0% found this document useful (0 votes)

257 views167 pages

OpenShift - Container - Platform 4.17 Disconnected - Environments en US

The document provides guidance on managing OpenShift Container Platform clusters in disconnected environments, including installation, configuration, and mirroring of images. It outlines preferred methods for working without internet access and details the process of converting connected clusters to disconnected ones. Additionally, it includes information on using the oc-mirror plugin for image mirroring and troubleshooting tips.

Uploaded by

rajan

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

257 views167 pages

OpenShift - Container - Platform 4.17 Disconnected - Environments en US

Uploaded by

rajan

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 167

OpenShift Container Platform 4.

Disconnected environments

Managing OpenShift Container Platform clusters in a disconnected environment

Last Updated: 2025-01-28

OpenShift Container Platform 4.17 Disconnected environments
Managing OpenShift Container Platform clusters in a disconnected environment
Legal Notice
Copyright © 2025 Red Hat, Inc.

The text of and illustrations in this document are licensed by Red Hat under a Creative Commons
Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is
available at
http://creativecommons.org/licenses/by-sa/3.0/
. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must
provide the URL for the original version.

Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift,
Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States
and other countries.

Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.

Java ® is a registered trademark of Oracle and/or its affiliates.

XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States
and/or other countries.

MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and
other countries.

Node.js ® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the
official Joyent Node.js open source or commercial project.

The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks
or trademarks/service marks of the OpenStack Foundation, in the United States and other
countries and are used with the OpenStack Foundation's permission. We are not affiliated with,
endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Abstract
This document provides information about installing, managing, and configuring OpenShift
Container Platform clusters in environments without internet access.
Table of Contents

Table of Contents
.CHAPTER
. . . . . . . . . . 1.. .ABOUT
. . . . . . . .DISCONNECTED
. . . . . . . . . . . . . . . . . .ENVIRONMENTS
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6. . . . . . . . . . . . .
1.1. GLOSSARY OF DISCONNECTED ENVIRONMENT TERMS 6
1.2. PREFERRED METHODS FOR WORKING WITH DISCONNECTED ENVIRONMENTS 6

.CHAPTER
. . . . . . . . . . 2.
. . CONVERTING
. . . . . . . . . . . . . . .A
. . CONNECTED
. . . . . . . . . . . . . . .CLUSTER
. . . . . . . . . .TO
. . . .A. DISCONNECTED
. . . . . . . . . . . . . . . . . . CLUSTER
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8. . . . . . . . . . . . .
2.1. ABOUT THE MIRROR REGISTRY 8
2.2. PREREQUISITES 9
2.3. PREPARING THE CLUSTER FOR MIRRORING 9
2.4. MIRRORING THE IMAGES 10
2.5. CONFIGURING THE CLUSTER FOR THE MIRROR REGISTRY 13
2.6. ENSURE APPLICATIONS CONTINUE TO WORK 15
2.7. DISCONNECT THE CLUSTER FROM THE NETWORK 16
2.8. RESTORING A DEGRADED INSIGHTS OPERATOR 16
2.9. RESTORING THE NETWORK 17

.CHAPTER
. . . . . . . . . . 3.
. . MIRRORING
. . . . . . . . . . . . . IN
. . . DISCONNECTED
. . . . . . . . . . . . . . . . . .ENVIRONMENTS
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
..............
3.1. ABOUT DISCONNECTED INSTALLATION MIRRORING 19
3.1.1. Creating a mirror registry 19
3.1.2. Mirroring images for a disconnected installation 19
3.2. CREATING A MIRROR REGISTRY WITH MIRROR REGISTRY FOR RED HAT OPENSHIFT 19
3.2.1. Prerequisites 19
3.2.2. Mirror registry for Red Hat OpenShift introduction 20
3.2.2.1. Mirror registry for Red Hat OpenShift limitations 20
3.2.3. Mirroring on a local host with mirror registry for Red Hat OpenShift 21
3.2.4. Updating mirror registry for Red Hat OpenShift from a local host 22
3.2.5. Mirroring on a remote host with mirror registry for Red Hat OpenShift 23
3.2.6. Updating mirror registry for Red Hat OpenShift from a remote host 24
3.2.7. Replacing mirror registry for Red Hat OpenShift SSL/TLS certificates 25
3.2.8. Uninstalling the mirror registry for Red Hat OpenShift 26
3.2.9. Mirror registry for Red Hat OpenShift flags 26
3.2.10. Mirror registry for Red Hat OpenShift release notes 28
3.2.10.1. Mirror registry for Red Hat OpenShift 2.0 release notes 28
3.2.10.1.1. Mirror registry for Red Hat OpenShift 2.0.5 28
3.2.10.1.2. Mirror registry for Red Hat OpenShift 2.0.4 28
3.2.10.1.3. Mirror registry for Red Hat OpenShift 2.0.3 28
3.2.10.1.4. Mirror registry for Red Hat OpenShift 2.0.2 29
3.2.10.1.5. Mirror registry for Red Hat OpenShift 2.0.1 29
3.2.10.1.6. Mirror registry for Red Hat OpenShift 2.0.0 29
3.2.10.1.6.1. New features 29
3.2.10.2. Mirror registry for Red Hat OpenShift 1.3 release notes 29
3.2.10.3. Mirror registry for Red Hat OpenShift 1.2 release notes 29
3.2.10.4. Mirror registry for Red Hat OpenShift 1.1 release notes 30
3.2.11. Troubleshooting mirror registry for Red Hat OpenShift 30
3.2.12. Additional resources 30
3.3. MIRRORING IMAGES FOR A DISCONNECTED INSTALLATION BY USING THE OC ADM COMMAND 30
3.3.1. Prerequisites 31
3.3.2. About the mirror registry 31
3.3.3. Preparing your mirror host 32
3.3.3.1. Installing the OpenShift CLI 32
Installing the OpenShift CLI on Linux 32
Installing the OpenShift CLI on Windows 33

1
OpenShift Container Platform 4.17 Disconnected environments

Installing the OpenShift CLI on macOS 33

3.3.4. Configuring credentials that allow images to be mirrored 34
3.3.5. Mirroring the OpenShift Container Platform image repository 36
3.3.6. The Cluster Samples Operator in a disconnected environment 40
3.3.6.1. Cluster Samples Operator assistance for mirroring 40
3.3.7. Mirroring Operator catalogs for use with disconnected clusters 40
3.3.7.1. Prerequisites 41
3.3.7.2. Extracting and mirroring catalog contents 42
3.3.7.2.1. Mirroring catalog contents to registries on the same network 42
3.3.7.2.2. Mirroring catalog contents to airgapped registries 43
3.3.7.3. Generated manifests 45
3.3.7.4. Postinstallation requirements 47
3.3.8. Next steps 47
3.3.9. Additional resources 47
3.4. MIRRORING IMAGES FOR A DISCONNECTED INSTALLATION USING THE OC-MIRROR PLUGIN 47
3.4.1. About the oc-mirror plugin 47
3.4.1.1. High level workflow 48
3.4.2. oc-mirror plugin compatibility and support 48
3.4.3. About the mirror registry 49
3.4.4. Prerequisites 49
3.4.5. Preparing your mirror hosts 50
3.4.5.1. Installing the oc-mirror OpenShift CLI plugin 50
3.4.5.2. Configuring credentials that allow images to be mirrored 51
3.4.6. Creating the image set configuration 53
3.4.7. Mirroring an image set to a mirror registry 55
3.4.7.1. Mirroring an image set in a partially disconnected environment 56
3.4.7.1.1. Mirroring from mirror to mirror 56
3.4.7.2. Mirroring an image set in a fully disconnected environment 57
3.4.7.2.1. Mirroring from mirror to disk 57
3.4.7.2.2. Mirroring from disk to mirror 58
3.4.8. Configuring your cluster to use the resources generated by oc-mirror 59
3.4.9. Updating your mirror registry content 60
3.4.9.1. Mirror registry update examples 61
Mirroring a specific OpenShift Container Platform version by pruning the existing images 61
Updating to the latest version of an Operator by pruning the existing images 62
Mirroring a new Operator by pruning the existing Operator 62
Pruning all the OpenShift Container Platform images 62
3.4.10. Performing a dry run 63
3.4.11. Including local OCI Operator catalogs 64
3.4.12. Image set configuration parameters 66
3.4.13. Image set configuration examples 73
Use case: Including the shortest OpenShift Container Platform update path 73
Use case: Including all versions of OpenShift Container Platform from a minimum to the latest version for
multi-architecture releases 73
Use case: Including Operator versions from a minimum to the latest 74
Use case: Including the Nutanix CSI Operator 75
Use case: Including the default Operator channel 75
Use case: Including an entire catalog (all versions) 76
Use case: Including an entire catalog (channel heads only) 76
Use case: Including arbitrary images and helm charts 76
Use case: Including the upgrade path for EUS releases 77
Use case: Including the multi-arch OpenShift Container Platform images and catalog for multicluster engine
Operator 77

2
Table of Contents

3.4.14. Command reference for oc-mirror 78

3.4.15. Additional resources 80
3.5. MIRRORING IMAGES FOR A DISCONNECTED INSTALLATION BY USING THE OC-MIRROR PLUGIN V2
80
3.5.1. About oc-mirror plugin v2 80
3.5.1.1. High level workflow 81
3.5.1.2. oc-mirror plugin v2 compatibility and support 81
3.5.2. Prerequisites 81
3.5.3. Preparing your mirror hosts 82
3.5.3.1. Installing the oc-mirror OpenShift CLI plugin 82
3.5.3.2. Configuring credentials that allow images to be mirrored 83
3.5.4. Mirroring an image set to a mirror registry 85
3.5.4.1. Creating the image set configuration 85
3.5.4.2. Mirroring an image set in a partially disconnected environment 86
3.5.4.3. Mirroring an image set in a fully disconnected environment 87
3.5.4.3.1. Mirroring from mirror to disk 87
3.5.4.3.2. Mirroring from disk to mirror 88
3.5.5. About custom resources generated by v2 89
3.5.5.1. Configuring your cluster to use the resources generated by oc-mirror plugin v2 89
3.5.6. Deletion of images from your disconnected environment 90
3.5.6.1. Deleting images from a disconnected environment 91
3.5.7. Verifying your selected images for mirroring 93
3.5.7.1. Performing dry run for oc-mirror plugin v2 93
3.5.7.2. Troubleshooting oc-mirror plugin v2 errors 94
3.5.8. Benefits of enclave support 96
3.5.8.1. Enclave mirroring workflow 96
3.5.8.2. Mirroring to an enclave 98
3.5.9. How filtering works in the operator catalog 100
3.5.10. ImageSet configuration parameters for oc-mirror plugin v2 106
3.5.10.1. Delete ImageSet Configuration parameters 112
3.5.11. Command reference for oc-mirror plugin v2 116
3.5.12. Next steps 118

.CHAPTER
. . . . . . . . . . 4.
. . .INSTALLING
. . . . . . . . . . . . .A. .CLUSTER
. . . . . . . . . . IN
. . .A
. . DISCONNECTED
. . . . . . . . . . . . . . . . . .ENVIRONMENT
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
..............
4.1. INSTALLING A CLUSTER WITH THE AGENT-BASED INSTALLER 119
4.2. INSTALLING A CLUSTER ON AMAZON WEB SERVICES 119
4.3. INSTALLING A CLUSTER ON MICROSOFT AZURE 119
4.4. INSTALLING A CLUSTER ON GOOGLE CLOUD PLATFORM 119
4.5. INSTALLING A CLUSTER ON IBM CLOUD 120
4.6. INSTALLING A CLUSTER ON NUTANIX 120
4.7. INSTALLING A BARE-METAL CLUSTER 120
4.8. INSTALLING A CLUSTER ON IBM Z(R) OR IBM(R) LINUXONE 120
4.9. INSTALLING A CLUSTER ON IBM POWER 120
4.10. INSTALLING A CLUSTER ON OPENSTACK 120
4.11. INSTALLING A CLUSTER ON VSPHERE 120

. . . . . . . . . . . 5.
CHAPTER . . USING
. . . . . . . .OPERATOR
. . . . . . . . . . . . LIFECYCLE
. . . . . . . . . . . . .MANAGER
. . . . . . . . . . . IN
. . .DISCONNECTED
. . . . . . . . . . . . . . . . . .ENVIRONMENTS
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
...............
5.1. PREREQUISITES 123
5.2. DISABLING THE DEFAULT OPERATORHUB CATALOG SOURCES 123
5.3. MIRRORING AN OPERATOR CATALOG 124
5.4. ADDING A CATALOG SOURCE TO A CLUSTER 124
5.5. NEXT STEPS 126

. . . . . . . . . . . 6.
CHAPTER . . .UPDATING
. . . . . . . . . . .A
. . CLUSTER
. . . . . . . . . . .IN
..A
. . DISCONNECTED
. . . . . . . . . . . . . . . . . . ENVIRONMENT
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
...............

3
OpenShift Container Platform 4.17 Disconnected environments

6.1. ABOUT CLUSTER UPDATES IN A DISCONNECTED ENVIRONMENT 127

6.1.1. Mirroring OpenShift Container Platform images 127
6.1.2. Performing a cluster update in a disconnected environment 127
6.1.3. Uninstalling the OpenShift Update Service from a cluster 127
6.2. MIRRORING OPENSHIFT CONTAINER PLATFORM IMAGES 127
6.2.1. Mirroring resources using the oc-mirror plugin 128
6.2.2. Mirroring images using the oc adm release mirror command 128
6.2.2.1. Prerequisites 128
6.2.2.2. Preparing your mirror host 129
6.2.2.2.1. Installing the OpenShift CLI 129
Installing the OpenShift CLI on Linux 129
Installing the OpenShift CLI on Windows 130
Installing the OpenShift CLI on macOS 130
6.2.2.2.2. Configuring credentials that allow images to be mirrored 131
6.2.2.3. Mirroring images to a mirror registry 133
6.3. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT USING THE OPENSHIFT UPDATE SERVICE
137
6.3.1. Using the OpenShift Update Service in a disconnected environment 137
6.3.2. Prerequisites 137
6.3.3. Configuring access to a secured registry for the OpenShift Update Service 138
6.3.4. Updating the global cluster pull secret 138
6.3.5. Installing the OpenShift Update Service Operator 139
6.3.5.1. Installing the OpenShift Update Service Operator by using the web console 139
6.3.5.2. Installing the OpenShift Update Service Operator by using the CLI 140
6.3.6. Creating the OpenShift Update Service graph data container image 142
6.3.7. Creating an OpenShift Update Service application 143
6.3.7.1. Creating an OpenShift Update Service application by using the web console 143
6.3.7.2. Creating an OpenShift Update Service application by using the CLI 144
6.3.8. Configuring the Cluster Version Operator (CVO) 145
6.3.9. Next steps 146
6.4. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT WITHOUT THE OPENSHIFT UPDATE
SERVICE 147
6.4.1. Prerequisites 147
6.4.2. Pausing a MachineHealthCheck resource 148
6.4.3. Retrieving a release image digest 149
6.4.4. Updating the disconnected cluster 150
6.4.5. Understanding image registry repository mirroring 151
6.4.5.1. Configuring image registry repository mirroring 152
6.4.5.2. Converting ImageContentSourcePolicy (ICSP) files for image registry repository mirroring 157
6.4.6. Widening the scope of the mirror image catalog to reduce the frequency of cluster node reboots 159
6.4.7. Additional resources 160
6.5. UNINSTALLING THE OPENSHIFT UPDATE SERVICE FROM A CLUSTER 160
6.5.1. Deleting an OpenShift Update Service application 160
6.5.1.1. Deleting an OpenShift Update Service application by using the web console 160
6.5.1.2. Deleting an OpenShift Update Service application by using the CLI 161
6.5.2. Uninstalling the OpenShift Update Service Operator 161
6.5.2.1. Uninstalling the OpenShift Update Service Operator by using the web console 161
6.5.2.2. Uninstalling the OpenShift Update Service Operator by using the CLI 162

4
Table of Contents

5
OpenShift Container Platform 4.17 Disconnected environments

CHAPTER 1. ABOUT DISCONNECTED ENVIRONMENTS

A disconnected environment is an environment that does not have full access to the internet.

OpenShift Container Platform is designed to perform many automatic functions that depend on an
internet connection, such as retrieving release images from a registry or retrieving update paths and
recommendations for the cluster. Without a direct internet connection, you must perform additional
setup and configuration for your cluster to maintain full functionality in the disconnected environment.

1.1. GLOSSARY OF DISCONNECTED ENVIRONMENT TERMS

Although it is used throughout the OpenShift Container Platform documentation, disconnected
environment is a broad term that can refer to environments with various levels of internet connectivity.
Other terms are sometimes used to refer to a specific level of internet connectivity, and these
environments might require additional unique configurations.

The following table describes the different terms used to refer to environments without a full internet
connection:

Table 1.1. Disconnected environment terms

Term Description

Air-gapped network An environment or network that is completely isolated from an external

network.

This isolation depends on a physical separation, or an "air gap", between

machines on the internal network and any other part of an external
network. Air-gapped environments are often used in industries with strict
security or regulatory requirements.

Disconnected environment An environment or network that has some level of isolation from an
external network.

This isolation could be enabled by physical or logical separation between

machines on the internal network and an external network. Regardless of
the level of isolation from the external network, a cluster in a
disconnected environment does not have access to public services
hosted by Red Hat and requires additional setup to maintain full cluster
functionality.

Restricted Network An environment or network with limited connection to an external

network.

A physical connection may exist between machines on the internal

network and an external network, but network traffic is limited by
additional configurations, such as with firewalls and proxies.

1.2. PREFERRED METHODS FOR WORKING WITH DISCONNECTED

ENVIRONMENTS

You can choose between multiple options for most aspects of managing a cluster in a disconnected

6
CHAPTER 1. ABOUT DISCONNECTED ENVIRONMENTS

You can choose between multiple options for most aspects of managing a cluster in a disconnected
environment. For example, when mirroring images you can choose between using the oc-mirror
OpenShift CLI (oc) plugin or using the oc adm command.

However, some options provide a simpler and more convenient user experience for disconnected
environments, and are the preferred method over their alternatives.

Unless your organizational needs require you to choose another option, use the following methods for
mirroring images, installing your cluster, and updating your cluster:

Mirror your images using the oc-mirror plugin.

Install your cluster using the Agent-based Installer .

Update your cluster using a local OpenShift Update Service instance .

7
OpenShift Container Platform 4.17 Disconnected environments

CHAPTER 2. CONVERTING A CONNECTED CLUSTER TO A

DISCONNECTED CLUSTER
There might be some scenarios where you need to convert your OpenShift Container Platform cluster
from a connected cluster to a disconnected cluster.

A disconnected cluster, also known as a restricted cluster, does not have an active connection to the
internet. As such, you must mirror the contents of your registries and installation media. You can create
this mirror registry on a host that can access both the internet and your closed network, or copy images
to a device that you can move across network boundaries.

This topic describes the general process for converting an existing, connected cluster into a
disconnected cluster.

2.1. ABOUT THE MIRROR REGISTRY

You can mirror the images that are required for OpenShift Container Platform installation and
subsequent product updates to a container mirror registry such as Red Hat Quay, JFrog Artifactory,
Sonatype Nexus Repository, or Harbor. If you do not have access to a large-scale container registry, you
can use the mirror registry for Red Hat OpenShift , a small-scale container registry included with
OpenShift Container Platform subscriptions.

You can use any container registry that supports Docker v2-2, such as Red Hat Quay, the mirror registry
for Red Hat OpenShift, Artifactory, Sonatype Nexus Repository, or Harbor. Regardless of your chosen
registry, the procedure to mirror content from Red Hat hosted sites on the internet to an isolated image
registry is the same. After you mirror the content, you configure each cluster to retrieve this content
from your mirror registry.

IMPORTANT

The OpenShift image registry cannot be used as the target registry because it does not
support pushing without a tag, which is required during the mirroring process.

If choosing a container registry that is not the mirror registry for Red Hat OpenShift , it must be reachable
by every machine in the clusters that you provision. If the registry is unreachable, installation, updating,
or normal operations such as workload relocation might fail. For that reason, you must run mirror
registries in a highly available way, and the mirror registries must at least match the production
availability of your OpenShift Container Platform clusters.

When you populate your mirror registry with OpenShift Container Platform images, you can follow two
scenarios. If you have a host that can access both the internet and your mirror registry, but not your
cluster nodes, you can directly mirror the content from that machine. This process is referred to as
connected mirroring. If you have no such host, you must mirror the images to a file system and then bring
that host or removable media into your restricted environment. This process is referred to as
disconnected mirroring.

For mirrored registries, to view the source of pulled images, you must review the Trying to access log
entry in the CRI-O logs. Other methods to view the image pull source, such as using the crictl images
command on a node, show the non-mirrored image name, even though the image is pulled from the
mirrored location.

NOTE

Red Hat does not test third party registries with OpenShift Container Platform.

8
CHAPTER 2. CONVERTING A CONNECTED CLUSTER TO A DISCONNECTED CLUSTER

2.2. PREREQUISITES
The oc client is installed.

A running cluster.

An installed mirror registry, which is a container image registry that supports Docker v2-2 in the
location that will host the OpenShift Container Platform cluster, such as one of the following
registries:

Red Hat Quay

JFrog Artifactory

Sonatype Nexus Repository

Harbor

If you have a subscription to Red Hat Quay, see the documentation on deploying Red Hat Quay
for proof-of-concept purposes or by using the Quay Operator.

The mirror repository must be configured to share images. For example, a Red Hat Quay
repository requires Organizations in order to share images.

Access to the internet to obtain the necessary container images.

2.3. PREPARING THE CLUSTER FOR MIRRORING

Before disconnecting your cluster, you must mirror, or copy, the images to a mirror registry that is
reachable by every node in your disconnected cluster. In order to mirror the images, you must prepare
your cluster by:

Adding the mirror registry certificates to the list of trusted CAs on your host.

Creating a .dockerconfigjson file that contains your image pull secret, which is from the
cloud.openshift.com token.

Procedure

1. Configuring credentials that allow image mirroring:

a. Add the CA certificate for the mirror registry, in the simple PEM or DER file formats, to the
list of trusted CAs. For example:

$ cp </path/to/cert.crt> /usr/share/pki/ca-trust-source/anchors/

where, </path/to/cert.crt>
Specifies the path to the certificate on your local file system.

b. Update the CA trust. For example, in Linux:

$ update-ca-trust

c. Extract the .dockerconfigjson file from the global pull secret:

9
OpenShift Container Platform 4.17 Disconnected environments

$ oc extract secret/pull-secret -n openshift-config --confirm --to=.

Example output

.dockerconfigjson

d. Edit the .dockerconfigjson file to add your mirror registry and authentication credentials
and save it as a new file:

{"auths":{"<local_registry>": {"auth": "<credentials>","email": "[email protected]"}}},"

<registry>:<port>/<namespace>/":{"auth":"<token>"}}}

where:

<local_registry>
Specifies the registry domain name, and optionally the port, that your mirror registry
uses to serve content.
auth
Specifies the base64-encoded user name and password for your mirror registry.
<registry>:<port>/<namespace>
Specifies the mirror registry details.
<token>
Specifies the base64-encoded username:password for your mirror registry.
For example:

$ {"auths":{"cloud.openshift.com":
{"auth":"b3BlbnNoaWZ0Y3UjhGOVZPT0lOMEFaUjdPUzRGTA==","email":"user@exa
mple.com"},
"quay.io":
{"auth":"b3BlbnNoaWZ0LXJlbGVhc2UtZGOVZPT0lOMEFaUGSTd4VGVGVUjdPUzR
GTA==","email":"[email protected]"},
"registry.connect.redhat.com"
{"auth":"NTE3MTMwNDB8dWhjLTFEZlN3VHkxOSTd4VGVGVU1MdTpleUpoYkdjaUail
A==","email":"[email protected]"},
"registry.redhat.io":
{"auth":"NTE3MTMwNDB8dWhjLTFEZlN3VH3BGSTd4VGVGVU1MdTpleUpoYkdjaU9
fZw==","email":"[email protected]"},
"registry.svc.ci.openshift.org":
{"auth":"dXNlcjpyWjAwWVFjSEJiT2RKVW1pSmg4dW92dGp1SXRxQ3RGN1pwajJhN1
ZXeTRV"},"my-registry:5000/my-namespace/":
{"auth":"dXNlcm5hbWU6cGFzc3dvcmQ="}}}

2.4. MIRRORING THE IMAGES

After the cluster is properly configured, you can mirror the images from your external repositories to the
mirror repository.

Procedure

1. Mirror the Operator Lifecycle Manager (OLM) images:

10
CHAPTER 2. CONVERTING A CONNECTED CLUSTER TO A DISCONNECTED CLUSTER

$ oc adm catalog mirror registry.redhat.io/redhat/redhat-operator-index:v{product-version}

<mirror_registry>:<port>/olm -a <reg_creds>

where:

product-version
Specifies the tag that corresponds to the version of OpenShift Container Platform to install,
such as 4.8.
mirror_registry
Specifies the fully qualified domain name (FQDN) for the target registry and namespace to
mirror the Operator content to, where <namespace> is any existing namespace on the
registry.
reg_creds
Specifies the location of your modified .dockerconfigjson file.

For example:

$ oc adm catalog mirror registry.redhat.io/redhat/redhat-operator-index:v4.8

mirror.registry.com:443/olm -a ./.dockerconfigjson --index-filter-by-os='.*'

2. Mirror the content for any other Red Hat-provided Operator:

$ oc adm catalog mirror <index_image> <mirror_registry>:<port>/<namespace> -a

<reg_creds>

where:

index_image
Specifies the index image for the catalog that you want to mirror.
mirror_registry
Specifies the FQDN for the target registry and namespace to mirror the Operator content
to, where <namespace> is any existing namespace on the registry.
reg_creds
Optional: Specifies the location of your registry credentials file, if required.

For example:

$ oc adm catalog mirror registry.redhat.io/redhat/community-operator-index:v4.8

mirror.registry.com:443/olm -a ./.dockerconfigjson --index-filter-by-os='.*'

3. Mirror the OpenShift Container Platform image repository:

$ oc adm release mirror -a .dockerconfigjson --from=quay.io/openshift-release-dev/ocp-

release:v<product-version>-<architecture> --to=<local_registry>/<local_repository> --to-
release-image=<local_registry>/<local_repository>:v<product-version>-<architecture>

where:

product-version

Specifies the tag that corresponds to the version of OpenShift Container Platform to install,

11
OpenShift Container Platform 4.17 Disconnected environments

Specifies the tag that corresponds to the version of OpenShift Container Platform to install,
such as 4.8.15-x86_64.
architecture
Specifies the type of architecture for your server, such as x86_64.
local_registry
Specifies the registry domain name for your mirror repository.
local_repository
Specifies the name of the repository to create in your registry, such as ocp4/openshift4.

For example:

$ oc adm release mirror -a .dockerconfigjson --from=quay.io/openshift-release-dev/ocp-

release:4.8.15-x86_64 --to=mirror.registry.com:443/ocp/release --to-release-
image=mirror.registry.com:443/ocp/release:4.8.15-x86_64

Example output

info: Mirroring 109 images to mirror.registry.com/ocp/release ...

mirror.registry.com:443/
ocp/release
manifests:
sha256:086224cadce475029065a0efc5244923f43fb9bb3bb47637e0aaf1f32b9cad47 ->
4.8.15-x86_64-thanos
sha256:0a214f12737cb1cfbec473cc301aa2c289d4837224c9603e99d1e90fc00328db ->
4.8.15-x86_64-kuryr-controller
sha256:0cf5fd36ac4b95f9de506623b902118a90ff17a07b663aad5d57c425ca44038c ->
4.8.15-x86_64-pod
sha256:0d1c356c26d6e5945a488ab2b050b75a8b838fc948a75c0fa13a9084974680cb ->
4.8.15-x86_64-kube-client-agent

…..
sha256:66e37d2532607e6c91eedf23b9600b4db904ce68e92b43c43d5b417ca6c8e63c
mirror.registry.com:443/ocp/release:4.5.41-multus-admission-controller
sha256:d36efdbf8d5b2cbc4dcdbd64297107d88a31ef6b0ec4a39695915c10db4973f1
mirror.registry.com:443/ocp/release:4.5.41-cluster-kube-scheduler-operator
sha256:bd1baa5c8239b23ecdf76819ddb63cd1cd6091119fecdbf1a0db1fb3760321a2
mirror.registry.com:443/ocp/release:4.5.41-aws-machine-controllers
info: Mirroring completed in 2.02s (0B/s)

Success
Update image: mirror.registry.com:443/ocp/release:4.5.41-x86_64
Mirror prefix: mirror.registry.com:443/ocp/release

4. Mirror any other registries, as needed:

$ oc image mirror <online_registry>/my/image:latest <mirror_registry>

Additional resources

For more information about mirroring Operator catalogs, see Mirroring an Operator catalog .

For more information about the oc adm catalog mirror command, see the OpenShift CLI

12
CHAPTER 2. CONVERTING A CONNECTED CLUSTER TO A DISCONNECTED CLUSTER

For more information about the oc adm catalog mirror command, see the OpenShift CLI
administrator command reference.

2.5. CONFIGURING THE CLUSTER FOR THE MIRROR REGISTRY

After creating and mirroring the images to the mirror registry, you must modify your cluster so that pods
can pull images from the mirror registry.

You must:

Add the mirror registry credentials to the global pull secret.

Add the mirror registry server certificate to the cluster.

Create an ImageContentSourcePolicy custom resource (ICSP), which associates the mirror

registry with the source registry.

1. Add mirror registry credential to the cluster global pull-secret:

$ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=

<pull_secret_location> 1

1 Provide the path to the new pull secret file.

For example:

$ oc set data secret/pull-secret -n openshift-config --from-

file=.dockerconfigjson=.mirrorsecretconfigjson

2. Add the CA-signed mirror registry server certificate to the nodes in the cluster:

a. Create a config map that includes the server certificate for the mirror registry

$ oc create configmap <config_map_name> --from-file=<mirror_address_host>..

<port>=$path/ca.crt -n openshift-config

For example:

S oc create configmap registry-config --from-

file=mirror.registry.com..443=/root/certs/ca-chain.cert.pem -n openshift-config

b. Use the config map to update the image.config.openshift.io/cluster custom resource

(CR). OpenShift Container Platform applies the changes to this CR to all nodes in the
cluster:

$ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":

{"name":"<config_map_name>"}}}' --type=merge

For example:

$ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":

{"name":"registry-config"}}}' --type=merge

3. Create an ICSP to redirect container pull requests from the online registries to the mirror
13
OpenShift Container Platform 4.17 Disconnected environments

3. Create an ICSP to redirect container pull requests from the online registries to the mirror
registry:

a. Create the ImageContentSourcePolicy custom resource:

apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
name: mirror-ocp
spec:
repositoryDigestMirrors:
- mirrors:
- mirror.registry.com:443/ocp/release 1
source: quay.io/openshift-release-dev/ocp-release 2
- mirrors:
- mirror.registry.com:443/ocp/release
source: quay.io/openshift-release-dev/ocp-v4.0-art-dev

1 Specifies the name of the mirror image registry and repository.

2 Specifies the online registry and repository containing the content that is mirrored.

b. Create the ICSP object:

$ oc create -f registryrepomirror.yaml

Example output

imagecontentsourcepolicy.operator.openshift.io/mirror-ocp created

OpenShift Container Platform applies the changes to this CR to all nodes in the cluster.

4. Verify that the credentials, CA, and ICSP for mirror registry were added:

a. Log into a node:

$ oc debug node/<node_name>

b. Set /host as the root directory within the debug shell:

sh-4.4# chroot /host

c. Check the config.json file for the credentials:

sh-4.4# cat /var/lib/kubelet/config.json

Example output

{"auths":{"brew.registry.redhat.io":{"xx=="},"brewregistry.stage.redhat.io":
{"auth":"xxx=="},"mirror.registry.com:443":{"auth":"xx="}}} 1

1 Ensure that the mirror registry and credentials are present.

14
CHAPTER 2. CONVERTING A CONNECTED CLUSTER TO A DISCONNECTED CLUSTER

d. Change to the certs.d directory

sh-4.4# cd /etc/docker/certs.d/

e. List the certificates in the certs.d directory:

sh-4.4# ls

Example output

image-registry.openshift-image-registry.svc.cluster.local:5000
image-registry.openshift-image-registry.svc:5000
mirror.registry.com:443 1

1 Ensure that the mirror registry is in the list.

f. Check that the ICSP added the mirror registry to the registries.conf file:

sh-4.4# cat /etc/containers/registries.conf

Example output

unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]

[[registry]]
prefix = ""
location = "quay.io/openshift-release-dev/ocp-release"
mirror-by-digest-only = true

[[registry.mirror]]
location = "mirror.registry.com:443/ocp/release"

[[registry]]
prefix = ""
location = "quay.io/openshift-release-dev/ocp-v4.0-art-dev"
mirror-by-digest-only = true

[[registry.mirror]]
location = "mirror.registry.com:443/ocp/release"

The registry.mirror parameters indicate that the mirror registry is searched before the
original registry.

g. Exit the node.

sh-4.4# exit

2.6. ENSURE APPLICATIONS CONTINUE TO WORK

Before disconnecting the cluster from the network, ensure that your cluster is working as expected and
all of your applications are working as expected.

15
OpenShift Container Platform 4.17 Disconnected environments

Procedure
Use the following commands to check the status of your cluster:

Ensure your pods are running:

$ oc get pods --all-namespaces

Example output

NAMESPACE NAME READY

STATUS RESTARTS AGE
kube-system apiserver-watcher-ci-ln-47ltxtb-f76d1-mrffg-master-0
1/1 Running 0 39m
kube-system apiserver-watcher-ci-ln-47ltxtb-f76d1-mrffg-master-1
1/1 Running 0 39m
kube-system apiserver-watcher-ci-ln-47ltxtb-f76d1-mrffg-master-2
1/1 Running 0 39m
openshift-apiserver-operator openshift-apiserver-operator-79c7c646fd-5rvr5
1/1 Running 3 45m
openshift-apiserver apiserver-b944c4645-q694g 2/2
Running 0 29m
openshift-apiserver apiserver-b944c4645-shdxb 2/2
Running 0 31m
openshift-apiserver apiserver-b944c4645-x7rf2 2/2
Running 0 33m
...

Ensure your nodes are in the READY status:

$ oc get nodes

Example output

NAME STATUS ROLES AGE VERSION

ci-ln-47ltxtb-f76d1-mrffg-master-0 Ready master 42m v1.30.3
ci-ln-47ltxtb-f76d1-mrffg-master-1 Ready master 42m v1.30.3
ci-ln-47ltxtb-f76d1-mrffg-master-2 Ready master 42m v1.30.3
ci-ln-47ltxtb-f76d1-mrffg-worker-a-gsxbz Ready worker 35m v1.30.3
ci-ln-47ltxtb-f76d1-mrffg-worker-b-5qqdx Ready worker 35m v1.30.3
ci-ln-47ltxtb-f76d1-mrffg-worker-c-rjkpq Ready worker 34m v1.30.3

2.7. DISCONNECT THE CLUSTER FROM THE NETWORK

After mirroring all the required repositories and configuring your cluster to work as a disconnected
cluster, you can disconnect the cluster from the network.

NOTE

The Insights Operator is degraded when the cluster loses its Internet connection. You can
avoid this problem by temporarily disabling the Insights Operator until you can restore it.

2.8. RESTORING A DEGRADED INSIGHTS OPERATOR

16
CHAPTER 2. CONVERTING A CONNECTED CLUSTER TO A DISCONNECTED CLUSTER

Disconnecting the cluster from the network necessarily causes the cluster to lose the Internet
connection. The Insights Operator becomes degraded because it requires access to Red Hat Insights .

This topic describes how to recover from a degraded Insights Operator.

Procedure

1. Edit your .dockerconfigjson file to remove the cloud.openshift.com entry, for example:

"cloud.openshift.com":{"auth":"<hash>","email":"[email protected]"}

2. Save the file.

3. Update the cluster secret with the edited .dockerconfigjson file:

$ oc set data secret/pull-secret -n openshift-config --from-

file=.dockerconfigjson=./.dockerconfigjson

4. Verify that the Insights Operator is no longer degraded:

$ oc get co insights

Example output

NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE

insights 4.5.41 True False False 3d

2.9. RESTORING THE NETWORK

If you want to reconnect a disconnected cluster and pull images from online registries, delete the
cluster’s ImageContentSourcePolicy (ICSP) objects. Without the ICSP, pull requests to external
registries are no longer redirected to the mirror registry.

Procedure

1. View the ICSP objects in your cluster:

$ oc get imagecontentsourcepolicy

Example output

NAME AGE
mirror-ocp 6d20h
ocp4-index-0 6d18h
qe45-index-0 6d15h

2. Delete all the ICSP objects you created when disconnecting your cluster:

$ oc delete imagecontentsourcepolicy <icsp_name> <icsp_name> <icsp_name>

For example:

17
OpenShift Container Platform 4.17 Disconnected environments

$ oc delete imagecontentsourcepolicy mirror-ocp ocp4-index-0 qe45-index-0

Example output

imagecontentsourcepolicy.operator.openshift.io "mirror-ocp" deleted

imagecontentsourcepolicy.operator.openshift.io "ocp4-index-0" deleted
imagecontentsourcepolicy.operator.openshift.io "qe45-index-0" deleted

3. Wait for all the nodes to restart and return to the READY status and verify that the
registries.conf file is pointing to the original registries and not the mirror registries:

a. Log into a node:

$ oc debug node/<node_name>

b. Set /host as the root directory within the debug shell:

sh-4.4# chroot /host

c. Examine the registries.conf file:

sh-4.4# cat /etc/containers/registries.conf

Example output

unqualified-search-registries = ["registry.access.redhat.com", "docker.io"] 1

1 The registry and registry.mirror entries created by the ICSPs you deleted are
removed.

18
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

3.1. ABOUT DISCONNECTED INSTALLATION MIRRORING

You can use a mirror registry to ensure that your clusters only use container images that satisfy your
organizational controls on external content. Before you install a cluster on infrastructure that you
provision in a restricted network, you must mirror the required container images into that environment.
To mirror container images, you must have a registry for mirroring.

3.1.1. Creating a mirror registry

If you already have a container image registry, such as Red Hat Quay, you can use it as your mirror
registry. If you do not already have a registry, you can create a mirror registry using the mirror registry for
Red Hat OpenShift.

3.1.2. Mirroring images for a disconnected installation

You can use one of the following procedures to mirror your OpenShift Container Platform image
repository to your mirror registry:

Mirroring images for a disconnected installation by using the oc adm command

Mirroring images for a disconnected installation using the oc-mirror plugin

3.2. CREATING A MIRROR REGISTRY WITH MIRROR REGISTRY FOR

RED HAT OPENSHIFT
The mirror registry for Red Hat OpenShift is a small and streamlined container registry that you can use
as a target for mirroring the required container images of OpenShift Container Platform for
disconnected installations.

If you already have a container image registry, such as Red Hat Quay, you can skip this section and go
straight to Mirroring the OpenShift Container Platform image repository .

3.2.1. Prerequisites
An OpenShift Container Platform subscription.

Red Hat Enterprise Linux (RHEL) 8 and 9 with Podman 3.4.2 or later and OpenSSL installed.

Fully qualified domain name for the Red Hat Quay service, which must resolve through a DNS
server.

Key-based SSH connectivity on the target host. SSH keys are automatically generated for local
installs. For remote hosts, you must generate your own SSH keys.

2 or more vCPUs.

8 GB of RAM.

About 12 GB for OpenShift Container Platform 4.17 release images, or about 358 GB for
OpenShift Container Platform 4.17 release images and OpenShift Container Platform 4.17 Red
Hat Operator images. Up to 1 TB per stream or more is suggested.

IMPORTANT
19
OpenShift Container Platform 4.17 Disconnected environments

IMPORTANT

These requirements are based on local testing results with only release images
and Operator images. Storage requirements can vary based on your
organization’s needs. You might require more space, for example, when you
mirror multiple z-streams. You can use standard Red Hat Quay functionality or
the proper API callout to remove unnecessary images and free up space.

3.2.2. Mirror registry for Red Hat OpenShift introduction

For disconnected deployments of OpenShift Container Platform, a container registry is required to carry
out the installation of the clusters. To run a production-grade registry service on such a cluster, you
must create a separate registry deployment to install the first cluster. The mirror registry for Red Hat
OpenShift addresses this need and is included in every OpenShift subscription. It is available for
download on the OpenShift console Downloads page.

The mirror registry for Red Hat OpenShift allows users to install a small-scale version of Red Hat Quay
and its required components using the mirror-registry command line interface (CLI) tool. The mirror
registry for Red Hat OpenShift is deployed automatically with preconfigured local storage and a local
database. It also includes auto-generated user credentials and access permissions with a single set of
inputs and no additional configuration choices to get started.

The mirror registry for Red Hat OpenShift provides a pre-determined network configuration and reports
deployed component credentials and access URLs upon success. A limited set of optional configuration
inputs like fully qualified domain name (FQDN) services, superuser name and password, and custom
TLS certificates are also provided. This provides users with a container registry so that they can easily
create an offline mirror of all OpenShift Container Platform release content when running OpenShift
Container Platform in restricted network environments.

Use of the mirror registry for Red Hat OpenShift is optional if another container registry is already
available in the install environment.

3.2.2.1. Mirror registry for Red Hat OpenShift limitations

The following limitations apply to the mirror registry for Red Hat OpenShift :

The mirror registry for Red Hat OpenShift is not a highly-available registry and only local file
system storage is supported. It is not intended to replace Red Hat Quay or the internal image
registry for OpenShift Container Platform.

The mirror registry for Red Hat OpenShift is not intended to be a substitute for a production
deployment of Red Hat Quay.

The mirror registry for Red Hat OpenShift is only supported for hosting images that are required
to install a disconnected OpenShift Container Platform cluster, such as Release images or Red
Hat Operator images. It uses local storage on your Red Hat Enterprise Linux (RHEL) machine,
and storage supported by RHEL is supported by the mirror registry for Red Hat OpenShift .

NOTE

Because the mirror registry for Red Hat OpenShift uses local storage, you should
remain aware of the storage usage consumed when mirroring images and use
Red Hat Quay’s garbage collection feature to mitigate potential issues. For more
information about this feature, see "Red Hat Quay garbage collection".

Support for Red Hat product images that are pushed to the mirror registry for Red Hat
20
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Support for Red Hat product images that are pushed to the mirror registry for Red Hat
OpenShift for bootstrapping purposes are covered by valid subscriptions for each respective
product. A list of exceptions to further enable the bootstrap experience can be found on the
Self-managed Red Hat OpenShift sizing and subscription guide .

Content built by customers should not be hosted by the mirror registry for Red Hat OpenShift .

Using the mirror registry for Red Hat OpenShift with more than one cluster is discouraged
because multiple clusters can create a single point of failure when updating your cluster fleet. It
is advised to leverage the mirror registry for Red Hat OpenShift to install a cluster that can host
a production-grade, highly-available registry such as Red Hat Quay, which can serve OpenShift
Container Platform content to other clusters.

3.2.3. Mirroring on a local host with mirror registry for Red Hat OpenShift
This procedure explains how to install the mirror registry for Red Hat OpenShift on a local host using the
mirror-registry installer tool. By doing so, users can create a local host registry running on port 443 for
the purpose of storing a mirror of OpenShift Container Platform images.

NOTE

Installing the mirror registry for Red Hat OpenShift using the mirror-registry CLI tool
makes several changes to your machine. After installation, a $HOME/quay-install
directory is created, which has installation files, local storage, and the configuration
bundle. Trusted SSH keys are generated in case the deployment target is the local host,
and systemd files on the host machine are set up to ensure that container runtimes are
persistent. Additionally, an initial user named init is created with an automatically
generated password. All access credentials are printed at the end of the install routine.

Procedure

1. Download the mirror-registry.tar.gz package for the latest version of the mirror registry for
Red Hat OpenShift found on the OpenShift console Downloads page.

2. Install the mirror registry for Red Hat OpenShift on your local host with your current user
account by using the mirror-registry tool. For a full list of available flags, see "mirror registry for
Red Hat OpenShift flags".

$ ./mirror-registry install \
--quayHostname <host_example_com> \
--quayRoot <example_directory_name>

3. Use the user name and password generated during installation to log into the registry by
running the following command:

$ podman login -u init \

-p <password> \
<host_example_com>:8443> \
--tls-verify=false 1

1 You can avoid running --tls-verify=false by configuring your system to trust the generated
rootCA certificates. See "Using SSL to protect connections to Red Hat Quay" and
"Configuring the system to trust the certificate authority" for more information.

NOTE
21
OpenShift Container Platform 4.17 Disconnected environments

NOTE

You can also log in by accessing the UI at https://<host.example.com>:8443

after installation.

4. You can mirror OpenShift Container Platform images after logging in. Depending on your
needs, see either the "Mirroring the OpenShift Container Platform image repository" or the
"Mirroring Operator catalogs for use with disconnected clusters" sections of this document.

NOTE

If there are issues with images stored by the mirror registry for Red Hat OpenShift
due to storage layer problems, you can remirror the OpenShift Container
Platform images, or reinstall mirror registry on more stable storage.

3.2.4. Updating mirror registry for Red Hat OpenShift from a local host
This procedure explains how to update the mirror registry for Red Hat OpenShift from a local host using
the upgrade command. Updating to the latest version ensures new features, bug fixes, and security
vulnerability fixes.

IMPORTANT

When upgrading from version 1 to version 2, be aware of the following constraints:

The worker count is set to 1 because multiple writes are not allowed in SQLite.

You must not use the mirror registry for Red Hat OpenShift user interface (UP).

Do not access the sqlite-storage Podman volume during the upgrade.

There is intermittent downtime of your mirror registry because it is restarted

during the upgrade process.

PostgreSQL data is backed up under the /$HOME/quay-instal/quay-postgres-

backup/ directory for recovery.

Prerequisites

You have installed the mirror registry for Red Hat OpenShift on a local host.

Procedure

If you are upgrading the mirror registry for Red Hat OpenShift from 1.3 → 2.y, and your
installation directory is the default at /etc/quay-install, you can enter the following command:

$ sudo ./mirror-registry upgrade -v

NOTE
22
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

NOTE

mirror registry for Red Hat OpenShift migrates Podman volumes for Quay
storage, Postgres data, and /etc/quay-install data to the new $HOME/quay-
install location. This allows you to use mirror registry for Red Hat OpenShift
without the --quayRoot flag during future upgrades.

Users who upgrade mirror registry for Red Hat OpenShift with the ./mirror-
registry upgrade -v flag must include the same credentials used when
creating their mirror registry. For example, if you installed the mirror registry
for Red Hat OpenShift with --quayHostname <host_example_com> and --
quayRoot <example_directory_name>, you must include that string to
properly upgrade the mirror registry.

If you are upgrading the mirror registry for Red Hat OpenShift from 1.3 → 2.y and you used a
custom quay configuration and storage directory in your 1.y deployment, you must pass in the --
quayRoot and --quayStorage flags. For example:

$ sudo ./mirror-registry upgrade --quayHostname <host_example_com> --quayRoot

<example_directory_name> --quayStorage <example_directory_name>/quay-storage -v

If you are upgrading the mirror registry for Red Hat OpenShift from 1.3 → 2.y and want to specify
a custom SQLite storage path, you must pass in the --sqliteStorage flag, for example:

$ sudo ./mirror-registry upgrade --sqliteStorage <example_directory_name>/sqlite-storage -v

3.2.5. Mirroring on a remote host with mirror registry for Red Hat OpenShift
This procedure explains how to install the mirror registry for Red Hat OpenShift on a remote host using
the mirror-registry tool. By doing so, users can create a registry to hold a mirror of OpenShift Container
Platform images.

NOTE

Procedure

1. Download the mirror-registry.tar.gz package for the latest version of the mirror registry for
Red Hat OpenShift found on the OpenShift console Downloads page.

$ ./mirror-registry install -v \
--targetHostname <host_example_com> \
--targetUsername <example_user> \

23
OpenShift Container Platform 4.17 Disconnected environments

-k ~/.ssh/my_ssh_key \
--quayHostname <host_example_com> \
--quayRoot <example_directory_name>

3. Use the user name and password generated during installation to log into the mirror registry by
running the following command:

$ podman login -u init \

-p <password> \
<host_example_com>:8443> \
--tls-verify=false 1

NOTE

You can also log in by accessing the UI at https://<host.example.com>:8443

after installation.

NOTE

3.2.6. Updating mirror registry for Red Hat OpenShift from a remote host
This procedure explains how to update the mirror registry for Red Hat OpenShift from a remote host
using the upgrade command. Updating to the latest version ensures bug fixes and security vulnerability
fixes.

IMPORTANT

When upgrading from version 1 to version 2, be aware of the following constraints:

The worker count is set to 1 because multiple writes are not allowed in SQLite.

You must not use the mirror registry for Red Hat OpenShift user interface (UP).

Do not access the sqlite-storage Podman volume during the upgrade.

There is intermittent downtime of your mirror registry because it is restarted

during the upgrade process.

PostgreSQL data is backed up under the /$HOME/quay-instal/quay-postgres-

backup/ directory for recovery.

24
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Prerequisites

You have installed the mirror registry for Red Hat OpenShift on a remote host.

Procedure

To upgrade the mirror registry for Red Hat OpenShift from a remote host, enter the following
command:

$ ./mirror-registry upgrade -v --targetHostname <remote_host_url> --targetUsername

<user_name> -k ~/.ssh/my_ssh_key

NOTE

Users who upgrade the mirror registry for Red Hat OpenShift with the ./mirror-
registry upgrade -v flag must include the same credentials used when creating
their mirror registry. For example, if you installed the mirror registry for Red Hat
OpenShift with --quayHostname <host_example_com> and --quayRoot
<example_directory_name>, you must include that string to properly upgrade
the mirror registry.

If you are upgrading the mirror registry for Red Hat OpenShift from 1.3 → 2.y and want to specify
a custom SQLite storage path, you must pass in the --sqliteStorage flag, for example:

$ ./mirror-registry upgrade -v --targetHostname <remote_host_url> --targetUsername

<user_name> -k ~/.ssh/my_ssh_key --sqliteStorage <example_directory_name>/quay-
storage

3.2.7. Replacing mirror registry for Red Hat OpenShift SSL/TLS certificates
In some cases, you might want to update your SSL/TLS certificates for the mirror registry for Red Hat
OpenShift. This is useful in the following scenarios:

If you are replacing the current mirror registry for Red Hat OpenShift certificate.

If you are using the same certificate as the previous mirror registry for Red Hat OpenShift
installation.

If you are periodically updating the mirror registry for Red Hat OpenShift certificate.

Use the following procedure to replace mirror registry for Red Hat OpenShift SSL/TLS certificates.

Prerequisites

You have downloaded the ./mirror-registry binary from the OpenShift console Downloads
page.

Procedure

1. Enter the following command to install the mirror registry for Red Hat OpenShift :

$ ./mirror-registry install \
--quayHostname <host_example_com> \
--quayRoot <example_directory_name>

25
OpenShift Container Platform 4.17 Disconnected environments

This installs the mirror registry for Red Hat OpenShift to the $HOME/quay-install directory.

2. Prepare a new certificate authority (CA) bundle and generate new ssl.key and ssl.crt key files.
For more information, see Using SSL/TLS to protect connections to Red Hat Quay .

3. Assign /$HOME/quay-install an environment variable, for example, QUAY, by entering the

following command:

$ export QUAY=/$HOME/quay-install

4. Copy the new ssl.crt file to the /$HOME/quay-install directory by entering the following
command:

$ cp ~/ssl.crt $QUAY/quay-config

5. Copy the new ssl.key file to the /$HOME/quay-install directory by entering the following
command:

$ cp ~/ssl.key $QUAY/quay-config

6. Restart the quay-app application pod by entering the following command:

$ systemctl --user restart quay-app

3.2.8. Uninstalling the mirror registry for Red Hat OpenShift

You can uninstall the mirror registry for Red Hat OpenShift from your local host by running the
following command:

$ ./mirror-registry uninstall -v \
--quayRoot <example_directory_name>

NOTE

Deleting the mirror registry for Red Hat OpenShift will prompt the user
before deletion. You can use --autoApprove to skip this prompt.

Users who install the mirror registry for Red Hat OpenShift with the --
quayRoot flag must include the --quayRoot flag when uninstalling. For
example, if you installed the mirror registry for Red Hat OpenShift with --
quayRoot example_directory_name, you must include that string to
properly uninstall the mirror registry.

3.2.9. Mirror registry for Red Hat OpenShift flags

The following flags are available for the mirror registry for Red Hat OpenShift :

Flags Description

26
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Flags Description

--autoApprove A boolean value that disables interactive prompts. If set to true, the quayRoot
directory is automatically deleted when uninstalling the mirror registry. Defaults to
false if left unspecified.

--initPassword The password of the init user created during Quay installation. Must be at least
eight characters and contain no whitespace.

--initUser string Shows the username of the initial user. Defaults to init if left unspecified.

--no-color, -c Allows users to disable color sequences and propagate that to Ansible when
running install, uninstall, and upgrade commands.

--quayHostname The fully-qualified domain name of the mirror registry that clients will use to
contact the registry. Equivalent to SERVER_HOSTNAME in the Quay
config.yaml. Must resolve by DNS. Defaults to<targetHostname>:8443 if
left unspecified. [1]

--quayStorage The folder where Quay persistent storage data is saved. Defaults to the quay-
storage Podman volume. Root privileges are required to uninstall.

--quayRoot, -r The directory where container image layer and configuration data is saved,
including rootCA.key , rootCA.pem, and rootCA.srl certificates. Defaults to
$HOME/quay-install if left unspecified.

--sqliteStorage The folder where SQLite database data is saved. Defaults to sqlite-storage
Podman volume if not specified. Root is required to uninstall.

--ssh-key, -k The path of your SSH identity key. Defaults to ~/.ssh/quay_installer if left
unspecified.

--sslCert The path to the SSL/TLS public key / certificate. Defaults to {quayRoot}/quay-
config and is auto-generated if left unspecified.

--sslCheckSkip Skips the check for the certificate hostname against the SERVER_HOSTNAME
in the config.yaml file. [2]

--sslKey The path to the SSL/TLS private key used for HTTPS communication. Defaults to
{quayRoot}/quay-config and is auto-generated if left unspecified.

--targetHostname, -H The hostname of the target you want to install Quay to. Defaults to $HOST , for
example, a local host, if left unspecified.

--targetUsername, -u The user on the target host which will be used for SSH. Defaults to $USER , for
example, the current user if left unspecified.

27
OpenShift Container Platform 4.17 Disconnected environments

Flags Description

--verbose, -v Shows debug logs and Ansible playbook outputs.

--version Shows the version for the mirror registry for Red Hat OpenShift.

1. --quayHostname must be modified if the public DNS name of your system is different from the
local hostname. Additionally, the --quayHostname flag does not support installation with an IP
address. Installation with a hostname is required.

2. --sslCheckSkip is used in cases when the mirror registry is set behind a proxy and the exposed
hostname is different from the internal Quay hostname. It can also be used when users do not
want the certificates to be validated against the provided Quay hostname during installation.

3.2.10. Mirror registry for Red Hat OpenShift release notes

The mirror registry for Red Hat OpenShift is a small and streamlined container registry that you can use
as a target for mirroring the required container images of OpenShift Container Platform for
disconnected installations.

These release notes track the development of the mirror registry for Red Hat OpenShift in OpenShift
Container Platform.

3.2.10.1. Mirror registry for Red Hat OpenShift 2.0 release notes

The following sections provide details for each 2.0 release of the mirror registry for Red Hat OpenShift.

3.2.10.1.1. Mirror registry for Red Hat OpenShift 2.0.5

Issued: 13 January 2025

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.12.5.

The following advisory is available for the mirror registry for Red Hat OpenShift:

RHBA-2025:0298 - mirror registry for Red Hat OpenShift 2.0.5

3.2.10.1.2. Mirror registry for Red Hat OpenShift 2.0.4

Issued: 06 January 2025

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.12.4.

The following advisory is available for the mirror registry for Red Hat OpenShift:

RHBA-2025:0033 - mirror registry for Red Hat OpenShift 2.0.4

3.2.10.1.3. Mirror registry for Red Hat OpenShift 2.0.3

Issued: 25 November 2024

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.12.3.

28
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

The following advisory is available for the mirror registry for Red Hat OpenShift:

RHBA-2024:10181 - mirror registry for Red Hat OpenShift 2.0.3

3.2.10.1.4. Mirror registry for Red Hat OpenShift 2.0.2

Issued: 31 October 2024

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.12.2.

The following advisory is available for the mirror registry for Red Hat OpenShift:

RHBA-2024:8370 - mirror registry for Red Hat OpenShift 2.0.2

3.2.10.1.5. Mirror registry for Red Hat OpenShift 2.0.1

Issued: 26 September 2024

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.12.1.

The following advisory is available for the mirror registry for Red Hat OpenShift:

RHBA-2024:7070 - mirror registry for Red Hat OpenShift 2.0.1

3.2.10.1.6. Mirror registry for Red Hat OpenShift 2.0.0

Issued: 03 September 2024

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.12.0.

The following advisory is available for the mirror registry for Red Hat OpenShift:

RHBA-2024:5277 - mirror registry for Red Hat OpenShift 2.0.0

3.2.10.1.6.1. New features

With the release of mirror registry for Red Hat OpenShift, the internal database has been
upgraded from PostgreSQL to SQLite. As a result, data is now stored on the sqlite-storage
Podman volume by default, and the overall tarball size is reduced by 300 MB.
New installations use SQLite by default. Before upgrading to version 2.0, see "Updating mirror
registry for Red Hat OpenShift from a local host" or "Updating mirror registry for Red Hat
OpenShift from a remote host" depending on your environment.

A new feature flag, --sqliteStorage has been added. With this flag, you can manually set the
location where SQLite database data is saved.

Mirror registry for Red Hat OpenShift is now available on IBM Power and IBM Z architectures
(s390x and ppc64le).

3.2.10.2. Mirror registry for Red Hat OpenShift 1.3 release notes

To view the mirror registry for Red Hat OpenShift 1.3 release notes, see Mirror registry for Red Hat
OpenShift 1.3 release notes.

3.2.10.3. Mirror registry for Red Hat OpenShift 1.2 release notes

To view the mirror registry for Red Hat OpenShift 1.2 release notes, see Mirror registry for Red Hat
29
OpenShift Container Platform 4.17 Disconnected environments

To view the mirror registry for Red Hat OpenShift 1.2 release notes, see Mirror registry for Red Hat
OpenShift 1.2 release notes.

3.2.10.4. Mirror registry for Red Hat OpenShift 1.1 release notes

To view the mirror registry for Red Hat OpenShift 1.1 release notes, see Mirror registry for Red Hat
OpenShift 1.1 release notes.

3.2.11. Troubleshooting mirror registry for Red Hat OpenShift

To assist in troubleshooting mirror registry for Red Hat OpenShift , you can gather logs of systemd
services installed by the mirror registry. The following services are installed:

quay-app.service

quay-postgres.service

quay-redis.service

quay-pod.service

Prerequisites

You have installed mirror registry for Red Hat OpenShift .

Procedure

If you installed mirror registry for Red Hat OpenShift with root privileges, you can get the status
information of its systemd services by entering the following command:

$ sudo systemctl status <service>

If you installed mirror registry for Red Hat OpenShift as a standard user, you can get the status
information of its systemd services by entering the following command:

$ systemctl --user status <service>

3.2.12. Additional resources

Red Hat Quay garbage collection

Using SSL to protect connections to Red Hat Quay

Configuring the system to trust the certificate authority

Mirroring the OpenShift Container Platform image repository

Mirroring Operator catalogs for use with disconnected clusters

3.3. MIRRORING IMAGES FOR A DISCONNECTED INSTALLATION BY

USING THE OC ADM COMMAND
You can ensure your clusters only use container images that satisfy your organizational controls on

30
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

external content. Before you install a cluster on infrastructure that you provision in a restricted network,
you must mirror the required container images into that environment. By using the oc adm command,
you can mirror release and catalog images in OpenShift. To mirror container images, you must have a
registry for mirroring.

IMPORTANT

You must have access to the internet to obtain the necessary container images. In this
procedure, you place your mirror registry on a mirror host that has access to both your
network and the internet. If you do not have access to a mirror host, use the Mirroring
Operator catalogs for use with disconnected clusters procedure to copy images to a
device you can move across network boundaries with.

3.3.1. Prerequisites
You must have a container image registry that supports Docker v2-2 in the location that will
host the OpenShift Container Platform cluster, such as one of the following registries:

Red Hat Quay

JFrog Artifactory

Sonatype Nexus Repository

Harbor

If you have an entitlement to Red Hat Quay, see the documentation on deploying Red Hat Quay
for proof-of-concept purposes or by using the Red Hat Quay Operator . If you need additional
assistance selecting and installing a registry, contact your sales representative or Red Hat
Support.

If you do not already have an existing solution for a container image registry, subscribers of
OpenShift Container Platform are provided a mirror registry for Red Hat OpenShift . The mirror
registry for Red Hat OpenShift is included with your subscription and is a small-scale container
registry that can be used to mirror the required container images of OpenShift Container
Platform in disconnected installations.

3.3.2. About the mirror registry

IMPORTANT

The OpenShift image registry cannot be used as the target registry because it does not
support pushing without a tag, which is required during the mirroring process.

31
OpenShift Container Platform 4.17 Disconnected environments

NOTE

Red Hat does not test third party registries with OpenShift Container Platform.

Additional information
For information about viewing the CRI-O logs to view the image source, see Viewing the image pull
source.

3.3.3. Preparing your mirror host

Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to
the remote location.

3.3.3.1. Installing the OpenShift CLI

You can install the OpenShift CLI (oc) to interact with OpenShift Container Platform from a command-
line interface. You can install oc on Linux, Windows, or macOS.

IMPORTANT

If you installed an earlier version of oc, you cannot use it to complete all of the commands
in OpenShift Container Platform 4.17. Download and install the new version of oc.

Installing the OpenShift CLI on Linux

You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.

Procedure

1. Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer
Portal.

2. Select the architecture from the Product Variant drop-down list.

3. Select the appropriate version from the Version drop-down list.

32
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

4. Click Download Now next to the OpenShift v4.17 Linux Clients entry and save the file.

5. Unpack the archive:

$ tar xvf <file>

6. Place the oc binary in a directory that is on your PATH.

To check your PATH, execute the following command:

$ echo $PATH

Verification

After you install the OpenShift CLI, it is available using the oc command:

$ oc <command>

Installing the OpenShift CLI on Windows

You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.

Procedure

1. Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer
Portal.

2. Select the appropriate version from the Version drop-down list.

3. Click Download Now next to the OpenShift v4.17 Windows Client entry and save the file.

4. Unzip the archive with a ZIP program.

5. Move the oc binary to a directory that is on your PATH.

To check your PATH, open the command prompt and execute the following command:

C:\> path

Verification

After you install the OpenShift CLI, it is available using the oc command:

C:\> oc <command>

Installing the OpenShift CLI on macOS

You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.

Procedure

1. Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer
Portal.

2. Select the appropriate version from the Version drop-down list.

3. Click Download Now next to the OpenShift v4.17 macOS Clients entry and save the file.

33
OpenShift Container Platform 4.17 Disconnected environments

NOTE

For macOS arm64, choose the OpenShift v4.17 macOS arm64 Client entry.

4. Unpack and unzip the archive.

5. Move the oc binary to a directory on your PATH.

To check your PATH, open a terminal and execute the following command:

$ echo $PATH

Verification

Verify your installation by using an oc command:

$ oc <command>

3.3.4. Configuring credentials that allow images to be mirrored

Create a container image registry credentials file that enables you to mirror images from Red Hat to
your mirror.


WARNING

Do not use this image registry credentials file as the pull secret when you install a
cluster. If you provide this file when you install cluster, all of the machines in the
cluster will have write access to your mirror registry.

Prerequisites

You configured a mirror registry to use in your disconnected environment.

You identified an image repository location on your mirror registry to mirror images into.

You provisioned a mirror registry account that allows images to be uploaded to that image
repository.

You have write access to the mirror registry.

Procedure
Complete the following steps on the installation host:

1. Download your registry.redhat.io pull secret from Red Hat OpenShift Cluster Manager .

2. Make a copy of your pull secret in JSON format by running the following command:

$ cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json> 1

34
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

1 Specify the path to the folder to store the pull secret in and a name for the JSON file that
you create.

Example pull secret

{
"auths": {
"cloud.openshift.com": {
"auth": "b3BlbnNo...",
"email": "[email protected]"
},
"quay.io": {
"auth": "b3BlbnNo...",
"email": "[email protected]"
},
"registry.connect.redhat.com": {
"auth": "NTE3Njg5Nj...",
"email": "[email protected]"
},
"registry.redhat.io": {
"auth": "NTE3Njg5Nj...",
"email": "[email protected]"
}
}
}

3. Generate the base64-encoded user name and password or token for your mirror registry by
running the following command:

$ echo -n '<user_name>:<password>' | base64 -w0 1

1 For <user_name> and <password>, specify the user name and password that you
configured for your registry.

Example output

BGVtbYk3ZHAtqXs=

4. Edit the JSON file and add a section that describes your registry to it:

"auths": {
"<mirror_registry>": { 1
"auth": "<credentials>", 2
"email": "[email protected]"
}
},

1 Specify the registry domain name, and optionally the port, that your mirror registry uses to
serve content. For example, registry.example.com or registry.example.com:8443

2 Specify the base64-encoded user name and password for the mirror registry.

35
OpenShift Container Platform 4.17 Disconnected environments

Example modified pull secret

{
"auths": {
"registry.example.com": {
"auth": "BGVtbYk3ZHAtqXs=",
"email": "[email protected]"
},
"cloud.openshift.com": {
"auth": "b3BlbnNo...",
"email": "[email protected]"
},
"quay.io": {
"auth": "b3BlbnNo...",
"email": "[email protected]"
},
"registry.connect.redhat.com": {
"auth": "NTE3Njg5Nj...",
"email": "[email protected]"
},
"registry.redhat.io": {
"auth": "NTE3Njg5Nj...",
"email": "[email protected]"
}
}
}

3.3.5. Mirroring the OpenShift Container Platform image repository

Mirror the OpenShift Container Platform image repository to your registry to use during cluster
installation or upgrade.

Prerequisites

Your mirror host has access to the internet.

You configured a mirror registry to use in your restricted network and can access the certificate
and credentials that you configured.

You downloaded the pull secret from Red Hat OpenShift Cluster Manager and modified it to
include authentication to your mirror repository.

If you use self-signed certificates, you have specified a Subject Alternative Name in the
certificates.

Procedure
Complete the following steps on the mirror host:

1. Review the OpenShift Container Platform downloads page to determine the version of
OpenShift Container Platform that you want to install and determine the corresponding tag on
the Repository Tags page.

2. Set the required environment variables:

a. Export the release version:

36
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

$ OCP_RELEASE=<release_version>

For <release_version>, specify the tag that corresponds to the version of OpenShift
Container Platform to install, such as 4.5.4.

b. Export the local registry name and host port:

$ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>'

For <local_registry_host_name>, specify the registry domain name for your mirror
repository, and for <local_registry_host_port>, specify the port that it serves content on.

c. Export the local repository name:

$ LOCAL_REPOSITORY='<local_repository_name>'

For <local_repository_name>, specify the name of the repository to create in your

registry, such as ocp4/openshift4.

d. Export the name of the repository to mirror:

$ PRODUCT_REPO='openshift-release-dev'

For a production release, you must specify openshift-release-dev.

e. Export the path to your registry pull secret:

$ LOCAL_SECRET_JSON='<path_to_pull_secret>'

For <path_to_pull_secret>, specify the absolute path to and file name of the pull secret
for your mirror registry that you created.

f. Export the release mirror:

$ RELEASE_NAME="ocp-release"

For a production release, you must specify ocp-release.

g. Export the type of architecture for your cluster:

$ ARCHITECTURE=<cluster_architecture> 1

1 Specify the architecture of the cluster, such as x86_64, aarch64, s390x, or ppc64le.

h. Export the path to the directory to host the mirrored images:

$ REMOVABLE_MEDIA_PATH=<path> 1

1 Specify the full path, including the initial forward slash (/) character.

3. Mirror the version images to the mirror registry:

37
OpenShift Container Platform 4.17 Disconnected environments

If your mirror host does not have internet access, take the following actions:

i. Connect the removable media to a system that is connected to the internet.

ii. Review the images and configuration manifests to mirror:

$ oc adm release mirror -a ${LOCAL_SECRET_JSON} \

--from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-
${ARCHITECTURE} \
--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
--to-release-
image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-
${ARCHITECTURE} --dry-run

iii. Record the entire imageContentSources section from the output of the previous
command. The information about your mirrors is unique to your mirrored repository, and
you must add the imageContentSources section to the install-config.yaml file during
installation.

iv. Mirror the images to a directory on the removable media:

$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-

dir=${REMOVABLE_MEDIA_PATH}/mirror
quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-
${ARCHITECTURE}

v. Take the media to the restricted network environment and upload the images to the
local container registry.

$ oc image mirror -a ${LOCAL_SECRET_JSON} --from-

dir=${REMOVABLE_MEDIA_PATH}/mirror
"file://openshift/release:${OCP_RELEASE}*"
${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} 1

1 For REMOVABLE_MEDIA_PATH, you must use the same path that you specified
when you mirrored the images.

IMPORTANT

Running oc image mirror might result in the following error: error:

unable to retrieve source image. This error occurs when image indexes
include references to images that no longer exist on the image registry.
Image indexes might retain older references to allow users running those
images an upgrade path to newer points on the upgrade graph. As a
temporary workaround, you can use the --skip-missing option to bypass
the error and continue downloading the image index. For more
information, see Service Mesh Operator mirroring failed .

If the local container registry is connected to the mirror host, take the following actions:

i. Directly push the release images to the local registry by using following command:

$ oc adm release mirror -a ${LOCAL_SECRET_JSON} \

--from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-

38
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

${ARCHITECTURE} \
--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
--to-release-
image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-
${ARCHITECTURE}

This command pulls the release information as a digest, and its output includes the
imageContentSources data that you require when you install your cluster.

ii. Record the entire imageContentSources section from the output of the previous
command. The information about your mirrors is unique to your mirrored repository, and
you must add the imageContentSources section to the install-config.yaml file during
installation.

NOTE

The image name gets patched to Quay.io during the mirroring process,
and the podman images will show Quay.io in the registry on the
bootstrap virtual machine.

4. To create the installation program that is based on the content that you mirrored, extract it and
pin it to the release:

If your mirror host does not have internet access, run the following command:

$ oc adm release extract -a ${LOCAL_SECRET_JSON} --icsp-file=<file> --

command=openshift-install
"${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-
${ARCHITECTURE}" \
--insecure=true 1

1 Optional: If you do not want to configure trust for the target registry, add the --
insecure=true flag.

If the local container registry is connected to the mirror host, run the following command:

$ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-install

"${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-
${ARCHITECTURE}"

IMPORTANT

To ensure that you use the correct images for the version of OpenShift
Container Platform that you selected, you must extract the installation
program from the mirrored content.

You must perform this step on a machine with an active internet connection.

5. For clusters using installer-provisioned infrastructure, run the following command:

$ openshift-install

39
OpenShift Container Platform 4.17 Disconnected environments

3.3.6. The Cluster Samples Operator in a disconnected environment

In a disconnected environment, you must take additional steps after you install a cluster to configure the
Cluster Samples Operator. Review the following information in preparation.

3.3.6.1. Cluster Samples Operator assistance for mirroring

During installation, OpenShift Container Platform creates a config map named imagestreamtag-to-
image in the openshift-cluster-samples-operator namespace. The imagestreamtag-to-image config
map contains an entry, the populating image, for each image stream tag.

The format of the key for each entry in the data field in the config map is
<image_stream_name>_<image_stream_tag_name>.

During a disconnected installation of OpenShift Container Platform, the status of the Cluster Samples
Operator is set to Removed. If you choose to change it to Managed, it installs samples.

NOTE

The use of samples in a network-restricted or discontinued environment may require

access to services external to your network. Some example services include: Github,
Maven Central, npm, RubyGems, PyPi and others. There might be additional steps to
take that allow the cluster samples operators’s objects to reach the services they require.

You can use this config map as a reference for which images need to be mirrored for your image
streams to import.

While the Cluster Samples Operator is set to Removed, you can create your mirrored registry, or
determine which existing mirrored registry you want to use.

Mirror the samples you want to the mirrored registry using the new config map as your guide.

Add any of the image streams you did not mirror to the skippedImagestreams list of the
Cluster Samples Operator configuration object.

Set samplesRegistry of the Cluster Samples Operator configuration object to the mirrored
registry.

Then set the Cluster Samples Operator to Managed to install the image streams you have
mirrored.

3.3.7. Mirroring Operator catalogs for use with disconnected clusters

You can mirror the Operator contents of a Red Hat-provided catalog, or a custom catalog, into a
container image registry using the oc adm catalog mirror command. The target registry must support
Docker v2-2. For a cluster on a restricted network, this registry can be one that the cluster has network
access to, such as a mirror registry created during a restricted network cluster installation.

IMPORTANT
40
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

IMPORTANT

The OpenShift image registry cannot be used as the target registry because it
does not support pushing without a tag, which is required during the mirroring
process.

Running oc adm catalog mirror might result in the following error: error: unable
to retrieve source image. This error occurs when image indexes include
references to images that no longer exist on the image registry. Image indexes
might retain older references to allow users running those images an upgrade
path to newer points on the upgrade graph. As a temporary workaround, you can
use the --skip-missing option to bypass the error and continue downloading the
image index. For more information, see Service Mesh Operator mirroring failed .

The oc adm catalog mirror command also automatically mirrors the index image that is specified
during the mirroring process, whether it be a Red Hat-provided index image or your own custom-built
index image, to the target registry. You can then use the mirrored index image to create a catalog
source that allows Operator Lifecycle Manager (OLM) to load the mirrored catalog onto your OpenShift
Container Platform cluster.

Additional resources

Using Operator Lifecycle Manager in disconnected environments

3.3.7.1. Prerequisites

Mirroring Operator catalogs for use with disconnected clusters has the following prerequisites:

Workstation with unrestricted network access.

podman version 1.9.3 or later.

If you want to filter, or prune, an existing catalog and selectively mirror only a subset of
Operators, see the following sections:

Installing the opm CLI

Updating or filtering a file-based catalog image

If you want to mirror a Red Hat-provided catalog, run the following command on your
workstation with unrestricted network access to authenticate with registry.redhat.io:

$ podman login registry.redhat.io

Access to a mirror registry that supports Docker v2-2.

On your mirror registry, decide which repository, or namespace, to use for storing mirrored
Operator content. For example, you might create an olm-mirror repository.

If your mirror registry does not have internet access, connect removable media to your
workstation with unrestricted network access.

If you are working with private registries, including registry.redhat.io, set the REG_CREDS
environment variable to the file path of your registry credentials for use in later steps. For
example, for the podman CLI:

41
OpenShift Container Platform 4.17 Disconnected environments

$ REG_CREDS=${XDG_RUNTIME_DIR}/containers/auth.json

3.3.7.2. Extracting and mirroring catalog contents

The oc adm catalog mirror command extracts the contents of an index image to generate the
manifests required for mirroring. The default behavior of the command generates manifests, then
automatically mirrors all of the image content from the index image, as well as the index image itself, to
your mirror registry.

Alternatively, if your mirror registry is on a completely disconnected, or airgapped, host, you can first
mirror the content to removable media, move the media to the disconnected environment, then mirror
the content from the media to the registry.

3.3.7.2.1. Mirroring catalog contents to registries on the same network

If your mirror registry is co-located on the same network as your workstation with unrestricted network
access, take the following actions on your workstation.

Procedure

1. If your mirror registry requires authentication, run the following command to log in to the
registry:

$ podman login <mirror_registry>

2. Run the following command to extract and mirror the content to the mirror registry:

$ oc adm catalog mirror \

<index_image> \ 1
<mirror_registry>:<port>[/<repository>] \ 2
[-a ${REG_CREDS}] \ 3
[--insecure] \ 4
[--index-filter-by-os='<platform>/<arch>'] \ 5
[--manifests-only] 6

1 Specify the index image for the catalog that you want to mirror.

2 Specify the fully qualified domain name (FQDN) for the target registry to mirror the
Operator contents to. The mirror registry <repository> can be any existing repository, or
namespace, on the registry, for example olm-mirror as outlined in the prerequisites. If
there is an existing repository found during mirroring, the repository name is added to the
resulting image name. If you do not want the image name to include the repository name,
omit the <repository> value from this line, for example <mirror_registry>:<port>.

3 Optional: If required, specify the location of your registry credentials file. {REG_CREDS} is
required for registry.redhat.io.

4 Optional: If you do not want to configure trust for the target registry, add the --insecure
flag.

5 Optional: Specify which platform and architecture of the index image to select when
multiple variants are available. Images are passed as '<platform>/<arch>[/<variant>]'. This
does not apply to images referenced by the index. Valid values are linux/amd64,
linux/ppc64le, linux/s390x, linux/arm64.

42
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

6 Optional: Generate only the manifests required for mirroring without actually mirroring the
image content to a registry. This option can be useful for reviewing what will be mirrored,

Example output

src image has index label for database path: /database/index.db

using database path mapping: /database/index.db:/tmp/153048078
wrote database to /tmp/153048078 1
...
wrote mirroring manifests to manifests-redhat-operator-index-1614211642 2

1 Directory for the temporary index.db database generated by the command.

2 Record the manifests directory name that is generated. This directory is referenced in
subsequent procedures.

NOTE

Red Hat Quay does not support nested repositories. As a result, running the
oc adm catalog mirror command will fail with a 401 unauthorized error. As
a workaround, you can use the --max-components=2 option when running
the oc adm catalog mirror command to disable the creation of nested
repositories. For more information on this workaround, see the
Unauthorized error thrown while using catalog mirror command with Quay
registry Knowledgebase Solution.

Additional resources

Architecture and operating system support for Operators

3.3.7.2.2. Mirroring catalog contents to airgapped registries

If your mirror registry is on a completely disconnected, or airgapped, host, take the following actions.

Procedure

1. Run the following command on your workstation with unrestricted network access to mirror the
content to local files:

$ oc adm catalog mirror \

<index_image> \ 1
file:///local/index \ 2
-a ${REG_CREDS} \ 3
--insecure \ 4
--index-filter-by-os='<platform>/<arch>' 5

1 Specify the index image for the catalog that you want to mirror.

2 Specify the content to mirror to local files in your current directory.

3 Optional: If required, specify the location of your registry credentials file.

43
OpenShift Container Platform 4.17 Disconnected environments

4 Optional: If you do not want to configure trust for the target registry, add the --insecure
flag.

5 Optional: Specify which platform and architecture of the index image to select when
multiple variants are available. Images are specified as '<platform>/<arch>[/<variant>]'.
This does not apply to images referenced by the index. Valid values are linux/amd64,
linux/ppc64le, linux/s390x, linux/arm64, and .*

Example output

...
info: Mirroring completed in 5.93s (5.915MB/s)
wrote mirroring manifests to manifests-my-index-1614985528 1

To upload local images to a registry, run:

oc adm catalog mirror file://local/index/myrepo/my-index:v1 REGISTRY/REPOSITORY 2

1 Record the manifests directory name that is generated. This directory is referenced in
subsequent procedures.

2 Record the expanded file:// path that is based on your provided index image. This path is
referenced in a subsequent step.

This command creates a v2/ directory in your current directory.

2. Copy the v2/ directory to removable media.

3. Physically remove the media and attach it to a host in the disconnected environment that has
access to the mirror registry.

4. If your mirror registry requires authentication, run the following command on your host in the
disconnected environment to log in to the registry:

$ podman login <mirror_registry>

5. Run the following command from the parent directory containing the v2/ directory to upload the
images from local files to the mirror registry:

$ oc adm catalog mirror \

file://local/index/<repository>/<index_image>:<tag> \ 1
<mirror_registry>:<port>[/<repository>] \ 2
-a ${REG_CREDS} \ 3
--insecure \ 4
--index-filter-by-os='<platform>/<arch>' 5

1 Specify the file:// path from the previous command output.

44
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

omit the <repository> value from this line, for example <mirror_registry>:<port>.

3 Optional: If required, specify the location of your registry credentials file.

4 Optional: If you do not want to configure trust for the target registry, add the --insecure
flag.

NOTE

Red Hat Quay does not support nested repositories. As a result, running the oc
adm catalog mirror command will fail with a 401 unauthorized error. As a
workaround, you can use the --max-components=2 option when running the oc
adm catalog mirror command to disable the creation of nested repositories. For
more information on this workaround, see the Unauthorized error thrown while
using catalog mirror command with Quay registry Knowledgebase Solution.

6. Run the oc adm catalog mirror command again. Use the newly mirrored index image as the
source and the same mirror registry target used in the previous step:

$ oc adm catalog mirror \

<mirror_registry>:<port>/<index_image> \
<mirror_registry>:<port>[/<repository>] \
--manifests-only \ 1
[-a ${REG_CREDS}] \
[--insecure]

1 The --manifests-only flag is required for this step so that the command does not copy all
of the mirrored content again.

IMPORTANT

This step is required because the image mappings in the

imageContentSourcePolicy.yaml file generated during the previous step must
be updated from local paths to valid mirror locations. Failure to do so will cause
errors when you create the ImageContentSourcePolicy object in a later step.

After you mirror the catalog, you can continue with the remainder of your cluster installation. After your
cluster installation has finished successfully, you must specify the manifests directory from this
procedure to create the ImageContentSourcePolicy and CatalogSource objects. These objects are
required to enable installation of Operators from OperatorHub.

Additional resources

Architecture and operating system support for Operators

3.3.7.3. Generated manifests

After mirroring Operator catalog content to your mirror registry, a manifests directory is generated in
45
OpenShift Container Platform 4.17 Disconnected environments

After mirroring Operator catalog content to your mirror registry, a manifests directory is generated in
your current directory.

If you mirrored content to a registry on the same network, the directory name takes the following
pattern:

manifests-<index_image_name>-<random_number>

If you mirrored content to a registry on a disconnected host in the previous section, the directory name
takes the following pattern:

manifests-index/<repository>/<index_image_name>-<random_number>

NOTE

The manifests directory name is referenced in subsequent procedures.

The manifests directory contains the following files, some of which might require further modification:

The catalogSource.yaml file is a basic definition for a CatalogSource object that is pre-
populated with your index image tag and other relevant metadata. This file can be used as is or
modified to add the catalog source to your cluster.

IMPORTANT

If you mirrored the content to local files, you must modify your
catalogSource.yaml file to remove any backslash ( /) characters from the
metadata.name field. Otherwise, when you attempt to create the object, it fails
with an "invalid resource name" error.

The imageContentSourcePolicy.yaml file defines an ImageContentSourcePolicy object that

can configure nodes to translate between the image references stored in Operator manifests
and the mirrored registry.

NOTE

If your cluster uses an ImageContentSourcePolicy object to configure

repository mirroring, you can use only global pull secrets for mirrored registries.
You cannot add a pull secret to a project.

The mapping.txt file contains all of the source images and where to map them in the target
registry. This file is compatible with the oc image mirror command and can be used to further
customize the mirroring configuration.

IMPORTANT

If you used the --manifests-only flag during the mirroring process and want to
further trim the subset of packages to mirror, see the steps in the Mirroring a
package manifest format catalog image procedure of the OpenShift Container
Platform 4.7 documentation about modifying your mapping.txt file and using the
file with the oc image mirror command.

46
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

3.3.7.4. Postinstallation requirements

Additional resources

Populating OperatorHub from mirrored Operator catalogs

Updating or filtering a file-based catalog image

3.3.8. Next steps

Install a cluster on infrastructure that you provision in your restricted network, such as on
VMware vSphere, bare metal, or Amazon Web Services.

3.3.9. Additional resources

See Gathering data about specific features for more information about using must-gather.

3.4. MIRRORING IMAGES FOR A DISCONNECTED INSTALLATION

USING THE OC-MIRROR PLUGIN
Running your cluster in a restricted network without direct internet connectivity is possible by installing
the cluster from a mirrored set of OpenShift Container Platform container images in a private registry.
This registry must be running at all times as long as the cluster is running. See the Prerequisites section
for more information.

You can use the oc-mirror OpenShift CLI (oc) plugin to mirror images to a mirror registry in your fully or
partially disconnected environments. You must run oc-mirror from a system with internet connectivity in
order to download the required images from the official Red Hat registries.

3.4.1. About the oc-mirror plugin

You can use the oc-mirror OpenShift CLI (oc) plugin to mirror all required OpenShift Container
Platform content and other images to your mirror registry by using a single tool. It provides the following
features:

Provides a centralized method to mirror OpenShift Container Platform releases, Operators,

helm charts, and other images.

Maintains update paths for OpenShift Container Platform and Operators.

Uses a declarative image set configuration file to include only the OpenShift Container
Platform releases, Operators, and images that your cluster needs.

Performs incremental mirroring, which reduces the size of future image sets.

Prunes images from the target mirror registry that were excluded from the image set
configuration since the previous execution.

Optionally generates supporting artifacts for OpenShift Update Service (OSUS) usage.

When using the oc-mirror plugin, you specify which content to mirror in an image set configuration file. In
47
OpenShift Container Platform 4.17 Disconnected environments

When using the oc-mirror plugin, you specify which content to mirror in an image set configuration file. In
this YAML file, you can fine-tune the configuration to only include the OpenShift Container Platform
releases and Operators that your cluster needs. This reduces the amount of data that you need to
download and transfer. The oc-mirror plugin can also mirror arbitrary helm charts and additional
container images to assist users in seamlessly synchronizing their workloads onto mirror registries.

The first time you run the oc-mirror plugin, it populates your mirror registry with the required content to
perform your disconnected cluster installation or update. In order for your disconnected cluster to
continue receiving updates, you must keep your mirror registry updated. To update your mirror registry,
you run the oc-mirror plugin using the same configuration as the first time you ran it. The oc-mirror
plugin references the metadata from the storage backend and only downloads what has been released
since the last time you ran the tool. This provides update paths for OpenShift Container Platform and
Operators and performs dependency resolution as required.

3.4.1.1. High level workflow

The following steps outline the high-level workflow on how to use the oc-mirror plugin to mirror images
to a mirror registry:

1. Create an image set configuration file.

2. Mirror the image set to the target mirror registry by using one of the following methods:

Mirror an image set directly to the target mirror registry.

Mirror an image set to disk, transfer the image set to the target environment, then upload
the image set to the target mirror registry.

3. Configure your cluster to use the resources generated by the oc-mirror plugin.

4. Repeat these steps to update your target mirror registry as necessary.

IMPORTANT

When using the oc-mirror CLI plugin to populate a mirror registry, any further updates to
the target mirror registry must be made by using the oc-mirror plugin.

3.4.2. oc-mirror plugin compatibility and support

The oc-mirror plugin supports mirroring OpenShift Container Platform payload images and Operator
catalogs for OpenShift Container Platform versions 4.12 and later.

NOTE

On aarch64, ppc64le, and s390x architectures the oc-mirror plugin is only supported for
OpenShift Container Platform versions 4.14 and later.

Use the latest available version of the oc-mirror plugin regardless of which versions of OpenShift
Container Platform you need to mirror.

Additional resources

For information on updating oc-mirror, see Viewing the image pull source.

48
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

3.4.3. About the mirror registry

You can mirror the images that are required for OpenShift Container Platform installation and
subsequent product updates to a container mirror registry that supports Docker v2-2, such as Red Hat
Quay. If you do not have access to a large-scale container registry, you can use the mirror registry for
Red Hat OpenShift, which is a small-scale container registry included with OpenShift Container Platform
subscriptions.

Regardless of your chosen registry, the procedure to mirror content from Red Hat hosted sites on the
internet to an isolated image registry is the same. After you mirror the content, you configure each
cluster to retrieve this content from your mirror registry.

IMPORTANT

The OpenShift image registry cannot be used as the target registry because it does not
support pushing without a tag, which is required during the mirroring process.

NOTE

Red Hat does not test third party registries with OpenShift Container Platform.

Additional resources

For information about viewing the CRI-O logs to view the image source, see Viewing the image
pull source.

3.4.4. Prerequisites
You must have a container image registry that supports Docker v2-2 in the location that will
host the OpenShift Container Platform cluster, such as Red Hat Quay.

NOTE
49
OpenShift Container Platform 4.17 Disconnected environments

NOTE

If you use Red Hat Quay, you must use version 3.6 or later with the oc-mirror
plugin. If you have an entitlement to Red Hat Quay, see the documentation on
deploying Red Hat Quay for proof-of-concept purposes or by using the Red Hat
Quay Operator. If you need additional assistance selecting and installing a
registry, contact your sales representative or Red Hat Support.

3.4.5. Preparing your mirror hosts

Before you can use the oc-mirror plugin to mirror images, you must install the plugin and create a
container image registry credentials file to allow the mirroring from Red Hat to your mirror.

3.4.5.1. Installing the oc-mirror OpenShift CLI plugin

Install the oc-mirror OpenShift CLI plugin to manage image sets in disconnected environments.

Prerequisites

You have installed the OpenShift CLI (oc). If you are mirroring image sets in a fully
disconnected environment, ensure the following:

You have installed the oc-mirror plugin on the host that has internet access.

The host in the disconnected environment has access to the target mirror registry.

You have set the umask parameter to 0022 on the operating system that uses oc-mirror.

You have installed the correct binary for the RHEL version that you are using.

Procedure

1. Download the oc-mirror CLI plugin:

a. Navigate to the Downloads page of the Red Hat Hybrid Cloud Console.

b. In the OpenShift disconnected installation tools section, select the OS type and
Architecture type of the OpenShift Client (oc) mirror plugin from the dropdown menus.

c. Click Download to save the file.

2. Extract the archive by running the following command:

$ tar xvzf oc-mirror.tar.gz

3. If necessary, update the plugin file to be executable by running the following command:

$ chmod +x oc-mirror

NOTE
50
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

NOTE

Do not rename the oc-mirror file.

4. Install the oc-mirror CLI plugin by placing the file in your PATH, for example /usr/local/bin, by
running the following command:

$ sudo mv oc-mirror /usr/local/bin/.

Verification

Verify that the oc-mirror plugin v1 is successfully installed by running the following command:

$ oc mirror help

Additional resources

Installing and using CLI plugins

3.4.5.2. Configuring credentials that allow images to be mirrored

Create a container image registry credentials file that enables you to mirror images from Red Hat to
your mirror.


WARNING

Prerequisites

You configured a mirror registry to use in your disconnected environment.

You identified an image repository location on your mirror registry to mirror images into.

You provisioned a mirror registry account that allows images to be uploaded to that image
repository.

You have write access to the mirror registry.

Procedure
Complete the following steps on the installation host:

1. Download your registry.redhat.io pull secret from Red Hat OpenShift Cluster Manager .

2. Make a copy of your pull secret in JSON format by running the following command:

$ cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json> 1

51
OpenShift Container Platform 4.17 Disconnected environments

1 Specify the path to the folder to store the pull secret in and a name for the JSON file that
you create.

Example pull secret

3. Save the file as either ~/.docker/config.json or $XDG_RUNTIME_DIR/containers/auth.json:

a. If the .docker or $XDG_RUNTIME_DIR/containers directories do not exist, create one by

entering the following command:

$ mkdir -p <directory_name>

Where <directory_name> is either ~/.docker or $XDG_RUNTIME_DIR/containers.

b. Copy the pull secret to the appropriate directory by entering the following command:

$ cp <path>/<pull_secret_file_in_json> <directory_name>/<auth_file>

Where <directory_name> is either ~/.docker or $XDG_RUNTIME_DIR/containers, and

<auth_file> is either config.json or auth.json.

4. Generate the base64-encoded user name and password or token for your mirror registry by
running the following command:

$ echo -n '<user_name>:<password>' | base64 -w0 1

1 For <user_name> and <password>, specify the user name and password that you
configured for your registry.

Example output

52
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

BGVtbYk3ZHAtqXs=

5. Edit the JSON file and add a section that describes your registry to it:

"auths": {
"<mirror_registry>": { 1
"auth": "<credentials>", 2
"email": "[email protected]"
}
},

1 Specify the registry domain name, and optionally the port, that your mirror registry uses to
serve content. For example, registry.example.com or registry.example.com:8443

2 Specify the base64-encoded user name and password for the mirror registry.

Example modified pull secret

3.4.6. Creating the image set configuration

Before you can use the oc-mirror plugin to mirror image sets, you must create an image set
configuration file. This image set configuration file defines which OpenShift Container Platform
releases, Operators, and other images to mirror, along with other configuration settings for the oc-
mirror plugin.

You must specify a storage backend in the image set configuration file. This storage backend can be a
local directory or a registry that supports Docker v2-2. The oc-mirror plugin stores metadata in this
storage backend during image set creation.

53
OpenShift Container Platform 4.17 Disconnected environments

IMPORTANT

Do not delete or modify the metadata that is generated by the oc-mirror plugin. You
must use the same storage backend every time you run the oc-mirror plugin for the same
mirror registry.

Prerequisites

You have created a container image registry credentials file. For instructions, see "Configuring
credentials that allow images to be mirrored".

Procedure

1. Use the oc mirror init command to create a template for the image set configuration and save
it to a file called imageset-config.yaml:

$ oc mirror init <--registry <storage_backend> > imageset-config.yaml 1

1 Specifies the location of your storage backend, such as example.com/mirror/oc-mirror-

metadata.

2. Edit the file and adjust the settings as necessary:

kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
archiveSize: 4 1
storageConfig: 2
registry:
imageURL: example.com/mirror/oc-mirror-metadata 3
skipTLS: false
mirror:
platform:
channels:
- name: stable-4.17 4
type: ocp
graph: true 5
operators:
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.17 6
packages:
- name: serverless-operator 7
channels:
- name: stable 8
additionalImages:
- name: registry.redhat.io/ubi9/ubi:latest 9
helm: {}

1 Add archiveSize to set the maximum size, in GiB, of each file within the image set.

2 Set the back-end location to save the image set metadata to. This location can be a
registry or local directory. It is required to specify storageConfig values.

3 Set the registry URL for the storage backend.

54
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

4 Set the channel to retrieve the OpenShift Container Platform images from.

5 Add graph: true to build and push the graph-data image to the mirror registry. The graph-
data image is required to create OpenShift Update Service (OSUS). The graph: true field
also generates the UpdateService custom resource manifest. The oc command-line
interface (CLI) can use the UpdateService custom resource manifest to create OSUS. For
more information, see About the OpenShift Update Service .

6 Set the Operator catalog to retrieve the OpenShift Container Platform images from.

7 Specify only certain Operator packages to include in the image set. Remove this field to
retrieve all packages in the catalog.

8 Specify only certain channels of the Operator packages to include in the image set. You
must always include the default channel for the Operator package even if you do not use
the bundles in that channel. You can find the default channel by running the following
command: oc mirror list operators --catalog=<catalog_name> --package=
<package_name>.

9 Specify any additional images to include in image set.

NOTE

The graph: true field also mirrors the ubi-micro image along with other mirrored
images.

When upgrading OpenShift Container Platform Extended Update Support (EUS)

versions, an intermediate version might be required between the current and
target versions. For example, if the current version is 4.14 and target version is
4.16, you might need to include a version such as 4.15.8 in the
ImageSetConfiguration when using the oc-mirror plugin v1.

The oc-mirror plugin v1 might not always detect this automatically, so check the
Cincinnati graph web page to confirm any required intermediate versions and
add them manually to your configuration.

See "Image set configuration parameters" for the full list of parameters and "Image set
configuration examples" for various mirroring use cases.

3. Save the updated file.

This image set configuration file is required by the oc mirror command when mirroring content.

Additional resources

Image set configuration parameters

Image set configuration examples

Using the OpenShift Update Service in a disconnected environment

3.4.7. Mirroring an image set to a mirror registry

You can use the oc-mirror CLI plugin to mirror images to a mirror registry in a partially disconnected
environment or in a fully disconnected environment.

55
OpenShift Container Platform 4.17 Disconnected environments

These procedures assume that you already have your mirror registry set up.

3.4.7.1. Mirroring an image set in a partially disconnected environment

In a partially disconnected environment, you can mirror an image set directly to the target mirror registry.

3.4.7.1.1. Mirroring from mirror to mirror

You can use the oc-mirror plugin to mirror an image set directly to a target mirror registry that is
accessible during image set creation.

You are required to specify a storage backend in the image set configuration file. This storage backend
can be a local directory or a Docker v2 registry. The oc-mirror plugin stores metadata in this storage
backend during image set creation.

IMPORTANT

Do not delete or modify the metadata that is generated by the oc-mirror plugin. You
must use the same storage backend every time you run the oc-mirror plugin for the same
mirror registry.

Prerequisites

You have access to the internet to get the necessary container images.

You have installed the OpenShift CLI (oc).

You have installed the oc-mirror CLI plugin.

You have created the image set configuration file.

Procedure

Run the oc mirror command to mirror the images from the specified image set configuration to
a specified registry:

$ oc mirror --config=./<imageset-config.yaml> \ 1
docker://registry.example:5000 2

1 Specify the image set configuration file that you created. For example, imageset-
config.yaml.

2 Specify the registry to mirror the image set file to. The registry must start with docker://. If
you specify a top-level namespace for the mirror registry, you must also use this same
namespace on subsequent executions.

Verification

1. Navigate into the oc-mirror-workspace/ directory that was generated.

2. Navigate into the results directory, for example, results-1639608409/.

3. Verify that YAML files are present for the ImageContentSourcePolicy and CatalogSource
resources.

56
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

NOTE

The repositoryDigestMirrors section of the ImageContentSourcePolicy YAML file is

used for the install-config.yaml file during installation.

Next steps

Configure your cluster to use the resources generated by oc-mirror.

Troubleshooting

Unable to retrieve source image .

3.4.7.2. Mirroring an image set in a fully disconnected environment

To mirror an image set in a fully disconnected environment, you must first mirror the image set to disk ,
then mirror the image set file on disk to a mirror .

3.4.7.2.1. Mirroring from mirror to disk

You can use the oc-mirror plugin to generate an image set and save the contents to disk. The
generated image set can then be transferred to the disconnected environment and mirrored to the
target registry.

IMPORTANT

Depending on the configuration specified in the image set configuration file, using oc-
mirror to mirror images might download several hundreds of gigabytes of data to disk.

The initial image set download when you populate the mirror registry is often the largest.
Because you only download the images that changed since the last time you ran the
command, when you run the oc-mirror plugin again, the generated image set is often
smaller.

You are required to specify a storage backend in the image set configuration file. This storage backend
can be a local directory or a docker v2 registry. The oc-mirror plugin stores metadata in this storage
backend during image set creation.

IMPORTANT

Do not delete or modify the metadata that is generated by the oc-mirror plugin. You
must use the same storage backend every time you run the oc-mirror plugin for the same
mirror registry.

Prerequisites

You have access to the internet to obtain the necessary container images.

You have installed the OpenShift CLI (oc).

You have installed the oc-mirror CLI plugin.

You have created the image set configuration file.

57
OpenShift Container Platform 4.17 Disconnected environments

Procedure

Run the oc mirror command to mirror the images from the specified image set configuration to
disk:

$ oc mirror --config=./imageset-config.yaml \ 1
file://<path_to_output_directory> 2

1 Pass in the image set configuration file that was created. This procedure assumes that it is
named imageset-config.yaml.

2 Specify the target directory where you want to output the image set file. The target
directory path must start with file://.

Verification

1. Navigate to your output directory:

$ cd <path_to_output_directory>

2. Verify that an image set .tar file was created:

$ ls

Example output

mirror_seq1_000000.tar

Next steps

Transfer the image set .tar file to the disconnected environment.

Troubleshooting

Unable to retrieve source image .

3.4.7.2.2. Mirroring from disk to mirror

You can use the oc-mirror plugin to mirror the contents of a generated image set to the target mirror
registry.

Prerequisites

You have installed the OpenShift CLI (oc) in the disconnected environment.

You have installed the oc-mirror CLI plugin in the disconnected environment.

You have generated the image set file by using the oc mirror command.

You have transferred the image set file to the disconnected environment.

Procedure

58
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Run the oc mirror command to process the image set file on disk and mirror the contents to a
target mirror registry:

$ oc mirror --from=./mirror_seq1_000000.tar \ 1
docker://registry.example:5000 2

1 Pass in the image set .tar file to mirror, named mirror_seq1_000000.tar in this example. If
an archiveSize value was specified in the image set configuration file, the image set might
be broken up into multiple .tar files. In this situation, you can pass in a directory that
contains the image set .tar files.

This command updates the mirror registry with the image set and generates the
ImageContentSourcePolicy and CatalogSource resources.

Verification

1. Navigate into the oc-mirror-workspace/ directory that was generated.

2. Navigate into the results directory, for example, results-1639608409/.

3. Verify that YAML files are present for the ImageContentSourcePolicy and CatalogSource
resources.

Next steps

Configure your cluster to use the resources generated by oc-mirror.

Troubleshooting

Unable to retrieve source image .

3.4.8. Configuring your cluster to use the resources generated by oc-mirror

After you have mirrored your image set to the mirror registry, you must apply the generated
ImageContentSourcePolicy, CatalogSource, and release image signature resources into the cluster.

The ImageContentSourcePolicy resource associates the mirror registry with the source registry and
redirects image pull requests from the online registries to the mirror registry. The CatalogSource
resource is used by Operator Lifecycle Manager (OLM) to retrieve information about the available
Operators in the mirror registry. The release image signatures are used to verify the mirrored release
images.

Prerequisites

You have mirrored the image set to the registry mirror in the disconnected environment.

You have access to the cluster as a user with the cluster-admin role.

Procedure

59
OpenShift Container Platform 4.17 Disconnected environments

1. Log in to the OpenShift CLI as a user with the cluster-admin role.

2. Apply the YAML files from the results directory to the cluster by running the following
command:

$ oc apply -f ./oc-mirror-workspace/results-1639608409/

3. If you mirrored release images, apply the release image signatures to the cluster by running the
following command:

$ oc apply -f ./oc-mirror-workspace/results-1639608409/release-signatures/

NOTE

If you are mirroring Operators instead of clusters, you do not need to run $ oc
apply -f ./oc-mirror-workspace/results-1639608409/release-signatures/.
Running that command will return an error, as there are no release image
signatures to apply.

Verification

1. Verify that the ImageContentSourcePolicy resources were successfully installed by running

the following command:

$ oc get imagecontentsourcepolicy

2. Verify that the CatalogSource resources were successfully installed by running the following
command:

$ oc get catalogsource -n openshift-marketplace

3.4.9. Updating your mirror registry content

You can update your mirror registry content by updating the image set configuration file and mirroring
the image set to the mirror registry. The next time that you run the oc-mirror plugin, an image set is
generated that only contains new and updated images since the previous execution.

While updating the mirror registry, you must take into account the following considerations:

Images are pruned from the target mirror registry if they are no longer included in the latest
image set that was generated and mirrored. Therefore, ensure that you are updating images for
the same combination of the following key components so that only a differential image set is
created and mirrored:

Image set configuration

Destination registry

Storage configuration

The images can be pruned in case of disk to mirror or mirror to mirror workflow.

The generated image sets must be pushed to the target mirror registry in sequence. You can
derive the sequence number from the file name of the generated image set archive file.

60
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Do not delete or modify the metadata image that is generated by the oc-mirror plugin.

If you specified a top-level namespace for the mirror registry during the initial image set
creation, then you must use this same namespace every time you run the oc-mirror plugin for
the same mirror registry.

For more information about the workflow to update the mirror registry content, see the "High level
workflow" section.

3.4.9.1. Mirror registry update examples

This section covers the use cases for updating the mirror registry from disk to mirror.

Example ImageSetConfiguration file that was previously used for mirroring

apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
storageConfig:
local:
path: /home/user/metadata
mirror:
platform:
channels:
- name: stable-4.12
minVersion: 4.12.1
maxVersion: 4.12.1
operators:
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.14
packages:
- name: rhacs-operator
channels:
- name: stable

Mirroring a specific OpenShift Container Platform version by pruning the existing images

Updated ImageSetConfiguration file

apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
storageConfig:
local:
path: /home/user/metadata
mirror:
platform:
channels:
- name: stable-4.13 1
operators:
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.14
packages:
- name: rhacs-operator
channels:
- name: stable

1 Replacing by stable-4.13 prunes all the images of stable-4.12.

61
OpenShift Container Platform 4.17 Disconnected environments

Updating to the latest version of an Operator by pruning the existing images

Updated ImageSetConfiguration file

1 Using the same channel without specifying a version prunes the existing images and updates with
the latest version of images.

Mirroring a new Operator by pruning the existing Operator

Updated ImageSetConfiguration file

1 Replacing rhacs-operator with new_operator_name prunes the Red Hat Advanced Cluster
Security for Kubernetes Operator.

Pruning all the OpenShift Container Platform images

Updated ImageSetConfiguration file

62
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
storageConfig:
local:
path: /home/user/metadata
mirror:
platform:
channels:
operators:
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.14
packages:

Additional resources

Image set configuration examples

Mirroring an image set in a partially disconnected environment

Mirroring an image set in a fully disconnected environment

Configuring your cluster to use the resources generated by oc-mirror

3.4.10. Performing a dry run

You can use oc-mirror to perform a dry run, without actually mirroring any images. This allows you to
review the list of images that would be mirrored, as well as any images that would be pruned from the
mirror registry. A dry run also allows you to catch any errors with your image set configuration early or
use the generated list of images with other tools to carry out the mirroring operation.

Prerequisites

You have access to the internet to obtain the necessary container images.

You have installed the OpenShift CLI (oc).

You have installed the oc-mirror CLI plugin.

You have created the image set configuration file.

Procedure

1. Run the oc mirror command with the --dry-run flag to perform a dry run:

$ oc mirror --config=./imageset-config.yaml \ 1
docker://registry.example:5000 \ 2
--dry-run 3

1 Pass in the image set configuration file that was created. This procedure assumes that it is
named imageset-config.yaml.

2 Specify the mirror registry. Nothing is mirrored to this registry as long as you use the --dry-
run flag.

3 Use the --dry-run flag to generate the dry run artifacts and not an actual image set file.

63
OpenShift Container Platform 4.17 Disconnected environments

Example output

Checking push permissions for registry.example:5000

Creating directory: oc-mirror-workspace/src/publish
Creating directory: oc-mirror-workspace/src/v2
Creating directory: oc-mirror-workspace/src/charts
Creating directory: oc-mirror-workspace/src/release-signatures
No metadata detected, creating new workspace
wrote mirroring manifests to oc-mirror-workspace/operators.1658342351/manifests-redhat-
operator-index

...

info: Planning completed in 31.48s

info: Dry run complete
Writing image mapping to oc-mirror-workspace/mapping.txt

2. Navigate into the workspace directory that was generated:

$ cd oc-mirror-workspace/

3. Review the mapping.txt file that was generated.

This file contains a list of all images that would be mirrored.

4. Review the pruning-plan.json file that was generated.

This file contains a list of all images that would be pruned from the mirror registry when the
image set is published.

NOTE

The pruning-plan.json file is only generated if your oc-mirror command points

to your mirror registry and there are images to be pruned.

3.4.11. Including local OCI Operator catalogs

While mirroring OpenShift Container Platform releases, Operator catalogs, and additional images from a
registry to a partially disconnected cluster, you can include Operator catalog images from a local file-
based catalog on disk. The local catalog must be in the Open Container Initiative (OCI) format.

The local catalog and its contents are mirrored to your target mirror registry based on the filtering
information in the image set configuration file.

IMPORTANT

When mirroring local OCI catalogs, any OpenShift Container Platform releases or
additional images that you want to mirror along with the local OCI-formatted catalog
must be pulled from a registry.

You cannot mirror OCI catalogs along with an oc-mirror image set file on disk.

One example use case for using the OCI feature is if you have a CI/CD system building an OCI catalog to
a location on disk, and you want to mirror that OCI catalog along with an OpenShift Container Platform
release to your mirror registry.

64
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

NOTE

If you used the Technology Preview OCI local catalogs feature for the oc-mirror plugin
for OpenShift Container Platform 4.12, you can no longer use the OCI local catalogs
feature of the oc-mirror plugin to copy a catalog locally and convert it to OCI format as a
first step to mirroring to a fully disconnected cluster.

Prerequisites

You have access to the internet to obtain the necessary container images.

You have installed the OpenShift CLI (oc).

You have installed the oc-mirror CLI plugin.

Procedure

1. Create the image set configuration file and adjust the settings as necessary.
The following example image set configuration mirrors an OCI catalog on disk along with an
OpenShift Container Platform release and a UBI image from registry.redhat.io.

kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
storageConfig:
local:
path: /home/user/metadata 1
mirror:
platform:
channels:
- name: stable-4.17 2
type: ocp
graph: false
operators:
- catalog: oci:///home/user/oc-mirror/my-oci-catalog 3
targetCatalog: my-namespace/redhat-operator-index 4
packages:
- name: aws-load-balancer-operator
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.17 5
packages:
- name: rhacs-operator
additionalImages:
- name: registry.redhat.io/ubi9/ubi:latest 6

1 Set the back-end location to save the image set metadata to. This location can be a
registry or local directory. It is required to specify storageConfig values.

2 Optionally, include an OpenShift Container Platform release to mirror from

registry.redhat.io.

3 Specify the absolute path to the location of the OCI catalog on disk. The path must start
with oci:// when using the OCI feature.

4 Optionally, specify an alternative namespace and name to mirror the catalog as.

5 Optionally, specify additional Operator catalogs to pull from a registry.

65
OpenShift Container Platform 4.17 Disconnected environments

6 Optionally, specify additional images to pull from a registry.

2. Run the oc mirror command to mirror the OCI catalog to a target mirror registry:

$ oc mirror --config=./imageset-config.yaml \ 1
docker://registry.example:5000 2

1 Pass in the image set configuration file. This procedure assumes that it is named
imageset-config.yaml.

2 Specify the registry to mirror the content to. The registry must start with docker://. If you
specify a top-level namespace for the mirror registry, you must also use this same
namespace on subsequent executions.

Optionally, you can specify other flags to adjust the behavior of the OCI feature:

--oci-insecure-signature-policy
Do not push signatures to the target mirror registry.
--oci-registries-config
Specify the path to a TOML-formatted registries.conf file. You can use this to mirror from a
different registry, such as a pre-production location for testing, without having to change the
image set configuration file. This flag only affects local OCI catalogs, not any other mirrored
content.

Example registries.conf file

[[registry]]
location = "registry.redhat.io:5000"
insecure = false
blocked = false
mirror-by-digest-only = true
prefix = ""
[[registry.mirror]]
location = "preprod-registry.example.com"
insecure = false

Next steps

Configure your cluster to use the resources generated by oc-mirror.

Additional resources

Configuring your cluster to use the resources generated by oc-mirror

3.4.12. Image set configuration parameters

The oc-mirror plugin requires an image set configuration file that defines what images to mirror. The
following table lists the available parameters for the ImageSetConfiguration resource.

Table 3.1. ImageSetConfiguration parameters

66
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Parameter Description Values

apiVersion The API version for the String. For

ImageSetConfiguration content. example:
mirror.openshif
t.io/v1alpha2 .

archiveSize The maximum size, in GiB, of each archive Integer. For

file within the image set. example: 4

mirror The configuration of the image set. Object

mirror.additionalImages The additional images configuration of Array of objects.

the image set. For example:

additionalIma
ges:
- name:
registry.redha
t.io/ubi8/ubi:lat
est

mirror.additionalImages.name The tag or digest of the image to mirror. String. For

example:
registry.redhat.i
o/ubi8/ubi:latest

mirror.blockedImages The full tag, digest, or pattern of images Array of strings.

to block from mirroring. For example:
docker.io/librar
y/alpine

mirror.helm The helm configuration of the image set. Object

Note that the oc-mirror plugin supports
only helm charts that do not require user
input when rendered.

mirror.helm.local The local helm charts to mirror. Array of objects.

For example:

local:
- name:
podinfo
path:
/test/podinfo-
5.0.0.tar.gz

mirror.helm.local.name The name of the local helm chart to String. For

mirror. example: podinfo.

67
OpenShift Container Platform 4.17 Disconnected environments

Parameter Description Values

mirror.helm.local.path The path of the local helm chart to mirror. String. For
example:
/test/podinfo-
5.0.0.tar.gz.

mirror.helm.repositories The remote helm repositories to mirror Array of objects.

from. For example:

repositories:
- name:
podinfo
url:
https://exampl
e.github.io/po
dinfo
charts:
- name:
podinfo
version:
5.0.0

mirror.helm.repositories.name The name of the helm repository to mirror String. For

from. example: podinfo.

mirror.helm.repositories.url The URL of the helm repository to mirror String. For

from. example:
https://example.
github.io/podinf
o.

mirror.helm.repositories.charts The remote helm charts to mirror. Array of objects.

mirror.helm.repositories.charts.na The name of the helm chart to mirror. String. For

me example: podinfo.

mirror.helm.repositories.charts.ver The version of the named helm chart to String. For

sion mirror. example: 5.0.0.

68
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Parameter Description Values

mirror.operators The Operators configuration of the image Array of objects.

set. For example:

operators:
- catalog:
registry.redha
t.io/redhat/red
hat-operator-
index:v4.17
packages:
- name:
elasticsearch-
operator

minVersion:
'2.4.0'

mirror.operators.catalog The Operator catalog to include in the String. For

image set. example:
registry.redhat.i
o/redhat/redhat-
operator-
index:v4.17.

mirror.operators.full When true, downloads the full catalog, Boolean. The

Operator package, or Operator channel. default value is
false.

mirror.operators.packages The Operator packages configuration. Array of objects.

For example:

operators:
- catalog:
registry.redha
t.io/redhat/red
hat-operator-
index:v4.17
packages:
- name:
elasticsearch-
operator

minVersion:
'5.2.3-31'

mirror.operators.packages.name The Operator package name to include in String. For

the image set example:
elasticsearch-
operator .

69
OpenShift Container Platform 4.17 Disconnected environments

Parameter Description Values

mirror.operators.packages.channel The Operator package channel Object

s configuration.

mirror.operators.packages.channel The Operator channel name, unique String. For

s.name within a package, to include in the image example: fast or
set. stable-v4.17.

mirror.operators.packages.channel The highest version of the Operator String. For

s.maxVersion mirror across all channels in which it example: 5.2.3-31
exists. See the following note for further
information.

mirror.operators.packages.channel The name of the minimum bundle to String. For

s.minBundle include, plus all bundles in the update example:
graph to the channel head. Set this field bundleName
only if the named bundle has no semantic
version metadata.

mirror.operators.packages.channel The lowest version of the Operator to String. For

s.minVersion mirror across all channels in which it example: 5.2.3-31
exists. See the following note for further
information.

mirror.operators.packages.maxVers The highest version of the Operator to String. For

ion mirror across all channels in which it example: 5.2.3-31.
exists. See the following note for further
information.

mirror.operators.packages.minVers The lowest version of the Operator to String. For

ion mirror across all channels in which it example: 5.2.3-31.
exists. See the following note for further
information.

mirror.operators.skipDependencies If true, dependencies of bundles are not Boolean. The

included. default value is
false.

mirror.operators.targetCatalog An alternative name and optional String. For

namespace hierarchy to mirror the example: my-
referenced catalog as. namespace/my-
operator-
catalog

70
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Parameter Description Values

mirror.operators.targetName An alternative name to mirror the String. For

referenced catalog as. example: my-
operator-
The targetName parameter is catalog
deprecated. Use the targetCatalog
parameter instead.

mirror.operators.targetTag An alternative tag to append to the String. For

targetName or targetCatalog. example: v1

mirror.platform The platform configuration of the image Object

set.

mirror.platform.architectures The architecture of the platform release Array of strings.

payload to mirror. For example:

architectures:
- amd64
- arm64
- multi
- ppc64le
- s390x

The default value

is amd64. The
value multi
ensures that the
mirroring is
supported for all
available
architectures,
eliminating the
need to specify
individual
architectures.

mirror.platform.channels The platform channel configuration of the Array of objects.

image set. For example:

channels:
- name:
stable-4.10
- name:
stable-4.17

mirror.platform.channels.full When true, sets the minVersion to the Boolean. The

first release in the channel and the default value is
maxVersion to the last release in the false.
channel.

71
OpenShift Container Platform 4.17 Disconnected environments

Parameter Description Values

mirror.platform.channels.name The name of the release channel. String. For

example: stable-
4.17

mirror.platform.channels.minVersio The minimum version of the referenced String. For

n platform to be mirrored. example: 4.12.6

mirror.platform.channels.maxVersi The highest version of the referenced String. For

on platform to be mirrored. example: 4.17.1

mirror.platform.channels.shortestP Toggles shortest path mirroring or full Boolean. The

ath range mirroring. default value is
false.

mirror.platform.channels.type The type of the platform to be mirrored. String. For

example: ocp or
okd . The default
is ocp .

mirror.platform.graph Indicates whether the OSUS graph is Boolean. The

added to the image set and subsequently default value is
published to the mirror. false.

storageConfig The back-end configuration of the image Object

set.

storageConfig.local The local back-end configuration of the Object

image set.

storageConfig.local.path The path of the directory to contain the String. For

image set metadata. example:
./path/to/dir/.

storageConfig.registry The registry back-end configuration of Object

the image set.

storageConfig.registry.imageURL The back-end registry URI. Can optionally String. For

include a namespace reference in the example:
URI. quay.io/myuser/
imageset:metad
ata.

storageConfig.registry.skipTLS Optionally skip TLS verification of the Boolean. The

referenced back-end registry. default value is
false.

NOTE
72
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

NOTE

Using the minVersion and maxVersion properties to filter for a specific Operator
version range can result in a multiple channel heads error. The error message states that
there are multiple channel heads. This is because when the filter is applied, the update
graph of the Operator is truncated.

Operator Lifecycle Manager requires that every Operator channel contains versions that
form an update graph with exactly one end point, that is, the latest version of the
Operator. When the filter range is applied, that graph can turn into two or more separate
graphs or a graph that has more than one end point.

To avoid this error, do not filter out the latest version of an Operator. If you still run into
the error, depending on the Operator, either the maxVersion property must be increased
or the minVersion property must be decreased. Because every Operator graph can be
different, you might need to adjust these values until the error resolves.

3.4.13. Image set configuration examples

The following ImageSetConfiguration file examples show the configuration for various mirroring use
cases.

Use case: Including the shortest OpenShift Container Platform update path
The following ImageSetConfiguration file uses a local storage backend and includes all OpenShift
Container Platform versions along the shortest update path from the minimum version of 4.11.37 to the
maximum version of 4.12.15.

Example ImageSetConfiguration file

Use case: Including all versions of OpenShift Container Platform from a minimum to the latest
version for multi-architecture releases
The following ImageSetConfiguration file uses a registry storage backend and includes all OpenShift
Container Platform versions starting at a minimum version of 4.13.4 to the latest version in the channel.
On every invocation of oc-mirror with this image set configuration, the latest release of the stable-4.13
channel is evaluated, so running oc-mirror at regular intervals ensures that you automatically receive the
latest releases of OpenShift Container Platform images.

By setting the value of platform.architectures to multi, you can ensure that the mirroring is supported
for multi-architecture releases.

Example ImageSetConfiguration file

73
OpenShift Container Platform 4.17 Disconnected environments

apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
storageConfig:
registry:
imageURL: example.com/mirror/oc-mirror-metadata
skipTLS: false
mirror:
platform:
architectures:
- "multi"
channels:
- name: stable-4.13
minVersion: 4.13.4
maxVersion: 4.13.6

Use case: Including Operator versions from a minimum to the latest

The following ImageSetConfiguration file uses a local storage backend and includes only the Red Hat
Advanced Cluster Security for Kubernetes Operator, versions starting at 4.0.1 and later in the stable
channel.

NOTE

When you specify a minimum or maximum version range, you might not receive all
Operator versions in that range.

By default, oc-mirror excludes any versions that are skipped or replaced by a newer
version in the Operator Lifecycle Manager (OLM) specification. Operator versions that
are skipped might be affected by a CVE or contain bugs. Use a newer version instead. For
more information on skipped and replaced versions, see Creating an update graph with
OLM.

To receive all Operator versions in a specified range, you can set the
mirror.operators.full field to true.

Example ImageSetConfiguration file

apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
storageConfig:
local:
path: /home/user/metadata
mirror:
operators:
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.17
packages:
- name: rhacs-operator
channels:
- name: stable
minVersion: 4.0.1

NOTE

To specify a maximum version instead of the latest, set the

mirror.operators.packages.channels.maxVersion field.

74
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Use case: Including the Nutanix CSI Operator

The following ImageSetConfiguration file uses a local storage backend and includes the Nutanix CSI
Operator, the OpenShift Update Service (OSUS) graph image, and an additional Red Hat Universal
Base Image (UBI).

Example ImageSetConfiguration file

kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
storageConfig:
registry:
imageURL: mylocalregistry/ocp-mirror/openshift4
skipTLS: false
mirror:
platform:
channels:
- name: stable-4.11
type: ocp
graph: true
operators:
- catalog: registry.redhat.io/redhat/certified-operator-index:v4.17
packages:
- name: nutanixcsioperator
channels:
- name: stable
additionalImages:
- name: registry.redhat.io/ubi9/ubi:latest

Use case: Including the default Operator channel

The following ImageSetConfiguration file includes the stable-5.7 and stable channels for the
OpenShift Elasticsearch Operator. Even if only the packages from the stable-5.7 channel are needed,
the stable channel must also be included in the ImageSetConfiguration file, because it is the default
channel for the Operator. You must always include the default channel for the Operator package even if
you do not use the bundles in that channel.

TIP

You can find the default channel by running the following command: oc mirror list operators --
catalog=<catalog_name> --package=<package_name>.

Example ImageSetConfiguration file

apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
storageConfig:
registry:
imageURL: example.com/mirror/oc-mirror-metadata
skipTLS: false
mirror:
operators:
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.17
packages:
- name: elasticsearch-operator

75
OpenShift Container Platform 4.17 Disconnected environments

channels:
- name: stable-5.7
- name: stable

Use case: Including an entire catalog (all versions)

The following ImageSetConfiguration file sets the mirror.operators.full field to true to include all
versions for an entire Operator catalog.

Example ImageSetConfiguration file

apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
storageConfig:
registry:
imageURL: example.com/mirror/oc-mirror-metadata
skipTLS: false
mirror:
operators:
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.17
full: true

Use case: Including an entire catalog (channel heads only)

The following ImageSetConfiguration file includes the channel heads for an entire Operator catalog.

By default, for each Operator in the catalog, oc-mirror includes the latest Operator version (channel
head) from the default channel. If you want to mirror all Operator versions, and not just the channel
heads, you must set the mirror.operators.full field to true.

This example also uses the targetCatalog field to specify an alternative namespace and name to mirror
the catalog as.

Example ImageSetConfiguration file

apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
storageConfig:
registry:
imageURL: example.com/mirror/oc-mirror-metadata
skipTLS: false
mirror:
operators:
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.17
targetCatalog: my-namespace/my-operator-catalog

Use case: Including arbitrary images and helm charts

The following ImageSetConfiguration file uses a registry storage backend and includes helm charts and
an additional Red Hat Universal Base Image (UBI).

Example ImageSetConfiguration file

apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
archiveSize: 4
storageConfig:

76
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

registry:
imageURL: example.com/mirror/oc-mirror-metadata
skipTLS: false
mirror:
platform:
architectures:
- "s390x"
channels:
- name: stable-4.17
operators:
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.17
helm:
repositories:
- name: redhat-helm-charts
url: https://raw.githubusercontent.com/redhat-developer/redhat-helm-charts/master
charts:
- name: ibm-mongodb-enterprise-helm
version: 0.2.0
additionalImages:
- name: registry.redhat.io/ubi9/ubi:latest

Use case: Including the upgrade path for EUS releases

The following ImageSetConfiguration file includes the eus-<version> channel, where the maxVersion
value is at least two minor versions higher than the minVersion value.

For example, in this ImageSetConfiguration file, the minVersion is set to 4.12.28, while the
maxVersion for the eus-4.14 channel is 4.14.16.

Example ImageSetConfiguration file

kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v2alpha1
mirror:
platform:
graph: true # Required for the OSUS Operator
architectures:
- amd64
channels:
- name: stable-4.12
minVersion: '4.12.28'
maxVersion: '4.12.28'
shortestPath: true
type: ocp
- name: eus-4.14
minVersion: '4.12.28'
maxVersion: '4.14.16'
shortestPath: true
type: ocp

Use case: Including the multi-arch OpenShift Container Platform images and catalog for
multicluster engine Operator
The following ImageSetConfiguration file includes multicluster engine for Kubernetes Operator and all
OpenShift Container Platform versions starting at a minimum version of 4.17.0 in the channel.

Example ImageSetConfiguration file

77
OpenShift Container Platform 4.17 Disconnected environments

apiVersion: mirror.openshift.io/v1alpha2
kind: ImageSetConfiguration
storageConfig:
registry:
imageURL:
agent.agent.example.com:5000/openshift/release/metadata:latest/openshift/release/metadata:latest
mirror:
platform:
architectures:
- "multi"
channels:
- name: stable-4.17
minVersion: 4.17.0
maxVersion: 4.17.1
type: ocp
operators:
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.17
packages:
- name: multicluster-engine

3.4.14. Command reference for oc-mirror

The following tables describe the oc mirror subcommands and flags:

Table 3.2. oc mirror subcommands

Subcommand Description

completion Generate the autocompletion script for the specified shell.

describe Output the contents of an image set.

help Show help about any subcommand.

init Output an initial image set configuration template.

list List available platform and Operator content and their version.

version Output the oc-mirror version.

Table 3.3. oc mirror flags

Flag Description

-c, --config <string> Specify the path to an image set configuration file.

--continue-on-error If any non image-pull related error occurs, continue and attempt to
mirror as much as possible.

--dest-skip-tls Disable TLS validation for the target registry.

78
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Flag Description

--dest-use-http Use plain HTTP for the target registry.

--dry-run Print actions without mirroring images. Generates mapping.txt and

pruning-plan.json files.

--from <string> Specify the path to an image set archive that was generated by an
execution of oc-mirror to load into a target registry.

-h, --help Show the help.

--ignore-history Ignore past mirrors when downloading images and packing layers.
Disables incremental mirroring and might download more data.

--manifests-only Generate manifests for ImageContentSourcePolicy objects to

configure a cluster to use the mirror registry, but do not actually mirror
any images. To use this flag, you must pass in an image set archive with
the --from flag.

--max-nested-paths <int> Specify the maximum number of nested paths for destination registries
that limit nested paths. The default is 0.

--max-per-registry <int> Specify the number of concurrent requests allowed per registry. The
default is 6.

--oci-insecure-signature- Do not push signatures when mirroring local OCI catalogs (with --
policy include-local-oci-catalogs).

--oci-registries-config Provide a registries configuration file to specify an alternative registry

location to copy from when mirroring local OCI catalogs (with --
include-local-oci-catalogs).

--skip-cleanup Skip removal of artifact directories.

--skip-image-pin Do not replace image tags with digest pins in Operator catalogs.

--skip-metadata-check Skip metadata when publishing an image set. This is only recommended
when the image set was created with --ignore-history.

--skip-missing If an image is not found, skip it instead of reporting an error and aborting
execution. Does not apply to custom images explicitly specified in the
image set configuration.

--skip-pruning Disable automatic pruning of images from the target mirror registry.

--skip-verification Skip digest verification.

--source-skip-tls Disable TLS validation for the source registry.

79
OpenShift Container Platform 4.17 Disconnected environments

Flag Description

--source-use-http Use plain HTTP for the source registry.

-v, --verbose <int> Specify the number for the log level verbosity. Valid values are 0 - 9. The
default is 0.

3.4.15. Additional resources

About cluster updates in a disconnected environment

3.5. MIRRORING IMAGES FOR A DISCONNECTED INSTALLATION BY

USING THE OC-MIRROR PLUGIN V2
You can run your cluster in a disconnected environment if you install the cluster from a mirrored set of
OpenShift Container Platform container images in a private registry. This registry must be running
whenever your cluster is running.

Just as you can use the oc-mirror OpenShift CLI (oc) plugin, you can also use oc-mirror plugin v2 to
mirror images to a mirror registry in your fully or partially disconnected environments. To download the
required images from the official Red Hat registries, you must run oc-mirror plugin v2 from a system
with internet connectivity.

IMPORTANT

oc-mirror plugin v2 is a Technology Preview feature only. Technology Preview features

are not supported with Red Hat production service level agreements (SLAs) and might
not be functionally complete. Red Hat does not recommend using them in production.
These features provide early access to upcoming product features, enabling customers
to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features,
see Technology Preview Features Support Scope .

3.5.1. About oc-mirror plugin v2

The oc-mirror OpenShift CLI (oc) plugin is a single tool that mirrors all required OpenShift Container
Platform content and other images to your mirror registry.

To use the new Technology Preview version of oc-mirror, add the --v2 flag to the oc-mirror plugin v2
command line.

oc-mirror plugin v2 has the following features:

Verifies that the complete image set specified in the image set configuration file is mirrored to
the mirrored registry, regardless of whether the images were previously mirrored or not.

Uses a cache system instead of metadata, which prevents the need to start the mirroring
process over in the case of a failure for a single step of the process.

80
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Maintains minimal archive sizes by incorporating only new images into the archive.

Generates mirroring archives with content selected by mirroring date.

Can generate ImageDigestMirrorSet (IDMS) and ImageTagMirrorSet (ITMS) resources, which

cover the full image set, instead of an ImageContentSourcePolicy (ICSP) resource, which only
covered incremental changes to the image set for each mirroring operation with v1.

Saves Operator versions that are filtered by bundle name.

Does not perform automatic pruning. v2 now uses a Delete feature, which grants users more
control over deleting images.

Introduces support for registries.conf files. This change facilitates mirroring to multiple
enclaves while using the same cache.

3.5.1.1. High level workflow

The following steps outline the high-level workflow on how to use the oc-mirror plugin v2 to mirror
images to a mirror registry:

1. Create an image set configuration file.

2. Mirror the image set to the target mirror registry by using one of the following workflows:

Mirror an image set directly to the target mirror registry (mirror to mirror).

Mirror an image set to disk (mirror to disk), transfer the tar file to the target environment,
then mirror the image set to the target mirror registry (disk to mirror).

3. Configure your cluster to use the resources generated by the oc-mirror plugin v2.

4. Repeat these steps to update your target mirror registry as necessary.

3.5.1.2. oc-mirror plugin v2 compatibility and support

The oc-mirror plugin v2 is supported for OpenShift Container Platform.

NOTE

On aarch64, ppc64le, and s390x architectures the oc-mirror plugin v2 is supported only
for OpenShift Container Platform 4.14 and later.

Use the latest available version of the oc-mirror plugin v2 regardless of which versions of OpenShift
Container Platform you need to mirror.

3.5.2. Prerequisites
You must have a container image registry that supports Docker V2-2 in the location that hosts
the OpenShift Container Platform cluster, such as Red Hat Quay.

NOTE
81
OpenShift Container Platform 4.17 Disconnected environments

NOTE

If you use Red Hat Quay, use version 3.6 or later with the oc-mirror plugin.
See Deploying the Red Hat Quay Operator on OpenShift Container Platform
(Red Hat Quay documentation). If you need additional assistance selecting
and installing a registry, contact your sales representative or Red Hat
Support.

If you do not have an existing solution for a container image registry,

OpenShift Container Platform subscribers receive a mirror registry for
Red Hat OpenShift. This mirror registry is included with your subscription and
serves as a small-scale container registry. You can use this registry to mirror
the necessary container images of OpenShift Container Platform for
disconnected installations.

Every machine in the provisioned clusters must have access to the mirror registry. If the registry
is unreachable, tasks like installation, updating, or routine operations such as workload
relocation, might fail. Mirror registries must be operated in a highly available manner, ensuring
their availability aligns with the production availability of your OpenShift Container Platform
clusters.

3.5.3. Preparing your mirror hosts

To use the oc-mirror plugin v2 for image mirroring, you must install the plugin and create a file with
credentials for container images, enabling you to mirror from Red Hat to your mirror.

3.5.3.1. Installing the oc-mirror OpenShift CLI plugin

Install the oc-mirror OpenShift CLI plugin to manage image sets in disconnected environments.

Prerequisites

You have installed the OpenShift CLI (oc). If you are mirroring image sets in a fully
disconnected environment, ensure the following:

You have installed the oc-mirror plugin on the host that has internet access.

The host in the disconnected environment has access to the target mirror registry.

You have set the umask parameter to 0022 on the operating system that uses oc-mirror.

You have installed the correct binary for the RHEL version that you are using.

Procedure

1. Download the oc-mirror CLI plugin:

a. Navigate to the Downloads page of the Red Hat Hybrid Cloud Console.

b. In the OpenShift disconnected installation tools section, select the OS type and
Architecture type of the OpenShift Client (oc) mirror plugin from the dropdown menus.

c. Click Download to save the file.

2. Extract the archive by running the following command:

82
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

$ tar xvzf oc-mirror.tar.gz

3. If necessary, update the plugin file to be executable by running the following command:

$ chmod +x oc-mirror

NOTE

Do not rename the oc-mirror file.

4. Install the oc-mirror CLI plugin by placing the file in your PATH, for example /usr/local/bin, by
running the following command:

$ sudo mv oc-mirror /usr/local/bin/.

Verification

Verify that the oc-mirror plugin v2 is successfully installed by running the following command:

$ oc mirror --v2 --help

3.5.3.2. Configuring credentials that allow images to be mirrored

Create a container image registry credentials file that enables you to mirror images from Red Hat to
your mirror.


WARNING

Prerequisites

You configured a mirror registry to use in your disconnected environment.

You identified an image repository location on your mirror registry to mirror images into.

You provisioned a mirror registry account that allows images to be uploaded to that image
repository.

You have write access to the mirror registry.

Procedure
Complete the following steps on the installation host:

1. Download your registry.redhat.io pull secret from Red Hat OpenShift Cluster Manager .

83
OpenShift Container Platform 4.17 Disconnected environments

2. Make a copy of your pull secret in JSON format by running the following command:

$ cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json> 1

1 Specify the path to the folder to store the pull secret in and a name for the JSON file that
you create.

Example pull secret

3. If the $XDG_RUNTIME_DIR/containers directory does not exist, create one by entering the
following command:

$ mkdir -p $XDG_RUNTIME_DIR/containers

4. Save the pull secret file as $XDG_RUNTIME_DIR/containers/auth.json.

5. Generate the base64-encoded user name and password or token for your mirror registry by
running the following command:

$ echo -n '<user_name>:<password>' | base64 -w0 1

1 For <user_name> and <password>, specify the user name and password that you
configured for your registry.

Example output

BGVtbYk3ZHAtqXs=

6. Edit the JSON file and add a section that describes your registry to it:

"auths": {

84
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

"<mirror_registry>": { 1
"auth": "<credentials>", 2
"email": "[email protected]"
}
},

1 Specify the registry domain name, and optionally the port, that your mirror registry uses to
serve content. For example, registry.example.com or registry.example.com:8443

2 Specify the base64-encoded user name and password for the mirror registry.

Example modified pull secret

3.5.4. Mirroring an image set to a mirror registry

Mirroring an image set to a mirror registry ensures that the required images are available in a secure and
controlled environment, facilitating smoother deployments, updates, and maintenance tasks.

3.5.4.1. Creating the image set configuration

Before you can use the oc-mirror plugin v2 to mirror images, you must create an image set configuration
file. This image set configuration file defines which OpenShift Container Platform releases, Operators,
and other images to mirror, along with other configuration settings for the oc-mirror plugin v2.

Prerequisites

You have created a container image registry credentials file. For instructions, see Configuring
credentials that allow images to be mirrored.

85
OpenShift Container Platform 4.17 Disconnected environments

Procedure

Create an ImageSetConfiguration YAML file and modify it to include your required images.

Example ImageSetConfiguration YAML file

kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v2alpha1
mirror:
platform:
channels:
- name: stable-4.17 1
minVersion: 4.17.2
maxVersion: 4.17.2
graph: true 2
operators:
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.17 3
packages: 4
- name: aws-load-balancer-operator
- name: 3scale-operator
- name: node-observability-operator
additionalImages: 5
- name: registry.redhat.io/ubi8/ubi:latest
- name:
registry.redhat.io/ubi9/ubi@sha256:20f695d2a91352d4eaa25107535126727b5945bff38ed36a
3e59590f495046f0

1 Set the channel to retrieve OpenShift Container Platform images from.

2 Add graph: true to build and push the graph-data image to the mirror registry. The graph-
data image is required to create OpenShift Update Service (OSUS). The graph: true field
also generates the UpdateService custom resource manifest. The oc command-line
interface (CLI) can use the UpdateService custom resource manifest to create OSUS. For
more information, see About the OpenShift Update Service .

3 Set the Operator catalog to retrieve the OpenShift Container Platform images from.

4 Specify only certain Operator packages to include in the image set. Remove this field to
retrieve all packages in the catalog.

5 Specify any additional images to include in image set.

Additional resources

About the OpenShift Update Service

3.5.4.2. Mirroring an image set in a partially disconnected environment

You can mirror image sets to a registry using the oc-mirror plugin v2 in environments with restricted
internet access.

Prerequisites

You have access to the internet and the mirror registry in the environment where you are

86
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

You have access to the internet and the mirror registry in the environment where you are
running the oc-mirror plugin v2.

Procedure

Mirror the images from the specified image set configuration to a specified registry by running
the following command:

$ oc mirror -c <image_set_configuration> --workspace file://<file_path>

docker://<mirror_registry_url> --v2 1

where:

<image_set_configuration>
Specifies the name of the image set configuration file.
<file_path>
Specifies the directory where cluster resources will be generated in.
<mirror_registry_url>
Specifies the URL or address of the mirror registry where the images are stored and from
which they need to be deleted.

Verification

1. Navigate to the working-dir/cluster-resources directory that was generated in the

<file_path> directory.

2. Verify that the YAML files are present for the ImageDigestMirrorSet, ImageTagMirrorSet, and
CatalogSource resources.

Next steps

Configure your cluster to use the resources generated by oc-mirror plugin v2.

3.5.4.3. Mirroring an image set in a fully disconnected environment

You can mirror image sets in a fully disconnected environment where the OpenShift Container Platform
cluster cannot access the public internet. The following high-level workflow describes the mirroring
process:

1. Mirror to disk: Mirror the image set to an archive.

2. Disk transfer: Manually transfer the archive to the network of the disconnected mirror registry.

3. Disk to mirror: Mirror the image set from the archive to the target disconnected registry.

3.5.4.3.1. Mirroring from mirror to disk

You can use the oc-mirror plugin v2 to generate an image set and save the content to disk. Afterwards,
you can transfer the generated image set to the disconnected environment and mirror it to the target
registry.

oc-mirror plugin v2 retrieves the container images from the source specified in the image set
configuration file and packs them into a tar archive in a local directory.

87
OpenShift Container Platform 4.17 Disconnected environments

Procedure

Mirror the images from the specified image set configuration to the disk by running the
following command:

$ oc mirror -c <image_set_configuration> file://<file_path> --v2

where:

<image_set_configuration>
Specifies the name of the image set configuration file.
<file_path>
Specifies the directory where the archives containing the image sets will be generated in.

Verification

1. Navigate to the <file_path> directory that was generated.

2. Verify that the archive files have been generated.

Next steps

Mirroring from disk to mirror

3.5.4.3.2. Mirroring from disk to mirror

You can use the oc-mirror plugin v2 to mirror image sets from a disk to a target mirror registry.

The oc-mirror plugin v2 retrieves container images from a local disk and transfers them to the specified
mirror registry.

Procedure

1. Transfer the disk containing mirrored image sets to the environment that contains the target
mirror registry.

2. Process the image set file on the disk and mirror the contents to a target mirror registry by
running the following command:

$ oc mirror -c <image_set_configuration> --from file://<file_path>

docker://<mirror_registry_url> --v2

where:

<image_set_configuration>
Specifies the name of the image set configuration file.
<file_path>
Specifies the directory on the disk containing the archives. This folder will also contain
cluster resources generated for you apply to the cluster, for example the
ImageDigestMirrorSet (IDMS) or ImageTagMirrorSet (ITMS) resources.
<mirror_registry_url>
Specifies the URL or address of the mirror registry where the images are stored.

88
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Verification

1. Navigate to the cluster-resources directory within the working-dir directory that was
generated in the <file_path> directory.

2. Verify that the YAML files are present for the ImageDigestMirrorSet, ImageTagMirrorSet, and
CatalogSource resources.

Next steps

Configure your cluster to use the resources generated by oc-mirror plugin v2.

3.5.5. About custom resources generated by v2

With oc-mirror plugin v2, ImageDigestMirrorSet (IDMS) resources are generated by default if at least
one image of the image set is mirrored by digest. ImageTagMirrorSet (ITMS) resources are generated
if at least one image from the image set is mirrored by tag.

Operator Lifecycle Manager (OLM) uses the CatalogSource resource to retrieve information about the
available Operators in the mirror registry.

The OpenShift Update Service uses the UpdateService resource to provide update graph data to the
disconnected environment.

Additional resources

ImageDigestMirrorSet

ImageTagMirrorSet

3.5.5.1. Configuring your cluster to use the resources generated by oc-mirror plugin v2

After you have mirrored your image set to the mirror registry, you must apply the generated
ImageDigestMirrorSet (IDMS), ImageTagMirrorSet (ITMS), CatalogSource, and UpdateService
resources to the cluster.

IMPORTANT

In oc-mirror plugin v2, the IDMS and ITMS files cover the entire image set, unlike the
ImageContentSourcePolicy (ICSP) files in oc-mirror plugin v1. Therefore, the IDMS and
ITMS files contain all images of the set even if you only add new images during
incremental mirroring.

Prerequisites

You have access to the cluster as a user with the cluster-admin role.

Procedure

1. Log in to the OpenShift CLI as a user with the cluster-admin role.

2. Apply the YAML files from the results directory to the cluster by running the following
command:

$ oc apply -f <path_to_oc_mirror_workspace>/working-dir/cluster-resources

89
OpenShift Container Platform 4.17 Disconnected environments

Verification

1. Verify that the ImageDigestMirrorSet resources are successfully installed by running the
following command:

$ oc get imagedigestmirrorset

2. Verify that the ImageTagMirrorSet resources are successfully installed by running the following
command:

$ oc get imagetagmirrorset

3. Verify that the CatalogSource resources are successfully installed by running the following
command:

$ oc get catalogsource -n openshift-marketplace

Once your cluster is configured to use the resources generated by oc-mirror plugin v2, see Next Steps
for information about tasks that you can perform using your mirrored images.

3.5.6. Deletion of images from your disconnected environment

If you have previously deployed images using the oc-mirror plugin v2, you can delete these images to
free up space in your mirror registry. oc-mirror plugin v2 does not automatically prune images that are
not included in the ImageSetConfiguration file. This prevents accidentally deleting necessary or
deployed images when making changes to the ImageSetConfig.yaml file.

You must create a DeleteImageSetConfiguration file to specify which images to delete.

In the following example, the DeleteImageSetConfiguration file removes the following images:

All release images for OpenShift Container Platform 4.13.3.

The redhat-operator-index v4.12 catalog image.

The aws-load-balancer-operator v0.0.1 bundle and all its related images.

The additional images for ubi and ubi-minimal, referenced by their corresponding digests.

Example DeleteImageSetConfiguration file

apiVersion: mirror.openshift.io/v2alpha1
kind: DeleteImageSetConfiguration
delete:
platform:
channels:
- name: stable-4.13
minVersion: 4.13.3
maxVersion: 4.13.3
operators:
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.12
packages:
- name: aws-load-balancer-operator

90
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

minVersion: 0.0.1
maxVersion: 0.0.1
additionalImages:
- name:
registry.redhat.io/ubi8/ubi@sha256:bce7e9f69fb7d4533447232478fd825811c760288f87a35699f9c8f03
0f2c1a6
- name: registry.redhat.io/ubi8/ubi-
minimal@sha256:8bedbe742f140108897fb3532068e8316900d9814f399d676ac78b46e740e34e

IMPORTANT

Consider using the mirror-to-disk and disk-to-mirror workflows to reduce mirroring

issues.

oc-mirror plugin v2 deletes only the manifests of the images, which does not reduce the storage
occupied in the registry.

To free up storage space from unnecessary images, such as those with deleted manifests, you must
enable the garbage collector on your container registry. With the garbage collector enabled, the registry
will delete the image blobs that no longer have references to any manifests, reducing the storage
previously occupied by the deleted blobs. The process for enabling the garbage collector differs
depending on your container registry.

IMPORTANT

To skip deleting the Operator catalog image while you are deleting Operator images, you
must list the specific Operators under the Operator catalog image in the
DeleteImageSetConfiguration file. This ensures that only the specified Operators are
deleted, not the catalog image.

If only the Operator catalog image is specified, all Operators within that catalog, as well
as the catalog image itself, will be deleted.

3.5.6.1. Deleting images from a disconnected environment

To delete images from a disconnected environment using the oc-mirror plugin v2, follow the procedure.

Prerequisites

You have enabled garbage collection in your environment to delete images that no longer
reference manifests.

Procedure

1. Create a delete-image-set-config.yaml file and include the following content:

DeleteImageSetConfiguration file

apiVersion: mirror.openshift.io/v2alpha1
kind: DeleteImageSetConfiguration
delete:
platform:
channels:
- name: <channel_name> 1

91
OpenShift Container Platform 4.17 Disconnected environments

minVersion: <channel_min_version> 2
maxVersion: <channel_max_version> 3
operators:
- catalog: <operator_catalog_name> 4
packages:
- name: <operator_name> 5
minVersion: <operator_max_version> 6
maxVersion: <operator_min_version> 7
additionalImages:
- name: <additional_images> 8

1 1 Specify the name of the OpenShift Container Platform channel to delete, for example
stable-4.15.

2 3 Specify a version range of the images to delete within the channel, for example 4.15.0 for
the minimum version and 4.15.1 for the maximum version. To delete only one version’s
images, use that version number for both the minVersion and maxVersion fields.

4 Specify an Operator catalog image to delete, for example

registry.redhat.io/redhat/redhat-operator-index:v4.14. To delete the catalog image, you
must not specify individual Operators using the delete.operators.packages parameter.

5 Specify a specific Operator bundle to delete, for example aws-load-balancer-operator. If

you specify individual Operators, the Operator catalog image does not get deleted.

6 7 Specify a version range of the images to delete for the Operator, for example 0.0.1 for the
minimum version and 0.0.2 for the maximum version. To delete only one version’s images,
use that version number for both the minVersion and maxVersion fields.

8 Specify additional images to delete, for example registry.redhat.io/ubi9/ubi-init:latest.

2. Create a delete-images.yaml file by running the following command:

$ oc mirror delete --config delete-image-set-config.yaml --workspace

file://<previously_mirrored_work_folder> --v2 --generate docker://<remote_registry>

where:

<previously_mirrored_work_folder>
Specifies the directory where images were previously mirrored to or stored during the
mirroring process.
<remote_registry>
Specifies the URL or address of the remote container registry from which images will be
deleted.

3. Go to the <previously_mirrored_work_folder>/delete directory that was created.

4. Verify that the delete-images.yaml file has been generated.

5. Manually ensure that each image listed in the file is no longer needed by the cluster and can be
safely removed from the registry.

6. After you generate the delete-images YAML file, delete the images from the remote registry by

92
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

6. After you generate the delete-images YAML file, delete the images from the remote registry by
running the following command:

$ oc mirror delete --v2 --delete-yaml-file <previously_mirrored_work_folder>/working-

dir/delete/delete-images.yaml docker://<remote_registry>

where:

<previously_mirrored_work_folder>
Specifies the directory where images were previously mirrored or stored during the mirroring
process.
<remote_registry>
Specifies the URL or address of the remote container registry from which images will be
deleted.

IMPORTANT

When using the mirror-to-mirror method to mirror images, images are not
cached locally, so you cannot delete images from a local cache.

3.5.7. Verifying your selected images for mirroring

You can use oc-mirror plugin v2 to perform a test run (dry run) that does not actually mirror any images.
This enables you to review the list of images that would be mirrored. You can also use a dry run to catch
any errors with your image set configuration early. When running a dry run on a mirror-to-disk workflow,
the oc-mirror plugin v2 checks if all the images within the image set are available in its cache. Any
missing images are listed in the missing.txt file. When a dry run is performed before mirroring, both
missing.txt and mapping.txt files contain the same list of images.

3.5.7.1. Performing dry run for oc-mirror plugin v2

Verify your image set configuration by performing a dry run without mirroring any images. This ensures
your setup is correct and prevents unintended changes.

Procedure

To perform a test run, run the oc mirror command and append the --dry-run argument to the
command:

$ oc mirror -c <image_set_config_yaml> --from file://<oc_mirror_workspace_path>

docker://<mirror_registry_url> --dry-run --v2

Where:

<image_set_config_yaml>: Use the image set configuration file that you just created.

<oc_mirror_workspace_path>: Insert the address of the workspace path.

<mirror_registry_url>: Insert the URL or address of the remote container registry from
which images will be deleted.

Example output

93
OpenShift Container Platform 4.17 Disconnected environments

$ oc mirror --config /tmp/isc_dryrun.yaml file://<oc_mirror_workspace_path> --dry-run --

[INFO] : :warning: --v2 flag identified, flow redirected to the oc-mirror v2 version. This is
Tech Preview, it is still under development and it is not production ready.
[INFO] : :wave: Hello, welcome to oc-mirror
[INFO] : :gear: setting up the environment for you...
[INFO] : :twisted_rightwards_arrows: workflow mode: mirrorToDisk
[INFO] : :sleuth_or_spy: going to discover the necessary images...
[INFO] : :mag: collecting release images...
[INFO] : :mag: collecting operator images...
[INFO] : :mag: collecting additional images...
[WARN] : :warning: 54/54 images necessary for mirroring are not available in the
cache.
[WARN] : List of missing images in : CLID-19/working-dir/dry-run/missing.txt.
please re-run the mirror to disk process
[INFO] : :page_facing_up: list of all images for mirroring in : CLID-19/working-dir/dry-
run/mapping.txt
[INFO] : mirror time : 9.641091076s
[INFO] : :wave: Goodbye, thank you for using oc-mirror

Verification

1. Navigate to the workspace directory that was generated:

$ cd <oc_mirror_workspace_path>

2. Review the mapping.txt and missing.txt files that were generated. These files contain a list of
all images that would be mirrored.

3.5.7.2. Troubleshooting oc-mirror plugin v2 errors

oc-mirror plugin v2 now logs all image mirroring errors in a separate file, making it easier to track and
diagnose failures.

IMPORTANT

When errors occur while mirroring release or release component images, they are critical.
This stops the mirroring process immediately.

Errors with mirroring Operators, Operator-related images, or additional images do not

stop the mirroring process. Mirroring continues, and oc-mirror plugin v2 logs updates
every 8 images.

When an image fails to mirror, and that image is mirrored as part of one or more Operator bundles, oc-
mirror plugin v2 notifies the user which Operators are incomplete, providing clarity on the Operator
bundles affected by the error.

Procedure

1. Check for server-related issues:

Example error

94
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

[ERROR] : [Worker] error mirroring image localhost:55000/openshift/graph-image:latest

error: copying image 1/4 from manifest list: trying to reuse blob
sha256:edab65b863aead24e3ed77cea194b6562143049a9307cd48f86b542db9eecb6e at
destination: pinging container registry localhost:5000: Get "https://localhost:5000/v2/": http:
server gave HTTP response to HTTPS client

a. Open the mirroring_error_date_time.log file in the working-dir/logs folder located in the

oc-mirror plugin v2 output directory.

b. Look for error messages that typically indicate server-side issues, such as HTTP 500 errors,
expired tokens, or timeouts.

c. Retry the mirroring process or contact support if the issue persists.

2. Check for incomplete mirroring of Operators:

Example error

error mirroring image docker://registry.redhat.io/3scale-amp2/zync-

rhel9@sha256:8bb6b31e108d67476cc62622f20ff8db34efae5d58014de9502336fcc479d86d
(Operator bundles: [3scale-operator.v0.11.12] - Operators: [3scale-operator]) error: initializing
source docker://localhost:55000/3scale-amp2/zync-
rhel9:8bb6b31e108d67476cc62622f20ff8db34efae5d58014de9502336fcc479d86d: reading
manifest 8bb6b31e108d67476cc62622f20ff8db34efae5d58014de9502336fcc479d86d in
localhost:55000/3scale-amp2/zync-rhel9: manifest unknown
error mirroring image docker://registry.redhat.io/3scale-amp2/3scale-rhel7-operator-
metadata@sha256:de0a70d1263a6a596d28bf376158056631afd0b6159865008a7263a8e9bf0
c7d error: skipping operator bundle docker://registry.redhat.io/3scale-amp2/3scale-rhel7-
operator-
metadata@sha256:de0a70d1263a6a596d28bf376158056631afd0b6159865008a7263a8e9bf0
c7d because one of its related images failed to mirror
error mirroring image docker://registry.redhat.io/3scale-amp2/system-
rhel7@sha256:fe77272021867cc6b6d5d0c9bd06c99d4024ad53f1ab94ec0ab69d0fda74588e
(Operator bundles: [3scale-operator.v0.11.12] - Operators: [3scale-operator]) error: initializing
source docker://localhost:55000/3scale-amp2/system-
rhel7:fe77272021867cc6b6d5d0c9bd06c99d4024ad53f1ab94ec0ab69d0fda74588e: reading
manifest fe77272021867cc6b6d5d0c9bd06c99d4024ad53f1ab94ec0ab69d0fda74588e in
localhost:55000/3scale-amp2/system-rhel7: manifest unknown

a. Check for warnings in the console or log file indicating which Operators are incomplete.
If an Operator is flagged as incomplete, the image related to that Operator likely failed to
mirror.

b. Manually mirror the missing image or retry the mirroring process.

3. Check for errors related to generated cluster resources. Even if some images fail to mirror, oc-
mirror v2 will still generate cluster resources such as IDMS.yaml and ITMS.yaml files for the
successfully mirrored images.

a. Check the output directory for the generated files.

b. If these files are missing for specific images, ensure that no critical errors occurred for those
images during the mirroring process.

By following these steps, you can better diagnose issues and ensure smoother mirroring.

95
OpenShift Container Platform 4.17 Disconnected environments

3.5.8. Benefits of enclave support

Enclave support restricts internal access to a specific part of a network. Unlike a demilitarized zone
(DMZ) network, which allows inbound and outbound traffic access through firewall boundaries, enclaves
do not cross firewall boundaries.

IMPORTANT

Enclave Support is a Technology Preview feature only. Technology Preview features are
not supported with Red Hat production service level agreements (SLAs) and might not
be functionally complete. Red Hat does not recommend using them in production. These
features provide early access to upcoming product features, enabling customers to test
functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features,
see Technology Preview Features Support Scope .

The new enclave support functionality is for scenarios where mirroring is needed for multiple enclaves
that are secured behind at least one intermediate disconnected network.

Enclave support has the following benefits:

You can mirror content for multiple enclaves and centralize it in a single internal registry.
Because some customers want to run security checks on the mirrored content, with this setup
they can run these checks all at once. The content is then vetted before being mirrored to
downstream enclaves.

You can mirror content directly from the centralized internal registry to enclaves without
restarting the mirroring process from the internet for each enclave.

You can minimize data transfer between network stages, so to ensure that a blob or image is
transferred only once from one stage to another.

3.5.8.1. Enclave mirroring workflow

96
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

The previous image outlines the flow for using the oc-mirror plugin in different environments, including
environments with and without an internet connection.

Environment with Internet Connection:

1. The user executes oc-mirror plugin v2 to mirror content from an online registry to a local disk
directory.

2. The mirrored content is saved to the disk for transfer to offline environments.

Disconnected Enterprise Environment (No Internet):

Flow 1:

The user runs oc-mirror plugin v2 to load the mirrored content from the disk directory,
which was transferred from the online environment, into the enterprise-registry.in registry.

Flow 2:

a. After updating the registries.conf file, the user executes the oc-mirror plugin v2 to mirror
content from the enterprise-registry.in registry to an enclave environment.

b. The content is saved to a disk directory for transfer to the enclave.

Enclave Environment (No Internet):

The user runs oc-mirror plugin v2 to load content from the disk directory into the enclave-
registry.in registry.

The image visually represents the data flow across these environments and emphasizes the use of oc-
mirror to handle disconnected and enclave environments without an internet connection.

97
OpenShift Container Platform 4.17 Disconnected environments

3.5.8.2. Mirroring to an enclave

When you mirror to an enclave, you must first transfer the necessary images from one or more enclaves
into the enterprise central registry.

The central registry is situated within a secure network, specifically a disconnected environment, and is
not directly linked to the public internet. But the user must execute oc mirror in an environment with
access to the public internet.

Procedure

1. Before running oc-mirror plugin v2 in the disconnected environment, create a registries.conf

file. The TOML format of the file is described in this specification:

NOTE

It is recommended to store the file under

$HOME/.config/containers/registries.conf or /etc/containers/registries.conf.

Example registries.conf

[[registry]]
location="registry.redhat.io"
[[registry.mirror]]
location="<enterprise-registry.in>"

[[registry]]
location="quay.io"
[[registry.mirror]]
location="<enterprise-registry.in>"

2. Generate a mirror archive.

a. To collect all the OpenShift Container Platform content into an archive on the disk under
<file_path>/enterprise-content, run the following command:

$ oc mirror --v2 -c isc.yaml file://<file_path>/enterprise-content

Example of isc.yaml

apiVersion: mirror.openshift.io/v2alpha1
kind: ImageSetConfiguration
mirror:
platform:
architectures:
- "amd64"
channels:
- name: stable-4.15
minVersion: 4.15.0
maxVersion: 4.15.3

After the archive is generated, it is transferred to the disconnected environment. The

transport mechanism is not part of oc-mirror plugin v2. The enterprise network
administrators determine the transfer strategy.

98
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

In some cases, the transfer is done manually, in that the disk is physically unplugged from
one location, and plugged to another computer in the disconnected environment. In other
cases, the Secure File Transfer Protocol (SFTP) or other protocols are used.

3. After the transfer of the archive is done, you can execute oc-mirror plugin v2 again in order to
mirror the relevant archive contents to the registry (entrerpise_registry.in in the example) as
demonstrated in the following example:

$ oc mirror --v2 -c isc.yaml --from file://<disconnected_environment_file_path>/enterprise-

content docker://<enterprise_registry.in>/

Where:

--from points to the folder containing the archive. It starts with the file://.

docker:// is the destination of the mirroring is the final argument. Because it is a docker
registry.

-c (--config) is a mandatory argument. It enables oc-mirror plugin v2 to eventually mirror

only sub-parts of the archive to the registry. One archive might contain several OpenShift
Container Platform releases, but the disconnected environment or an enclave might mirror
only a few.

4. Prepare the imageSetConfig YAML file, which describes the content to mirror to the enclave:

Example isc-enclave.yaml

apiVersion: mirror.openshift.io/v2alpha1
kind: ImageSetConfiguration
mirror:
platform:
architectures:
- "amd64"
channels:
- name: stable-4.15
minVersion: 4.15.2
maxVersion: 4.15.2

You must run oc-mirror plugin v2 on a machine with access to the disconnected registry. In the
previous example, the disconnected environment, enterprise-registry.in, is accessible.

5. Update the graph URL

If you are using graph:true, oc-mirror plugin v2 attempts to reach the cincinnati API endpoint.
Because this environment is disconnected, be sure to export the environment variable
UPDATE_URL_OVERRIDE to refer to the URL for the OpenShift Update Service (OSUS):

$ export UPDATE_URL_OVERRIDE=https://<osus.enterprise.in>/graph

For more information on setting up OSUS on an OpenShift cluster, see "Updating a cluster in a
disconnected environment using the OpenShift Update Service".

NOTE
99
OpenShift Container Platform 4.17 Disconnected environments

NOTE

When updating between OpenShift Container Platform Extended Update

Support (EUS) versions, you must also include images for an intermediate minor
version between the current and target versions. The oc-mirror plugin v2 might
not always detect this requirement automatically, so check the Red Hat
OpenShift Container Platform Update Graph page to confirm any required
intermediate versions.

Use the Update Graph page to find the intermediate minor versions suggested
by the application, and include any of these versions in the
ImageSetConfiguration file when using the oc-mirror plugin v2.

6. Generate a mirror archive from the enterprise registry for the enclave.
To prepare an archive for the enclave1, the user executes oc-mirror plugin v2 in the enterprise
disconnected environment by using the imageSetConfiguration specific for that enclave. This
ensures that only images needed by that enclave are mirrored:

$ oc mirror --v2 -c isc-enclave.yaml

file:///disk-enc1/

This action collects all the OpenShift Container Platform content into an archive and generates
an archive on disk.

7. After the archive is generated, it will be transferred to the enclave1 network. The transport
mechanism is not the responsibility of oc-mirror plugin v2.

8. Mirror contents to the enclave registry

After the transfer of the archive is done, the user can execute oc-mirror plugin v2 again in order
to mirror the relevant archive contents to the registry.

$ oc mirror --v2 -c isc-enclave.yaml --from file://local-disk docker://registry.enc1.in

The administrators of the OpenShift Container Platform cluster in enclave1 are now ready to
install or upgrade that cluster.

Additional resources

Updating a cluster in a disconnected environment using the OpenShift Update Service

3.5.9. How filtering works in the operator catalog

oc-mirror plugin v2 selects the list of bundles for mirroring by processing the information in
imageSetConfig.

When oc-mirror plugin v2 selects bundles for mirroring, it does not infer Group Version Kind (GVK) or
bundle dependencies, omitting them from the mirroring set. Instead, it strictly adheres to the user
instructions. You must explicitly specify any required dependent packages and their versions.

Bundle versions typically use semantic versioning standards (SemVer), and you can sort bundles within a
channel by version. You can select buncles that fall within a specific range in the ImageSetConfig.

This selection algorithm ensures consistent outcomes compared to oc-mirror plugin v1. However, it does
not include upgrade graph details, such as replaces, skip, and skipRange. This approach differs from
the OLM algorithm. It might mirror more bundles than necessary for upgrading a cluster because of

100
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

potentially shorter upgrade paths between the minVersion and maxVersion.

Table 3.4. Use the following table to see what bundle versions are included in different scenarios

ImageSetConfig operator Expected bundle versions

filtering

Scenario 1 For each package in the catalog, 1 bundle, corresponding to the head
version of the default channel for that package.
mirror:
operators:
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.10

Scenario 2 All bundles of all channels of the specified catalog

mirror:
operators:
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.10
full: true

Scenario 3 One bundle, corresponding to the head version of the default channel for
that package
mirror:
operators:
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.10
packages:
- name: compliance-
operator

Scenario 4 All bundles of all channels for the packages specified

mirror:
operators:
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.10
full: true
- packages:
- name:
elasticsearch-operator

101
OpenShift Container Platform 4.17 Disconnected environments

ImageSetConfig operator Expected bundle versions

filtering

Scenario 5 All bundles in the default channel, from the minVersion, up to the
channel head for that package that do not rely on the shortest path from
mirror: upgrade the graph.
operators:
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.15
packages:
- name: compliance-
operator
minVersion: 5.6.0

Scenario 6 All bundles in the default channel that are lower than the maxVersion
for that package.
mirror:
operators:
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.15
packages:
- name: compliance-
operator
maxVersion: 6.0.0

Scenario 7 All bundles in the default channel, between the minVersion and
maxVersion for that package. The head of the channel is not included,
mirror: even if multiple channels are included in the filtering.
operators:
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.15
packages:
- name: compliance-
operator
minVersion: 5.6.0
maxVersion: 6.0.0

102
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

ImageSetConfig operator Expected bundle versions

filtering

Scenario 8 The head bundle for the selected channel of that package.

mirror:
operators:
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.15
packages:
- name: compliance-
operator
channels
- name: stable

Scenario 9 All bundles for the specified packages and channels.

mirror:
operators:
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.10
full: true
- packages:
- name:
elasticsearch-operator
channels:
- name: 'stable-v0'

Scenario 10 The head bundle for each selected channel of that package.

mirror:
operators:
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.15
packages:
- name: compliance-
operator
channels
- name: stable
- name: stable-5.5

103
OpenShift Container Platform 4.17 Disconnected environments

ImageSetConfig operator Expected bundle versions

filtering

Scenario 11 Within the selected channel of that package, all versions starting with the
minVersion up to the channel head. This scenario does not relyon the
mirror: shortest path from the upgrade graph.
operators:
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.15
packages:
- name: compliance-
operator
channels
- name: stable
minVersion: 5.6.0

Scenario 12 Within the selected channel of that package, all versions up to the
maxVersion (not relying on the shortest path from the upgrade graph).
mirror: The head of the channel is not included, even if multiple channels are
operators: included in the filtering.
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.15
packages:
- name: compliance-
operator
channels
- name: stable
maxVersion: 6.0.0

Scenario 13 Within the selected channel of that package, all versions between the
minVersion and maxVersion, not relying on the shortest path from
mirror: the upgrade graph. The head of the channel is not included, even if
operators: multiple channels are included in the filtering.
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.15
packages:
- name: compliance-
operator
channels
- name: stable
minVersion: 5.6.0
maxVersion: 6.0.0

104
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

ImageSetConfig operator Expected bundle versions

filtering

Scenario 14 Only the bundles specified for each package are included in the filtering.

mirror:
operators:
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.14
packages:
- name: aws-load-
balancer-operator
bundles:
- name: aws-load-
balancer-operator.v1.1.0
- name: 3scale-operator
bundles:
- name: 3scale-
operator.v0.10.0-mas

Scenario 15 Do not use this scenario. filtering by channel and by package with a
minVersion or maxVersion is not allowed.
mirror:
operators:
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.15
packages:
- name: compliance-
operator
channels
- name: stable
minVersion: 5.6.0
maxVersion: 6.0.0

Scenario 16 Do not use this scenario. You cannot filter using full:true and the
minVersion or maxVersion.
mirror:
operators:
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.15
packages:
- name: compliance-
operator
channels
- name: stable
minVersion: 5.6.0
maxVersion: 6.0.0

105
OpenShift Container Platform 4.17 Disconnected environments

ImageSetConfig operator Expected bundle versions

filtering

Scenario 17 Do not use this scenario. You cannot filter using full:true and the
minVersion or maxVersion.
mirror:
operators:
- catalog:
registry.redhat.io/redhat/red
hat-operator-index:v4.15
full: true
packages:
- name: compliance-
operator
channels
- name: stable
minVersion: 5.6.0
maxVersion: 6.0.0

3.5.10. ImageSet configuration parameters for oc-mirror plugin v2

The oc-mirror plugin v2 requires an image set configuration file that defines what images to mirror. The
following table lists the available parameters for the ImageSetConfiguration resource.

NOTE

OLM requires that every Operator channel contains versions that form an update graph
with exactly one end point, that is, the latest version of the Operator. When the filter
range is applied, that graph can turn into two or more separate graphs or a graph that has
more than one end point.

Table 3.5. ImageSetConfiguration parameters

Parameter Description Values

apiVersion The API version of the String Example:

ImageSetConfiguration content. mirror.openshif
t.io/v2alpha1

archiveSize The maximum size, in GiB, of each archive Integer Example: 4

file within the image set.

106
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Parameter Description Values

kubeVirtContainer When set to true, includes images from Boolean Example

the HyperShift KubeVirt CoreOS ImageSetConfig
container. uration file:

apiVersion:
mirror.opensh
ift.io/v2alpha1
kind:
ImageSetCon
figuration
mirror:
platform:
channels:
- name:
stable-4.16

minVersion:
4.16.0

maxVersion:
4.16.0

kubeVirtConta
iner: true

mirror The configuration of the image set. Object

mirror.additionalImages The additional images configuration of Array of objects

the image set.
Example:

additionalIma
ges:
- name:
registry.redha
t.io/ubi8/ubi:lat
est

mirror.additionalImages.name The tag or digest of the image to mirror. String Example:

registry.redhat.i
o/ubi8/ubi:latest

mirror.blockedImages The full tag, digest, or pattern of images Array of strings

to block from mirroring. Example:
docker.io/librar
y/alpine

107
OpenShift Container Platform 4.17 Disconnected environments

Parameter Description Values

mirror.operators The Operators configuration of the image Array of objects

set.
Example:

operators:
- catalog:
registry.redha
t.io/redhat/red
hat-operator-
index:4.17
packages:
- name:
elasticsearch-
operator

minVersion:
'2.4.0'

mirror.operators.catalog The Operator catalog to include in the String Example:

image set. registry.redhat.i
o/redhat/redhat-
operator-
index:v4.15

mirror.operators.full When true, downloads the full catalog, Boolean The

Operator package, or Operator channel. default value is
false.

mirror.operators.packages The Operator packages configuration. Array of objects

Example:

operators:
- catalog:
registry.redha
t.io/redhat/red
hat-operator-
index:4.17
packages:
- name:
elasticsearch-
operator

minVersion:
'5.2.3-31'

108
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Parameter Description Values

mirror.operators.packages.name The Operator package name to include in String Example:

the image set. elasticsearch-
operator

mirror.operators.packages.channel Operator package channel configuration Object

mirror.operators.packages.channel The Operator channel name, unique String Eample:

s.name within a package, to include in the image fast or stable-
set. v4.15

mirror.operators.packages.channel The highest version of the Operator String Example:

s.maxVersion mirror across all channels in which it 5.2.3-31
exists.

mirror.operators.packages.channel The lowest version of the Operator to String Example:

s.minVersion mirror across all channels in which it exists 5.2.3-31

mirror.operators.packages.maxVers The highest version of the Operator to String Example:

ion mirror across all channels in which it 5.2.3-31
exists.

mirror.operators.packages.minVers The lowest version of the Operator to String Example:

ion mirror across all channels in which it 5.2.3-31
exists.

mirror.operators.packages.bundles Selected bundles configuration Array of objects

Example:

operators:
- catalog:
registry.redha
t.io/redhat/red
hat-operator-
index:4.17
packages:
- name:
3scale-
operator
bundles:
- name:
3scale-
operator.v0.1
0.0-mas

109
OpenShift Container Platform 4.17 Disconnected environments

Parameter Description Values

mirror.operators.packages.bundles. Name of the bundle selected for mirror String Example :

name (as it appears in the catalog). 3scale-
operator.v0.10.0
-mas

mirror.operators.targetCatalog An alternative name and optional String Example:

namespace hierarchy to mirror the my-
referenced catalog as namespace/my-
operator-
catalog

mirror.operators.targetCatalogSour Path on disk for a template to use to String Example:

ceTemplate complete catalogSource custom resource /tmp/catalog-
generated by oc-mirror plugin v2. source_templat
e.yaml Example
of a template file:

apiVersion:
operators.cor
eos.com/v1alp
ha1
kind:
CatalogSourc
e
metadata:
name:
discarded
namespace:
openshift-
marketplace
spec:
image:
discarded
sourceType:
grpc

updateStrateg
y:

registryPoll:
interval:
30m0s

mirror.operators.targetTag An alternative tag to append to the String Example: v1

targetName or targetCatalog.

mirror.platform The platform configuration of the image Object

set.

110
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Parameter Description Values

mirror.platform.architectures The architecture of the platform release Array of strings

payload to mirror. Example:

architectures:
- amd64
- arm64
- multi
- ppc64le
- s390x

The default value

is amd64. The
value multi
ensures that the
mirroring is
supported for all
available
architectures,
eliminating the
need to specify
individual
architectures

mirror.platform.channels The platform channel configuration of the Array of objects

image set. Example:

channels:
- name:
stable-4.12
- name:
stable-4.17

mirror.platform.channels.full When true, sets the minVersion to the Boolean The

first release in the channel and the default value is
maxVersion to the last release in the false
channel.

mirror.platform.channels.name Name of the release channel String Example:

stable-4.15

mirror.platform.channels.minVersio The minimum version of the referenced String Example:

n platform to be mirrored. 4.12.6

mirror.platform.channels.maxVersi The highest version of the referenced String Example:

on platform to be mirrored. 4.15.1

111
OpenShift Container Platform 4.17 Disconnected environments

Parameter Description Values

mirror.platform.channels.shortestP Toggles shortest path mirroring or full Boolean The

ath range mirroring. default value is
false

mirror.platform.channels.type Type of the platform to be mirrored String Example:

ocp or okd . The
default is ocp .

mirror.platform.graph Indicates whether the OSUS graph is Boolean The

added to the image set and subsequently default value is
published to the mirror. false

3.5.10.1. Delete ImageSet Configuration parameters

To use the oc-mirror plugin v2, you must have delete image set configuration file that defines which
images to delete from the mirror registry. The following table lists the available parameters for the
DeleteImageSetConfiguration resource.

Table 3.6. DeleteImageSetConfiguration parameters

Parameter Description Values

apiVersion The API version for the String Example:

DeleteImageSetConfiguration mirror.openshif
content. t.io/v2alpha1

delete The configuration of the image set to Object

delete.

delete.additionalImages The additional images configuration of Array of objects

the delete image set. Example:

additionalIma
ges:
- name:
registry.redha
t.io/ubi8/ubi:lat
est

delete.additionalImages.name The tag or digest of the image to delete. String Example:

registry.redhat.i
o/ubi8/ubi:latest

112
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Parameter Description Values

delete.operators The Operators configuration of the Array of objects

delete image set. Example:

operators:
- catalog:
registry.redha
t.io/redhat/red
hat-operator-
index:
{product-
version}
packages:
- name:
elasticsearch-
operator

minVersion:
'2.4.0'

delete.operators.catalog The Operator catalog to include in the String Example:

delete image set. registry.redhat.i
o/redhat/redhat-
operator-
index:v4.15

delete.operators.full When true, deletes the full catalog, Boolean The

Operator package, or Operator channel. default value is
false

delete.operators.packages Operator packages configuration Array of objects

Example:

operators:
- catalog:
registry.redha
t.io/redhat/red
hat-operator-
index:
{product-
version}
packages:
- name:
elasticsearch-
operator

minVersion:
'5.2.3-31'

113
OpenShift Container Platform 4.17 Disconnected environments

Parameter Description Values

delete.operators.packages.name The Operator package name to include in String Example:

the delete image set. elasticsearch-
operator

delete.operators.packages.channel Operator package channel configuration Object

delete.operators.packages.channel The Operator channel name, unique String Example:

s.name within a package, to include in the delete fast or stable-
image set. v4.15

delete.operators.packages.channel The highest version of the Operator to String Example:

s.maxVersion delete within the selected channel. 5.2.3-31

delete.operators.packages.channel The lowest version of the Operator to String Example:

s.minVersion delete within the selection in which it 5.2.3-31
exists.

delete.operators.packages.maxVers The highest version of the Operator to String Example:

ion delete across all channels in which it 5.2.3-31
exists.

delete.operators.packages.minVers The lowest version of the Operator to String Example:

ion delete across all channels in which it 5.2.3-31
exists.

114
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Parameter Description Values

delete.operators.packages.bundles The selected bundles configuration Array of objects

You cannot
choose both
channels and
bundles for the
same operator.

Example:

operators:
- catalog:
registry.redha
t.io/redhat/red
hat-operator-
index:
{product-
version}
packages:
- name:
3scale-
operator
bundles:
- name:
3scale-
operator.v0.1
0.0-mas

delete.operators.packages.bundles. Name of the bundle selected to delete String Example :

name (as it is displayed in the catalog) 3scale-
operator.v0.10.0
-mas

delete.platform The platform configuration of the image Object

set

delete.platform.architectures The architecture of the platform release Array of strings

payload to delete. Example:

architectures:
- amd64
- arm64
- multi
- ppc64le
- s390x

The default value

is amd64

115
OpenShift Container Platform 4.17 Disconnected environments

Parameter Description Values

delete.platform.channels The platform channel configuration of the Array of objects

image set.
Example:

channels:
- name:
stable-4.12
- name:
stable-4.17

delete.platform.channels.full When true, sets the minVersion to the Boolean The

first release in the channel and the default value is
maxVersion to the last release in the false
channel.

delete.platform.channels.name Name of the release channel String Example:

stable-4.15

delete.platform.channels.minVersio The minimum version of the referenced String Example:

n platform to be deleted. 4.12.6

delete.platform.channels.maxVersi The highest version of the referenced String Example:

on platform to be deleted. 4.15.1

delete.platform.channels.shortestP Toggles between deleting the shortest Boolean The

ath path and deleting the full range. default value is
false

delete.platform.channels.type Type of the platform to be deleted String Example:

ocp or okd The
default is ocp

delete.platform.graph Determines whether the OSUS graph is Boolean The

deleted as well on the mirror registry as default value is
well. false

3.5.11. Command reference for oc-mirror plugin v2

The following tables describe the oc mirror subcommands and flags for oc-mirror plugin v2:

Table 3.7. Subcommands and flags for the oc-mirror plugin v2

Subcommand Description

help Show help about any subcommand

version Output the oc-mirror version

116
CHAPTER 3. MIRRORING IN DISCONNECTED ENVIRONMENTS

Subcommand Description

delete Deletes images in remote registry and local cache.

Table 3.8. oc mirror flags

Flag Description

--authfile Displays the string path of the authentication file. Default is

${XDG_RUNTIME_DIR}/containers/auth.json.

-c, --config <string> Specifies the path to an image set configuration file.

--dest-tls-verify Requires HTTPS and verifies certificates when accessing the container
registry or daemon.

--dry-run Prints actions without mirroring images

--from <string> Specifies the path to an image set archive that was generated by
executing oc-mirror plugin v2 to load a target registry.

-h, --help Displays help

--loglevel Displays string log levels. Supported values include info, debug, trace,
error. The default is info.

-p, --port Determines the HTTP port used by oc-mirror plugin v2 local storage
instance. The default is 55000 .

--max-nested-paths <int> Specifies the maximum number of nested paths for destination registries
that limit nested paths. The default is 0.

--secure-policy Default value is false. If you set a non-default value, the command
enables signature verification, which is the secure policy for signature
verification.

--since Includes all new content since a specified date (format: yyyy-mm-dd ).
When not provided, new content since previous mirroring is mirrored.

--src-tls-verify Requires HTTPS and verifies certificates when accessing the container
registry or daemon.

--strict-archive Default value is false. If you set a value, the command generates
archives that are strictly less than the archiveSize that was set in the
imageSetConfig custom resource (CR). Mirroring exist in error if a file
being archived exceeds archiveSize (GB).

-v, --version Displays the version for oc-mirror plugin v2.

117
OpenShift Container Platform 4.17 Disconnected environments

Flag Description

--workspace Determines string oc-mirror plugin v2 workspace where resources and

internal artifacts are generated.

Configuring your cluster to use the resources generated by oc-mirror

3.5.12. Next steps

After you mirror images to your disconnected environment using oc-mirror plugin v2, you can perform
any of the following actions:

Installing a cluster in a disconnected environment

Using Operator Lifecycle Manager in disconnected environments

Updating a cluster in a disconnected environment using the OpenShift Update Service

118
CHAPTER 4. INSTALLING A CLUSTER IN A DISCONNECTED ENVIRONMENT

CHAPTER 4. INSTALLING A CLUSTER IN A DISCONNECTED

ENVIRONMENT
You can install an OpenShift Container Platform cluster in a disconnected environment, choosing the
installation method and infrastructure that best suits your requirements. This includes installing
OpenShift Container Platform on either on-premise hardware or on a cloud hosting service such as
Amazon Web Services (AWS).

The following sections outline all of the supported methods for installing a cluster in a disconnected
environment.

NOTE

In order to learn about other requirements for installing a cluster using a particular
method, be sure to review other content in the procedure’s respective section of the
documentation.

For example, if you plan to install a cluster on AWS with installer-provisioned

infrastructure, see Configuring an AWS account and Preparing to install a cluster on AWS

4.1. INSTALLING A CLUSTER WITH THE AGENT-BASED INSTALLER

To learn more about installing a cluster in a disconnected environment with the Agent-based installer,
see the following pages:

Understanding disconnected installation mirroring

Installing an OpenShift Container Platform cluster with the Agent-based Installer

4.2. INSTALLING A CLUSTER ON AMAZON WEB SERVICES

To learn more about installing a cluster on Amazon Web Services (AWS) in a disconnected environment,
see the following procedures:

Installer-provisioned infrastructure: Installing a cluster on AWS in a restricted network

User-provisioned infrastructure: Installing a cluster on AWS in a restricted network with user-

provisioned infrastructure

4.3. INSTALLING A CLUSTER ON MICROSOFT AZURE

To learn more about installing a cluster on Microsoft Azure in a disconnected environment, see the
following procedures:

Installer-provisioned infrastructure: Installing a cluster on Azure in a restricted network

User-provisioned infrastructure: Installing a cluster on Azure in a restricted network with user-

provisioned infrastructure

4.4. INSTALLING A CLUSTER ON GOOGLE CLOUD PLATFORM

To learn more about installing a cluster on Google Cloud Platform (GCP) in a disconnected
environment, see the following procedures:

119
OpenShift Container Platform 4.17 Disconnected environments

Installer-provisioned infrastructure: Installing a cluster on GCP in a restricted network

User-provisioned infrastructure: Installing a cluster on GCP in a restricted network with user-

provisioned infrastructure

4.5. INSTALLING A CLUSTER ON IBM CLOUD

To learn more about installing a cluster on IBM Cloud® in a disconnected environment, see the following
procedure:

Installing a cluster on IBM Cloud in a restricted network

4.6. INSTALLING A CLUSTER ON NUTANIX

To learn more about installing a cluster on Nutanix in a disconnected environment, see the following
procedure:

Installing a cluster on Nutanix in a restricted network

4.7. INSTALLING A BARE-METAL CLUSTER

To learn more about installing a bare-metal cluster in a disconnected environment, see the following
procedure:

Installing a user-provisioned bare metal cluster on a restricted network

4.8. INSTALLING A CLUSTER ON IBM Z(R) OR IBM(R) LINUXONE

To learn more about installing a cluster on IBM Z® or IBM® LinuxONE in a disconnected environment,
see the following procedures:

Installing a cluster with z/VM on IBM Z and IBM LinuxONE in a restricted network

Installing a cluster with RHEL KVM on IBM Z and IBM LinuxONE in a restricted network

Installing a cluster in an LPAR on IBM Z and IBM LinuxONE in a restricted network

4.9. INSTALLING A CLUSTER ON IBM POWER

To learn more about installing a cluster on IBM Power in a disconnected environment, see the following
procedure:

Installing a cluster on IBM Power in a restricted network

4.10. INSTALLING A CLUSTER ON OPENSTACK

To learn more about installing a cluster on Red Hat OpenStack Platform (RHOSP) in a disconnected
environment, see the following procedure:

Installing a cluster on OpenStack in a restricted network

4.11. INSTALLING A CLUSTER ON VSPHERE

120
CHAPTER 4. INSTALLING A CLUSTER IN A DISCONNECTED ENVIRONMENT

To learn more about installing a cluster on VMware vSphere in a disconnected environment, see the
following procedures:

Installer-provisioned infrastructure: Installing a cluster on vSphere in a restricted network

User-provisioned infrastructure: Installing a cluster on vSphere in a restricted network with user-

provisioned infrastructure

121
OpenShift Container Platform 4.17 Disconnected environments

CHAPTER 5. USING OPERATOR LIFECYCLE MANAGER IN

DISCONNECTED ENVIRONMENTS
For OpenShift Container Platform clusters in disconnected environments, Operator Lifecycle Manager
(OLM) by default cannot access the Red Hat-provided OperatorHub sources hosted on remote
registries because those remote sources require full internet connectivity.

However, as a cluster administrator you can still enable your cluster to use OLM in a disconnected
environment if you have a workstation that has full internet access. The workstation, which requires full
internet access to pull the remote OperatorHub content, is used to prepare local mirrors of the remote
sources, and push the content to a mirror registry.

The mirror registry can be located on a bastion host, which requires connectivity to both your
workstation and the disconnected cluster, or a completely disconnected, or airgapped, host, which
requires removable media to physically move the mirrored content to the disconnected environment.

This guide describes the following process that is required to enable OLM in disconnected
environments:

Disable the default remote OperatorHub sources for OLM.

Use a workstation with full internet access to create and push local mirrors of the OperatorHub
content to a mirror registry.

Configure OLM to install and manage Operators from local sources on the mirror registry
instead of the default remote sources.

After enabling OLM in a disconnected environment, you can continue to use your unrestricted
workstation to keep your local OperatorHub sources updated as newer versions of Operators are
released.

IMPORTANT
122
CHAPTER 5. USING OPERATOR LIFECYCLE MANAGER IN DISCONNECTED ENVIRONMENTS

IMPORTANT

While OLM can manage Operators from local sources, the ability for a given Operator to
run successfully in a disconnected environment still depends on the Operator itself
meeting the following criteria:

List any related images, or other container images that the Operator might
require to perform their functions, in the relatedImages parameter of its
ClusterServiceVersion (CSV) object.

Reference all specified images by a digest (SHA) and not by a tag.

You can search software on the Red Hat Ecosystem Catalog for a list of Red Hat
Operators that support running in disconnected mode by filtering with the following
selections:

Type Containerized application

Deployme Operator
nt method

Infrastruct Disconnected
ure
features

Additional resources

Red Hat-provided Operator catalogs

Enabling your Operator for restricted network environments

5.1. PREREQUISITES
You are logged in to your OpenShift Container Platform cluster as a user with cluster-admin
privileges.

If you are using OLM in a disconnected environment on IBM Z®, you must have at least 12 GB
allocated to the directory where you place your registry.

5.2. DISABLING THE DEFAULT OPERATORHUB CATALOG SOURCES

Operator catalogs that source content provided by Red Hat and community projects are configured for
OperatorHub by default during an OpenShift Container Platform installation. In a restricted network
environment, you must disable the default catalogs as a cluster administrator. You can then configure
OperatorHub to use local catalog sources.

Procedure

Disable the sources for the default catalogs by adding disableAllDefaultSources: true to the
OperatorHub object:

$ oc patch OperatorHub cluster --type json \

-p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'

123
OpenShift Container Platform 4.17 Disconnected environments

TIP

Alternatively, you can use the web console to manage catalog sources. From the Administration →
Cluster Settings → Configuration → OperatorHub page, click the Sources tab, where you can create,
update, delete, disable, and enable individual sources.

5.3. MIRRORING AN OPERATOR CATALOG

For instructions about mirroring Operator catalogs for use with disconnected clusters, see Mirroring
Operator catalogs for use with disconnected clusters.

IMPORTANT

As of OpenShift Container Platform 4.11, the default Red Hat-provided Operator catalog
releases in the file-based catalog format. The default Red Hat-provided Operator
catalogs for OpenShift Container Platform 4.6 through 4.10 released in the deprecated
SQLite database format.

The opm subcommands, flags, and functionality related to the SQLite database format
are also deprecated and will be removed in a future release. The features are still
supported and must be used for catalogs that use the deprecated SQLite database
format.

Many of the opm subcommands and flags for working with the SQLite database format,
such as opm index prune, do not work with the file-based catalog format. For more
information about working with file-based catalogs, see Operator Framework packaging
format, Managing custom catalogs, and Mirroring images for a disconnected installation
using the oc-mirror plugin.

5.4. ADDING A CATALOG SOURCE TO A CLUSTER

Adding a catalog source to an OpenShift Container Platform cluster enables the discovery and
installation of Operators for users. Cluster administrators can create a CatalogSource object that
references an index image. OperatorHub uses catalog sources to populate the user interface.

TIP

Prerequisites

You built and pushed an index image to a registry.

You have access to the cluster as a user with the cluster-admin role.

Procedure

1. Create a CatalogSource object that references your index image. If you used the oc adm
catalog mirror command to mirror your catalog to a target registry, you can use the generated
catalogSource.yaml file in your manifests directory as a starting point.

a. Modify the following to your specifications and save it as a catalogSource.yaml file:

124
CHAPTER 5. USING OPERATOR LIFECYCLE MANAGER IN DISCONNECTED ENVIRONMENTS

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: my-operator-catalog 1
namespace: openshift-marketplace 2
spec:
sourceType: grpc
grpcPodConfig:
securityContextConfig: <security_mode> 3
image: <registry>/<namespace>/redhat-operator-index:v4.17 4
displayName: My Operator Catalog
publisher: <publisher_name> 5
updateStrategy:
registryPoll: 6
interval: 30m

1 If you mirrored content to local files before uploading to a registry, remove any
backslash (/) characters from the metadata.name field to avoid an "invalid resource
name" error when you create the object.

2 If you want the catalog source to be available globally to users in all namespaces,
specify the openshift-marketplace namespace. Otherwise, you can specify a different
namespace for the catalog to be scoped and available only for that namespace.

3 Specify the value of legacy or restricted. If the field is not set, the default value is
legacy. In a future OpenShift Container Platform release, it is planned that the default
value will be restricted. If your catalog cannot run with restricted permissions, it is
recommended that you manually set this field to legacy.

4 Specify your index image. If you specify a tag after the image name, for example
:v4.17, the catalog source pod uses an image pull policy of Always, meaning the pod
always pulls the image prior to starting the container. If you specify a digest, for
example @sha256:<id>, the image pull policy is IfNotPresent, meaning the pod pulls
the image only if it does not already exist on the node.

5 Specify your name or an organization name publishing the catalog.

6 Catalog sources can automatically check for new versions to keep up to date.

b. Use the file to create the CatalogSource object:

$ oc apply -f catalogSource.yaml

2. Verify the following resources are created successfully.

a. Check the pods:

$ oc get pods -n openshift-marketplace

Example output

125
OpenShift Container Platform 4.17 Disconnected environments

NAME READY STATUS RESTARTS AGE

my-operator-catalog-6njx6 1/1 Running 0 28s
marketplace-operator-d9f549946-96sgr 1/1 Running 0 26h

b. Check the catalog source:

$ oc get catalogsource -n openshift-marketplace

Example output

NAME DISPLAY TYPE PUBLISHER AGE

my-operator-catalog My Operator Catalog grpc 5s

c. Check the package manifest:

$ oc get packagemanifest -n openshift-marketplace

Example output

NAME CATALOG AGE

jaeger-product My Operator Catalog 93s

You can now install the Operators from the OperatorHub page on your OpenShift Container Platform
web console.

Additional resources

Accessing images for Operators from private registries

Image template for custom catalog sources

Image pull policy

5.5. NEXT STEPS

Updating installed Operators

126
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED

ENVIRONMENT

6.1. ABOUT CLUSTER UPDATES IN A DISCONNECTED ENVIRONMENT

A disconnected environment is one in which your cluster nodes cannot access the internet or where you
want to manage update recommendations and release images locally for policy or performance
purposes. This section covers mirroring OpenShift Container Platform images, managing an OpenShift
Update Service, and performing cluster updates in a disconnected environment.

6.1.1. Mirroring OpenShift Container Platform images

To update your cluster in a disconnected environment, your cluster environment must have access to a
mirror registry that has the necessary images and resources for your targeted update. A single
container image registry is sufficient to host mirrored images for several clusters in the disconnected
network. The following page has instructions for mirroring images onto a repository in your
disconnected cluster:

Mirroring OpenShift Container Platform images

6.1.2. Performing a cluster update in a disconnected environment

You can use one of the following procedures to update a disconnected OpenShift Container Platform
cluster:

Updating a cluster in a disconnected environment using the OpenShift Update Service

Updating a cluster in a disconnected environment without the OpenShift Update Service

6.1.3. Uninstalling the OpenShift Update Service from a cluster

You can use the following procedure to uninstall a local copy of the OpenShift Update Service (OSUS)
from your cluster:

Uninstalling the OpenShift Update Service from a cluster

6.2. MIRRORING OPENSHIFT CONTAINER PLATFORM IMAGES

You must mirror container images onto a mirror registry before you can update a cluster in a
disconnected environment. You can also use this procedure in connected environments to ensure your
clusters run only approved container images that have satisfied your organizational controls for external
content.

NOTE

Your mirror registry must be running at all times while the cluster is running.

The following steps outline the high-level workflow on how to mirror images to a mirror registry:

1. Install the OpenShift CLI (oc) on all devices being used to retrieve and push release images.

2. Download the registry pull secret and add it to your cluster.

127
OpenShift Container Platform 4.17 Disconnected environments

3. If you use the oc-mirror OpenShift CLI (oc) plugin:

a. Install the oc-mirror plugin on all devices being used to retrieve and push release images.

b. Create an image set configuration file for the plugin to use when determining which release
images to mirror. You can edit this configuration file later to change which release images
that the plugin mirrors.

c. Mirror your targeted release images directly to a mirror registry, or to removable media and
then to a mirror registry.

d. Configure your cluster to use the resources generated by the oc-mirror plugin.

e. Repeat these steps as needed to update your mirror registry.

4. If you use the oc adm release mirror command:

a. Set environment variables that correspond to your environment and the release images you
want to mirror.

b. Mirror your targeted release images directly to a mirror registry, or to removable media and
then to a mirror registry.

c. Repeat these steps as needed to update your mirror registry.

Compared to using the oc adm release mirror command, the oc-mirror plugin has the following
advantages:

It can mirror content other than container images.

After mirroring images for the first time, it is easier to update images in the registry.

The oc-mirror plugin provides an automated way to mirror the release payload from Quay, and
also builds the latest graph data image for the OpenShift Update Service running in the
disconnected environment.

6.2.1. Mirroring resources using the oc-mirror plugin

You can use the oc-mirror OpenShift CLI (oc) plugin to mirror images to a mirror registry in your fully or
partially disconnected environments. You must run oc-mirror from a system with internet connectivity
to download the required images from the official Red Hat registries.

See Mirroring images for a disconnected installation using the oc-mirror plugin for additional details.

6.2.2. Mirroring images using the oc adm release mirror command

You can use the oc adm release mirror command to mirror images to your mirror registry.

6.2.2.1. Prerequisites

You must have a container image registry that supports Docker v2-2 in the location that will
host the OpenShift Container Platform cluster, such as Red Hat Quay.

NOTE
128
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

NOTE

If you use Red Hat Quay, you must use version 3.6 or later with the oc-mirror
plugin. If you have an entitlement to Red Hat Quay, see the documentation on
deploying Red Hat Quay for proof-of-concept purposes or by using the Quay
Operator. If you need additional assistance selecting and installing a registry,
contact your sales representative or Red Hat Support.

If you do not have an existing solution for a container image registry, the mirror registry for Red
Hat OpenShift is included in OpenShift Container Platform subscriptions. The mirror registry for
Red Hat OpenShift is a small-scale container registry that you can use to mirror OpenShift
Container Platform container images in disconnected installations and updates.

6.2.2.2. Preparing your mirror host

Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to
the remote location.

6.2.2.2.1. Installing the OpenShift CLI

You can install the OpenShift CLI (oc) to interact with OpenShift Container Platform from a command-
line interface. You can install oc on Linux, Windows, or macOS.

IMPORTANT

If you installed an earlier version of oc, you cannot use it to complete all of the commands
in OpenShift Container Platform 4.17. Download and install the new version of oc. If you
are updating a cluster in a disconnected environment, install the oc version that you plan
to update to.

Installing the OpenShift CLI on Linux

You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.

Procedure

1. Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer
Portal.

2. Select the architecture from the Product Variant drop-down list.

3. Select the appropriate version from the Version drop-down list.

4. Click Download Now next to the OpenShift v4.17 Linux Clients entry and save the file.

5. Unpack the archive:

$ tar xvf <file>

6. Place the oc binary in a directory that is on your PATH.

To check your PATH, execute the following command:

$ echo $PATH

129
OpenShift Container Platform 4.17 Disconnected environments

Verification

After you install the OpenShift CLI, it is available using the oc command:

$ oc <command>

Installing the OpenShift CLI on Windows

You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.

Procedure

1. Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer
Portal.

2. Select the appropriate version from the Version drop-down list.

3. Click Download Now next to the OpenShift v4.17 Windows Client entry and save the file.

4. Unzip the archive with a ZIP program.

5. Move the oc binary to a directory that is on your PATH.

To check your PATH, open the command prompt and execute the following command:

C:\> path

Verification

After you install the OpenShift CLI, it is available using the oc command:

C:\> oc <command>

Installing the OpenShift CLI on macOS

You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.

Procedure

1. Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer
Portal.

2. Select the appropriate version from the Version drop-down list.

3. Click Download Now next to the OpenShift v4.17 macOS Clients entry and save the file.

NOTE

For macOS arm64, choose the OpenShift v4.17 macOS arm64 Client entry.

4. Unpack and unzip the archive.

5. Move the oc binary to a directory on your PATH.

To check your PATH, open a terminal and execute the following command:

$ echo $PATH

Verification
130
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

Verification

Verify your installation by using an oc command:

$ oc <command>

Additional resources

Installing and using CLI plugins

6.2.2.2.2. Configuring credentials that allow images to be mirrored

Create a container image registry credentials file that enables you to mirror images from Red Hat to
your mirror.


WARNING

Prerequisites

You configured a mirror registry to use in your disconnected environment.

You identified an image repository location on your mirror registry to mirror images into.

You provisioned a mirror registry account that allows images to be uploaded to that image
repository.

You have write access to the mirror registry.

Procedure
Complete the following steps on the installation host:

1. Download your registry.redhat.io pull secret from Red Hat OpenShift Cluster Manager .

2. Make a copy of your pull secret in JSON format by running the following command:

$ cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json> 1

1 Specify the path to the folder to store the pull secret in and a name for the JSON file that
you create.

Example pull secret

{
"auths": {
"cloud.openshift.com": {

131
OpenShift Container Platform 4.17 Disconnected environments

"auth": "b3BlbnNo...",
"email": "[email protected]"
},
"quay.io": {
"auth": "b3BlbnNo...",
"email": "[email protected]"
},
"registry.connect.redhat.com": {
"auth": "NTE3Njg5Nj...",
"email": "[email protected]"
},
"registry.redhat.io": {
"auth": "NTE3Njg5Nj...",
"email": "[email protected]"
}
}
}

3. Optional: If using the oc-mirror plugin, save the file as either ~/.docker/config.json or
$XDG_RUNTIME_DIR/containers/auth.json:

a. If the .docker or $XDG_RUNTIME_DIR/containers directories do not exist, create one by

entering the following command:

$ mkdir -p <directory_name>

Where <directory_name> is either ~/.docker or $XDG_RUNTIME_DIR/containers.

b. Copy the pull secret to the appropriate directory by entering the following command:

$ cp <path>/<pull_secret_file_in_json> <directory_name>/<auth_file>

Where <directory_name> is either ~/.docker or $XDG_RUNTIME_DIR/containers, and

<auth_file> is either config.json or auth.json.

4. Generate the base64-encoded user name and password or token for your mirror registry by
running the following command:

$ echo -n '<user_name>:<password>' | base64 -w0 1

1 For <user_name> and <password>, specify the user name and password that you
configured for your registry.

Example output

BGVtbYk3ZHAtqXs=

5. Edit the JSON file and add a section that describes your registry to it:

"auths": {
"<mirror_registry>": { 1
"auth": "<credentials>", 2

132
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

"email": "[email protected]"
}
},

1 Specify the registry domain name, and optionally the port, that your mirror registry uses to
serve content. For example, registry.example.com or registry.example.com:8443

2 Specify the base64-encoded user name and password for the mirror registry.

Example modified pull secret

6.2.2.3. Mirroring images to a mirror registry

IMPORTANT

To avoid excessive memory usage by the OpenShift Update Service application, you
must mirror release images to a separate repository as described in the following
procedure.

Prerequisites

You configured a mirror registry to use in your disconnected environment and can access the
certificate and credentials that you configured.

You downloaded the pull secret from Red Hat OpenShift Cluster Manager and modified it to
include authentication to your mirror repository.

If you use self-signed certificates, you have specified a Subject Alternative Name in the
certificates.

133
OpenShift Container Platform 4.17 Disconnected environments

Procedure

1. Use the Red Hat OpenShift Container Platform Update Graph visualizer and update planner to
plan an update from one version to another. The OpenShift Update Graph provides channel
graphs and a way to confirm that there is an update path between your current and intended
cluster versions.

2. Set the required environment variables:

a. Export the release version:

$ export OCP_RELEASE=<release_version>

For <release_version>, specify the tag that corresponds to the version of OpenShift
Container Platform to which you want to update, such as 4.5.4.

b. Export the local registry name and host port:

$ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>'

For <local_registry_host_name>, specify the registry domain name for your mirror
repository, and for <local_registry_host_port>, specify the port that it serves content on.

c. Export the local repository name:

$ LOCAL_REPOSITORY='<local_repository_name>'

For <local_repository_name>, specify the name of the repository to create in your

registry, such as ocp4/openshift4.

d. If you are using the OpenShift Update Service, export an additional local repository name to
contain the release images:

$
LOCAL_RELEASE_IMAGES_REPOSITORY='<local_release_images_repository_name>'

For <local_release_images_repository_name>, specify the name of the repository to

create in your registry, such as ocp4/openshift4-release-images.

e. Export the name of the repository to mirror:

$ PRODUCT_REPO='openshift-release-dev'

For a production release, you must specify openshift-release-dev.

f. Export the path to your registry pull secret:

$ LOCAL_SECRET_JSON='<path_to_pull_secret>'

For <path_to_pull_secret>, specify the absolute path to and file name of the pull secret
for your mirror registry that you created.

NOTE
134
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

NOTE

If your cluster uses an ImageContentSourcePolicy object to configure

repository mirroring, you can use only global pull secrets for mirrored
registries. You cannot add a pull secret to a project.

g. Export the release mirror:

$ RELEASE_NAME="ocp-release"

For a production release, you must specify ocp-release.

h. Export the type of architecture for your cluster:

$ ARCHITECTURE=<cluster_architecture> 1

1 Specify the architecture of the cluster, such as x86_64, aarch64, s390x, or ppc64le.

i. Export the path to the directory to host the mirrored images:

$ REMOVABLE_MEDIA_PATH=<path> 1

1 Specify the full path, including the initial forward slash (/) character.

3. Review the images and configuration manifests to mirror:

$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-

dir=${REMOVABLE_MEDIA_PATH}/mirror
quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}
--dry-run

4. Mirror the version images to the mirror registry.

If your mirror host does not have internet access, take the following actions:

i. Connect the removable media to a system that is connected to the internet.

ii. Mirror the images and configuration manifests to a directory on the removable media:

$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-

dir=${REMOVABLE_MEDIA_PATH}/mirror
quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-
${ARCHITECTURE}

NOTE

This command also generates and saves the mirrored release image
signature config map onto the removable media.

iii. Take the media to the disconnected environment and upload the images to the local
container registry.

135
OpenShift Container Platform 4.17 Disconnected environments

$ oc image mirror -a ${LOCAL_SECRET_JSON} --from-

dir=${REMOVABLE_MEDIA_PATH}/mirror
"file://openshift/release:${OCP_RELEASE}*"
${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} 1

1 For REMOVABLE_MEDIA_PATH, you must use the same path that you specified
when you mirrored the images.

iv. Use oc command-line interface (CLI) to log in to the cluster that you are updating.

v. Apply the mirrored release image signature config map to the connected cluster:

$ oc apply -f ${REMOVABLE_MEDIA_PATH}/mirror/config/<image_signature_file>
1

1 For <image_signature_file>, specify the path and name of the file, for example,
signature-sha256-81154f5c03294534.yaml.

vi. If you are using the OpenShift Update Service, mirror the release image to a separate
repository:

$ oc image mirror -a ${LOCAL_SECRET_JSON}

${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-
${ARCHITECTURE}
${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${OCP_REL
EASE}-${ARCHITECTURE}

If the local container registry and the cluster are connected to the mirror host, take the
following actions:

i. Directly push the release images to the local registry and apply the config map to the
cluster by using following command:

$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --

from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-
${ARCHITECTURE} \
--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} --apply-release-image-
signature

NOTE

If you include the --apply-release-image-signature option, do not

create the config map for image signature verification.

ii. If you are using the OpenShift Update Service, mirror the release image to a separate
repository:

$ oc image mirror -a ${LOCAL_SECRET_JSON}

${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-
${ARCHITECTURE}
${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${OCP_REL
EASE}-${ARCHITECTURE}

136
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

6.3. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

USING THE OPENSHIFT UPDATE SERVICE
To get an update experience similar to connected clusters, you can use the following procedures to
install and configure the OpenShift Update Service (OSUS) in a disconnected environment.

The following steps outline the high-level workflow on how to update a cluster in a disconnected
environment using OSUS:

1. Configure access to a secured registry.

2. Update the global cluster pull secret to access your mirror registry.

3. Install the OSUS Operator.

4. Create a graph data container image for the OpenShift Update Service.

5. Install the OSUS application and configure your clusters to use the OpenShift Update Service in
your environment.

6. Perform a supported update procedure from the documentation as you would with a connected
cluster.

6.3.1. Using the OpenShift Update Service in a disconnected environment

The OpenShift Update Service (OSUS) provides update recommendations to OpenShift Container
Platform clusters. Red Hat publicly hosts the OpenShift Update Service, and clusters in a connected
environment can connect to the service through public APIs to retrieve update recommendations.

However, clusters in a disconnected environment cannot access these public APIs to retrieve update
information. To have a similar update experience in a disconnected environment, you can install and
configure the OpenShift Update Service so that it is available within the disconnected environment.

A single OSUS instance is capable of serving recommendations to thousands of clusters. OSUS can be
scaled horizontally to cater to more clusters by changing the replica value. So for most disconnected use
cases, one OSUS instance is enough. For example, Red Hat hosts just one OSUS instance for the entire
fleet of connected clusters.

If you want to keep update recommendations separate in different environments, you can run one OSUS
instance for each environment. For example, in a case where you have separate test and stage
environments, you might not want a cluster in a stage environment to receive update recommendations
to version A if that version has not been tested in the test environment yet.

The following sections describe how to install an OSUS instance and configure it to provide update
recommendations to a cluster.

Additional resources

About the OpenShift Update Service

Understanding update channels and releases

6.3.2. Prerequisites
You must have the oc command-line interface (CLI) tool installed.

137
OpenShift Container Platform 4.17 Disconnected environments

You must provision a container image registry in your environment with the container images
for your update, as described in Mirroring OpenShift Container Platform images .

6.3.3. Configuring access to a secured registry for the OpenShift Update Service
If the release images are contained in a registry whose HTTPS X.509 certificate is signed by a custom
certificate authority, complete the steps in Configuring additional trust stores for image registry access
along with following changes for the update service.

The OpenShift Update Service Operator needs the config map key name updateservice-registry in the
registry CA cert.

Image registry CA config map example for the update service

apiVersion: v1
kind: ConfigMap
metadata:
name: my-registry-ca
data:
updateservice-registry: | 1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
registry-with-port.example.com..5000: | 2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

1 The OpenShift Update Service Operator requires the config map key name updateservice-
registry in the registry CA cert.

2 If the registry has the port, such as registry-with-port.example.com:5000, : should be replaced

with ...

6.3.4. Updating the global cluster pull secret

You can update the global pull secret for your cluster by either replacing the current pull secret or
appending a new pull secret.

The procedure is required when users use a separate registry to store images than the registry used
during installation.

Prerequisites

You have access to the cluster as a user with the cluster-admin role.

Procedure

1. Optional: To append a new pull secret to the existing pull secret, complete the following steps:

a. Enter the following command to download the pull secret:

138
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

$ oc get secret/pull-secret -n openshift-config --template='{{index .data

".dockerconfigjson" | base64decode}}' ><pull_secret_location> 1

1 Provide the path to the pull secret file.

b. Enter the following command to add the new pull secret:

$ oc registry login --registry="<registry>" \ 1

--auth-basic="<username>:<password>" \ 2
--to=<pull_secret_location> 3

1 Provide the new registry. You can include multiple repositories within the same
registry, for example: --registry="<registry/my-namespace/my-repository>".

2 Provide the credentials of the new registry.

3 Provide the path to the pull secret file.

Alternatively, you can perform a manual update to the pull secret file.

2. Enter the following command to update the global pull secret for your cluster:

$ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=

<pull_secret_location> 1

1 Provide the path to the new pull secret file.

This update is rolled out to all nodes, which can take some time depending on the size of your
cluster.

NOTE

As of OpenShift Container Platform 4.7.4, changes to the global pull secret no

longer trigger a node drain or reboot.

6.3.5. Installing the OpenShift Update Service Operator

To install the OpenShift Update Service, you must first install the OpenShift Update Service Operator
by using the OpenShift Container Platform web console or CLI.

NOTE

For clusters that are installed in disconnected environments, also known as disconnected
clusters, Operator Lifecycle Manager by default cannot access the Red Hat-provided
OperatorHub sources hosted on remote registries because those remote sources require
full internet connectivity. For more information, see Using Operator Lifecycle Manager in
disconnected environments.

6.3.5.1. Installing the OpenShift Update Service Operator by using the web console

You can use the web console to install the OpenShift Update Service Operator.

139
OpenShift Container Platform 4.17 Disconnected environments

Procedure

1. In the web console, click Operators → OperatorHub.

NOTE

Enter Update Service into the Filter by keyword… field to find the Operator
faster.

2. Choose OpenShift Update Service from the list of available Operators, and click Install.

a. Select an Update channel.

b. Select a Version.

c. Select A specific namespace on the clusterunder Installation Mode.

d. Select a namespace for Installed Namespace or accept the recommended namespace

openshift-update-service.

e. Select an Update approval strategy:

The Automatic strategy allows Operator Lifecycle Manager (OLM) to automatically

update the Operator when a new version is available.

The Manual strategy requires a cluster administrator to approve the Operator update.

f. Click Install.

3. Go to Operators → Installed Operators and verify that the OpenShift Update Service
Operator is installed.

4. Ensure that OpenShift Update Service is listed in the correct namespace with a Status of
Succeeded.

6.3.5.2. Installing the OpenShift Update Service Operator by using the CLI

You can use the OpenShift CLI (oc) to install the OpenShift Update Service Operator.

Procedure

1. Create a namespace for the OpenShift Update Service Operator:

a. Create a Namespace object YAML file, for example, update-service-namespace.yaml, for

the OpenShift Update Service Operator:

apiVersion: v1
kind: Namespace
metadata:
name: openshift-update-service
annotations:
openshift.io/node-selector: ""
labels:
openshift.io/cluster-monitoring: "true" 1

1 Set the openshift.io/cluster-monitoring label to enable Operator-recommended

cluster monitoring on this namespace.

140
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

cluster monitoring on this namespace.

b. Create the namespace:

$ oc create -f <filename>.yaml

For example:

$ oc create -f update-service-namespace.yaml

2. Install the OpenShift Update Service Operator by creating the following objects:

a. Create an OperatorGroup object YAML file, for example, update-service-operator-

group.yaml:

apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
name: update-service-operator-group
namespace: openshift-update-service
spec:
targetNamespaces:
- openshift-update-service

b. Create an OperatorGroup object:

$ oc -n openshift-update-service create -f <filename>.yaml

For example:

$ oc -n openshift-update-service create -f update-service-operator-group.yaml

c. Create a Subscription object YAML file, for example, update-service-subscription.yaml:

Example Subscription

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
name: update-service-subscription
namespace: openshift-update-service
spec:
channel: v1
installPlanApproval: "Automatic"
source: "redhat-operators" 1
sourceNamespace: "openshift-marketplace"
name: "cincinnati-operator"

1 Specify the name of the catalog source that provides the Operator. For clusters that
do not use a custom Operator Lifecycle Manager (OLM), specify redhat-operators. If
your OpenShift Container Platform cluster is installed in a disconnected environment,
specify the name of the CatalogSource object created when you configured Operator
Lifecycle Manager (OLM).

141
OpenShift Container Platform 4.17 Disconnected environments

d. Create the Subscription object:

$ oc create -f <filename>.yaml

For example:

$ oc -n openshift-update-service create -f update-service-subscription.yaml

The OpenShift Update Service Operator is installed to the openshift-update-service

namespace and targets the openshift-update-service namespace.

3. Verify the Operator installation:

$ oc -n openshift-update-service get clusterserviceversions

Example output

NAME DISPLAY VERSION REPLACES PHASE

update-service-operator.v4.6.0 OpenShift Update Service 4.6.0 Succeeded
...

If the OpenShift Update Service Operator is listed, the installation was successful. The version
number might be different than shown.

Additional resources

Installing Operators in your namespace .

6.3.6. Creating the OpenShift Update Service graph data container image
The OpenShift Update Service requires a graph data container image, from which the OpenShift Update
Service retrieves information about channel membership and blocked update edges. Graph data is
typically fetched directly from the update graph data repository. In environments where an internet
connection is unavailable, loading this information from an init container is another way to make the
graph data available to the OpenShift Update Service. The role of the init container is to provide a local
copy of the graph data, and during pod initialization, the init container copies the data to a volume that
is accessible by the service.

NOTE

The oc-mirror OpenShift CLI (oc) plugin creates this graph data container image in
addition to mirroring release images. If you used the oc-mirror plugin to mirror your
release images, you can skip this procedure.

Procedure

1. Create a Dockerfile, for example, ./Dockerfile, containing the following:

FROM registry.access.redhat.com/ubi9/ubi:latest

RUN curl -L -o cincinnati-graph-data.tar.gz

https://api.openshift.com/api/upgrades_info/graph-data

142
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

RUN mkdir -p /var/lib/cincinnati-graph-data && tar xvzf cincinnati-graph-data.tar.gz -C

/var/lib/cincinnati-graph-data/ --no-overwrite-dir --no-same-owner

CMD ["/bin/bash", "-c" ,"exec cp -rp /var/lib/cincinnati-graph-data/* /var/lib/cincinnati/graph-

data"]

2. Use the docker file created in the above step to build a graph data container image, for
example, registry.example.com/openshift/graph-data:latest:

$ podman build -f ./Dockerfile -t registry.example.com/openshift/graph-data:latest

3. Push the graph data container image created in the previous step to a repository that is
accessible to the OpenShift Update Service, for example,
registry.example.com/openshift/graph-data:latest:

$ podman push registry.example.com/openshift/graph-data:latest

NOTE

To push a graph data image to a registry in a disconnected environment, copy the

graph data container image created in the previous step to a repository that is
accessible to the OpenShift Update Service. Run oc image mirror --help for
available options.

6.3.7. Creating an OpenShift Update Service application

You can create an OpenShift Update Service application by using the OpenShift Container Platform
web console or CLI.

6.3.7.1. Creating an OpenShift Update Service application by using the web console

You can use the OpenShift Container Platform web console to create an OpenShift Update Service
application by using the OpenShift Update Service Operator.

Prerequisites

The OpenShift Update Service Operator has been installed.

The OpenShift Update Service graph data container image has been created and pushed to a
repository that is accessible to the OpenShift Update Service.

The current release and update target releases have been mirrored to a registry in the
disconnected environment.

Procedure

1. In the web console, click Operators → Installed Operators.

2. Choose OpenShift Update Service from the list of installed Operators.

3. Click the Update Service tab.

4. Click Create UpdateService.

143
OpenShift Container Platform 4.17 Disconnected environments

5. Enter a name in the Name field, for example, service.

6. Enter the local pullspec in the Graph Data Image field to the graph data container image
created in "Creating the OpenShift Update Service graph data container image", for example,
registry.example.com/openshift/graph-data:latest.

7. In the Releases field, enter the registry and repository created to contain the release images in
"Mirroring the OpenShift Container Platform image repository", for example,
registry.example.com/ocp4/openshift4-release-images.

8. Enter 2 in the Replicas field.

9. Click Create to create the OpenShift Update Service application.

10. Verify the OpenShift Update Service application:

From the UpdateServices list in the Update Service tab, click the Update Service
application just created.

Click the Resources tab.

Verify each application resource has a status of Created.

6.3.7.2. Creating an OpenShift Update Service application by using the CLI

You can use the OpenShift CLI (oc) to create an OpenShift Update Service application.

Prerequisites

The OpenShift Update Service Operator has been installed.

The OpenShift Update Service graph data container image has been created and pushed to a
repository that is accessible to the OpenShift Update Service.

The current release and update target releases have been mirrored to a registry in the
disconnected environment.

Procedure

1. Configure the OpenShift Update Service target namespace, for example, openshift-update-
service:

$ NAMESPACE=openshift-update-service

The namespace must match the targetNamespaces value from the operator group.

2. Configure the name of the OpenShift Update Service application, for example, service:

$ NAME=service

3. Configure the registry and repository for the release images as configured in "Mirroring the
OpenShift Container Platform image repository", for example,
registry.example.com/ocp4/openshift4-release-images:

$ RELEASE_IMAGES=registry.example.com/ocp4/openshift4-release-images

144
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

4. Set the local pullspec for the graph data image to the graph data container image created in
"Creating the OpenShift Update Service graph data container image", for example,
registry.example.com/openshift/graph-data:latest:

$ GRAPH_DATA_IMAGE=registry.example.com/openshift/graph-data:latest

5. Create an OpenShift Update Service application object:

$ oc -n "${NAMESPACE}" create -f - <<EOF

apiVersion: updateservice.operator.openshift.io/v1
kind: UpdateService
metadata:
name: ${NAME}
spec:
replicas: 2
releases: ${RELEASE_IMAGES}
graphDataImage: ${GRAPH_DATA_IMAGE}
EOF

6. Verify the OpenShift Update Service application:

a. Use the following command to obtain a policy engine route:

$ while sleep 1; do POLICY_ENGINE_GRAPH_URI="$(oc -n "${NAMESPACE}" get -o

jsonpath='{.status.policyEngineURI}/api/upgrades_info/v1/graph{"\n"}' updateservice
"${NAME}")"; SCHEME="${POLICY_ENGINE_GRAPH_URI%%:*}"; if test "${SCHEME}"
= http -o "${SCHEME}" = https; then break; fi; done

You might need to poll until the command succeeds.

b. Retrieve a graph from the policy engine. Be sure to specify a valid version for channel. For
example, if running in OpenShift Container Platform 4.17, use stable-4.17:

$ while sleep 10; do HTTP_CODE="$(curl --header Accept:application/json --output

/dev/stderr --write-out "%{http_code}" "${POLICY_ENGINE_GRAPH_URI}?
channel=stable-4.6")"; if test "${HTTP_CODE}" -eq 200; then break; fi; echo
"${HTTP_CODE}"; done

This polls until the graph request succeeds; however, the resulting graph might be empty
depending on which release images you have mirrored.

NOTE

The policy engine route name must not be more than 63 characters based on RFC-1123. If
you see ReconcileCompleted status as false with the reason CreateRouteFailed
caused by host must conform to DNS 1123 naming convention and must be no more
than 63 characters, try creating the Update Service with a shorter name.

6.3.8. Configuring the Cluster Version Operator (CVO)

After the OpenShift Update Service Operator has been installed and the OpenShift Update Service
application has been created, the Cluster Version Operator (CVO) can be updated to pull graph data
from the OpenShift Update Service installed in your environment.

145
OpenShift Container Platform 4.17 Disconnected environments

Prerequisites

The OpenShift Update Service Operator has been installed.

The OpenShift Update Service graph data container image has been created and pushed to a
repository that is accessible to the OpenShift Update Service.

The current release and update target releases have been mirrored to a registry in the
disconnected environment.

The OpenShift Update Service application has been created.

Procedure

1. Set the OpenShift Update Service target namespace, for example, openshift-update-service:

$ NAMESPACE=openshift-update-service

2. Set the name of the OpenShift Update Service application, for example, service:

$ NAME=service

3. Obtain the policy engine route:

$ POLICY_ENGINE_GRAPH_URI="$(oc -n "${NAMESPACE}" get -o

jsonpath='{.status.policyEngineURI}/api/upgrades_info/v1/graph{"\n"}' updateservice
"${NAME}")"

4. Set the patch for the pull graph data:

$ PATCH="{\"spec\":{\"upstream\":\"${POLICY_ENGINE_GRAPH_URI}\"}}"

5. Patch the CVO to use the OpenShift Update Service in your environment:

$ oc patch clusterversion version -p $PATCH --type merge

NOTE

See Configuring the cluster-wide proxy to configure the CA to trust the update server.

6.3.9. Next steps

Before updating your cluster, confirm that the following conditions are met:

The Cluster Version Operator (CVO) is configured to use your installed OpenShift Update
Service application.

The release image signature config map for the new release is applied to your cluster.

NOTE
146
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

NOTE

The Cluster Version Operator (CVO) uses release image signatures to ensure
that release images have not been modified, by verifying that the release image
signatures match the expected result.

The current release and update target release images are mirrored to a registry in the
disconnected environment.

A recent graph data container image has been mirrored to your registry.

A recent version of the OpenShift Update Service Operator is installed.

NOTE

If you have not recently installed or updated the OpenShift Update Service
Operator, there might be a more recent version available. See Using Operator
Lifecycle Manager in disconnected environments for more information about
how to update your OLM catalog in a disconnected environment.

After you configure your cluster to use the installed OpenShift Update Service and local mirror registry,
you can use any of the following update methods:

Updating a cluster using the web console

Updating a cluster using the CLI

Performing a Control Plane Only update

Performing a canary rollout update

Updating a cluster that includes RHEL compute machines

6.4. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

WITHOUT THE OPENSHIFT UPDATE SERVICE
Use the following procedures to update a cluster in a disconnected environment without access to the
OpenShift Update Service.

6.4.1. Prerequisites
You must have the oc command-line interface (CLI) tool installed.

You must provision a local container image registry with the container images for your update,
as described in Mirroring OpenShift Container Platform images .

You must have access to the cluster as a user with admin privileges. See Using RBAC to define
and apply permissions.

You must have a recent etcd backup in case your update fails and you must restore your cluster
to a previous state.

You have updated all Operators previously installed through Operator Lifecycle Manager
(OLM) to a version that is compatible with your target release. Updating the Operators ensures
they have a valid update path when the default OperatorHub catalogs switch from the current

147
OpenShift Container Platform 4.17 Disconnected environments

minor version to the next during a cluster update. See Updating installed Operators for more
information on how to check compatibility and, if necessary, update the installed Operators.

You must ensure that all machine config pools (MCPs) are running and not paused. Nodes
associated with a paused MCP are skipped during the update process. You can pause the MCPs
if you are performing a canary rollout update strategy.

If your cluster uses manually maintained credentials, update the cloud provider resources for
the new release. For more information, including how to determine if this is a requirement for
your cluster, see Preparing to update a cluster with manually maintained credentials .

If you run an Operator or you have configured any application with the pod disruption budget,
you might experience an interruption during the update process. If minAvailable is set to 1 in
PodDisruptionBudget, the nodes are drained to apply pending machine configs which might
block the eviction process. If several nodes are rebooted, all the pods might run on only one
node, and the PodDisruptionBudget field can prevent the node drain.

NOTE

If you run an Operator or you have configured any application with the pod disruption
budget, you might experience an interruption during the update process. If minAvailable
is set to 1 in PodDisruptionBudget, the nodes are drained to apply pending machine
configs which might block the eviction process. If several nodes are rebooted, all the pods
might run on only one node, and the PodDisruptionBudget field can prevent the node
drain.

6.4.2. Pausing a MachineHealthCheck resource

During the update process, nodes in the cluster might become temporarily unavailable. In the case of
worker nodes, the machine health check might identify such nodes as unhealthy and reboot them. To
avoid rebooting such nodes, pause all the MachineHealthCheck resources before updating the cluster.

Prerequisites

Install the OpenShift CLI (oc).

Procedure

1. To list all the available MachineHealthCheck resources that you want to pause, run the
following command:

$ oc get machinehealthcheck -n openshift-machine-api

2. To pause the machine health checks, add the cluster.x-k8s.io/paused="" annotation to the
MachineHealthCheck resource. Run the following command:

$ oc -n openshift-machine-api annotate mhc <mhc-name> cluster.x-k8s.io/paused=""

The annotated MachineHealthCheck resource resembles the following YAML file:

apiVersion: machine.openshift.io/v1beta1
kind: MachineHealthCheck
metadata:
name: example

148
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

namespace: openshift-machine-api
annotations:
cluster.x-k8s.io/paused: ""
spec:
selector:
matchLabels:
role: worker
unhealthyConditions:
- type: "Ready"
status: "Unknown"
timeout: "300s"
- type: "Ready"
status: "False"
timeout: "300s"
maxUnhealthy: "40%"
status:
currentHealthy: 5
expectedMachines: 5

IMPORTANT

Resume the machine health checks after updating the cluster. To resume the
check, remove the pause annotation from the MachineHealthCheck resource by
running the following command:

$ oc -n openshift-machine-api annotate mhc <mhc-name> cluster.x-

k8s.io/paused-

6.4.3. Retrieving a release image digest

In order to update a cluster in a disconnected environment using the oc adm upgrade command with
the --to-image option, you must reference the sha256 digest that corresponds to your targeted release
image.

Procedure

1. Run the following command on a device that is connected to the internet:

$ oc adm release info -o 'jsonpath={.digest}{"\n"}' quay.io/openshift-release-dev/ocp-

release:${OCP_RELEASE_VERSION}-${ARCHITECTURE}

For {OCP_RELEASE_VERSION}, specify the version of OpenShift Container Platform to

which you want to update, such as 4.10.16.

For {ARCHITECTURE}, specify the architecture of the cluster, such as x86_64, aarch64, s390x,
or ppc64le.

Example output

sha256:a8bfba3b6dddd1a2fbbead7dac65fe4fb8335089e4e7cae327f3bad334add31d

2. Copy the sha256 digest for use when updating your cluster.

149
OpenShift Container Platform 4.17 Disconnected environments

6.4.4. Updating the disconnected cluster

Update the disconnected cluster to the OpenShift Container Platform version that you downloaded the
release images for.

NOTE

If you have a local OpenShift Update Service, you can update by using the connected web
console or CLI instructions instead of this procedure.

Prerequisites

You mirrored the images for the new release to your registry.

You applied the release image signature ConfigMap for the new release to your cluster.

NOTE

The release image signature config map allows the Cluster Version Operator
(CVO) to ensure the integrity of release images by verifying that the actual
image signatures match the expected signatures.

You obtained the sha256 digest for your targeted release image.

You installed the OpenShift CLI (oc).

You paused all MachineHealthCheck resources.

Procedure

Update the cluster:

$ oc adm upgrade --allow-explicit-upgrade --to-image

<defined_registry>/<defined_repository>@<digest>

Where:

<defined_registry>
Specifies the name of the mirror registry you mirrored your images to.
<defined_repository>
Specifies the name of the image repository you want to use on the mirror registry.
<digest>
Specifies the sha256 digest for the targeted release image, for example,
sha256:81154f5c03294534e1eaf0319bef7a601134f891689ccede5d705ef659aa8c92.

NOTE
150
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

NOTE

See "Mirroring OpenShift Container Platform images" to review how your

mirror registry and repository names are defined.

If you used an ImageContentSourcePolicy or ImageDigestMirrorSet, you

can use the canonical registry and repository names instead of the names
you defined. The canonical registry name is quay.io and the canonical
repository name is openshift-release-dev/ocp-release.

You can only configure global pull secrets for clusters that have an
ImageContentSourcePolicy object. You cannot add a pull secret to a
project.

Additional resources

Mirroring OpenShift Container Platform images

6.4.5. Understanding image registry repository mirroring

Setting up container registry repository mirroring enables you to perform the following tasks:

Configure your OpenShift Container Platform cluster to redirect requests to pull images from a
repository on a source image registry and have it resolved by a repository on a mirrored image
registry.

Identify multiple mirrored repositories for each target repository, to make sure that if one mirror
is down, another can be used.

Repository mirroring in OpenShift Container Platform includes the following attributes:

Image pulls are resilient to registry downtimes.

Clusters in disconnected environments can pull images from critical locations, such as quay.io,
and have registries behind a company firewall provide the requested images.

A particular order of registries is tried when an image pull request is made, with the permanent
registry typically being the last one tried.

The mirror information you enter is added to the /etc/containers/registries.conf file on every
node in the OpenShift Container Platform cluster.

When a node makes a request for an image from the source repository, it tries each mirrored
repository in turn until it finds the requested content. If all mirrors fail, the cluster tries the
source repository. If successful, the image is pulled to the node.

Setting up repository mirroring can be done in the following ways:

At OpenShift Container Platform installation:

By pulling container images needed by OpenShift Container Platform and then bringing those
images behind your company’s firewall, you can install OpenShift Container Platform into a data
center that is in a disconnected environment.

After OpenShift Container Platform installation:

If you did not configure mirroring during OpenShift Container Platform installation, you can do
so postinstallation by using any of the following custom resource (CR) objects:

151
OpenShift Container Platform 4.17 Disconnected environments

ImageDigestMirrorSet (IDMS). This object allows you to pull images from a mirrored
registry by using digest specifications. The IDMS CR enables you to set a fall back policy
that allows or stops continued attempts to pull from the source registry if the image pull
fails.

ImageTagMirrorSet (ITMS). This object allows you to pull images from a mirrored registry
by using image tags. The ITMS CR enables you to set a fall back policy that allows or stops
continued attempts to pull from the source registry if the image pull fails.

ImageContentSourcePolicy (ICSP). This object allows you to pull images from a mirrored
registry by using digest specifications. The ICSP CR always falls back to the source registry
if the mirrors do not work.

IMPORTANT

Using an ImageContentSourcePolicy (ICSP) object to configure repository

mirroring is a deprecated feature. Deprecated functionality is still included in
OpenShift Container Platform and continues to be supported; however, it will be
removed in a future release of this product and is not recommended for new
deployments. If you have existing YAML files that you used to create
ImageContentSourcePolicy objects, you can use the oc adm migrate icsp
command to convert those files to an ImageDigestMirrorSet YAML file. For
more information, see "Converting ImageContentSourcePolicy (ICSP) files for
image registry repository mirroring" in the following section.

Each of these custom resource objects identify the following information:

The source of the container image repository you want to mirror.

A separate entry for each mirror repository you want to offer the content requested from the
source repository.

For new clusters, you can use IDMS, ITMS, and ICSP CRs objects as desired. However, using IDMS and
ITMS is recommended.

If you upgraded a cluster, any existing ICSP objects remain stable, and both IDMS and ICSP objects are
supported. Workloads using ICSP objects continue to function as expected. However, if you want to take
advantage of the fallback policies introduced in the IDMS CRs, you can migrate current workloads to
IDMS objects by using the oc adm migrate icsp command as shown in the Converting
ImageContentSourcePolicy (ICSP) files for image registry repository mirroring section that follows.
Migrating to IDMS objects does not require a cluster reboot.

NOTE

If your cluster uses an ImageDigestMirrorSet, ImageTagMirrorSet, or

ImageContentSourcePolicy object to configure repository mirroring, you can use only
global pull secrets for mirrored registries. You cannot add a pull secret to a project.

6.4.5.1. Configuring image registry repository mirroring

You can create postinstallation mirror configuration custom resources (CR) to redirect image pull
requests from a source image registry to a mirrored image registry.

Prerequisites

152
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

Access to the cluster as a user with the cluster-admin role.

Procedure

1. Configure mirrored repositories, by either:

Setting up a mirrored repository with Red Hat Quay, as described in Red Hat Quay
Repository Mirroring. Using Red Hat Quay allows you to copy images from one repository to
another and also automatically sync those repositories repeatedly over time.

Using a tool such as skopeo to copy images manually from the source repository to the
mirrored repository.
For example, after installing the skopeo RPM package on a Red Hat Enterprise Linux
(RHEL) 7 or RHEL 8 system, use the skopeo command as shown in this example:

$ skopeo copy --all \

docker://registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:5cf... \
docker://example.io/example/ubi-minimal

In this example, you have a container image registry that is named example.io with an
image repository named example to which you want to copy the ubi9/ubi-minimal image
from registry.access.redhat.com. After you create the mirrored registry, you can configure
your OpenShift Container Platform cluster to redirect requests made of the source
repository to the mirrored repository.

2. Create a postinstallation mirror configuration CR, by using one of the following examples:

Create an ImageDigestMirrorSet or ImageTagMirrorSet CR, as needed, replacing the

source and mirrors with your own registry and repository pairs and images:

apiVersion: config.openshift.io/v1 1
kind: ImageDigestMirrorSet 2
metadata:
name: ubi9repo
spec:
imageDigestMirrors: 3
- mirrors:
- example.io/example/ubi-minimal 4
- example.com/example/ubi-minimal 5
source: registry.access.redhat.com/ubi9/ubi-minimal 6
mirrorSourcePolicy: AllowContactingSource 7
- mirrors:
- mirror.example.com/redhat
source: registry.example.com/redhat 8
mirrorSourcePolicy: AllowContactingSource
- mirrors:
- mirror.example.com
source: registry.example.com 9
mirrorSourcePolicy: AllowContactingSource
- mirrors:
- mirror.example.net/image
source: registry.example.com/example/myimage 10
mirrorSourcePolicy: AllowContactingSource
- mirrors:

153
OpenShift Container Platform 4.17 Disconnected environments

- mirror.example.net
source: registry.example.com/example 11
mirrorSourcePolicy: AllowContactingSource
- mirrors:
- mirror.example.net/registry-example-com
source: registry.example.com 12
mirrorSourcePolicy: AllowContactingSource

1 Indicates the API to use with this CR. This must be config.openshift.io/v1.

2 Indicates the kind of object according to the pull type:

ImageDigestMirrorSet: Pulls a digest reference image.

ImageTagMirrorSet: Pulls a tag reference image.

3 Indicates the type of image pull method, either:

imageDigestMirrors: Use for an ImageDigestMirrorSet CR.

imageTagMirrors: Use for an ImageTagMirrorSet CR.

4 Indicates the name of the mirrored image registry and repository.

5 Optional: Indicates a secondary mirror repository for each target repository. If one
mirror is down, the target repository can use the secondary mirror.

6 Indicates the registry and repository source, which is the repository that is referred to
in an image pull specification.

7 Optional: Indicates the fallback policy if the image pull fails:

AllowContactingSource: Allows continued attempts to pull the image from the

source repository. This is the default.

NeverContactSource: Prevents continued attempts to pull the image from the

source repository.

8 Optional: Indicates a namespace inside a registry, which allows you to use any image in
that namespace. If you use a registry domain as a source, the object is applied to all
repositories from the registry.

9 Optional: Indicates a registry, which allows you to use any image in that registry. If you
specify a registry name, the object is applied to all repositories from a source registry
to a mirror registry.

10 Pulls the image registry.example.com/example/myimage@sha256:… from the

mirror mirror.example.net/image@sha256:...

11 Pulls the image registry.example.com/example/image@sha256:… in the source

registry namespace from the mirror mirror.example.net/image@sha256:….

12 Pulls the image registry.example.com/myimage@sha256 from the mirror registry

example.net/registry-example-com/myimage@sha256:….

Create an ImageContentSourcePolicy custom resource, replacing the source and mirrors

154
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

Create an ImageContentSourcePolicy custom resource, replacing the source and mirrors

with your own registry and repository pairs and images:

1 Specifies the name of the mirror image registry and repository.

2 Specifies the online registry and repository containing the content that is mirrored.

3. Create the new object:

$ oc create -f registryrepomirror.yaml

After the object is created, the Machine Config Operator (MCO) drains the nodes for
ImageTagMirrorSet objects only. The MCO does not drain the nodes for
ImageDigestMirrorSet and ImageContentSourcePolicy objects.

4. To check that the mirrored configuration settings are applied, do the following on one of the
nodes.

a. List your nodes:

$ oc get node

Example output

NAME STATUS ROLES AGE VERSION

ip-10-0-137-44.ec2.internal Ready worker 7m v1.30.3
ip-10-0-138-148.ec2.internal Ready master 11m v1.30.3
ip-10-0-139-122.ec2.internal Ready master 11m v1.30.3
ip-10-0-147-35.ec2.internal Ready worker 7m v1.30.3
ip-10-0-153-12.ec2.internal Ready worker 7m v1.30.3
ip-10-0-154-10.ec2.internal Ready master 11m v1.30.3

b. Start the debugging process to access the node:

$ oc debug node/ip-10-0-147-35.ec2.internal

Example output

Starting pod/ip-10-0-147-35ec2internal-debug ...

To use host binaries, run `chroot /host`

155
OpenShift Container Platform 4.17 Disconnected environments

c. Change your root directory to /host:

sh-4.2# chroot /host

d. Check the /etc/containers/registries.conf file to make sure the changes were made:

sh-4.2# cat /etc/containers/registries.conf

The following output represents a registries.conf file where postinstallation mirror

configuration CRs were applied. The final two entries are marked digest-only and tag-only
respectively.

Example output

unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]

short-name-mode = ""

[[registry]]
prefix = ""
location = "registry.access.redhat.com/ubi9/ubi-minimal" 1

[[registry.mirror]]
location = "example.io/example/ubi-minimal" 2
pull-from-mirror = "digest-only" 3

[[registry.mirror]]
location = "example.com/example/ubi-minimal"
pull-from-mirror = "digest-only"

[[registry]]
prefix = ""
location = "registry.example.com"

[[registry.mirror]]
location = "mirror.example.net/registry-example-com"
pull-from-mirror = "digest-only"

[[registry]]
prefix = ""
location = "registry.example.com/example"

[[registry.mirror]]
location = "mirror.example.net"
pull-from-mirror = "digest-only"

[[registry]]
prefix = ""
location = "registry.example.com/example/myimage"

[[registry.mirror]]
location = "mirror.example.net/image"
pull-from-mirror = "digest-only"

[[registry]]
prefix = ""

156
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

location = "registry.example.com"

[[registry.mirror]]
location = "mirror.example.com"
pull-from-mirror = "digest-only"

[[registry]]
prefix = ""
location = "registry.example.com/redhat"

[[registry.mirror]]
location = "mirror.example.com/redhat"
pull-from-mirror = "digest-only"
[[registry]]
prefix = ""
location = "registry.access.redhat.com/ubi9/ubi-minimal"
blocked = true 4

[[registry.mirror]]
location = "example.io/example/ubi-minimal-tag"
pull-from-mirror = "tag-only" 5

1 Indicates the repository that is referred to in a pull spec.

2 Indicates the mirror for that repository.

3 Indicates that the image pull from the mirror is a digest reference image.

4 Indicates that the NeverContactSource parameter is set for this repository.

5 Indicates that the image pull from the mirror is a tag reference image.

e. Pull an image to the node from the source and check if it is resolved by the mirror.

sh-4.2# podman pull --log-level=debug registry.access.redhat.com/ubi9/ubi-

minimal@sha256:5cf...

Troubleshooting repository mirroring

If the repository mirroring procedure does not work as described, use the following information about
how repository mirroring works to help troubleshoot the problem.

The first working mirror is used to supply the pulled image.

The main registry is only used if no other mirror works.

From the system context, the Insecure flags are used as fallback.

The format of the /etc/containers/registries.conf file has changed recently. It is now version 2
and in TOML format.

6.4.5.2. Converting ImageContentSourcePolicy (ICSP) files for image registry repository

mirroring

Using an ImageContentSourcePolicy (ICSP) object to configure repository mirroring is a deprecated

157
OpenShift Container Platform 4.17 Disconnected environments

feature. This functionality is still included in OpenShift Container Platform and continues to be
supported; however, it will be removed in a future release of this product and is not recommended for
new deployments.

ICSP objects are being replaced by ImageDigestMirrorSet and ImageTagMirrorSet objects to

configure repository mirroring. If you have existing YAML files that you used to create
ImageContentSourcePolicy objects, you can use the oc adm migrate icsp command to convert those
files to an ImageDigestMirrorSet YAML file. The command updates the API to the current version,
changes the kind value to ImageDigestMirrorSet, and changes spec.repositoryDigestMirrors to
spec.imageDigestMirrors. The rest of the file is not changed.

Because the migration does not change the registries.conf file, the cluster does not need to reboot.

For more information about ImageDigestMirrorSet or ImageTagMirrorSet objects, see "Configuring

image registry repository mirroring" in the previous section.

Prerequisites

Access to the cluster as a user with the cluster-admin role.

Ensure that you have ImageContentSourcePolicy objects on your cluster.

Procedure

1. Use the following command to convert one or more ImageContentSourcePolicy YAML files to
an ImageDigestMirrorSet YAML file:

$ oc adm migrate icsp <file_name>.yaml <file_name>.yaml <file_name>.yaml --dest-dir

<path_to_the_directory>

where:

<file_name>
Specifies the name of the source ImageContentSourcePolicy YAML. You can list multiple
file names.
--dest-dir
Optional: Specifies a directory for the output ImageDigestMirrorSet YAML. If unset, the file
is written to the current directory.

For example, the following command converts the icsp.yaml and icsp-2.yaml file and saves the
new YAML files to the idms-files directory.

$ oc adm migrate icsp icsp.yaml icsp-2.yaml --dest-dir idms-files

Example output

wrote ImageDigestMirrorSet to idms-

files/imagedigestmirrorset_ubi8repo.5911620242173376087.yaml
wrote ImageDigestMirrorSet to idms-
files/imagedigestmirrorset_ubi9repo.6456931852378115011.yaml

2. Create the CR object by running the following command:

158
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

$ oc create -f <path_to_the_directory>/<file-name>.yaml

where:

<path_to_the_directory>
Specifies the path to the directory, if you used the --dest-dir flag.
<file_name>
Specifies the name of the ImageDigestMirrorSet YAML.

3. Remove the ICSP objects after the IDMS objects are rolled out.

6.4.6. Widening the scope of the mirror image catalog to reduce the frequency of
cluster node reboots
You can scope the mirrored image catalog at the repository level or the wider registry level. A widely
scoped ImageContentSourcePolicy resource reduces the number of times the nodes need to reboot
in response to changes to the resource.

To widen the scope of the mirror image catalog in the ImageContentSourcePolicy resource, perform
the following procedure.

Prerequisites

Install the OpenShift Container Platform CLI oc.

Log in as a user with cluster-admin privileges.

Configure a mirrored image catalog for use in your disconnected cluster.

Procedure

1. Run the following command, specifying values for <local_registry>, <pull_spec>, and
<pull_secret_file>:

$ oc adm catalog mirror <local_registry>/<pull_spec> <local_registry> -a <pull_secret_file> --

icsp-scope=registry

where:

<local_registry>
is the local registry you have configured for your disconnected cluster, for example,
local.registry:5000.
<pull_spec>
is the pull specification as configured in your disconnected registry, for example,
redhat/redhat-operator-index:v4.17
<pull_secret_file>
is the registry.redhat.io pull secret in .json file format. You can download the pull secret
from Red Hat OpenShift Cluster Manager.

The oc adm catalog mirror command creates a /redhat-operator-index-manifests directory

and generates imageContentSourcePolicy.yaml, catalogSource.yaml, and mapping.txt files.

159
OpenShift Container Platform 4.17 Disconnected environments

2. Apply the new ImageContentSourcePolicy resource to the cluster:

$ oc apply -f imageContentSourcePolicy.yaml

Verification

Verify that oc apply successfully applied the change to ImageContentSourcePolicy:

$ oc get ImageContentSourcePolicy -o yaml

Example output

apiVersion: v1
items:
- apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |

{"apiVersion":"operator.openshift.io/v1alpha1","kind":"ImageContentSourcePolicy","metadata":
{"annotations":{},"name":"redhat-operator-index"},"spec":{"repositoryDigestMirrors":
[{"mirrors":["local.registry:5000"],"source":"registry.redhat.io"}]}}
...

After you update the ImageContentSourcePolicy resource, OpenShift Container Platform deploys the
new settings to each node and the cluster starts using the mirrored repository for requests to the
source repository.

6.4.7. Additional resources

Using Operator Lifecycle Manager in disconnected environments

Machine Config Overview

6.5. UNINSTALLING THE OPENSHIFT UPDATE SERVICE FROM A

CLUSTER
To remove a local copy of the OpenShift Update Service (OSUS) from your cluster, you must first delete
the OSUS application and then uninstall the OSUS Operator.

6.5.1. Deleting an OpenShift Update Service application

You can delete an OpenShift Update Service application by using the OpenShift Container Platform
web console or CLI.

6.5.1.1. Deleting an OpenShift Update Service application by using the web console

You can use the OpenShift Container Platform web console to delete an OpenShift Update Service
application by using the OpenShift Update Service Operator.

Prerequisites

160
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

The OpenShift Update Service Operator has been installed.

Procedure

1. In the web console, click Operators → Installed Operators.

2. Choose OpenShift Update Service from the list of installed Operators.

3. Click the Update Service tab.

4. From the list of installed OpenShift Update Service applications, select the application to be
deleted and then click Delete UpdateService.

5. From the Delete UpdateService? confirmation dialog, click Delete to confirm the deletion.

6.5.1.2. Deleting an OpenShift Update Service application by using the CLI

You can use the OpenShift CLI (oc) to delete an OpenShift Update Service application.

Procedure

1. Get the OpenShift Update Service application name using the namespace the OpenShift
Update Service application was created in, for example, openshift-update-service:

$ oc get updateservice -n openshift-update-service

Example output

NAME AGE
service 6s

2. Delete the OpenShift Update Service application using the NAME value from the previous step
and the namespace the OpenShift Update Service application was created in, for example,
openshift-update-service:

$ oc delete updateservice service -n openshift-update-service

Example output

updateservice.updateservice.operator.openshift.io "service" deleted

6.5.2. Uninstalling the OpenShift Update Service Operator

You can uninstall the OpenShift Update Service Operator by using the OpenShift Container Platform
web console or CLI.

6.5.2.1. Uninstalling the OpenShift Update Service Operator by using the web console

You can use the OpenShift Container Platform web console to uninstall the OpenShift Update Service
Operator.

Prerequisites

161
OpenShift Container Platform 4.17 Disconnected environments

All OpenShift Update Service applications have been deleted.

Procedure

1. In the web console, click Operators → Installed Operators.

2. Select OpenShift Update Service from the list of installed Operators and click Uninstall
Operator.

3. From the Uninstall Operator? confirmation dialog, click Uninstall to confirm the uninstallation.

6.5.2.2. Uninstalling the OpenShift Update Service Operator by using the CLI

You can use the OpenShift CLI (oc) to uninstall the OpenShift Update Service Operator.

Prerequisites

All OpenShift Update Service applications have been deleted.

Procedure

1. Change to the project containing the OpenShift Update Service Operator, for example,
openshift-update-service:

$ oc project openshift-update-service

Example output

Now using project "openshift-update-service" on server "https://example.com:6443".

2. Get the name of the OpenShift Update Service Operator operator group:

$ oc get operatorgroup

Example output

NAME AGE
openshift-update-service-fprx2 4m41s

3. Delete the operator group, for example, openshift-update-service-fprx2:

$ oc delete operatorgroup openshift-update-service-fprx2

Example output

operatorgroup.operators.coreos.com "openshift-update-service-fprx2" deleted

4. Get the name of the OpenShift Update Service Operator subscription:

$ oc get subscription

Example output

162
CHAPTER 6. UPDATING A CLUSTER IN A DISCONNECTED ENVIRONMENT

NAME PACKAGE SOURCE CHANNEL

update-service-operator update-service-operator updateservice-index-catalog v1

5. Using the Name value from the previous step, check the current version of the subscribed
OpenShift Update Service Operator in the currentCSV field:

$ oc get subscription update-service-operator -o yaml | grep " currentCSV"

Example output

currentCSV: update-service-operator.v0.0.1

6. Delete the subscription, for example, update-service-operator:

$ oc delete subscription update-service-operator

Example output

subscription.operators.coreos.com "update-service-operator" deleted

7. Delete the CSV for the OpenShift Update Service Operator using the currentCSV value from
the previous step:

$ oc delete clusterserviceversion update-service-operator.v0.0.1

Example output

clusterserviceversion.operators.coreos.com "update-service-operator.v0.0.1" deleted

163

Common questions

The challenges associated with mirroring OpenShift Container Platform Extended Update Support (EUS) versions using the oc-mirror plugin include needing to explicitly account for intermediate minor version images, as these are sometimes not automatically detected by the plugin for updates between EUS versions . Users must refer to the OpenShift Update Graph to verify intermediate versions and include them in their ImageSetConfiguration . Additionally, there is a need to verify that the complete image set specified in the configuration file is accurately mirrored, as failures at any step require starting the mirroring process over without automatic detection . Strategies to address these challenges involve creating a detailed image set configuration file that includes all necessary images and dependencies . Users must also regularly update the configuration to ensure the mirror registry aligns with the latest releases and conduct dry runs where possible to preempt issues . Furthermore, ensuring the oc-mirror plugin is installed and configured correctly, with a high-availability setup for the mirror registry, is crucial to avoid disruptions .

Setting up a partially disconnected environment for OpenShift Container Platform using the oc-mirror plugin involves several key steps and challenges. First, an image set configuration file must be created to specify the content to be mirrored, allowing selective inclusion of necessary releases and Operators . The mirroring process can be direct to the target registry or through a disk transfer approach, which involves saving the image set to a disk, transferring it to the target environment, and then uploading it to the target mirror registry . The oc-mirror plugin supports OpenShift Container Platform versions 4.12 and later, with specific requirements for architectures like aarch64 and ppc64le, where support begins from version 4.14 . Challenges include ensuring access to a target mirror registry, which must be maintained in a highly available manner , and managing updates, which require repeating the mirroring process to include new content since the last update . Configuration must be precise, as the plugin does not automatically manage dependencies or pruning, which means any required intermediate version or dependences must be explicitly included . Finally, setting up and modifying cluster configurations to use mirrored resources generated by the oc-mirror plugin, such as ImageDigestMirrorSet and ImageTagMirrorSet resources, is necessary for cluster operation within a disconnected environment .

To secure access when logging into the mirror registry for Red Hat OpenShift, it's recommended to configure your system to trust the generated root CA certificates to avoid using the --tls-verify=false flag. This involves managing SSL connections properly, as described in the guides for using SSL to protect Red Hat Quay connections and configuring system certificate authorities .

The workflow for creating and deploying an OpenShift Update Service (OSUS) graph data container image in a disconnected environment involves several steps: 1. **Operator Installation**: Install the OpenShift Update Service Operator by first creating the necessary namespaces and operator groups. For a disconnected cluster, use the custom CatalogSource object you configured during the Operator Lifecycle Manager setup . 2. **Create Graph Data Image**: Develop the graph data container image from a Dockerfile, which includes fetching the graph data. Use the image build tools 'docker' or 'podman' to build and tag this image locally . 3. **Push Image to Accessible Repository**: Push the newly created graph data container image to a repository that is accessible within the disconnected network, ensuring the OSUS has access to it. Use `oc image mirror` for transferring the local image to the repository in the disconnected environment . 4. **Create and Configure OSUS Application**: Deploy the OSUS application using the OpenShift web console or CLI. During the setup, specify the graph data image you created, ensure it is correctly linked in the application's configuration, and set up any necessary repository and release configurations for your disconnected environment . 5. **Verify Application**: Confirm the OSUS application is running correctly by checking the application resources' status through the OpenShift web console or CLI commands . 6. **Update CVO**: If updating the Cluster Version Operator is required, ensure it pulls graph data from the locally configured OSUS in your disconnected environment .

To uninstall the OpenShift Update Service Operator from a cluster, follow these steps: Firstly, ensure all OpenShift Update Service applications have been deleted . Using the OpenShift web console, navigate to Operators → Installed Operators, select the OpenShift Update Service, and click Uninstall Operator. Confirm the uninstallation when prompted . Alternatively, using the CLI, switch to the project containing the OpenShift Update Service Operator and delete the operator group and subscription, followed by deleting the Cluster Service Version (CSV) for the operator . This uninstallation might be necessary if the service is no longer needed, doesn't comply with environment regulations, or needs replacement with a different update mechanism ."}

To mirror an image set in a fully disconnected environment using the oc-mirror plugin, follow these steps: 1. Create an image set configuration file to specify the necessary OpenShift releases and Operators, minimizing data transfer . 2. Use the oc-mirror plugin to mirror the image set to disk by specifying the file path where the image set will be stored . This involves running the oc-mirror command with the appropriate configuration . 3. Transfer the generated .tar image set file to the disconnected environment . 4. Mirror the image set from the disk to the target mirror registry . This requires using the oc-mirror command to read the contents of the image set .tar file and upload them to the registry . 5. Apply the generated YAML files for ImageContentSourcePolicy, CatalogSource, and other resources to configure your OpenShift cluster to use the new mirror registry . Important considerations include ensuring the initial setup of the image set configuration file, maintaining the same storage backend, avoiding modification of oc-mirror metadata, and ensuring the cluster admin role is used when applying resources . Keeping the mirror registry updated is also crucial, which involves rerunning the oc-mirror plugin with the latest requirements as necessary ."}

In disconnected environments, the ImageContentSourcePolicy (ICSP) resource is crucial for directing OpenShift Container Platform clusters to use mirrored registries for pulling container images instead of external registries. This ensures that the cluster can function independently from external Internet connections. The procedure starts by creating an `imageContentSourcePolicy.yaml` file, which defines alternative image sources, specifying the mirrored repository in place of the original registry . This file is then applied using the `oc apply` command, deploying the new policy across the cluster nodes. The cluster begins using the mirrored registries specified in the ICSP, providing resilience to registry downtimes and maintaining operational integrity . This process guarantees that during updates, the cluster retrieves and trusts image sources from the local mirrored registry, essential in environments with limited or no internet access. It also plays a role in ensuring image signing integrity by working in conjunction with image signature verification mechanisms. The setup helps to keep clusters secure and consistent by ensuring the images have not been tampered with during transit .

The process to update the mirror registry for Red Hat OpenShift from the local host involves using the upgrade command. Specifically, you must use the `~/mirror-registry upgrade -v` command. When upgrading from version 1 to version 2, there are key constraints to consider: 1. The worker count is set to 1 because SQLite does not allow multiple writes . 2. Avoid using the mirror registry user interface during the upgrade. 3. Do not access the sqlite-storage Podman volume during the upgrade to prevent potential data corruption. 4. There will be intermittent downtime as the registry restarts during the upgrade process. 5. PostgreSQL data is backed up under the `$HOME/quay-install/quay-postgres-backup/` directory for recovery . Ensure you use the same credentials as when creating the mirror registry, including the quayHostname and quayRoot flags, if specified during the initial setup .

To verify an operator installation in a disconnected OpenShift environment, ensure that the OpenShift CLI (oc) applies changes successfully to resources like ImageContentSourcePolicy, and verify that the OpenShift Update Service (OSUS) has been correctly configured and installed to support updates . The OSUS allows clusters in disconnected environments to receive update recommendations using mirrored data, simulating a connected environment update experience . This involves creating a local graph data container image and setting up the Cluster Version Operator to use it . The OSUS enables the management of updates similarly to connected clusters by providing a localized instance capable of serving update recommendations, crucial for maintaining service integrity in environments lacking internet access ."}

Key prerequisites for installing a mirror registry for Red Hat OpenShift on a local host include having a Red Hat Enterprise Linux (RHEL) machine available and using local storage supported by RHEL . The installation requires at least 2 vCPUs, 8 GB of RAM, and significant storage space (up to 1 TB recommended per stream). Additionally, the mirror registry CLI tool, mirror-registry, must be used to create a local installation directory ($HOME/quay-install), and trusted SSH keys are automatically generated for local installs . During installation, an initial user with an automatically generated password is created, and systemd files are configured to ensure container runtimes are persistent . Considerations involve being aware that the mirror registry is not a production-grade solution like Red Hat Quay and is only supported for specific image hosting necessary for a disconnected OpenShift environment . User-generated content should not be hosted on this mirror registry, and it is advised to use this mirror to initially install a cluster that can then support a full Red Hat Quay deployment for broader use .

OpenShift Container Platform 4.17 Disconnected Environments
No ratings yet
OpenShift Container Platform 4.17 Disconnected Environments
165 pages
OpenShift Container Platform 3.5 Administrator Solutions en US
No ratings yet
OpenShift Container Platform 3.5 Administrator Solutions en US
55 pages
01 OpenShift Container Platform 3.11 Getting Started en US
No ratings yet
01 OpenShift Container Platform 3.11 Getting Started en US
26 pages
Openshift Container Platform 4.15 Installing en Us
100% (1)
Openshift Container Platform 4.15 Installing en Us
3,702 pages
OpenShift Cluster Manager
No ratings yet
OpenShift Cluster Manager
60 pages
OpenShift - Container - Platform 3.9 Cluster - Administration en US
No ratings yet
OpenShift - Container - Platform 3.9 Cluster - Administration en US
334 pages
OpenShift - Container - Platform 4.14 About en US
No ratings yet
OpenShift - Container - Platform 4.14 About en US
30 pages
Openshift Container Platform 4.3: Updating Clusters
No ratings yet
Openshift Container Platform 4.3: Updating Clusters
32 pages
OpenShift - Container - Platform 4.17 Installation - Overview en US
No ratings yet
OpenShift - Container - Platform 4.17 Installation - Overview en US
43 pages
OpenShift Container Platform 3.5 Creating Images en US
No ratings yet
OpenShift Container Platform 3.5 Creating Images en US
44 pages
OpenShift - Container - Platform 4.15 About en US
No ratings yet
OpenShift - Container - Platform 4.15 About en US
15 pages
OpenShift - Container - Platform 4.14 Installation - Overview en US
No ratings yet
OpenShift - Container - Platform 4.14 Installation - Overview en US
39 pages
OpenShift - Container - Platform 3.11 Cluster - Administration en US PDF
No ratings yet
OpenShift - Container - Platform 3.11 Cluster - Administration en US PDF
390 pages
OpenShift - Container - Platform 4.18 About en US
No ratings yet
OpenShift - Container - Platform 4.18 About en US
28 pages
OpenShift Container Platform-3.9-Installation and Configuration-en-US PDF
No ratings yet
OpenShift Container Platform-3.9-Installation and Configuration-en-US PDF
673 pages
Openshift Cluster Manager 2021: Managing Clusters
No ratings yet
Openshift Cluster Manager 2021: Managing Clusters
43 pages
Openshift Container Platform 4.13 Release Notes en Us
No ratings yet
Openshift Container Platform 4.13 Release Notes en Us
73 pages
OpenShift Container Platform
No ratings yet
OpenShift Container Platform
669 pages
Openshift Container Platform 4.6: Architecture
No ratings yet
Openshift Container Platform 4.6: Architecture
48 pages
OpenShift Container Platform 4.17 Installing On Nutanix
No ratings yet
OpenShift Container Platform 4.17 Installing On Nutanix
96 pages
OpenShift Container Platform 4.5 Installing en US
No ratings yet
OpenShift Container Platform 4.5 Installing en US
1,553 pages
Openshift Container Platform 4.3: Release Notes
No ratings yet
Openshift Container Platform 4.3: Release Notes
35 pages
OpenShift Container Platform 4.17 Installing On Any Platform
No ratings yet
OpenShift Container Platform 4.17 Installing On Any Platform
73 pages
Openshift Container Platform 4.13 Architecture en Us
No ratings yet
Openshift Container Platform 4.13 Architecture en Us
83 pages
OpenShift - Container - Platform 4.17 Architecture en US
No ratings yet
OpenShift - Container - Platform 4.17 Architecture en US
72 pages
Openshift Container Platform 4.4: Installing
100% (1)
Openshift Container Platform 4.4: Installing
42 pages
OpenShift - Container - Platform 4.6 OpenShift - Virtualization en US
No ratings yet
OpenShift - Container - Platform 4.6 OpenShift - Virtualization en US
257 pages
OpenShift - Container - Platform 4.18 Architecture en US
No ratings yet
OpenShift - Container - Platform 4.18 Architecture en US
73 pages
OpenShift - Container - Platform 4.16 Release - Notes en US
No ratings yet
OpenShift - Container - Platform 4.16 Release - Notes en US
123 pages
Openshift Container Platform 4.13 Updating Clusters en Us CL
No ratings yet
Openshift Container Platform 4.13 Updating Clusters en Us CL
162 pages
Openshift - Container - Platform 4.15 Architecture en Us
No ratings yet
Openshift - Container - Platform 4.15 Architecture en Us
87 pages
Openshift - Container - Platform 4.6 Architecture en Us
No ratings yet
Openshift - Container - Platform 4.6 Architecture en Us
60 pages
Openshift - Container - Platform 4.14 Architecture en Us
No ratings yet
Openshift - Container - Platform 4.14 Architecture en Us
85 pages
OpenShift Container Platform 3.7 Installation and Configuration en US
0% (1)
OpenShift Container Platform 3.7 Installation and Configuration en US
651 pages
OpenShift Container Platform 4.17 About en US
No ratings yet
OpenShift Container Platform 4.17 About en US
27 pages
Red Hat OpenShift Container Platform
No ratings yet
Red Hat OpenShift Container Platform
5 pages
Openshiftmgmt
No ratings yet
Openshiftmgmt
8 pages
Openshift Container Platform 4.5 Installing On Aws en Us
No ratings yet
Openshift Container Platform 4.5 Installing On Aws en Us
301 pages
Openshift Container Platform 4.13 Getting Started en Us
No ratings yet
Openshift Container Platform 4.13 Getting Started en Us
42 pages
OpenShift - Container - Platform 4.17 Release - Notes en US
No ratings yet
OpenShift - Container - Platform 4.17 Release - Notes en US
78 pages
OpenShift - Container - Platform 4.3 CLI - Tools en US
No ratings yet
OpenShift - Container - Platform 4.3 CLI - Tools en US
76 pages
Red Hat Openshift Container Storage 4.6
No ratings yet
Red Hat Openshift Container Storage 4.6
39 pages
Openshift - Container - Platform 4.11 Architecture en Us
No ratings yet
Openshift - Container - Platform 4.11 Architecture en Us
72 pages
OpenShift Container Platform 4.17 Support en US
No ratings yet
OpenShift Container Platform 4.17 Support en US
162 pages
Openshift - Container - Platform 4.12 Getting - Started en Us
100% (1)
Openshift - Container - Platform 4.12 Getting - Started en Us
41 pages
Openshift - Introduction
No ratings yet
Openshift - Introduction
23 pages
OpenShift Container Platform-4.6-Installing On Azure-en-US
No ratings yet
OpenShift Container Platform-4.6-Installing On Azure-en-US
199 pages
Openshift - Container - Platform 4.15 Cli - Tools en Us
No ratings yet
Openshift - Container - Platform 4.15 Cli - Tools en Us
143 pages
Openshift - Container - Platform 4.13 Support en Us
No ratings yet
Openshift - Container - Platform 4.13 Support en Us
140 pages
OpenShift Container Platform-4.6-Installing On GCP-en-US
No ratings yet
OpenShift Container Platform-4.6-Installing On GCP-en-US
248 pages
Red Hat OpenStack Services On OpenShift-18.0-Deploying Red Hat OpenStack Services On OpenShift-en-US
No ratings yet
Red Hat OpenStack Services On OpenShift-18.0-Deploying Red Hat OpenStack Services On OpenShift-en-US
76 pages
Openshift Container Platform 4.3: Architecture
No ratings yet
Openshift Container Platform 4.3: Architecture
37 pages
Openshift Container Platform 4.3: Architecture
No ratings yet
Openshift Container Platform 4.3: Architecture
36 pages
Openshift Container Platform-4.5-Installing On Bare Metal-En-Us
No ratings yet
Openshift Container Platform-4.5-Installing On Bare Metal-En-Us
134 pages
Container Security
No ratings yet
Container Security
37 pages
MCQ
100% (1)
MCQ
2 pages
B1 - Overlay Virtual Networking and SDDC
No ratings yet
B1 - Overlay Virtual Networking and SDDC
278 pages
Bi Directional Stream New
No ratings yet
Bi Directional Stream New
2 pages
Syncfusion Flutter Charts
No ratings yet
Syncfusion Flutter Charts
7 pages
Annual Plan of Activities For Computer Club SJKC Khiu Min
No ratings yet
Annual Plan of Activities For Computer Club SJKC Khiu Min
2 pages
JKSSB Finance Sub-Inspector Exam 2021
No ratings yet
JKSSB Finance Sub-Inspector Exam 2021
21 pages
Product Synthesis Domain Human Modeling Products: CATIA Version 5 Release 14
No ratings yet
Product Synthesis Domain Human Modeling Products: CATIA Version 5 Release 14
41 pages
Assignment Two
No ratings yet
Assignment Two
3 pages
Excel Course Manual LCBS S5
No ratings yet
Excel Course Manual LCBS S5
3 pages
Java Swing Guide for Beginners
No ratings yet
Java Swing Guide for Beginners
342 pages
UDF Mechanics
No ratings yet
UDF Mechanics
47 pages
Computer Arithmetic Overview
No ratings yet
Computer Arithmetic Overview
47 pages
Mock Test 2
No ratings yet
Mock Test 2
3 pages
QF - Artificial Intelligence Associate
No ratings yet
QF - Artificial Intelligence Associate
19 pages
Hyper-Personalize Digital Experiences
No ratings yet
Hyper-Personalize Digital Experiences
2 pages
Pin Configuration of 8086
No ratings yet
Pin Configuration of 8086
12 pages
Deutsche Bank's Blockchain Innovations
67% (3)
Deutsche Bank's Blockchain Innovations
3 pages
Data Guard Standby Database Guide
No ratings yet
Data Guard Standby Database Guide
32 pages
Re-Exam "Discrete: Optimization"
No ratings yet
Re-Exam "Discrete: Optimization"
5 pages
Mainframe Evaluation Guide
No ratings yet
Mainframe Evaluation Guide
4 pages
CX Simulator Folheto GC CS1-1
No ratings yet
CX Simulator Folheto GC CS1-1
2 pages
ProNest 8 Quick Start Guide
0% (1)
ProNest 8 Quick Start Guide
29 pages
OLCreate - Lecture 9 Quiz - Attempt Review - OLCreate
No ratings yet
OLCreate - Lecture 9 Quiz - Attempt Review - OLCreate
6 pages
t4 Pro
No ratings yet
t4 Pro
32 pages
Intro to S-DES Encryption
No ratings yet
Intro to S-DES Encryption
7 pages
Redux Cheat Sheet
No ratings yet
Redux Cheat Sheet
1 page
GeoKettle: Spatial ETL Tool Overview
No ratings yet
GeoKettle: Spatial ETL Tool Overview
75 pages
SAD10e Ch06 Solutions To Exercises
No ratings yet
SAD10e Ch06 Solutions To Exercises
42 pages
Exercises Solutions
No ratings yet
Exercises Solutions
128 pages
Intelligent Asset Management with SAP
No ratings yet
Intelligent Asset Management with SAP
31 pages