12.2. Mise en miroir du référentiel d'images d'OpenShift Container Platform

PDF

Vous devez mettre en miroir les images de conteneur sur un registre miroir avant de pouvoir mettre à jour un cluster dans un environnement déconnecté. Vous pouvez également utiliser cette procédure dans les environnements connectés pour vous assurer que vos clusters n'exécutent que des images de conteneurs approuvées qui ont satisfait aux contrôles organisationnels pour le contenu externe.

Note

Votre registre miroir doit fonctionner en permanence lorsque le cluster est en cours d'exécution.

Les étapes suivantes décrivent le flux de travail de haut niveau pour la mise en miroir d'images dans un registre miroir :

Installer le CLI OpenShift (oc) sur tous les appareils utilisés pour récupérer et pousser les images de version.
Téléchargez le secret d'extraction du registre et ajoutez-le à votre cluster.
Si vous utilisez le plugin oc-mirror OpenShift CLI (oc) :
1. Installer le plugin oc-mirror sur tous les dispositifs utilisés pour récupérer et envoyer des images de version.
2. Créez un fichier de configuration du jeu d'images que le plugin utilisera pour déterminer les images de la version à mettre en miroir. Vous pouvez modifier ce fichier de configuration ultérieurement pour changer les images de la version que le plugin met en miroir.
3. Mettez en miroir vos images de versions ciblées directement dans un registre miroir, ou sur un support amovible, puis dans un registre miroir.
4. Configure your cluster to use the resources generated by the oc-mirror plugin.
5. Répétez ces étapes si nécessaire pour mettre à jour le registre du miroir.
Si vous utilisez la commandeoc adm release mirror :
1. Définissez les variables d'environnement correspondant à votre environnement et aux images de la version que vous souhaitez reproduire.
2. Mettez en miroir vos images de versions ciblées directement dans un registre miroir, ou sur un support amovible, puis dans un registre miroir.
3. Répétez ces étapes si nécessaire pour mettre à jour le registre du miroir.

Par rapport à la commande oc adm release mirror, le plugin oc-mirror présente les avantages suivants :

Il peut mettre en miroir des contenus autres que des images de conteneurs.
Après la première mise en miroir des images, il est plus facile de mettre à jour les images dans le registre.
Le plugin oc-mirror fournit un moyen automatisé de mettre en miroir la charge utile de Quay, et construit également la dernière image de données graphiques pour le service de mise à jour OpenShift fonctionnant dans l'environnement déconnecté.

12.2.1. Conditions préalables

You must have a container image registry that supports Docker v2-2 in the location that will host the OpenShift Container Platform cluster, such as Red Hat Quay.
Note
If you use Red Hat Quay, you must use version 3.6 or later with the oc-mirror plugin. If you have an entitlement to Red Hat Quay, see the documentation on deploying Red Hat Quay for proof-of-concept purposes or by using the Quay Operator. If you need additional assistance selecting and installing a registry, contact your sales representative or Red Hat Support.
Si vous n'avez pas de solution existante pour un registre d'images de conteneurs, le registre miroir pour Red Hat OpenShift est inclus dans les abonnements à OpenShift Container Platform. Le site mirror registry for Red Hat OpenShift est un registre de conteneurs à petite échelle que vous pouvez utiliser pour mettre en miroir les images de conteneurs OpenShift Container Platform dans des installations et des mises à jour déconnectées.

12.2.2. Preparing your mirror host

Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to the remote location.

12.2.2.1. Installer le CLI OpenShift en téléchargeant le binaire

Vous pouvez installer l'OpenShift CLI (oc) pour interagir avec OpenShift Container Platform à partir d'une interface de ligne de commande. Vous pouvez installer oc sur Linux, Windows ou macOS.

Important

Si vous avez installé une version antérieure de oc, vous ne pouvez pas l'utiliser pour effectuer toutes les commandes dans OpenShift Container Platform 4.12. Téléchargez et installez la nouvelle version de oc. Si vous mettez à niveau un cluster dans un environnement déconnecté, installez la version de oc vers laquelle vous prévoyez de passer.

Installation de la CLI OpenShift sur Linux

Vous pouvez installer le binaire OpenShift CLI (oc) sur Linux en utilisant la procédure suivante.

Procédure

Naviguez jusqu'à la page de téléchargements OpenShift Container Platform sur le portail client Red Hat.
Sélectionnez l'architecture dans la liste déroulante Product Variant.
Sélectionnez la version appropriée dans la liste déroulante Version.
Cliquez sur Download Now à côté de l'entrée OpenShift v4.12 Linux Client et enregistrez le fichier.
Décompressez l'archive :
```
tar xvf <file>
```
Placez le fichier binaire oc dans un répertoire situé sur votre site PATH.
Pour vérifier votre PATH, exécutez la commande suivante :
```
$ echo $PATH
```

Après l'installation de la CLI OpenShift, elle est disponible à l'aide de la commande oc:

oc <command>

Installation de la CLI OpenShift sur Windows

Vous pouvez installer le binaire OpenShift CLI (oc) sur Windows en utilisant la procédure suivante.

Procédure

Naviguez jusqu'à la page de téléchargements OpenShift Container Platform sur le portail client Red Hat.
Sélectionnez la version appropriée dans la liste déroulante Version.
Cliquez sur Download Now à côté de l'entrée OpenShift v4.12 Windows Client et enregistrez le fichier.
Décompressez l'archive à l'aide d'un programme ZIP.
Déplacez le fichier binaire oc dans un répertoire situé sur votre site PATH.
Pour vérifier votre PATH, ouvrez l'invite de commande et exécutez la commande suivante :
```
C:\N> path
```

Après l'installation de la CLI OpenShift, elle est disponible à l'aide de la commande oc:

C:\N> oc <command>

Installation de la CLI OpenShift sur macOS

Vous pouvez installer le binaire OpenShift CLI (oc) sur macOS en utilisant la procédure suivante.

Procédure

Naviguez jusqu'à la page de téléchargements OpenShift Container Platform sur le portail client Red Hat.
Sélectionnez la version appropriée dans la liste déroulante Version.
Cliquez sur Download Now à côté de l'entrée OpenShift v4.12 macOS Client et enregistrez le fichier.
Note
Pour macOS arm64, choisissez l'entrée OpenShift v4.12 macOS arm64 Client.
Décompressez l'archive.
Déplacez le binaire oc dans un répertoire de votre PATH.
Pour vérifier votre PATH, ouvrez un terminal et exécutez la commande suivante :
```
$ echo $PATH
```

Après l'installation de la CLI OpenShift, elle est disponible à l'aide de la commande oc:

oc <command>

Ressources supplémentaires

Installing and using CLI plugins

12.2.2.2. Configuration des informations d'identification permettant la mise en miroir des images

Créez un fichier d'informations d'identification pour le registre des images de conteneurs qui permet la mise en miroir des images de Red Hat vers votre miroir.

Avertissement

Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry.

Avertissement

This process requires that you have write access to a container image registry on the mirror registry and adds the credentials to a registry pull secret.

Conditions préalables

Vous avez configuré un registre miroir à utiliser dans votre environnement déconnecté.
You identified an image repository location on your mirror registry to mirror images into.
You provisioned a mirror registry account that allows images to be uploaded to that image repository.

Procédure

Effectuez les étapes suivantes sur l'hôte d'installation :

Téléchargez votre registry.redhat.io pull secret depuis le gestionnaire de cluster Red Hat OpenShift.

Faites une copie de votre secret d'extraction au format JSON :

$ cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json> 1

1: Indiquez le chemin d'accès au dossier dans lequel stocker le secret d'extraction et un nom pour le fichier JSON que vous créez.

Le contenu du fichier ressemble à l'exemple suivant :

{
  "auths": {
    "cloud.openshift.com": {
      "auth": "b3BlbnNo...",
      "email": "you@example.com"
    },
    "quay.io": {
      "auth": "b3BlbnNo...",
      "email": "you@example.com"
    },
    "registry.connect.redhat.com": {
      "auth": "NTE3Njg5Nj...",
      "email": "you@example.com"
    },
    "registry.redhat.io": {
      "auth": "NTE3Njg5Nj...",
      "email": "you@example.com"
    }
  }
}

Facultatif : si vous utilisez le plugin oc-mirror, enregistrez le fichier sous ~/.docker/config.json ou $XDG_RUNTIME_DIR/containers/auth.json.
Générer le nom d'utilisateur et le mot de passe ou le jeton encodés en base64 pour votre registre miroir :
```
$ echo -n '<user_name>:<password>' | base64 -w0 1
BGVtbYk3ZHAtqXs=
```
1
Pour <user_name> et <password>, indiquez le nom d'utilisateur et le mot de passe que vous avez configurés pour votre registre.

Modifiez le fichier JSON et ajoutez-y une section décrivant votre registre :

  "auths": {
    "<mirror_registry>": { 1
      "auth": "<credentials>", 2
      "email": "you@example.com"
    }
  },

1: Pour <mirror_registry>, indiquez le nom de domaine du registre, et éventuellement le port, que votre registre miroir utilise pour servir le contenu. Par exemple, registry.example.com ou registry.example.com:8443
2: Pour <credentials>, indiquez le nom d'utilisateur et le mot de passe encodés en base64 pour le registre miroir.

Le fichier ressemble à l'exemple suivant :

{
  "auths": {
    "registry.example.com": {
      "auth": "BGVtbYk3ZHAtqXs=",
      "email": "you@example.com"
    },
    "cloud.openshift.com": {
      "auth": "b3BlbnNo...",
      "email": "you@example.com"
    },
    "quay.io": {
      "auth": "b3BlbnNo...",
      "email": "you@example.com"
    },
    "registry.connect.redhat.com": {
      "auth": "NTE3Njg5Nj...",
      "email": "you@example.com"
    },
    "registry.redhat.io": {
      "auth": "NTE3Njg5Nj...",
      "email": "you@example.com"
    }
  }
}

12.2.3. Mise en miroir des ressources à l'aide du plugin oc-mirror

Vous pouvez utiliser le plugin oc-mirror OpenShift CLI (oc) pour mettre en miroir des images vers un registre miroir dans vos environnements totalement ou partiellement déconnectés. Vous devez exécuter oc-mirror à partir d'un système disposant d'une connectivité Internet pour télécharger les images requises à partir des registres officiels de Red Hat.

12.2.3.1. About the oc-mirror plugin

You can use the oc-mirror OpenShift CLI (oc) plugin to mirror all required OpenShift Container Platform content and other images to your mirror registry by using a single tool. It provides the following features:

Provides a centralized method to mirror OpenShift Container Platform releases, Operators, helm charts, and other images.
Maintains update paths for OpenShift Container Platform and Operators.
Uses a declarative image set configuration file to include only the OpenShift Container Platform releases, Operators, and images that your cluster needs.
Performs incremental mirroring, which reduces the size of future image sets.
Prunes images from the target mirror registry that were excluded from the image set configuration since the previous execution.
Optionally generates supporting artifacts for OpenShift Update Service (OSUS) usage.

When using the oc-mirror plugin, you specify which content to mirror in an image set configuration file. In this YAML file, you can fine-tune the configuration to only include the OpenShift Container Platform releases and Operators that your cluster needs. This reduces the amount of data that you need to download and transfer. The oc-mirror plugin can also mirror arbitrary helm charts and additional container images to assist users in seamlessly synchronizing their workloads onto mirror registries.

The first time you run the oc-mirror plugin, it populates your mirror registry with the required content to perform your disconnected cluster installation or update. In order for your disconnected cluster to continue receiving updates, you must keep your mirror registry updated. To update your mirror registry, you run the oc-mirror plugin using the same configuration as the first time you ran it. The oc-mirror plugin references the metadata from the storage backend and only downloads what has been released since the last time you ran the tool. This provides update paths for OpenShift Container Platform and Operators and performs dependency resolution as required.

Important

When using the oc-mirror CLI plugin to populate a mirror registry, any further updates to the mirror registry must be made using the oc-mirror tool.

12.2.3.2. oc-mirror compatibility and support

The oc-mirror plugin supports mirroring OpenShift Container Platform payload images and Operator catalogs for OpenShift Container Platform versions 4.9 and later.

Use the latest available version of the oc-mirror plugin regardless of which versions of OpenShift Container Platform you need to mirror.

12.2.3.3. À propos du registre miroir

You can mirror the images that are required for OpenShift Container Platform installation and subsequent product updates to a container mirror registry that supports Docker v2-2, such as Red Hat Quay. If you do not have access to a large-scale container registry, you can use the mirror registry for Red Hat OpenShift, which is a small-scale container registry included with OpenShift Container Platform subscriptions.

Regardless of your chosen registry, the procedure to mirror content from Red Hat hosted sites on the internet to an isolated image registry is the same. After you mirror the content, you configure each cluster to retrieve this content from your mirror registry.

Important

Le registre d'images OpenShift ne peut pas être utilisé comme registre cible car il ne prend pas en charge la poussée sans balise, ce qui est nécessaire pendant le processus de mise en miroir.

Si vous choisissez un registre de conteneurs qui n'est pas mirror registry for Red Hat OpenShift, il doit être accessible par chaque machine des clusters que vous provisionnez. Si le registre est inaccessible, l'installation, la mise à jour ou les opérations normales telles que la relocalisation de la charge de travail risquent d'échouer. Pour cette raison, vous devez exécuter les registres miroirs de manière hautement disponible, et les registres miroirs doivent au moins correspondre à la disponibilité de production de vos clusters OpenShift Container Platform.

Lorsque vous remplissez votre registre miroir avec des images OpenShift Container Platform, vous pouvez suivre deux scénarios. Si vous avez un hôte qui peut accéder à la fois à Internet et à votre registre miroir, mais pas à vos nœuds de cluster, vous pouvez directement mettre en miroir le contenu à partir de cette machine. Ce processus est appelé connected mirroring. Si vous ne disposez pas d'un tel hôte, vous devez mettre en miroir les images sur un système de fichiers, puis amener cet hôte ou ce support amovible dans votre environnement restreint. Ce processus est appelé disconnected mirroring.

Dans le cas des registres en miroir, pour connaître la source des images extraites, vous devez consulter l'entrée de journal Trying to access dans les journaux CRI-O. Les autres méthodes permettant d'afficher la source d'extraction des images, telles que la commande crictl images sur un nœud, affichent le nom de l'image non miroitée, même si l'image est extraite de l'emplacement miroitant.

Note

Red Hat ne teste pas les registres tiers avec OpenShift Container Platform.

Ressources supplémentaires

For information about viewing the CRI-O logs to view the image source, see Viewing the image pull source.

12.2.3.4. Installing the oc-mirror OpenShift CLI plugin

To use the oc-mirror OpenShift CLI plugin to mirror registry images, you must install the plugin. If you are mirroring image sets in a fully disconnected environment, ensure that you install the oc-mirror plugin on the host with internet access and the host in the disconnected environment with access to the mirror registry.

Conditions préalables

Vous avez installé l'OpenShift CLI (oc).

Procédure

Download the oc-mirror CLI plugin.
1. Navigate to the Downloads page of the OpenShift Cluster Manager Hybrid Cloud Console.
2. Under the OpenShift disconnected installation tools section, click Download for OpenShift Client (oc) mirror plugin and save the file.
Extract the archive:
```
$ tar xvzf oc-mirror.tar.gz
```
If necessary, update the plugin file to be executable:
```
$ chmod +x oc-mirror
```
Note
Do not rename the oc-mirror file.
Install the oc-mirror CLI plugin by placing the file in your PATH, for example, /usr/local/bin:
```
$ sudo mv oc-mirror /usr/local/bin/.
```

Vérification

Run oc mirror help to verify that the plugin was successfully installed:
```
$ oc-mirror help
```

12.2.3.5. Creating the image set configuration

Before you can use the oc-mirror plugin to mirror image sets, you must create an image set configuration file. This image set configuration file defines which OpenShift Container Platform releases, Operators, and other images to mirror, along with other configuration settings for the oc-mirror plugin.

You must specify a storage backend in the image set configuration file. This storage backend can be a local directory or a registry that supports Docker v2-2. The oc-mirror plugin stores metadata in this storage backend during image set creation.

Important

Do not delete or modify the metadata that is generated by the oc-mirror plugin. You must use the same storage backend every time you run the oc-mirror plugin for the same mirror registry.

Conditions préalables

You have created a container image registry credentials file. For instructions, see Configuring credentials that allow images to be mirrored.

Procédure

Use the oc mirror init command to create a template for the image set configuration and save it to a file called imageset-config.yaml:
```
oc mirror init --registry example.com/mirror/oc-mirror-metadata > imageset-config.yaml 1
```
1
Replace example.com/mirror/oc-mirror-metadata with the location of your registry for the storage backend.
Edit the file and adjust the settings as necessary:
```
kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
archiveSize: 4                                                      1
storageConfig:                                                      2
  registry:
    imageURL: example.com/mirror/oc-mirror-metadata                 3
    skipTLS: false
mirror:
  platform:
    channels:
    - name: stable-4.12                                             4
      type: ocp
    graph: true                                                     5
  operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.12  6
    packages:
    - name: serverless-operator                                     7
      channels:
      - name: stable                                                8
  additionalImages:
  - name: registry.redhat.io/ubi8/ubi:latest                        9
  helm: {}
```
1
Add archiveSize to set the maximum size, in GiB, of each file within the image set.
2
Set the back-end location to save the image set metadata to. This location can be a registry or local directory. It is required to specify storageConfig values, unless you are using the Technology Preview OCI feature.
3
Set the registry URL for the storage backend.
4
Set the channel to retrieve the OpenShift Container Platform images from.
5
Add graph: true to build and push the graph-data image to the mirror registry. The graph-data image is required to create OpenShift Update Service (OSUS) applications. The graph: true field also generates the UpdateService CR manifest. The oc command-line interface (CLI) can use the UpdateService CR manifest to create OSUS applications. For more information, see About the OpenShift Update Service.
6
Set the Operator catalog to retrieve the OpenShift Container Platform images from.
7
Specify only certain Operator packages to include in the image set. Remove this field to retrieve all packages in the catalog.
8
Specify only certain channels of the Operator packages to include in the image set. You must always include the default channel for the Operator package even if you do not use the bundles in that channel. You can find the default channel by running the following command: oc mirror list operators --catalog=<catalog_name> --package=<package_name>.
9
Specify any additional images to include in image set.
See Image set configuration parameters for the full list of parameters and Image set configuration examples for various mirroring use cases.
Save the updated file.
This image set configuration file is required by the oc mirror command when mirroring content.

Ressources supplémentaires

12.2.3.6. Mirroring an image set to a mirror registry

Vous pouvez utiliser le plugin CLI oc-mirror pour mettre en miroir des images vers un registre miroir dans un environnement partiellement déconnecté ou dans un environnement totalement déconnecté.

Les procédures suivantes supposent que le registre du miroir est déjà configuré.

12.2.3.6.1. Mirroring an image set in a partially disconnected environment

In a partially disconnected environment, you can mirror an image set directly to the target mirror registry.

12.2.3.6.1.1. Mirroring from mirror to mirror

You can use the oc-mirror plugin to mirror an image set directly to a target mirror registry that is accessible during image set creation.

You are required to specify a storage backend in the image set configuration file. This storage backend can be a local directory or a Docker v2 registry. The oc-mirror plugin stores metadata in this storage backend during image set creation.

Important

Do not delete or modify the metadata that is generated by the oc-mirror plugin. You must use the same storage backend every time you run the oc-mirror plugin for the same mirror registry.

Conditions préalables

You have access to the internet to obtain the necessary container images.
Vous avez installé l'OpenShift CLI (oc).
You have installed the oc-mirror CLI plugin.
You have created the image set configuration file.

Procédure

Run the oc mirror command to mirror the images from the specified image set configuration to a specified registry:
```
$ oc mirror --config=./imageset-config.yaml \1
  docker://registry.example:5000             2
```
1
Pass in the image set configuration file that was created. This procedure assumes that it is named imageset-config.yaml.
2
Specify the registry to mirror the image set file to. The registry must start with docker://. If you specify a top-level namespace for the mirror registry, you must also use this same namespace on subsequent executions.

Vérification

Navigate into the oc-mirror-workspace/ directory that was generated.
Navigate into the results directory, for example, results-1639608409/.
Verify that YAML files are present for the ImageContentSourcePolicy and CatalogSource resources.

Prochaines étapes

Configure your cluster to use the resources generated by oc-mirror.

12.2.3.6.2. Mirroring an image set in a fully disconnected environment

Pour mettre en miroir un jeu d'images dans un environnement totalement déconnecté, vous devez d'abord mettre en miroir le jeu d'images sur le disque, puis mettre en miroir le fichier du jeu d'images sur le disque vers un miroir.

12.2.3.6.2.1. Mirroring from mirror to disk

You can use the oc-mirror plugin to generate an image set and save the contents to disk. The generated image set can then be transferred to the disconnected environment and mirrored to the target registry.

Important

Depending on the configuration specified in the image set configuration file, using oc-mirror to mirror images might download several hundreds of gigabytes of data to disk.

The initial image set download when you populate the mirror registry is often the largest. Because you only download the images that changed since the last time you ran the command, when you run the oc-mirror plugin again, the generated image set is often smaller.

You are required to specify a storage backend in the image set configuration file. This storage backend can be a local directory or a docker v2 registry. The oc-mirror plugin stores metadata in this storage backend during image set creation.

Important

Do not delete or modify the metadata that is generated by the oc-mirror plugin. You must use the same storage backend every time you run the oc-mirror plugin for the same mirror registry.

Conditions préalables

You have access to the internet to obtain the necessary container images.
Vous avez installé l'OpenShift CLI (oc).
You have installed the oc-mirror CLI plugin.
You have created the image set configuration file.

Procédure

Run the oc mirror command to mirror the images from the specified image set configuration to disk:
```
$ oc mirror --config=./imageset-config.yaml \1
  file://<path_to_output_directory>          2
```
1
Pass in the image set configuration file that was created. This procedure assumes that it is named imageset-config.yaml.
2
Specify the target directory where you want to output the image set file. The target directory path must start with file://.

Vérification

Navigate to your output directory:
```
$ cd <path_to_output_directory>
```
Verify that an image set .tar file was created:
```
$ ls
```
Exemple de sortie
```
mirror_seq1_000000.tar
```

Prochaines étapes

Transfer the image set .tar file to the disconnected environment.

12.2.3.6.2.2. Mirroring from disk to mirror

You can use the oc-mirror plugin to mirror the contents of a generated image set to the target mirror registry.

Conditions préalables

You have installed the OpenShift CLI (oc) in the disconnected environment.
You have installed the oc-mirror CLI plugin in the disconnected environment.
You have generated the image set file by using the oc mirror command.
You have transferred the image set file to the disconnected environment.

Procédure

Run the oc mirror command to process the image set file on disk and mirror the contents to a target mirror registry:
```
$ oc mirror --from=./mirror_seq1_000000.tar \1
  docker://registry.example:5000             2
```
1
Pass in the image set .tar file to mirror, named mirror_seq1_000000.tar in this example. If an archiveSize value was specified in the image set configuration file, the image set might be broken up into multiple .tar files. In this situation, you can pass in a directory that contains the image set .tar files.
2
Specify the registry to mirror the image set file to. The registry must start with docker://. If you specify a top-level namespace for the mirror registry, you must also use this same namespace on subsequent executions.
This command updates the mirror registry with the image set and generates the ImageContentSourcePolicy and CatalogSource resources.

Vérification

Navigate into the oc-mirror-workspace/ directory that was generated.
Navigate into the results directory, for example, results-1639608409/.
Verify that YAML files are present for the ImageContentSourcePolicy and CatalogSource resources.

Prochaines étapes

Configure your cluster to use the resources generated by oc-mirror.

12.2.3.7. Configuring your cluster to use the resources generated by oc-mirror

After you have mirrored your image set to the mirror registry, you must apply the generated ImageContentSourcePolicy, CatalogSource, and release image signature resources into the cluster.

The ImageContentSourcePolicy resource associates the mirror registry with the source registry and redirects image pull requests from the online registries to the mirror registry. The CatalogSource resource is used by Operator Lifecycle Manager (OLM) to retrieve information about the available Operators in the mirror registry. The release image signatures are used to verify the mirrored release images.

Conditions préalables

You have mirrored the image set to the registry mirror in the disconnected environment.
Vous avez accès au cluster en tant qu'utilisateur ayant le rôle cluster-admin.

Procédure

Log in to the OpenShift CLI as a user with the cluster-admin role.
Apply the YAML files from the results directory to the cluster by running the following command:
```
$ oc apply -f ./oc-mirror-workspace/results-1639608409/
```
Apply the release image signatures to the cluster by running the following command:
```
$ oc apply -f ./oc-mirror-workspace/results-1639608409/release-signatures/
```

Vérification

Verify that the ImageContentSourcePolicy resources were successfully installed by running the following command:
```
$ oc get imagecontentsourcepolicy --all-namespaces
```
Verify that the CatalogSource resources were successfully installed by running the following command:
```
$ oc get catalogsource --all-namespaces
```

12.2.3.8. Keeping your mirror registry content updated

Après avoir rempli le registre du miroir cible avec le jeu d'images initial, vous devez le mettre à jour régulièrement pour qu'il contienne le contenu le plus récent. Si possible, vous pouvez configurer une tâche cron pour mettre à jour le registre miroir régulièrement.

Mettez à jour votre configuration d'ensemble d'images pour ajouter ou supprimer les versions d'OpenShift Container Platform et d'Operator si nécessaire. Les images supprimées sont élaguées du registre des miroirs.

12.2.3.8.1. About updating your mirror registry content

When you run the oc-mirror plugin again, it generates an image set that only contains new and updated images since the previous execution. Because it only pulls in the differences since the previous image set was created, the generated image set is often smaller and faster to process than the initial image set.

Important

Generated image sets are sequential and must be pushed to the target mirror registry in order. You can derive the sequence number from the file name of the generated image set archive file.

Adding new and updated images

Depending on the settings in your image set configuration, future executions of oc-mirror can mirror additional new and updated images. Review the settings in your image set configuration to ensure that you are retrieving new versions as necessary. For example, you can set the minimum and maximum versions of Operators to mirror if you want to restrict to specific versions. Alternatively, you can set the minimum version as a starting point to mirror, but keep the version range open so you keep receiving new Operator versions on future executions of oc-mirror. Omitting any minimum or maximum version gives you the full version history of an Operator in a channel. Omitting explicitly named channels gives you all releases in all channels of the specified Operator. Omitting any named Operator gives you the entire catalog of all Operators and all their versions ever released.

All these constraints and conditions are evaluated against the publicly released content by Red Hat on every invocation of oc-mirror. This way, it automatically picks up new releases and entirely new Operators. Constraints can be specified by only listing a desired set of Operators, which will not automatically add other newly released Operators into the mirror set. You can also specify a particular release channel, which limits mirroring to just this channel and not any new channels that have been added. This is important for Operator products, such as Red Hat Quay, that use different release channels for their minor releases. Lastly, you can specify a maximum version of a particular Operator, which causes the tool to only mirror the specified version range so that you do not automatically get any newer releases past the maximum version mirrored. In all these cases, you must update the image set configuration file to broaden the scope of the mirroring of Operators to get other Operators, new channels, and newer versions of Operators to be available in your target registry.

It is recommended to align constraints like channel specification or version ranges with the release strategy that a particular Operator has chosen. For example, when the Operator uses a stable channel, you should restrict mirroring to that channel and potentially a minimum version to find the right balance between download volume and getting stable updates regularly. If the Operator chooses a release version channel scheme, for example stable-3.7, you should mirror all releases in that channel. This allows you to keep receiving patch versions of the Operator, for example 3.7.1. You can also regularly adjust the image set configuration to add channels for new product releases, for example stable-3.8.

Pruning images

Images are pruned automatically from the target mirror registry if they are no longer included in the latest image set that was generated and mirrored. This allows you to easily manage and clean up unneeded content and reclaim storage resources.

If there are OpenShift Container Platform releases or Operator versions that you no longer need, you can modify your image set configuration to exclude them, and they will be pruned from the mirror registry upon mirroring. This can be done by adjusting a minimum or maximum version range setting per Operator in the image set configuration file or by deleting the Operator from the list of Operators to mirror from the catalog. You can also remove entire Operator catalogs or entire OpenShift Container Platform releases from the configuration file.

Important

If there are no new or updated images to mirror, the excluded images are not pruned from the target mirror registry. Additionally, if an Operator publisher removes an Operator version from a channel, the removed versions are pruned from the target mirror registry.

To disable automatic pruning of images from the target mirror registry, pass the --skip-pruning flag to the oc mirror command.

12.2.3.8.2. Updating your mirror registry content

After you publish the initial image set to the mirror registry, you can use the oc-mirror plugin to keep your disconnected clusters updated.

Depending on your image set configuration, oc-mirror automatically detects newer releases of OpenShift Container Platform and your selected Operators that have been released after you completed the inital mirror. It is recommended to run oc-mirror at regular intervals, for example in a nightly cron job, to receive product and security updates on a timely basis.

Conditions préalables

You have used the oc-mirror plugin to mirror the initial image set to your mirror registry.
You have access to the storage backend that was used for the initial execution of the oc-mirror plugin.
Note
You must use the same storage backend as the initial execution of oc-mirror for the same mirror registry. Do not delete or modify the metadata image that is generated by the oc-mirror plugin.

Procédure

If necessary, update your image set configuration file to pick up new OpenShift Container Platform and Operator versions. See Image set configuration examples for example mirroring use cases.
Follow the same steps that you used to mirror your initial image set to the mirror registry. For instructions, see Mirroring an image set in a partially disconnected environment or Mirroring an image set in a fully disconnected environment.
Important
- You must provide the same storage backend so that only a differential image set is created and mirrored.
- If you specified a top-level namespace for the mirror registry during the initial image set creation, then you must use this same namespace every time you run the oc-mirror plugin for the same mirror registry.
Configure your cluster to use the resources generated by oc-mirror.

Ressources supplémentaires

12.2.3.9. Performing a dry run

You can use oc-mirror to perform a dry run, without actually mirroring any images. This allows you to review the list of images that would be mirrored, as well as any images that would be pruned from the mirror registry. It also allows you to catch any errors with your image set configuration early or use the generated list of images with other tools to carry out the mirroring operation.

Conditions préalables

You have access to the internet to obtain the necessary container images.
Vous avez installé l'OpenShift CLI (oc).
You have installed the oc-mirror CLI plugin.
You have created the image set configuration file.

Procédure

Run the oc mirror command with the --dry-run flag to perform a dry run:

$ oc mirror --config=./imageset-config.yaml \1
  docker://registry.example:5000            \2
  --dry-run                                  3

1: Pass in the image set configuration file that was created. This procedure assumes that it is named imageset-config.yaml.
2: Specify the mirror registry. Nothing is mirrored to this registry as long as you use the --dry-run flag.
3: Use the --dry-run flag to generate the dry run artifacts and not an actual image set file.

Exemple de sortie

Checking push permissions for registry.example:5000
Creating directory: oc-mirror-workspace/src/publish
Creating directory: oc-mirror-workspace/src/v2
Creating directory: oc-mirror-workspace/src/charts
Creating directory: oc-mirror-workspace/src/release-signatures
No metadata detected, creating new workspace
wrote mirroring manifests to oc-mirror-workspace/operators.1658342351/manifests-redhat-operator-index

...

info: Planning completed in 31.48s
info: Dry run complete
Writing image mapping to oc-mirror-workspace/mapping.txt

Navigate into the workspace directory that was generated:
```
$ cd oc-mirror-workspace/
```
Review the mapping.txt file that was generated.
This file contains a list of all images that would be mirrored.
Review the pruning-plan.json file that was generated.
This file contains a list of all images that would be pruned from the mirror registry when the image set is published.
Note
The pruning-plan.json file is only generated if your oc-mirror command points to your mirror registry and there are images to be pruned.

12.2.3.10. Mirroring file-based catalog Operator images in OCI format

You can use the oc-mirror plugin to mirror Operators in the Open Container Initiative (OCI) image format, instead of Docker v2 format. You can copy Operator images to a file-based catalog on disk in OCI format. Then you can copy local OCI images to your target mirror registry.

Important

Using the oc-mirror plugin to mirror Operator images in OCI format is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

Pour plus d'informations sur la portée de l'assistance des fonctionnalités de l'aperçu technologique de Red Hat, voir Portée de l'assistance des fonctionnalités de l'aperçu technologique.

Conditions préalables

You have access to the internet to obtain the necessary container images.
Vous avez installé l'OpenShift CLI (oc).
You have installed the oc-mirror CLI plugin.

Procédure

Optional: Retrieve the catalogs and images that you require and save them to disk. If you already have the catalog image in OCI format on disk, you can skip this step.
1. Create the image set configuration file:
  Example image set configuration file for copying to disk
```
kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
mirror:
 operators:
 - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.12
   packages:
   - name: aws-load-balancer-operator
```
  Note
  When using the OCI feature, only the mirror.operators.catalog setting is available for use.
  The storageConfig setting is ignored in favor of the location passed in to the oc mirror command.
2. Run the oc mirror command to mirror the images from the specified image set configuration to disk:
```
$ oc mirror --config=./imageset-config.yaml \ 1
  --use-oci-feature \                         2
  --oci-feature-action=copy \                 3
  oci://my-oci-catalog                        4
```
  1
  Pass in the image set configuration file. This procedure assumes that it is named imageset-config.yaml.
  2
  Use the --use-oci-feature flag to enable the OCI feature.
  3
  To copy the catalog to disk, set the --oci-feature-action flag to copy.
  4
  Specify a directory on disk where you want to output the catalog. This procedure assumes that it is named my-oci-catalog. The path must start with oci://. If the specified directory is not a full path, the directory is created in the current working directory where the oc mirror command is run.
  Note
  You can optionally use the --oci-registries-config flag to specify the path to a TOML-formatted registries.conf file. You can use this to mirror from a different registry, such as a pre-production location for testing, without having to change the image set configuration file.
  Example registries.conf file
  
  [[registry]] location = "registry.redhat.io:5000" insecure = false blocked = false mirror-by-digest-only = true prefix = "" [[registry.mirror]] location = "preprod-registry.example.com" insecure = false
  
  Set the location field in the registry.mirror section to an alternative registry location that you want to pull images from. The location field in the registry section must be the same registry location as the one you specify in the image set configuration file.
3. List your directory contents and verify that the following directories were created:
```
$ ls -l
```
  Exemple de sortie
```
my-oci-catalog      1
oc-mirror-workspace 2
olm_artifacts       3
```
  1
  Directory that contains the OCI catalog. This procedure assumes that it is named my-oci-catalog.
  2
  Directory that contains each image in the catalog in its original format.
  3
  Directory that contains the files that describe the Operator bundles that this catalog references.
Update the image set configuration file to specify the location of the catalog on disk to mirror to the target mirror registry:
Example image set configuration file for mirroring to mirror registry
```
kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
mirror:
 operators:
 - catalog: oci:///home/user/oc-mirror/my-oci-catalog/redhat-operator-index 1
   packages:
   - name: aws-load-balancer-operator
```
1
Specify the absolute path to the location of the OCI catalog on disk. This procedure assumes that you used my-oci-catalog as the directory and mirrored the redhat-operator-index catalog. The path must start with oci://.
Run the oc mirror command to process the image set file on disk and mirror the contents to a target mirror registry:
```
$ oc mirror --config=./imageset-config.yaml \ 1
  --use-oci-feature \                         2
  --oci-feature-action=mirror \               3
  docker://registry.example:5000              4
```
1
Pass in the updated image set configuration file. This procedure assumes that it is named imageset-config.yaml.
2
Use the --use-oci-feature flag to enable the OCI feature.
3
To mirror the catalog to the target mirror registry, set the --oci-feature-action flag to mirror.
4
Specify the registry to mirror the image set file to. The registry must start with docker://. If you specify a top-level namespace for the mirror registry, you must also use this same namespace on subsequent executions.
Note
You can optionally use the --oci-insecure-signature-policy flag to not push signatures to the target mirror registry.

Prochaines étapes

Configure your cluster to use the resources generated by oc-mirror.

Ressources supplémentaires

File-based catalogs

12.2.3.11. Image set configuration parameters

The oc-mirror plugin requires an image set configuration file that defines what images to mirror. The following table lists the available parameters for the ImageSetConfiguration resource.

Tableau 12.1. ImageSetConfiguration parameters
Paramètres	Description	Valeurs
`apiVersion`	The API version for the `ImageSetConfiguration` content.	String. For example: `mirror.openshift.io/v1alpha2`.
`archiveSize`	The maximum size, in GiB, of each archive file within the image set.	Integer. For example: `4`
`mirror`	The configuration of the image set.	Objet
`mirror.additionalImages`	The additional images configuration of the image set.	Array of objects. For example: additionalImages: - name: registry.redhat.io/ubi8/ubi:latest
`mirror.additionalImages.name`	The tag or digest of the image to mirror.	String. For example: `registry.redhat.io/ubi8/ubi:latest`
`mirror.blockedImages`	The full tag, digest, or pattern of images to block from mirroring.	Array of strings. For example: `docker.io/library/alpine`
`mirror.helm`	The helm configuration of the image set. Note that the oc-mirror plugin supports only helm charts that do not require user input when rendered.	Objet
`mirror.helm.local`	The local helm charts to mirror.	Array of objects. For example: local: - name: podinfo path: /test/podinfo-5.0.0.tar.gz
`mirror.helm.local.name`	The name of the local helm chart to mirror.	String. For example: `podinfo`.
`mirror.helm.local.path`	The path of the local helm chart to mirror.	String. For example: `/test/podinfo-5.0.0.tar.gz`.
`mirror.helm.repositories`	The remote helm repositories to mirror from.	Array of objects. For example: repositories: - name: podinfo url: https://example.github.io/podinfo charts: - name: podinfo version: 5.0.0
`mirror.helm.repositories.name`	The name of the helm repository to mirror from.	String. For example: `podinfo`.
`mirror.helm.repositories.url`	The URL of the helm repository to mirror from.	String. For example: `https://example.github.io/podinfo`.
`mirror.helm.repositories.charts`	The remote helm charts to mirror.	Array of objects.
`mirror.helm.repositories.charts.name`	The name of the helm chart to mirror.	String. For example: `podinfo`.
`mirror.helm.repositories.charts.version`	The version of the named helm chart to mirror.	String. For example: `5.0.0`.
`mirror.operators`	The Operators configuration of the image set.	Array of objects. For example: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.12 packages: - name: elasticsearch-operator minVersion: '2.4.0'
`mirror.operators.catalog`	The Operator catalog to include in the image set.	String. For example: `registry.redhat.io/redhat/redhat-operator-index:v4.12`.
`mirror.operators.full`	When `true`, downloads the full catalog, Operator package, or Operator channel.	Boolean. The default value is `false`.
`mirror.operators.packages`	The Operator packages configuration.	Array of objects. For example: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.12 packages: - name: elasticsearch-operator minVersion: '5.2.3-31'
`mirror.operators.packages.name`	The Operator package name to include in the image set	String. For example: `elasticsearch-operator`.
`mirror.operators.packages.channels`	The Operator package channel configuration.	Objet
`mirror.operators.packages.channels.name`	The Operator channel name, unique within a package, to include in the image set.	String. For example: `fast` or `stable-v4.12`.
`mirror.operators.packages.channels.maxVersion`	The highest version of the Operator mirror across all channels in which it exists.	String. For example: `5.2.3-31`
`mirror.operators.packages.channels.minBundle`	The name of the minimum bundle to include, plus all bundles in the upgrade graph to the channel head. Set this field only if the named bundle has no semantic version metadata.	String. For example: `bundleName`
`mirror.operators.packages.channels.minVersion`	The lowest version of the Operator to mirror across all channels in which it exists.	String. For example: `5.2.3-31`
`mirror.operators.packages.maxVersion`	The highest version of the Operator to mirror across all channels in which it exists.	String. For example: `5.2.3-31`.
`mirror.operators.packages.minVersion`	The lowest version of the Operator to mirror across all channels in which it exists.	String. For example: `5.2.3-31`.
`mirror.operators.skipDependencies`	If `true`, dependencies of bundles are not included.	Boolean. The default value is `false`.
`mirror.operators.targetName`	Optional alternative name to mirror the referenced catalog as.	String. For example: `my-operator-catalog`
`mirror.operators.targetTag`	Optional alternative tag to append to the `targetName`.	String. For example: `v1`
`mirror.platform`	The platform configuration of the image set.	Objet
`mirror.platform.architectures`	The architecture of the platform release payload to mirror.	Array of strings. For example: architectures: - amd64 - arm64
`mirror.platform.channels`	The platform channel configuration of the image set.	Array of objects. For example: channels: - name: stable-4.10 - name: stable-4.12
`mirror.platform.channels.full`	When `true`, sets the `minVersion` to the first release in the channel and the `maxVersion` to the last release in the channel.	Boolean. The default value is `false`.
`mirror.platform.channels.name`	The name of the release channel.	String. For example: `stable-4.12`
`mirror.platform.channels.minVersion`	The minimum version of the referenced platform to be mirrored.	String. For example: `4.9.6`
`mirror.platform.channels.maxVersion`	The highest version of the referenced platform to be mirrored.	String. For example: `4.12.1`
`mirror.platform.channels.shortestPath`	Toggles shortest path mirroring or full range mirroring.	Boolean. The default value is `false`.
`mirror.platform.channels.type`	The type of the platform to be mirrored.	String. For example: `ocp` or `okd`. The default is `ocp`.
`mirror.platform.graph`	Indicates whether the OSUS graph is added to the image set and subsequently published to the mirror.	Boolean. The default value is `false`.
`storageConfig`	The back-end configuration of the image set.	Objet
`storageConfig.local`	The local back-end configuration of the image set.	Objet
`storageConfig.local.path`	The path of the directory to contain the image set metadata.	String. For example: `./path/to/dir/`.
`storageConfig.registry`	The registry back-end configuration of the image set.	Objet
`storageConfig.registry.imageURL`	The back-end registry URI. Can optionally include a namespace reference in the URI.	String. For example: `quay.io/myuser/imageset:metadata`.
`storageConfig.registry.skipTLS`	Optionally skip TLS verification of the referenced back-end registry.	Boolean. The default value is `false`.

12.2.3.12. Image set configuration examples

The following ImageSetConfiguration file examples show the configuration for various mirroring use cases.

Use case: Including arbitrary images and helm charts

The following ImageSetConfiguration file uses a registry storage backend and includes helm charts and an additional Red Hat Universal Base Image (UBI).