我的书签
添加书签
移除书签- Mirroring images for a disconnected installation
- Prerequisites
- About the mirror registry
- Preparing your mirror host
- Configuring credentials that allow images to be mirrored
- Mirroring the OKD image repository
- The Cluster Samples Operator in a disconnected environment
- Mirroring Operator catalogs for use with disconnected clusters
- Next steps
- Additional resources
Mirroring images for a disconnected installation
- Prerequisites
- About the mirror registry
- Preparing your mirror host
- Configuring credentials that allow images to be mirrored
- Mirroring the OKD image repository
- The Cluster Samples Operator in a disconnected environment
- Mirroring Operator catalogs for use with disconnected clusters
- Next steps
- Additional resources
Before you install a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. You can also use this procedure in unrestricted networks to ensure your clusters only use container images that have satisfied your organizational controls on external content.
You must have access to the internet to obtain the necessary container images. In this procedure, you place the mirror registry on a mirror host that has access to both your network and the Internet. If you do not have access to a mirror host, use the disconnected procedure to copy images to a device you can move across network boundaries with. |
Prerequisites
You must have a container image registry that supports Docker v2-2 in the location that will host the OKD cluster, such as one of the following registries:
The internal registry of the OKD cluster cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process.
If you have an entitlement to Red Hat Quay, see the documentation on deploying Red Hat Quay for proof-of-concept purposes or by using the Quay Operator. If you need additional assistance selecting and installing a registry, contact your sales representative or Red Hat support.
About the mirror registry
You can mirror the images that are required for OKD installation and subsequent product updates to a mirror registry. These actions use the same process. The release image, which contains the description of the content, and the images it references are all mirrored. In addition, the Operator catalog source image and the images that it references must be mirrored for each Operator that you use. After you mirror the content, you configure each cluster to retrieve this content from your mirror registry.
The mirror registry can be any container registry that supports Docker v2-2. All major cloud provider registries, as well as Red Hat Quay, Artifactory, and others, have the necessary support. Using one of these registries ensures that OKD can verify the integrity of each image in disconnected environments.
The internal registry of the OKD cluster cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process. |
The mirror registry must be reachable by every machine in the clusters that you provision. If the registry is unreachable installation, updating, or normal operations such as workload relocation might fail. For that reason, you must run mirror registries in a highly available way, and the mirror registries must at least match the production availability of your OKD clusters.
When you populate a mirror registry with OKD images, you can follow two scenarios. If you have a host that can access both the internet and your mirror registry, but not your cluster nodes, you can directly mirror the content from that machine. This process is referred to as connected mirroring. If you have no such host, you must mirror the images to a file system and then bring that host or removable media into your restricted environment. This process is referred to as disconnected mirroring.
For mirrored registries, to view the source of pulled images, you must review the Trying to access log entry in the CRI-O logs. Other methods to view the image pull source, such as using the crictl images command on a node, show the non-mirrored image name, even though the image is pulled from the mirrored location.
Additional information
For information on viewing the CRI-O logs to view the image source, see Viewing the image pull source.
Preparing your mirror host
Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to the remote location.
Installing the OpenShift CLI by downloading the binary
You can install the OpenShift CLI (oc) to interact with OKD from a command-line interface. You can install oc on Linux, Windows, or macOS.
If you installed an earlier version of |
Installing the OpenShift CLI on Linux
You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.
Procedure
Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.
Download
oc.tar.gz.Unpack the archive:
$ tar xvzf <file>
Place the
ocbinary in a directory that is on yourPATH.To check your
PATH, execute the following command:$ echo $PATH
After you install the OpenShift CLI, it is available using the oc command:
$ oc <command>
Installing the OpenShift CLI on Windows
You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.
Procedure
Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.
Download
oc.zip.Unzip the archive with a ZIP program.
Move the
ocbinary to a directory that is on yourPATH.To check your
PATH, open the command prompt and execute the following command:C:\> path
After you install the OpenShift CLI, it is available using the oc command:
C:\> oc <command>
Installing the OpenShift CLI on macOS
You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.
Procedure
Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.
Download
oc.tar.gz.Unpack and unzip the archive.
Move the
ocbinary to a directory on your PATH.To check your
PATH, open a terminal and execute the following command:$ echo $PATH
After you install the OpenShift CLI, it is available using the oc command:
$ oc <command>
Configuring credentials that allow images to be mirrored
Create a container image registry credentials file that allows mirroring images from Red Hat to your mirror.
Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry. |
This process requires that you have write access to a container image registry on the mirror registry and adds the credentials to a registry pull secret. |
Prerequisites
You configured a mirror registry to use in your restricted network.
You identified an image repository location on your mirror registry to mirror images into.
You provisioned a mirror registry account that allows images to be uploaded to that image repository.
Procedure
Complete the following steps on the installation host:
Generate the base64-encoded user name and password or token for your mirror registry:
$ echo -n '<user_name>:<password>' | base64 -w0 (1)BGVtbYk3ZHAtqXs=
1 For <user_name>and<password>, specify the user name and password that you configured for your registry.Create a
.jsonfile and add a section that describes your registry to it:{"auths": {"<mirror_registry>": { (1)"auth": "<credentials>", (2)"email": "you@example.com"}}}
1 For <mirror_registry>, specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example,registry.example.comorregistry.example.com:50002 For <credentials>, specify the base64-encoded user name and password for the mirror registry.
Mirroring the OKD image repository
Mirror the OKD image repository to your registry to use during cluster installation or upgrade.
Prerequisites
Your mirror host has access to the internet.
You configured a mirror registry to use in your restricted network and can access the certificate and credentials that you configured.
You have created a pull secret for your mirror repository.
If you use self-signed certificates that do not set a Subject Alternative Name, you must precede the
occommands in this procedure withGODEBUG=x509ignoreCN=0. If you do not set this variable, theoccommands will fail with the following error:x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
Procedure
Complete the following steps on the mirror host:
Review the OKD downloads page to determine the version of OKD that you want to install and determine the corresponding tag on the Repository Tags page.
Set the required environment variables:
Export the release version:
$ OCP_RELEASE=<release_version>
For
<release_version>, specify the tag that corresponds to the version of OKD to install, such as4.5.4.Export the local registry name and host port:
$ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>'
For
<local_registry_host_name>, specify the registry domain name for your mirror repository, and for<local_registry_host_port>, specify the port that it serves content on.Export the local repository name:
$ LOCAL_REPOSITORY='<local_repository_name>'
For
<local_repository_name>, specify the name of the repository to create in your registry, such asocp4/openshift4.Export the name of the repository to mirror:
$ PRODUCT_REPO='openshift'
Export the path to your registry pull secret:
$ LOCAL_SECRET_JSON='<path_to_pull_secret>'
For
<path_to_pull_secret>, specify the absolute path to and file name of the pull secret for your mirror registry that you created.Export the release mirror:
$ RELEASE_NAME="okd"
Export the path to the directory to host the mirrored images:
$ REMOVABLE_MEDIA_PATH=<path> (1)
1 Specify the full path, including the initial forward slash (/) character.
Mirror the version images to the internal container registry:
If your mirror host does not have internet access, take the following actions:
Connect the removable media to a system that is connected to the internet.
Review the images and configuration manifests to mirror:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} \--from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} \--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \--to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE} --dry-run
Record the entire
imageContentSourcessection from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add theimageContentSourcessection to theinstall-config.yamlfile during installation.Mirror the images to a directory on the removable media:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}
Take the media to the restricted network environment and upload the images to the local container registry.
$ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} (1)
1 For REMOVABLE_MEDIA_PATH, you must use the same path that you specified when you mirrored the images.
If the local container registry is connected to the mirror host, take the following actions:
Directly push the release images to the local registry by using following command:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} \--from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} \--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \--to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}
This command pulls the release information as a digest, and its output includes the
imageContentSourcesdata that you require when you install your cluster.Record the entire
imageContentSourcessection from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add theimageContentSourcessection to theinstall-config.yamlfile during installation.The image name gets patched to Quay.io during the mirroring process, and the podman images will show Quay.io in the registry on the bootstrap virtual machine.
To create the installation program that is based on the content that you mirrored, extract it and pin it to the release:
If your mirror host does not have internet access, run the following command:
$ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}"
If the local container registry is connected to the mirror host, run the following command:
$ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}"
To ensure that you use the correct images for the version of OKD that you selected, you must extract the installation program from the mirrored content.
You must perform this step on a machine with an active internet connection.
If you are in a disconnected environment, use the
—imageflag as part of must-gather and point to the payload image.
For clusters using installer-provisioned infrastructure, run the following command:
$ openshift-install
The Cluster Samples Operator in a disconnected environment
In a disconnected environment, you must take additional steps after you install a cluster to configure the Cluster Samples Operator. Review the following information in preparation.
Cluster Samples Operator assistance for mirroring
During installation, OKD creates a config map named imagestreamtag-to-image in the openshift-cluster-samples-operator namespace. The imagestreamtag-to-image config map contains an entry, the populating image, for each image stream tag.
The format of the key for each entry in the data field in the config map is <image_stream_name>_<image_stream_tag_name>.
During a disconnected installation of OKD, the status of the Cluster Samples Operator is set to Removed. If you choose to change it to Managed, it installs samples.
You can use this config map as a reference for which images need to be mirrored for your image streams to import.
While the Cluster Samples Operator is set to
Removed, you can create your mirrored registry, or determine which existing mirrored registry you want to use.Mirror the samples you want to the mirrored registry using the new config map as your guide.
Add any of the image streams you did not mirror to the
skippedImagestreamslist of the Cluster Samples Operator configuration object.Set
samplesRegistryof the Cluster Samples Operator configuration object to the mirrored registry.Then set the Cluster Samples Operator to
Managedto install the image streams you have mirrored.
Mirroring Operator catalogs for use with disconnected clusters
You can mirror the Operator contents of a Red Hat-provided catalog, or a custom catalog, into a container image registry using the oc adm catalog mirror command. The target registry must support Docker v2-2. For a cluster on a restricted network, this registry can be one that the cluster has network access to, such as a mirror registry created during a restricted network cluster installation.
The internal registry of the OKD cluster cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process. |
The oc adm catalog mirror command also automatically mirrors the index image that is specified during the mirroring process, whether it be a Red Hat-provided index image or your own custom-built index image, to the target registry. You can then use the mirrored index image to create a catalog source that allows Operator Lifecycle Manager (OLM) to load the mirrored catalog onto your OKD cluster.
Additional resources
Prerequisites
Mirroring Operator catalogs for use with disconnected clusters has the following prerequisites:
Workstation with unrestricted network access.
podmanversion 1.9.3 or later.Access to mirror registry that supports Docker v2-2.
Decide which namespace on your mirror registry you will use to store the mirrored Operator content. For example, you might create an
olm-mirrornamespace.If your mirror registry does not have internet access, connect removable media to your workstation with unrestricted network access.
If you are working with private registries, including
registry.redhat.io, set theREG_CREDSenvironment variable to the file path of your registry credentials for use in later steps. For example, for thepodmanCLI:$ REG_CREDS=${XDG_RUNTIME_DIR}/containers/auth.json
Extracting and mirroring catalog contents
The oc adm catalog mirror command extracts the contents of an index image to generate the manifests required for mirroring. The default behavior of the command generates manifests, then automatically mirrors all of the image content from the index image, as well as the index image itself, to your mirror registry.
Alternatively, if your mirror registry is on a completely disconnected, or airgapped, host, you can first mirror the content to removable media, move the media to the disconnected environment, then mirror the content from the media to the registry.
Mirroring catalog contents to registries on the same network
If your mirror registry is co-located on the same network as your workstation with unrestricted network access, take the following actions on your workstation.
Procedure
If your mirror registry requires authentication, run the following command to log in to the registry:
$ podman login <mirror_registry>
Run the following command to extract and mirror the content to the mirror registry:
$ oc adm catalog mirror \<index_image> \ (1)<mirror_registry>:<port>/<namespace> \ (2)[-a ${REG_CREDS}] \ (3)[--insecure] \ (4)[--index-filter-by-os='<platform>/<arch>'] \ (5)[--manifests-only] (6)
1 Specify the index image for the catalog that you want to mirror. For example, this might be a pruned index image that you created previously, or one of the source index images for the default catalogs, such as quay.io/operatorhubio/catalog:latest.2 Specify the target registry and namespace to mirror the Operator contents to, where <namespace>is any existing namespace on the registry. For example, you might create anolm-mirrornamespace to push all mirrored content to.3 Optional: If required, specify the location of your registry credentials file. {REG_CREDS}is required forregistry.redhat.io.4 Optional: If you do not want to configure trust for the target registry, add the —insecureflag.5 Optional: Specify which platform and architecture of the index image to select when multiple variants are available. Images are passed as ‘<platform>/<arch>[/<variant>]’. This does not apply to images referenced by the index. Valid values arelinux/amd64,linux/ppc64le,linux/s390x, and.*6 Optional: Generate only the manifests required for mirroring, and do not actually mirror the image content to a registry. This option can be useful for reviewing what will be mirrored, and it allows you to make any changes to the mapping list if you require only a subset of packages. You can then use the mapping.txtfile with theoc image mirrorcommand to mirror the modified list of images in a later step. This flag is intended for only advanced selective mirroring of content from the catalog; theopm index prunecommand, if you used it previously to prune the index image, is suitable for most catalog management use cases.Example output
src image has index label for database path: /database/index.dbusing database path mapping: /database/index.db:/tmp/153048078wrote database to /tmp/153048078 (1)...wrote mirroring manifests to manifests-catalog-1614211642 (2)
1 Directory for the temporary index.dbdatabase generated by the command.2 Record the manifests directory name that is generated. This directory is referenced in subsequent procedures. Red Hat Quay does not support nested repositories. As a result, running the
oc adm catalog mirrorcommand will fail with a401unauthorized error. As a workaround, you can use the—max-components=2option when running theoc adm catalog mirrorcommand to disable the creation of nested repositories. For more information on this workaround, see the Unauthorized error thrown while using catalog mirror command with Quay registry Knowledgebase Solution.
Additional resources
Mirroring catalog contents to airgapped registries
If your mirror registry is on a completely disconnected, or airgapped, host, take the following actions.
Procedure
Run the following command on your workstation with unrestricted network access to mirror the content to local files:
$ oc adm catalog mirror \<index_image> \ (1)file:///local/index \ (2)-a ${REG_CREDS} \ (3)--insecure \ (4)--index-filter-by-os='<platform>/<arch>' (5)
1 Specify the index image for the catalog that you want to mirror. For example, this might be a pruned index image that you created previously, or one of the source index images for the default catalogs, such as quay.io/operatorhubio/catalog:latest.2 Specify the content to mirror to local files in your current directory. 3 Optional: If required, specify the location of your registry credentials file. 4 Optional: If you do not want to configure trust for the target registry, add the —insecureflag.5 Optional: Specify which platform and architecture of the index image to select when multiple variants are available. Images are specified as ‘<platform>/<arch>[/<variant>]’. This does not apply to images referenced by the index. Valid values arelinux/amd64,linux/ppc64le,linux/s390x, and.*Example output
...info: Mirroring completed in 5.93s (5.915MB/s)wrote mirroring manifests to manifests-my-index-1614985528 (1)To upload local images to a registry, run:oc adm catalog mirror file://local/index/myrepo/my-index:v1 REGISTRY/REPOSITORY (2)
1 Record the manifests directory name that is generated. This directory is referenced in subsequent procedures. 2 Record the expanded file://path that is based on your provided index image. This path is referenced in a subsequent step.This command creates a
v2/directory in your current directory.Copy the
v2/directory to removable media.Physically remove the media and attach it to a host in the disconnected environment that has access to the mirror registry.
If your mirror registry requires authentication, run the following command on your host in the disconnected environment to log in to the registry:
$ podman login <mirror_registry>
Run the following command from the parent directory containing the
v2/directory to upload the images from local files to the mirror registry:$ oc adm catalog mirror \file://local/index/<repo>/<index_image>:<tag> \ (1)<mirror_registry>:<port>/<namespace> \ (2)-a ${REG_CREDS} \ (3)--insecure \ (4)--index-filter-by-os='<platform>/<arch>' (5)
1 Specify the file://path from the previous command output.2 Specify the target registry and namespace to mirror the Operator contents to, where <namespace>is any existing namespace on the registry. For example, you might create anolm-mirrornamespace to push all mirrored content to.3 Optional: If required, specify the location of your registry credentials file. 4 Optional: If you do not want to configure trust for the target registry, add the —insecureflag.5 Optional: Specify which platform and architecture of the index image to select when multiple variants are available. Images are specified as ‘<platform>/<arch>[/<variant>]’. This does not apply to images referenced by the index. Valid values arelinux/amd64,linux/ppc64le,linux/s390x, and.*Red Hat Quay does not support nested repositories. As a result, running the
oc adm catalog mirrorcommand will fail with a401unauthorized error. As a workaround, you can use the—max-components=2option when running theoc adm catalog mirrorcommand to disable the creation of nested repositories. For more information on this workaround, see the Unauthorized error thrown while using catalog mirror command with Quay registry Knowledgebase Solution.
After you mirror the catalog, you can continue with the remainder of your cluster installation. After your cluster installation has finished successfully, you must specify the manifests directory from this procedure to create the ImageContentSourcePolicy and CatalogSource objects. These objects are required to enable installation of Operators from OperatorHub.
Additional resources
Generated manifests
After mirroring Operator catalog content to your mirror registry, a manifests directory is generated in your current directory.
If you mirrored content to a registry on the same network, the directory name takes the following pattern:
manifests-<index_image_name>-<random_number>
If you mirrored content to a registry on a disconnected host in the previous section, the directory name takes the following pattern:
manifests-index/<namespace>/<index_image_name>-<random_number>
The manifests directory name is referenced in subsequent procedures. |
The manifests directory contains the following files, some of which might require further modification:
The
catalogSource.yamlfile is a basic definition for aCatalogSourceobject that is pre-populated with your index image tag and other relevant metadata. This file can be used as is or modified to add the catalog source to your cluster.If you mirrored the content to local files, you must modify your
catalogSource.yamlfile to remove any backslash (/) characters from themetadata.namefield. Otherwise, when you attempt to create the object, it fails with an “invalid resource name” error.The
imageContentSourcePolicy.yamlfile defines anImageContentSourcePolicyobject that can configure nodes to translate between the image references stored in Operator manifests and the mirrored registry.If your cluster uses an
ImageContentSourcePolicyobject to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.The
mapping.txtfile contains all of the source images and where to map them in the target registry. This file is compatible with theoc image mirrorcommand and can be used to further customize the mirroring configuration.If you used the
—manifests-onlyflag during the mirroring process and want to further trim the subset of packages to mirror, see the steps in the Mirroring a package manifest format catalog image procedure of the OKD 4.7 documentation about modifying yourmapping.txtfile and using the file with theoc image mirrorcommand.
Post-installation requirements
After you mirror the catalog, you can continue with the remainder of your cluster installation. After your cluster installation has finished successfully, you must specify the manifests directory from this procedure to create the ImageContentSourcePolicy and CatalogSource objects. These objects are required to populate and enable installation of Operators from OperatorHub.
Additional resources
Next steps
- Install a cluster on infrastructure that you provision in your restricted network, such as on VMware vSphere, bare metal, or Amazon Web Services.
Additional resources
- See Gathering data about specific features for more information about using must-gather.
