Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 2. Mirroring container images for disconnected installations

You can use a custom container registry when you deploy MicroShift in an air-gapped network. Running your cluster in a restricted network without direct internet connectivity is possible by installing the cluster from a mirrored set of container images in a private registry.

Using a custom air-gapped container registry, or mirror, is necessary with certain user environments and workload requirements. Mirroring allows for the transfer of container images and updates to air-gapped environments where they can be installed on a MicroShift instance.

To create an air-gapped mirror registry for MicroShift containers, you must complete the following steps:

  • Get the container image list to be mirrored.
  • Configure the mirroring prerequisites.
  • Download images on a host with the internet access.
  • Copy the downloaded image directory to an air-gapped site.
  • Upload images to a mirror registry in an air-gapped site.
  • Configure your MicroShift hosts to use the mirror registry.

To use a mirror registry, you must know which container image references are used by a specific version of MicroShift. These references are provided in the release-<arch>.json files that are part of the microshift-release-info RPM package.

Prerequisites

  • You have installed jq.

Procedure

  1. Access the list of container image references by using one of the following methods:

    • If the package is installed on the MicroShift host, get the location of the files by running the following command: 

      $ rpm -ql microshift-release-info
      Copy to Clipboard Toggle word wrap

      Example output

      /usr/share/microshift/release/release-x86_64.json
      Copy to Clipboard Toggle word wrap

    • If the package is not installed on a MicroShift host, download and unpack the RPM package without installing it by running the following command: 

      $ rpm2cpio microshift-release-info*.noarch.rpm | cpio -idmv
      Copy to Clipboard Toggle word wrap

      Example output

      /usr/share/microshift/release/release-x86_64.json
      Copy to Clipboard Toggle word wrap

  2. Extract the list of container images into the microshift-container-refs.txt file by running the following commands: 

    $ RELEASE_FILE=/usr/share/microshift/release/release-$(uname -m).json
    Copy to Clipboard Toggle word wrap 
    $ jq -r '.images | .[]' ${RELEASE_FILE} > microshift-container-refs.txt
    Copy to Clipboard Toggle word wrap
Note

After the microshift-container-refs.txt file is created with the MicroShift container image list, you can append the file with other user-specific image references before running the mirroring procedure.

2.3. Configuring mirroring prerequisites
Copy link

You must create a container image registry credentials file that allows the mirroring of images from your internet-connected mirror host to your air-gapped mirror. Follow the instructions in the "Configuring credentials that allow images to be mirrored" link provided in the "Additional resources" section. These instructions guide you to create a ~/.pull-secret-mirror.json file on the mirror registry host that includes the user credentials for accessing the mirror.

2.3.1. Example mirror registry pull secret entry
Copy link

For example, the following section is added to the pull secret file for the microshift_quay:8443 mirror registry using microshift:microshift as username and password.

Example mirror registry section for pull secret file

"<microshift_quay:8443>": {
1 

    "auth": "<microshift_auth>",
2 

    "email": "<microshift_quay@example.com>"
3 

},
Copy to Clipboard Toggle word wrap

1
Replace the <registry_host>:<port> value microshift_quay:8443 with the host name and port of your mirror registry server.
2
Replace the <microshift_auth> value with the user password.
3
Replace the </microshift_quay@example.com> value with the user email.

2.4. Downloading container images
Copy link

After you have located the container list and completed the mirroring prerequisites, download the container images to a host with internet access.

Prerequisites

  • You are logged into a host with access to the internet.
  • You have ensured that the .pull-secret-mirror.json file and microshift-containers directory contents are available locally.

Procedure

  1. Install the skopeo tool used for copying the container images by running the following command: 

    $ sudo dnf install -y skopeo
    Copy to Clipboard Toggle word wrap

  2. Set the environment variable that points to the pull secret file: 

    $ PULL_SECRET_FILE=~/.pull-secret-mirror.json
    Copy to Clipboard Toggle word wrap

  3. Set the environment variable that points to the list of container images: 

    $ IMAGE_LIST_FILE=~/microshift-container-refs.txt
    Copy to Clipboard Toggle word wrap

  4. Set the environment variable that points to the destination directory for storing the downloaded data: 

    $ IMAGE_LOCAL_DIR=~/microshift-containers
    Copy to Clipboard Toggle word wrap

  5. Run the following script to download the container images to the ${IMAGE_LOCAL_DIR} directory: 

    while read -r src_img ; do
   # Remove the source registry prefix
   dst_img=$(echo "${src_img}" | cut -d '/' -f 2-)

   # Run the image download command
   echo "Downloading '${src_img}' to '${IMAGE_LOCAL_DIR}'"
   mkdir -p "${IMAGE_LOCAL_DIR}/${dst_img}"
   skopeo copy --all --quiet \
      --preserve-digests \
      --authfile "${PULL_SECRET_FILE}" \
      docker://"${src_img}" dir://"${IMAGE_LOCAL_DIR}/${dst_img}"

done < "${IMAGE_LIST_FILE}"
    Copy to Clipboard Toggle word wrap
  6. Transfer the image set to the target environment, such as air-gapped site. Then you can upload the image set into the mirror registry.

To use your container images at an air-gapped site, upload them to the mirror registry using the following procedure.

Prerequisites

  • You are logged into a host with access to microshift-quay.
  • The .pull-secret-mirror.json file is available locally.
  • The microshift-containers directory contents are available locally.

Procedure

  1. Install the skopeo tool used for copying the container images by running the following command: 

    $ sudo dnf install -y skopeo
    Copy to Clipboard Toggle word wrap

  2. Set the environment variables pointing to the pull secret file: 

    $ IMAGE_PULL_FILE=~/.pull-secret-mirror.json
    Copy to Clipboard Toggle word wrap

  3. Set the environment variables pointing to the local container image directory: 

    $ IMAGE_LOCAL_DIR=~/microshift-containers
    Copy to Clipboard Toggle word wrap

  4. Set the environment variables pointing to the mirror registry URL for uploading the container images: 

    $ TARGET_REGISTRY=<registry_host>:<port>
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace <registry_host>:<port> with the host name and port of your mirror registry server.

  5. Run the following script to upload the container images to the ${TARGET_REGISTRY} mirror registry: 

    image_tag=mirror-$(date +%y%m%d%H%M%S)
image_cnt=1
   # Uses timestamp and counter as a tag on the target images to avoid
   # their overwrite by the 'latest' automatic tagging

pushd "${IMAGE_LOCAL_DIR}" >/dev/null
while read -r src_manifest ; do
   # Remove the manifest.json file name
   src_img=$(dirname "${src_manifest}")
   # Add the target registry prefix and remove SHA
   dst_img="${TARGET_REGISTRY}/${src_img}"
   dst_img=$(echo "${dst_img}" | awk -F'@' '{print $1}')

   # Run the image upload command
   echo "Uploading '${src_img}' to '${dst_img}'"
   skopeo copy --all --quiet \
      --preserve-digests \
      --authfile "${IMAGE_PULL_FILE}" \
      dir://"${IMAGE_LOCAL_DIR}/${src_img}" docker://"${dst_img}:${image_tag}-${image_cnt}"
   # Increment the counter
   (( image_cnt += 1 ))

done < <(find . -type f -name manifest.json -printf '%P\n')
popd >/dev/null
    Copy to Clipboard Toggle word wrap

2.6. Configuring hosts for mirror registry access
Copy link

To configure a MicroShift host to use a mirror registry, you must give the MicroShift host access to the registry by creating a configuration file that maps the Red Hat registry host names to the mirror.

Prerequisites

  • Your mirror host has access to the internet.
  • The mirror host can access the mirror registry.
  • You configured the mirror registry for use in your restricted network.
  • You downloaded the pull secret and modified it to include authentication to your mirror repository.

Procedure

  1. Log into your MicroShift host.

  2. Enable the SSL certificate trust on any host accessing the mirror registry by completing the following steps:

    1. Copy the rootCA.pem file from the mirror registry, for example, <registry_path>/quay-rootCA, to the MicroShift host at the /etc/pki/ca-trust/source/anchors directory.

    2. Enable the certificate in the system-wide trust store configuration by running the following command: 

      $ sudo update-ca-trust
      Copy to Clipboard Toggle word wrap

  3. Create the /etc/containers/registries.conf.d/999-microshift-mirror.conf configuration file that maps the Red Hat registry host names to the mirror registry:

    Example mirror configuration file

    [[registry]]
    prefix = ""
    location = "<registry_host>:<port>"
    1 
    
    mirror-by-digest-only = true
    insecure = false

[[registry]]
    prefix = ""
    location = "quay.io"
    mirror-by-digest-only = true
[[registry.mirror]]
    location = "<registry_host>:<port>"
    insecure = false

[[registry]]
    prefix = ""
    location = "registry.redhat.io"
    mirror-by-digest-only = true
[[registry.mirror]]
    location = "<registry_host>:<port>"
    insecure = false

[[registry]]
    prefix = ""
    location = "registry.access.redhat.com"
    mirror-by-digest-only = true
[[registry.mirror]]
    location = "<registry_host>:<port>"
    insecure = false
    Copy to Clipboard Toggle word wrap

    1
    Replace <registry_host>:<port> with the host name and port of your mirror registry server, for example, <microshift-quay:8443>.

  4. Enable the MicroShift service by running the following command: 

    $ sudo systemctl enable microshift
    Copy to Clipboard Toggle word wrap

  5. Reboot the host by running the following command: 

    $ sudo reboot
    Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat