This is a cache of https://docs.okd.io/4.10/installing/disconnected_install/installing-mirroring-disconnected.html. It is a snapshot of the page at 2024-11-21T21:33:41.087+0000.
Mirroring images for a disconnected installation using the oc-mirror plugin - Disconnected installation mirroring | Installing | OKD 4.10
×

You can ensure your clusters only use container images that satisfy your organizational controls on external content. Before you install a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. To mirror container images, you must have a registry for mirroring.

You can use the oc-mirror OpenShift CLI (oc) plugin to mirror images to a mirror registry in your fully or partially disconnected environments.

Mirroring images for disconnected environments using the oc-mirror plugin is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

The following steps outline the high-level workflow on how to use the oc-mirror plugin to mirror images to a mirror registry:

  1. Create an image set configuration file.

  2. Mirror the image set to the mirror registry.

  3. Configure your cluster to use the resources generated by the oc-mirror plugin.

  4. Repeat these steps to update your mirror registry as necessary.

About the oc-mirror plugin

You can use the oc-mirror OpenShift CLI (oc) plugin to mirror all required OKD content and other images to your mirror registry by using a single tool. It provides the following features:

  • Provides a centralized method to mirror OKD releases, Operators, helm charts, and other images.

  • Maintains update paths for OKD and Operators.

  • Uses a declarative image set configuration file to include only the OKD releases, Operators, and images that your cluster needs.

  • Performs incremental mirroring, which reduces the size of future image sets.

When using the oc-mirror plugin, you specify which content to mirror in an image set configuration file. In this YAML file, you can fine-tune the configuration to only include the OKD releases and Operators that your cluster needs. This reduces the amount of data that you need to download and transfer. The oc-mirror plugin can also mirror arbitrary helm charts and additional container images to assist users in seamlessly synchronizing their workloads onto mirror registries.

The first time you run the oc-mirror plugin, it populates your mirror registry with the required content to perform your disconnected cluster installation. In order for your disconnected cluster to continue receiving updates, you must keep your mirror registry updated. To update your mirror registry, you run the oc-mirror plugin using the same configuration as the first time you ran it. The oc-mirror plugin references the metadata from the storage backend and only downloads what has been released since the last time you ran the tool. This provides update paths for OKD and Operators and performs dependency resolution as required.

When using the oc-mirror CLI plugin to populate a mirror registry, any further updates to the mirror registry must be made using the oc-mirror tool.

About the mirror registry

You can mirror the images that are required for OKD installation and subsequent product updates to a container mirror registry that supports Docker v2-2, such as Red Hat Quay. If you do not have access to a large-scale container registry, you can use the mirror registry for Red Hat OpenShift, which is a small-scale container registry included with OKD subscriptions.

Regardless of your chosen registry, the procedure to mirror content from Red Hat hosted sites on the internet to an isolated image registry is the same. After you mirror the content, you configure each cluster to retrieve this content from your mirror registry.

The OpenShift image registry cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process.

If choosing a container registry that is not the mirror registry for Red Hat OpenShift, it must be reachable by every machine in the clusters that you provision. If the registry is unreachable, installation, updating, or normal operations such as workload relocation might fail. For that reason, you must run mirror registries in a highly available way, and the mirror registries must at least match the production availability of your OKD clusters.

When you populate your mirror registry with OKD images, you can follow two scenarios. If you have a host that can access both the internet and your mirror registry, but not your cluster nodes, you can directly mirror the content from that machine. This process is referred to as connected mirroring. If you have no such host, you must mirror the images to a file system and then bring that host or removable media into your restricted environment. This process is referred to as disconnected mirroring.

For mirrored registries, to view the source of pulled images, you must review the Trying to access log entry in the CRI-O logs. Other methods to view the image pull source, such as using the crictl images command on a node, show the non-mirrored image name, even though the image is pulled from the mirrored location.

Red Hat does not test third party registries with OKD.

Additional resources

Prerequisites

  • You must have a container image registry that supports Docker v2-2 in the location that will host the OKD cluster, such as Red Hat Quay.

    If you use Red Hat Quay, you must use version 3.6 or later with the oc-mirror plugin. If you have an entitlement to Red Hat Quay, see the documentation on deploying Red Hat Quay for proof-of-concept purposes or by using the Quay Operator. If you need additional assistance selecting and installing a registry, contact your sales representative or Red Hat Support.

    If you do not already have an existing solution for a container image registry, subscribers of OKD are provided a mirror registry for Red Hat OpenShift. The mirror registry for Red Hat OpenShift is included with your subscription and is a small-scale container registry that can be used to mirror the required container images of OKD in disconnected installations.

Preparing your mirror hosts

Before you can use the oc-mirror plugin to mirror images, you must install the plugin and create a container image registry credentials file to allow the mirroring from Red Hat to your mirror.

Installing the oc-mirror OpenShift CLI plugin

To use the oc-mirror OpenShift CLI plugin to mirror registry images, you must install the plugin. If you are mirroring image sets in a fully disconnected environment, ensure that you install the oc-mirror plugin on the host with internet access and the host in the disconnected environment with access to the mirror registry.

Prerequisites
  • You have installed the OpenShift CLI (oc).

Procedure
  1. Download the oc-mirror CLI plugin.

    1. Navigate to the Downloads page of the OpenShift Cluster Manager.

    2. Under the OpenShift disconnected installation tools section, click Download for OpenShift Client (oc) mirror plugin and save the file.

  2. Extract the archive:

    $ tar xvzf oc-mirror.tar.gz
  3. If necessary, update the plugin file to be executable:

    $ chmod +x oc-mirror

    Do not rename the oc-mirror file.

  4. Install the oc-mirror CLI plugin by placing the file in your PATH, for example, /usr/local/bin:

    $ sudo mv oc-mirror /usr/local/bin/.
Verification
  • Run oc mirror help to verify that the plugin was successfully installed:

    $ oc mirror help
Additional resources

Configuring credentials that allow images to be mirrored

Create a container image registry credentials file that allows mirroring images from Red Hat to your mirror.

Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry.

This process requires that you have write access to a container image registry on the mirror registry and adds the credentials to a registry pull secret.

Prerequisites
  • You configured a mirror registry to use in your disconnected environment.

  • You identified an image repository location on your mirror registry to mirror images into.

  • You provisioned a mirror registry account that allows images to be uploaded to that image repository.

Procedure

Complete the following steps on the installation host:

  1. Generate the base64-encoded user name and password or token for your mirror registry:

    $ echo -n '<user_name>:<password>' | base64 -w0 (1)
    BGVtbYk3ZHAtqXs=
    1 For <user_name> and <password>, specify the user name and password that you configured for your registry.
  2. Create a .json file and add a section that describes your registry to it:

    {
      "auths": {
        "<mirror_registry>": { (1)
          "auth": "<credentials>", (2)
          "email": "you@example.com"
        }
      }
    }
    1 For <mirror_registry>, specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example, registry.example.com or registry.example.com:8443
    2 For <credentials>, specify the base64-encoded user name and password for the mirror registry.

Creating the image set configuration

Before you can use the oc-mirror plugin to mirror image sets, you must create an image set configuration file. This image set configuration file defines which OKD releases, Operators, and other images to mirror, along with other configuration settings for the oc-mirror plugin.

You must specify a storage backend in the image set configuration file. This storage backend can be a local directory or a registry that supports Docker v2-2. The oc-mirror plugin stores metadata in this storage backend during image set creation.

Do not delete or modify the metadata that is generated by the oc-mirror plugin. You must use the same storage backend every time you run the oc-mirror plugin for the same mirror registry.

Procedure
  1. Create an ImageSetConfiguration resource that specifies the necessary configuration details:

    Example ImageSetConfiguration file
    apiVersion: mirror.openshift.io/v1alpha1
    kind: ImageSetConfiguration
    archiveSize: 4 (1)
    mirror:
     ocp:
       channels:
         - name: stable-4.9 (2)
     operators:
       - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.9 (3)
    storageConfig: (4)
     registry:
       imageURL: example.com/example/oc-mirror (5)
    1 The maximum size, in GiB, of each file within the image set.
    2 The channel to retrieve the OKD images from.
    3 The Operator catalog to retrieve the OKD images from.
    4 The back-end location to save the image set metadata to. This location can be a registry or local directory. It is required to specify storageConfig values.
    5 The registry URL for the storage backend.

    This example pulls images from the stable-4.9 channel for the registry.redhat.io/redhat/redhat-operator-index:v4.9 operator catalog and saves the image set metadata to the example.com/example/oc-mirror registry.

  2. Save the file as imageset-config.yaml. This file is required by the oc mirror command when mirroring content.

Mirroring an image set to a mirror registry

You can use the oc-mirror CLI plugin to mirror images to a mirror registry in a partially disconnected environment or in a fully disconnected environment.

These procedures assume that you already have your mirror registry set up.

Mirroring an image set in a partially disconnected environment

In a partially disconnected environment, you can mirror an image set directly to the target mirror registry.

Mirroring from mirror to mirror

You can use the oc-mirror plugin to mirror an image set directly to a target mirror registry that is accessible during image set creation.

Depending on the configuration specified in the image set configuration file, using oc-mirror to mirror images might download several hundreds of gigabytes of data to disk before mirroring to the destination mirror registry.

The initial image set download when you populate the mirror registry is often the largest. Because you only download the images that changed since the last time you ran the command, when you run the oc-mirror plugin again, the generated image set is often smaller.

You are required to specify a storage backend in the image set configuration file. This storage backend can be a local directory or a Docker v2 registry. The oc-mirror plugin stores metadata in this storage backend during image set creation.

Do not delete or modify the metadata that is generated by the oc-mirror plugin. You must use the same storage backend every time you run the oc-mirror plugin for the same mirror registry.

Prerequisites
  • You have access to the internet to obtain the necessary container images.

  • You have installed the OpenShift CLI (oc).

  • You have installed the oc-mirror CLI plugin.

  • You have created the image set configuration file.

Procedure
  • Run the oc mirror command to mirror the images from the specified image set configuration to a specified registry:

    $ oc mirror --config=./imageset-config.yaml \ (1)
      docker://registry.example:5000              (2)
    
    1 Pass in the image set configuration file that was created. This procedure assumes that it is named imageset-config.yaml.
    2 Specify the registry to mirror the image set file to. The registry must start with docker://. If you specify a top-level namespace for the mirror registry, you must also use this same namespace on subsequent executions.
Verification
  1. Navigate into the oc-mirror-workspace/ directory that was generated.

  2. Navigate into the results directory, for example, results-1639608409/.

  3. Verify that YAML files are present for the ImageContentSourcePolicy and CatalogSource resources.

Next steps
  • Configure your cluster to use the resources generated by oc-mirror.

Mirroring an image set in a fully disconnected environment

To mirror an image set in a fully disconnected environment, you must first mirror the image set to disk, then mirror the image set file on disk to a mirror.

Mirroring from mirror to disk

You can use the oc-mirror plugin to generate an image set and save the contents to disk. The generated image set can then be transferred to the disconnected environment and mirrored to the target registry.

Depending on the configuration specified in the image set configuration file, using oc-mirror to mirror images might download several hundreds of gigabytes of data to disk.

The initial image set download when you populate the mirror registry is often the largest. Because you only download the images that changed since the last time you ran the command, when you run the oc-mirror plugin again, the generated image set is often smaller.

You are required to specify a storage backend in the image set configuration file. This storage backend can be a local directory or a docker v2 registry. The oc-mirror plugin stores metadata in this storage backend during image set creation.

Do not delete or modify the metadata that is generated by the oc-mirror plugin. You must use the same storage backend every time you run the oc-mirror plugin for the same mirror registry.

Prerequisites
  • You have access to the internet to obtain the necessary container images.

  • You have installed the OpenShift CLI (oc).

  • You have installed the oc-mirror CLI plugin.

  • You have created the image set configuration file.

Procedure
  • Run the oc mirror command to mirror the images from the specified image set configuration to disk:

    $ oc mirror --config=./imageset-config.yaml \ (1)
      file://<path_to_output_directory>          (2)
    
    1 Pass in the image set configuration file that was created. This procedure assumes that it is named imageset-config.yaml.
    2 Specify the target directory where you want to output the image set file. The target directory path must start with file://.
Verification
  1. Navigate to your output directory:

    $ cd <path_to_output_directory>
  2. Verify that an image set .tar file was created:

    $ ls
    Example output
    mirror_seq1_000000.tar
Next steps
  • Transfer the image set .tar file to the disconnected environment.

Mirroring from disk to mirror

You can use the oc-mirror plugin to mirror the contents of a generated image set to the target mirror registry.

Prerequisites
  • You have installed the OpenShift CLI (oc) in the disconnected environment.

  • You have installed the oc-mirror CLI plugin in the disconnected environment.

  • You have generated the image set file by using the oc mirror command.

  • You have transferred the image set file to the disconnected environment.

Procedure
  • Run the oc mirror command to process the image set file on disk and mirror the contents to a target mirror registry:

    $ oc mirror --from=./mirror_seq1_000000.tar \ (1)
      docker://registry.example:5000              (2)
    
    1 Pass in the image set .tar file to mirror, named mirror_seq1_000000.tar in this example. If an archiveSize value was specified in the image set configuration file, the image set might be broken up into multiple .tar files. In this situation, you can pass in a directory that contains the image set .tar files.
    2 Specify the registry to mirror the image set file to. The registry must start with docker://. If you specify a top-level namespace for the mirror registry, you must also use this same namespace on subsequent executions.

    This command updates the mirror registry with the image set and generates the ImageContentSourcePolicy and CatalogSource resources.

Verification
  1. Navigate into the oc-mirror-workspace/ directory that was generated.

  2. Navigate into the results directory, for example, results-1639608409/.

  3. Verify that YAML files are present for the ImageContentSourcePolicy and CatalogSource resources.

Next steps
  • Configure your cluster to use the resources generated by oc-mirror.

Configuring your cluster to use the resources generated by oc-mirror

After you have mirrored your image set to the mirror registry, you must apply the generated ImageContentSourcePolicy, CatalogSource, and release image signature resources into the cluster.

The ImageContentSourcePolicy resource associates the mirror registry with the source registry and redirects image pull requests from the online registries to the mirror registry. The CatalogSource resource is used by Operator Lifecycle Manager (OLM) to retrieve information about the available Operators in the mirror registry. The release image signatures are used to verify the mirrored release images.

Prerequisites
  • You have mirrored the image set to the registry mirror in the disconnected environment.

  • You have access to the cluster as a user with the cluster-admin role.

Procedure
  1. Log in to the OpenShift CLI as a user with the cluster-admin role.

  2. Apply the YAML files from the results directory to the cluster by running the following command:

    $ oc apply -f ./oc-mirror-workspace/results-1639608409/
  3. Apply the release image signatures to the cluster by running the following command:

    $ oc apply -f ./oc-mirror-workspace/results-1639608409/release-signatures/
Verification
  1. Verify that the ImageContentSourcePolicy resources were successfully installed by running the following command:

    $ oc get imagecontentsourcepolicy --all-namespaces
  2. Verify that the CatalogSource resources were successfully installed by running the following command:

    $ oc get catalogsource --all-namespaces

Updating your mirror registry

After you publish a full image set to the mirror registry, you can use the oc-mirror plugin to update the mirror registry with updated images.

When you run the oc-mirror plugin again, it generates an image set that only contains new and updated images since the previous execution.

You must use the same storage backend as the initial execution of oc-mirror for the same mirror registry. Do not delete or modify the metadata that is generated by the oc-mirror plugin.

Because it only pulls in the differences since the previous image set was created, the generated image set is often smaller and faster to process than the initial image set.

Generated image sets are sequential and must be synchronized to the target mirror registry in order.

Prerequisites
  • You have used the oc-mirror plugin to mirror the initial image set to your mirror registry.

  • You have access to the storage backend that was used for the initial execution of the oc-mirror plugin.

Procedure
  1. Follow the same steps that you used to create the initial image set and mirror it to the mirror registry. For instructions, see Mirroring an image set in a partially disconnected environment or Mirroring an image set in a fully disconnected environment.

    • You must provide the same storage backend so that only a differential image set is created and mirrored.

    • If you specified a top-level namespace for the mirror registry during the initial image set creation, then you must use this same namespace every time you run the oc-mirror plugin for the same mirror registry.

  2. Configure your cluster to use the resources generated by oc-mirror.

Image set configuration parameters

The oc-mirror plugin requires an image set configuration file that defines what images to mirror. The following table lists the available parameters for the ImageSetConfiguration resource.

Table 1. ImageSetConfiguration parameters
Parameter Description Values

apiVersion

The API version for the ImageSetConfiguration content.

String. For example: mirror.openshift.io/v1alpha1.

archiveSize

The maximum size, in GiB, of each archive file within the image set.

Integer. For example: 4

mirror

The configuration of the image set.

Object

mirror.additionalImages

The additional images configuration of the image set.

Array of objects. For example:

additionalImages:
  - name: registry.redhat.io/ubi8/ubi:latest

mirror.additionalImages.name

The tag of the image to mirror.

String. For example: registry.redhat.io/ubi8/ubi:latest

mirror.helm

The helm configuration of the image set. Note that the oc-mirror plugin supports only helm charts that do not require user input when rendered.

Object

mirror.helm.local

The local helm charts to mirror.

Array of objects. For example:

local:
  - name: podinfo
    path: /test/podinfo-5.0.0.tar.gz

mirror.helm.local.name

The name of the local helm chart to mirror.

String. For example: podinfo.

mirror.helm.local.path

The path of the local helm chart to mirror.

String. For example: /test/podinfo-5.0.0.tar.gz.

mirror.helm.repos

The remote helm repositories to mirror from.

Array of objects. For example:

repos:
  - name: podinfo
    url: https://example.github.io/podinfo
    charts:
      - name: podinfo
        version: 5.0.0

mirror.helm.repos.name

The name of the helm repository to mirror from.

String. For example: podinfo.

mirror.helm.repos.url

The URL of the helm repository to mirror from.

String. For example: https://example.github.io/podinfo.

mirror.helm.repos.charts

The remote helm charts to mirror.

Array of objects.

mirror.helm.repos.charts.name

The name of the helm chart to mirror.

String. For example: podinfo.

mirror.helm.repos.charts.version

The version of the named helm chart to mirror.

String. For example: 5.0.0.

mirror.ocp

The platform configuration of the image set.

Object

mirror.ocp.channels

The platform channel configuration of the image set.

Array of objects. For example:

channels:
  - name: stable-4.7
  - name: stable-4.6
    versions:
      - '4.6.36'

mirror.ocp.channels.name

The name of the release channel.

String. For example: stable-4.9 or okd.

mirror.ocp.channels.versions

The list of release versions within the named channel.

String. For example: 4.9.6.

mirror.operators

The Operators configuration of the image set.

Array of objects. For example:

operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.9
    headsOnly: false
    packages:
      - name: elasticsearch-operator
        startingVersion: '2.4.0'

mirror.operators.catalog

The Operator catalog to include in the image set.

String. For example: registry.redhat.io/redhat/redhat-operator-index:v4.9.

mirror.operators.headsOnly

Toggles between downloading channel HEADs and full channels. Cannot be used in conjunction with mirror.operators.packages.

Boolean

mirror.operators.packages

The Operator packages configuration.

Array of objects. For example:

operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.8
    headsOnly: false
    packages:
      - name: elasticsearch-operator
        startingVersion: '5.2.3-31'

mirror.operators.packages.name

The Operator package name to include in the image set

String. For example: elasticsearch-operator.

mirror.operators.packages.startingVersion

The starting version of the Operator package to mirror. All versions of the Operator are mirrored between the value of startingVersion and the HEAD version of each channel that contains the referenced version.

String. For example: 5.2.3-31.

mirror.operators.packages.channels

The Operator package channel configuration.

Object

mirror.operators.packages.channels.name

The Operator channel name, unique within a package, to include in the image set.

String. For example: fast or stable-v4.9.

mirror.operators.packages.channels.startingVersion

The starting version of the Operator channel to mirror. All versions of the Operator are mirrored between the value of startingVersion and the HEAD version of the specified channel.

String. For example: 5.2.3-31

storageConfig

The back-end configuration of the image set.

Object

storageConfig.local

The local back-end configuration of the image set.

Object

storageConfig.local.path

The path of the directory to contain the image set metadata.

String. For example: ./path/to/dir/.

storageConfig.registry

The registry back-end configuration of the image set.

Object

storageConfig.registry.imageURL

The back-end registry URI. Can optionally include a namespace reference in the URI.

String. For example: quay.io/myuser/imageset:metadata.

storageConfig.registry.skipTLS

Optionally skip TLS verification of the referenced back-end registry.

Boolean. The default value is false.

Image set configuration examples

The following ImageSetConfiguration file examples show the configuration for various mirroring use cases.

Use case: Including arbitrary images and helm charts

The following ImageSetConfiguration file uses a registry storage backend and includes helm charts and an additional Red Hat Universal Base Image (UBI).

Example ImageSetConfiguration file
apiVersion: mirror.openshift.io/v1alpha1
kind: ImageSetConfiguration
archiveSize: 4
storageConfig:
 registry:
   imageURL: example.com/example/oc-mirror
   skipTLS: false
mirror:
 ocp:
   channels:
     - name: stable-4.10
 operators:
   - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10
 helm:
   repos:
     - name: redhat-helm-charts
       url: https://raw.githubusercontent.com/redhat-developer/redhat-helm-charts/master
       charts:
         - name: ibm-mongodb-enterprise-helm
           version: 0.2.0
 additionalImages:
   - name: registry.redhat.io/ubi8/ubi:latest

Use case: Including specific Operator versions

The following ImageSetConfiguration file uses a local storage backend and includes only the Red Hat Advanced Cluster Security for Kubernetes Operator, versions starting at 3.67.0 and later.

Example ImageSetConfiguration file
apiVersion: mirror.openshift.io/v1alpha1
kind: ImageSetConfiguration
storageConfig:
  local:
    path: /home/user/metadata
mirror:
  operators:
    - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10
      headsOnly: false
      packages:
        - name: rhacs-operator
          channels:
          - name: latest
          startingVersion: 3.67.0

Command reference for oc-mirror

The following tables describe the oc mirror subcommands and flags:

Table 2. oc mirror subcommands
Subcommand Description

completion

Generate the autocompletion script for the specified shell.

describe

Output the contents of an image set.

help

Show help about any subcommand.

list

List available platform and Operator content and their version.

version

Output the oc-mirror version.

Table 3. oc mirror flags
Flag Description

-c, --config <string>

Specify the path to an image set configuration file.

--continue-on-error

If any non image-pull related error occurs, continue and attempt to mirror as much as possible.

--dest-skip-tls

Disable TLS validation for the target registry.

--dest-use-http

Use plain HTTP for the target registry.

--dry-run

Print actions without mirroring images.

--from <string>

Specify the path to an image set archive that was generated by an execution of oc-mirror to load into a target registry.

-h, --help

Show the help.

--log-level <string>

Specify the number for the log level verbosity. Valid values are 0 - 9. The default is 0.

--manifests-only

Generate manifests for ImageContentSourcePolicy objects to configure a cluster to use the mirror registry, but do not actually mirror any images. To use this flag, you must pass in an image set archive with the --from flag.

--skip-cleanup

Skip removal of artifact directories.

--skip-image-pin

Do not replace image tags with digest pins in Operator catalogs.

--skip-missing

If an image is not found, skip it instead of reporting an error and aborting execution. Does not apply to custom images explicitly specified in the image set configuration.

--skip-verification

Skip digest verification.

--source-skip-tls

Disable TLS validation for the source registry.

--source-use-http

Use plain HTTP for the source registry.