$ tar xvzf <file>
You can update a restricted network OpenShift Container Platform cluster by using the oc
command-line interface (CLI).
A restricted network environment is the one in which your cluster nodes cannot access the internet. For this reason, you must populate a registry with the installation images. If your registry host cannot access both the internet and the cluster, you can mirror the images to a file system that disconnected from that environment and then bring that host or removable media across that gap. If the local container registry and the cluster are connected to the mirror registry’s host, you can directly push the release images to the local registry.
If multiple clusters are present within the restricted network, mirror the required release images to a single container image registry and use that registry to update all the clusters.
Have access to the internet to obtain the necessary container images.
Have write access to a container registry in the restricted-network environment to push and pull images. The container registry must be compatible with Docker registry API v2.
You must have the oc
command-line interface (CLI) tool installed.
Have access to the cluster as a user with admin
privileges.
See Using RBAC to define and apply permissions.
Have a recent etcd backup in case your update fails and you must restore your cluster to a previous state.
Ensure that all machine config pools (MCPs) are running and not paused. Nodes associated with a paused MCP are skipped during the update process. You can pause the MCPs if you are performing a canary rollout update strategy.
If your cluster uses manually maintained credentials, ensure that the Cloud Credential Operator (CCO) is in an upgradeable state. For more information, see Upgrading clusters with manually maintained credentials for AWS, Azure, or GCP.
If you are running cluster monitoring with an attached PVC for Prometheus, you might experience OOM kills during cluster update. When persistent storage is in use for Prometheus, Prometheus memory usage doubles during cluster update and for several hours after update is complete. To avoid the OOM kill issue, allow worker nodes with double the size of memory that was available prior to the update. For example, if you are running monitoring on the minimum recommended nodes, which is 2 cores with 8 GB of RAM, increase memory to 16 GB. For more information, see BZ#1925061. |
Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to the remote location.
You can install the OpenShift CLI (oc
) to interact with OpenShift Container Platform from a
command-line interface. You can install oc
on Linux, Windows, or macOS.
If you installed an earlier version of |
You can install the OpenShift CLI (oc
) binary on Linux by using the following procedure.
Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
Select the appropriate version in the Version drop-down menu.
Click Download Now next to the OpenShift v4.7 Linux Client entry and save the file.
Unpack the archive:
$ tar xvzf <file>
Place the oc
binary in a directory that is on your PATH
.
To check your PATH
, execute the following command:
$ echo $PATH
After you install the OpenShift CLI, it is available using the oc
command:
$ oc <command>
You can install the OpenShift CLI (oc
) binary on Windows by using the following procedure.
Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
Select the appropriate version in the Version drop-down menu.
Click Download Now next to the OpenShift v4.7 Windows Client entry and save the file.
Unzip the archive with a ZIP program.
Move the oc
binary to a directory that is on your PATH
.
To check your PATH
, open the command prompt and execute the following command:
C:\> path
After you install the OpenShift CLI, it is available using the oc
command:
C:\> oc <command>
You can install the OpenShift CLI (oc
) binary on macOS by using the following procedure.
Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
Select the appropriate version in the Version drop-down menu.
Click Download Now next to the OpenShift v4.7 MacOSX Client entry and save the file.
Unpack and unzip the archive.
Move the oc
binary to a directory on your PATH.
To check your PATH
, open a terminal and execute the following command:
$ echo $PATH
After you install the OpenShift CLI, it is available using the oc
command:
$ oc <command>
Create a container image registry credentials file that allows mirroring images from Red Hat to your mirror.
Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry. |
This process requires that you have write access to a container image registry on the mirror registry and adds the credentials to a registry pull secret. |
You configured a mirror registry to use in your restricted network.
You identified an image repository location on your mirror registry to mirror images into.
You provisioned a mirror registry account that allows images to be uploaded to that image repository.
Complete the following steps on the installation host:
Download your registry.redhat.io
pull secret from the Red Hat OpenShift Cluster Manager and save it to a .json
file.
Generate the base64-encoded user name and password or token for your mirror registry:
$ echo -n '<user_name>:<password>' | base64 -w0 (1)
BGVtbYk3ZHAtqXs=
1 | For <user_name> and <password> , specify the user name and password that
you configured for your registry. |
Make a copy of your pull secret in JSON format:
$ cat ./pull-secret.text | jq . > <path>/<pull_secret_file_in_json>(1)
1 | Specify the path to the folder to store the pull secret in and a name for the JSON file that you create. |
Save the file either as ~/.docker/config.json
or $XDG_RUNTIME_DIR/containers/auth.json
.
The contents of the file resemble the following example:
{
"auths": {
"cloud.openshift.com": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"quay.io": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"registry.connect.redhat.com": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
},
"registry.redhat.io": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
}
}
}
Edit the new file and add a section that describes your registry to it:
"auths": {
"<mirror_registry>": { (1)
"auth": "<credentials>", (2)
"email": "you@example.com"
},
1 | For <mirror_registry> , specify the registry domain name, and optionally the
port, that your mirror registry uses to serve content. For example,
registry.example.com or registry.example.com:8443 |
2 | For <credentials> , specify the base64-encoded user name and password for
the mirror registry. |
The file resembles the following example:
{
"auths": {
"registry.example.com": {
"auth": "BGVtbYk3ZHAtqXs=",
"email": "you@example.com"
},
"cloud.openshift.com": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"quay.io": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"registry.connect.redhat.com": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
},
"registry.redhat.io": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
}
}
}
Before you update a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. You can also use this procedure in unrestricted networks to ensure your clusters only use container images that have satisfied your organizational controls on external content.
Use the Red Hat OpenShift Container Platform Upgrade Graph visualizer and update planner to plan an update from one version to another. The OpenShift Upgrade Graph provides channel graphs and a way to confirm that there is an update path between your current and intended cluster versions.
Set the required environment variables:
Export the release version:
$ export OCP_RELEASE=<release_version>
For <release_version>
, specify the tag that corresponds to the version of OpenShift Container Platform to which you want to update, such as 4.5.4
.
Export the local registry name and host port:
$ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>'
For <local_registry_host_name>
, specify the registry domain name for your mirror
repository, and for <local_registry_host_port>
, specify the port that it
serves content on.
Export the local repository name:
$ LOCAL_REPOSITORY='<local_repository_name>'
For <local_repository_name>
, specify the name of the repository to create in your
registry, such as ocp4/openshift4
.
Export the name of the repository to mirror:
$ PRODUCT_REPO='openshift-release-dev'
For a production release, you must specify openshift-release-dev
.
Export the path to your registry pull secret:
$ LOCAL_secret_JSON='<path_to_pull_secret>'
For <path_to_pull_secret>
, specify the absolute path to and file name of the pull secret for your mirror registry that you created.
If your cluster uses an |
Export the release mirror:
$ RELEASE_NAME="ocp-release"
For a production release, you must specify ocp-release
.
Export the type of architecture for your server, such as x86_64
.:
$ ARCHITECTURE=<server_architecture>
Export the path to the directory to host the mirrored images:
$ REMOVABLE_MEDIA_PATH=<path> (1)
1 | Specify the full path, including the initial forward slash (/) character. |
Review the images and configuration manifests to mirror:
$ oc adm release mirror -a ${LOCAL_secret_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run
Mirror the version images to the mirror registry.
If your mirror host does not have internet access, take the following actions:
Connect the removable media to a system that is connected to the internet.
Mirror the images and configuration manifests to a directory on the removable media:
$ oc adm release mirror -a ${LOCAL_secret_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}
Take the media to the restricted network environment and upload the images to the local container registry.
$ oc image mirror -a ${LOCAL_secret_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} (1)
1 | For REMOVABLE_MEDIA_PATH , you must use the same path that you specified when you mirrored the images. |
Use oc
command-line interface (CLI) to log in to the cluster that you are upgrading.
Apply the mirrored release image signature config map to the connected cluster:
$ oc apply -f ${REMOVABLE_MEDIA_PATH}/mirror/config/<image_signature_file> (1)
1 | For <image_signature_file> , specify the path and name of the file, for example, signature-sha256-81154f5c03294534.yaml . |
If the local container registry and the cluster are connected to the mirror host, directly push the release images to the local registry and apply the config map to the cluster by using following command:
$ oc adm release mirror -a ${LOCAL_secret_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} --apply-release-image-signature
If you include the |
Before you update your cluster, you must manually create a config map that contains the signatures of the release images that you use. This signature allows the Cluster Version Operator (CVO) to verify that the release images have not been modified by comparing the expected and actual image signatures.
If you are upgrading from version 4.4.8 or later, you can use the oc
CLI to create the config map. If you are upgrading from an earlier version, you must use the manual method.
Create and apply the image signature config map to the cluster that you want to update.
You must perform following steps each time that you update a cluster. |
Review the OpenShift Container Platform upgrade paths knowledge base article to determine a valid update path for your cluster.
Add the version to the OCP_RELEASE_NUMBER
environment variable:
$ OCP_RELEASE_NUMBER=<release_version> (1)
1 | For <release_version> , specify the tag that corresponds to the version of OpenShift Container Platform you want
to update the cluster, such as 4.4.0 . |
Add the system architecture for your cluster to ARCHITECTURE
environment variable:
$ ARCHITECTURE=<server_architecture> (1)
1 | For server_architecture , specify the architecture of the server, such as x86_64 . |
Get the release image digest from Quay:
$ DIGEST="$(oc adm release info quay.io/openshift-release-dev/ocp-release:${OCP_RELEASE_NUMBER}-${ARCHITECTURE} | sed -n 's/Pull From: .*@//p')"
Set the digest algorithm:
$ DIGEST_ALGO="${DIGEST%%:*}"
Set the digest signature:
$ DIGEST_ENCODED="${DIGEST#*:}"
Get the image signature from mirror.openshift.com website.
$ SIGNATURE_BASE64=$(curl -s "https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release/${DIGEST_ALGO}=${DIGEST_ENCODED}/signature-1" | base64 -w0 && echo)
Create the config map:
$ cat >checksum-${OCP_RELEASE_NUMBER}.yaml <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
name: release-image-${OCP_RELEASE_NUMBER}
namespace: openshift-config-managed
labels:
release.openshift.io/verification-signatures: ""
binaryData:
${DIGEST_ALGO}-${DIGEST_ENCODED}: ${SIGNATURE_BASE64}
EOF
Apply the config map to the cluster to update:
$ oc apply -f checksum-${OCP_RELEASE_NUMBER}.yaml
Update the restricted network cluster to the OpenShift Container Platform version that you downloaded the release images for.
If you have a local OpenShift Update Service, you can update by using the connected web console or CLI instructions instead of this procedure. |
You mirrored the images for the new release to your registry.
You applied the release image signature ConfigMap for the new release to your cluster.
You obtained the sha256 sum value for the release from the image signature ConfigMap.
Install the OpenShift CLI (oc
), version 4.4.8 or later.
Update the cluster:
$ oc adm upgrade --allow-explicit-upgrade --to-image ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}<sha256_sum_value> (1)
1 | The <sha256_sum_value> value is the sha256 sum value for the release from the image signature ConfigMap, for example, @sha256:81154f5c03294534e1eaf0319bef7a601134f891689ccede5d705ef659aa8c92 |
If you use an ImageContentSourcePolicy
for the mirror registry, you can use the canonical registry name instead of LOCAL_REGISTRY
.
You can only configure global pull secrets for clusters that have an |
Setting up container registry repository mirroring enables you to do the following:
Configure your OpenShift Container Platform cluster to redirect requests to pull images from a repository on a source image registry and have it resolved by a repository on a mirrored image registry.
Identify multiple mirrored repositories for each target repository, to make sure that if one mirror is down, another can be used.
The attributes of repository mirroring in OpenShift Container Platform include:
Image pulls are resilient to registry downtimes.
Clusters in restricted networks can pull images from critical locations, such as quay.io, and have registries behind a company firewall provide the requested images.
A particular order of registries is tried when an image pull request is made, with the permanent registry typically being the last one tried.
The mirror information you enter is added to the /etc/containers/registries.conf
file on every node in the OpenShift Container Platform cluster.
When a node makes a request for an image from the source repository, it tries each mirrored repository in turn until it finds the requested content. If all mirrors fail, the cluster tries the source repository. If successful, the image is pulled to the node.
Setting up repository mirroring can be done in the following ways:
At OpenShift Container Platform installation:
By pulling container images needed by OpenShift Container Platform and then bringing those images behind your company’s firewall, you can install OpenShift Container Platform into a datacenter that is in a restricted network.
After OpenShift Container Platform installation:
Even if you don’t configure mirroring during OpenShift Container Platform installation, you can do so later using the ImageContentSourcePolicy
object.
The following procedure provides a post-installation mirror configuration, where you create an ImageContentSourcePolicy
object that identifies:
The source of the container image repository you want to mirror.
A separate entry for each mirror repository you want to offer the content requested from the source repository.
You can only configure global pull secrets for clusters that have an |
Access to the cluster as a user with the cluster-admin
role.
Configure mirrored repositories, by either:
Setting up a mirrored repository with Red Hat Quay, as described in Red Hat Quay Repository Mirroring. Using Red Hat Quay allows you to copy images from one repository to another and also automatically sync those repositories repeatedly over time.
Using a tool such as skopeo
to copy images manually from the source directory to the mirrored repository.
For example, after installing the skopeo RPM package on a Red Hat Enterprise Linux (RHEL) 7 or RHEL 8 system, use the skopeo
command as shown in this example:
$ skopeo copy \
docker://registry.access.redhat.com/ubi8/ubi-minimal@sha256:5cfbaf45ca96806917830c183e9f37df2e913b187adb32e89fd83fa455ebaa6 \
docker://example.io/example/ubi-minimal
In this example, you have a container image registry that is named example.io
with an image repository named example
to which you want to copy the ubi8/ubi-minimal
image from registry.access.redhat.com
. After you create the registry, you can configure your OpenShift Container Platform cluster to redirect requests made of the source repository to the mirrored repository.
Log in to your OpenShift Container Platform cluster.
Create an ImageContentSourcePolicy
file (for example, registryrepomirror.yaml
), replacing the source and mirrors with your own registry and repository pairs and images:
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
name: ubi8repo
spec:
repositoryDigestMirrors:
- mirrors:
- example.io/example/ubi-minimal (1)
source: registry.access.redhat.com/ubi8/ubi-minimal (2)
- mirrors:
- example.com/example/ubi-minimal
source: registry.access.redhat.com/ubi8/ubi-minimal
- mirrors:
- mirror.example.com/redhat
source: registry.redhat.io/openshift4 (3)
1 | Indicates the name of the image registry and repository. |
2 | Indicates the registry and repository containing the content that is mirrored. |
3 | You can configure a namespace inside a registry to use any image in that namespace. If you use a registry domain as a source, the ImageContentSourcePolicy resource is applied to all repositories from the registry. |
Create the new ImageContentSourcePolicy
object:
$ oc create -f registryrepomirror.yaml
After the ImageContentSourcePolicy
object is created, the new settings are deployed to each node and the cluster starts using the mirrored repository for requests to the source repository.
To check that the mirrored configuration settings, are applied, do the following on one of the nodes.
List your nodes:
$ oc get node
NAME STATUS ROLES AGE VERSION
ip-10-0-137-44.ec2.internal Ready worker 7m v1.20.0
ip-10-0-138-148.ec2.internal Ready master 11m v1.20.0
ip-10-0-139-122.ec2.internal Ready master 11m v1.20.0
ip-10-0-147-35.ec2.internal Ready,SchedulingDisabled worker 7m v1.20.0
ip-10-0-153-12.ec2.internal Ready worker 7m v1.20.0
ip-10-0-154-10.ec2.internal Ready master 11m v1.20.0
You can see that scheduling on each worker node is disabled as the change is being applied.
Start the debugging process to access the node:
$ oc debug node/ip-10-0-147-35.ec2.internal
Starting pod/ip-10-0-147-35ec2internal-debug ...
To use host binaries, run `chroot /host`
Access the node’s files:
sh-4.2# chroot /host
Check the /etc/containers/registries.conf
file to make sure
the changes were made:
sh-4.2# cat /etc/containers/registries.conf
unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]
[[registry]]
location = "registry.access.redhat.com/ubi8/"
insecure = false
blocked = false
mirror-by-digest-only = true
prefix = ""
[[registry.mirror]]
location = "example.io/example/ubi8-minimal"
insecure = false
[[registry.mirror]]
location = "example.com/example/ubi8-minimal"
insecure = false
Pull an image digest to the node from the source and check if it is resolved by the mirror. ImageContentSourcePolicy
objects support image digests only, not image tags.
sh-4.2# podman pull --log-level=debug registry.access.redhat.com/ubi8/ubi-minimal@sha256:5cfbaf45ca96806917830c183e9f37df2e913b187adb32e89fd83fa455ebaa6
If the repository mirroring procedure does not work as described, use the following information about how repository mirroring works to help troubleshoot the problem.
The first working mirror is used to supply the pulled image.
The main registry is only used if no other mirror works.
From the system context, the Insecure
flags are used as fallback.
The format of the /etc/containers/registries.conf
file has changed recently. It is now version 2 and in TOML format.
You can scope the mirrored image catalog at the repository level or the wider registry level. A widely scoped ImageContentSourcePolicy
resource reduces the number of times the nodes need to reboot in response to changes to the resource.
To widen the scope of the mirror image catalog in the ImageContentSourcePolicy
resource, perform the following procedure.
Install the OpenShift Container Platform CLI oc
.
Log in as a user with cluster-admin
privileges.
Configure a mirrored image catalog for use in your disconnected cluster.
Run the following command, specifying values for <local_registry>
, <pull_spec>
, and <pull_secret_file>
:
$ oc adm catalog mirror <local_registry>/<pull_spec> <local_registry> -a <pull_secret_file> --icsp-scope=registry
where:
is the local registry you have configured for your disconnected cluster, for example, local.registry:5000
.
is the pull specification as configured in your disconnected registry, for example, redhat/redhat-operator-index:v4.7
is the registry.redhat.io
pull secret in .json
file format. You can download the pull secret from the Red Hat OpenShift Cluster Manager.
The oc adm catalog mirror
command creates a /redhat-operator-index-manifests
directory and generates imageContentSourcePolicy.yaml
, catalogSource.yaml
, and mapping.txt
files.
Apply the new ImageContentSourcePolicy
resource to the cluster:
$ oc apply -f imageContentSourcePolicy.yaml
Verify that oc apply
successfully applied the change to ImageContentSourcePolicy
:
$ oc get ImageContentSourcePolicy -o yaml
apiVersion: v1
items:
- apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"operator.openshift.io/v1alpha1","kind":"ImageContentSourcePolicy","metadata":{"annotations":{},"name":"redhat-operator-index"},"spec":{"repositoryDigestMirrors":[{"mirrors":["local.registry:5000"],"source":"registry.redhat.io"}]}}
...
After you update the ImageContentSourcePolicy
resource, OpenShift Container Platform deploys the new settings to each node and the cluster starts using the mirrored repository for requests to the source repository.