$ tar xvzf <file>
You can upgrade a restricted network OpenShift Container Platform cluster by using the oc
command-line interface (CLI).
A restricted network environment is the one in which your cluster nodes cannot access the internet. For this reason, you must populate a registry with the installation images. If your registry host cannot access both the internet and the cluster, you can mirror the images to a file system that disconnected from that environment and then bring that host or removable media across that gap. If the local container registry is connected to the mirror registry’s host, you can directly push the release images to the local registry.
If multiple clusters are present within the restricted network, mirror the required release images to a single container image registry and use that registry to update all the clusters.
Have access to the internet to obtain the necessary container images.
Have write access to a container registry in the restricted-network environment to push and pull images. The container registry must be compatible with Docker registry API v2.
You must have the oc
command-line interface (CLI) tool installed.
Have access to the cluster as a user with admin
privileges.
See Using RBAC to define and apply permissions.
Have a recent etcd backup in case your upgrade fails and you must restore your cluster to a previous state.
Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to the remote location.
You can install the OpenShift CLI (oc
) in order to interact with OpenShift Container Platform from a
command-line interface. You can install oc
on Linux, Windows, or macOS.
If you installed an earlier version of |
You can install the OpenShift CLI (oc
) binary on Linux by using the following procedure.
Navigate to the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site.
Select your infrastructure provider, and, if applicable, your installation type.
In the Command-line interface section, select Linux from the drop-down menu and click Download command-line tools.
Unpack the archive:
$ tar xvzf <file>
Place the oc
binary in a directory that is on your PATH
.
To check your PATH
, execute the following command:
$ echo $PATH
After you install the CLI, it is available using the oc
command:
$ oc <command>
You can install the OpenShift CLI (oc
) binary on Windows by using the following procedure.
Navigate to the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site.
Select your infrastructure provider, and, if applicable, your installation type.
In the Command-line interface section, select Windows from the drop-down menu and click Download command-line tools.
Unzip the archive with a ZIP program.
Move the oc
binary to a directory that is on your PATH
.
To check your PATH
, open the command prompt and execute the following command:
C:\> path
After you install the CLI, it is available using the oc
command:
C:\> oc <command>
You can install the OpenShift CLI (oc
) binary on macOS by using the following procedure.
Navigate to the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site.
Select your infrastructure provider, and, if applicable, your installation type.
In the Command-line interface section, select MacOS from the drop-down menu and click Download command-line tools.
Unpack and unzip the archive.
Move the oc
binary to a directory on your PATH.
To check your PATH
, open a terminal and execute the following command:
$ echo $PATH
After you install the CLI, it is available using the oc
command:
$ oc <command>
Create a container image registry credentials file that allows mirroring images from Red Hat to your mirror.
Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry. |
This process requires that you have write access to a container image registry on the mirror registry and adds the credentials to a registry pull secret. |
Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry. |
You configured a mirror registry to use in your restricted network.
You identified an image repository location on your mirror registry to mirror images into.
You provisioned a mirror registry account that allows images to be uploaded to that image repository.
Complete the following steps on the installation host:
Download your registry.redhat.io
pull secret from the
Pull Secret page on the Red Hat OpenShift Cluster Manager site and save it to a .json
file.
Generate the base64-encoded user name and password or token for your mirror registry:
$ echo -n '<user_name>:<password>' | base64 -w0 (1)
BGVtbYk3ZHAtqXs=
1 | For <user_name> and <password> , specify the user name and password that
you configured for your registry. |
Make a copy of your pull secret in JSON format:
$ cat ./pull-secret.text | jq . > <path>/<pull-secret-file>(1)
1 | Specify the path to the folder to store the pull secret in and a name for the JSON file that you create. |
The contents of the file resemble the following example:
{
"auths": {
"cloud.openshift.com": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"quay.io": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"registry.connect.redhat.com": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
},
"registry.redhat.io": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
}
}
}
Edit the new file and add a section that describes your registry to it:
"auths": {
"<mirror_registry>": { (1)
"auth": "<credentials>", (2)
"email": "you@example.com"
},
1 | For <mirror_registry> , specify the registry domain name, and optionally the
port, that your mirror registry uses to serve content. For example,
registry.example.com or registry.example.com:5000 |
2 | For <credentials> , specify the base64-encoded user name and password for
the mirror registry. |
The file resembles the following example:
{
"auths": {
"<mirror_registry>": {
"auth": "<credentials>",
"email": "you@example.com"
},
"cloud.openshift.com": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"quay.io": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"registry.connect.redhat.com": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
},
"registry.redhat.io": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
}
}
}
Edit the new file and add a section that describes your registry to it:
"auths": { ... "<mirror_registry>": { (1) "auth": "<credentials>", (2) "email": "you@example.com" }, ...
1 | For <mirror_registry> , specify the registry domain name, and optionally the
port, that your mirror registry uses to serve content. For example,
registry.example.com or registry.example.com:5000 |
2 | For <credentials> , specify the base64-encoded user name and password for
the mirror registry. |
The file resembles the following example:
{ "auths": { "cloud.openshift.com": { "auth": "b3BlbnNo...", "email": "you@example.com" }, "quay.io": { "auth": "b3BlbnNo...", "email": "you@example.com" }, "registry.connect.redhat.com": { "auth": "NTE3Njg5Nj...", "email": "you@example.com" }, "<mirror_registry>": { "auth": "<credentials>", "email": "you@example.com" }, "registry.redhat.io": { "auth": "NTE3Njg5Nj...", "email": "you@example.com" } } }
Before you upgrade a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. You can also use this procedure in unrestricted networks to ensure your clusters only use container images that have satisfied your organizational controls on external content.
Review the OpenShift Container Platform upgrade paths to confirm that there is an upgrade path between your current and intended cluster versions.
Set the required environment variables:
$ OCP_RELEASE=<release_version> (1) $ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>' (2) $ LOCAL_REPOSITORY='<repository_name>' (3) $ PRODUCT_REPO='openshift-release-dev' (4) $ LOCAL_SECRET_JSON='<path_to_pull_secret>' (5) $ RELEASE_NAME='ocp-release' (6) $ ARCHITECTURE=<server_architecture> (7) $ REMOVABLE_MEDIA_PATH=<path> (8)
1 | For <release_version> , specify the tag that corresponds to the version of OpenShift Container Platform to which you want to upgrade, such as 4.5.0 . |
2 | For <local_registry_host_name> , specify the registry domain name for your mirror
repository, and for <local_registry_host_port> , specify the port that it
serves content on. |
3 | For <repository_name> , specify the name of the repository to create in your
registry, such as ocp4/openshift4 . |
4 | The repository to mirror. For a production release, you must specify
openshift-release-dev . |
5 | For <path_to_pull_secret> , specify the absolute path to and file name of
the pull secret for your mirror registry that you created. |
6 | For a production release, you must specify
ocp-release . |
7 | For <server_architecture> , specify the architecture of the server, such as x86_64 . |
8 | For <path> , specify the path to the directory to host the mirrored images. |
Review the images and configuration manifests to mirror:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run
Mirror the version images to the internal container registry.
If your mirror host does not have internet access, take the following actions:
Connect the removable media to a system that is connected to the internet.
Mirror the images and configuration manifests to a directory on the removable media:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}
Take the media to the restricted network environment and upload the images to the local container registry.
$ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror 'file://openshift/release:${OCP_RELEASE}*' ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}
If the local container registry is connected to the mirror host, directly push the release images to the local registry:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \ --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}
Before you update your cluster, you must manually create a configmap that contains the signatures of the release images that you use. This signature allows the Cluster Version Operator (CVO) to verify that the release images have not been modified by comparing the expected and actual image signatures.
oc
CLIBefore you update your cluster, you must manually create a configmap that contains the signatures of the release images that you use. This signature allows the Cluster Version Operator (CVO) to verify that the release images have not been modified by comparing the expected and actual image signatures.
If you are upgrading from a release prior to version 4.4.8, you must use the manual method for creating the configmap instead of this procedure. The commands that this procedure uses are not in earlier versions of the |
Install the OpenShift Command-line Interface (CLI), commonly known as oc
, version 4.4.8 or later.
Obtain the image signature for the version that you are upgrading to from either mirror.openshift.com or Google Cloud Storage (GCS).
Use oc
command-line interface (CLI) to log into the cluster that you are upgrading.
Apply the mirrored release image signature configmap to the connected cluster:
$ oc apply -f <image_signature_file> (1)
1 | For <image_signature_file> , specify the path and name of the file, for example, mirror/config/signature-sha256-81154f5c03294534.yaml . |
Create and apply the image signature configmap to the cluster that you want to update.
You must perform following steps each time that you update a cluster. |
Review the OpenShift Container Platform upgrade paths knowledge base article to determine a valid upgrade path for your cluster.
Add the version to the OCP_RELEASE_NUMBER
environment variable:
$ OCP_RELEASE_NUMBER=<release_version> (1)
1 | For <release_version> , specify the tag that corresponds to the version of OpenShift Container Platform you want
to update the cluster, such as 4.4.0 . |
Add the system architecture for your cluster to ARCHITECTURE
environment variable:
$ ARCHITECTURE=<server_architecture> (11)
1 | For server_architecture , specify the architecture of the server, such as x86_64 . |
Get the release image digest from Quay:
$ DIGEST="$(oc adm release info quay.io/openshift-release-dev/ocp-release:${OCP_RELEASE_NUMBER}-${ARCHITECTURE} | sed -n 's/Pull From: .*@//p')"
Set the digest algorithm:
$ DIGEST_ALGO="${DIGEST%%:*}"
Set the digest signature:
$ DIGEST_ENCODED="${DIGEST#*:}"
Get the image signature from mirror.openshift.com website.
$ SIGNATURE_BASE64=$(curl -s "https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release/${DIGEST_ALGO}=${DIGEST_ENCODED}/signature-1" | base64 -w0 && echo)
Create the configmap:
$ cat >checksum-${OCP_RELEASE_NUMBER}.yaml <<EOF apiVersion: v1 kind: configmap metadata: name: release-image-${OCP_RELEASE_NUMBER} namespace: openshift-config-managed labels: release.openshift.io/verification-signatures: "" binaryData: ${DIGEST_ALGO}-${DIGEST_ENCODED}: ${SIGNATURE_BASE64} EOF
Apply the configmap to the cluster to update:
$ oc apply -f checksum-${OCP_RELEASE_NUMBER}.yaml
Update the restricted network cluster to the OpenShift Container Platform version that you downloaded the release images for.
You mirrored the images for the new release to your registry.
You applied the release image signature configmap for the new release to your cluster.
You obtained the sha256 sum value for the release from the image signature configmap.
Install the OpenShift Command-line Interface (CLI), commonly known as oc
, version 4.4.8 or later.
Update the cluster:
$ oc adm upgrade --allow-explicit-upgrade --to-image ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}<sha256_sum_value> (1)
1 | The <sha256_sum_value> value is the sha256 sum value for the release from the image signature configmap, for example, @sha256:81154f5c03294534e1eaf0319bef7a601134f891689ccede5d705ef659aa8c92 |
If you use an ImageContentSourcePolicy
for the mirror registry, you can use the canonical registry name instead of LOCAL_REGISTRY
.
Setting up container registry repository mirroring lets you:
Configure your OpenShift Container Platform cluster to redirect requests to pull images from a repository on a source image registry and have it resolved by a repository on a mirrored image registry.
Identify multiple mirrored repositories for each target repository, to make sure that if one mirror is down, another can be used.
Here are some of the attributes of repository mirroring in OpenShift Container Platform:
Image pulls are resilient to registry downtimes
Clusters in restricted networks can request to pull images from critical locations (such as quay.io) and have registries behind a company firewall provide the requested images.
A particular order of registries is tried when an image pull request is made, with the permanent registry typically being the last one tried.
The mirror information you enter is added to the /etc/containers/registries.conf
file on every node in the OpenShift Container Platform cluster.
When a node makes a request for an image from the source repository, it tries each mirrored repository in turn until it finds the requested content. If all mirrors fail, the cluster tries the source repository. Upon success, the image is pulled to the node.
Setting up repository mirroring can be done in the following ways:
At OpenShift Container Platform installation time: By pulling container images needed by OpenShift Container Platform and then bringing those images behind your company’s firewall, you can install OpenShift Container Platform into a datacenter that is in a restricted network. See Mirroring the OpenShift Container Platform image repository for details.
After OpenShift Container Platform installation time: Even if you don’t configure mirroring during OpenShift Container Platform
installation, you can do so later using the ImageContentSourcePolicy
object.
The following procedure provides a post-installation mirror configuration, where you create an ImageContentSourcePolicy
object that identifies:
The source of the container image repository you want to mirror
A separate entry for each mirror repository you want to offer the content requested from the source repository.
Access to the cluster as a user with the cluster-admin
role.
Configure mirrored repositories. To do that, you can either:
Set up a mirrored repository with Red Hat Quay, as described in Red Hat Quay Repository Mirroring. Using Red Hat Quay allows you to copy images from one repository to another and also automatically sync those repositories repeatedly over time.
Use a tool such as skopeo
to copy images manually
from the source directory to the mirrored repository.
For example, after installing the skopeo RPM package
on a Red Hat Enterprise Linux
(RHEL 7 or RHEL 8) system, use the skopeo
command as shown in this example:
$ skopeo copy \
docker://registry.access.redhat.com/ubi8/ubi-minimal@sha256:5cfbaf45ca96806917830c183e9f37df2e913b187adb32e89fd83fa455ebaa6 \
docker://example.io/ubi8/ubi-minimal
In this example, you have a container image registry that is named
example.io
with an image repository named example
to which
you want to copy the ubi8/ubi-minimal
image from
registry.access.redhat.com
.
After you create the registry, you can configure your OpenShift Container Platform
cluster to redirect requests made of the source repository to the
mirrored repository.
Log in to your OpenShift Container Platform cluster.
Create an ImageContentSourcePolicy
file (for example,
registryrepomirror.yaml
), replacing the source and
mirrors with those of your own registry and repository pairs and images:
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
name: ubi8repo
spec:
repositoryDigestMirrors:
- mirrors:
- example.io/example/ubi-minimal(1)
source: registry.access.redhat.com/ubi8/ubi-minimal(2)
- mirrors:
- example.com/example/ubi-minimal
source: registry.access.redhat.com/ubi8/ubi-minimal
1 | Indicates the name of the image registry and repository |
2 | Indicates the registry and repository containing the content that is mirrored |
Create the new ImageContentSourcePolicy
:
$ oc create -f registryrepomirror.yaml
After the ImageContentSourcePolicy
is created,
the new settings are deployed to each node
and shortly start using the mirrored repository
for requests to the source repository.
To check that the mirrored configuration worked, go to one of your nodes. For example:
List your nodes:
$ oc get node
NAME STATUS ROLES AGE VERSION
ip-10-0-137-44.ec2.internal Ready worker 7m v1.16.2
ip-10-0-138-148.ec2.internal Ready master 11m v1.16.2
ip-10-0-139-122.ec2.internal Ready master 11m v1.16.2
ip-10-0-147-35.ec2.internal Ready,SchedulingDisabled worker 7m v1.16.2
ip-10-0-153-12.ec2.internal Ready worker 7m v1.16.2
ip-10-0-154-10.ec2.internal Ready master 11m v1.16.2
You can see that scheduling on each worker node is disabled as the change is being applied.
Start the debugging process:
$ oc debug node/ip-10-0-147-35.ec2.internal
Starting pod/ip-10-0-147-35ec2internal-debug ...
To use host binaries, run `chroot /host`
Access the node’s files:
sh-4.2# chroot /host
Check the /etc/containers/registries.conf
file to make sure
the changes were made:
unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]
[[registry]]
location = "registry.access.redhat.com/ubi8/"
insecure = false
blocked = false
mirror-by-digest-only = true
prefix = ""
[[registry.mirror]]
location = "example.io/example/ubi8-minimal"
insecure = false
[[registry.mirror]]
location = "example.com/example/ubi8-minimal"
insecure = false
Pull an image digest to the node from the source and check if it is actually
resolved by the mirror. The ImageContentSourcePolicy
supports image digests only, not image tags.
sh-4.2# podman pull --log-level=debug registry.access.redhat.com/ubi8/ubi-minimal@sha256:5cfbaf45ca96806917830c183e9f37df2e913b187adb32e89fd83fa455ebaa6
If the repository mirroring procedure does not work as described, use the following information about how repository mirroring works to help troubleshoot the problem.
The first working mirror is used to supply the pulled image.
The main registry will only be used if no other mirror works.
From the system context, the Insecure
flags are used as fallback.
The format of the /etc/containers/registries
file has
changed recently. It is now version 2 and in TOML format.