Mirroring OpenShift images from the internet into a local, disconnected registry is how OpenShift gets installed on networks that have no internet access. The required images are pulled once from the internet, transferred into the isolated network, and the installation then runs entirely against that local registry.
Besides making a disconnected installation possible at all, this has practical advantages. The images are served from the local registry, so the installer does not have to download them while it runs; on networks with limited or intermittent connectivity that download is slow and prone to interruptions.
Steps to follow
All the commands below should be run as the root user.
- Download the mirror-registry.tar.gz package from the following link:
https://mirror.openshift.com/pub/openshift-v4/clients/mirror-registry/1.3.11/
- Extract the package and install the mirror registry for Red Hat OpenShift on your local host with the mirror-registry tool it contains
./mirror-registry install --quayRoot /mirror-registry/quay-config --quayStorage /mirror-registry/storage --pgStorage /mirror-registry/pg-storage --initUser admin --initPassword "Password"
Replace "Password" with a strong password of your own: it is the admin credential for the registry, and because it is passed on the command line it is also recorded in the shell history.
- Once the mirror registry is installed, add the root CA it generated to the host trust store. Podman and oc-mirror then verify the registry's TLS certificate normally, which is what lets skipTLS stay false later in the imageset configuration.
cp /mirror-registry/quay-config/quay-rootCA/rootCA.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust
- Also remember to open the firewall port on the machine
firewall-cmd --add-port 8443/tcp --permanent
firewall-cmd --reload
- Install the oc-mirror plugin from the OpenShift console Downloads page, under OpenShift disconnected installation tools
a. tar xvzf oc-mirror.tar.gz
b. chmod +x oc-mirror
c. sudo mv oc-mirror /usr/local/bin/.
- Add the mirror-registry credentials to the pull secret
a. Download your pull secret from the Red Hat OpenShift Cluster Manager at
https://console.redhat.com/openshift/install/pull-secret
b. Run the following commands, using the password you set with --initPassword (a password given with -p is visible in the shell history and in the process list while the command runs)
```
jq . pull-secret.txt
mkdir -p $HOME/.docker
mv -v pull-secret.txt $HOME/.docker/config.json
podman login -u admin -p "Password" --authfile $HOME/.docker/config.json $(hostname -f):8443
```
Confirm the contents and create a backup. The merged file now carries credentials for the Red Hat registries and for the mirror, so keep it readable by root only.
```
jq . $HOME/.docker/config.json
cp -v $HOME/.docker/config.json ~/pull-secret.json
```
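The same merge done without a password on the command line, as an added example that is not part of the original page and not Red Hat tooling. It builds the docker config.json entry the way podman login does (base64 of user:password under auths[registry]), keeps the existing Red Hat registry entries, takes the registry password from the environment instead of argv, and writes the result with mode 0600. MIRROR_HOST, MIRROR_USER and MIRROR_PASSWORD are assumed variable names; the sample pull secret is constructed and contains no real token.

```python
"""Merge mirror-registry credentials into an OpenShift pull secret (added example)."""
import base64
import json
import os
from pathlib import Path


def auth_entry(username: str, password: str) -> dict:
    """A docker config.json 'auths' value: base64("user:password")."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auth": token}


def decode_auth(entry: dict) -> tuple:
    """Inverse of auth_entry, for checking what a config.json actually holds.

    Splits on the first colon only, so passwords containing ':' survive.
    """
    user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    return user, password


def merge_registry_auth(pull_secret: dict, registry: str,
                        username: str, password: str) -> dict:
    """Return a copy of pull_secret with credentials for `registry` added.

    The existing entries (cloud.openshift.com, registry.redhat.io, ...) are
    kept: oc-mirror needs the Red Hat registries and the mirror in one file.
    """
    merged = json.loads(json.dumps(pull_secret))  # deep copy, input untouched
    merged.setdefault("auths", {})[registry] = auth_entry(username, password)
    return merged


def registries_in(pull_secret: dict) -> list:
    """Registry hosts the pull secret carries credentials for, sorted."""
    return sorted(pull_secret.get("auths", {}))


def write_config(path: Path, secret: dict) -> None:
    """Write the merged secret readable by the owner only."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(secret, indent=2) + "\n")
    path.chmod(0o600)


# Constructed sample with the shape of a downloaded pull-secret.txt; fake tokens.
SAMPLE_PULL_SECRET = {
    "auths": {
        "cloud.openshift.com": {**auth_entry("openshift-release-dev+user", "fake-token"),
                                "email": "admin@example.com"},
        "registry.redhat.io": {**auth_entry("1234567|user", "fake-token"),
                               "email": "admin@example.com"},
    }
}


if __name__ == "__main__":
    # Assumed variable names; the password comes from the environment, not argv,
    # so it does not land in the shell history or the process list.
    host = os.environ.get("MIRROR_HOST", "mirror-registry.hostname") + ":8443"
    user = os.environ.get("MIRROR_USER", "admin")
    password = os.environ.get("MIRROR_PASSWORD")
    if not password:
        raise SystemExit("set MIRROR_PASSWORD to the --initPassword chosen at install")
    src = Path("pull-secret.txt")
    original = json.loads(src.read_text()) if src.exists() else SAMPLE_PULL_SECRET
    merged = merge_registry_auth(original, host, user, password)
    target = Path.home() / ".docker" / "config.json"
    write_config(target, merged)
    print("registries in", target, ":", registries_in(merged))
```

Run it as `MIRROR_PASSWORD=... python3 merge_pull_secret.py` in the directory holding pull-secret.txt; `jq . $HOME/.docker/config.json` afterwards should list the mirror host alongside the Red Hat registries.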
Create the imageset-config.yaml
- To create a default imageset-config.yaml run the following command
a. oc-mirror init --registry <mirror-registry.hostname>:8443/ocp | tee imageset-config.yaml
The resulting file looks like this; adjust the channel, catalog, packages and additional images for your environment:
```
kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
storageConfig:
  registry:
    imageURL: mirror-registry.hostname:8443/ocp
    skipTLS: false
mirror:
  platform:
    channels:
    - name: stable-4.16
      type: ocp
  operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.18
    packages:
    - name: serverless-operator
      channels:
      - name: stable
  additionalImages:
  - name: registry.redhat.io/ubi8/ubi:latest
  helm: {}
```
Note that in this example the platform channel (stable-4.16) and the operator catalog tag (v4.18) do not match; use the catalog whose tag matches the OpenShift version you are mirroring. skipTLS stays false because the registry's root CA was added to the trust store earlier.
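A small builder and linter for this file, as an added example that is not part of the original page and not oc-mirror code. It emits the configuration as JSON, on the assumption that oc-mirror parses the file as YAML and YAML accepts JSON documents, so no YAML library is needed; and it encodes three practitioner checks as assumptions of this example: the operator catalog tag should match the platform channel's minor version, skipTLS should stay false when the registry CA is trusted, and the storage registry should sit under the mirror you are writing to. The lint run in the test reproduces the 4.16 versus 4.18 mismatch from the page's own example.

```python
"""Build and sanity-check an oc-mirror ImageSetConfiguration (added example)."""
import json
import re


def build_imageset_config(registry: str, ocp_channel: str, catalog_tag: str,
                          packages, additional_images) -> dict:
    """Same shape as the page's imageset-config.yaml, as a plain dict."""
    return {
        "kind": "ImageSetConfiguration",
        "apiVersion": "mirror.openshift.io/v1alpha2",
        "storageConfig": {"registry": {"imageURL": registry, "skipTLS": False}},
        "mirror": {
            "platform": {"channels": [{"name": ocp_channel, "type": "ocp"}]},
            "operators": [{
                "catalog": f"registry.redhat.io/redhat/redhat-operator-index:{catalog_tag}",
                "packages": [{"name": p, "channels": [{"name": "stable"}]} for p in packages],
            }],
            "additionalImages": [{"name": img} for img in additional_images],
            "helm": {},
        },
    }


def minor_of_channel(channel: str):
    """'stable-4.16' -> '4.16'; None when the channel has no version suffix."""
    m = re.search(r"-(\d+\.\d+)$", channel)
    return m.group(1) if m else None


def minor_of_catalog(catalog: str):
    """'.../redhat-operator-index:v4.18' -> '4.18'; None for digests or untagged refs."""
    m = re.search(r":v(\d+\.\d+)$", catalog)
    return m.group(1) if m else None


def lint(config: dict, target_registry: str = None) -> list:
    """Return a list of warnings; an empty list means no issue found.

    The rules are this example's assumptions, not oc-mirror's own validation.
    """
    warnings = []
    mirror = config.get("mirror", {})
    platform_minors = {minor_of_channel(c["name"])
                       for c in mirror.get("platform", {}).get("channels", [])}
    platform_minors.discard(None)
    for op in mirror.get("operators", []):
        cat_minor = minor_of_catalog(op["catalog"])
        if cat_minor and platform_minors and cat_minor not in platform_minors:
            warnings.append(f"catalog {op['catalog']} is v{cat_minor} but platform "
                            f"channels are {sorted(platform_minors)}")
        if not op.get("packages"):
            warnings.append(f"catalog {op['catalog']} lists no packages: "
                            "the whole index would be mirrored")
    reg = config.get("storageConfig", {}).get("registry", {})
    if reg.get("skipTLS"):
        warnings.append("storageConfig.registry.skipTLS is true; trust the registry CA instead")
    if target_registry and not reg.get("imageURL", "").startswith(target_registry):
        warnings.append(f"storageConfig imageURL {reg.get('imageURL')} "
                        f"is not under {target_registry}")
    return warnings


def to_yaml_document(config: dict) -> str:
    """JSON text is a valid YAML document, so this is what gets written to disk."""
    return json.dumps(config, indent=2) + "\n"


if __name__ == "__main__":
    cfg = build_imageset_config("mirror-registry.hostname:8443/ocp", "stable-4.16", "v4.18",
                                ["serverless-operator"], ["registry.redhat.io/ubi8/ubi:latest"])
    for w in lint(cfg, "mirror-registry.hostname:8443"):
        print("WARNING:", w)
    with open("imageset-config.yaml", "w") as fh:
        fh.write(to_yaml_document(cfg))
```

Running it writes imageset-config.yaml and prints one warning for the example's catalog/channel mismatch; change the catalog tag to v4.16 and the lint is clean.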
Some examples for imageset-config.yaml
- imageset config with a few sets of operators and two versions of OCP
https://raw.githubusercontent.com/rh-telco-tigers/mirror-registry/refs/heads/main/imageset-config-with-operator-helm.yaml
- imageset config with all operators
https://raw.githubusercontent.com/rh-telco-tigers/mirror-registry/refs/heads/main/imageset-config-allops.yaml
- imageset config with just one operator
https://raw.githubusercontent.com/rh-telco-tigers/mirror-registry/refs/heads/main/imageset-config-gitops-operator.yaml
Run the oc-mirror command
Once you have created your imageset-config file it is time to start the mirroring process. Run the following command:
oc-mirror --config imageset-config.yaml docker://mirror-registry.hostname:8443/ocp
A successful run ends with the "Writing ..." lines below. If the "Writing manifests" output is missing, the oc-mirror command did not complete and the registry should not be treated as fully populated.
```
...
Writing image mapping to oc-mirror-workspace/results-1725721677/mapping.txt
Writing CatalogSource manifests to oc-mirror-workspace/results-1725721677
Writing ICSP manifests to oc-mirror-workspace/results-1725721677
```
Updating the certificate to add the IP of the mirror registry
If there is no DNS in the environment, the registry certificate must also carry the registry's IP address as a subject alternative name, so that images can be pulled by IP as well as by hostname. The steps below regenerate the Quay server certificate from the root CA created at install time, so the CA already in the trust store keeps working.
- Open config.yaml in /mirror-registry/quay-config/quay-config/ and change SERVER_HOSTNAME to the IP
```
# cd /mirror-registry/quay-config/quay-config/
# cp config.yaml config.yaml.bkup
# vi config.yaml
```
```
# secret values generated by the installer are shown as <redacted>
AUTHENTICATION_TYPE: Database
BUILDLOGS_REDIS:
  host: localhost
  password: <redacted>
  port: 6379
DATABASE_SECRET_KEY: <redacted>
DB_URI: postgresql://user:<redacted>@localhost/quay
DEFAULT_TAG_EXPIRATION: 2w
DISTRIBUTED_STORAGE_DEFAULT_LOCATIONS: []
DISTRIBUTED_STORAGE_PREFERENCE:
- default
DISTRIBUTED_STORAGE_CONFIG:
  default:
  - LocalStorage
  - storage_path: /datastorage
ENTERPRISE_LOGO_URL: /static/img/quay-horizontal-color.svg
FEATURE_ACI_CONVERSION: false
FEATURE_ANONYMOUS_ACCESS: true
FEATURE_APP_REGISTRY: false
FEATURE_APP_SPECIFIC_TOKENS: true
FEATURE_BUILD_SUPPORT: false
FEATURE_CHANGE_TAG_EXPIRATION: true
FEATURE_DIRECT_LOGIN: true
FEATURE_PARTIAL_USER_AUTOCOMPLETE: true
FEATURE_REPO_MIRROR: true
FEATURE_MAILING: false
FEATURE_REQUIRE_TEAM_INVITE: true
FEATURE_RESTRICTED_V1_PUSH: true
FEATURE_SECURITY_NOTIFICATIONS: true
FEATURE_SECURITY_SCANNER: false
FEATURE_USERNAME_CONFIRMATION: true
FEATURE_USER_CREATION: true
FEATURE_USER_LOG_ACCESS: true
GITHUB_LOGIN_CONFIG: {}
GITHUB_TRIGGER_CONFIG: {}
GITLAB_TRIGGER_KIND: {}
LOGS_MODEL: database
LOGS_MODEL_CONFIG: {}
LOG_ARCHIVE_LOCATION: default
PREFERRED_URL_SCHEME: https
REGISTRY_TITLE: Red Hat Quay
REGISTRY_TITLE_SHORT: Red Hat Quay
REPO_MIRROR_SERVER_HOSTNAME: null
REPO_MIRROR_TLS_VERIFY: false
SECRET_KEY: <redacted>
SECURITY_SCANNER_ISSUER_NAME: security_scanner
SERVER_HOSTNAME: 192.168.50.13:8443   # <== change this to the registry IP
SETUP_COMPLETE: true
SUPER_USERS:
- admin
TAG_EXPIRATION_OPTIONS:
- 0s
- 1d
- 1w
- 2w
- 4w
TEAM_RESYNC_STALE_TIME: 60m
TESTING: false
USERFILES_LOCATION: default
USERFILES_PATH: userfiles/
USER_EVENTS_REDIS:
  host: localhost
  password: <redacted>
  port: 6379
USE_CDN: false
FEATURE_USER_INITIALIZE: true
CREATE_NAMESPACE_ON_PUSH: true
```
- Now edit openssl.cnf in the same location and add the IP address of the registry to the alt_names section
```
# cp openssl.cnf openssl.cnf.bkup
# vi openssl.cnf
```
```
[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CA
ST = On
L = Brampton
O = Quay
OU = Division
CN = kvm3.home.lab
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS = kvm3.home.lab
IP.1 = 192.168.50.13   # add the registry IP here
```
Keep the DNS entry alongside the new IP entry so the certificate stays valid for both names. The keyCertSign key usage is only meaningful for a CA certificate and is not needed on this server certificate; it is left as generated here.
- Now create a new certificate signed by the existing root CA
```
# mv ssl.csr ssl.csr.bkup
# mv ssl.cert ssl.cert.bkup
# openssl req -new -key ssl.key -out ssl.csr -reqexts v3_req -config openssl.cnf
# openssl req -in ssl.csr -noout -text
# openssl x509 -req -in ssl.csr -CA ../quay-rootCA/rootCA.pem -CAkey ../quay-rootCA/rootCA.key -CAcreateserial -out ssl.cert -days 730 -extensions v3_req -extfile openssl.cnf
# openssl x509 -in ssl.cert -text -noout
```
In the output of the last command, check that the X509v3 Subject Alternative Name line lists both the DNS name and the IP address; if the IP is missing, the -extfile/-extensions options were not applied and the certificate must be reissued.
- Restore the ACLs so the Quay container, which runs as UID 1001, can read the regenerated files, then restart the registry service (the quay-app systemd unit that mirror-registry installed) so it serves the new certificate
```
# find . -type f -exec setfacl -m user:1001:rw {} \;
# find . -type d -exec setfacl -m user:1001:rwx {} \;
```