your mirror registry that you created.
(6) The release mirror. For a production release, you must specify ocp-release.
(7) For <server_architecture>, specify the architecture of the server, such as x86_64.
(8) For <path>, specify the path to the directory to host the mirrored images.
Mirror the version images to the internal container registry:
If your mirror host does not have internet access, take the following actions:
Connect the removable media to a system that is connected to the internet.
Review the images and configuration manifests to mirror:
$ oc adm -a ${LOCAL_SECRET_JSON} release mirror --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run
Record the entire imageContentSources section from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add the imageContentSources section to the install-config.yaml file during installation.
Mirror the images to a directory on the removable media:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}
Take the media to the restricted network environment and upload the images to the local container registry.
$ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}
If the local container registry is connected to the mirror host, take the following actions:
Directly push the release images to the local registry by using following command:
$ oc adm -a ${LOCAL_SECRET_JSON} release mirror \
  --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
  --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
  --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}
This command pulls the release information as a digest, and its output includes the imageContentSources data that you require when you install your cluster.
Record the entire imageContentSources section from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add the imageContentSources section to the install-config.yaml file during installation.
The image name gets patched to Quay.io during the mirroring process, and the podman images will show Quay.io in the registry on the bootstrap virtual machine.
To create the installation program that is based on the content that you mirrored, extract it and pin it to the release:
$ oc adm -a ${LOCAL_SECRET_JSON} release extract --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}"
To ensure that you use the correct images for the version of OpenShift Container Platform that you selected, you must extract the installation program from the mirrored content. You must perform this step on a machine with an active internet connection.
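To make the "record the imageContentSources section" step concrete, here is an added example (not code or output from the page) of pulling that block out of the saved output of oc adm release mirror and checking it before it is pasted into install-config.yaml. The sample output is constructed to resemble what the command prints for the placeholder values registry.example.com:5000 and ocp4/openshift4; the check assumes the two source repositories a 4.x release mirror maps, openshift-release-dev/ocp-release (the release image) and openshift-release-dev/ocp-v4.0-art-dev (the component images it references), and that both point at the same local repository.

```python
# Constructed sample of the tail of "oc adm release mirror" output, with
# placeholder mirror values; real output carries your own registry and repository.
SAMPLE_OUTPUT = """\
(constructed preamble standing in for the rest of the command output)

imageContentSources:
- mirrors:
  - registry.example.com:5000/ocp4/openshift4
  source: quay.io/openshift-release-dev/ocp-release
- mirrors:
  - registry.example.com:5000/ocp4/openshift4
  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
"""

# The two upstream repositories a release mirror must map (assumption stated above).
REQUIRED_SOURCES = {
    "quay.io/openshift-release-dev/ocp-release",       # the release image itself
    "quay.io/openshift-release-dev/ocp-v4.0-art-dev",  # component images it references
}


def extract_image_content_sources(text):
    """Return the imageContentSources block as a list of
    {"source": str, "mirrors": [str, ...]} entries. The block is regular
    enough that a few line rules cover it; no YAML library is needed."""
    entries = []
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "imageContentSources:":
            in_block = True
            continue
        if not in_block:
            continue
        if not stripped:
            break                                   # blank line ends the block
        if stripped == "- mirrors:":                # must be tested before "- "
            entries.append({"source": None, "mirrors": []})
        elif stripped.startswith("- "):
            entries[-1]["mirrors"].append(stripped[2:].strip())
        elif stripped.startswith("source:"):
            entries[-1]["source"] = stripped[len("source:"):].strip()
        else:
            break                                   # anything else is not part of the block
    return entries


def check_image_content_sources(entries, local_registry, local_repository):
    """Return problems found (empty when the block matches the mirror you
    populated): every required source must be present, and every mirror
    must be LOCAL_REGISTRY/LOCAL_REPOSITORY, nothing else."""
    expected_mirror = f"{local_registry}/{local_repository}"
    problems = []
    seen = {e["source"] for e in entries}
    for src in sorted(REQUIRED_SOURCES - seen):
        problems.append(f"no mirror entry for {src}")
    for e in entries:
        if not e["mirrors"]:
            problems.append(f"{e['source']}: no mirrors listed")
        for m in e["mirrors"]:
            if m != expected_mirror:
                problems.append(f"{e['source']}: mirror {m} is not {expected_mirror}")
    return problems


def render_install_config_fragment(entries):
    """Re-emit the entries as the YAML fragment to paste into install-config.yaml."""
    lines = ["imageContentSources:"]
    for e in entries:
        lines.append("- mirrors:")
        lines.extend(f"  - {m}" for m in e["mirrors"])
        lines.append(f"  source: {e['source']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = extract_image_content_sources(SAMPLE_OUTPUT)
    print(check_image_content_sources(found, "registry.example.com:5000", "ocp4/openshift4"))
    print(render_install_config_fragment(found), end="")
```

Feed it the output you saved from the mirror command (tee the command into a file) with the same LOCAL_REGISTRY and LOCAL_REPOSITORY values you exported; a non-empty problem list means the block was taken from a different mirror run than the one you are installing from.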
Clusters using a restricted network must import the default must-gather image in order to gather debugging data for Red Hat support. The must-gather image is not imported by default, and clusters on a restricted network do not have access to the internet to pull the latest image from a remote repository.
Import the default must-gather image from your installation payload:
$ oc import-image is/must-gather -n openshift
Most imagestreams in the OpenShift namespace managed by the Samples Operator point to images located in the Red Hat registry at registry.redhat.io. Mirroring will not apply to these imagestreams.
The Samples Operator prevents the use of the following registries for the Jenkins imagestreams:
Access to the cluster as a user with the cluster-admin role.
Create a pull secret for your mirror registry.
Access the images of a specific imagestream to mirror, for example:
$ oc get is <imagestream> -n openshift -o json | jq .spec.tags[].from.name | grep registry.redhat.io
Mirror images from registry.redhat.io associated with any imagestreams you need in the restricted network environment into one of the defined mirrors, for example:
$ oc image mirror registry.redhat.io/rhscl/ruby-25-rhel7:latest ${MIRROR_ADDR}/rhscl/ruby-25-rhel7:latest
Add the required trusted CAs for the mirror in the cluster's image configuration object. The ConfigMap key identifies the registry as <hostname>..<port>, with two dots in place of the colon, because a colon is not permitted in a ConfigMap key:
$ oc create configmap registry-config --from-file=${MIRROR_ADDR_HOSTNAME}..5000=$path/ca.crt -n openshift-config
$ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge
Update the samplesRegistry field in the Samples Operator configuration object to contain the hostname portion of the mirror location defined in the mirror configuration:
$ oc edit configs.samples.operator.openshift.io -n openshift-cluster-samples-operator
This is required because the imagestream import process does not use the mirror or search mechanism at this time.
Add any imagestreams that are not mirrored into the skippedImagestreams field of the Samples Operator configuration object. Or, if you do not want to support any of the sample imagestreams, set the Samples Operator to Removed in the Samples Operator configuration object.
Any unmirrored imagestreams that are not skipped, or if the Samples Operator is not changed to Removed,
Many of the templates in the OpenShift namespace reference the imagestreams. So using Removed to purge both the imagestreams and templates will eliminate the possibility of attempts to use them if they are not functional because of any missing imagestreams.
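The imagestream steps above (listing the registry.redhat.io references of an imagestream, mirroring each one, and naming the CA ConfigMap key) as one added example in Python; this is not code from the page or from OpenShift. The imagestream document is a constructed, trimmed stand-in for what oc get is ruby -n openshift -o json returns, and registry.example.com:5000 is a placeholder mirror address.

```python
import json

# Constructed stand-in for `oc get is ruby -n openshift -o json`, trimmed to the
# fields this example reads. The image paths follow the registry.redhat.io/rhscl
# layout used by the page's example command.
SAMPLE_IMAGESTREAM = json.loads("""
{
  "apiVersion": "image.openshift.io/v1",
  "kind": "ImageStream",
  "metadata": {"name": "ruby", "namespace": "openshift"},
  "spec": {
    "tags": [
      {"name": "2.5", "from": {"kind": "DockerImage", "name": "registry.redhat.io/rhscl/ruby-25-rhel7:latest"}},
      {"name": "2.6", "from": {"kind": "DockerImage", "name": "registry.redhat.io/rhscl/ruby-26-rhel7:latest"}},
      {"name": "latest", "from": {"kind": "ImageStreamTag", "name": "2.6"}}
    ]
  }
}
""")


def mirror_plan(imagestream, mirror_addr, source_registry="registry.redhat.io"):
    """Return (source, destination) pairs for every tag that pulls directly
    from source_registry, keeping the repository path and tag unchanged.
    Tags that point at another tag of the same imagestream (kind
    ImageStreamTag) need no mirroring, and tags that already point at the
    mirror are skipped, so the plan is safe to regenerate after a first run."""
    plan = []
    for tag in imagestream["spec"].get("tags", []):
        ref = tag.get("from") or {}
        if ref.get("kind") != "DockerImage":
            continue
        name = ref["name"]
        registry, _, path = name.partition("/")   # "registry.redhat.io", "rhscl/ruby-25-rhel7:latest"
        if registry != source_registry:
            continue
        plan.append((name, f"{mirror_addr}/{path}"))
    return plan


def mirror_commands(plan, pull_secret=None):
    """The oc image mirror invocation for each image in the plan; pass the
    path of the pull secret that holds both the Red Hat and mirror credentials."""
    auth = f"-a {pull_secret} " if pull_secret else ""
    return [f"oc image mirror {auth}{src} {dst}" for src, dst in plan]


def trusted_ca_configmap_key(mirror_addr):
    """ConfigMap keys cannot contain ':', so additionalTrustedCA identifies a
    registry as hostname..port (the page's ${MIRROR_ADDR_HOSTNAME}..5000)."""
    host, _, port = mirror_addr.partition(":")
    return f"{host}..{port}" if port else host


if __name__ == "__main__":
    mirror = "registry.example.com:5000"
    for cmd in mirror_commands(mirror_plan(SAMPLE_IMAGESTREAM, mirror), "pull-secret.json"):
        print(cmd)
    print("CA ConfigMap key:", trusted_ca_configmap_key(mirror))
```

In practice, loop over every imagestream you intend to keep (oc get is -n openshift -o json) and merge the plans; anything that produces an empty plan and still references registry.redhat.io through an ImageStreamTag chain resolves to a tag you have already mirrored.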
Install a cluster on infrastructure that you provision in your restricted network, such as on VMware vSphere, bare metal, or Amazon Web Services.