Mirroring images for a disconnected installation

    • You must have a container image registry that supports Docker v2-2 in the location that will host the OKD cluster, such as one of the following registries:

      If you have an entitlement to Red Hat Quay, see the documentation on deploying Red Hat Quay, either directly or by using the Quay Operator. If you need additional assistance selecting and installing a registry, contact your sales representative or Red Hat support.

    About the mirror registry

    You can mirror the images that are required for OKD installation and subsequent product updates to a mirror registry. These actions use the same process. The release image, which contains the description of the content, and the images it references are all mirrored. In addition, the Operator catalog source image and the images that it references must be mirrored for each Operator that you use. After you mirror the content, you configure each cluster to retrieve this content from your mirror registry.

    The mirror registry can be any container registry that supports Docker v2-2. All major cloud provider registries, as well as Red Hat Quay, Artifactory, and others, have the necessary support. Using one of these registries ensures that OKD can verify the integrity of each image in disconnected environments.

    The mirror registry must be reachable by every machine in the clusters that you provision. If the registry is unreachable, installation, updating, or normal operations such as workload relocation might fail. For that reason, you must run mirror registries in a highly available way, and the mirror registries must at least match the production availability of your OKD clusters.

    When you populate a mirror registry with OKD images, you can follow two scenarios. If you have a host that can access both the internet and your mirror registry, but not your cluster nodes, you can directly mirror the content from that machine. This process is referred to as connected mirroring. If you have no such host, you must mirror the images to a file system and then bring that host or removable media into your restricted environment. This process is referred to as disconnected mirroring.

    For mirrored registries, to view the source of pulled images, you must review the log entry in the CRI-O logs. Other methods to view the image pull source, such as using the crictl images command on a node, show the non-mirrored image name, even though the image is pulled from the mirrored location.

    Additional information

    For information on viewing the CRI-O logs to view the image source, see .

    Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to the remote location.

    You can install the OpenShift CLI (oc) to interact with OKD from a command-line interface. You can install oc on Linux, Windows, or macOS.

    If you installed an earlier version of oc, you cannot use it to complete all of the commands in OKD 4.8. Download and install the new version of oc.

    Installing the OpenShift CLI on Linux

    You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.

    Procedure

    1. Navigate to and choose the folder for your operating system and architecture.

    2. Download oc.tar.gz.

    3. Unpack the archive:

    4. Place the oc binary in a directory that is on your PATH.

      To check your PATH, execute the following command:

      $ echo $PATH

    After you install the OpenShift CLI, it is available using the oc command:

    $ oc <command>

    Installing the OpenShift CLI on Windows

    You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.

    Procedure

    1. Navigate to and choose the folder for your operating system and architecture.

    2. Download oc.zip.

    3. Unzip the archive with a ZIP program.

    4. Move the oc binary to a directory that is on your PATH.

      To check your PATH, open the command prompt and execute the following command:

      C:\> path

    After you install the OpenShift CLI, it is available using the oc command:

    C:\> oc <command>

    Installing the OpenShift CLI on macOS

    You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.

    1. Navigate to and choose the folder for your operating system and architecture.

    2. Download oc.tar.gz.

    3. Move the oc binary to a directory on your PATH.

      To check your PATH, open a terminal and execute the following command:

      $ echo $PATH

    After you install the OpenShift CLI, it is available using the oc command:

    $ oc <command>

    Configuring credentials that allow images to be mirrored

    Create a container image registry credentials file that allows mirroring images from Red Hat to your mirror.

    Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install a cluster, all of the machines in the cluster will have write access to your mirror registry.

    Prerequisites

    • You configured a mirror registry to use in your restricted network.

    • You identified an image repository location on your mirror registry to mirror images into.

    • You provisioned a mirror registry account that allows images to be uploaded to that image repository.

    Procedure

    Complete the following steps on the installation host:

    1. Generate the base64-encoded user name and password or token for your mirror registry:

      BGVtbYk3ZHAtqXs=

      (1) For <user_name> and <password>, specify the user name and password that you configured for your registry.
    2. Create a .json file and add a section that describes your registry to it:

      (1) For <mirror_registry>, specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example, registry.example.com or registry.example.com:5000.
      (2) For <credentials>, specify the base64-encoded user name and password for the mirror registry.
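    The two steps above, as an added example that is not part of the OKD documentation: it builds the credentials file from a user name and password exactly as described (auth is base64 of <user_name>:<password>), and decodes the value back so an entry can be checked. The registry name, user name, password and output path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the OKD documentation: build the registry credentials
# file that the mirroring procedure passes to oc with -a. The auth value is
# base64("<user_name>:<password>"), exactly as step 1 describes. The registry
# name, user name and password used at the bottom are constructed placeholders.

# Prints the base64 auth string for a user name ($1) and password ($2).
make_auth() {
    # printf avoids the trailing newline that echo would encode; tr removes the
    # line wrapping that some base64 implementations add to long values.
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decodes an auth value back to "user:password" so an entry can be checked.
decode_auth() {
    printf '%s' "$1" | base64 -d
}

# Writes a minimal credentials file for one mirror registry.
# $1 = <mirror_registry> host with optional port, $2 = user name,
# $3 = password, $4 = output path.
write_mirror_secret() {
    auth=$(make_auth "$2" "$3")
    cat > "$4" <<EOF
{
  "auths": {
    "$1": {
      "auth": "$auth"
    }
  }
}
EOF
    # This file grants write access to the mirror, so keep it owner-readable
    # only and never reuse it as the cluster pull secret.
    chmod 600 "$4"
}

# Constructed sample run.
SECRET_FILE="${TMPDIR:-/tmp}/mirror-pull-secret.json"
write_mirror_secret "registry.example.com:5000" "mirror-writer" "s3cr3t" "$SECRET_FILE"
```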

    Mirror the OKD image repository to your registry to use during cluster installation or upgrade.

    Prerequisites

    • Your mirror host has access to the internet.

    • You configured a mirror registry to use in your restricted network and can access the certificate and credentials that you configured.

    • You have created a pull secret for your mirror repository.

    • If you use self-signed certificates that do not set a Subject Alternative Name, you must precede the oc commands in this procedure with GODEBUG=x509ignoreCN=0. If you do not set this variable, the oc commands will fail with the following error:

      x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

    Procedure

    Complete the following steps on the mirror host:

    1. Review the to determine the version of OKD that you want to install and determine the corresponding tag on the Repository Tags page.

    2. Set the required environment variables:

      1. Export the release version:

        $ OCP_RELEASE=<release_version>

        For <release_version>, specify the tag that corresponds to the version of OKD to install, such as 4.5.4.

      2. Export the local registry name and host port:

        $ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>'

        For <local_registry_host_name>, specify the registry domain name for your mirror repository, and for <local_registry_host_port>, specify the port that it serves content on.

      3. Export the local repository name:

        $ LOCAL_REPOSITORY='<local_repository_name>'

        For <local_repository_name>, specify the name of the repository to create in your registry, such as ocp4/openshift4.

      4. Export the name of the repository to mirror and the path to your registry pull secret:

        $ PRODUCT_REPO='openshift'
        $ LOCAL_SECRET_JSON='<path_to_pull_secret>'

        For <path_to_pull_secret>, specify the absolute path to and file name of the pull secret for your mirror registry that you created.

      5. Export the release mirror:

        $ RELEASE_NAME="okd"

      6. Export the path to the directory to host the mirrored images:

    3. Mirror the version images to the internal container registry:

      • If your mirror host does not have internet access, take the following actions:

        1. Review the images and configuration manifests to mirror:

          $ oc adm release mirror -a ${LOCAL_SECRET_JSON} \
            --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} \
            --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
            --dry-run

        2. Record the entire imageContentSources section from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add the imageContentSources section to the install-config.yaml file during installation.

        3. Mirror the images to a directory on the removable media:

          $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}

        4. Take the media to the restricted network environment and upload the images to the local container registry.

          $ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} (1)

          (1) For REMOVABLE_MEDIA_PATH, you must use the same path that you specified when you mirrored the images.

      • If the local container registry is connected to the mirror host, take the following actions:

        1. Directly push the release images to the local registry by using the following command:

          $ oc adm release mirror -a ${LOCAL_SECRET_JSON} \
            --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} \
            --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
            --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}

          This command pulls the release information as a digest, and its output includes the imageContentSources data that you require when you install your cluster.

        2. Record the entire imageContentSources section from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add the imageContentSources section to the install-config.yaml file during installation.

          The image name is patched to Quay.io during the mirroring process, so podman images on the bootstrap virtual machine will show Quay.io as the registry.
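    As an added example that is not part of the OKD documentation, the following script checks that every variable from step 2 is set before the mirror command runs and renders the imageContentSources section, in the mirrors/source layout that install-config.yaml takes, for the mirror repository built from those variables. quay.io/openshift/okd is the release repository used in this procedure; quay.io/openshift/okd-content is an assumption about the repository the release's payload images are referenced from, and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not from the OKD documentation: check the variables exported in
# step 2 and render the imageContentSources section that the mirror procedure
# tells you to record for install-config.yaml. quay.io/openshift/okd is the
# release repository from this procedure; quay.io/openshift/okd-content is an
# assumption about where the release's payload images are referenced from.

# Returns 1 and names the variable when any value the mirror command needs is
# empty, so the oc command fails fast instead of mirroring to a bad location.
require_mirror_vars() {
    for name in OCP_RELEASE LOCAL_REGISTRY LOCAL_REPOSITORY PRODUCT_REPO \
                RELEASE_NAME LOCAL_SECRET_JSON; do
        eval "value=\${$name}"
        if [ -z "$value" ]; then
            echo "required variable $name is not set" >&2
            return 1
        fi
    done
    return 0
}

# Prints imageContentSources YAML mapping each upstream source ($2...) to the
# mirror repository ($1), in the mirrors/source layout install-config expects.
render_image_content_sources() {
    mirror="$1"; shift
    echo "imageContentSources:"
    for source in "$@"; do
        echo "- mirrors:"
        echo "  - $mirror"
        echo "  source: $source"
    done
}

# Constructed values standing in for the exports in step 2.
OCP_RELEASE='4.5.4'
LOCAL_REGISTRY='registry.example.com:5000'
LOCAL_REPOSITORY='ocp4/openshift4'
PRODUCT_REPO='openshift'
RELEASE_NAME='okd'
LOCAL_SECRET_JSON="${HOME:-/root}/mirror-pull-secret.json"

require_mirror_vars && render_image_content_sources \
    "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}" \
    "quay.io/${PRODUCT_REPO}/${RELEASE_NAME}" \
    "quay.io/${PRODUCT_REPO}/${RELEASE_NAME}-content"
```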

    1. To create the installation program that is based on the content that you mirrored, extract it and pin it to the release:

      • If your mirror host does not have internet access, run the following command:

        $ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}"

      • If the local container registry is connected to the mirror host, run the following command:

        $ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}"

    2. For clusters using installer-provisioned infrastructure, run the following command:

      $ openshift-install

    The Cluster Samples Operator in a disconnected environment

    In a disconnected environment, you must take additional steps after you install a cluster to configure the Cluster Samples Operator. Review the following information in preparation.

    Cluster Samples Operator assistance for mirroring

    During installation, OKD creates a config map named imagestreamtag-to-image in the openshift-cluster-samples-operator namespace. The imagestreamtag-to-image config map contains an entry, the populating image, for each image stream tag.

    The format of the key for each entry in the data field in the config map is <image_stream_name>_<image_stream_tag_name>.

    During a disconnected installation of OKD, the status of the Cluster Samples Operator is set to Removed. If you choose to change it to Managed, it installs samples.

    You can use this config map as a reference for which images need to be mirrored for your image streams to import.

    • While the Cluster Samples Operator is set to Removed, you can create your mirrored registry, or determine which existing mirrored registry you want to use.

    • Mirror the samples you want to the mirrored registry using the new config map as your guide.

    • Add any of the image streams you did not mirror to the skippedImagestreams list of the Cluster Samples Operator configuration object.

    • Set samplesRegistry of the Cluster Samples Operator configuration object to the mirrored registry.

    • Then set the Cluster Samples Operator to Managed to install the image streams you have mirrored.
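    The config map walk-through above, as an added example that is not part of the OKD documentation: it derives the image list to mirror and the skippedImagestreams entries from imagestreamtag-to-image keys in the <image_stream_name>_<image_stream_tag_name> format. The config map data is reproduced inline as constructed lines rather than read with oc, so the script runs offline; the image references and registry name are constructed, and tag names are assumed to contain no underscore.

```shell
#!/bin/sh
# Added example, not from the OKD documentation: derive the mirror list and the
# skippedImagestreams entries from the imagestreamtag-to-image config map. The
# data field is reproduced as constructed "<stream>_<tag> <image>" lines instead
# of being read with oc; image references and the registry are constructed.
# Assumes tag names contain no underscore, so the last underscore in a key
# separates the image stream name from the tag name.

# Constructed stand-in for the config map's data field.
CONFIG_MAP_DATA='httpd_2.4 quay.io/example/httpd:2.4
nodejs_14-ubi8 quay.io/example/nodejs:14-ubi8
python_3.8 quay.io/example/python:3.8
python_3.9 quay.io/example/python:3.9'

# Prints each distinct image stream name in the "key image" lines on stdin.
stream_names() {
    while read -r key image; do
        printf '%s\n' "${key%_*}"
    done | sort -u
}

# Prints "source destination" pairs for oc image mirror, re-homing each image
# of the streams named in $2 (space separated) under the registry in $1 while
# keeping the repository path and tag.
mirror_pairs() {
    registry="$1"; keep=" $2 "
    while read -r key image; do
        case "$keep" in
            *" ${key%_*} "*) printf '%s %s/%s\n' "$image" "$registry" "${image#*/}" ;;
        esac
    done
}

# Prints the streams not listed in $1; these go into skippedImagestreams.
skipped_streams() {
    keep=" $1 "
    stream_names | while read -r stream; do
        case "$keep" in
            *" $stream "*) ;;
            *) printf '%s\n' "$stream" ;;
        esac
    done
}

# Sample run: mirror httpd and nodejs only, skip the rest.
printf '%s\n' "$CONFIG_MAP_DATA" | mirror_pairs "registry.example.com:5000" "httpd nodejs"
printf '%s\n' "$CONFIG_MAP_DATA" | skipped_streams "httpd nodejs"
```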

    • Mirror the OperatorHub images for the Operators that you want to install in your cluster.

    • Install a cluster on infrastructure that you provision in your restricted network, such as on VMware vSphere, , or Amazon Web Services.

    Additional resources