Images
Creating and managing images and imagestreams in OpenShift Container Platform
Chapter 1. Overview of images
1.1. Understanding containers, images, and image streams
Containers, images, and image streams are important concepts to understand when you set out to create and manage containerized software. An image holds a set of software that is ready to run, while a container is a running instance of a container image. An image stream provides a way of storing different versions of the same basic image. Those different versions are represented by different tags on the same image name.
1.2. Images
Containers in OpenShift Container Platform are based on OCI- or Docker-formatted container images. An image is a binary that includes all of the requirements for running a single container, as well as metadata describing its needs and capabilities.
You can think of it as a packaging technology. Containers only have access to resources defined in the image unless you give the container additional access when creating it. By deploying the same image in multiple containers across multiple hosts and load balancing between them, OpenShift Container Platform can provide redundancy and horizontal scaling for a service packaged into an image.
You can use the podman or docker CLI directly to build images, but OpenShift Container Platform also supplies builder images that assist with creating new images by adding your code or configuration to existing images.
Because applications develop over time, a single image name can actually refer to many different versions of the same image. Each different image is referred to uniquely by its hash, a long hexadecimal number such as fd44297e2ddb050ec4f…, which is usually shortened to 12 characters, such as fd44297e2ddb.
1.3. Image registry
An image registry is a content server that can store and serve container images. For example:
registry.redhat.io
A registry contains a collection of one or more image repositories, which contain one or more tagged images. Red Hat provides a registry at registry.redhat.io for subscribers. OpenShift Container Platform can also supply its own OpenShift image registry for managing custom container images.
1.4. Image repository
An image repository is a collection of related container images and tags identifying them. For example, the OpenShift Container Platform Jenkins images are in the repository:
docker.io/openshift/jenkins-2-centos7
1.5. Image tags
An image tag is a label applied to a container image in a repository that distinguishes a specific image from other images in an image stream. Typically, the tag represents a version number of some sort. For example, here :v3.11.59-2 is the tag:
registry.access.redhat.com/openshift3/jenkins-2-rhel7:v3.11.59-2
You can add additional tags to an image. For example, an image might be assigned the tags :v3.11.59-2 and :latest.
OpenShift Container Platform provides the oc tag command, which is similar to the docker tag command, but operates on image streams instead of directly on images.
1.6. Image IDs
An image ID is a SHA (Secure Hash Algorithm) code that can be used to pull an image. A SHA image ID cannot change. A specific SHA identifier always references the exact same container image content. For example:
docker.io/openshift/jenkins-2-centos7@sha256:ab312bda324
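The difference between a mutable tag (section 1.5) and an immutable digest (this section) is easy to lose in tooling that treats both as opaque strings. The following is an added example, not code from the Red Hat documentation: it parses references like the ones above into registry, repository, tag and digest, and reports which references depend on a tag alone. It follows the usual docker/podman normalization conventions (the first path component is a registry only when it contains a dot or a port, or is localhost; a bare name defaults to docker.io/library/…), and it accepts the shortened digest shown on the page because it only checks the sha256: prefix and hex characters, not the full 64-character length.

```python
"""Parse container image references and report which ones are pinned by digest.

Added example; not code from the OpenShift documentation. Normalization
follows the common docker/podman conventions described in the lead-in.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_REGISTRY = "docker.io"
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]+$")
_TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    def pinned(self) -> bool:
        """A digest identifies exact content; a tag can be re-pointed later."""
        return self.digest is not None

    def canonical(self) -> str:
        out = f"{self.registry}/{self.repository}"
        if self.tag:
            out += f":{self.tag}"
        if self.digest:
            out += f"@{self.digest}"
        return out


def parse_image_ref(ref: str) -> ImageRef:
    # Everything after '@' is the digest; it must look like sha256:<hex>.
    name, at, digest = ref.partition("@")
    if at:
        if not _DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {ref!r}")
    else:
        digest = None

    # A ':' after the last '/' separates the tag; a ':' before it is a registry port.
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    tag = None
    if colon > last_slash:
        tag = name[colon + 1:]
        name = name[:colon]
        if not _TAG_RE.match(tag):
            raise ValueError(f"malformed tag in {ref!r}")

    # The first path component is a registry only if it looks like a host.
    first, slash, rest = name.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, rest
    else:
        registry, repository = DEFAULT_REGISTRY, name
    if not repository:
        raise ValueError(f"empty repository in {ref!r}")
    if registry == DEFAULT_REGISTRY and "/" not in repository:
        repository = "library/" + repository  # Docker Hub official-image namespace
    return ImageRef(registry, repository, tag, digest)


def unpinned(refs: List[str]) -> List[str]:
    """Canonical form of every reference that relies on a mutable tag only."""
    return [r.canonical() for r in map(parse_image_ref, refs) if not r.pinned()]


if __name__ == "__main__":
    # The two references are the page's own examples; the third is constructed.
    for ref in ["registry.access.redhat.com/openshift3/jenkins-2-rhel7:v3.11.59-2",
                "docker.io/openshift/jenkins-2-centos7@sha256:ab312bda324",
                "localhost:5000/ocp4/openshift4:4.15.0"]:
        parsed = parse_image_ref(ref)
        print(f"{parsed.canonical()}  pinned={parsed.pinned()}")
```

Running `unpinned()` over the image references in a set of manifests is a quick way to find workloads that will silently change when a tag is re-pointed, which is exactly the situation image stream tags (section 1.8) are designed to insulate you from.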
1.7. Containers
The basic units of OpenShift Container Platform applications are called containers. Linux container technologies are lightweight mechanisms for isolating running processes so that they are limited to interacting with only their designated resources. The word container is defined as a specific running or paused instance of a container image.
Many application instances can be running in containers on a single host without visibility into each others' processes, files, network, and so on. Typically, each container provides a single service, often called a micro-service, such as a web server or a database, though containers can be used for arbitrary workloads.
The Linux kernel has been incorporating capabilities for container technologies for years. The Docker project developed a convenient management interface for Linux containers on a host. More recently, the Open Container Initiative has developed open standards for container formats and container runtimes. OpenShift Container Platform and Kubernetes add the ability to orchestrate OCI- and Docker-formatted containers across multi-host installations.
Though you do not directly interact with container runtimes when using OpenShift Container Platform, understanding their capabilities and terminology is important for understanding their role in OpenShift Container Platform and how your applications function inside of containers.
Tools such as podman can be used to replace docker command-line tools for running and managing containers directly. Using podman, you can experiment with containers separately from OpenShift Container Platform.
1.8. Why use imagestreams
An image stream and its associated tags provide an abstraction for referencing container images from within OpenShift Container Platform. The image stream and its tags allow you to see what images are available and ensure that you are using the specific image you need even if the image in the repository changes.
Image streams do not contain actual image data, but present a single virtual view of related images, similar to an image repository.
You can configure builds and deployments to watch an image stream for notifications when new images are added and react by performing a build or deployment, respectively.
For example, if a deployment is using a certain image and a new version of that image is created, a deployment could be automatically performed to pick up the new version of the image.
However, if the image stream tag used by the deployment or build is not updated, then even if the container image in the container image registry is updated, the build or deployment continues using the previous, presumably known good image.
The source images can be stored in any of the following:
- OpenShift Container Platform’s integrated registry.
- An external registry, for example registry.redhat.io or quay.io.
- Other image streams in the OpenShift Container Platform cluster.
When you define an object that references an image stream tag, such as a build or deployment configuration, you point to an image stream tag and not the repository. When you build or deploy your application, OpenShift Container Platform queries the repository using the image stream tag to locate the associated ID of the image and uses that exact image.
The image stream metadata is stored in the etcd instance along with other cluster information.
Using image streams has several significant benefits:
- You can tag, roll back a tag, and quickly deal with images, without having to re-push using the command line.
- You can trigger builds and deployments when a new image is pushed to the registry. Also, OpenShift Container Platform has generic triggers for other resources, such as Kubernetes objects.
- You can mark a tag for periodic re-import. If the source image has changed, that change is picked up and reflected in the image stream, which triggers the build or deployment flow, depending upon the build or deployment configuration.
- You can share images using fine-grained access control and quickly distribute images across your teams.
- If the source image changes, the image stream tag still points to a known-good version of the image, ensuring that your application does not break unexpectedly.
- You can configure security around who can view and use the images through permissions on the image stream objects.
- Users that lack permission to read or list images on the cluster level can still retrieve the images tagged in a project using image streams.
You can manage image streams, use image streams with Kubernetes resources, and trigger updates on image stream updates.
1.9. Image stream tags
An image stream tag is a named pointer to an image in an image stream. An image stream tag is similar to a container image tag.
1.10. Image stream images
An image stream image allows you to retrieve a specific container image from a particular image stream where it is tagged. An image stream image is an API resource object that pulls together some metadata about a particular image SHA identifier.
1.11. Image stream triggers
An image stream trigger causes a specific action when an image stream tag changes. For example, importing can cause the value of the tag to change, which causes a trigger to fire when there are deployments, builds, or other resources listening for those.
1.12. How you can use the Cluster Samples Operator
During the initial startup, the Operator creates the default samples resource to initiate the creation of the image streams and templates. You can use the Cluster Samples Operator to manage the sample image streams and templates stored in the openshift namespace.
As a cluster administrator, you can use the Cluster Samples Operator to:
1.13. About templates
A template is a definition of an object to be replicated. You can use templates to build and deploy configurations.
1.14. How you can use Ruby on Rails
As a developer, you can use Ruby on Rails to:
- Write your application:
  - Set up a database.
  - Create a welcome page.
  - Configure your application for OpenShift Container Platform.
  - Store your application in Git.
- Deploy your application in OpenShift Container Platform:
  - Create the database service.
  - Create the frontend service.
  - Create a route for your application.
Chapter 2. Configuring the Cluster Samples Operator
The Cluster Samples Operator, which operates in the openshift namespace, installs and updates the Red Hat Enterprise Linux (RHEL)-based OpenShift Container Platform image streams and OpenShift Container Platform templates.
- Starting from OpenShift Container Platform 4.13, the Cluster Samples Operator is downsized. The Cluster Samples Operator will stop providing the following updates for non-Source-to-Image (non-S2I) image streams and templates:
  - new image streams and templates
  - updates to the existing image streams and templates unless it is a CVE update
- The Cluster Samples Operator will provide support for non-S2I image streams and templates as per the OpenShift Container Platform lifecycle policy dates and support guidelines.
- The Cluster Samples Operator will continue to support the S2I builder image streams and templates and accept the updates. S2I image streams and templates include:
  - Ruby
  - Python
  - Node.js
  - Perl
  - PHP
  - HTTPD
  - Nginx
  - EAP
  - Java
  - Webserver
  - .NET
  - Go
- Starting from OpenShift Container Platform 4.16, the Cluster Samples Operator will stop managing non-S2I image streams and templates. You can contact the image stream or template owner for any requirements and future plans. In addition, refer to the list of the repositories hosting the image streams or templates.
2.1. Understanding the Cluster Samples Operator
During installation, the Operator creates the default configuration object for itself and then creates the sample image streams and templates, including quick start templates.
To facilitate image stream imports from other registries that require credentials, a cluster administrator can create any additional secrets that contain the content of a Docker config.json file in the openshift namespace needed for image import.
The Cluster Samples Operator configuration is a cluster-wide resource, and the deployment is contained within the openshift-cluster-samples-operator namespace.
The image for the Cluster Samples Operator contains image stream and template definitions for the associated OpenShift Container Platform release. When each sample is created or updated, the Cluster Samples Operator includes an annotation that denotes the version of OpenShift Container Platform. The Operator uses this annotation to ensure that each sample matches the release version. Samples outside of its inventory are ignored, as are skipped samples. Modifications to any samples that are managed by the Operator, where that version annotation is modified or deleted, are reverted automatically.
The Jenkins images are part of the image payload from installation and are tagged into the image streams directly.
The Cluster Samples Operator configuration resource includes a finalizer which cleans up the following upon deletion:
- Operator managed image streams.
- Operator managed templates.
- Operator generated configuration resources.
- Cluster status resources.
Upon deletion of the samples resource, the Cluster Samples Operator recreates the resource using the default configuration.
2.1.1. Cluster Samples Operator’s use of management state
The Cluster Samples Operator is bootstrapped as Managed by default or if a global proxy is configured. In the Managed state, the Cluster Samples Operator is actively managing its resources and keeping the component active in order to pull sample image streams and images from the registry and ensure that the requisite sample templates are installed.
Certain circumstances result in the Cluster Samples Operator bootstrapping itself as Removed, including:
- If the Cluster Samples Operator cannot reach registry.redhat.io after three minutes on initial startup after a clean installation.
- If the Cluster Samples Operator detects it is on an IPv6 network.
- If the image controller configuration parameters prevent the creation of image streams by using the default image registry, or by using the image registry specified by the samplesRegistry setting. For OpenShift Container Platform, the default image registry is registry.redhat.io.
However, if the Cluster Samples Operator detects that it is on an IPv6 network and an OpenShift Container Platform global proxy is configured, then the IPv6 check supersedes all the other checks. As a result, the Cluster Samples Operator bootstraps itself as Removed.
IPv6 installations are not currently supported by registry.redhat.io. The Cluster Samples Operator pulls most of the sample image streams and images from registry.redhat.io.
2.1.1.1. Restricted network installation
Bootstrapping as Removed when unable to access registry.redhat.io facilitates restricted network installations when the network restriction is already in place. Bootstrapping as Removed when network access is restricted allows the cluster administrator more time to decide if samples are desired, because the Cluster Samples Operator does not submit alerts that sample image stream imports are failing when the management state is set to Removed. When the Cluster Samples Operator comes up as Managed and attempts to install sample image streams, it starts alerting two hours after initial installation if there are failing imports.
2.1.1.2. Restricted network installation with initial network access
Conversely, if a cluster that is intended to be a restricted network or disconnected cluster is first installed while network access exists, the Cluster Samples Operator installs the content from registry.redhat.io since it can access it. If you want the Cluster Samples Operator to still bootstrap as Removed in order to defer samples installation until you have decided which samples are desired, set up image mirrors, and so on, then follow the instructions for using the Samples Operator with an alternate registry and customizing nodes, both linked in the additional resources section, to override the Cluster Samples Operator default configuration and initially come up as Removed.
You must put the following additional YAML file in the openshift directory created by openshift-install create manifest:
Example Cluster Samples Operator YAML file with managementState: Removed
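Written out as an added example (not copied from the Red Hat documentation), this is the manifest that sets the management state to Removed before first startup. It uses the apiVersion, kind and resource name (cluster) that section 2.4 shows for this resource and the managementState field named in the caption; the file name is an assumption, any name in the openshift manifest directory works.

```yaml
# Added example, not from the original page. Assumed file name:
# <manifest-dir>/openshift/cluster-samples-operator-config.yaml, where
# <manifest-dir> is the directory produced by `openshift-install create manifest`.
apiVersion: samples.operator.openshift.io/v1
kind: Config
metadata:
  name: cluster
spec:
  managementState: Removed
```

With this manifest in place the Operator comes up as Removed on the first boot, so no sample imports are attempted and no import-failure alerts are raised until you deliberately switch the state back to Managed (section 2.3.1 describes the order of operations for that switch).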
2.1.2. Cluster Samples Operator’s tracking and error recovery of image stream imports
After creation or update of a samples image stream, the Cluster Samples Operator monitors the progress of each image stream tag’s image import.
If an import fails, the Cluster Samples Operator retries the import through the image stream image import API, which is the same API used by the oc import-image command, approximately every 15 minutes until it sees the import succeed, or until the Cluster Samples Operator's configuration is changed such that either the image stream is added to the skippedImagestreams list, or the management state is changed to Removed.
2.3. Cluster Samples Operator configuration parameters
The samples resource offers the following configuration fields:
| Parameter | Description |
|---|---|
| managementState | The Operator's management state. The Operator bootstraps as Managed by default; in the Removed state it does not manage the sample image streams and templates. |
| samplesRegistry | Allows you to specify which registry is accessed by image streams for their image content. Note: creation or update of RHEL content does not commence if the secret for pull access is not in place when either …; creation or update of RHEL content is not gated by the existence of the pull secret if the … |
| architectures | Placeholder to choose an architecture type. |
| skippedImagestreams | Image streams that are in the Cluster Samples Operator's inventory but that the cluster administrator wants the Operator to ignore or not manage. You can add a list of image stream names to this parameter. |
| skippedTemplates | Templates that are in the Cluster Samples Operator's inventory, but that the cluster administrator wants the Operator to ignore or not manage. |
Secret, image stream, and template watch events can arrive before the initial samples resource object is created; in that case the Cluster Samples Operator detects this and re-queues the event.
2.3.1. Configuration restrictions
When the Cluster Samples Operator starts supporting multiple architectures, the architecture list is not allowed to be changed while in the Managed state.
To change the architectures values, a cluster administrator must:
- Mark the Management State as Removed, saving the change.
- In a subsequent change, edit the architecture and change the Management State back to Managed.
The Cluster Samples Operator still processes secrets while in the Removed state. You can create the secret before switching to Removed, while in Removed before switching to Managed, or after switching to the Managed state. There are delays in creating the samples until the secret event is processed if you create the secret after switching to Managed. This helps facilitate the changing of the registry, where you choose to remove all the samples before switching to ensure a clean slate. Removing all samples before switching is not required.
2.3.2. Conditions
The samples resource maintains the following conditions in its status:
| Condition | Description |
|---|---|
| SamplesExist | Indicates the samples are created in the openshift namespace. |
| ImageChangesInProgress | This condition is deprecated in OpenShift Container Platform. |
| ConfigurationValid | |
| RemovePending | Indicator that there is a … |
| ImportImageErrorsExist | Indicator of which image streams had errors during the image import phase for one of their tags. |
| MigrationInProgress | This condition is deprecated in OpenShift Container Platform. |
2.4. Accessing the Cluster Samples Operator configuration
You can configure the Cluster Samples Operator by editing the file with the provided parameters.
Prerequisites
- Install the OpenShift CLI (oc).
Procedure
- Access the Cluster Samples Operator configuration:
  ```
  $ oc edit configs.samples.operator.openshift.io/cluster -o yaml
  ```
  The Cluster Samples Operator configuration resembles the following example:
  ```yaml
  apiVersion: samples.operator.openshift.io/v1
  kind: Config
  # ...
  ```
2.5. Removing deprecated image stream tags from the Cluster Samples Operator
The Cluster Samples Operator leaves deprecated image stream tags in an image stream because users can have deployments that use the deprecated image stream tags.
				You can remove deprecated image stream tags by editing the image stream with the oc tag command.
			
Deprecated image stream tags that the samples providers have removed from their image streams are not included on initial installations.
Prerequisites
- You installed the oc CLI.
Procedure
- Remove deprecated image stream tags by editing the image stream with the oc tag command:
  ```
  $ oc tag -d <image_stream_name:tag>
  ```
  Example output:
  ```
  Deleted tag default/<image_stream_name:tag>.
  ```
Chapter 3. Using the Cluster Samples Operator with an alternate registry
You can use the Cluster Samples Operator with an alternate registry by first creating a mirror registry.
You must have access to the internet to obtain the necessary container images. In this procedure, you place the mirror registry on a mirror host that has access to both your network and the internet.
3.1. About the mirror registry
You can mirror the images that are required for OpenShift Container Platform installation and subsequent product updates to a container mirror registry such as Red Hat Quay, JFrog Artifactory, Sonatype Nexus Repository, or Harbor. If you do not have access to a large-scale container registry, you can use the mirror registry for Red Hat OpenShift, a small-scale container registry included with OpenShift Container Platform subscriptions.
You can use any container registry that supports Docker v2-2, such as Red Hat Quay, the mirror registry for Red Hat OpenShift, Artifactory, Sonatype Nexus Repository, or Harbor. Regardless of your chosen registry, the procedure to mirror content from Red Hat hosted sites on the internet to an isolated image registry is the same. After you mirror the content, you configure each cluster to retrieve this content from your mirror registry.
The OpenShift image registry cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process.
If choosing a container registry that is not the mirror registry for Red Hat OpenShift, it must be reachable by every machine in the clusters that you provision. If the registry is unreachable, installation, updating, or normal operations such as workload relocation might fail. For that reason, you must run mirror registries in a highly available way, and the mirror registries must at least match the production availability of your OpenShift Container Platform clusters.
When you populate your mirror registry with OpenShift Container Platform images, you can follow two scenarios. If you have a host that can access both the internet and your mirror registry, but not your cluster nodes, you can directly mirror the content from that machine. This process is referred to as connected mirroring. If you have no such host, you must mirror the images to a file system and then bring that host or removable media into your restricted environment. This process is referred to as disconnected mirroring.
For mirrored registries, to view the source of pulled images, you must review the Trying to access log entry in the CRI-O logs. Other methods to view the image pull source, such as using the crictl images command on a node, show the non-mirrored image name, even though the image is pulled from the mirrored location.
Red Hat does not test third party registries with OpenShift Container Platform.
Additional information
For information on viewing the CRI-O logs to view the image source, see Viewing the image pull source.
3.1.1. Preparing the mirror host
Before you create the mirror registry, you must prepare the mirror host.
3.1.2. Installing the OpenShift CLI by downloading the binary
You can install the OpenShift CLI (oc) to interact with OpenShift Container Platform from a command-line interface. You can install oc on Linux, Windows, or macOS.
If you installed an earlier version of oc, you cannot use it to complete all of the commands in OpenShift Container Platform 4.15. Download and install the new version of oc.
3.1.2.1. Installing the OpenShift CLI on Linux
You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the architecture from the Product Variant drop-down list.
- Select the appropriate version from the Version drop-down list.
- Click Download Now next to the OpenShift v4.15 Linux Clients entry and save the file.
- Unpack the archive:
  ```
  $ tar xvf <file>
  ```
- Place the oc binary in a directory that is on your PATH. To check your PATH, execute the following command:
  ```
  $ echo $PATH
  ```
Verification
- After you install the OpenShift CLI, it is available using the oc command:
  ```
  $ oc <command>
  ```
3.1.2.2. Installing the OpenShift CLI on Windows
You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version from the Version drop-down list.
- Click Download Now next to the OpenShift v4.15 Windows Client entry and save the file.
- Unzip the archive with a ZIP program.
- Move the oc binary to a directory that is on your PATH. To check your PATH, open the command prompt and execute the following command:
  ```
  C:\> path
  ```
Verification
- After you install the OpenShift CLI, it is available using the oc command:
  ```
  C:\> oc <command>
  ```
3.1.2.3. Installing the OpenShift CLI on macOS
You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version from the Version drop-down list.
- Click Download Now next to the OpenShift v4.15 macOS Clients entry and save the file. Note: for macOS arm64, choose the OpenShift v4.15 macOS arm64 Client entry.
- Unpack and unzip the archive.
- Move the oc binary to a directory on your PATH. To check your PATH, open a terminal and execute the following command:
  ```
  $ echo $PATH
  ```
Verification
- Verify your installation by using an oc command:
  ```
  $ oc <command>
  ```
3.2. Configuring credentials that allow images to be mirrored
Create a container image registry credentials file that allows mirroring images from Red Hat to your mirror.
Prerequisites
- You configured a mirror registry to use in your disconnected environment.
Procedure
Complete the following steps on the installation host:
- Download your registry.redhat.io pull secret from Red Hat OpenShift Cluster Manager.
- Make a copy of your pull secret in JSON format:
  ```
  $ cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json>
  ```
  Specify the path to the folder to store the pull secret in and a name for the JSON file that you create.
- Generate the base64-encoded user name and password or token for your mirror registry:
  ```
  $ echo -n '<user_name>:<password>' | base64 -w0
  BGVtbYk3ZHAtqXs=
  ```
  For <user_name> and <password>, specify the user name and password that you configured for your registry.
- Edit the JSON file and add a section that describes your registry to it.
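The same three steps (copy the pull secret as JSON, base64-encode user:password without line wrapping, add an auths entry for the mirror) can be done without hand-editing. The following is an added example, not code from the Red Hat documentation: it merges a mirror-registry credential into a pull secret while preserving the existing registry.redhat.io entry. The sample pull secret, registry host name and credentials are constructed placeholders.

```python
"""Add a mirror-registry credential to an OpenShift pull secret.

Added example; not code from the OpenShift documentation. Does in Python
what the documented `jq .` and `echo -n ... | base64 -w0` steps do by hand.
"""
import base64
import json
from typing import List, Optional

# Constructed sample pull secret: the auth value is a placeholder, not a real credential.
SAMPLE_PULL_SECRET = json.dumps({
    "auths": {
        "registry.redhat.io": {"auth": "PLACEHOLDER_BASE64", "email": "user@example.com"}
    }
})


def basic_auth_token(user: str, password: str) -> str:
    """base64("<user>:<password>") on one line, like `echo -n ... | base64 -w0`."""
    if ":" in user:
        raise ValueError("registry user names must not contain ':'")
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def add_mirror_auth(pull_secret_json: str, registry: str, user: str,
                    password: str, email: Optional[str] = None) -> str:
    """Return a new pull secret with an `auths` entry for `registry` added or replaced.

    The existing entries (for example registry.redhat.io) are kept untouched.
    """
    data = json.loads(pull_secret_json)
    auths = data.setdefault("auths", {})
    if not isinstance(auths, dict):
        raise ValueError("pull secret 'auths' must be a JSON object")
    entry = {"auth": basic_auth_token(user, password)}
    if email:
        entry["email"] = email
    auths[registry] = entry
    return json.dumps(data, indent=2)


def registries_in(pull_secret_json: str) -> List[str]:
    """Sorted list of registries the pull secret carries credentials for."""
    return sorted(json.loads(pull_secret_json).get("auths", {}))


def auth_for(pull_secret_json: str, registry: str) -> Optional[str]:
    """The base64 auth value stored for one registry, or None."""
    return json.loads(pull_secret_json).get("auths", {}).get(registry, {}).get("auth")


if __name__ == "__main__":
    # Constructed mirror host name and credentials; replace with your own.
    merged = add_mirror_auth(SAMPLE_PULL_SECRET, "mirror.example.com:5000", "a", "b")
    print(merged)
    print("registries:", registries_in(merged))
```

The output of `add_mirror_auth` is what you save as the file named by LOCAL_SECRET_JSON in section 3.3; because it contains registry credentials, keep it readable by the mirroring user only.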
3.3. Mirroring the OpenShift Container Platform image repository
Mirror the OpenShift Container Platform image repository to your registry to use during cluster installation or upgrade.
Prerequisites
- Your mirror host has access to the internet.
- You configured a mirror registry to use in your restricted network and can access the certificate and credentials that you configured.
- You downloaded the pull secret from Red Hat OpenShift Cluster Manager and modified it to include authentication to your mirror repository.
- If you use self-signed certificates, you have specified a Subject Alternative Name in the certificates.
Procedure
Complete the following steps on the mirror host:
- Review the OpenShift Container Platform downloads page to determine the version of OpenShift Container Platform that you want to install and determine the corresponding tag on the Repository Tags page.
- Set the required environment variables:
  - Export the release version:
    $ OCP_RELEASE=<release_version>
    For <release_version>, specify the tag that corresponds to the version of OpenShift Container Platform to install, such as 4.5.4.
  - Export the local registry name and host port:
    $ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>'
    For <local_registry_host_name>, specify the registry domain name for your mirror repository, and for <local_registry_host_port>, specify the port that it serves content on.
  - Export the local repository name:
    $ LOCAL_REPOSITORY='<local_repository_name>'
    For <local_repository_name>, specify the name of the repository to create in your registry, such as ocp4/openshift4.
  - Export the name of the repository to mirror:
    $ PRODUCT_REPO='openshift-release-dev'
    For a production release, you must specify openshift-release-dev.
  - Export the path to your registry pull secret:
    $ LOCAL_SECRET_JSON='<path_to_pull_secret>'
    For <path_to_pull_secret>, specify the absolute path to and file name of the pull secret for your mirror registry that you created.
  - Export the release mirror:
    $ RELEASE_NAME="ocp-release"
    For a production release, you must specify ocp-release.
  - Export the type of architecture for your cluster:
    $ ARCHITECTURE=<cluster_architecture>
    Specify the architecture of the cluster, such as x86_64, aarch64, s390x, or ppc64le.
  - Export the path to the directory to host the mirrored images:
    $ REMOVABLE_MEDIA_PATH=<path>
    Specify the full path, including the initial forward slash (/) character.
- Mirror the version images to the mirror registry:
  - If your mirror host does not have internet access, take the following actions:
    - Connect the removable media to a system that is connected to the internet.
    - Review the images and configuration manifests to mirror:
      $ oc adm release mirror -a ${LOCAL_SECRET_JSON} \
          --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
          --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
          --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run
    - Record the entire imageContentSources section from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add the imageContentSources section to the install-config.yaml file during installation.
    - Mirror the images to a directory on the removable media:
      $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}
    - Take the media to the restricted network environment and upload the images to the local container registry:
      $ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}
      For REMOVABLE_MEDIA_PATH, you must use the same path that you specified when you mirrored the images.
      Important: Running oc image mirror might result in the following error: error: unable to retrieve source image. This error occurs when image indexes include references to images that no longer exist on the image registry. Image indexes might retain older references to allow users running those images an upgrade path to newer points on the upgrade graph. As a temporary workaround, you can use the --skip-missing option to bypass the error and continue downloading the image index. For more information, see Service Mesh Operator mirroring failed.
  - If the local container registry is connected to the mirror host, take the following actions:
    - Directly push the release images to the local registry by using the following command:
      $ oc adm release mirror -a ${LOCAL_SECRET_JSON} \
          --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
          --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
          --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}
      This command pulls the release information as a digest, and its output includes the imageContentSources data that you require when you install your cluster.
    - Record the entire imageContentSources section from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add the imageContentSources section to the install-config.yaml file during installation.
      Note: The image name gets patched to Quay.io during the mirroring process, and the podman images will show Quay.io in the registry on the bootstrap virtual machine.
- To create the installation program that is based on the content that you mirrored, extract it and pin it to the release:
  - If your mirror host does not have internet access, run the following command:
    $ oc adm release extract -a ${LOCAL_SECRET_JSON} --icsp-file=<file> --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}" \
        --insecure=true
    Optional: If you do not want to configure trust for the target registry, add the --insecure=true flag.
  - If the local container registry is connected to the mirror host, run the following command:
    $ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}"
  Important: To ensure that you use the correct images for the version of OpenShift Container Platform that you selected, you must extract the installation program from the mirrored content. You must perform this step on a machine with an active internet connection.
- For clusters using installer-provisioned infrastructure, run the following command:
  $ openshift-install
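A mistyped variable in the procedure above surfaces only after a long download, or as a mirror pushed to the wrong repository. The following script is an added example, not part of the OpenShift documentation or the oc tool: it checks each exported variable against the rules the steps state (release tag format, the four supported architectures, the fixed openshift-release-dev and ocp-release names, an absolute media path, and a readable pull secret) and assembles the release image references the commands use, without running anything. The pull secret contents and the mirror host in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the OpenShift documentation): validate the mirror
# environment variables before running `oc adm release mirror`, and print the
# image references they assemble. Variable names are those of the procedure.

# Source release image that `oc adm release mirror` pulls from.
release_image_ref() {
    echo "quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}"
}

# Pinned release image in the local mirror (the --to-release-image value).
local_release_image() {
    echo "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}"
}

# The dry-run review command from the procedure, assembled but not executed.
mirror_review_command() {
    echo "oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=$(release_image_ref)" \
         "--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} --to-release-image=$(local_release_image) --dry-run"
}

# Report one problem on stderr and count it.
problem() {
    echo "mirror-env: $1" >&2
    PROBLEMS=$((PROBLEMS + 1))
}

# Check every variable the procedure exports. Returns 0 when all checks pass.
validate_mirror_env() {
    PROBLEMS=0
    case "$OCP_RELEASE" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) problem "OCP_RELEASE must be a release tag such as 4.5.4 (got '${OCP_RELEASE}')" ;;
    esac
    case "$ARCHITECTURE" in
        x86_64|aarch64|s390x|ppc64le) ;;
        *) problem "ARCHITECTURE must be x86_64, aarch64, s390x or ppc64le (got '${ARCHITECTURE}')" ;;
    esac
    [ "$PRODUCT_REPO" = openshift-release-dev ] || problem "PRODUCT_REPO must be openshift-release-dev for a production release"
    [ "$RELEASE_NAME" = ocp-release ] || problem "RELEASE_NAME must be ocp-release for a production release"
    case "$LOCAL_REGISTRY" in
        *:[0-9]*) ;;
        *) problem "LOCAL_REGISTRY must be <host>:<port> (got '${LOCAL_REGISTRY}')" ;;
    esac
    [ -n "$LOCAL_REPOSITORY" ] || problem "LOCAL_REPOSITORY is empty; use a name such as ocp4/openshift4"
    case "$REMOVABLE_MEDIA_PATH" in
        /*) ;;
        *) problem "REMOVABLE_MEDIA_PATH must start with / (got '${REMOVABLE_MEDIA_PATH}')" ;;
    esac
    if [ ! -r "$LOCAL_SECRET_JSON" ]; then
        problem "LOCAL_SECRET_JSON is not a readable file (got '${LOCAL_SECRET_JSON}')"
    elif ! grep -q '"auths"' "$LOCAL_SECRET_JSON"; then
        problem "LOCAL_SECRET_JSON does not look like a registry pull secret (no \"auths\" key)"
    fi
    [ "$PROBLEMS" -eq 0 ]
}
```

Source the script after exporting the variables and run `validate_mirror_env && mirror_review_command` to see the exact command that will be executed; the pull secret check only looks for the auths key, so a secret for the wrong registry still passes and is caught by the dry run itself.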
3.4. Using Cluster Samples Operator image streams with alternate or mirrored registries
Most image streams in the openshift namespace managed by the Cluster Samples Operator point to images located in the Red Hat registry at registry.redhat.io.
The cli, installer, must-gather, and tests image streams, while part of the install payload, are not managed by the Cluster Samples Operator. These are not addressed in this procedure.
The Cluster Samples Operator must be set to Managed in a disconnected environment. To install the image streams, you must have a mirrored registry.
Prerequisites
- Access to the cluster as a user with the cluster-admin role.
- Create a pull secret for your mirror registry.
Procedure
- Access the images of a specific image stream to mirror, for example:
  $ oc get is <imagestream> -n openshift -o json | jq .spec.tags[].from.name | grep registry.redhat.io
- Mirror images from registry.redhat.io associated with any image streams you need:
  $ oc image mirror registry.redhat.io/rhscl/ruby-25-rhel7:latest ${MIRROR_ADDR}/rhscl/ruby-25-rhel7:latest
- Create the cluster’s image configuration object:
  $ oc create configmap registry-config --from-file=${MIRROR_ADDR_HOSTNAME}..5000=$path/ca.crt -n openshift-config
- Add the required trusted CAs for the mirror in the cluster’s image configuration object:
  $ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge
- Update the samplesRegistry field in the Cluster Samples Operator configuration object to contain the hostname portion of the mirror location defined in the mirror configuration:
  $ oc edit configs.samples.operator.openshift.io -n openshift-cluster-samples-operator
  Note: This is required because the image stream import process does not use the mirror or search mechanism at this time.
- Add any image streams that are not mirrored into the skippedImagestreams field of the Cluster Samples Operator configuration object. Or, if you do not want to support any of the sample image streams, set the Cluster Samples Operator to Removed in the Cluster Samples Operator configuration object.
  Note: The Cluster Samples Operator issues alerts if image stream imports are failing but the Cluster Samples Operator is either periodically retrying or does not appear to be retrying them. Many of the templates in the openshift namespace reference the image streams. So using Removed to purge both the image streams and templates will eliminate the possibility of attempts to use them if they are not functional because of any missing image streams.
3.4.1. Cluster Samples Operator assistance for mirroring
During installation, OpenShift Container Platform creates a config map named imagestreamtag-to-image in the openshift-cluster-samples-operator namespace. The imagestreamtag-to-image config map contains an entry, the populating image, for each image stream tag.
The format of the key for each entry in the data field in the config map is <image_stream_name>_<image_stream_tag_name>.
During a disconnected installation of OpenShift Container Platform, the status of the Cluster Samples Operator is set to Removed. If you choose to change it to Managed, it installs samples.
The use of samples in a network-restricted or discontinued environment may require access to services external to your network. Some example services include: GitHub, Maven Central, npm, RubyGems, PyPI and others. There might be additional steps to take that allow the Cluster Samples Operator’s objects to reach the services they require.
You can use this config map as a reference for which images need to be mirrored for your image streams to import.
- While the Cluster Samples Operator is set to Removed, you can create your mirrored registry, or determine which existing mirrored registry you want to use.
- Mirror the samples you want to the mirrored registry using the new config map as your guide.
- Add any of the image streams you did not mirror to the skippedImagestreams list of the Cluster Samples Operator configuration object.
- Set samplesRegistry of the Cluster Samples Operator configuration object to the mirrored registry.
- Then set the Cluster Samples Operator to Managed to install the image streams you have mirrored.
See Using Cluster Samples Operator image streams with alternate or mirrored registries for a detailed procedure.
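The two pieces of the samples procedure that are easy to get wrong are the values derived from the mirror address (the hostname for samplesRegistry, and the double-dot form of host:port that the additionalTrustedCA config map key requires, as in ${MIRROR_ADDR_HOSTNAME}..5000 above) and the bookkeeping of which image streams were mirrored and which must go into skippedImagestreams. The script below is an added example, not part of the OpenShift documentation or the Cluster Samples Operator, that covers both the section 3.4 procedure and the 3.4.1 config map walk-through: it reads imagestreamtag-to-image data in the documented <image_stream_name>_<image_stream_tag_name> key format, prints the oc image mirror lines for the streams you want, and lists the rest for skippedImagestreams. The config map data and the mirror host are constructed samples.

```shell
#!/bin/sh
# Added example (not from the OpenShift documentation): plan the samples mirror
# from a copy of the imagestreamtag-to-image config map data. Commands are
# printed, not executed. Sample data and mirror address are constructed.

# Constructed copy of the config map data, one key=value entry per line,
# as `oc get cm imagestreamtag-to-image -n openshift-cluster-samples-operator`
# would show it after flattening.
write_sample_map() {
    cat >"$1" <<'EOF'
ruby_2.5=registry.redhat.io/rhscl/ruby-25-rhel7:latest
ruby_2.6=registry.redhat.io/rhscl/ruby-26-rhel7:latest
httpd_2.4=registry.redhat.io/rhscl/httpd-24-rhel7:latest
perl_5.26=registry.redhat.io/rhscl/perl-526-rhel7:latest
EOF
}

# Rewrite a registry.redhat.io reference to the same path on the mirror:
# samplesRegistry only swaps the registry host, so the path must not change.
mirror_target() {
    case "$2" in
        registry.redhat.io/*) echo "$1/${2#registry.redhat.io/}" ;;
        *) echo "$2" ;;   # references to other registries are left alone
    esac
}

# Hostname portion of host:port, the value for the samplesRegistry field.
samples_registry_host() {
    echo "${1%%:*}"
}

# Config map key for the mirror CA: a colon is not allowed in a key, so
# host:port is written as host..port (the ${MIRROR_ADDR_HOSTNAME}..5000 form).
registry_ca_key() {
    case "$1" in
        *:*) echo "${1%%:*}..${1##*:}" ;;
        *) echo "$1" ;;
    esac
}

# True when $1 is one of the space-separated names in $2.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# One "oc image mirror <src> <dst>" line per tag of each wanted image stream.
# $1 = map file, $2 = mirror address, $3 = space-separated stream names.
mirror_commands() {
    while IFS='=' read -r key src; do
        [ -n "$key" ] || continue
        in_list "${key%%_*}" "$3" || continue
        echo "oc image mirror $src $(mirror_target "$2" "$src")"
    done <"$1"
}

# Image stream names that were not mirrored, for the skippedImagestreams field.
skipped_imagestreams() {
    while IFS='=' read -r key src; do
        [ -n "$key" ] || continue
        in_list "${key%%_*}" "$2" || echo "${key%%_*}"
    done <"$1" | sort -u
}
```

The stream name is taken as everything before the first underscore in the key, which is safe because Kubernetes object names cannot contain underscores; every tag of a wanted stream is mirrored, since the image stream import fails for any tag whose image is missing from the mirror.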
Chapter 4. Creating images
Learn how to create your own container images, based on pre-built images that are ready to help you. The process includes learning best practices for writing images, defining metadata for images, testing images, and using a custom builder workflow to create images to use with OpenShift Container Platform. After you create an image, you can push it to the OpenShift image registry.
4.1. Learning container best practices
When creating container images to run on OpenShift Container Platform there are a number of best practices to consider as an image author to ensure a good experience for consumers of those images. Because images are intended to be immutable and used as-is, the following guidelines help ensure that your images are highly consumable and easy to use on OpenShift Container Platform.
4.1.1. General container image guidelines
The following guidelines apply when creating a container image in general, and are independent of whether the images are used on OpenShift Container Platform.
4.1.1.1. Reuse images
						Wherever possible, base your image on an appropriate upstream image using the FROM statement. This ensures your image can easily pick up security fixes from an upstream image when it is updated, rather than you having to update your dependencies directly.
					
						In addition, use tags in the FROM instruction, for example, rhel:rhel7, to make it clear to users exactly which version of an image your image is based on. Using a tag other than latest ensures your image is not subjected to breaking changes that might go into the latest version of an upstream image.
					
4.1.1.2. Maintain compatibility within tags
						When tagging your own images, try to maintain backwards compatibility within a tag. For example, if you provide an image named image and it currently includes version 1.0, you might provide a tag of image:v1. When you update the image, as long as it continues to be compatible with the original image, you can continue to tag the new image image:v1, and downstream consumers of this tag are able to get updates without being broken.
					
						If you later release an incompatible update, then switch to a new tag, for example image:v2. This allows downstream consumers to move up to the new version at will, but not be inadvertently broken by the new incompatible image. Any downstream consumer using image:latest takes on the risk of any incompatible changes being introduced.
					
4.1.1.3. Avoid multiple processes
						Do not start multiple services, such as a database and SSHD, inside one container. This is not necessary because containers are lightweight and can be easily linked together for orchestrating multiple processes. OpenShift Container Platform allows you to easily colocate and co-manage related images by grouping them into a single pod.
					
This colocation ensures the containers share a network namespace and storage for communication. Updates are also less disruptive as each image can be updated less frequently and independently. Signal handling flows are also clearer with a single process as you do not have to manage routing signals to spawned processes.
4.1.1.4. Use exec in wrapper scripts
						Many images use wrapper scripts to do some setup before starting a process for the software being run. If your image uses such a script, that script uses exec so that the script’s process is replaced by your software. If you do not use exec, then signals sent by your container runtime go to your wrapper script instead of your software’s process. This is not what you want.
					
Suppose you have a wrapper script that starts a process for some server. You start your container, for example, using podman run -i, which runs the wrapper script, which in turn starts your process. Now you want to close your container with CTRL+C. If your wrapper script used exec to start the server process, podman sends SIGINT to the server process, and everything works as you expect. If you did not use exec in your wrapper script, podman sends SIGINT to the process for the wrapper script and your process keeps running like nothing happened.
						Also note that your process runs as PID 1 when running in a container. This means that if your main process terminates, the entire container is stopped, canceling any child processes you launched from your PID 1 process.
					
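The difference the guideline describes can be observed directly. The script below is an added example, not part of the OpenShift documentation: it writes two wrapper scripts that differ only in whether they exec the server, starts each one, sends the wrapper's PID the SIGTERM that a container runtime sends on stop, and reports whether the server died with the wrapper or was left running. sleep 60 stands in for the server process, and the scripts and PID files are written to a constructed temporary directory.

```shell
#!/bin/sh
# Added example (not from the OpenShift documentation): demonstrate why a
# wrapper script must exec the real process. `sleep 60` stands in for the
# server; wrappers and PID files live in a constructed temporary directory.

WORKDIR=$(mktemp -d)

# Write two wrappers. Each takes one argument: a file the server writes its
# PID into, so the demo can probe the server after the wrapper is signalled.
write_wrappers() {
    cat >"$WORKDIR/with-exec.sh" <<'EOF'
#!/bin/sh
: "setup work would go here"
# exec replaces this shell with the server: the wrapper's PID (PID 1 in a
# container) becomes the server's PID, so signals reach the server directly.
exec sh -c 'echo $$ >"$1"; exec sleep 60' server "$1"
EOF
    cat >"$WORKDIR/without-exec.sh" <<'EOF'
#!/bin/sh
: "setup work would go here"
# No exec: the server is a child of this shell, which keeps the wrapper's PID
# and receives every signal the runtime sends.
sh -c 'echo $$ >"$1"; exec sleep 60' server "$1"
EOF
}

# Start a wrapper in the background, send SIGTERM to the wrapper's PID, and
# print "stopped" if the server died with it or "orphaned" if it kept running.
server_state_after_term() {
    pidfile="$WORKDIR/$(basename "$1").pid"
    rm -f "$pidfile"
    sh "$1" "$pidfile" >/dev/null 2>&1 &
    wrapper_pid=$!
    tries=0
    while [ ! -s "$pidfile" ] && [ "$tries" -lt 10 ]; do   # wait for the server's PID
        sleep 1
        tries=$((tries + 1))
    done
    server_pid=$(cat "$pidfile")
    kill -TERM "$wrapper_pid" 2>/dev/null || true
    wait "$wrapper_pid" 2>/dev/null || true      # reap the wrapper before probing
    if kill -0 "$server_pid" 2>/dev/null; then
        kill -TERM "$server_pid" 2>/dev/null || true   # clean up the orphan
        echo orphaned
    else
        echo stopped
    fi
}

# Remove the constructed scripts and PID files.
cleanup_demo() {
    rm -rf "$WORKDIR"
}
```

Run write_wrappers and then server_state_after_term on each script: the exec version prints stopped, the other prints orphaned, which in a container means the runtime's stop request ended the wrapper (PID 1) while the server was killed only when the whole container was torn down.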
4.1.1.5. Clean temporary files
						Remove all temporary files you create during the build process. This also includes any files added with the ADD command. For example, run the yum clean command after performing yum install operations.
					
						You can prevent the yum cache from ending up in an image layer by creating your RUN statement as follows:
					
RUN yum -y install mypackage && yum -y install myotherpackage && yum clean all -y
Note that if you instead write:
RUN yum -y install mypackage
RUN yum -y install myotherpackage && yum clean all -y
						Then the first yum invocation leaves extra files in that layer, and these files cannot be removed when the yum clean operation is run later. The extra files are not visible in the final image, but they are present in the underlying layers.
					
						The current container build process does not allow a command run in a later layer to shrink the space used by the image when something was removed in an earlier layer. However, this may change in the future. This means that if you perform an rm command in a later layer, although the files are hidden it does not reduce the overall size of the image to be downloaded. Therefore, as with the yum clean example, it is best to remove files in the same command that created them, where possible, so they do not end up written to a layer.
					
						In addition, performing multiple commands in a single RUN statement reduces the number of layers in your image, which improves download and extraction time.
					
4.1.1.6. Place instructions in the proper order
						The container builder reads the Dockerfile and runs the instructions from top to bottom. Every instruction that is successfully executed creates a layer which can be reused the next time this or another image is built. It is very important to place instructions that rarely change at the top of your Dockerfile. Doing so ensures the next builds of the same image are very fast because the cache is not invalidated by upper layer changes.
					
						For example, if you are working on a Dockerfile that contains an ADD command to install a file you are iterating on, and a RUN command to yum install a package, it is best to put the ADD command last:
					
FROM foo
RUN yum -y install mypackage && yum clean all -y
ADD myfile /test/myfile
						This way each time you edit myfile and rerun podman build or docker build, the system reuses the cached layer for the yum command and only generates the new layer for the ADD operation.
					
						If instead you wrote the Dockerfile as:
					
FROM foo
ADD myfile /test/myfile
RUN yum -y install mypackage && yum clean all -y
						Then each time you changed myfile and reran podman build or docker build, the ADD operation would invalidate the RUN layer cache, so the yum operation must be rerun as well.
					
4.1.1.7. Mark important ports
						The EXPOSE instruction makes a port in the container available to the host system and other containers. While it is possible to specify that a port should be exposed with a podman run invocation, using the EXPOSE instruction in a Dockerfile makes it easier for both humans and software to use your image by explicitly declaring the ports your software needs to run:
					
- Exposed ports show up under podman ps associated with containers created from your image.
- Exposed ports are present in the metadata for your image returned by podman inspect.
- Exposed ports are linked when you link one container to another.
4.1.1.8. Set environment variables
						It is good practice to set environment variables with the ENV instruction. One example is to set the version of your project. This makes it easy for people to find the version without looking at the Dockerfile. Another example is advertising a path on the system that could be used by another process, such as JAVA_HOME.
					
4.1.1.9. Avoid default passwords
Avoid setting default passwords. Many people extend the image and forget to remove or change the default password. This can lead to security issues if a user in production is assigned a well-known password. Passwords are configurable using an environment variable instead.
If you do choose to set a default password, ensure that an appropriate warning message is displayed when the container is started. The message should inform the user of the value of the default password and explain how to change it, such as what environment variable to set.
4.1.1.10. Avoid sshd
						It is best to avoid running sshd in your image. You can use the podman exec or docker exec command to access containers that are running on the local host. Alternatively, you can use the oc exec command or the oc rsh command to access containers that are running on the OpenShift Container Platform cluster. Installing and running sshd in your image opens up additional vectors for attack and requirements for security patching.
					
4.1.1.11. Use volumes for persistent data
Images use a volume for persistent data. This way OpenShift Container Platform mounts the network storage to the node running the container, and if the container moves to a new node the storage is reattached to that node. By using the volume for all persistent storage needs, the content is preserved even if the container is restarted or moved. If your image writes data to arbitrary locations within the container, that content could not be preserved.
						All data that needs to be preserved even after the container is destroyed must be written to a volume. Container engines support a readonly flag for containers, which can be used to strictly enforce good practices about not writing data to ephemeral storage in a container. Designing your image around that capability now makes it easier to take advantage of it later.
					
						Explicitly defining volumes in your Dockerfile makes it easy for consumers of the image to understand what volumes they must define when running your image.
					
See the Kubernetes documentation for more information on how volumes are used in OpenShift Container Platform.
Even with persistent volumes, each instance of your image has its own volume, and the filesystem is not shared between instances. This means the volume cannot be used to share state in a cluster.
4.1.2. OpenShift Container Platform-specific guidelines
The following are guidelines that apply when creating container images specifically for use on OpenShift Container Platform.
4.1.2.1. Enable images for source-to-image (S2I)
For images that are intended to run application code provided by a third party, such as a Ruby image designed to run Ruby code provided by a developer, you can enable your image to work with the Source-to-Image (S2I) build tool. S2I is a framework that makes it easy to write images that take application source code as an input and produce a new image that runs the assembled application as output.
4.1.2.2. Support arbitrary user ids
By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.
For an image to support running as an arbitrary user, directories and files that are written to by processes in the image must be owned by the root group and be read/writable by that group. Files to be executed must also have group execute permissions.
Adding the following to your Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image:
RUN chgrp -R 0 /some/directory && \
    chmod -R g=u /some/directory
Because the container user is always a member of the root group, the container user can read and write these files.
							Care must be taken when altering the directories and file permissions of the sensitive areas of a container. If applied to sensitive areas, such as the /etc/passwd file, such changes can allow the modification of these files by unintended users, potentially exposing the container or host. CRI-O supports the insertion of arbitrary user IDs into a container’s /etc/passwd file. As such, changing permissions is never required.
						
							Additionally, the /etc/passwd file should not exist in any container image. If it does, the CRI-O container runtime will fail to inject a random UID into the /etc/passwd file. In such cases, the container might face challenges in resolving the active UID. Failing to meet this requirement could impact the functionality of certain containerized applications.
						
In addition, the processes running in the container must not listen on privileged ports, ports below 1024, since they are not running as a privileged user.
							If your S2I image does not include a USER declaration with a numeric user, your builds fail by default. To allow images that use either named users or the root 0 user to build in OpenShift Container Platform, you can add the project’s builder service account, system:serviceaccount:<your-project>:builder, to the anyuid security context constraint (SCC). Alternatively, you can allow all images to run as any user.
						
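Whether the chgrp/chmod step above actually covered every path the application writes to is worth checking in the built image rather than trusting the Dockerfile. The script below is an added example, not part of the OpenShift documentation: it walks a directory tree and lists every path whose group permission bits differ from the owner bits, which is exactly the condition chmod -R g=u is meant to remove, and then applies the fix. Run it inside the image (for example with podman run --rm <image> sh audit.sh /opt/app, where the image name and path are placeholders) before relying on arbitrary user IDs. The fixture tree in the test is constructed; the chgrp -R 0 half of the guideline is left out because changing a file's group to root needs root or root-group membership, which a test run as an ordinary user does not have.

```shell
#!/bin/sh
# Added example (not from the OpenShift documentation): audit a tree for paths
# an arbitrary UID in the root group could not use because the group bits do
# not match the owner bits, then apply the `chmod -R g=u` fix.

# Print every path under $1 whose group bits (rwx) differ from the owner bits.
paths_without_group_eq_user() {
    list=$(mktemp)
    find "$1" -print >"$list"
    while IFS= read -r path; do
        set -- $(ls -ldn "$path")      # $1 = mode string such as drwxr-x---
        owner_bits=$(printf '%s' "$1" | cut -c2-4)
        group_bits=$(printf '%s' "$1" | cut -c5-7)
        [ "$owner_bits" = "$group_bits" ] || echo "$path owner=$owner_bits group=$group_bits"
    done <"$list"
    rm -f "$list"
}

# Number of offending paths; 0 means the tree is ready for an arbitrary UID.
mismatch_count() {
    paths_without_group_eq_user "$1" | awk 'END { print NR }'
}

# The fix from the guideline: copy the owner bits onto the group bits.
fix_group_eq_user() {
    chmod -R g=u "$1"
}

# Constructed fixture: an application directory as a build might leave it,
# with two paths that the group cannot write. Prints the directory to audit.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/app/data"
    : >"$root/app/config.yaml"
    : >"$root/app/data/cache.db"
    chmod 750 "$root/app"               # drwxr-x---: group lacks write
    chmod 640 "$root/app/config.yaml"   # -rw-r-----: group lacks write
    chmod 775 "$root/app/data"          # already g=u
    chmod 660 "$root/app/data/cache.db" # already g=u
    echo "$root/app"
}
```

The audit compares only the three owner and group permission characters of the ls -ldn mode string, so setuid or ACL markers elsewhere in the string do not disturb it; it deliberately does not touch anything under /etc, in line with the warning above that permission changes there are not needed and can expose the container.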
4.1.2.3. Use services for inter-image communication
For cases where your image needs to communicate with a service provided by another image, such as a web front end image that needs to access a database image to store and retrieve data, your image consumes an OpenShift Container Platform service. Services provide a static endpoint for access which does not change as containers are stopped, started, or moved. In addition, services provide load balancing for requests.
4.1.2.4. Provide common libraries
For images that are intended to run application code provided by a third party, ensure that your image contains commonly used libraries for your platform. In particular, provide database drivers for common databases used with your platform. For example, provide JDBC drivers for MySQL and PostgreSQL if you are creating a Java framework image. Doing so prevents the need for common dependencies to be downloaded during application assembly time, speeding up application image builds. It also simplifies the work required by application developers to ensure all of their dependencies are met.
4.1.2.5. Use environment variables for configuration
Users of your image are able to configure it without having to create a downstream image based on your image. This means that the runtime configuration is handled using environment variables. For a simple configuration, the running process can consume the environment variables directly. For a more complicated configuration or for runtimes which do not support this, configure the runtime by defining a template configuration file that is processed during startup. During this processing, values supplied using environment variables can be substituted into the configuration file or used to make decisions about what options to set in the configuration file.
It is also possible and recommended to pass secrets such as certificates and keys into the container using environment variables. This ensures that the secret values do not end up committed in an image and leaked into a container image registry.
Providing environment variables allows consumers of your image to customize behavior, such as database settings, passwords, and performance tuning, without having to introduce a new layer on top of your image. Instead, they can simply define environment variable values when defining a pod and change those settings without rebuilding the image.
For extremely complex scenarios, configuration can also be supplied using volumes that would be mounted into the container at runtime. However, if you elect to do it this way you must ensure that your image provides clear error messages on startup when the necessary volume or configuration is not present.
This topic is related to the Using Services for Inter-image Communication topic in that configuration like datasources are defined in terms of environment variables that provide the service endpoint information. This allows an application to dynamically consume a datasource service that is defined in the OpenShift Container Platform environment without modifying the application image.
						In addition, tuning is done by inspecting the cgroups settings for the container. This allows the image to tune itself to the available memory, CPU, and other resources. For example, Java-based images tune their heap based on the cgroup maximum memory parameter to ensure they do not exceed the limits and get an out-of-memory error.
					
4.1.2.6. Set image metadata
Defining image metadata helps OpenShift Container Platform better consume your container images, allowing OpenShift Container Platform to create a better experience for developers using your image. For example, you can add metadata to provide helpful descriptions of your image, or offer suggestions on other images that are needed.
4.1.2.7. Clustering
You must fully understand what it means to run multiple instances of your image. In the simplest case, the load balancing function of a service handles routing traffic to all instances of your image. However, many frameworks must share information to perform leader election or failover state; for example, in session replication.
Consider how your instances accomplish this communication when running in OpenShift Container Platform. Although pods can communicate directly with each other, their IP addresses change anytime the pod starts, stops, or is moved. Therefore, it is important for your clustering scheme to be dynamic.
4.1.2.8. Logging
It is best to send all logging to standard out. OpenShift Container Platform collects standard out from containers and sends it to the centralized logging service where it can be viewed. If you must separate log content, prefix the output with an appropriate keyword, which makes it possible to filter the messages.
If your image logs to a file, users must use manual operations to enter the running container and retrieve or view the log file.
4.1.2.9. Liveness and readiness probes
Document example liveness and readiness probes that can be used with your image. These probes allow users to deploy your image with confidence that traffic is not routed to the container until it is prepared to handle it, and that the container is restarted if the process gets into an unhealthy state.
4.1.2.10. Templates
Consider providing an example template with your image. A template gives users an easy way to quickly get your image deployed with a working configuration. Your template must include the liveness and readiness probes you documented with the image, for completeness.
4.2. Including metadata in images
Defining image metadata helps OpenShift Container Platform better consume your container images, allowing OpenShift Container Platform to create a better experience for developers using your image. For example, you can add metadata to provide helpful descriptions of your image, or offer suggestions on other images that may also be needed.
This topic only defines the metadata needed by the current set of use cases. Additional metadata or use cases may be added in the future.
4.2.1. Defining image metadata
You can use the LABEL instruction in a Dockerfile to define image metadata. Labels are similar to environment variables in that they are key-value pairs attached to an image or a container. Labels are different from environment variables in that they are not visible to the running application, and they can also be used for fast look-up of images and containers.
See the Docker documentation for more information on the LABEL instruction.
The label names are typically namespaced. The namespace is set accordingly to reflect the project that is going to pick up the labels and use them. For OpenShift Container Platform the namespace is set to io.openshift and for Kubernetes the namespace is io.k8s.
See the Docker custom metadata documentation for details about the format.
| Variable | Description |
|---|---|
| io.openshift.tags | This label contains a list of tags represented as a list of comma-separated string values. The tags are the way to categorize the container images into broad areas of functionality. Tags help UI and generation tools to suggest relevant container images during the application creation process. Example: LABEL io.openshift.tags mongodb,mongodb24,nosql |
| io.openshift.wants | Specifies a list of tags that the generation tools and the UI use to provide relevant suggestions if you do not have the container images with the specified tags already. For example, if the container image wants. Example: LABEL io.openshift.wants mongodb,redis |
| io.k8s.description | This label can be used to give the container image consumers more detailed information about the service or functionality this image provides. The UI can then use this description together with the container image name to provide more human-friendly information to end users. Example: LABEL io.k8s.description The MySQL 5.5 Server with master-slave replication support |
| io.openshift.non-scalable | An image can use this variable to suggest that it does not support scaling. The UI then communicates this to consumers of that image. Being not-scalable means that the value of. Example: LABEL io.openshift.non-scalable true |
| io.openshift.min-memory, io.openshift.min-cpu | This label suggests how many resources the container image needs to work properly. The UI can warn the user that deploying this container image may exceed their user quota. The values must be compatible with Kubernetes quantity. Example: LABEL io.openshift.min-memory 16Gi and LABEL io.openshift.min-cpu 4 |
4.3. Creating images from source code with source-to-image
Source-to-image (S2I) is a framework that makes it easy to write images that take application source code as input and produce a new image that runs the assembled application as output.
The main advantage of using S2I for building reproducible container images is the ease of use for developers. As a builder image author, you must understand two basic concepts, the build process and S2I scripts, in order for your images to provide the best S2I performance.
4.3.1. Understanding the source-to-image build process
The build process consists of the following three fundamental elements, which are combined into a final container image:
- Sources
- Source-to-image (S2I) scripts
- Builder image
					S2I generates a Dockerfile with the builder image as the first FROM instruction. The Dockerfile generated by S2I is then passed to Buildah.
				
4.3.2. How to write source-to-image scripts
You can write source-to-image (S2I) scripts in any programming language, as long as the scripts are executable inside the builder image. S2I supports multiple locations for providing the assemble, run, and save-artifacts scripts. All of these locations are checked on each build in the following order:
- A script specified in the build configuration.
- A script found in the application source .s2i/bin directory.
- A script found at the default image URL with the io.openshift.s2i.scripts-url label.
Both the io.openshift.s2i.scripts-url label specified in the image and the script specified in a build configuration can take one of the following forms:
- image:///path_to_scripts_dir: absolute path inside the image to a directory where the S2I scripts are located.
- file:///path_to_scripts_dir: relative or absolute path to a directory on the host where the S2I scripts are located.
- http(s)://path_to_scripts_dir: URL to a directory where the S2I scripts are located.
| Script | Description |
|---|---|
| assemble | The assemble script builds the application artifacts from the source and places them into the appropriate directories inside the image. S2I requires this script to run a build. |
| run | The run script executes the assembled application. S2I requires this script to run a build. |
| save-artifacts | The save-artifacts script gathers the dependencies that can speed up subsequent builds. These dependencies are gathered into a tar file and streamed to standard output. |
| usage | The usage script prints usage information when someone runs the container image outside of S2I. |
| test/run | The test/run script creates a container from the built image and verifies that it works as expected. Note: The suggested location to put the test application built by your test/run script is the test/test-app directory. |
Example S2I scripts
The following example S2I scripts are written in Bash. Each example assumes its tar contents are unpacked into the /tmp/s2i directory.
assemble script:
run script:
```bash
#!/bin/bash
# run the application
/opt/application/run.sh
```
save-artifacts script:
usage script:
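Because the assemble and save-artifacts bodies above did not survive extraction, here is an added example (not the page's own scripts) of a minimal assemble and save-artifacts pair written as shell functions so they can be exercised locally. It assumes S2I places the source in /tmp/src and previously saved artifacts in /tmp/artifacts; APP_ROOT, deps.txt and the marker-file "build" step are hypothetical stand-ins for a real dependency install.

```shell
#!/bin/sh
# Added example, not from the original page: a minimal S2I "assemble" and
# "save-artifacts" pair. Assumptions: S2I unpacks the application source into
# /tmp/src and restores previously saved artifacts into /tmp/artifacts; the
# application is installed under APP_ROOT (hypothetical path). The "build"
# step is a stand-in that records the dependency names listed in deps.txt.
set -eu

SRC_DIR="${SRC_DIR:-/tmp/src}"
ARTIFACTS_DIR="${ARTIFACTS_DIR:-/tmp/artifacts}"
APP_ROOT="${APP_ROOT:-/opt/app-root/src}"

# assemble: restore artifacts from an earlier build (incremental build),
# copy in the source, then run the build step.
s2i_assemble() {
  if [ -d "$ARTIFACTS_DIR/deps" ]; then
    echo "---> Restoring build artifacts..."
    mkdir -p "$APP_ROOT/deps"
    cp -R "$ARTIFACTS_DIR/deps/." "$APP_ROOT/deps/"
  fi

  echo "---> Installing application source..."
  mkdir -p "$APP_ROOT"
  cp -R "$SRC_DIR/." "$APP_ROOT/"

  echo "---> Building application..."
  mkdir -p "$APP_ROOT/deps"
  if [ -f "$APP_ROOT/deps.txt" ]; then
    # Stand-in for a real dependency install (npm/pip/bundle): one marker
    # file per dependency name, so the restore step above has work to reuse.
    while read -r dep; do
      if [ -n "$dep" ]; then
        touch "$APP_ROOT/deps/$dep"
      fi
    done < "$APP_ROOT/deps.txt"
  fi
}

# save-artifacts: S2I captures stdout as a tar stream, so nothing but the
# archive may be written there; diagnostics must go to stderr.
s2i_save_artifacts() {
  if [ -d "$APP_ROOT/deps" ]; then
    echo "---> Saving build artifacts..." >&2
    tar -C "$APP_ROOT" -cf - deps
  fi
}

# Count dependency markers under APP_ROOT; used to verify an incremental build.
s2i_count_deps() {
  find "$APP_ROOT/deps" -type f | wc -l | tr -d ' '
}
```

Running s2i_assemble, piping s2i_save_artifacts into the artifacts directory, and running s2i_assemble again against a fresh APP_ROOT reproduces the "run the build step once again" check from the testing workflow in section 4.4.4.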
4.4. About testing source-to-image images
As a Source-to-Image (S2I) builder image author, you can test your S2I image locally and use the OpenShift Container Platform build system for automated testing and continuous integration.
S2I requires the assemble and run scripts to be present to successfully run the S2I build. Providing the save-artifacts script reuses the build artifacts, and providing the usage script ensures that usage information is printed to the console when someone runs the container image outside of S2I.
			
The goal of testing an S2I image is to make sure that all of these described commands work properly, even if the base container image has changed or the tooling used by the commands was updated.
4.4.1. Understanding testing requirements
					The standard location for the test script is test/run. This script is invoked by the OpenShift Container Platform S2I image builder and it could be a simple Bash script or a static Go binary.
				
					The test/run script performs the S2I build, so you must have the S2I binary available in your $PATH. If required, follow the installation instructions in the S2I README.
				
					S2I combines the application source code and builder image, so to test it you need a sample application source to verify that the source successfully transforms into a runnable container image. The sample application should be simple, but it should exercise the crucial steps of assemble and run scripts.
				
4.4.2. Generating scripts and tools
The S2I tooling comes with powerful generation tools to speed up the process of creating a new S2I image. The s2i create command produces all the necessary S2I scripts and testing tools along with the Makefile:
```
$ s2i create <image_name> <destination_directory>
```
The generated test/run script must be adjusted to be useful, but it provides a good starting point to begin developing.
The test/run script produced by the s2i create command requires that the sample application sources are inside the test/test-app directory.
4.4.3. Testing locally
					The easiest way to run the S2I image tests locally is to use the generated Makefile.
				
					If you did not use the s2i create command, you can copy the following Makefile template and replace the IMAGE_NAME parameter with your image name.
				
Sample Makefile
4.4.4. Basic testing workflow
The test script assumes you have already built the image you want to test. If required, first build the S2I image by running one of the following commands:
- If you use Podman:
```
$ podman build -t <builder_image_name>
```
- If you use Docker:
```
$ docker build -t <builder_image_name>
```
The following steps describe the default workflow to test S2I image builders:
1. Verify the usage script is working. If you use Podman:
```
$ podman run <builder_image_name> .
```
If you use Docker:
```
$ docker run <builder_image_name> .
```
2. Build the image:
```
$ s2i build file:///path-to-sample-app <BUILDER_IMAGE_NAME> <OUTPUT_APPLICATION_IMAGE_NAME>
```
3. Optional: if you support save-artifacts, run step 2 once again to verify that saving and restoring artifacts works properly.
4. Run the container. If you use Podman:
```
$ podman run <output_application_image_name>
```
If you use Docker:
```
$ docker run <output_application_image_name>
```
5. Verify the container is running and the application is responding.
Running these steps is generally enough to tell if the builder image is working as expected.
4.4.5. Using OpenShift Container Platform for building the image
					Once you have a Dockerfile and the other artifacts that make up your new S2I builder image, you can put them in a git repository and use OpenShift Container Platform to build and push the image. Define a Docker build that points to your repository.
				
If your OpenShift Container Platform instance is hosted on a public IP address, the build can be triggered each time you push into your S2I builder image GitHub repository.
					You can also use the ImageChangeTrigger to trigger a rebuild of your applications that are based on the S2I builder image you updated.
				
Chapter 5. Managing images
5.1. Managing images overview
With OpenShift Container Platform you can interact with images and set up image streams, depending on where the registries of the images are located, any authentication requirements around those registries, and how you want your builds and deployments to behave.
5.1.1. Images overview
An image stream comprises any number of container images identified by tags. It presents a single virtual view of related images, similar to a container image repository.
By watching an image stream, builds and deployments can receive notifications when new images are added or modified and react by performing a build or deployment, respectively.
5.2. Tagging images
The following sections provide an overview and instructions for using image tags in the context of container images for working with OpenShift Container Platform image streams and their tags.
5.2.1. Image tags
An image tag is a label applied to a container image in a repository that distinguishes a specific image from other images in an image stream. Typically, the tag represents a version number of some sort. For example, here :v3.11.59-2 is the tag:
```
registry.access.redhat.com/openshift3/jenkins-2-rhel7:v3.11.59-2
```
You can add additional tags to an image. For example, an image might be assigned the tags :v3.11.59-2 and :latest.
OpenShift Container Platform provides the oc tag command, which is similar to the docker tag command, but operates on image streams instead of directly on images.
5.2.2. Image tag conventions
Images evolve over time and their tags reflect this. Generally, an image tag always points to the latest image built.
					If there is too much information embedded in a tag name, like v2.0.1-may-2019, the tag points to just one revision of an image and is never updated. Using default image pruning options, such an image is never removed. In very large clusters, the schema of creating new tags for every revised image could eventually fill up the etcd datastore with excess tag metadata for images that are long outdated.
				
					If the tag is named v2.0, image revisions are more likely. This results in longer tag history and, therefore, the image pruner is more likely to remove old and unused images.
				
					Although tag naming convention is up to you, here are a few examples in the format <image_name>:<image_tag>:
				
| Description | Example |
|---|---|
| Revision | myimage:v2.0.1 |
| Architecture | myimage:v2.0-x86_64 |
| Base image | myimage:v1.2-centos7 |
| Latest (potentially unstable) | myimage:latest |
| Latest stable | myimage:stable |
					If you require dates in tag names, periodically inspect old and unsupported images and istags and remove them. Otherwise, you can experience increasing resource usage caused by retaining old images.
				
5.2.3. Adding tags to image streams
An image stream in OpenShift Container Platform comprises zero or more container images identified by tags.
					There are different types of tags available. The default behavior uses a permanent tag, which points to a specific image in time. If the permanent tag is in use and the source changes, the tag does not change for the destination.
				
					A tracking tag means the destination tag’s metadata is updated during the import of the source tag.
				
Procedure
- You can add tags to an image stream using the oc tag command:
```
$ oc tag <source> <destination>
```
For example, to configure the ruby image stream static-2.0 tag to always refer to the current image for the ruby image stream 2.0 tag:
```
$ oc tag ruby:2.0 ruby:static-2.0
```
This creates a new image stream tag named static-2.0 in the ruby image stream. The new tag directly references the image id that the ruby:2.0 image stream tag pointed to at the time oc tag was run, and the image it points to never changes.
- To ensure the destination tag is updated when the source tag changes, use the --alias=true flag:
```
$ oc tag --alias=true <source> <destination>
```
Use a tracking tag for creating permanent aliases, for example, latest or stable. The tag only works correctly within a single image stream. Trying to create a cross-image stream alias produces an error.
- You can also add the --scheduled=true flag to have the destination tag be refreshed, or re-imported, periodically. The period is configured globally at the system level.
- The --reference flag creates an image stream tag that is not imported. The tag points to the source location, permanently.
If you want to instruct OpenShift Container Platform to always fetch the tagged image from the integrated registry, use --reference-policy=local. The registry uses the pull-through feature to serve the image to the client. By default, the image blobs are mirrored locally by the registry. As a result, they can be pulled more quickly the next time they are needed. The flag also allows for pulling from insecure registries without a need to supply --insecure-registry to the container runtime, as long as the image stream has an insecure annotation or the tag has an insecure import policy.
5.2.4. Removing tags from image streams
You can remove tags from an image stream.
Procedure
- To remove a tag completely from an image stream run:
```
$ oc delete istag/ruby:latest
```
or:
```
$ oc tag -d ruby:latest
```
5.2.5. Referencing images in imagestreams
You can use tags to reference images in image streams using the following reference types.
| Reference type | Description |
|---|---|
| ImageStreamTag | An ImageStreamTag is used to reference or retrieve an image for a given image stream and tag. |
| ImageStreamImage | An ImageStreamImage is used to reference or retrieve an image for a given image stream and image sha ID. |
| DockerImage | A DockerImage is used to reference or retrieve an image for a given external registry. |
When viewing example image stream definitions you may notice they contain definitions of ImageStreamTag and references to DockerImage, but nothing related to ImageStreamImage.
This is because the ImageStreamImage objects are automatically created in OpenShift Container Platform when you import or tag an image into the image stream. You should never have to explicitly define an ImageStreamImage object in any image stream definition that you use to create image streams.
Procedure
- To reference an image for a given image stream and tag, use ImageStreamTag:
```
<image_stream_name>:<tag>
```
- To reference an image for a given image stream and image sha ID, use ImageStreamImage:
```
<image_stream_name>@<id>
```
The <id> is an immutable identifier for a specific image, also called a digest.
- To reference or retrieve an image for a given external registry, use DockerImage:
```
openshift/ruby-20-centos7:2.0
```
Note: When no tag is specified, it is assumed the latest tag is used.
You can also reference a third-party registry:
```
registry.redhat.io/rhel7:latest
```
Or an image with a digest:
```
centos/ruby-22-centos7@sha256:3a335d7d8a452970c5b4054ad7118ff134b3a6b50a2bb6d0c07c746e8986b28e
```
5.3. Image pull policy
Each container in a pod has a container image. After you have created an image and pushed it to a registry, you can then refer to it in the pod.
5.3.1. Image pull policy overview
When OpenShift Container Platform creates containers, it uses the container imagePullPolicy to determine if the image should be pulled prior to starting the container. There are three possible values for imagePullPolicy:
| Value | Description |
|---|---|
| Always | Always pull the image. |
| IfNotPresent | Only pull the image if it does not already exist on the node. |
| Never | Never pull the image. |
If a container imagePullPolicy parameter is not specified, OpenShift Container Platform sets it based on the image tag:
- If the tag is latest, OpenShift Container Platform defaults imagePullPolicy to Always.
- Otherwise, OpenShift Container Platform defaults imagePullPolicy to IfNotPresent.
5.4. Using image pull secrets
If you are using the OpenShift image registry and are pulling from image streams located in the same project, then your pod service account should already have the correct permissions and no additional action should be required.
However, for other scenarios, such as referencing images across OpenShift Container Platform projects or from secured registries, additional configuration steps are required.
				You can obtain the image pull secret from Red Hat OpenShift Cluster Manager. This pull secret is called pullSecret.
			
You use this pull secret to authenticate with the services that are provided by the included authorities, Quay.io and registry.redhat.io, which serve the container images for OpenShift Container Platform components.
5.4.1. Allowing pods to reference images across projects
					When using the OpenShift image registry, to allow pods in project-a to reference images in project-b, a service account in project-a must be bound to the system:image-puller role in project-b.
				
When you create a pod service account or a namespace, wait until the service account is provisioned with a docker pull secret; if you create a pod before its service account is fully provisioned, the pod fails to access the OpenShift image registry.
Procedure
- To allow pods in project-a to reference images in project-b, bind a service account in project-a to the system:image-puller role in project-b:
```
$ oc policy add-role-to-user \
    system:image-puller system:serviceaccount:project-a:default \
    --namespace=project-b
```
After adding that role, the pods in project-a that reference the default service account are able to pull images from project-b.
- To allow access for any service account in project-a, use the group:
```
$ oc policy add-role-to-group \
    system:image-puller system:serviceaccounts:project-a \
    --namespace=project-b
```
5.4.2. Allowing pods to reference images from other secured registries
To pull a secured container from other private or secured registries, you must create a pull secret from your container client credentials, such as Docker or Podman, and add it to your service account.
Both Docker and Podman use a configuration file to store the authentication details used to log in to a secured or insecure registry:
- Docker: By default, Docker uses $HOME/.docker/config.json.
- Podman: By default, Podman uses $HOME/.config/containers/auth.json.
These files store your authentication information if you have previously logged in to a secured or insecure registry.
						Both Docker and Podman credential files and the associated pull secret can contain multiple references to the same registry if they have unique paths, for example, quay.io and quay.io/<example_repository>. However, neither Docker nor Podman support multiple entries for the exact same registry path.
					
Example config.json file
Example pull secret
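To make the two file formats in this section concrete, here is an added example (not from the Red Hat documentation) that generates a config.json from constructed registry logins, checks it for the duplicate registry entries that neither client supports, and renders the equivalent kubernetes.io/dockerconfigjson Secret manifest. Registry hosts, user names and passwords are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a Docker/Podman-style
# config.json, checks it for duplicate registry keys, and prints the Secret
# manifest that "oc create secret generic ... --type=kubernetes.io/dockerconfigjson"
# would produce from that file. All registry names and credentials are placeholders.
set -eu

# The "auth" field is base64("user:password"). This is encoding, not
# encryption, so the file must be protected like any other credential.
registry_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print a config.json with one entry per argument of the form host=user=pass
# (user names must not contain "=", passwords may).
make_config_json() {
  first=1
  printf '{\n  "auths": {\n'
  for entry in "$@"; do
    host=${entry%%=*}; rest=${entry#*=}
    user=${rest%%=*}; pass=${rest#*=}
    [ "$first" -eq 1 ] || printf ',\n'
    first=0
    printf '    "%s": {\n      "auth": "%s"\n    }' "$host" "$(registry_auth "$user" "$pass")"
  done
  printf '\n  }\n}\n'
}

# Fail if the same registry path appears more than once under "auths":
# Docker and Podman reject such files, so catch it before creating the secret.
check_duplicate_registries() {
  dups=$(grep -o '"[^"]*": *{' "$1" | grep -v '"auths"' | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "duplicate registry entries: $dups" >&2
    return 1
  fi
}

# Print the Secret manifest equivalent to:
#   oc create secret generic NAME --from-file=.dockerconfigjson=FILE \
#     --type=kubernetes.io/dockerconfigjson
make_pull_secret_manifest() {
  name=$1; file=$2
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(base64 < "$file" | tr -d '\n')
EOF
}
```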
5.4.2.1. Creating a pull secret
Procedure
- Create a secret from an existing authentication file:
  - For Docker clients using .docker/config.json, enter the following command:
```
$ oc create secret generic <pull_secret_name> \
    --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
    --type=kubernetes.io/dockerconfigjson
```
  - For Podman clients using .config/containers/auth.json, enter the following command:
```
$ oc create secret generic <pull_secret_name> \
    --from-file=<path/to/.config/containers/auth.json> \
    --type=kubernetes.io/podmanconfigjson
```
- If you do not already have a Docker credentials file for the secured registry, you can create a secret by running the following command:
```
$ oc create secret docker-registry <pull_secret_name> \
    --docker-server=<registry_server> \
    --docker-username=<user_name> \
    --docker-password=<password> \
    --docker-email=<email>
```
5.4.2.2. Using a pull secret in a workload
You can use a pull secret to allow workloads to pull images from a private registry with one of the following methods:
- By linking the secret to a ServiceAccount, which automatically applies the secret to all pods using that service account.
- By defining imagePullSecrets directly in workload configurations, which is useful for environments like GitOps or ArgoCD.
Procedure
- You can use a secret for pulling images for pods by adding the secret to your service account. Note that the name of the service account should match the name of the service account that the pod uses. The default service account is default. Enter the following command to link the pull secret to a ServiceAccount:
```
$ oc secrets link default <pull_secret_name> --for=pull
```
- To verify the change, enter the following command:
```
$ oc get serviceaccount default -o yaml
```
Example output
- Instead of linking the secret to a service account, you can alternatively reference it directly in your pod or workload definition. This is useful for GitOps workflows such as ArgoCD. For example:
Example pod specification
Example ArgoCD workflow
5.4.2.3. Pulling from private registries with delegated authentication
A private registry can delegate authentication to a separate service. In these cases, image pull secrets must be defined for both the authentication and registry endpoints.
Procedure
- Create a secret for the delegated authentication server.
- Create a secret for the private registry.
5.4.3. Updating the global cluster pull secret
You can update the global pull secret for your cluster by either replacing the current pull secret or appending a new pull secret.
To transfer your cluster to another owner, you must initiate the transfer in OpenShift Cluster Manager and then update the pull secret on the cluster. Updating a cluster’s pull secret without initiating the transfer in OpenShift Cluster Manager causes the cluster to stop reporting Telemetry metrics in OpenShift Cluster Manager.
For more information, see "Transferring cluster ownership" in the Red Hat OpenShift Cluster Manager documentation.
Prerequisites
- 
- You have access to the cluster as a user with the cluster-admin role.
Procedure
- Optional: To append a new pull secret to the existing pull secret, complete the following steps:
  - Enter the following command to download the pull secret:
```
$ oc get secret/pull-secret -n openshift-config \
    --template='{{index .data ".dockerconfigjson" | base64decode}}' \
    > <pull_secret_location>
```
<pull_secret_location> is the path to the pull secret file.
  - Enter the following command to add the new pull secret:
```
$ oc registry login --registry="<registry>" \
    --auth-basic="<username>:<password>" \
    --to=<pull_secret_location>
```
<registry> is the new registry, <username>:<password> are the credentials for it, and <pull_secret_location> is the path to the pull secret file. You can also perform a manual update to the pull secret file.
- Enter the following command to update the global pull secret for your cluster:
```
$ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=<pull_secret_location>
```
<pull_secret_location> is the path to the new pull secret file.
This update rolls out to all nodes, which can take some time depending on the size of your cluster.
Note: As of OpenShift Container Platform 4.7.4, changes to the global pull secret no longer trigger a node drain or reboot.
Chapter 6. Managing image streams
Image streams provide a means of creating and updating container images in an on-going way. As improvements are made to an image, tags can be used to assign new version numbers and keep track of changes. This document describes how image streams are managed.
6.1. Why use imagestreams
An image stream and its associated tags provide an abstraction for referencing container images from within OpenShift Container Platform. The image stream and its tags allow you to see what images are available and ensure that you are using the specific image you need even if the image in the repository changes.
Image streams do not contain actual image data, but present a single virtual view of related images, similar to an image repository.
You can configure builds and deployments to watch an image stream for notifications when new images are added and react by performing a build or deployment, respectively.
For example, if a deployment is using a certain image and a new version of that image is created, a deployment could be automatically performed to pick up the new version of the image.
However, if the image stream tag used by the deployment or build is not updated, then even if the container image in the container image registry is updated, the build or deployment continues using the previous, presumably known good image.
The source images can be stored in any of the following:
- OpenShift Container Platform’s integrated registry.
- An external registry, for example registry.redhat.io or quay.io.
- Other image streams in the OpenShift Container Platform cluster.
When you define an object that references an image stream tag, such as a build or deployment configuration, you point to an image stream tag and not the repository. When you build or deploy your application, OpenShift Container Platform queries the repository using the image stream tag to locate the associated ID of the image and uses that exact image.
The image stream metadata is stored in the etcd instance along with other cluster information.
Using image streams has several significant benefits:
- You can tag, rollback a tag, and quickly deal with images, without having to re-push using the command line.
- You can trigger builds and deployments when a new image is pushed to the registry. Also, OpenShift Container Platform has generic triggers for other resources, such as Kubernetes objects.
- You can mark a tag for periodic re-import. If the source image has changed, that change is picked up and reflected in the image stream, which triggers the build or deployment flow, depending upon the build or deployment configuration.
- You can share images using fine-grained access control and quickly distribute images across your teams.
- If the source image changes, the image stream tag still points to a known-good version of the image, ensuring that your application does not break unexpectedly.
- You can configure security around who can view and use the images through permissions on the image stream objects.
- Users that lack permission to read or list images on the cluster level can still retrieve the images tagged in a project using image streams.
6.2. Configuring image streams
An ImageStream object file contains the following elements.
Imagestream object definition
1. The name of the image stream.
2. Docker repository path where new images can be pushed to add or update them in this image stream.
3. The SHA identifier that this image stream tag currently references. Resources that reference this image stream tag use this identifier.
4. The SHA identifier that this image stream tag previously referenced. Can be used to rollback to an older image.
5. The image stream tag name.
6.3. Image stream images
An image stream image points from within an image stream to a particular image ID.
Image stream images allow you to retrieve metadata about an image from a particular image stream where it is tagged.
Image stream image objects are automatically created in OpenShift Container Platform whenever you import or tag an image into the image stream. You should never have to explicitly define an image stream image object in any image stream definition that you use to create image streams.
				The image stream image consists of the image stream name and image ID from the repository, delimited by an @ sign:
			
```
<image-stream-name>@<image-id>
```
To refer to the image in the ImageStream object example, the image stream image looks like:
```
origin-ruby-sample@sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d
```
6.4. Image stream tags
				An image stream tag is a named pointer to an image in an image stream. It is abbreviated as istag. An image stream tag is used to reference or retrieve an image for a given image stream and tag.
			
Image stream tags can reference any local or externally managed image. A tag contains a history of images, represented as a stack of all images the tag ever pointed to. Whenever a new or existing image is tagged under a particular image stream tag, it is placed at the first position in the history stack. The image that previously occupied the top position is available at the second position. This allows for easy rollbacks, making a tag point to a historical image again.
				The following image stream tag is from an ImageStream object:
			
Image stream tag with two images in its history
Image stream tags can be permanent tags or tracking tags.
- Permanent tags are version-specific tags that point to a particular version of an image, such as Python 3.5.
- Tracking tags are reference tags that follow another image stream tag and can be updated to change which image they follow, like a symlink. These new levels are not guaranteed to be backwards-compatible.
  For example, the latest image stream tags that ship with OpenShift Container Platform are tracking tags. This means consumers of the latest image stream tag are updated to the newest level of the framework provided by the image when a new level becomes available. A latest image stream tag pointing to v3.10 can be changed to v3.11 at any time. It is important to be aware that these latest image stream tags behave differently than the Docker latest tag. The latest image stream tag, in this case, does not point to the latest image in the Docker repository. It points to another image stream tag, which might not be the latest version of an image. For example, if the latest image stream tag points to v3.10 of an image, when the 3.11 version is released, the latest tag is not automatically updated to v3.11, and remains at v3.10 until it is manually updated to point to a v3.11 image stream tag.
  Note: Tracking tags are limited to a single image stream and cannot reference other image streams.
You can create your own image stream tags for your own needs.
The image stream tag is composed of the name of the image stream and a tag, separated by a colon:

    <imagestream name>:<tag>

For example, to refer to the sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d image in the ImageStream object example earlier, the image stream tag would be:

    origin-ruby-sample:latest

6.5. Image stream change triggers
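The tag history stack and the two reference forms from sections 6.3 and 6.4, as an added example that is not part of the original page and not OpenShift's own code: a small Python model of an image stream in which tagging pushes the new image ID to position 0 of the tag's history, rollback re-tags the image at position 1, and references are parsed as either `<name>:<tag>` or `<name>@<id>`. The digest `PAGE_ID` is the one from the page's example; `NEWER_ID` is constructed and does not correspond to a real image.

```python
"""Added example, not the page's or OpenShift's own code: a minimal model of an
image stream's tag history (section 6.4) and of the two reference forms,
<name>:<tag> and <name>@<id> (sections 6.3 and 6.4)."""
import re
from dataclasses import dataclass, field

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageStream:
    name: str
    # tag name -> image IDs, newest first: index 0 is what the tag points to now,
    # index 1 is the image it pointed to before (the "previous" callout above).
    tags: dict = field(default_factory=dict)

    def tag(self, tag, image_id):
        """Point <name>:<tag> at image_id; the old image drops to position 1."""
        if not DIGEST_RE.match(image_id):
            raise ValueError(f"not a sha256 image ID: {image_id}")
        history = self.tags.setdefault(tag, [])
        if history and history[0] == image_id:
            return                      # already current, nothing to record
        history.insert(0, image_id)

    def current(self, tag):
        return self.tags[tag][0]

    def rollback(self, tag):
        """Make the tag point to its previous image again, as `oc tag` with the
        older <name>@<id> would; returns the ID that is now current."""
        history = self.tags[tag]
        if len(history) < 2:
            raise LookupError(f"{self.name}:{tag} has no previous image")
        self.tag(tag, history[1])
        return history[0]

    def istag(self, tag):
        """Image stream tag reference, <imagestream name>:<tag>."""
        return f"{self.name}:{tag}"

    def isimage(self, tag):
        """Image stream image reference, <image-stream-name>@<image-id>."""
        return f"{self.name}@{self.current(tag)}"


def parse_reference(ref):
    """Classify a reference as ('istag', name, tag) or ('isimage', name, id)."""
    if "@" in ref:
        name, image_id = ref.split("@", 1)
        if not DIGEST_RE.match(image_id):
            raise ValueError(f"bad image ID in {ref}")
        return ("isimage", name, image_id)
    if ":" in ref:
        name, tag = ref.rsplit(":", 1)
        return ("istag", name, tag)
    raise ValueError(f"expected <name>:<tag> or <name>@<id>: {ref}")


# The digest from the page's example, plus a constructed newer one.
PAGE_ID = "sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d"
NEWER_ID = "sha256:" + "ab" * 32      # constructed, not a real image


def demo():
    """Tag twice, roll back, and return the stream for inspection."""
    stream = ImageStream("origin-ruby-sample")
    stream.tag("latest", PAGE_ID)
    stream.tag("latest", NEWER_ID)      # NEWER_ID now at position 0, PAGE_ID at 1
    stream.rollback("latest")           # PAGE_ID back at position 0
    return stream
```

Note that a rollback is itself a new tagging operation, so the rolled-back ID appears again at the top of the history rather than the stack being popped; this matches the "placed at the first position" rule above and keeps the full audit trail of what the tag pointed to.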
Image stream triggers allow your builds and deployments to be automatically invoked when a new version of an upstream image is available.
For example, builds and deployments can be automatically started when an image stream tag is modified. This is achieved by monitoring that particular image stream tag and notifying the build or deployment when a change is detected.
6.6. Image stream mapping
When the integrated registry receives a new image, it creates and sends an image stream mapping to OpenShift Container Platform, providing the image’s project, name, tag, and image metadata.
Configuring image stream mappings is an advanced feature.
This information is used to create a new image, if it does not already exist, and to tag the image into the image stream. OpenShift Container Platform stores complete metadata about each image, such as commands, entry point, and environment variables. Images in OpenShift Container Platform are immutable and the maximum name length is 63 characters.
				The following image stream mapping example results in an image being tagged as test/origin-ruby-sample:latest:
			
Image stream mapping object definition
6.7. Working with image streams
The following sections describe how to use image streams and image stream tags.
Do not run workloads in or share access to default projects. Default projects are reserved for running core cluster components.
					The following default projects are considered highly privileged: default, kube-public, kube-system, openshift, openshift-infra, openshift-node, and other system-created projects that have the openshift.io/run-level label set to 0 or 1. Functionality that relies on admission plugins, such as pod security admission, security context constraints, cluster resource quotas, and image reference resolution, does not work in highly privileged projects.
				
6.7.1. Getting information about image streams
You can get general information about the image stream and detailed information about all the tags it is pointing to.
Procedure
- To get general information about the image stream and detailed information about all the tags it is pointing to, enter the following command:

    $ oc describe is/<image-name>

  For example:

    $ oc describe is/python

- To get all of the information available about a particular image stream tag, enter the following command:

    $ oc describe istag/<image-stream>:<tag-name>

  For example:

    $ oc describe istag/python:latest

- Enter the following command to discover which architectures or operating systems an image stream tag supports:

    $ oc get istag <image-stream-tag> -ojsonpath="{range .image.dockerImageManifests[*]}{.os}/{.architecture}{'\n'}{end}"

  For example:

    $ oc get istag busybox:latest -ojsonpath="{range .image.dockerImageManifests[*]}{.os}/{.architecture}{'\n'}{end}"
6.7.2. Adding tags to an image stream
You can add additional tags to image streams.
Procedure
- Add a tag that points to one of the existing tags by using the `oc tag` command:

    $ oc tag <image-name:tag1> <image-name:tag2>

  For example:

    $ oc tag python:3.5 python:latest

  Example output

    Tag python:latest set to python@sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25.

- Confirm that the image stream has two tags: 3.5, pointing at the external container image, and latest, pointing to the same image because it was created based on the first tag:

    $ oc describe is/python
6.7.3. Adding tags for an external image
You can add tags for external images.
Procedure
- Add tags pointing to internal or external images by using the `oc tag` command, which is used for all tag-related operations:

    $ oc tag <repository/image> <image-name:tag>

  For example, this command maps the docker.io/python:3.6.0 image to the 3.6 tag in the python image stream:

    $ oc tag docker.io/python:3.6.0 python:3.6

  Example output

    Tag python:3.6 set to docker.io/python:3.6.0.

  Because the tag references the external image by its mutable name, a later import follows whatever docker.io serves for 3.6.0 at that time; reference the image by digest (`<repository/image>@sha256:...`) if the tag must stay pinned to one specific build.
  If the external image is secured, you must create a secret with credentials for accessing that registry.
6.7.4. Updating image stream tags
You can update a tag to reflect another tag in an image stream.
Procedure
- Update a tag:

    $ oc tag <image-name:tag> <image-name:latest>

  For example, the following updates the latest tag to reflect the 3.6 tag in an image stream:

    $ oc tag python:3.6 python:latest

  Example output

    Tag python:latest set to python@sha256:438208801c4806548460b27bd1fbcb7bb188273d13871ab43f.
6.7.5. Removing image stream tags
You can remove old tags from an image stream.
Procedure
- Remove old tags from an image stream:

    $ oc tag -d <image-name:tag>

  For example:

    $ oc tag -d python:3.6

  Example output

    Deleted tag default/python:3.6
See Removing deprecated image stream tags from the Cluster Samples Operator for more information on how the Cluster Samples Operator handles deprecated image stream tags.
6.7.6. Configuring periodic importing of image stream tags
					When working with an external container image registry, to periodically re-import an image, for example to get latest security updates, you can use the --scheduled flag.
				
Procedure
- Schedule importing images:

    $ oc tag <repository/image> <image-name:tag> --scheduled

  For example:

    $ oc tag docker.io/python:3.6.0 python:3.6 --scheduled

  Example output

    Tag python:3.6 set to import docker.io/python:3.6.0 periodically.

  This command causes OpenShift Container Platform to periodically update this particular image stream tag. The period is a cluster-wide setting, set to 15 minutes by default.

- To remove the periodic check, re-run the above command but omit the --scheduled flag. This resets the tag to the default behavior:

    $ oc tag <repository/image> <image-name:tag>
6.8. Importing and working with images and image streams
The following sections describe how to import, and work with, image streams.
6.8.1. Importing images and image streams from private registries
An image stream can be configured to import tag and image metadata from private image registries that require authentication. This procedure also applies if you change the registry that the Cluster Samples Operator pulls content from to something other than registry.redhat.io.
						When importing from insecure or secure registries, the registry URL defined in the secret must include the :80 port suffix or the secret is not used when attempting to import from the registry.
					
Procedure
- Create a secret object that stores your credentials by entering the following command:

    $ oc create secret generic <secret_name> --from-file=.dockerconfigjson=<file_absolute_path> --type=kubernetes.io/dockerconfigjson

  The secret must exist in the same project as the image stream that imports from the registry.

- After the secret is configured, create the new image stream or enter the oc import-image command:

    $ oc import-image <imagestreamtag> --from=<image> --confirm

  During the import process, OpenShift Container Platform picks up the secret and presents its credentials to the remote registry.
6.8.2. Working with manifest lists
					You can import a single sub-manifest, or all manifests, of a manifest list when using oc import-image or oc tag CLI commands by adding the --import-mode flag.
				
Refer to the commands below to create an image stream that includes a single sub-manifest or multi-architecture images.
Procedure
- Create an image stream that includes multi-architecture images, and set the import mode to PreserveOriginal, by entering the following command:

    $ oc import-image <multiarch-image-stream-tag> --from=<registry>/<project_name>/<image-name> \
        --import-mode='PreserveOriginal' --reference-policy=local --confirm

- Alternatively, enter the following command to import an image with the Legacy import mode, which discards manifest lists and imports a single sub-manifest:

    $ oc import-image <multiarch-image-stream-tag> --from=<registry>/<project_name>/<image-name> \
        --import-mode='Legacy' --confirm

  Note: The default value of --import-mode= is Legacy. Omitting the flag, or failing to specify either Legacy or PreserveOriginal, imports a single sub-manifest. An invalid import mode returns the following error:

    error: valid ImportMode values are Legacy or PreserveOriginal.
6.8.2.1. Limitations
Working with manifest lists has the following limitations:
- In some cases, users might want to use sub-manifests directly. When oc adm prune images is run, or the CronJob pruner runs, they cannot detect when a sub-manifest of a manifest list is in use. As a result, an administrator using oc adm prune images, or the CronJob pruner, might delete entire manifest lists, including sub-manifests.
  To avoid this limitation, use the manifest list by tag or by digest instead.
6.8.2.2. Configuring periodic importing of manifest lists
						To periodically re-import a manifest list, you can use the --scheduled flag.
					
Procedure
- Set the image stream to periodically update the manifest list by entering the following command:

    $ oc import-image <multiarch-image-stream-tag> --from=<registry>/<project_name>/<image-name> \
        --import-mode='PreserveOriginal' --scheduled=true
6.8.2.3. Configuring SSL/TLS when importing manifest lists
To control SSL/TLS verification when importing a manifest list, you can use the --insecure flag.
Procedure
- Set --insecure=true so that importing a manifest list skips SSL/TLS verification. For example:

    $ oc import-image <multiarch-image-stream-tag> --from=<registry>/<project_name>/<image-name> \
        --import-mode='PreserveOriginal' --insecure=true

  Skipping verification lets anyone on the network path between the cluster and the registry substitute a different image for the one you intended to import. Use it only against a test registry you control; for a registry with a private CA, add that CA through the additionalTrustedCA config map described in the image configuration resources chapter instead.
6.8.3. Specifying architecture for --import-mode
You can switch an imported image stream between multi-architecture and single-architecture by including or omitting the --import-mode= flag.
				
Procedure
- Run the following command to update your image stream from multi-architecture to single-architecture by omitting the --import-mode= flag:

    $ oc import-image <multiarch-image-stream-tag> --from=<registry>/<project_name>/<image-name>

- Run the following command to update your image stream from single-architecture to multi-architecture:

    $ oc import-image <multiarch-image-stream-tag> --from=<registry>/<project_name>/<image-name> \
        --import-mode='PreserveOriginal'
6.8.4. Configuration fields for --import-mode
					The following table describes the options available for the --import-mode= flag:
				
| Parameter | Description |
|---|---|
| Legacy | The default option for --import-mode. The manifest list is discarded and a single sub-manifest is imported. |
| PreserveOriginal | When specified, the original manifest is preserved. For manifest lists, the manifest list and all of its sub-manifests are imported. |
Chapter 7. Using image streams with Kubernetes resources
			Image streams, being OpenShift Container Platform native resources, work with all native resources available in OpenShift Container Platform, such as Build or DeploymentConfigs resources. It is also possible to make them work with native Kubernetes resources, such as Job, ReplicationController, ReplicaSet or Kubernetes Deployment resources.
		
7.1. Enabling image streams with Kubernetes resources
				When using image streams with Kubernetes resources, you can only reference image streams that reside in the same project as the resource. The image stream reference must consist of a single segment value, for example ruby:2.5, where ruby is the name of an image stream that has a tag named 2.5 and resides in the same project as the resource making the reference.
			
Do not run workloads in or share access to default projects. Default projects are reserved for running core cluster components.
					The following default projects are considered highly privileged: default, kube-public, kube-system, openshift, openshift-infra, openshift-node, and other system-created projects that have the openshift.io/run-level label set to 0 or 1. Functionality that relies on admission plugins, such as pod security admission, security context constraints, cluster resource quotas, and image reference resolution, does not work in highly privileged projects.
				
There are two ways to enable image streams with Kubernetes resources:
- Enabling image stream resolution on a specific resource. This allows only this resource to use the image stream name in the image field.
- Enabling image stream resolution on an image stream. This allows all resources pointing to this image stream to use it in the image field.
Procedure
					You can use oc set image-lookup to enable image stream resolution on a specific resource or image stream resolution on an image stream.
				
- To allow all resources to reference the image stream named mysql, enter the following command:

    $ oc set image-lookup mysql

  This sets the Imagestream.spec.lookupPolicy.local field to true.
  Imagestream with image lookup enabled
  When enabled, the behavior is enabled for all tags within the image stream.

- Then you can query the image streams and see if the option is set:

    $ oc set image-lookup imagestream --list

You can enable image lookup on a specific resource.

- To allow the Kubernetes deployment named mysql to use image streams, run the following command:

    $ oc set image-lookup deploy/mysql

  This sets the alpha.image.policy.openshift.io/resolve-names annotation on the deployment.
  Deployment with image lookup enabled

You can disable image lookup.

- To disable image lookup, pass --enabled=false:

    $ oc set image-lookup deploy/mysql --enabled=false
Chapter 8. Triggering updates on image stream changes
When an image stream tag is updated to point to a new image, OpenShift Container Platform can automatically take action to roll the new image out to resources that were using the old image. You configure this behavior in different ways depending on the type of resource that references the image stream tag.
8.1. OpenShift Container Platform resources
OpenShift Container Platform deployment configurations and build configurations can be automatically triggered by changes to image stream tags. The triggered action can be run using the new value of the image referenced by the updated image stream tag.
8.2. Triggering Kubernetes resources
Kubernetes resources do not have fields for triggering, unlike deployment and build configurations, which include as part of their API definition a set of fields for controlling triggers. Instead, you can use annotations in OpenShift Container Platform to request triggering.
The annotation is defined as follows:

1. Required: kind, the resource to trigger from, must be ImageStreamTag.
2. Required: name must be the name of an image stream tag.
3. Optional: namespace defaults to the namespace of the object.
4. Required: fieldPath is the JSON path to change. This field is limited and accepts only a JSON path expression that precisely matches a container by ID or index. For pods, the JSON path is spec.containers[?(@.name='web')].image.
5. Optional: paused is whether or not the trigger is paused, and the default value is false. Set paused to true to temporarily disable this trigger.
				When one of the core Kubernetes resources contains both a pod template and this annotation, OpenShift Container Platform attempts to update the object by using the image currently associated with the image stream tag that is referenced by trigger. The update is performed against the fieldPath specified.
			
Examples of core Kubernetes resources that can contain both a pod template and annotation include:
- CronJobs
- Deployments
- StatefulSets
- DaemonSets
- Jobs
- ReplicationControllers
- Pods
8.3. Setting the image trigger on Kubernetes resources
				When adding an image trigger to deployments, you can use the oc set triggers command. For example, the sample command in this procedure adds an image change trigger to the deployment named example so that when the example:latest image stream tag is updated, the web container inside the deployment updates with the new image value. This command sets the correct image.openshift.io/triggers annotation on the deployment resource.
			
Procedure
- Trigger Kubernetes resources by entering the oc set triggers command:

    $ oc set triggers deploy/example --from-image=example:latest -c web

  Example deployment with trigger annotation
  Unless the deployment is paused, this pod template update automatically causes a deployment to occur with the new image value.
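The annotation fields from 8.2 and the update from 8.3, as an added example that is not the page's code and not OpenShift's trigger controller: a Python block that builds the image.openshift.io/triggers value for a Deployment (one trigger, kind ImageStreamTag, fieldPath selecting the `web` container by name), then applies it the way the text describes, replacing the matched container's image with whatever the tag currently resolves to and skipping paused triggers. The Deployment, the `RESOLVED` lookup table and its digest are constructed for the example; the fieldPath grammar accepted here is limited to the Deployment pod-template form, which is an assumption of this block.

```python
"""Added example, not OpenShift's trigger controller: build the
image.openshift.io/triggers annotation that `oc set triggers --from-image`
writes, then apply it the way section 8.2 describes for a Deployment."""
import copy
import json
import re

TRIGGER_ANNOTATION = "image.openshift.io/triggers"

# fieldPath is deliberately restricted: it must select exactly one container,
# by name or by index, inside the Deployment's pod template (block assumption).
FIELD_PATH_RE = re.compile(
    r"^spec\.template\.spec\.containers\["
    r"(?:\?\(@\.name==['\"](?P<name>[^'\"]+)['\"]\)|(?P<index>\d+))"
    r"\]\.image$"
)


def trigger_annotation(istag, container, namespace="", paused=False):
    """JSON value of the annotation for a single ImageStreamTag trigger."""
    trigger = {
        "from": {"kind": "ImageStreamTag", "name": istag},
        "fieldPath": f'spec.template.spec.containers[?(@.name=="{container}")].image',
    }
    if namespace:                      # optional; defaults to the object's namespace
        trigger["from"]["namespace"] = namespace
    if paused:                         # paused=true temporarily disables the trigger
        trigger["paused"] = True
    return json.dumps([trigger])


def example_deployment(paused=False):
    """Constructed Deployment (not from the page) with the trigger already set."""
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {
            "name": "example",
            "namespace": "myproject",
            "annotations": {
                TRIGGER_ANNOTATION: trigger_annotation("example:latest", "web", paused=paused)
            },
        },
        "spec": {"template": {"spec": {"containers": [
            {"name": "web", "image": "example:latest"},
            {"name": "sidecar", "image": "registry.example.com/sidecar:1.0"},
        ]}}},
    }


# Constructed resolution table: "<namespace>/<istag>" -> the reference the tag
# currently points to in the integrated registry (the digest is made up).
RESOLVED = {
    "myproject/example:latest":
        "image-registry.openshift-image-registry.svc:5000/myproject/example@sha256:" + "0" * 64,
}


def apply_triggers(deployment, resolved=RESOLVED):
    """Return a copy of `deployment` with every unpaused trigger's target
    container image replaced by the resolved ImageStreamTag reference."""
    dep = copy.deepcopy(deployment)
    raw = dep["metadata"].get("annotations", {}).get(TRIGGER_ANNOTATION)
    if not raw:
        return dep
    containers = dep["spec"]["template"]["spec"]["containers"]
    for trig in json.loads(raw):
        if trig.get("paused", False):
            continue
        src = trig["from"]
        if src.get("kind") != "ImageStreamTag":
            raise ValueError(f"trigger kind must be ImageStreamTag, got {src.get('kind')!r}")
        key = f"{src.get('namespace', dep['metadata']['namespace'])}/{src['name']}"
        if key not in resolved:
            continue                   # tag not imported yet: leave the template alone
        m = FIELD_PATH_RE.match(trig["fieldPath"])
        if not m:
            raise ValueError(f"fieldPath must select one container: {trig['fieldPath']}")
        if m.group("name") is not None:
            targets = [c for c in containers if c["name"] == m.group("name")]
        else:
            idx = int(m.group("index"))
            targets = containers[idx:idx + 1]
        for c in targets:
            c["image"] = resolved[key]
    return dep


def container_image(deployment, name):
    """Image currently set on the named container of the pod template."""
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        if c["name"] == name:
            return c["image"]
    raise KeyError(name)


if __name__ == "__main__":
    print(json.dumps(apply_triggers(example_deployment()), indent=2))
```

The rewritten image is a digest reference rather than `example:latest`, which is the point of the trigger: the pod template changes only when the tag moves, and what gets rolled out is pinned to the exact image the tag pointed to at that moment.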
Chapter 9. Image configuration resources
Use the following procedure to configure image registries.
9.1. Image controller configuration parameters
				The image.config.openshift.io/cluster resource holds cluster-wide information about how to handle images. The canonical, and only valid name is cluster. Its spec offers the following configuration parameters.
			
					Parameters such as DisableScheduledImport, MaxImagesBulkImportedPerRepository, MaxScheduledImportsPerMinute, ScheduledImageImportMinimumIntervalSeconds, InternalRegistryHostname are not configurable.
				
| Parameter | Description |
|---|---|
| allowedRegistriesForImport | Limits the container image registries from which normal users can import images. Set this list to the registries that you trust to contain valid images, and that you want applications to be able to import from. Users with permission to create images or ImageStreamMappings from the API are not affected by this policy. Every element of this list contains a location of the registry specified by the registry domain name. |
| additionalTrustedCA | A reference to a config map containing additional CAs that should be trusted during image stream import, pod image pull, openshift-image-registry pullthrough, and builds. The namespace for this config map is openshift-config. |
| externalRegistryHostnames | Provides the hostnames for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The first value is used in |
| registrySources | Contains configuration that determines how the container runtime should treat individual registries when accessing images for builds and pods, for instance whether or not to allow insecure access. It does not contain configuration for the internal cluster registry. Either the allowedRegistries parameter or the blockedRegistries parameter can be set, but not both. |
					When the allowedRegistries parameter is defined, all registries, including registry.redhat.io and quay.io registries and the default OpenShift image registry, are blocked unless explicitly listed. When using the parameter, to prevent pod failure, add all registries including the registry.redhat.io and quay.io registries and the internalRegistryHostname to the allowedRegistries list, as they are required by payload images within your environment. For disconnected clusters, mirror registries should also be added.
				
				The status field of the image.config.openshift.io/cluster resource holds observed values from the cluster.
			
| Parameter | Description |
|---|---|
| internalRegistryHostname | Set by the Image Registry Operator, which controls the internalRegistryHostname. |
| externalRegistryHostnames | Set by the Image Registry Operator, provides the external hostnames for the image registry when it is exposed externally. The first value is used in |
9.2. Configuring image registry settings
				You can configure image registry settings by editing the image.config.openshift.io/cluster custom resource (CR). When changes to the registry are applied to the image.config.openshift.io/cluster CR, the Machine Config Operator (MCO) performs the following sequential actions:
			
- Cordons the node
- Applies changes by restarting CRI-O
- Uncordons the node

Note: The MCO does not restart nodes when it detects changes.
Procedure
- Edit the image.config.openshift.io/cluster custom resource:

    $ oc edit image.config.openshift.io/cluster

  The following is an example image.config.openshift.io/cluster CR:

  1. Image: Holds cluster-wide information about how to handle images. The canonical, and only valid, name is cluster.
  2. allowedRegistriesForImport: Limits the container image registries from which normal users may import images. Set this list to the registries that you trust to contain valid images, and that you want applications to be able to import from. Users with permission to create images or ImageStreamMappings from the API are not affected by this policy. Typically only cluster administrators have the appropriate permissions.
  3. additionalTrustedCA: A reference to a config map containing additional certificate authorities (CA) that are trusted during image stream import, pod image pull, openshift-image-registry pullthrough, and builds. The namespace for this config map is openshift-config. The format of the config map is to use the registry hostname as the key, and the PEM certificate as the value, for each additional registry CA to trust.
  4. registrySources: Contains configuration that determines whether the container runtime allows or blocks individual registries when accessing images for builds and pods. Either the allowedRegistries parameter or the blockedRegistries parameter can be set, but not both. You can also define whether or not to allow access to insecure registries or to registries that allow image short names. This example uses the allowedRegistries parameter, which defines the registries that are allowed to be used. The insecure registry insecure.com is also allowed. The registrySources parameter does not contain configuration for the internal cluster registry.

  Note: When the allowedRegistries parameter is defined, all registries, including the registry.redhat.io and quay.io registries and the default OpenShift image registry, are blocked unless explicitly listed. If you use the parameter, to prevent pod failure, you must add the registry.redhat.io and quay.io registries and the internalRegistryHostname to the allowedRegistries list, as they are required by payload images within your environment. Do not add the registry.redhat.io and quay.io registries to the blockedRegistries list.
  When using the allowedRegistries, blockedRegistries, or insecureRegistries parameter, you can specify an individual repository within a registry. For example: reg1.io/myrepo/myapp:latest.
  Insecure external registries should be avoided to reduce possible security risks.

- To check that the changes are applied, list your nodes:

    $ oc get nodes
9.2.1. Adding specific registries
					You can add a list of registries, and optionally an individual repository within a registry, that are permitted for image pull and push actions by editing the image.config.openshift.io/cluster custom resource (CR). OpenShift Container Platform applies the changes to this CR to all nodes in the cluster.
				
					When pulling or pushing images, the container runtime searches the registries listed under the registrySources parameter in the image.config.openshift.io/cluster CR. If you created a list of registries under the allowedRegistries parameter, the container runtime searches only those registries. Registries not in the list are blocked.
				
						When the allowedRegistries parameter is defined, all registries, including the registry.redhat.io and quay.io registries and the default OpenShift image registry, are blocked unless explicitly listed. If you use the parameter, to prevent pod failure, add the registry.redhat.io and quay.io registries and the internalRegistryHostname to the allowedRegistries list, as they are required by payload images within your environment. For disconnected clusters, mirror registries should also be added.
					
Procedure
- Edit the - image.config.openshift.io/clustercustom resource:- oc edit image.config.openshift.io/cluster - $ oc edit image.config.openshift.io/cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The following is an example - image.config.openshift.io/clusterCR with an allowed list:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Contains configurations that determine how the container runtime should treat individual registries when accessing images for builds and pods. It does not contain configuration for the internal cluster registry.
- 2
- Specify registries, and optionally a repository in that registry, to use for image pull and push actions. All other registries are blocked.
Note
- Either the allowedRegistries parameter or the blockedRegistries parameter can be set, but not both.
- The Machine Config Operator (MCO) watches the image.config.openshift.io/cluster resource for any changes to the registries. When the MCO detects a change, it triggers a rollout on nodes in the machine config pool (MCP). The allowed registries list is used to update the image signature policy in the /etc/containers/policy.json file on each node. Changes to the /etc/containers/policy.json file do not require the node to drain.
Verification
- Enter the following command to obtain a list of your nodes:
  $ oc get nodes
  Example output
  NAME          STATUS   ROLES                  AGE   VERSION
  <node_name>   Ready    control-plane,master   37m   v1.27.8+4fab27b
- Run the following command to enter debug mode on the node:
  $ oc debug node/<node_name>
- When prompted, enter chroot /host into the terminal:
  sh-4.4# chroot /host
- Enter the following command to check that the registries have been added to the policy file:
  sh-5.1# cat /etc/containers/policy.json | jq '.'
  The following policy indicates that only images from the example.com, quay.io, and registry.redhat.io registries are permitted for image pulls and pushes:
  Example 9.1. Example image signature policy file
 
						If your cluster uses the registrySources.insecureRegistries parameter, ensure that any insecure registries are included in the allowed list.
					
For example:
9.2.2. Blocking specific registries
					You can block any registry, and optionally an individual repository within a registry, by editing the image.config.openshift.io/cluster custom resource (CR). OpenShift Container Platform applies the changes to this CR to all nodes in the cluster.
				
					When pulling or pushing images, the container runtime searches the registries listed under the registrySources parameter in the image.config.openshift.io/cluster CR. If you created a list of registries under the blockedRegistries parameter, the container runtime does not search those registries. All other registries are allowed.
				
						To prevent pod failure, do not add the registry.redhat.io and quay.io registries to the blockedRegistries list, as they are required by payload images within your environment.
					
Procedure
- Edit the image.config.openshift.io/cluster custom resource:
  $ oc edit image.config.openshift.io/cluster
  The following is an example image.config.openshift.io/cluster CR with a blocked list:
- 1
- Contains configurations that determine how the container runtime should treat individual registries when accessing images for builds and pods. It does not contain configuration for the internal cluster registry.
- 2
- Specify registries, and optionally a repository in that registry, that should not be used for image pull and push actions. All other registries are allowed.
Note
- Either the blockedRegistries parameter or the allowedRegistries parameter can be set, but not both.
- The Machine Config Operator (MCO) watches the image.config.openshift.io/cluster resource for any changes to the registries. When the MCO detects a change, it drains the nodes, applies the change, and uncordons the nodes. After the nodes return to the Ready state, changes to the blocked registries appear in the /etc/containers/registries.conf file on each node. During this period, you might experience service unavailability.
Verification
- Enter the following command to obtain a list of your nodes:
  $ oc get nodes
  Example output
  NAME          STATUS   ROLES                  AGE   VERSION
  <node_name>   Ready    control-plane,master   37m   v1.27.8+4fab27b
- Run the following command to enter debug mode on the node:
  $ oc debug node/<node_name>
- When prompted, enter chroot /host into the terminal:
  sh-4.4# chroot /host
- Enter the following command to check that the registries have been added to the policy file:
  sh-5.1# cat etc/containers/registries.conf
  The following example indicates that images from the untrusted.com registry are prevented for image pulls and pushes:
  Example output
 
9.2.2.1. Blocking a payload registry
					In a mirroring configuration, you can block upstream payload registries in a disconnected environment using an ImageContentSourcePolicy (ICSP) object. The following example procedure demonstrates how to block the quay.io/openshift-payload payload registry.
					
Procedure
- Create the mirror configuration using an ImageContentSourcePolicy (ICSP) object to mirror the payload to a registry in your instance. The following example ICSP file mirrors the payload to internal-mirror.io/openshift-payload:
- After the object deploys onto your nodes, verify that the mirror configuration is set by checking the /etc/containers/registries.conf file:
  Example output
- Use the following command to edit the image.config.openshift.io custom resource file:
  $ oc edit image.config.openshift.io cluster
- To block the payload registry, add the following configuration to the image.config.openshift.io custom resource file:
  spec:
    registrySources:
      blockedRegistries:
      - quay.io/openshift-payload
Verification
- Verify that the upstream payload registry is blocked by checking the /etc/containers/registries.conf file on the node.
  Example output
9.2.3. Allowing insecure registries
					You can add insecure registries, and optionally an individual repository within a registry, by editing the image.config.openshift.io/cluster custom resource (CR). OpenShift Container Platform applies the changes to this CR to all nodes in the cluster.
				
Registries that do not use valid SSL certificates or do not require HTTPS connections are considered insecure.
Insecure external registries should be avoided to reduce possible security risks.
Procedure
- Edit the image.config.openshift.io/cluster custom resource:
  $ oc edit image.config.openshift.io/cluster
  The following is an example image.config.openshift.io/cluster CR with an insecure registries list:
- 1
- Contains configurations that determine how the container runtime should treat individual registries when accessing images for builds and pods. It does not contain configuration for the internal cluster registry.
- 2
- Specify an insecure registry. You can specify a repository in that registry.
- 3
- Ensure that any insecure registries are included in the allowedRegistries list.
Note
- When the allowedRegistries parameter is defined, all registries, including the registry.redhat.io and quay.io registries and the default OpenShift image registry, are blocked unless explicitly listed. If you use the parameter, to prevent pod failure, add all registries including the registry.redhat.io and quay.io registries and the internalRegistryHostname to the allowedRegistries list, as they are required by payload images within your environment. For disconnected clusters, mirror registries should also be added.
- The Machine Config Operator (MCO) watches the image.config.openshift.io/cluster CR for any changes to the registries, then drains and uncordons the nodes when it detects changes. After the nodes return to the Ready state, changes to the insecure and blocked registries appear in the /etc/containers/registries.conf file on each node.
Verification
- To check that the registries have been added to the policy file, use the following command on a node:
  $ cat /etc/containers/registries.conf
  The following example indicates that images from the insecure.com registry are insecure and are allowed for image pulls and pushes.
  Example output
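The three sections above (allowed, blocked and insecure registries) each carry a rule that is easy to get wrong when editing the CR by hand: the allow list and block list are mutually exclusive, payload registries and the internal registry hostname must remain reachable when an allow list is used, and an insecure registry that is not also in the allow list is silently blocked. The following pre-flight check encodes those rules so they can be run against `oc get image.config.openshift.io/cluster -o json` before the change is applied. It is an added example for this page, not part of OpenShift; the sample CR is constructed, and the `status.internalRegistryHostname` field it reads is only populated on a live cluster.

```python
"""Pre-flight checks for the registrySources stanza of image.config.openshift.io/cluster.

Added example, not OpenShift code. Usage:
    oc get image.config.openshift.io/cluster -o json > cluster.json
    python3 lint_registry_sources.py cluster.json
"""
import json
import sys

# Registries that payload images are pulled from; the notes above say these
# must never be blocked and must be present in any allow list.
PAYLOAD_REGISTRIES = ("registry.redhat.io", "quay.io")


def covers(registry, entries):
    """True if `entries` lists the registry itself or a repository inside it."""
    return any(e == registry or e.startswith(registry + "/") for e in entries)


def lint_registry_sources(cluster, mirror_registries=()):
    """Return a list of findings; an empty list means the stanza looks safe.

    `cluster` is the CR as a dict. `mirror_registries` (assumed, caller-supplied)
    are the mirrors a disconnected cluster pulls payload images from.
    """
    sources = cluster.get("spec", {}).get("registrySources", {})
    allowed = sources.get("allowedRegistries", [])
    blocked = sources.get("blockedRegistries", [])
    insecure = sources.get("insecureRegistries", [])
    # Filled in by the operator on a live cluster; absent in a hand-written file.
    internal = cluster.get("status", {}).get("internalRegistryHostname")

    findings = []
    if allowed and blocked:
        findings.append("allowedRegistries and blockedRegistries are both set; only one may be used")
    if allowed:
        required = list(PAYLOAD_REGISTRIES) + list(mirror_registries)
        if internal:
            required.append(internal)
        for reg in required:
            if not covers(reg, allowed):
                findings.append(f"{reg} is not in allowedRegistries; pods pulling from it will fail")
        # An insecure registry that is not allow-listed is blocked like any other.
        for reg in insecure:
            if not covers(reg, allowed):
                findings.append(f"insecure registry {reg} is not in allowedRegistries and will be blocked")
    for reg in blocked:
        if reg in PAYLOAD_REGISTRIES:
            findings.append(f"{reg} is in blockedRegistries; payload images require it")
    for reg in insecure:
        findings.append(f"warning: {reg} is marked insecure (no TLS verification); avoid for external registries")
    return findings


# Constructed sample CR (not from a real cluster): an allow list that forgets the
# insecure registry it also declares, which the doc's callout 3 above warns about.
SAMPLE_CLUSTER = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "Image",
    "metadata": {"name": "cluster"},
    "spec": {
        "registrySources": {
            "allowedRegistries": [
                "example.com",
                "quay.io",
                "registry.redhat.io",
                "image-registry.openshift-image-registry.svc:5000",
            ],
            "insecureRegistries": ["insecure.com"],
        }
    },
    "status": {"internalRegistryHostname": "image-registry.openshift-image-registry.svc:5000"},
}

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CLUSTER
    for finding in lint_registry_sources(doc):
        print(finding)
```

A blocked entry that names only a repository, such as the quay.io/openshift-payload example in the payload-blocking procedure, is not reported, because blocking a single mirrored repository is exactly what that procedure does; only blocking the whole payload registry is flagged.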
9.2.4. Adding registries that allow image short names
					You can add registries to search for an image short name by editing the image.config.openshift.io/cluster custom resource (CR). OpenShift Container Platform applies the changes to this CR to all nodes in the cluster.
				
					An image short name enables you to search for images without including the fully qualified domain name in the pull spec. For example, you could use rhel7/etcd instead of registry.access.redhat.com/rhel7/etcd.
				
You might use short names in situations where using the full path is not practical. For example, if your cluster references multiple internal registries whose DNS changes frequently, you would need to update the fully qualified domain names in your pull specs with each change. In this case, using an image short name might be beneficial.
					When pulling or pushing images, the container runtime searches the registries listed under the registrySources parameter in the image.config.openshift.io/cluster CR. If you created a list of registries under the containerRuntimeSearchRegistries parameter, when pulling an image with a short name, the container runtime searches those registries.
				
Using image short names with public registries is strongly discouraged because the image might not deploy if the public registry requires authentication. Use fully-qualified image names with public registries.
Red Hat internal or private registries typically support the use of image short names.
						If you list public registries under the containerRuntimeSearchRegistries parameter (including the registry.redhat.io, docker.io, and quay.io registries), you expose your credentials to all the registries on the list, and you risk network and registry attacks. Because you can only have one pull secret for pulling images, as defined by the global pull secret, that secret is used to authenticate against every registry in that list. Therefore, if you include public registries in the list, you introduce a security risk.
					
						You cannot list multiple public registries under the containerRuntimeSearchRegistries parameter if each public registry requires different credentials and a cluster does not list the public registry in the global pull secret.
					
For a public registry that requires authentication, you can use an image short name only if the registry has its credentials stored in the global pull secret.
					The Machine Config Operator (MCO) watches the image.config.openshift.io/cluster resource for any changes to the registries. When the MCO detects a change, it drains the nodes, applies the change, and uncordons the nodes. During this period, you might experience service unavailability. After the nodes return to the Ready state, if the containerRuntimeSearchRegistries parameter is added, the MCO creates a file in the /etc/containers/registries.conf.d directory on each node with the listed registries. The file overrides the default list of unqualified search registries in the /etc/containers/registries.conf file. There is no way to fall back to the default list of unqualified search registries.
				
					The containerRuntimeSearchRegistries parameter works only with the Podman and CRI-O container engines. The registries in the list can be used only in pod specs, not in builds and image streams.
				
Procedure
- Edit the image.config.openshift.io/cluster custom resource:
  $ oc edit image.config.openshift.io/cluster
  The following is an example image.config.openshift.io/cluster CR:
  Note
  When the allowedRegistries parameter is defined, all registries, including the registry.redhat.io and quay.io registries and the default OpenShift image registry, are blocked unless explicitly listed. If you use this parameter, to prevent pod failure, add all registries including the registry.redhat.io and quay.io registries and the internalRegistryHostname to the allowedRegistries list, as they are required by payload images within your environment. For disconnected clusters, mirror registries should also be added.
Verification
- Enter the following command to obtain a list of your nodes:
  $ oc get nodes
  Example output
  NAME          STATUS   ROLES                  AGE   VERSION
  <node_name>   Ready    control-plane,master   37m   v1.27.8+4fab27b
- Run the following command to enter debug mode on the node:
  $ oc debug node/<node_name>
- When prompted, enter chroot /host into the terminal:
  sh-4.4# chroot /host
- Enter the following command to check that the registries have been added to the policy file:
  sh-5.1# cat /etc/containers/registries.conf.d/01-image-searchRegistries.conf
  Example output
  unqualified-search-registries = ['reg1.io', 'reg2.io', 'reg3.io']
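To make the warning in this section concrete, the following added example (not OpenShift or CRI-O code) parses an unqualified-search-registries fragment like the one above and expands a short name the way the container runtime does: each registry in the list, in order, receives a pull attempt, and because the cluster has a single global pull secret, each of those registries also receives its credentials. The constructed fragment deliberately includes quay.io so the public-registry finding fires; the short-name rule (first path component is a registry only if it contains a dot or a colon or is localhost) is the convention Podman and CRI-O use.

```python
"""Expand image short names against unqualified-search-registries.

Added example, not OpenShift code. Shows the order of registries a short-name
pull is attempted against and which of them are public registries that would
receive the global pull secret's credentials.
"""
import re

# Public registries the section above names as risky in the search list.
PUBLIC_REGISTRIES = {"registry.redhat.io", "docker.io", "quay.io"}


def parse_search_registries(conf_text):
    """Read `unqualified-search-registries = [...]` from a registries.conf fragment."""
    match = re.search(r"unqualified-search-registries\s*=\s*\[([^\]]*)\]", conf_text)
    if not match:
        return []
    return [item.strip().strip("'\"") for item in match.group(1).split(",") if item.strip()]


def is_short_name(pull_spec):
    """A pull spec is short when its first path component is not a registry host.

    The runtime treats the first component as a registry only if it contains a
    '.' or ':' or is 'localhost'; anything else is a short name to be searched.
    """
    first = pull_spec.split("/", 1)[0]
    return not ("." in first or ":" in first or first == "localhost")


def candidates(pull_spec, search_registries):
    """Fully qualified names tried, in order, for a pull spec."""
    if not is_short_name(pull_spec):
        return [pull_spec]
    return [f"{registry}/{pull_spec}" for registry in search_registries]


def public_registries_in(search_registries):
    """Search entries that are public registries; each of them receives the pull secret."""
    return [registry for registry in search_registries if registry in PUBLIC_REGISTRIES]


# Constructed fragment in the format of 01-image-searchRegistries.conf shown above,
# with quay.io added to illustrate the warning; not output from a real node.
SAMPLE_CONF = "unqualified-search-registries = ['reg1.io', 'quay.io', 'reg3.io']\n"

if __name__ == "__main__":
    registries = parse_search_registries(SAMPLE_CONF)
    for name in candidates("rhel7/etcd", registries):
        print("try", name)
    print("public registries that would receive the pull secret:", public_registries_in(registries))
```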
 
9.2.5. Configuring additional trust stores for image registry access
					The image.config.openshift.io/cluster custom resource can contain a reference to a config map that contains additional certificate authorities to be trusted during image registry access.
				
Prerequisites
- The certificate authorities (CA) must be PEM-encoded.
Procedure
						You can create a config map in the openshift-config namespace and use its name in AdditionalTrustedCA in the image.config.openshift.io custom resource to provide additional CAs that should be trusted when contacting external registries.
					
The config map key is the hostname of a registry with the port for which this CA is to be trusted, and the PEM certificate content is the value, for each additional registry CA to trust.
Image registry CA config map example
- 1
- If the registry has a port, such as registry-with-port.example.com:5000, the colon (:) should be replaced with two periods (..) in the key.
You can configure additional CAs with the following procedure.
- To configure an additional CA:
  $ oc create configmap registry-config --from-file=<external_registry_address>=ca.crt -n openshift-config
  $ oc edit image.config.openshift.io cluster
  spec:
    additionalTrustedCA:
      name: registry-config
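The config map above is easy to get subtly wrong: a key containing a port must use the two-period form from callout 1, and a value that is not PEM-encoded is rejected by the prerequisite. The following added example (not OpenShift code) builds the manifest that the two oc commands produce, applying the key rewrite and checking the PEM framing first. The certificate text in it is a constructed placeholder with PEM framing around a short base64 body, not a real CA certificate; `registry-config` is the config map name used in the procedure.

```python
"""Build the registry-CA config map that additionalTrustedCA points at.

Added example, not OpenShift code. Applies the key rule from the callout above
(':' in host:port becomes '..') and checks the PEM prerequisite before the
manifest is emitted.
"""
import base64
import binascii
import json


def configmap_key(registry_address):
    """Config map keys may not contain ':', so host:port is written host..port."""
    return registry_address.replace(":", "..")


def is_pem_certificate(text):
    """Structural PEM check: CERTIFICATE framing around a valid base64 body."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) < 3:
        return False
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        return False
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error:
        return False
    return True


def build_registry_ca_configmap(cas, name="registry-config"):
    """`cas` maps a registry address (host or host:port) to the PEM text of its CA.

    Returns the ConfigMap manifest; it must live in the openshift-config namespace.
    """
    data = {}
    for address, pem in cas.items():
        if not is_pem_certificate(pem):
            raise ValueError(f"CA for {address} is not a PEM-encoded certificate")
        data[configmap_key(address)] = pem
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name, "namespace": "openshift-config"},
        "data": data,
    }


def image_config_patch(name="registry-config"):
    """The spec fragment set on image.config.openshift.io/cluster by the edit step."""
    return {"spec": {"additionalTrustedCA": {"name": name}}}


# Constructed placeholder: PEM framing around a short base64 body, not a real certificate.
PLACEHOLDER_PEM = "-----BEGIN CERTIFICATE-----\nMIIBAAAA\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    manifest = build_registry_ca_configmap({
        "registry.example.com": PLACEHOLDER_PEM,
        "registry-with-port.example.com:5000": PLACEHOLDER_PEM,
    })
    print(json.dumps(manifest, indent=2))
    print(json.dumps(image_config_patch(), indent=2))
```

The manifest can be applied with `oc apply -f` in place of the `oc create configmap --from-file` command when several registries need CAs at once; the `--from-file=<key>=<file>` form requires one argument per registry and leaves the key rewrite to you.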
9.3. Understanding image registry repository mirroring
Setting up container registry repository mirroring enables you to perform the following tasks:
- Configure your OpenShift Container Platform cluster to redirect requests to pull images from a repository on a source image registry and have it resolved by a repository on a mirrored image registry.
- Identify multiple mirrored repositories for each target repository, to make sure that if one mirror is down, another can be used.
Repository mirroring in OpenShift Container Platform includes the following attributes:
- Image pulls are resilient to registry downtimes.
- Clusters in disconnected environments can pull images from critical locations, such as quay.io, and have registries behind a company firewall provide the requested images.
- A particular order of registries is tried when an image pull request is made, with the permanent registry typically being the last one tried.
- The mirror information you enter is added to the /etc/containers/registries.conf file on every node in the OpenShift Container Platform cluster.
- When a node makes a request for an image from the source repository, it tries each mirrored repository in turn until it finds the requested content. If all mirrors fail, the cluster tries the source repository. If successful, the image is pulled to the node.
Setting up repository mirroring can be done in the following ways:
- At OpenShift Container Platform installation: - By pulling container images needed by OpenShift Container Platform and then bringing those images behind your company’s firewall, you can install OpenShift Container Platform into a datacenter that is in a disconnected environment. 
- After OpenShift Container Platform installation: If you did not configure mirroring during OpenShift Container Platform installation, you can do so postinstallation by using any of the following custom resource (CR) objects:
  - ImageDigestMirrorSet (IDMS). This object allows you to pull images from a mirrored registry by using digest specifications. The IDMS CR enables you to set a fall back policy that allows or stops continued attempts to pull from the source registry if the image pull fails.
  - ImageTagMirrorSet (ITMS). This object allows you to pull images from a mirrored registry by using image tags. The ITMS CR enables you to set a fall back policy that allows or stops continued attempts to pull from the source registry if the image pull fails.
  - ImageContentSourcePolicy (ICSP). This object allows you to pull images from a mirrored registry by using digest specifications. The ICSP CR always falls back to the source registry if the mirrors do not work.
    Important
    Using an ImageContentSourcePolicy (ICSP) object to configure repository mirroring is a deprecated feature. Deprecated functionality is still included in OpenShift Container Platform and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. If you have existing YAML files that you used to create ImageContentSourcePolicy objects, you can use the oc adm migrate icsp command to convert those files to an ImageDigestMirrorSet YAML file. For more information, see "Converting ImageContentSourcePolicy (ICSP) files for image registry repository mirroring" in the following section.
Each of these custom resource objects identifies the following information:
- The source of the container image repository you want to mirror.
- A separate entry for each mirror repository you want to offer the content requested from the source repository.
For new clusters, you can use IDMS, ITMS, and ICSP CR objects as desired. However, using IDMS and ITMS is recommended.
				If you upgraded a cluster, any existing ICSP objects remain stable, and both IDMS and ICSP objects are supported. Workloads using ICSP objects continue to function as expected. However, if you want to take advantage of the fallback policies introduced in the IDMS CRs, you can migrate current workloads to IDMS objects by using the oc adm migrate icsp command as shown in the Converting ImageContentSourcePolicy (ICSP) files for image registry repository mirroring section that follows. Migrating to IDMS objects does not require a cluster reboot.
			
					If your cluster uses an ImageDigestMirrorSet, ImageTagMirrorSet, or ImageContentSourcePolicy object to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.
				
9.3.1. Configuring image registry repository mirroring
You can create postinstallation mirror configuration custom resources (CR) to redirect image pull requests from a source image registry to a mirrored image registry.
Prerequisites
- Access to the cluster as a user with the cluster-admin role.
Procedure
- Configure mirrored repositories, by either:
  - Setting up a mirrored repository with Red Hat Quay, as described in Red Hat Quay Repository Mirroring. Using Red Hat Quay allows you to copy images from one repository to another and also automatically sync those repositories repeatedly over time.
  - Using a tool such as skopeo to copy images manually from the source repository to the mirrored repository.
    For example, after installing the skopeo RPM package on a Red Hat Enterprise Linux (RHEL) 7 or RHEL 8 system, use the skopeo command as shown in this example:
    $ skopeo copy \
        docker://registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:5cf... \
        docker://example.io/example/ubi-minimal
    In this example, you have a container image registry that is named example.io with an image repository named example to which you want to copy the ubi9/ubi-minimal image from registry.access.redhat.com. After you create the mirrored registry, you can configure your OpenShift Container Platform cluster to redirect requests made of the source repository to the mirrored repository.
 
- Log in to your OpenShift Container Platform cluster.
- Create a postinstallation mirror configuration CR, by using one of the following examples:
  - Create an ImageDigestMirrorSet or ImageTagMirrorSet CR, as needed, replacing the source and mirrors with your own registry and repository pairs and images:
    - 1
    - Indicates the API to use with this CR. This must be config.openshift.io/v1.
    - 2
    - Indicates the kind of object according to the pull type:
      - ImageDigestMirrorSet: Pulls a digest reference image.
      - ImageTagMirrorSet: Pulls a tag reference image.
    - 3
    - Indicates the type of image pull method, either:
      - imageDigestMirrors: Use for an ImageDigestMirrorSet CR.
      - imageTagMirrors: Use for an ImageTagMirrorSet CR.
    - 4
    - Indicates the name of the mirrored image registry and repository.
    - 5
    - Optional: Indicates a secondary mirror repository for each target repository. If one mirror is down, the target repository can use another mirror.
    - 6
    - Indicates the registry and repository source, which is the repository that is referred to in image pull specifications.
    - 7
    - Optional: Indicates the fallback policy if the image pull fails:
      - AllowContactingSource: Allows continued attempts to pull the image from the source repository. This is the default.
      - NeverContactSource: Prevents continued attempts to pull the image from the source repository.
    - 8
    - Optional: Indicates a namespace inside a registry, which allows you to use any image in that namespace. If you use a registry domain as a source, the object is applied to all repositories from the registry.
    - 9
    - Optional: Indicates a registry, which allows you to use any image in that registry. If you specify a registry name, the object is applied to all repositories from a source registry to a mirror registry.
    - 10
    - Pulls the image registry.example.com/example/myimage@sha256:… from the mirror mirror.example.net/image@sha256:….
    - 11
    - Pulls the image registry.example.com/example/image@sha256:… in the source registry namespace from the mirror mirror.example.net/image@sha256:….
    - 12
    - Pulls the image registry.example.com/myimage@sha256:… from the mirror registry example.net/registry-example-com/myimage@sha256:….
 
  - Create an ImageContentSourcePolicy custom resource, replacing the source and mirrors with your own registry and repository pairs and images:
 
- Create the new object:
  $ oc create -f registryrepomirror.yaml
  After the object is created, the Machine Config Operator (MCO) drains the nodes for ImageTagMirrorSet objects only. The MCO does not drain the nodes for ImageDigestMirrorSet and ImageContentSourcePolicy objects.
- To check that the mirrored configuration settings are applied, do the following on one of the nodes.
  - List your nodes:
    $ oc get node
    Example output
  - Start the debugging process to access the node:
    $ oc debug node/ip-10-0-147-35.ec2.internal
    Example output
    Starting pod/ip-10-0-147-35ec2internal-debug ...
    To use host binaries, run `chroot /host`
  - Change your root directory to /host:
    sh-4.2# chroot /host
  - Check the /etc/containers/registries.conf file to make sure the changes were made:
    sh-4.2# cat /etc/containers/registries.conf
    The following output represents a registries.conf file where postinstallation mirror configuration CRs were applied. The final two entries are marked digest-only and tag-only respectively.
    Example output
    - 1
- Indicates the repository that is referred to in a pull spec.
- 2
- Indicates the mirror for that repository.
- 3
- Indicates that the image pull from the mirror is a digest reference image.
- 4
- Indicates that the NeverContactSource parameter is set for this repository.
- 5
- Indicates that the image pull from the mirror is a tag reference image.
 
  - Pull an image to the node from the source and check if it is resolved by the mirror.
    sh-4.2# podman pull --log-level=debug registry.access.redhat.com/ubi9/ubi-minimal@sha256:5cf...
 
Troubleshooting repository mirroring
If the repository mirroring procedure does not work as described, use the following information about how repository mirroring works to help troubleshoot the problem.
- The first working mirror is used to supply the pulled image.
- The main registry is only used if no other mirror works.
- From the system context, the Insecure flags are used as fallback.
- The format of the /etc/containers/registries.conf file has changed recently. It is now version 2 and in TOML format.
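The troubleshooting rules above (first working mirror wins, the source registry is only tried last, and a digest-only mirror does not serve tag pulls) are what a node derives from the IDMS and ITMS objects, and they interact with the longest-matching source prefix in ways that are hard to reason about by reading registries.conf. The following added example (not OpenShift or CRI-O code) simulates that resolution for a pull spec. Its rules are constructed to match the callouts in the IDMS example earlier in this section (registry.example.com sources mirrored to mirror.example.net and example.net/registry-example-com) plus the ubi-minimal mirror from the skopeo step; the digests are placeholders. Two simplifications are assumed: source prefixes match on whole path components with the longest prefix winning, and NeverContactSource on any matching rule drops the source from the list.

```python
"""Simulate the order in which a node tries mirrors and the source for a pull spec.

Added example, not OpenShift or CRI-O code. IDMS entries serve only digest pulls
and ITMS entries only tag pulls, mirrors are tried in the order listed, and the
source registry is the last resort unless NeverContactSource is set.
"""
from dataclasses import dataclass


@dataclass
class MirrorRule:
    source: str          # registry, registry/namespace or registry/namespace/repo
    mirrors: list        # tried in the order listed
    digest_only: bool    # True for an IDMS entry, False for an ITMS entry
    policy: str = "AllowContactingSource"   # or "NeverContactSource"


def split_ref(pull_spec):
    """Return (repository, suffix, by_digest); suffix is ':tag', '@sha256:...' or both."""
    digest = ""
    if "@" in pull_spec:
        pull_spec, rest = pull_spec.split("@", 1)
        digest = "@" + rest
    tag = ""
    last_slash = pull_spec.rfind("/")
    colon = pull_spec.rfind(":")
    if colon > last_slash:      # ':' after the last '/' is a tag; before it, a registry port
        pull_spec, tag = pull_spec[:colon], pull_spec[colon:]
    return pull_spec, tag + digest, bool(digest)


def resolve(pull_spec, rules):
    """Ordered list of locations the runtime would try for pull_spec."""
    repo, suffix, by_digest = split_ref(pull_spec)
    parts = repo.split("/")

    def prefix_len(rule):
        src = rule.source.split("/")
        return len(src) if parts[:len(src)] == src else 0

    longest = max((prefix_len(r) for r in rules), default=0)
    if longest == 0:
        return [pull_spec]                      # no rule applies: source only
    matched = [r for r in rules if prefix_len(r) == longest]
    remainder = "/".join(parts[longest:])       # path below the source prefix, kept on the mirror

    candidates = []
    for rule in matched:
        if rule.digest_only != by_digest:       # digest-only mirrors skip tag pulls, and vice versa
            continue
        for mirror in rule.mirrors:
            location = mirror + ("/" + remainder if remainder else "") + suffix
            if location not in candidates:
                candidates.append(location)
    if all(r.policy != "NeverContactSource" for r in matched):
        candidates.append(pull_spec)            # the source is always the last resort
    return candidates


# Constructed rules mirroring the callouts above; digests below are placeholders.
RULES = [
    MirrorRule("registry.access.redhat.com/ubi9/ubi-minimal",
               ["example.io/example/ubi-minimal", "example.com/example/ubi-minimal"], True),
    MirrorRule("registry.example.com/example/myimage", ["mirror.example.net/image"], True,
               "NeverContactSource"),
    MirrorRule("registry.example.com/example", ["mirror.example.net"], True, "NeverContactSource"),
    MirrorRule("registry.example.com", ["example.net/registry-example-com"], True,
               "NeverContactSource"),
    # An ITMS entry for the same repository, so tag pulls also have a mirror.
    MirrorRule("registry.example.com/example/myimage", ["mirror.example.net/image"], False),
]

if __name__ == "__main__":
    for spec in ("registry.access.redhat.com/ubi9/ubi-minimal@sha256:5cf",
                 "registry.example.com/example/myimage@sha256:abc",
                 "registry.example.com/example/myimage:latest",
                 "registry.example.com/example/image@sha256:def",
                 "registry.example.com/myimage@sha256:123",
                 "docker.io/library/nginx:1.25"):
        print(spec, "->", resolve(spec, RULES))
```

Running it shows the failure mode the troubleshooting list hints at: a tag pull of a repository that only has an IDMS mirror goes straight to the source (or nowhere, under NeverContactSource), which is why a cluster that pulls by tag needs an ImageTagMirrorSet as well.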
9.3.2. Converting ImageContentSourcePolicy (ICSP) files for image registry repository mirroring
					Using an ImageContentSourcePolicy (ICSP) object to configure repository mirroring is a deprecated feature. This functionality is still included in OpenShift Container Platform and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments.
				
					ICSP objects are being replaced by ImageDigestMirrorSet and ImageTagMirrorSet objects to configure repository mirroring. If you have existing YAML files that you used to create ImageContentSourcePolicy objects, you can use the oc adm migrate icsp command to convert those files to an ImageDigestMirrorSet YAML file. The command updates the API to the current version, changes the kind value to ImageDigestMirrorSet, and changes spec.repositoryDigestMirrors to spec.imageDigestMirrors. The rest of the file is not changed.
				
					Because the migration does not change the registries.conf file, the cluster does not need to reboot.
				
					For more information about ImageDigestMirrorSet or ImageTagMirrorSet objects, see "Configuring image registry repository mirroring" in the previous section.
				
Prerequisites
- Access to the cluster as a user with the cluster-admin role.
- Ensure that you have ImageContentSourcePolicy objects on your cluster.
Procedure
- Use the following command to convert one or more ImageContentSourcePolicy YAML files to an ImageDigestMirrorSet YAML file:
  $ oc adm migrate icsp <file_name>.yaml <file_name>.yaml <file_name>.yaml --dest-dir <path_to_the_directory>
  where:
  <file_name>
    Specifies the name of the source ImageContentSourcePolicy YAML. You can list multiple file names.
  --dest-dir
    Optional: Specifies a directory for the output ImageDigestMirrorSet YAML. If unset, the file is written to the current directory.
  For example, the following command converts the icsp.yaml and icsp-2.yaml files and saves the new YAML files to the idms-files directory.
  $ oc adm migrate icsp icsp.yaml icsp-2.yaml --dest-dir idms-files
  Example output
  wrote ImageDigestMirrorSet to idms-files/imagedigestmirrorset_ubi8repo.5911620242173376087.yaml
  wrote ImageDigestMirrorSet to idms-files/imagedigestmirrorset_ubi9repo.6456931852378115011.yaml
- Create the CR object by running the following command:
  $ oc create -f <path_to_the_directory>/<file-name>.yaml
  where:
  <path_to_the_directory>
    Specifies the path to the directory, if you used the --dest-dir flag.
  <file_name>
    Specifies the name of the ImageDigestMirrorSet YAML.
 
- Remove the ICSP objects after the IDMS objects are rolled out.
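The migration above is done by oc adm migrate icsp, whose output you should still review before you create the objects and delete the old ICSPs. The following added example, which is not part of the OpenShift documentation and not the oc implementation, shows the three identifiers that differ between the two kinds (apiVersion, kind, and the spec list name) and a post-migration check that no mirrored source was dropped. The sample ImageContentSourcePolicy, the registry names in it, and the function names are constructed for this demonstration; it assumes the documented top-level layout and does not replace oc adm migrate icsp for real files.

```shell
#!/bin/sh
# Added example (not from the OpenShift docs and not the oc tool): the field
# mapping that ICSP-to-IDMS migration performs, plus a post-migration check.
# Assumptions: the ICSP uses the documented top-level layout (apiVersion
# operator.openshift.io/v1alpha1, spec.repositoryDigestMirrors with
# source/mirrors entries). The sample below is constructed for this demo.

# Write a constructed sample ImageContentSourcePolicy to the given path.
write_sample_icsp() {
    cat > "$1" <<'EOF'
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: ubi8repo
spec:
  repositoryDigestMirrors:
  - mirrors:
    - example.io/example/ubi-minimal
    - example.com/example/ubi-minimal
    source: registry.access.redhat.com/ubi8/ubi-minimal
  - mirrors:
    - mirror.example.net/image
    source: registry.example.com/example
EOF
}

# Rewrite an ICSP file into an IDMS file. Only the three identifiers that
# differ between the two kinds change; the source/mirrors entries have the
# same shape in both, so the mirror configuration is carried over unchanged.
icsp_to_idms() {
    sed \
        -e 's#^apiVersion: operator\.openshift\.io/v1alpha1$#apiVersion: config.openshift.io/v1#' \
        -e 's#^kind: ImageContentSourcePolicy$#kind: ImageDigestMirrorSet#' \
        -e 's#^  repositoryDigestMirrors:$#  imageDigestMirrors:#' \
        "$1" > "$2"
}

# Count "source:" entries in a file: each mirrored repository has exactly one,
# so equal counts before and after migration mean no mirror entry was lost.
count_sources() {
    grep -c '^ *source:' "$1"
}

# Post-migration check: the output must be an IDMS, carry no ICSP markers and
# keep every source. Returns 0 when all checks pass, 1 otherwise.
check_idms() {
    icsp="$1"; idms="$2"
    grep -q '^kind: ImageDigestMirrorSet$' "$idms" || { echo "not an IDMS: $idms"; return 1; }
    grep -q '^apiVersion: config.openshift.io/v1$' "$idms" || { echo "wrong apiVersion in $idms"; return 1; }
    if grep -Eq 'ImageContentSourcePolicy|repositoryDigestMirrors' "$idms"; then
        echo "ICSP fields left in $idms"; return 1
    fi
    [ "$(count_sources "$icsp")" -eq "$(count_sources "$idms")" ] || { echo "source count differs"; return 1; }
    echo "ok: $idms keeps $(count_sources "$idms") mirrored sources"
}
```

Run check_idms against each ICSP file and the IDMS file that oc adm migrate icsp wrote for it before the oc create step; the count comparison is the part worth keeping, because a mirror that silently disappears during migration means pulls for that source go back to the original registry.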
Chapter 10. Using images
10.1. Using images overview
Use the following topics to discover the different Source-to-Image (S2I), database, and other container images that are available for OpenShift Container Platform users.
Red Hat official container images are provided in the Red Hat Registry at registry.redhat.io. OpenShift Container Platform’s supported S2I, database, and Jenkins images are provided in the openshift4 repository in the Red Hat Quay Registry. For example, quay.io/openshift-release-dev/ocp-v4.0-<address> is the name of the OpenShift Application Platform image.
The xPaaS middleware images are provided in their respective product repositories on the Red Hat Registry but suffixed with a -openshift. For example, registry.redhat.io/jboss-eap-6/eap64-openshift is the name of the JBoss EAP image.
All Red Hat supported images covered in this section are described in the Container images section of the Red Hat Ecosystem Catalog. For every version of each image, you can find details on its contents and usage. Browse or search for the image that interests you.
The newer versions of container images are not compatible with earlier versions of OpenShift Container Platform. Verify and use the correct version of container images, based on your version of OpenShift Container Platform.
10.2. Source-to-image
You can use the Red Hat Software Collections images as a foundation for applications that rely on specific runtime environments such as Node.js, Perl, or Python. You can use the Red Hat Java Source-to-Image for OpenShift documentation as a reference for runtime environments that use Java. Special versions of some of these runtime base images are referred to as Source-to-Image (S2I) images. With S2I images, you can insert your code into a base image environment that is ready to run that code.
S2I images include:
- .NET
- Java
- Go
- Node.js
- Perl
- PHP
- Python
- Ruby
S2I images are available for you to use directly from the OpenShift Container Platform web console by following this procedure:
- Log in to the OpenShift Container Platform web console using your login credentials. The default view for the OpenShift Container Platform web console is the Administrator perspective.
- Use the perspective switcher to switch to the Developer perspective.
- In the +Add view, use the Project drop-down list to select an existing project or create a new project.
- Click All services in the Developer Catalog tile.
- Click Builder Images under Type to see the available S2I images.
S2I images are also available through the Cluster Samples Operator.
10.2.1. Source-to-image build process overview
Source-to-image (S2I) produces ready-to-run images by injecting source code into a container that prepares that source code to be run. It performs the following steps:
- Runs the FROM <builder image> command
- Copies the source code to a defined location in the builder image
- Runs the assemble script in the builder image
- Sets the run script in the builder image as the default command
Buildah then creates the container image.
10.3. Customizing source-to-image images
Source-to-image (S2I) builder images include assemble and run scripts, but the default behavior of those scripts is not suitable for all users. You can customize the behavior of an S2I builder that includes default scripts.
10.3.1. Invoking scripts embedded in an image
Builder images provide their own version of the source-to-image (S2I) scripts that cover the most common use cases. If these scripts do not fulfill your needs, S2I provides a way of overriding them by adding custom ones in the .s2i/bin directory. However, by doing this, you are completely replacing the standard scripts. In some cases, replacing the scripts is acceptable, but, in other scenarios, you can run a few commands before or after the scripts while retaining the logic of the script provided in the image. To reuse the standard scripts, you can create a wrapper script that runs custom logic and delegates further work to the default scripts in the image.
Procedure
- Look at the value of the io.openshift.s2i.scripts-url label to determine the location of the scripts inside of the builder image:

  $ podman inspect --format='{{ index .Config.Labels "io.openshift.s2i.scripts-url" }}' wildfly/wildfly-centos7

  Example output

  image:///usr/libexec/s2i

  You inspected the wildfly/wildfly-centos7 builder image and found out that the scripts are in the /usr/libexec/s2i directory.
- Create a script that includes an invocation of one of the standard scripts wrapped in other commands:

  .s2i/bin/assemble script

  This example shows a custom assemble script that prints the message, runs the standard assemble script from the image, and prints another message depending on the exit code of the assemble script.

  Important: When wrapping the run script, you must use exec for invoking it to ensure signals are handled properly. The use of exec also precludes the ability to run additional commands after invoking the default image run script.

  .s2i/bin/run script

  #!/bin/bash
  echo "Before running application"
  exec /usr/libexec/s2i/run
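The following added example, which is not from the OpenShift documentation or the S2I project, puts both wrappers described above into one file: an assemble wrapper that runs commands before and after the default script and propagates its exit code, and a run wrapper that hands off with exec so the application receives signals directly. It assumes the default scripts live in /usr/libexec/s2i, as the label lookup above reported for the wildfly/wildfly-centos7 image; the S2I_SCRIPTS_DIR variable and the function names are assumptions introduced for this example so the location can be overridden when testing outside a builder image.

```shell
#!/bin/bash
# Added example (not from the OpenShift docs or the S2I project): wrapper logic
# for .s2i/bin/assemble and .s2i/bin/run that delegates to the builder image's
# default scripts. Assumption: the default scripts live in /usr/libexec/s2i, as
# the io.openshift.s2i.scripts-url label reported; S2I_SCRIPTS_DIR is a
# hypothetical override used here so the wrappers can be exercised elsewhere.
S2I_SCRIPTS_DIR="${S2I_SCRIPTS_DIR:-/usr/libexec/s2i}"

# assemble wrapper: run custom steps, delegate to the default assemble, then act
# on its exit code. The exit code is returned unchanged so a failed build is
# still reported as failed to the S2I driver instead of being masked by the
# message printed afterwards.
wrap_assemble() {
    echo "Before assembling"
    "${S2I_SCRIPTS_DIR}/assemble" "$@"
    status=$?
    if [ "$status" -eq 0 ]; then
        echo "After successful assembling"
    else
        echo "After failed assembling (exit code $status)"
    fi
    return "$status"
}

# run wrapper: exec replaces this shell with the default run script, so the
# application becomes the container's main process and receives SIGTERM
# directly on pod deletion. Nothing placed after the exec line ever runs.
wrap_run() {
    echo "Before running application"
    exec "${S2I_SCRIPTS_DIR}/run" "$@"
}

# Dispatch on the script name, so the same file can be installed as both
# .s2i/bin/assemble and .s2i/bin/run.
case "$(basename "$0")" in
    assemble) wrap_assemble "$@" ;;
    run) wrap_run "$@" ;;
esac
```

Install the file as .s2i/bin/assemble and .s2i/bin/run (a copy or symlink each) and make both executable; S2I picks them up by name. The exit-code handling in wrap_assemble is the part to keep even if the messages go: a wrapper that prints and exits 0 after a failed default assemble produces an image that looks built but is missing its application.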
Legal Notice
Copyright © 2025 Red Hat
OpenShift documentation is licensed under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0).
Modified versions must remove all Red Hat trademarks.
Portions adapted from https://github.com/kubernetes-incubator/service-catalog/ with modifications by Red Hat.
Red Hat, Red Hat Enterprise Linux, the Red Hat logo, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.