Mirroring the OKD image repository

    The following steps outline the high-level workflow on how to mirror images to a mirror registry:

    1. Install the OpenShift CLI () on all devices being used to retrieve and push release images.

    2. Download the registry pull secret and add it to your cluster.

    3. If you use the oc-mirror OpenShift CLI (oc) plugin:

      1. Install the oc-mirror plugin on all devices being used to retrieve and push release images.

      2. Create an image set configuration file for the plugin to use when determining which release images to mirror. You can edit this configuration file later to change which release images that the plugin mirrors.

      3. Mirror your targeted release images directly to a mirror registry, or to removable media and then to a mirror registry.

      4. Configure your cluster to use the resources generated by the oc-mirror plugin.

      5. Repeat these steps as needed to update your mirror registry.

    4. If you use the :

      1. Set environment variables that correspond to your environment and the release images you want to mirror.

      2. Mirror your targeted release images directly to a mirror registry, or to removable media and then to a mirror registry.

      3. Repeat these steps as needed to update your mirror registry.

    Compared to using the oc adm release mirror command, the oc-mirror plugin has the following advantages:

    • It can mirror content other than container images.

    • After mirroring images for the first time, it is easier to update images in the registry.

    • The oc-mirror plugin provides an automated way to mirror the release payload from Quay, and also builds the latest graph data image for the OpenShift Update Service running in the disconnected environment.

    • You must have a container image registry that supports in the location that will host the OKD cluster, such as Red Hat Quay.

      If you use Red Hat Quay, you must use version 3.6 or later with the oc-mirror plugin. If you have an entitlement to Red Hat Quay, see the documentation on deploying Red Hat Quay for proof-of-concept purposes or . If you need additional assistance selecting and installing a registry, contact your sales representative or Red Hat Support.

      If you do not have an existing solution for a container image registry, the mirror registry for Red Hat OpenShift is included in OKD subscriptions. The mirror registry for Red Hat OpenShift is a small-scale container registry that you can use to mirror OKD container images in disconnected installations and updates.

    Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to the remote location.

    You can install the OpenShift CLI (oc) to interact with OKD from a command-line interface. You can install oc on Linux, Windows, or macOS.

    If you installed an earlier version of oc, you cannot use it to complete all of the commands in OKD 4.13. Download and install the new version of oc. If you are upgrading a cluster in a disconnected environment, install the oc version that you plan to upgrade to.

    Installing the OpenShift CLI on Linux

    You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.

    Procedure

    1. Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.

    2. Download oc.tar.gz.

    3. Unpack the archive:

    4. Place the oc binary in a directory that is on your PATH.

      To check your PATH, execute the following command:

      1. $ echo $PATH

    After you install the OpenShift CLI, it is available using the oc command:

    1. $ oc <command>

    Installing the OpenShift CLI on Windows

    You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.

    Procedure

    1. Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.

    2. Download oc.zip.

    3. Unzip the archive with a ZIP program.

    4. Move the oc binary to a directory that is on your PATH.

      To check your PATH, open the command prompt and execute the following command:

      1. C:\> path

    After you install the OpenShift CLI, it is available using the oc command:

    1. C:\> oc <command>

    Installing the OpenShift CLI on macOS

    You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.

    Procedure

    1. Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.

    2. Download oc.tar.gz.

    3. Unpack and unzip the archive.

    4. Move the oc binary to a directory on your PATH.

      To check your PATH, open a terminal and execute the following command:

      1. $ echo $PATH

    After you install the OpenShift CLI, it is available using the oc command:

    1. $ oc <command>

    Additional resources

    Configuring credentials that allow images to be mirrored

    Create a container image registry credentials file that allows mirroring images from Red Hat to your mirror.

    Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry.

    This process requires that you have write access to a container image registry on the mirror registry and adds the credentials to a registry pull secret.

    Prerequisites

    • You configured a mirror registry to use in your disconnected environment.

    • You identified an image repository location on your mirror registry to mirror images into.

    • You provisioned a mirror registry account that allows images to be uploaded to that image repository.

    Procedure

    Complete the following steps on the installation host:

    1. Generate the base64-encoded user name and password or token for your mirror registry:

      1. $ echo -n '<user_name>:<password>' | base64 -w0 (1)
      2. BGVtbYk3ZHAtqXs=
      1For <user_name> and <password>, specify the user name and password that you configured for your registry.
    2. Create a .json file and add a section that describes your registry to it:

      1. {
      2. "auths": {
      3. "<mirror_registry>": { (1)
      4. "auth": "<credentials>", (2)
      5. "email": "you@example.com"
      6. }
      7. }
      8. }
      1For <mirror_registry>, specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example, registry.example.com or registry.example.com:8443
      2For <credentials>, specify the base64-encoded user name and password for the mirror registry.

    You can use the oc-mirror OpenShift CLI (oc) plugin to mirror images to a mirror registry in your fully or partially disconnected environments. You must run oc-mirror from a system with internet connectivity to download the required images from the official Red Hat registries.

    About the oc-mirror plugin

    You can use the oc-mirror OpenShift CLI (oc) plugin to mirror all required OKD content and other images to your mirror registry by using a single tool. It provides the following features:

    • Provides a centralized method to mirror OKD releases, Operators, helm charts, and other images.

    • Maintains update paths for OKD and Operators.

    • Uses a declarative image set configuration file to include only the OKD releases, Operators, and images that your cluster needs.

    • Performs incremental mirroring, which reduces the size of future image sets.

    • Prunes images from the target mirror registry that were excluded from the image set configuration since the previous execution.

    • Optionally generates supporting artifacts for OpenShift Update Service (OSUS) usage.

    When using the oc-mirror plugin, you specify which content to mirror in an image set configuration file. In this YAML file, you can fine-tune the configuration to only include the OKD releases and Operators that your cluster needs. This reduces the amount of data that you need to download and transfer. The oc-mirror plugin can also mirror arbitrary helm charts and additional container images to assist users in seamlessly synchronizing their workloads onto mirror registries.

    The first time you run the oc-mirror plugin, it populates your mirror registry with the required content to perform your disconnected cluster installation or update. In order for your disconnected cluster to continue receiving updates, you must keep your mirror registry updated. To update your mirror registry, you run the oc-mirror plugin using the same configuration as the first time you ran it. The oc-mirror plugin references the metadata from the storage backend and only downloads what has been released since the last time you ran the tool. This provides update paths for OKD and Operators and performs dependency resolution as required.

    When using the oc-mirror CLI plugin to populate a mirror registry, any further updates to the mirror registry must be made using the oc-mirror tool.

    oc-mirror compatibility and support

    The oc-mirror plugin supports mirroring OKD payload images and Operator catalogs for OKD versions 4.10 and later.

    Use the latest available version of the oc-mirror plugin regardless of which versions of OKD you need to mirror.

    If you used the Technology Preview OCI local catalogs feature for the oc-mirror plugin for OKD 4.12, you can no longer use the OCI local catalogs feature of the oc-mirror plugin to copy a catalog locally and convert it to OCI format as a first step to mirroring to a fully disconnected cluster.

    About the mirror registry

    You can mirror the images that are required for OKD installation and subsequent product updates to a container mirror registry that supports , such as Red Hat Quay. If you do not have access to a large-scale container registry, you can use the mirror registry for Red Hat OpenShift, which is a small-scale container registry included with OKD subscriptions.

    Regardless of your chosen registry, the procedure to mirror content from Red Hat hosted sites on the internet to an isolated image registry is the same. After you mirror the content, you configure each cluster to retrieve this content from your mirror registry.

    The OpenShift image registry cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process.

    If choosing a container registry that is not the mirror registry for Red Hat OpenShift, it must be reachable by every machine in the clusters that you provision. If the registry is unreachable, installation, updating, or normal operations such as workload relocation might fail. For that reason, you must run mirror registries in a highly available way, and the mirror registries must at least match the production availability of your OKD clusters.

    When you populate your mirror registry with OKD images, you can follow two scenarios. If you have a host that can access both the internet and your mirror registry, but not your cluster nodes, you can directly mirror the content from that machine. This process is referred to as connected mirroring. If you have no such host, you must mirror the images to a file system and then bring that host or removable media into your restricted environment. This process is referred to as disconnected mirroring.

    For mirrored registries, to view the source of pulled images, you must review the Trying to access log entry in the CRI-O logs. Other methods to view the image pull source, such as using the crictl images command on a node, show the non-mirrored image name, even though the image is pulled from the mirrored location.

    Red Hat does not test third party registries with OKD.

    Additional resources

    To use the oc-mirror OpenShift CLI plugin to mirror registry images, you must install the plugin. If you are mirroring image sets in a fully disconnected environment, ensure that you install the oc-mirror plugin on the host with internet access and the host in the disconnected environment with access to the mirror registry.

    Prerequisites

    • You have installed the OpenShift CLI (oc).

    Procedure

    1. Download the oc-mirror CLI plugin.

      1. Navigate to the Downloads page of the .

      2. Under the OpenShift disconnected installation tools section, click Download for OpenShift Client (oc) mirror plugin and save the file.

    2. Extract the archive:

      1. $ tar xvzf oc-mirror.tar.gz
    3. If necessary, update the plugin file to be executable:

      1. $ chmod +x oc-mirror

      Do not rename the oc-mirror file.

    4. Install the oc-mirror CLI plugin by placing the file in your PATH, for example, /usr/local/bin:

      1. $ sudo mv oc-mirror /usr/local/bin/.

    Verification

    • Run oc mirror help to verify that the plugin was successfully installed:

      1. $ oc-mirror help

    Creating the image set configuration

    Before you can use the oc-mirror plugin to mirror image sets, you must create an image set configuration file. This image set configuration file defines which OKD releases, Operators, and other images to mirror, along with other configuration settings for the oc-mirror plugin.

    You must specify a storage backend in the image set configuration file. This storage backend can be a local directory or a registry that supports . The oc-mirror plugin stores metadata in this storage backend during image set creation.

    Do not delete or modify the metadata that is generated by the oc-mirror plugin. You must use the same storage backend every time you run the oc-mirror plugin for the same mirror registry.

    Prerequisites

    • You have created a container image registry credentials file. For instructions, see Configuring credentials that allow images to be mirrored.

    Procedure

    1. Use the oc mirror init command to create a template for the image set configuration and save it to a file called imageset-config.yaml:

      1. $ oc mirror init --registry example.com/mirror/oc-mirror-metadata > imageset-config.yaml (1)
      1Replace example.com/mirror/oc-mirror-metadata with the location of your registry for the storage backend.
    2. Edit the file and adjust the settings as necessary:

      1. kind: ImageSetConfiguration
      2. apiVersion: mirror.openshift.io/v1alpha2
      3. archiveSize: 4 (1)
      4. storageConfig: (2)
      5. registry:
      6. imageURL: example.com/mirror/oc-mirror-metadata (3)
      7. skipTLS: false
      8. mirror:
      9. platform:
      10. channels:
      11. - name: stable-4.13 (4)
      12. type: ocp
      13. graph: true (5)
      14. operators:
      15. - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.13 (6)
      16. packages:
      17. - name: serverless-operator (7)
      18. channels:
      19. - name: stable (8)
      20. additionalImages:
      21. - name: registry.redhat.io/ubi9/ubi:latest (9)
      22. helm: {}

      See Image set configuration parameters for the full list of parameters and Image set configuration examples for various mirroring use cases.

    3. Save the updated file.

      This image set configuration file is required by the oc mirror command when mirroring content.

    Additional resources

    Mirroring an image set to a mirror registry

    You can use the oc-mirror CLI plugin to mirror images to a mirror registry in a or in a fully disconnected environment.

    The following procedures assume that you already have your mirror registry set up.

    Mirroring an image set in a partially disconnected environment

    In a partially disconnected environment, you can mirror an image set directly to the target mirror registry.

    Mirroring from mirror to mirror

    You can use the oc-mirror plugin to mirror an image set directly to a target mirror registry that is accessible during image set creation.

    You are required to specify a storage backend in the image set configuration file. This storage backend can be a local directory or a Docker v2 registry. The oc-mirror plugin stores metadata in this storage backend during image set creation.

    Do not delete or modify the metadata that is generated by the oc-mirror plugin. You must use the same storage backend every time you run the oc-mirror plugin for the same mirror registry.

    Prerequisites

    • You have access to the internet to obtain the necessary container images.

    • You have installed the OpenShift CLI (oc).

    • You have installed the oc-mirror CLI plugin.

    • You have created the image set configuration file.

    Procedure

    • Run the oc mirror command to mirror the images from the specified image set configuration to a specified registry:

      1. $ oc mirror --config=./imageset-config.yaml \(1)
      2. docker://registry.example:5000 (2)
      1Pass in the image set configuration file that was created. This procedure assumes that it is named imageset-config.yaml.
      2Specify the registry to mirror the image set file to. The registry must start with docker://. If you specify a top-level namespace for the mirror registry, you must also use this same namespace on subsequent executions.

    Verification

    1. Navigate into the oc-mirror-workspace/ directory that was generated.

    2. Navigate into the results directory, for example, results-1639608409/.

    3. Verify that YAML files are present for the ImageContentSourcePolicy and CatalogSource resources.

    Next steps

    • Configure your cluster to use the resources generated by oc-mirror.

    Mirroring an image set in a fully disconnected environment

    To mirror an image set in a fully disconnected environment, you must first mirror the image set to disk, then .

    Mirroring from mirror to disk

    You can use the oc-mirror plugin to generate an image set and save the contents to disk. The generated image set can then be transferred to the disconnected environment and mirrored to the target registry.

    Depending on the configuration specified in the image set configuration file, using oc-mirror to mirror images might download several hundreds of gigabytes of data to disk.

    The initial image set download when you populate the mirror registry is often the largest. Because you only download the images that changed since the last time you ran the command, when you run the oc-mirror plugin again, the generated image set is often smaller.

    You are required to specify a storage backend in the image set configuration file. This storage backend can be a local directory or a docker v2 registry. The oc-mirror plugin stores metadata in this storage backend during image set creation.

    Do not delete or modify the metadata that is generated by the oc-mirror plugin. You must use the same storage backend every time you run the oc-mirror plugin for the same mirror registry.

    Prerequisites

    • You have access to the internet to obtain the necessary container images.

    • You have installed the OpenShift CLI (oc).

    • You have installed the oc-mirror CLI plugin.

    • You have created the image set configuration file.

    Procedure

    • Run the oc mirror command to mirror the images from the specified image set configuration to disk:

      1. $ oc mirror --config=./imageset-config.yaml \(1)
      2. file://<path_to_output_directory> (2)
      1Pass in the image set configuration file that was created. This procedure assumes that it is named imageset-config.yaml.
      2Specify the target directory where you want to output the image set file. The target directory path must start with file://.

    Verification

    1. Navigate to your output directory:

      1. $ cd <path_to_output_directory>
    2. Verify that an image set .tar file was created:

      1. $ ls

      Example output

      1. mirror_seq1_000000.tar

    Next steps

    • Transfer the image set .tar file to the disconnected environment.
    Mirroring from disk to mirror

    You can use the oc-mirror plugin to mirror the contents of a generated image set to the target mirror registry.

    Prerequisites

    • You have installed the OpenShift CLI (oc) in the disconnected environment.

    • You have installed the oc-mirror CLI plugin in the disconnected environment.

    • You have generated the image set file by using the oc mirror command.

    • You have transferred the image set file to the disconnected environment.

    Procedure

    • Run the oc mirror command to process the image set file on disk and mirror the contents to a target mirror registry:

      1Pass in the image set .tar file to mirror, named mirror_seq1_000000.tar in this example. If an archiveSize value was specified in the image set configuration file, the image set might be broken up into multiple .tar files. In this situation, you can pass in a directory that contains the image set .tar files.
      2Specify the registry to mirror the image set file to. The registry must start with docker://. If you specify a top-level namespace for the mirror registry, you must also use this same namespace on subsequent executions.

      This command updates the mirror registry with the image set and generates the ImageContentSourcePolicy and CatalogSource resources.

    Verification

    1. Navigate into the oc-mirror-workspace/ directory that was generated.

    2. Navigate into the results directory, for example, results-1639608409/.

    3. Verify that YAML files are present for the ImageContentSourcePolicy and CatalogSource resources.

    Next steps

    • Configure your cluster to use the resources generated by oc-mirror.

    Configuring your cluster to use the resources generated by oc-mirror

    After you have mirrored your image set to the mirror registry, you must apply the generated ImageContentSourcePolicy, CatalogSource, and release image signature resources into the cluster.

    The ImageContentSourcePolicy resource associates the mirror registry with the source registry and redirects image pull requests from the online registries to the mirror registry. The CatalogSource resource is used by Operator Lifecycle Manager (OLM) to retrieve information about the available Operators in the mirror registry. The release image signatures are used to verify the mirrored release images.

    Prerequisites

    • You have mirrored the image set to the registry mirror in the disconnected environment.

    • You have access to the cluster as a user with the cluster-admin role.

    Procedure

    1. Log in to the OpenShift CLI as a user with the cluster-admin role.

      1. $ oc apply -f ./oc-mirror-workspace/results-1639608409/
    2. Apply the release image signatures to the cluster by running the following command:

      1. $ oc apply -f ./oc-mirror-workspace/results-1639608409/release-signatures/

    Verification

    1. Verify that the ImageContentSourcePolicy resources were successfully installed by running the following command:

      1. $ oc get imagecontentsourcepolicy --all-namespaces
    2. Verify that the CatalogSource resources were successfully installed by running the following command:

      1. $ oc get catalogsource --all-namespaces

    Keeping your mirror registry content updated

    After you populate your target mirror registry with the initial image set, you must update it regularly so that it has the latest content. If possible, you can set up a cron job to update the mirror registry on a regular basis.

    Update your image set configuration to add or remove OKD and Operator releases as necessary. Removed images are pruned from the mirror registry.

    About updating your mirror registry content

    When you run the oc-mirror plugin again, it generates an image set that only contains new and updated images since the previous execution. Because it only pulls in the differences since the previous image set was created, the generated image set is often smaller and faster to process than the initial image set.

    Generated image sets are sequential and must be pushed to the target mirror registry in order. You can derive the sequence number from the file name of the generated image set archive file.

    Adding new and updated images

    Depending on the settings in your image set configuration, future executions of oc-mirror can mirror additional new and updated images. Review the settings in your image set configuration to ensure that you are retrieving new versions as necessary. For example, you can set the minimum and maximum versions of Operators to mirror if you want to restrict to specific versions. Alternatively, you can set the minimum version as a starting point to mirror, but keep the version range open so you keep receiving new Operator versions on future executions of oc-mirror. Omitting any minimum or maximum version gives you the full version history of an Operator in a channel. Omitting explicitly named channels gives you all releases in all channels of the specified Operator. Omitting any named Operator gives you the entire catalog of all Operators and all their versions ever released.

    All these constraints and conditions are evaluated against the publicly released content by Red Hat on every invocation of oc-mirror. This way, it automatically picks up new releases and entirely new Operators. Constraints can be specified by only listing a desired set of Operators, which will not automatically add other newly released Operators into the mirror set. You can also specify a particular release channel, which limits mirroring to just this channel and not any new channels that have been added. This is important for Operator products, such as Red Hat Quay, that use different release channels for their minor releases. Lastly, you can specify a maximum version of a particular Operator, which causes the tool to only mirror the specified version range so that you do not automatically get any newer releases past the maximum version mirrored. In all these cases, you must update the image set configuration file to broaden the scope of the mirroring of Operators to get other Operators, new channels, and newer versions of Operators to be available in your target registry.

    It is recommended to align constraints like channel specification or version ranges with the release strategy that a particular Operator has chosen. For example, when the Operator uses a stable channel, you should restrict mirroring to that channel and potentially a minimum version to find the right balance between download volume and getting stable updates regularly. If the Operator chooses a release version channel scheme, for example stable-3.7, you should mirror all releases in that channel. This allows you to keep receiving patch versions of the Operator, for example 3.7.1. You can also regularly adjust the image set configuration to add channels for new product releases, for example stable-3.8.

    Pruning images

    Images are pruned automatically from the target mirror registry if they are no longer included in the latest image set that was generated and mirrored. This allows you to easily manage and clean up unneeded content and reclaim storage resources.

    If there are OKD releases or Operator versions that you no longer need, you can modify your image set configuration to exclude them, and they will be pruned from the mirror registry upon mirroring. This can be done by adjusting a minimum or maximum version range setting per Operator in the image set configuration file or by deleting the Operator from the list of Operators to mirror from the catalog. You can also remove entire Operator catalogs or entire OKD releases from the configuration file.

    If there are no new or updated images to mirror, the excluded images are not pruned from the target mirror registry. Additionally, if an Operator publisher removes an Operator version from a channel, the removed versions are pruned from the target mirror registry.

    To disable automatic pruning of images from the target mirror registry, pass the --skip-pruning flag to the oc mirror command.

    Updating your mirror registry content

    After you publish the initial image set to the mirror registry, you can use the oc-mirror plugin to keep your disconnected clusters updated.

    Depending on your image set configuration, oc-mirror automatically detects newer releases of OKD and your selected Operators that have been released after you completed the inital mirror. It is recommended to run oc-mirror at regular intervals, for example in a nightly cron job, to receive product and security updates on a timely basis.

    Prerequisites

    • You have used the oc-mirror plugin to mirror the initial image set to your mirror registry.

    • You have access to the storage backend that was used for the initial execution of the oc-mirror plugin.

      You must use the same storage backend as the initial execution of oc-mirror for the same mirror registry. Do not delete or modify the metadata image that is generated by the oc-mirror plugin.

    Procedure

    1. If necessary, update your image set configuration file to pick up new OKD and Operator versions. See Image set configuration examples for example mirroring use cases.

    2. Follow the same steps that you used to mirror your initial image set to the mirror registry. For instructions, see Mirroring an image set in a partially disconnected environment or Mirroring an image set in a fully disconnected environment.

      • You must provide the same storage backend so that only a differential image set is created and mirrored.

      • If you specified a top-level namespace for the mirror registry during the initial image set creation, then you must use this same namespace every time you run the oc-mirror plugin for the same mirror registry.

    3. Configure your cluster to use the resources generated by oc-mirror.

    Additional resources

    You can use oc-mirror to perform a dry run, without actually mirroring any images. This allows you to review the list of images that would be mirrored, as well as any images that would be pruned from the mirror registry. It also allows you to catch any errors with your image set configuration early or use the generated list of images with other tools to carry out the mirroring operation.

    Prerequisites

    • You have access to the internet to obtain the necessary container images.

    • You have installed the OpenShift CLI (oc).

    • You have installed the oc-mirror CLI plugin.

    • You have created the image set configuration file.

    Procedure

    1. Run the oc mirror command with the --dry-run flag to perform a dry run:

      1. $ oc mirror --config=./imageset-config.yaml \(1)
      2. docker://registry.example:5000 \(2)
      3. --dry-run (3)
      1Pass in the image set configuration file that was created. This procedure assumes that it is named imageset-config.yaml.
      2Specify the mirror registry. Nothing is mirrored to this registry as long as you use the —dry-run flag.
      3Use the —dry-run flag to generate the dry run artifacts and not an actual image set file.

      Example output

      1. Checking push permissions for registry.example:5000
      2. Creating directory: oc-mirror-workspace/src/publish
      3. Creating directory: oc-mirror-workspace/src/v2
      4. Creating directory: oc-mirror-workspace/src/charts
      5. Creating directory: oc-mirror-workspace/src/release-signatures
      6. No metadata detected, creating new workspace
      7. wrote mirroring manifests to oc-mirror-workspace/operators.1658342351/manifests-redhat-operator-index
      8. ...
      9. info: Planning completed in 31.48s
      10. info: Dry run complete
      11. Writing image mapping to oc-mirror-workspace/mapping.txt
    2. Navigate into the workspace directory that was generated:

      1. $ cd oc-mirror-workspace/
    3. Review the mapping.txt file that was generated.

      This file contains a list of all images that would be mirrored.

    4. Review the pruning-plan.json file that was generated.

      This file contains a list of all images that would be pruned from the mirror registry when the image set is published.

      The pruning-plan.json file is only generated if your oc-mirror command points to your mirror registry and there are images to be pruned.

    Including local OCI Operator catalogs

    While mirroring OKD releases, Operator catalogs, and additional images from a registry to a partially disconnected cluster, you can include Operator catalog images from a local file-based catalog on disk. The local catalog must be in the Open Container Initiative (OCI) format.

    The local catalog and its contents are mirrored to your target mirror registry based on the filtering information in the image set configuration file.

    When mirroring local OCI catalogs, any OKD releases or additional images that you want to mirror along with the local OCI-formatted catalog must be pulled from a registry.

    You cannot mirror OCI catalogs along with an oc-mirror image set file on disk.

    One example use case for using the OCI feature is if you have a CI/CD system building an OCI catalog to a location on disk, and you want to mirror that OCI catalog along with an OKD release to your mirror registry.

    Prerequisites

    • You have access to the internet to obtain the necessary container images.

    • You have installed the OpenShift CLI (oc).

    • You have installed the oc-mirror CLI plugin.

    Procedure

    1. Create the image set configuration file and adjust the settings as necessary.

      The following example image set configuration mirrors an OCI catalog on disk along with an OKD release and a UBI image from registry.redhat.io.

      1. kind: ImageSetConfiguration
      2. storageConfig:
      3. local:
      4. path: /home/user/metadata (1)
      5. mirror:
      6. platform:
      7. channels:
      8. - name: stable-4.13 (2)
      9. type: ocp
      10. graph: false
      11. operators:
      12. - catalog: oci:///home/user/oc-mirror/my-oci-catalog (3)
      13. packages:
      14. - name: aws-load-balancer-operator
      15. - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.13 (4)
      16. packages:
      17. - name: rhacs-operator
      18. additionalImages:
      19. - name: registry.redhat.io/ubi9/ubi:latest (5)
      1Set the back-end location to save the image set metadata to. This location can be a registry or local directory. It is required to specify storageConfig values.
      2Optionally, include an OKD release to mirror from registry.redhat.io.
      3Specify the absolute path to the location of the OCI catalog on disk. The path must start with oci:// when using the OCI feature.
      4Optionally, specify additional Operator catalogs to pull from a registry.
      5Optionally, specify additional images to pull from a registry.
    2. Run the oc mirror command to mirror the OCI catalog to a target mirror registry:

      1. $ oc mirror --config=./imageset-config.yaml \ (1)
      2. --include-local-oci-catalogs (2)
      3. docker://registry.example:5000 (3)
      1Pass in the image set configuration file. This procedure assumes that it is named imageset-config.yaml.
      2Use the —include-local-oci-catalogs flag to enable mirroring local OCI catalogs along with other remote content.
      3Specify the registry to mirror the content to. The registry must start with docker://. If you specify a top-level namespace for the mirror registry, you must also use this same namespace on subsequent executions.

      Optionally, you can specify other flags to adjust the behavior of the OCI feature:

      --oci-insecure-signature-policy

      Do not push signatures to the target mirror registry.

      --oci-registries-config

      Specify the path to a TOML-formatted registries.conf file. You can use this to mirror from a different registry, such as a pre-production location for testing, without having to change the image set configuration file. This flag only affects local OCI catalogs, not any other mirrored content.

      Example registries.conf file

      1. [[registry]]
      2. location = "registry.redhat.io:5000"
      3. insecure = false
      4. blocked = false
      5. mirror-by-digest-only = true
      6. prefix = ""
      7. [[registry.mirror]]
      8. location = "preprod-registry.example.com"
      9. insecure = false

    Next steps

    • Configure your cluster to use the resources generated by oc-mirror.

    Additional resources

    Image set configuration parameters

    The oc-mirror plugin requires an image set configuration file that defines what images to mirror. The following table lists the available parameters for the ImageSetConfiguration resource.

    Table 1. ImageSetConfiguration parameters
    ParameterDescriptionValues

    apiVersion

    The API version for the ImageSetConfiguration content.

    String. For example: mirror.openshift.io/v1alpha2.

    archiveSize

    The maximum size, in GiB, of each archive file within the image set.

    Integer. For example: 4

    mirror

    The configuration of the image set.

    Object

    mirror.additionalImages

    The additional images configuration of the image set.

    Array of objects. For example:

    1. additionalImages:
    2. - name: registry.redhat.io/ubi8/ubi:latest

    mirror.additionalImages.name

    The tag or digest of the image to mirror.

    String. For example: registry.redhat.io/ubi8/ubi:latest

    mirror.blockedImages

    The full tag, digest, or pattern of images to block from mirroring.

    Array of strings. For example: docker.io/library/alpine

    mirror.helm

    The helm configuration of the image set. Note that the oc-mirror plugin supports only helm charts that do not require user input when rendered.

    Object

    mirror.helm.local

    The local helm charts to mirror.

    Array of objects. For example:

    1. local:
    2. - name: podinfo
    3. path: /test/podinfo-5.0.0.tar.gz

    mirror.helm.local.name

    The name of the local helm chart to mirror.

    String. For example: podinfo.

    mirror.helm.local.path

    The path of the local helm chart to mirror.

    String. For example: /test/podinfo-5.0.0.tar.gz.

    mirror.helm.repositories

    The remote helm repositories to mirror from.

    Array of objects. For example:

    1. repositories:
    2. - name: podinfo
    3. url: https://example.github.io/podinfo
    4. charts:
    5. - name: podinfo
    6. version: 5.0.0

    mirror.helm.repositories.name

    The name of the helm repository to mirror from.

    String. For example: podinfo.

    mirror.helm.repositories.url

    The URL of the helm repository to mirror from.

    String. For example: .

    mirror.helm.repositories.charts

    The remote helm charts to mirror.

    Array of objects.

    mirror.helm.repositories.charts.name

    The name of the helm chart to mirror.

    String. For example: podinfo.

    mirror.helm.repositories.charts.version

    The version of the named helm chart to mirror.

    String. For example: 5.0.0.

    mirror.operators

    The Operators configuration of the image set.

    Array of objects. For example:

    1. operators:
    2. - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.13
    3. packages:
    4. - name: elasticsearch-operator
    5. minVersion: 2.4.0

    mirror.operators.catalog

    The Operator catalog to include in the image set.

    String. For example: registry.redhat.io/redhat/redhat-operator-index:v4.13.

    mirror.operators.full

    When true, downloads the full catalog, Operator package, or Operator channel.

    Boolean. The default value is false.

    mirror.operators.packages

    The Operator packages configuration.

    Array of objects. For example:

    1. - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.13
    2. packages:
    3. - name: elasticsearch-operator
    4. minVersion: 5.2.3-31

    mirror.operators.packages.name

    The Operator package name to include in the image set

    String. For example: elasticsearch-operator.

    mirror.operators.packages.channels

    The Operator package channel configuration.

    Object

    mirror.operators.packages.channels.name

    The Operator channel name, unique within a package, to include in the image set.

    String. For example: fast or stable-v4.13.

    mirror.operators.packages.channels.maxVersion

    The highest version of the Operator mirror across all channels in which it exists.

    String. For example: 5.2.3-31

    mirror.operators.packages.channels.minBundle

    The name of the minimum bundle to include, plus all bundles in the upgrade graph to the channel head. Set this field only if the named bundle has no semantic version metadata.

    String. For example: bundleName

    mirror.operators.packages.channels.minVersion

    The lowest version of the Operator to mirror across all channels in which it exists.

    String. For example: 5.2.3-31

    mirror.operators.packages.maxVersion

    The highest version of the Operator to mirror across all channels in which it exists.

    String. For example: 5.2.3-31.

    mirror.operators.packages.minVersion

    The lowest version of the Operator to mirror across all channels in which it exists.

    String. For example: 5.2.3-31.

    mirror.operators.skipDependencies

    If true, dependencies of bundles are not included.

    Boolean. The default value is false.

    mirror.operators.targetCatalog

    An alternative name and optional namespace hierarchy to mirror the referenced catalog as.

    String. For example: my-namespace/my-operator-catalog

    mirror.operators.targetName

    An alternative name to mirror the referenced catalog as.

    The targetName parameter is deprecated. Use the targetCatalog parameter instead.

    String. For example: my-operator-catalog

    mirror.operators.targetTag

    String. For example: v1

    mirror.platform

    The platform configuration of the image set.

    Object

    mirror.platform.architectures

    The architecture of the platform release payload to mirror.

    Array of strings. For example:

    1. architectures:
    2. - amd64
    3. - arm64

    mirror.platform.channels

    The platform channel configuration of the image set.

    Array of objects. For example:

    1. channels:
    2. - name: stable-4.10
    3. - name: stable-4.13

    mirror.platform.channels.full

    When true, sets the minVersion to the first release in the channel and the maxVersion to the last release in the channel.

    Boolean. The default value is false.

    mirror.platform.channels.name

    The name of the release channel.

    String. For example: stable-4.13

    mirror.platform.channels.minVersion

    The minimum version of the referenced platform to be mirrored.

    String. For example: 4.12.6

    mirror.platform.channels.maxVersion

    The highest version of the referenced platform to be mirrored.

    String. For example: 4.13.1

    mirror.platform.channels.shortestPath

    Toggles shortest path mirroring or full range mirroring.

    Boolean. The default value is false.

    mirror.platform.channels.type

    The type of the platform to be mirrored.

    String. For example: ocp or okd. The default is ocp.

    mirror.platform.graph

    Indicates whether the OSUS graph is added to the image set and subsequently published to the mirror.

    Boolean. The default value is false.

    storageConfig

    The back-end configuration of the image set.

    Object

    storageConfig.local

    The local back-end configuration of the image set.

    Object

    storageConfig.local.path

    The path of the directory to contain the image set metadata.

    String. For example: ./path/to/dir/.

    storageConfig.registry

    The registry back-end configuration of the image set.

    Object

    storageConfig.registry.imageURL

    The back-end registry URI. Can optionally include a namespace reference in the URI.

    String. For example: quay.io/myuser/imageset:metadata.

    storageConfig.registry.skipTLS

    Optionally skip TLS verification of the referenced back-end registry.

    Boolean. The default value is false.

    Image set configuration examples

    The following ImageSetConfiguration file examples show the configuration for various mirroring use cases.

    Use case: Including arbitrary images and helm charts

    The following ImageSetConfiguration file uses a registry storage backend and includes helm charts and an additional Red Hat Universal Base Image (UBI).

    Example ImageSetConfiguration file

    1. apiVersion: mirror.openshift.io/v1alpha2
    2. kind: ImageSetConfiguration
    3. archiveSize: 4
    4. storageConfig:
    5. registry:
    6. imageURL: example.com/mirror/oc-mirror-metadata
    7. skipTLS: false
    8. mirror:
    9. platform:
    10. architectures:
    11. - "s390x"
    12. channels:
    13. operators:
    14. - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.13
    15. helm:
    16. repositories:
    17. - name: redhat-helm-charts
    18. url: https://raw.githubusercontent.com/redhat-developer/redhat-helm-charts/master
    19. charts:
    20. - name: ibm-mongodb-enterprise-helm
    21. version: 0.2.0
    22. additionalImages:
    23. - name: registry.redhat.io/ubi9/ubi:latest

    Use case: Including Operator versions from a minimum to the latest

    The following ImageSetConfiguration file uses a local storage backend and includes only the Red Hat Advanced Cluster Security for Kubernetes Operator, versions starting at 3.68.0 and later in the latest channel.

    Example ImageSetConfiguration file

    1. apiVersion: mirror.openshift.io/v1alpha2
    2. kind: ImageSetConfiguration
    3. storageConfig:
    4. local:
    5. path: /home/user/metadata
    6. mirror:
    7. operators:
    8. - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.13
    9. packages:
    10. - name: rhacs-operator
    11. channels:
    12. - name: latest
    13. minVersion: 3.68.0

    Use case: Including the shortest OKD upgrade path

    The following ImageSetConfiguration file uses a local storage backend and includes all OKD versions along the shortest upgrade path from the minimum version of 4.11.37 to the maximum version of 4.12.15.

    Example ImageSetConfiguration file

    Use case: Including all versions of OKD from a minimum to the latest

    The following ImageSetConfiguration file uses a registry storage backend and includes all OKD versions starting at a minimum version of 4.10.10 to the latest version in the channel.

    On every invocation of oc-mirror with this image set configuration, the latest release of the stable-4.10 channel is evaluated, so running oc-mirror at regular intervals ensures that you automatically receive the latest releases of OKD images.

    Example ImageSetConfiguration file

    1. apiVersion: mirror.openshift.io/v1alpha2
    2. kind: ImageSetConfiguration
    3. storageConfig:
    4. registry:
    5. imageURL: example.com/mirror/oc-mirror-metadata
    6. skipTLS: false
    7. mirror:
    8. platform:
    9. channels:
    10. - name: stable-4.10
    11. minVersion: 4.10.10

    Use case: Including Operator versions from a minimum to a maximum

    The following ImageSetConfiguration file uses a local storage backend and includes only an example Operator, versions starting at 1.0.0 through 2.0.0 in the stable channel.

    This allows you to only mirror a specific version range of a particular Operator. As time progresses, you can use these settings to adjust the version to newer releases, for example when you no longer have version 1.0.0 running anywhere anymore. In this scenario, you can increase the minVersion to something newer, for example 1.5.0. When oc-mirror runs again with the updated version range, it automatically detects that any releases older than 1.5.0 are no longer required and deletes those from the registry to conserve storage space.

    Example ImageSetConfiguration file

    1. apiVersion: mirror.openshift.io/v1alpha2
    2. kind: ImageSetConfiguration
    3. storageConfig:
    4. local:
    5. path: /home/user/metadata
    6. mirror:
    7. operators:
    8. - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10
    9. packages:
    10. - name: example-operator
    11. channels:
    12. - name: stable
    13. minVersion: '1.0.0'
    14. maxVersion: '2.0.0'

    Use case: Including the Nutanix CSI Operator

    The following ImageSetConfiguration file uses a local storage backend and includes the Nutanix CSI Operator, the OpenShift Update Service (OSUS) graph image, and an additional Red Hat Universal Base Image (UBI).

    Example ImageSetConfiguration file

    1. kind: ImageSetConfiguration
    2. apiVersion: mirror.openshift.io/v1alpha2
    3. storageConfig:
    4. registry:
    5. imageURL: mylocalregistry/ocp-mirror/openshift4
    6. skipTLS: false
    7. mirror:
    8. platform:
    9. channels:
    10. - name: stable-4.11
    11. type: ocp
    12. graph: true
    13. operators:
    14. - catalog: registry.redhat.io/redhat/certified-operator-index:v4.11
    15. packages:
    16. - name: nutanixcsioperator
    17. channels:
    18. - name: stable
    19. additionalImages:
    20. - name: registry.redhat.io/ubi9/ubi:latest

    Command reference for oc-mirror

    The following tables describe the oc mirror subcommands and flags:

    Table 2. oc mirror subcommands
    SubcommandDescription

    completion

    Generate the autocompletion script for the specified shell.

    describe

    Output the contents of an image set.

    help

    Show help about any subcommand.

    init

    Output an initial image set configuration template.

    list

    List available platform and Operator content and their version.

    version

    Output the oc-mirror version.

    Table 3. oc mirror flags
    FlagDescription

    -c, —config <string>

    Specify the path to an image set configuration file.

    —continue-on-error

    If any non image-pull related error occurs, continue and attempt to mirror as much as possible.

    —dest-skip-tls

    Disable TLS validation for the target registry.

    —dest-use-http

    Use plain HTTP for the target registry.

    —dry-run

    Print actions without mirroring images. Generates mapping.txt and pruning-plan.json files.

    —from <string>

    Specify the path to an image set archive that was generated by an execution of oc-mirror to load into a target registry.

    -h, —help

    Show the help.

    —ignore-history

    Ignore past mirrors when downloading images and packing layers. Disables incremental mirroring and might download more data.

    —include-local-oci-catalogs

    Enable mirroring for local OCI catalogs on disk to the target mirror registry.

    —manifests-only

    Generate manifests for ImageContentSourcePolicy objects to configure a cluster to use the mirror registry, but do not actually mirror any images.

    —max-nested-paths <int>

    Specify the maximum number of nested paths for destination registries that limit nested paths. The default is 2.

    —max-per-registry <int>

    Specify the number of concurrent requests allowed per registry. The default is 6.

    —oci-insecure-signature-policy

    Do not push signatures when mirroring local OCI catalogs (with —include-local-oci-catalogs).

    —oci-registries-config

    Provide a registries configuration file to specify an alternative registry location to copy from when mirroring local OCI catalogs (with —include-local-oci-catalogs).

    —skip-cleanup

    Skip removal of artifact directories.

    —skip-image-pin

    Do not replace image tags with digest pins in Operator catalogs.

    —skip-metadata-check

    Skip metadata when publishing an image set. This is only recommended when the image set was created with —ignore-history.

    —skip-missing

    If an image is not found, skip it instead of reporting an error and aborting execution. Does not apply to custom images explicitly specified in the image set configuration.

    —skip-pruning

    Disable automatic pruning of images from the target mirror registry.

    —skip-verification

    Skip digest verification.

    —source-skip-tls

    Disable TLS validation for the source registry.

    —source-use-http

    Use plain HTTP for the source registry.

    —use-oci-feature

    Enable mirroring for local OCI catalogs on disk to the target mirror registry.

    The —use-oci-feature flag is deprecated. Use the —include-local-oci-catalogs flag instead.

    -v, —verbose <int>

    Specify the number for the log level verbosity. Valid values are 0 - 9. The default is 0.

    To avoid excessive memory usage by the OpenShift Update Service application, you must mirror release images to a separate repository as described in the following procedure.

    Prerequisites

    • You configured a mirror registry to use in your disconnected environment and can access the certificate and credentials that you configured.

    • You have created a pull secret for your mirror repository.

    • If you use self-signed certificates, you have specified a Subject Alternative Name in the certificates.

    Procedure

    1. Use the to plan an update from one version to another. The OpenShift Upgrade Graph provides channel graphs and a way to confirm that there is an update path between your current and intended cluster versions.

    2. Set the required environment variables:

      1. Export the release version:

        1. $ export OCP_RELEASE=<release_version>

        For <release_version>, specify the tag that corresponds to the version of OKD to which you want to update, such as 4.5.4.

      2. Export the local registry name and host port:

        1. $ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>'

        For <local_registry_host_name>, specify the registry domain name for your mirror repository, and for <local_registry_host_port>, specify the port that it serves content on.

      3. Export the local repository name:

        1. $ LOCAL_REPOSITORY='<local_repository_name>'

        For <local_repository_name>, specify the name of the repository to create in your registry, such as ocp4/openshift4.

      4. If you are using the OpenShift Update Service, export an additional local repository name to contain the release images:

        1. $ LOCAL_RELEASE_IMAGES_REPOSITORY='<local_release_images_repository_name>'

        For <local_release_images_repository_name>, specify the name of the repository to create in your registry, such as ocp4/openshift4-release-images.

      5. Export the name of the repository to mirror:

        1. $ PRODUCT_REPO='openshift-release-dev'

        For a production release, you must specify openshift-release-dev.

      6. Export the path to your registry pull secret:

        1. $ LOCAL_SECRET_JSON='<path_to_pull_secret>'

        For <path_to_pull_secret>, specify the absolute path to and file name of the pull secret for your mirror registry that you created.

        If your cluster uses an ImageContentSourcePolicy object to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.

      7. Export the release mirror:

        1. $ RELEASE_NAME="ocp-release"

        For a production release, you must specify ocp-release.

      8. Export the type of architecture for your cluster:

        1. $ ARCHITECTURE=<cluster_architecture> (1)
        1Specify the architecture of the cluster, such as x86_64, aarch64, s390x, or ppc64le.
      9. Export the path to the directory to host the mirrored images:

        1. $ REMOVABLE_MEDIA_PATH=<path> (1)
        1Specify the full path, including the initial forward slash (/) character.
    3. Review the images and configuration manifests to mirror:

      1. $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run
    4. Mirror the version images to the mirror registry.

      • If your mirror host does not have internet access, take the following actions:

        1. Connect the removable media to a system that is connected to the internet.

        2. Mirror the images and configuration manifests to a directory on the removable media:

          1. $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}

          This command also generates and saves the mirrored release image signature config map onto the removable media.

        3. Take the media to the disconnected environment and upload the images to the local container registry.

          1. $ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} (1)
          1For REMOVABLE_MEDIA_PATH, you must use the same path that you specified when you mirrored the images.
        4. Use oc command-line interface (CLI) to log in to the cluster that you are upgrading.

        5. Apply the mirrored release image signature config map to the connected cluster:

          1. $ oc apply -f ${REMOVABLE_MEDIA_PATH}/mirror/config/<image_signature_file> (1)
          1For <image_signature_file>, specify the path and name of the file, for example, signature-sha256-81154f5c03294534.yaml.
        6. If you are using the OpenShift Update Service, mirror the release image to a separate repository:

          1. $ oc image mirror -a ${LOCAL_SECRET_JSON} ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} ${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}
      • If the local container registry and the cluster are connected to the mirror host, take the following actions:

        1. Directly push the release images to the local registry and apply the config map to the cluster by using following command:

          1. $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
          2. --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} --apply-release-image-signature

          If you include the —apply-release-image-signature option, do not create the config map for image signature verification.

        2. If you are using the OpenShift Update Service, mirror the release image to a separate repository:

          1. $ oc image mirror -a ${LOCAL_SECRET_JSON} ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} ${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}