Search
SupportConsoleDevelopersStart a trialContact

Chapter 2. Mirroring container images for disconnected installations

download PDF

You can use a custom container registry when you deploy MicroShift in an air-gapped network. Running your cluster in a restricted network without direct internet connectivity is possible by installing the cluster from a mirrored set of container images in a private registry.

2.1. Mirror container images into an existing registry

Using a custom air-gapped container registry, or mirror, is necessary with certain user environments and workload requirements. Mirroring allows for the transfer of container images and updates to air-gapped environments where they can be installed on a MicroShift instance.

To create an air-gapped mirror registry for MicroShift containers, you must complete the following steps:

  • Get the container image list to be mirrored.
  • Configure the mirroring prerequisites.
  • Download images on a host with the internet access.
  • Copy the downloaded image directory to an air-gapped site.
  • Upload images to a mirror registry in an air-gapped site.
  • Configure your MicroShift hosts to use the mirror registry.

Additional resources

2.2. Getting the MicroShift mirror registry container image list

To use a mirror registry, you must know which container image references are used by a specific version of MicroShift. These references are provided in the release-<arch>.json files that are part of the microshift-release-info RPM package.

Prerequisites

  • You have installed jq.

Procedure

  1. Access the list of container image references by using one of the following methods:

    • If the package is installed on the MicroShift host, get the location of the files by running the following command: 

      $ rpm -ql microshift-release-info

      Example output

      /usr/share/microshift/release/release-x86_64.json

    • If the package is not installed on a MicroShift host, download and unpack the RPM package without installing it by running the following command: 

      $ rpm2cpio microshift-release-info*.noarch.rpm | cpio -idmv

      Example output

      /usr/share/microshift/release/release-x86_64.json

  2. Extract the list of container images into the microshift-container-refs.txt file by running the following commands: 

    $ RELEASE_FILE=/usr/share/microshift/release/release-$(uname -m).json
    $ jq -r '.images | .[]' ${RELEASE_FILE} > microshift-container-refs.txt
Note

After the microshift-container-refs.txt file is created with the MicroShift container image list, you can append the file with other user-specific image references before running the mirroring procedure.

2.3. Configuring mirroring prerequisites

You must create a container image registry credentials file that allows the mirroring of images from your internet-connected mirror host to your air-gapped mirror. Follow the instructions in the "Configuring credentials that allow images to be mirrored" link provided in the "Additional resources" section. These instructions guide you to create a ~/.pull-secret-mirror.json file on the mirror registry host that includes the user credentials for accessing the mirror.

2.3.1. Example mirror registry pull secret entry

For example, the following section is added to the pull secret file for the microshift_quay:8443 mirror registry using microshift:microshift as username and password.

Example mirror registry section for pull secret file

"<microshift_quay:8443>": { 1
    "auth": "<microshift_auth>", 2
    "email": "<microshift_quay@example.com>" 3
},

1
Replace the <registry_host>:<port> value microshift_quay:8443 with the host name and port of your mirror registry server.
2
Replace the <microshift_auth> value with the user password.
3
Replace the </microshift_quay@example.com> value with the user email.

Additional resources

2.4. Downloading container images

After you have located the container list and completed the mirroring prerequisites, download the container images to a host with internet access.

Prerequisites

  • You are logged into a host with access to the internet.
  • You have ensured that the .pull-secret-mirror.json file and microshift-containers directory contents are available locally.

Procedure

  1. Install the skopeo tool used for copying the container images by running the following command: 

    $ sudo dnf install -y skopeo

  2. Set the environment variable that points to the pull secret file: 

    $ PULL_SECRET_FILE=~/.pull-secret-mirror.json

  3. Set the environment variable that points to the list of container images: 

    $ IMAGE_LIST_FILE=~/microshift-container-refs.txt

  4. Set the environment variable that points to the destination directory for storing the downloaded data: 

    $ IMAGE_LOCAL_DIR=~/microshift-containers

  5. Run the following script to download the container images to the ${IMAGE_LOCAL_DIR} directory: 

    while read -r src_img ; do
   # Remove the source registry prefix
   dst_img=$(echo "${src_img}" | cut -d '/' -f 2-)

   # Run the image download command
   echo "Downloading '${src_img}' to '${IMAGE_LOCAL_DIR}'"
   mkdir -p "${IMAGE_LOCAL_DIR}/${dst_img}"
   skopeo copy --all --quiet \
      --preserve-digests \
      --authfile "${PULL_SECRET_FILE}" \
      docker://"${src_img}" dir://"${IMAGE_LOCAL_DIR}/${dst_img}"

done < "${IMAGE_LIST_FILE}"
  6. Transfer the image set to the target environment, such as air-gapped site. Then you can upload the image set into the mirror registry.

2.5. Uploading container images to a mirror registry

To use your container images at an air-gapped site, upload them to the mirror registry using the following procedure.

Prerequisites

  • You are logged into a host with access to microshift-quay.
  • The .pull-secret-mirror.json file is available locally.
  • The microshift-containers directory contents are available locally.

Procedure

  1. Install the skopeo tool used for copying the container images by running the following command: 

    $ sudo dnf install -y skopeo

  2. Set the environment variables pointing to the pull secret file: 

    $ IMAGE_PULL_FILE=~/.pull-secret-mirror.json

  3. Set the environment variables pointing to the local container image directory: 

    $ IMAGE_LOCAL_DIR=~/microshift-containers

  4. Set the environment variables pointing to the mirror registry URL for uploading the container images: 

    $ TARGET_REGISTRY=<registry_host>:<port> 1
    1
    Replace <registry_host>:<port> with the host name and port of your mirror registry server.

  5. Run the following script to upload the container images to the ${TARGET_REGISTRY} mirror registry: 

    image_tag=mirror-$(date +%y%m%d%H%M%S)
image_cnt=1
   # Uses timestamp and counter as a tag on the target images to avoid
   # their overwrite by the 'latest' automatic tagging

pushd "${IMAGE_LOCAL_DIR}" >/dev/null
while read -r src_manifest ; do
   # Remove the manifest.json file name
   src_img=$(dirname "${src_manifest}")
   # Add the target registry prefix and remove SHA
   dst_img="${TARGET_REGISTRY}/${src_img}"
   dst_img=$(echo "${dst_img}" | awk -F'@' '{print $1}')

   # Run the image upload command
   echo "Uploading '${src_img}' to '${dst_img}'"
   skopeo copy --all --quiet \
      --preserve-digests \
      --authfile "${IMAGE_PULL_FILE}" \
      dir://"${IMAGE_LOCAL_DIR}/${src_img}" docker://"${dst_img}:${image_tag}-${image_cnt}"
   # Increment the counter
   (( image_cnt += 1 ))

done < <(find . -type f -name manifest.json -printf '%P\n')
popd >/dev/null

2.6. Configuring hosts for mirror registry access

To configure a MicroShift host to use a mirror registry, you must give the MicroShift host access to the registry by creating a configuration file that maps the Red Hat registry host names to the mirror.

Prerequisites

  • Your mirror host has access to the internet.
  • The mirror host can access the mirror registry.
  • You configured the mirror registry for use in your restricted network.
  • You downloaded the pull secret and modified it to include authentication to your mirror repository.

Procedure

  1. Log into your MicroShift host.

  2. Enable the SSL certificate trust on any host accessing the mirror registry by completing the following steps:

    1. Copy the rootCA.pem file from the mirror registry, for example, <registry_path>/quay-rootCA, to the MicroShift host at the /etc/pki/ca-trust/source/anchors directory.

    2. Enable the certificate in the system-wide trust store configuration by running the following command: 

      $ sudo update-ca-trust

  3. Create the /etc/containers/registries.conf.d/999-microshift-mirror.conf configuration file that maps the Red Hat registry host names to the mirror registry:

    Example mirror configuration file

    [[registry]]
    prefix = ""
    location = "<registry_host>:<port>" 1
    mirror-by-digest-only = true
    insecure = false

[[registry]]
    prefix = ""
    location = "quay.io"
    mirror-by-digest-only = true
[[registry.mirror]]
    location = "<registry_host>:<port>"
    insecure = false

[[registry]]
    prefix = ""
    location = "registry.redhat.io"
    mirror-by-digest-only = true
[[registry.mirror]]
    location = "<registry_host>:<port>"
    insecure = false

[[registry]]
    prefix = ""
    location = "registry.access.redhat.com"
    mirror-by-digest-only = true
[[registry.mirror]]
    location = "<registry_host>:<port>"
    insecure = false

    1
    Replace <registry_host>:<port> with the host name and port of your mirror registry server, for example, <microshift-quay:8443>.

  4. Enable the MicroShift service by running the following command: 

    $ sudo systemctl enable microshift

  5. Reboot the host by running the following command: 

    $ sudo reboot
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.