이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Disconnected environments
Managing OpenShift Container Platform clusters in a disconnected environment
Abstract
Chapter 1. About disconnected environments
A disconnected environment is an environment that does not have full access to the internet.
OpenShift Container Platform is designed to perform many automatic functions that depend on an internet connection, such as retrieving release images from a registry or retrieving update paths and recommendations for the cluster. Without a direct internet connection, you must perform additional setup and configuration for your cluster to maintain full functionality in the disconnected environment.
1.1. Glossary of disconnected environment terms
Although it is used throughout the OpenShift Container Platform documentation, disconnected environment is a broad term that can refer to environments with various levels of internet connectivity. Other terms are sometimes used to refer to a specific level of internet connectivity, and these environments might require additional unique configurations.
The following table describes the different terms used to refer to environments without a full internet connection:
| Term | Description | 
|---|---|
| Air-gapped network | An environment or network that is completely isolated from an external network. This isolation depends on a physical separation, or an "air gap", between machines on the internal network and any other part of an external network. Air-gapped environments are often used in industries with strict security or regulatory requirements. | 
| Disconnected environment | An environment or network that has some level of isolation from an external network. This isolation could be enabled by physical or logical separation between machines on the internal network and an external network. Regardless of the level of isolation from the external network, a cluster in a disconnected environment does not have access to public services hosted by Red Hat and requires additional setup to maintain full cluster functionality. | 
| Restricted Network | An environment or network with limited connection to an external network. A physical connection may exist between machines on the internal network and an external network, but network traffic is limited by additional configurations, such as with firewalls and proxies. | 
1.2. Preferred methods for working with disconnected environments
				You can choose between multiple options for most aspects of managing a cluster in a disconnected environment. For example, when mirroring images you can choose between using the oc-mirror OpenShift CLI (oc) plugin or using the oc adm command.
			
However, some options provide a simpler and more convenient user experience for disconnected environments, and are the preferred method over their alternatives.
Unless your organizational needs require you to choose another option, use the following methods for mirroring images, installing your cluster, and updating your cluster:
- Mirror your images using the oc-mirror plugin v2.
- Install your cluster using the Agent-based Installer.
- Update your cluster using a local OpenShift Update Service instance.
Chapter 2. Converting a connected cluster to a disconnected cluster
There might be some scenarios where you need to convert your OpenShift Container Platform cluster from a connected cluster to a disconnected cluster.
A disconnected cluster, also known as a restricted cluster, does not have an active connection to the internet. As such, you must mirror the contents of your registries and installation media. You can create this mirror registry on a host that can access both the internet and your closed network, or copy images to a device that you can move across network boundaries.
This topic describes the general process for converting an existing, connected cluster into a disconnected cluster.
2.1. About the mirror registry
You can mirror the images that are required for OpenShift Container Platform installation and subsequent product updates to a container mirror registry such as Red Hat Quay, JFrog Artifactory, Sonatype Nexus Repository, or Harbor. If you do not have access to a large-scale container registry, you can use the mirror registry for Red Hat OpenShift, a small-scale container registry included with OpenShift Container Platform subscriptions.
You can use any container registry that supports Docker v2-2, such as Red Hat Quay, the mirror registry for Red Hat OpenShift, Artifactory, Sonatype Nexus Repository, or Harbor. Regardless of your chosen registry, the procedure to mirror content from Red Hat hosted sites on the internet to an isolated image registry is the same. After you mirror the content, you configure each cluster to retrieve this content from your mirror registry.
The OpenShift image registry cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process.
If choosing a container registry that is not the mirror registry for Red Hat OpenShift, it must be reachable by every machine in the clusters that you provision. If the registry is unreachable, installation, updating, or normal operations such as workload relocation might fail. For that reason, you must run mirror registries in a highly available way, and the mirror registries must at least match the production availability of your OpenShift Container Platform clusters.
When you populate your mirror registry with OpenShift Container Platform images, you can follow two scenarios. If you have a host that can access both the internet and your mirror registry, but not your cluster nodes, you can directly mirror the content from that machine. This process is referred to as connected mirroring. If you have no such host, you must mirror the images to a file system and then bring that host or removable media into your restricted environment. This process is referred to as disconnected mirroring.
				For mirrored registries, to view the source of pulled images, you must review the Trying to access log entry in the CRI-O logs. Other methods to view the image pull source, such as using the crictl images command on a node, show the non-mirrored image name, even though the image is pulled from the mirrored location.
			
Red Hat does not test third party registries with OpenShift Container Platform.
2.2. Prerequisites
- 
						The occlient is installed.
- A running cluster.
- An installed mirror registry, which is a container image registry that supports Docker v2-2 in the location that will host the OpenShift Container Platform cluster, such as one of the following registries: - If you have a subscription to Red Hat Quay, see the documentation on deploying Red Hat Quay for proof-of-concept purposes or by using the Quay Operator. 
- The mirror repository must be configured to share images. For example, a Red Hat Quay repository requires Organizations in order to share images.
- Access to the internet to obtain the necessary container images.
2.3. Preparing the cluster for mirroring
Before disconnecting your cluster, you must mirror, or copy, the images to a mirror registry that is reachable by every node in your disconnected cluster. In order to mirror the images, you must prepare your cluster by:
- Adding the mirror registry certificates to the list of trusted CAs on your host.
- 
						Creating a .dockerconfigjsonfile that contains your image pull secret, which is from thecloud.openshift.comtoken.
Procedure
- Configuring credentials that allow image mirroring: - Add the CA certificate for the mirror registry, in the simple PEM or DER file formats, to the list of trusted CAs. For example: - cp </path/to/cert.crt> /usr/share/pki/ca-trust-source/anchors/ - $ cp </path/to/cert.crt> /usr/share/pki/ca-trust-source/anchors/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where, </path/to/cert.crt>
- Specifies the path to the certificate on your local file system.
 
- where, 
- Update the CA trust. For example, in Linux: - update-ca-trust - $ update-ca-trust- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the - .dockerconfigjsonfile from the global pull secret:- oc extract secret/pull-secret -n openshift-config --confirm --to=. - $ oc extract secret/pull-secret -n openshift-config --confirm --to=.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - .dockerconfigjson - .dockerconfigjson- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit the - .dockerconfigjsonfile to add your mirror registry and authentication credentials and save it as a new file:- {"auths":{"<local_registry>": {"auth": "<credentials>","email": "you@example.com"}}},"<registry>:<port>/<namespace>/":{"auth":"<token>"}}}- {"auths":{"<local_registry>": {"auth": "<credentials>","email": "you@example.com"}}},"<registry>:<port>/<namespace>/":{"auth":"<token>"}}}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <local_registry>
- Specifies the registry domain name, and optionally the port, that your mirror registry uses to serve content.
- auth
- Specifies the base64-encoded user name and password for your mirror registry.
- <registry>:<port>/<namespace>
- Specifies the mirror registry details.
- <token>
- Specifies the base64-encoded - username:passwordfor your mirror registry.- For example: - {"auths":{"cloud.openshift.com":{"auth":"b3BlbnNoaWZ0Y3UjhGOVZPT0lOMEFaUjdPUzRGTA==","email":"user@example.com"},- $ {"auths":{"cloud.openshift.com":{"auth":"b3BlbnNoaWZ0Y3UjhGOVZPT0lOMEFaUjdPUzRGTA==","email":"user@example.com"}, "quay.io":{"auth":"b3BlbnNoaWZ0LXJlbGVhc2UtZGOVZPT0lOMEFaUGSTd4VGVGVUjdPUzRGTA==","email":"user@example.com"}, "registry.connect.redhat.com"{"auth":"NTE3MTMwNDB8dWhjLTFEZlN3VHkxOSTd4VGVGVU1MdTpleUpoYkdjaUailA==","email":"user@example.com"}, "registry.redhat.io":{"auth":"NTE3MTMwNDB8dWhjLTFEZlN3VH3BGSTd4VGVGVU1MdTpleUpoYkdjaU9fZw==","email":"user@example.com"}, "registry.svc.ci.openshift.org":{"auth":"dXNlcjpyWjAwWVFjSEJiT2RKVW1pSmg4dW92dGp1SXRxQ3RGN1pwajJhN1ZXeTRV"},"my-registry:5000/my-namespace/":{"auth":"dXNlcm5hbWU6cGFzc3dvcmQ="}}}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
 
2.4. Mirroring the images
After the cluster is properly configured, you can mirror the images from your external repositories to the mirror repository.
Procedure
- Mirror the Operator Lifecycle Manager (OLM) images: - oc adm catalog mirror registry.redhat.io/redhat/redhat-operator-index:v{product-version} <mirror_registry>:<port>/olm -a <reg_creds>- $ oc adm catalog mirror registry.redhat.io/redhat/redhat-operator-index:v{product-version} <mirror_registry>:<port>/olm -a <reg_creds>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - product-version
- 
									Specifies the tag that corresponds to the version of OpenShift Container Platform to install, such as 4.8.
- mirror_registry
- 
									Specifies the fully qualified domain name (FQDN) for the target registry and namespace to mirror the Operator content to, where <namespace>is any existing namespace on the registry.
- reg_creds
- 
									Specifies the location of your modified .dockerconfigjsonfile.
 - For example: - oc adm catalog mirror registry.redhat.io/redhat/redhat-operator-index:v4.8 mirror.registry.com:443/olm -a ./.dockerconfigjson --index-filter-by-os='.*' - $ oc adm catalog mirror registry.redhat.io/redhat/redhat-operator-index:v4.8 mirror.registry.com:443/olm -a ./.dockerconfigjson --index-filter-by-os='.*'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Mirror the content for any other Red Hat-provided Operator: - oc adm catalog mirror <index_image> <mirror_registry>:<port>/<namespace> -a <reg_creds> - $ oc adm catalog mirror <index_image> <mirror_registry>:<port>/<namespace> -a <reg_creds>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - index_image
- Specifies the index image for the catalog that you want to mirror.
- mirror_registry
- 
									Specifies the FQDN for the target registry and namespace to mirror the Operator content to, where <namespace>is any existing namespace on the registry.
- reg_creds
- Optional: Specifies the location of your registry credentials file, if required.
 - For example: - oc adm catalog mirror registry.redhat.io/redhat/community-operator-index:v4.8 mirror.registry.com:443/olm -a ./.dockerconfigjson --index-filter-by-os='.*' - $ oc adm catalog mirror registry.redhat.io/redhat/community-operator-index:v4.8 mirror.registry.com:443/olm -a ./.dockerconfigjson --index-filter-by-os='.*'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Mirror the OpenShift Container Platform image repository: - oc adm release mirror -a .dockerconfigjson --from=quay.io/openshift-release-dev/ocp-release:v<product-version>-<architecture> --to=<local_registry>/<local_repository> --to-release-image=<local_registry>/<local_repository>:v<product-version>-<architecture> - $ oc adm release mirror -a .dockerconfigjson --from=quay.io/openshift-release-dev/ocp-release:v<product-version>-<architecture> --to=<local_registry>/<local_repository> --to-release-image=<local_registry>/<local_repository>:v<product-version>-<architecture>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - product-version
- 
									Specifies the tag that corresponds to the version of OpenShift Container Platform to install, such as 4.8.15-x86_64.
- architecture
- 
									Specifies the type of architecture for your server, such as x86_64.
- local_registry
- Specifies the registry domain name for your mirror repository.
- local_repository
- 
									Specifies the name of the repository to create in your registry, such as ocp4/openshift4.
 - For example: - oc adm release mirror -a .dockerconfigjson --from=quay.io/openshift-release-dev/ocp-release:4.8.15-x86_64 --to=mirror.registry.com:443/ocp/release --to-release-image=mirror.registry.com:443/ocp/release:4.8.15-x86_64 - $ oc adm release mirror -a .dockerconfigjson --from=quay.io/openshift-release-dev/ocp-release:4.8.15-x86_64 --to=mirror.registry.com:443/ocp/release --to-release-image=mirror.registry.com:443/ocp/release:4.8.15-x86_64- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Mirror any other registries, as needed: - oc image mirror <online_registry>/my/image:latest <mirror_registry> - $ oc image mirror <online_registry>/my/image:latest <mirror_registry>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.5. Configuring the cluster for the mirror registry
After creating and mirroring the images to the mirror registry, you must modify your cluster so that pods can pull images from the mirror registry.
You must:
- Add the mirror registry credentials to the global pull secret.
- Add the mirror registry server certificate to the cluster.
- Create an - ImageContentSourcePolicycustom resource (ICSP), which associates the mirror registry with the source registry.- Add mirror registry credential to the cluster global pull-secret: - oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=<pull_secret_location> - $ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=<pull_secret_location>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Provide the path to the new pull secret file.
 - For example: - oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=.mirrorsecretconfigjson - $ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=.mirrorsecretconfigjson- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add the CA-signed mirror registry server certificate to the nodes in the cluster: - Create a config map that includes the server certificate for the mirror registry - oc create configmap <config_map_name> --from-file=<mirror_address_host>..<port>=$path/ca.crt -n openshift-config - $ oc create configmap <config_map_name> --from-file=<mirror_address_host>..<port>=$path/ca.crt -n openshift-config- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For example: - S oc create configmap registry-config --from-file=mirror.registry.com..443=/root/certs/ca-chain.cert.pem -n openshift-config - S oc create configmap registry-config --from-file=mirror.registry.com..443=/root/certs/ca-chain.cert.pem -n openshift-config- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Use the config map to update the - image.config.openshift.io/clustercustom resource (CR). OpenShift Container Platform applies the changes to this CR to all nodes in the cluster:- oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"<config_map_name>"}}}' --type=merge- $ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"<config_map_name>"}}}' --type=merge- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For example: - oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge- $ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Create an ICSP to redirect container pull requests from the online registries to the mirror registry: - Create the - ImageContentSourcePolicycustom resource:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the ICSP object: - oc create -f registryrepomirror.yaml - $ oc create -f registryrepomirror.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - imagecontentsourcepolicy.operator.openshift.io/mirror-ocp created - imagecontentsourcepolicy.operator.openshift.io/mirror-ocp created- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - OpenShift Container Platform applies the changes to this CR to all nodes in the cluster. 
 
- Verify that the credentials, CA, and ICSP for mirror registry were added: - Log into a node: - oc debug node/<node_name> - $ oc debug node/<node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set - /hostas the root directory within the debug shell:- chroot /host - sh-4.4# chroot /host- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the - config.jsonfile for the credentials:- cat /var/lib/kubelet/config.json - sh-4.4# cat /var/lib/kubelet/config.json- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - {"auths":{"brew.registry.redhat.io":{"xx=="},"brewregistry.stage.redhat.io":{"auth":"xxx=="},"mirror.registry.com:443":{"auth":"xx="}}}- {"auths":{"brew.registry.redhat.io":{"xx=="},"brewregistry.stage.redhat.io":{"auth":"xxx=="},"mirror.registry.com:443":{"auth":"xx="}}}- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Ensure that the mirror registry and credentials are present.
 
- Change to the - certs.ddirectory- cd /etc/docker/certs.d/ - sh-4.4# cd /etc/docker/certs.d/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- List the certificates in the - certs.ddirectory:- ls - sh-4.4# ls- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - image-registry.openshift-image-registry.svc.cluster.local:5000 image-registry.openshift-image-registry.svc:5000 mirror.registry.com:443 - image-registry.openshift-image-registry.svc.cluster.local:5000 image-registry.openshift-image-registry.svc:5000 mirror.registry.com:443- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Ensure that the mirror registry is in the list.
 
- Check that the ICSP added the mirror registry to the - registries.conffile:- cat /etc/containers/registries.conf - sh-4.4# cat /etc/containers/registries.conf- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The - registry.mirrorparameters indicate that the mirror registry is searched before the original registry.
- Exit the node. - exit - sh-4.4# exit- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
 
2.6. Ensure applications continue to work
Before disconnecting the cluster from the network, ensure that your cluster is working as expected and all of your applications are working as expected.
Procedure
Use the following commands to check the status of your cluster:
- Ensure your pods are running: - oc get pods --all-namespaces - $ oc get pods --all-namespaces- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Ensure your nodes are in the READY status: - oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.7. Disconnect the cluster from the network
After mirroring all the required repositories and configuring your cluster to work as a disconnected cluster, you can disconnect the cluster from the network.
The Insights Operator is degraded when the cluster loses its Internet connection. You can avoid this problem by temporarily disabling the Insights Operator until you can restore it.
2.8. Restoring a degraded Insights Operator
Disconnecting the cluster from the network necessarily causes the cluster to lose the Internet connection. The Insights Operator becomes degraded because it requires access to Red Hat Insights.
This topic describes how to recover from a degraded Insights Operator.
Procedure
- Edit your - .dockerconfigjsonfile to remove the- cloud.openshift.comentry, for example:- "cloud.openshift.com":{"auth":"<hash>","email":"user@example.com"}- "cloud.openshift.com":{"auth":"<hash>","email":"user@example.com"}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save the file.
- Update the cluster secret with the edited - .dockerconfigjsonfile:- oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=./.dockerconfigjson - $ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=./.dockerconfigjson- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify that the Insights Operator is no longer degraded: - oc get co insights - $ oc get co insights- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE insights 4.5.41 True False False 3d - NAME VERSION AVAILABLE PROGRESSING DEGRADED SINCE insights 4.5.41 True False False 3d- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.9. Restoring the network
If you want to reconnect a disconnected cluster and pull images from online registries, delete the cluster’s ImageContentSourcePolicy (ICSP) objects. Without the ICSP, pull requests to external registries are no longer redirected to the mirror registry.
Procedure
- View the ICSP objects in your cluster: - oc get imagecontentsourcepolicy - $ oc get imagecontentsourcepolicy- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE mirror-ocp 6d20h ocp4-index-0 6d18h qe45-index-0 6d15h - NAME AGE mirror-ocp 6d20h ocp4-index-0 6d18h qe45-index-0 6d15h- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Delete all the ICSP objects you created when disconnecting your cluster: - oc delete imagecontentsourcepolicy <icsp_name> <icsp_name> <icsp_name> - $ oc delete imagecontentsourcepolicy <icsp_name> <icsp_name> <icsp_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For example: - oc delete imagecontentsourcepolicy mirror-ocp ocp4-index-0 qe45-index-0 - $ oc delete imagecontentsourcepolicy mirror-ocp ocp4-index-0 qe45-index-0- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - imagecontentsourcepolicy.operator.openshift.io "mirror-ocp" deleted imagecontentsourcepolicy.operator.openshift.io "ocp4-index-0" deleted imagecontentsourcepolicy.operator.openshift.io "qe45-index-0" deleted - imagecontentsourcepolicy.operator.openshift.io "mirror-ocp" deleted imagecontentsourcepolicy.operator.openshift.io "ocp4-index-0" deleted imagecontentsourcepolicy.operator.openshift.io "qe45-index-0" deleted- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Wait for all the nodes to restart and return to the READY status and verify that the - registries.conffile is pointing to the original registries and not the mirror registries:- Log into a node: - oc debug node/<node_name> - $ oc debug node/<node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set - /hostas the root directory within the debug shell:- chroot /host - sh-4.4# chroot /host- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Examine the - registries.conffile:- cat /etc/containers/registries.conf - sh-4.4# cat /etc/containers/registries.conf- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - unqualified-search-registries = ["registry.access.redhat.com", "docker.io"] - unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Theregistryandregistry.mirrorentries created by the ICSPs you deleted are removed.
 
 
Chapter 3. About disconnected installation mirroring
As a cluster administrator, you can use a mirror registry to ensure that your clusters only use container images that satisfy your organizational controls on external content.
3.1. Mirror registries for installing clusters in disconnected environments
You must mirror required container images into a disconnected environment before you can install and provision a cluster there. To mirror those container images, you must have a mirror registry. Consider the following options for creating and using a mirror registry:
- If you already have a container image registry, such as Red Hat Quay, you can use it as your mirror registry. If you do not already have a registry, you must create one.
- 
						After you establish your registry, you need mirroring tools. To mirror your OpenShift Container Platform image repository to the mirror registry in your disconnected environment, you can use the oc-mirror OpenShift CLI (oc) plugin. The oc-mirror plugin is a single tool that mirrors all required OpenShift Container Platform content and other images to your mirror registry. The oc-mirror plugin is the preferred method for mirroring.
- 
						Alternately, you can use the oc admcommand to mirror just release and catalog images for OpenShift Container Platform.
Chapter 4. Creating a mirror registry with mirror registry for Red Hat OpenShift
The mirror registry for Red Hat OpenShift is a small and streamlined container registry that you can use as a target for mirroring the required container images of OpenShift Container Platform for disconnected installations.
If you already have a container image registry, such as Red Hat Quay, you can skip this section and go straight to Mirroring the OpenShift Container Platform image repository.
The mirror registry for Red Hat OpenShift is not intended to be a substitute for a production deployment of Red Hat Quay.
4.1. Prerequisites
- An OpenShift Container Platform subscription.
- Red Hat Enterprise Linux (RHEL) 8 and 9 with Podman 3.4.2 or later and OpenSSL installed.
- Fully qualified domain name for the Red Hat Quay service, which must resolve through a DNS server.
- Key-based SSH connectivity on the target host. SSH keys are automatically generated for local installs. For remote hosts, you must generate your own SSH keys.
- 2 or more vCPUs.
- 8 GB of RAM.
- About 12 GB for OpenShift Container Platform 4.18 release images, or about 358 GB for OpenShift Container Platform 4.18 release images and OpenShift Container Platform 4.18 Red Hat Operator images. Important- Up to 1 TB per stream or more is suggested.
- These requirements are based on local testing results with only release images and Operator images. Storage requirements can vary based on your organization’s needs. You might require more space, for example, when you mirror multiple z-streams. You can use standard Red Hat Quay functionality or the proper API callout to remove unnecessary images and free up space.
 
4.2. Mirror registry for Red Hat OpenShift introduction
For disconnected deployments of OpenShift Container Platform, a container registry is required to carry out the installation of the clusters. To run a production-grade registry service on such a cluster, you must create a separate registry deployment to install the first cluster. The mirror registry for Red Hat OpenShift addresses this need and is included in every OpenShift Container Platform subscription. It is available for download on the OpenShift console Downloads page.
				The mirror registry for Red Hat OpenShift allows users to install a small-scale version of Red Hat Quay and its required components by using the mirror-registry command-line interface (CLI) tool. The mirror registry for Red Hat OpenShift is deployed automatically with pre-configured local storage and a local database. It also includes auto-generated user credentials and access permissions with a single set of inputs and no additional configuration choices to get started.
			
The mirror registry for Red Hat OpenShift provides a pre-determined network configuration and reports deployed component credentials and access URLs upon success. A limited set of optional configuration inputs such as fully qualified domain name (FQDN) services, superuser name and password, and custom TLS certificates are also provided. This provides users with a container registry so that they can easily create an offline mirror of all OpenShift Container Platform release content when running OpenShift Container Platform in restricted network environments.
Use of the mirror registry for Red Hat OpenShift is optional if another container registry is already available in the install environment.
4.2.1. Mirror registry for Red Hat OpenShift limitations
The following limitations apply to the mirror registry for Red Hat OpenShift:
- The mirror registry for Red Hat OpenShift is not a highly-available registry and only local file system storage is supported. It is not intended to replace Red Hat Quay or the internal image registry for OpenShift Container Platform.
- The mirror registry for Red Hat OpenShift is not intended to be a substitute for a production deployment of Red Hat Quay.
- The mirror registry for Red Hat OpenShift is only supported for hosting images that are required to install a disconnected OpenShift Container Platform cluster, such as Release images or Red Hat Operator images. It uses local storage on your Red Hat Enterprise Linux (RHEL) machine, and storage supported by RHEL is supported by the mirror registry for Red Hat OpenShift. Note- Because the mirror registry for Red Hat OpenShift uses local storage, you should remain aware of the storage usage consumed when mirroring images and use Red Hat Quay’s garbage collection feature to mitigate potential issues. For more information about this feature, see "Red Hat Quay garbage collection". 
- Support for Red Hat product images that are pushed to the mirror registry for Red Hat OpenShift for bootstrapping purposes are covered by valid subscriptions for each respective product. A list of exceptions to further enable the bootstrap experience can be found on the Self-managed Red Hat OpenShift sizing and subscription guide.
- Content built by customers should not be hosted by the mirror registry for Red Hat OpenShift.
- Using the mirror registry for Red Hat OpenShift with more than one cluster is discouraged because multiple clusters can create a single point of failure when updating your cluster fleet. Instead, use the mirror registry for Red Hat OpenShift to install a cluster that can host a production-grade, highly-available registry such as Red Hat Quay, which can serve OpenShift Container Platform content to other clusters.
4.3. Mirroring on a local host with mirror registry for Red Hat OpenShift
				This procedure explains how to install the mirror registry for Red Hat OpenShift on a local host by using the mirror-registry installer tool. By doing so, users can create a local host registry running on port 443 for the purpose of storing a mirror of OpenShift Container Platform images.
			
					Installing the mirror registry for Red Hat OpenShift using the mirror-registry CLI tool makes several changes to your machine. After installation, a $HOME/quay-install directory is created, which has installation files, local storage, and the configuration bundle. Trusted SSH keys are generated in case the deployment target is the local host, and systemd files on the host machine are set up to ensure that container runtimes are persistent. Additionally, an initial user named init is created with an automatically generated password. All access credentials are printed at the end of the install routine.
				
Procedure
- 
						Download the mirror-registry.tar.gzpackage for the latest version of the mirror registry for Red Hat OpenShift found on the OpenShift console Downloads page.
- Install the mirror registry for Red Hat OpenShift on your local host with your current user account by using the - mirror-registrytool. For a full list of available flags, see "mirror registry for Red Hat OpenShift flags".- ./mirror-registry install \ --quayHostname <host_example_com> \ --quayRoot <example_directory_name> - $ ./mirror-registry install \ --quayHostname <host_example_com> \ --quayRoot <example_directory_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Use the username and password generated during installation to log in to the registry by running the following command: - podman login -u init \ -p <password> \ <host_example_com>:8443> \ --tls-verify=false - $ podman login -u init \ -p <password> \ <host_example_com>:8443> \ --tls-verify=false- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- You can avoid running--tls-verify=falseby configuring your system to trust the generated rootCA certificates. See "Securing Red Hat Quay" and "Configuring the system to trust the certificate authority" for more information.
 Note- You can also log in by accessing the UI at - https://<host.example.com>:8443after installation.
- You can mirror OpenShift Container Platform images after logging in. Depending on your needs, see either the "Mirroring the OpenShift Container Platform image repository" or the "Mirroring Operator catalogs for use with disconnected clusters" sections of this document. Note- If there are issues with images stored by the mirror registry for Red Hat OpenShift due to storage layer problems, you can re-mirror the OpenShift Container Platform images, or reinstall mirror registry on more stable storage. 
4.4. Updating mirror registry for Red Hat OpenShift from a local host
				This procedure explains how to update the mirror registry for Red Hat OpenShift from a local host by using the upgrade command. Updating to the latest version ensures new features, bug fixes, and security vulnerability fixes.
			
When upgrading from version 1 to version 2, be aware of the following constraints:
- 
							The worker count is set to 1because multiple writes are not allowed in SQLite.
- You must not use the mirror registry for Red Hat OpenShift user interface (UP).
- 
							Do not access the sqlite-storagePodman volume during the upgrade.
- There is intermittent downtime of your mirror registry because it is restarted during the upgrade process.
- 
							PostgreSQL data is backed up under the /$HOME/quay-install/quay-postgres-backup/directory for recovery.
Prerequisites
- You have installed the mirror registry for Red Hat OpenShift on a local host.
Procedure
- If you are upgrading the mirror registry for Red Hat OpenShift from 1.3 → 2.y, and your installation directory is the default at - /etc/quay-install, you can enter the following command:- sudo ./mirror-registry upgrade -v - $ sudo ./mirror-registry upgrade -v- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- 
									mirror registry for Red Hat OpenShift migrates Podman volumes for Red Hat Quay storage, Postgres data, and /etc/quay-installdata to the new$HOME/quay-installlocation. This allows you to use mirror registry for Red Hat OpenShift without the--quayRootflag during future upgrades.
- 
									Users who upgrade mirror registry for Red Hat OpenShift with the ./mirror-registry upgrade -vflag must include the same credentials used when creating their mirror registry. For example, if you installed the mirror registry for Red Hat OpenShift with--quayHostname <host_example_com>and--quayRoot <example_directory_name>, you must include that string to properly upgrade the mirror registry.
 
- 
									mirror registry for Red Hat OpenShift migrates Podman volumes for Red Hat Quay storage, Postgres data, and 
- If you are upgrading the mirror registry for Red Hat OpenShift from 1.3 → 2.y and you used a custom quay configuration and storage directory in your 1.y deployment, you must pass in the - --quayRootand- --quayStorageflags. For example:- sudo ./mirror-registry upgrade --quayHostname <host_example_com> --quayRoot <example_directory_name> --quayStorage <example_directory_name>/quay-storage -v - $ sudo ./mirror-registry upgrade --quayHostname <host_example_com> --quayRoot <example_directory_name> --quayStorage <example_directory_name>/quay-storage -v- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you are upgrading the mirror registry for Red Hat OpenShift from 1.3 → 2.y and want to specify a custom SQLite storage path, you must pass in the - --sqliteStorageflag, for example:- sudo ./mirror-registry upgrade --sqliteStorage <example_directory_name>/sqlite-storage -v - $ sudo ./mirror-registry upgrade --sqliteStorage <example_directory_name>/sqlite-storage -v- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Ensure that mirror registry for Red Hat OpenShift has been updated by running the following command: - podman ps - $ podman ps- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - registry.redhat.io/quay/quay-rhel8:v3.12.10 - registry.redhat.io/quay/quay-rhel8:v3.12.10- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.5. Mirroring on a remote host with mirror registry for Red Hat OpenShift
				This procedure explains how to install the mirror registry for Red Hat OpenShift on a remote host by using the mirror-registry tool. By doing so, users can create a registry to hold a mirror of OpenShift Container Platform images.
			
					Installing the mirror registry for Red Hat OpenShift using the mirror-registry CLI tool makes several changes to your machine. After installation, a $HOME/quay-install directory is created, which has installation files, local storage, and the configuration bundle. Trusted SSH keys are generated in case the deployment target is the local host, and systemd files on the host machine are set up to ensure that container runtimes are persistent. Additionally, an initial user named init is created with an automatically generated password. All access credentials are printed at the end of the install routine.
				
Procedure
- 
						Download the mirror-registry.tar.gzpackage for the latest version of the mirror registry for Red Hat OpenShift found on the OpenShift console Downloads page.
- Install the mirror registry for Red Hat OpenShift on your local host with your current user account by using the - mirror-registrytool. For a full list of available flags, see "mirror registry for Red Hat OpenShift flags".- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Use the username and password generated during installation to log in to the mirror registry by running the following command: - podman login -u init \ -p <password> \ <host_example_com>:8443> \ --tls-verify=false - $ podman login -u init \ -p <password> \ <host_example_com>:8443> \ --tls-verify=false- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- You can avoid running--tls-verify=falseby configuring your system to trust the generated rootCA certificates. See "Securing Red Hat Quay" and "Configuring the system to trust the certificate authority" for more information.
 Note- You can also log in by accessing the UI at - https://<host.example.com>:8443after installation.
- You can mirror OpenShift Container Platform images after logging in. Depending on your needs, see either the "Mirroring the OpenShift Container Platform image repository" or the "Mirroring Operator catalogs for use with disconnected clusters" sections of this document. Note- If there are issues with images stored by the mirror registry for Red Hat OpenShift due to storage layer problems, you can re-mirror the OpenShift Container Platform images, or reinstall mirror registry on more stable storage. 
4.6. Updating mirror registry for Red Hat OpenShift from a remote host
				This procedure explains how to update the mirror registry for Red Hat OpenShift from a remote host by using the upgrade command. Updating to the latest version ensures bug fixes and security vulnerability fixes.
			
When upgrading from version 1 to version 2, be aware of the following constraints:
- 
							The worker count is set to 1because multiple writes are not allowed in SQLite.
- You must not use the mirror registry for Red Hat OpenShift user interface (UP).
- 
							Do not access the sqlite-storagePodman volume during the upgrade.
- There is intermittent downtime of your mirror registry because it is restarted during the upgrade process.
- 
							PostgreSQL data is backed up under the /$HOME/quay-install/quay-postgres-backup/directory for recovery.
Prerequisites
- You have installed the mirror registry for Red Hat OpenShift on a remote host.
Procedure
- To upgrade the mirror registry for Red Hat OpenShift from a remote host, enter the following command: - ./mirror-registry upgrade -v --targetHostname <remote_host_url> --targetUsername <user_name> -k ~/.ssh/my_ssh_key - $ ./mirror-registry upgrade -v --targetHostname <remote_host_url> --targetUsername <user_name> -k ~/.ssh/my_ssh_key- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Users who upgrade the mirror registry for Red Hat OpenShift with the - ./mirror-registry upgrade -vflag must include the same credentials used when creating their mirror registry. For example, if you installed the mirror registry for Red Hat OpenShift with- --quayHostname <host_example_com>and- --quayRoot <example_directory_name>, you must include that string to properly upgrade the mirror registry.
- If you are upgrading the mirror registry for Red Hat OpenShift from 1.3 → 2.y and want to specify a custom SQLite storage path, you must pass in the - --sqliteStorageflag, for example:- ./mirror-registry upgrade -v --targetHostname <remote_host_url> --targetUsername <user_name> -k ~/.ssh/my_ssh_key --sqliteStorage <example_directory_name>/quay-storage - $ ./mirror-registry upgrade -v --targetHostname <remote_host_url> --targetUsername <user_name> -k ~/.ssh/my_ssh_key --sqliteStorage <example_directory_name>/quay-storage- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Ensure that mirror registry for Red Hat OpenShift has been updated by running the following command: - podman ps - $ podman ps- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - registry.redhat.io/quay/quay-rhel8:v3.12.10 - registry.redhat.io/quay/quay-rhel8:v3.12.10- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.7. Replacing mirror registry for Red Hat OpenShift SSL/TLS certificates
In some cases, you might want to update your SSL/TLS certificates for the mirror registry for Red Hat OpenShift. This is useful in the following scenarios:
- If you are replacing the current mirror registry for Red Hat OpenShift certificate.
- If you are using the same certificate as the previous mirror registry for Red Hat OpenShift installation.
- If you are periodically updating the mirror registry for Red Hat OpenShift certificate.
Use the following procedure to replace mirror registry for Red Hat OpenShift SSL/TLS certificates.
Prerequisites
- 
						You have downloaded and installed the ./mirror-registrybinary from the OpenShift console Downloads page.
Procedure
- Enter the following command to install the mirror registry for Red Hat OpenShift: - ./mirror-registry install \ --quayHostname <host_example_com> \ --quayRoot <example_directory_name> - $ ./mirror-registry install \ --quayHostname <host_example_com> \ --quayRoot <example_directory_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - This installs the mirror registry for Red Hat OpenShift to the - $HOME/quay-installdirectory.
- 
						Prepare a new certificate authority (CA) bundle and generate new ssl.keyandssl.crtkey files. For more information, see Configuring SSL and TLS for Red Hat Quay.
- Assign - /$HOME/quay-installan environment variable, for example,- QUAY, by entering the following command:- export QUAY=/$HOME/quay-install - $ export QUAY=/$HOME/quay-install- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Copy the new - ssl.crtfile to the- /$HOME/quay-installdirectory by entering the following command:- cp ~/ssl.crt $QUAY/quay-config - $ cp ~/ssl.crt $QUAY/quay-config- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Copy the new - ssl.keyfile to the- /$HOME/quay-installdirectory by entering the following command:- cp ~/ssl.key $QUAY/quay-config - $ cp ~/ssl.key $QUAY/quay-config- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Restart the - quay-appapplication pod by entering the following command:- systemctl --user restart quay-app - $ systemctl --user restart quay-app- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.8. Uninstalling the mirror registry for Red Hat OpenShift
Use the following procedure to uninstall the mirror registry for Red Hat OpenShift from your local host.
Prerequisites
- You have installed mirror registry for Red Hat OpenShift on a local host.
Procedure
- Uninstall the mirror registry for Red Hat OpenShift from your local host by running the following command: - ./mirror-registry uninstall -v \ --quayRoot <example_directory_name> - $ ./mirror-registry uninstall -v \ --quayRoot <example_directory_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- 
									Deleting the mirror registry for Red Hat OpenShift prompts the user before deletion. You can use --autoApproveto skip this prompt.
- 
									Users who install the mirror registry for Red Hat OpenShift with the --quayRootflag must include the--quayRootflag when uninstalling. For example, if you installed the mirror registry for Red Hat OpenShift with--quayRoot example_directory_name, you must include that string to properly uninstall the mirror registry.
 
- 
									Deleting the mirror registry for Red Hat OpenShift prompts the user before deletion. You can use 
4.9. Mirror registry for Red Hat OpenShift flags
The following flags are available for the mirror registry for Red Hat OpenShift:
| Flags | Description | 
|---|---|
| 
								 | 
								A boolean value that disables interactive prompts. If set to  | 
| 
								 | The password of the init user created during Quay installation. Must be at least eight characters and contain no whitespace. | 
| 
								 | 
								Shows the username of the initial user. Defaults to  | 
| 
								 | Allows users to disable color sequences and propagate that to Ansible when running install, uninstall, and upgrade commands. | 
| 
								 | 
								The fully-qualified domain name of the mirror registry that clients will use to contact the registry. Equivalent to  | 
| 
								 | 
								The folder where Quay persistent storage data is saved. Defaults to the  | 
| 
								 | 
								The directory where container image layer and configuration data is saved, including  | 
| 
								 | 
								The folder where SQLite database data is saved. Defaults to  | 
| 
								 | 
								The path of your SSH identity key. Defaults to  | 
| 
								 | 
								The path to the SSL/TLS public key / certificate. Defaults to  | 
| 
								 | 
								Skips the check for the certificate hostname against the  | 
| 
								 | 
								The path to the SSL/TLS private key used for HTTPS communication. Defaults to  | 
| 
								 | 
								The hostname of the target you want to install Quay to. Defaults to  | 
| 
								 | 
								The user on the target host which will be used for SSH. Defaults to  | 
| 
								 | Shows debug logs and Ansible Playbook outputs. | 
| 
								 | Shows the version for the mirror registry for Red Hat OpenShift. | 
- 
						--quayHostnamemust be modified if the public DNS name of your system is different from the local hostname. Additionally, the--quayHostnameflag does not support installation with an IP address. Installation with a hostname is required.
- 
						--sslCheckSkipis used in cases when the mirror registry is set behind a proxy and the exposed hostname is different from the internal Quay hostname. It can also be used when users do not want the certificates to be validated against the provided Quay hostname during installation.
4.10. Mirror registry for Red Hat OpenShift release notes
The mirror registry for Red Hat OpenShift is a small and streamlined container registry that you can use as a target for mirroring the required container images of OpenShift Container Platform for disconnected installations.
These release notes track the development of the mirror registry for Red Hat OpenShift in OpenShift Container Platform.
4.10.1. Mirror registry for Red Hat OpenShift 2.0 release notes
The following sections provide details for each 2.0 release of the mirror registry for Red Hat OpenShift.
4.10.1.1. Mirror registry for Red Hat OpenShift 2.0.8
Issued: 16 October 2025
Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.12.12.
The following advisory is available for the mirror registry for Red Hat OpenShift:
4.10.1.2. Mirror registry for Red Hat OpenShift 2.0.7
Issued: 14 July 2025
Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.12.10.
The following advisory is available for the mirror registry for Red Hat OpenShift:
4.10.1.3. Mirror registry for Red Hat OpenShift 2.0.6
Issued: 28 April 2025
Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.12.8.
The following advisory is available for the mirror registry for Red Hat OpenShift:
4.10.1.4. Mirror registry for Red Hat OpenShift 2.0.5
Issued: 13 January 2025
Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.12.5.
The following advisory is available for the mirror registry for Red Hat OpenShift:
4.10.1.5. Mirror registry for Red Hat OpenShift 2.0.4
Issued: 06 January 2025
Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.12.4.
The following advisory is available for the mirror registry for Red Hat OpenShift:
4.10.1.6. Mirror registry for Red Hat OpenShift 2.0.3
Issued: 25 November 2024
Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.12.3.
The following advisory is available for the mirror registry for Red Hat OpenShift:
4.10.1.7. Mirror registry for Red Hat OpenShift 2.0.2
Issued: 31 October 2024
Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.12.2.
The following advisory is available for the mirror registry for Red Hat OpenShift:
4.10.1.8. Mirror registry for Red Hat OpenShift 2.0.1
Issued: 26 September 2024
Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.12.1.
The following advisory is available for the mirror registry for Red Hat OpenShift:
4.10.1.9. Mirror registry for Red Hat OpenShift 2.0.0
Issued: 03 September 2024
Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.12.0.
The following advisory is available for the mirror registry for Red Hat OpenShift:
The following new features are available with mirror registry for Red Hat OpenShift 2.0.0:
- With the release of mirror registry for Red Hat OpenShift, the internal database has been upgraded from PostgreSQL to SQLite. As a result, data is now stored on the - sqlite-storagePodman volume by default, and the overall tarball size is reduced by 300 MB.- New installations use SQLite by default. Before upgrading to version 2.0, see "Updating mirror registry for Red Hat OpenShift from a local host" or "Updating mirror registry for Red Hat OpenShift from a remote host" depending on your environment. 
- 
								A new feature flag, --sqliteStoragehas been added. With this flag, you can manually set the location where SQLite database data is saved.
- 
								Mirror registry for Red Hat OpenShift is now available on IBM Power and IBM Z architectures (s390xandppc64le).
4.10.2. Mirror registry for Red Hat OpenShift 1.3 release notes
To view the mirror registry for Red Hat OpenShift 1.3 release notes, see Mirror registry for Red Hat OpenShift 1.3 release notes.
4.10.3. Mirror registry for Red Hat OpenShift 1.2 release notes
To view the mirror registry for Red Hat OpenShift 1.2 release notes, see Mirror registry for Red Hat OpenShift 1.2 release notes.
4.10.4. Mirror registry for Red Hat OpenShift 1.1 release notes
To view the mirror registry for Red Hat OpenShift 1.1 release notes, see Mirror registry for Red Hat OpenShift 1.1 release notes.
4.11. Troubleshooting mirror registry for Red Hat OpenShift
To assist in troubleshooting mirror registry for Red Hat OpenShift, you can gather logs of systemd services installed by the mirror registry. The following services are installed:
- quay-app.service
- quay-redis.service
- quay-pod.service
Prerequisites
- You have installed mirror registry for Red Hat OpenShift.
Procedure
- If you installed mirror registry for Red Hat OpenShift with root privileges, you can get the status information of its systemd services by entering the following command: - sudo systemctl status <service> - $ sudo systemctl status <service>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you installed mirror registry for Red Hat OpenShift as a standard user, you can get the status information of its systemd services by entering the following command: - systemctl --user status <service> - $ systemctl --user status <service>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.12. Additional resources
Chapter 5. Mirroring images for a disconnected installation by using the oc-mirror plugin v2
You can run your cluster in a disconnected environment if you install the cluster from a mirrored set of OpenShift Container Platform container images in a private registry. This registry must be running whenever your cluster is running.
You can use oc-mirror plugin v2 to mirror images to a mirror registry in your fully or partially disconnected environments. To download the required images from the official Red Hat registries, you must run oc-mirror plugin v2 from a system with internet connectivity.
5.1. About oc-mirror plugin v2
				The oc-mirror OpenShift CLI (oc) plugin is a single tool that mirrors all required OpenShift Container Platform content and other images to your mirror registry.
			
				To use the new version of oc-mirror, add the --v2 flag to the oc-mirror plugin v2 command line.
			
oc-mirror plugin v2 has the following features:
- Provides a centralized method to mirror OpenShift Container Platform releases, Operators, helm charts, and other images.
- Verifies that the complete image set specified in the image set configuration file is mirrored to the mirrored registry, regardless of whether the images were previously mirrored or not.
- Uses a cache system instead of metadata, which prevents the need to start the mirroring process over in the case of a failure for a single step of the process.
- Maintains minimal archive sizes by incorporating only new images into the archive.
- Generates mirroring archives with content selected by mirroring date.
- 
						Can generate ImageDigestMirrorSet(IDMS) andImageTagMirrorSet(ITMS) resources, which cover the full image set, instead of anImageContentSourcePolicy(ICSP) resource, which only covered incremental changes to the image set for each mirroring operation with v1.
- 
						Does not perform automatic pruning. v2 now uses a Deletefeature, which grants users more control over deleting images.
- 
						Introduces support for registries.conffiles. This change facilitates mirroring to multiple enclaves while using the same cache.
5.1.1. High level workflow
The following steps outline the high-level workflow on how to use the oc-mirror plugin v2 to mirror images to a mirror registry:
- Create an image set configuration file.
- Mirror the image set to the target mirror registry by using one of the following workflows: - Mirror an image set directly to the target mirror registry (mirror to mirror).
- 
									Mirror an image set to disk (mirror to disk), transfer the tarfile to the target environment, then mirror the image set to the target mirror registry (disk to mirror).
 
- Configure your cluster to use the resources generated by the oc-mirror plugin v2.
- Repeat these steps to update your target mirror registry as necessary.
5.1.2. oc-mirror plugin v2 compatibility and support
The oc-mirror plugin v2 is supported for OpenShift Container Platform.
						On aarch64, ppc64le, and s390x architectures the oc-mirror plugin v2 is supported only for OpenShift Container Platform 4.14 and later.
					
Use the latest available version of the oc-mirror plugin v2 regardless of which versions of OpenShift Container Platform you need to mirror.
5.2. Prerequisites
- You must have a container image registry that supports Docker V2-2 in the location that hosts the OpenShift Container Platform cluster, such as Red Hat Quay. Note- If you use Red Hat Quay, use version 3.6 or later with the oc-mirror plugin. See Deploying the Red Hat Quay Operator on OpenShift Container Platform (Red Hat Quay documentation). If you need additional assistance selecting and installing a registry, contact your sales representative or Red Hat Support.
- If you do not have an existing solution for a container image registry, OpenShift Container Platform subscribers receive a mirror registry for Red Hat OpenShift. This mirror registry is included with your subscription and serves as a small-scale container registry. You can use this registry to mirror the necessary container images of OpenShift Container Platform for disconnected installations.
 
- Every machine in the provisioned clusters must have access to the mirror registry. If the registry is unreachable, tasks like installation, updating, or routine operations such as workload relocation, might fail. Mirror registries must be operated in a highly available manner, ensuring their availability aligns with the production availability of your OpenShift Container Platform clusters.
5.3. Preparing your mirror hosts
To use the oc-mirror plugin v2 for image mirroring, you must install the plugin and create a file with credentials for container images, enabling you to mirror from Red Hat to your mirror.
5.3.1. Installing the oc-mirror OpenShift CLI plugin
Install the oc-mirror OpenShift CLI plugin to manage image sets in disconnected environments.
Prerequisites
- You have installed the OpenShift CLI ( - oc). If you are mirroring image sets in a fully disconnected environment, ensure the following:- You have installed the oc-mirror plugin on the host that has internet access.
- The host in the disconnected environment has access to the target mirror registry.
 
- 
							You have set the umaskparameter to0022on the operating system that uses oc-mirror.
- You have installed the correct binary for the RHEL version that you are using.
Procedure
- Download the oc-mirror CLI plugin: - Navigate to the Downloads page of the Red Hat Hybrid Cloud Console.
- In the OpenShift disconnected installation tools section, select the OS type and Architecture type of the OpenShift Client (oc) mirror plugin from the dropdown menus.
- Click Download to save the file.
 
- Extract the archive by running the following command: - tar xvzf oc-mirror.tar.gz - $ tar xvzf oc-mirror.tar.gz- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If necessary, update the plugin file to be executable by running the following command: - chmod +x oc-mirror - $ chmod +x oc-mirror- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Do not rename the - oc-mirrorfile.
- Install the oc-mirror CLI plugin by placing the file in your - PATH, for example- /usr/local/bin, by running the following command:- sudo mv oc-mirror /usr/local/bin/. - $ sudo mv oc-mirror /usr/local/bin/.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Verify that the oc-mirror plugin v2 is successfully installed by running the following command: - oc mirror --v2 --help - $ oc mirror --v2 --help- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
5.3.2. Configuring credentials that allow images to be mirrored
Create a container image registry credentials file that enables you to mirror images from Red Hat to your mirror.
Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry.
Prerequisites
- You configured a mirror registry to use in your disconnected environment.
- You identified an image repository location on your mirror registry to mirror images into.
- You provisioned a mirror registry account that allows images to be uploaded to that image repository.
- You have write access to the mirror registry.
Procedure
Complete the following steps on the installation host:
- 
							Download your registry.redhat.iopull secret from Red Hat OpenShift Cluster Manager.
- Make a copy of your pull secret in JSON format by running the following command: - cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json> - $ cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the path to the folder to store the pull secret in and a name for the JSON file that you create.
 - Example pull secret - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If the - $XDG_RUNTIME_DIR/containersdirectory does not exist, create one by entering the following command:- mkdir -p $XDG_RUNTIME_DIR/containers - $ mkdir -p $XDG_RUNTIME_DIR/containers- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Save the pull secret file as $XDG_RUNTIME_DIR/containers/auth.json.
- Generate the base64-encoded user name and password or token for your mirror registry by running the following command: - echo -n '<user_name>:<password>' | base64 -w0 - $ echo -n '<user_name>:<password>' | base64 -w0- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<user_name>and<password>, specify the user name and password that you configured for your registry.
 - Example output - BGVtbYk3ZHAtqXs= - BGVtbYk3ZHAtqXs=- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit the JSON file and add a section that describes your registry to it: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example modified pull secret - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
5.4. Mirroring an image set to a mirror registry
Mirroring an image set to a mirror registry ensures that the required images are available in a secure and controlled environment, facilitating smoother deployments, updates, and maintenance tasks.
5.4.1. Creating the image set configuration
Before you can use the oc-mirror plugin v2 to mirror images, you must create an image set configuration file. This image set configuration file defines which OpenShift Container Platform releases, Operators, and other images to mirror, along with other configuration settings for the oc-mirror plugin v2.
Prerequisites
- You have created a container image registry credentials file. For instructions, see Configuring credentials that allow images to be mirrored.
Procedure
- Create an - ImageSetConfigurationYAML file and modify it to include your required images.- Example - ImageSetConfigurationYAML file- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Set the channel to retrieve OpenShift Container Platform images from.
- 2
- Addgraph: trueto build and push the graph-data image to the mirror registry. The graph-data image is required to create OpenShift Update Service (OSUS). Thegraph: truefield also generates theUpdateServicecustom resource manifest. Theoccommand-line interface (CLI) can use theUpdateServicecustom resource manifest to create OSUS. For more information, see About the OpenShift Update Service.
- 3
- Set the Operator catalog to retrieve the OpenShift Container Platform images from.
- 4
- Specify only certain Operator packages to include in the image set. Remove this field to retrieve all packages in the catalog.
- 5
- Specify any additional images to include in image set.
 
5.4.2. Mirroring an image set in a partially disconnected environment
You can mirror image sets to a registry using the oc-mirror plugin v2 in environments with restricted internet access.
Prerequisites
- You have access to the internet and the mirror registry in the environment where you are running the oc-mirror plugin v2.
Procedure
- Mirror the images from the specified image set configuration to a specified registry by running the following command: - oc mirror -c <image_set_configuration> --workspace file://<file_path> docker://<mirror_registry_url> --v2 - $ oc mirror -c <image_set_configuration> --workspace file://<file_path> docker://<mirror_registry_url> --v2- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <image_set_configuration>
- Specifies the name of the image set configuration file.
- <file_path>
- Specifies the directory where cluster resources will be generated in.
- <mirror_registry_url>
- Specifies the URL or address of the mirror registry where the images are stored and from which they need to be deleted.
 
Verification
- 
							Navigate to the working-dir/cluster-resourcesdirectory that was generated in the<file_path>directory.
- 
							Verify that the YAML files are present for the ImageDigestMirrorSet,ImageTagMirrorSet, andCatalogSourceresources.
Next steps
- Configure your cluster to use the resources generated by oc-mirror plugin v2.
5.4.3. Mirroring an image set in a fully disconnected environment
You can mirror image sets in a fully disconnected environment where the OpenShift Container Platform cluster cannot access the public internet. The following high-level workflow describes the mirroring process:
- Mirror to disk: Mirror the image set to an archive.
- Disk transfer: Manually transfer the archive to the network of the disconnected mirror registry.
- Disk to mirror: Mirror the image set from the archive to the target disconnected registry.
5.4.3.1. Mirroring from mirror to disk
You can use the oc-mirror plugin v2 to generate an image set and save the content to disk. Afterwards, you can transfer the generated image set to the disconnected environment and mirror it to the target registry.
oc-mirror plugin v2 retrieves the container images from the source specified in the image set configuration file and packs them into a tar archive in a local directory.
Procedure
- Mirror the images from the specified image set configuration to the disk by running the following command: - oc mirror -c <image_set_configuration> file://<file_path> --v2 - $ oc mirror -c <image_set_configuration> file://<file_path> --v2- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <image_set_configuration>
- Specifies the name of the image set configuration file.
- <file_path>
- Specifies the directory where the archives containing the image sets will be generated in.
 
Verification
- 
								Navigate to the <file_path>directory that was generated.
- Verify that the archive files have been generated.
Next steps
- Mirroring from disk to mirror
5.4.3.2. Mirroring from disk to mirror
You can use the oc-mirror plugin v2 to mirror image sets from a disk to a target mirror registry.
The oc-mirror plugin v2 retrieves container images from a local disk and transfers them to the specified mirror registry.
Procedure
- Transfer the disk containing mirrored image sets to the environment that contains the target mirror registry.
- Process the image set file on the disk and mirror the contents to a target mirror registry by running the following command: - oc mirror -c <image_set_configuration> --from file://<file_path> docker://<mirror_registry_url> --v2 - $ oc mirror -c <image_set_configuration> --from file://<file_path> docker://<mirror_registry_url> --v2- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <image_set_configuration>
- Specifies the name of the image set configuration file.
- <file_path>
- Specifies the directory on the disk containing the archives. This folder will also contain cluster resources generated for you apply to the cluster, for example the ImageDigestMirrorSet (IDMS) or ImageTagMirrorSet (ITMS) resources.
- <mirror_registry_url>
- Specifies the URL or address of the mirror registry where the images are stored.
 
Verification
- 
								Navigate to the cluster-resourcesdirectory within theworking-dirdirectory that was generated in the<file_path>directory.
- 
								Verify that the YAML files are present for the ImageDigestMirrorSet,ImageTagMirrorSet, andCatalogSourceresources.
Next steps
- Configure your cluster to use the resources generated by oc-mirror plugin v2.
5.5. About custom resources generated by oc-mirror plugin v2
The oc-mirror plugin v2 automatically generates the following custom resources:
- ImageDigestMirrorSet(IDMS)
- Handles registry mirror rules when using image digest pull specifications. Generated if at least one image of the image set is mirrored by digest.
- ImageTagMirrorSet(ITMS)
- Handles registry mirror rules when using image tag pull specifications. Generated if at least one image from the image set is mirrored by tag.
- CatalogSource
- Retrieves information about the available Operators in the mirror registry. Used by Operator Lifecycle Manager (OLM) Classic.
- ClusterCatalog
- Retrieves information about the available cluster extensions (which includes Operators) in the mirror registry. Used by OLM v1.
- UpdateService
- Provides update graph data to the disconnected environment. Used by the OpenShift Update Service.
5.5.1. Restrictions on modifying resources that are generated by the oc-mirror plugin
When using resources that are generated by the oc-mirror plugin v2 to configure your cluster, you must not change certain fields. Modifying these fields can cause errors and is not supported.
The following table lists the resources and their fields that must remain unchanged:
| Resource | Fields that must not be changed | 
|---|---|
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									Signature  | 
									 | 
| 
									 | 
									 | 
					For more information about these resources, see the OpenShift API documentation for CatalogSource, ImageDigestMirrorSet, and ImageTagMirrorSet.
				
5.5.2. Configuring your cluster to use the resources generated by oc-mirror plugin v2
					After you have mirrored your image set to the mirror registry, you must apply the generated ImageDigestMirrorSet (IDMS), ImageTagMirrorSet (ITMS), CatalogSource, and UpdateService resources to the cluster.
				
						In oc-mirror plugin v2, the IDMS and ITMS files cover the entire image set, unlike the ImageContentSourcePolicy (ICSP) files in oc-mirror plugin v1. Therefore, the IDMS and ITMS files contain all images of the set even if you only add new images during incremental mirroring.
					
Prerequisites
- 
							You have access to the cluster as a user with the cluster-adminrole.
Procedure
- 
							Log in to the OpenShift CLI as a user with the cluster-adminrole.
- Apply the YAML files from the results directory to the cluster by running the following command: - oc apply -f <path_to_oc_mirror_workspace>/working-dir/cluster-resources - $ oc apply -f <path_to_oc_mirror_workspace>/working-dir/cluster-resources- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you mirrored release images, apply the release image signatures to the cluster by running the following command: - oc apply -f working-dir/cluster-resources/signature-configmap.json - $ oc apply -f working-dir/cluster-resources/signature-configmap.json- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- If you are mirroring Operators instead of clusters, do not run the preceding command. Running the command results in an error because there are no release image signatures to apply. - Additionally, a YAML file is available in the same directory - working-dir/cluster-resources/. You can use either the JSON or YAML format.
Verification
- Verify that the - ImageDigestMirrorSetresources are successfully installed by running the following command:- oc get imagedigestmirrorset - $ oc get imagedigestmirrorset- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify that the - ImageTagMirrorSetresources are successfully installed by running the following command:- oc get imagetagmirrorset - $ oc get imagetagmirrorset- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify that the - CatalogSourceresources are successfully installed by running the following command:- oc get catalogsource -n openshift-marketplace - $ oc get catalogsource -n openshift-marketplace- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify that the - ClusterCatalogresources are successfully installed by running the following command:- oc get clustercatalog - $ oc get clustercatalog- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
After your cluster is configured to use the resources generated by oc-mirror plugin v2, see Next steps for information about tasks that you can perform using your mirrored images.
5.6. Deletion of images from your disconnected environment
				If you have previously deployed images using the oc-mirror plugin v2, you can delete these images to free up space in your mirror registry. oc-mirror plugin v2 does not automatically prune images that are not included in the ImageSetConfiguration file. This prevents accidentally deleting necessary or deployed images when making changes to the ImageSetConfig.yaml file.
			
				You must create a DeleteImageSetConfiguration file to specify which images to delete.
			
				In the following example, the DeleteImageSetConfiguration file removes the following images:
			
- All release images for OpenShift Container Platform 4.13.3.
- 
						The aws-load-balancer-operatorv0.0.1 bundle and all its related images.
- 
						The additional images for ubiandubi-minimal, referenced by their corresponding digests.
Example DeleteImageSetConfiguration file
Consider using the mirror-to-disk and disk-to-mirror workflows to reduce deletion issues.
oc-mirror plugin v2 deletes only the manifests of the images, which does not reduce the storage occupied in the registry.
To free up storage space from unnecessary images, such as those with deleted manifests, you must enable the garbage collector on your container registry. With the garbage collector enabled, the registry will delete the image blobs that no longer have references to any manifests, reducing the storage previously occupied by the deleted blobs. The process for enabling the garbage collector differs depending on your container registry.
For more information, see "Resolving storage cleanup issues in the distribution registry".
- To skip deleting the Operator catalog image while you are deleting Operator images, you must list the specific Operators under the Operator catalog image in the - DeleteImageSetConfigurationfile. This ensures that only the specified Operators are deleted, not the catalog image.- If only the Operator catalog image is specified, all Operators within that catalog, as well as the catalog image itself, will be deleted. 
- oc-mirror plugin v2 does not delete Operator catalog images automatically because other Operators may still be deployed and depend on these images. - If you are certain that no Operators from a catalog remain in the registry or cluster, you can explicitly add the catalog image to - additionalImagesin- DeleteImageSetConfigurationto remove it.
- Garbage collection behavior depends on the registry. Some registries do not automatically remove deleted images, requiring a system administrator to manually trigger garbage collection to free up space.
5.6.1. Resolving storage cleanup issues in the distribution registry
A known issue in the distribution registry prevents the garbage collector from freeing up storage as expected. This issue does not occur when you use Red Hat Quay.
Procedure
- Choose the appropriate method to work around the known issue in the distribution registry: - To restart the container registry, run the following command: - podman restart <registry_container> - $ podman restart <registry_container>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To disable caching in the registry configuration, perform the following steps: - To disable the - blobdescriptorcache, modify the- /etc/docker/registry/config.ymlfile:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To apply the changes, restart the container registry by running the following command: - podman restart <registry_container> - $ podman restart <registry_container>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
 
5.6.2. Deleting images from a disconnected environment
To delete images from a disconnected environment using the oc-mirror plugin v2, follow the procedure.
Prerequisites
- You have enabled garbage collection in your environment to delete images that no longer reference manifests.
Procedure
- Create a - delete-image-set-config.yamlfile and include the following content:- DeleteImageSetConfigurationfile- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1 1
- Specify the name of the OpenShift Container Platform channel to delete, for examplestable-4.15.
- 2 3
- Specify a version range of the images to delete within the channel, for example4.15.0for the minimum version and4.15.1for the maximum version. To delete only one version’s images, use that version number for both theminVersionandmaxVersionfields.
- 4
- Specify an Operator catalog image containing the Operators to delete, for exampleregistry.redhat.io/redhat/redhat-operator-index:v4.14. The Operator catalog image will not get deleted. Its presence in the registry might be necessary for other Operators still remaining on the cluster.
- 5
- Specify a specific Operator to delete, for exampleaws-load-balancer-operator.
- 6 7
- Specify a version range of the images to delete for the Operator, for example0.0.1for the minimum version and0.0.2for the maximum version.
 
- Create a - delete-images.yamlfile by running the following command:- oc mirror delete --config delete-image-set-config.yaml --workspace file://<previously_mirrored_work_folder> --v2 --generate docker://<remote_registry> - $ oc mirror delete --config delete-image-set-config.yaml --workspace file://<previously_mirrored_work_folder> --v2 --generate docker://<remote_registry>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <previously_mirrored_work_folder>
- Specifies the directory where images were previously mirrored to or stored during the mirroring process.
- <remote_registry>
- Specifies the URL or address of the remote container registry from which images will be deleted. Important- When deleting images, specify the correct workspace directory. Modify or delete the cache directory only when starting mirroring from scratch, such as setting up a new cluster. Incorrect changes to the cache directory might disrupt further mirroring operations. 
 
- 
							Go to the <previously_mirrored_work_folder>/deletedirectory that was created.
- 
							Verify that the delete-images.yamlfile has been generated.
- Manually ensure that each image listed in the file is no longer needed by the cluster and can be safely removed from the registry.
- After you generate the - delete-imagesYAML file, delete the images from the remote registry by running the following command:- oc mirror delete --v2 --delete-yaml-file <previously_mirrored_work_folder>/working-dir/delete/delete-images.yaml docker://<remote_registry> - $ oc mirror delete --v2 --delete-yaml-file <previously_mirrored_work_folder>/working-dir/delete/delete-images.yaml docker://<remote_registry>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <previously_mirrored_work_folder>
- Specifies the directory where images were previously mirrored or stored during the mirroring process.
- <remote_registry>
- Specifies the URL or address of the remote container registry from which images will be deleted. Important- When using the mirror-to-mirror method to mirror images, images are not cached locally, so you cannot delete images from a local cache. 
 
5.7. Verifying your selected images for mirroring
				You can use oc-mirror plugin v2 to perform a test run (dry run) that does not actually mirror any images. This enables you to review the list of images that would be mirrored. You can also use a dry run to catch any errors with your image set configuration early. When running a dry run on a mirror-to-disk workflow, the oc-mirror plugin v2 checks if all the images within the image set are available in its cache. Any missing images are listed in the missing.txt file. When a dry run is performed before mirroring, both missing.txt and mapping.txt files contain the same list of images.
			
5.7.1. Performing a dry run for oc-mirror plugin v2
Verify your image set configuration by performing a dry run without mirroring any images. This ensures your setup is correct and prevents unintended changes.
Procedure
- To perform a test run, run the - oc mirrorcommand and append the- --dry-runargument to the command:- oc mirror -c <image_set_config_yaml> file://<oc_mirror_workspace_path> --dry-run --v2 - $ oc mirror -c <image_set_config_yaml> file://<oc_mirror_workspace_path> --dry-run --v2- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <image_set_config_yaml>
- Specifies the image set configuration file that you created.
- <oc_mirror_workspace_path>
- Insert the address of the workspace path.
- <mirror_registry_url>
- Insert the URL or address of the remote container registry from which images will be mirrored or deleted. - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
Verification
- Navigate to the workspace directory that was generated: - cd <oc_mirror_workspace_path> - $ cd <oc_mirror_workspace_path>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Review the mapping.txtandmissing.txtfiles that were generated. These files contain a list of all images that would be mirrored.
5.7.2. Troubleshooting oc-mirror plugin v2 errors
oc-mirror plugin v2 now logs all image mirroring errors in a separate file, making it easier to track and diagnose failures.
When errors occur while mirroring release or release component images, they are critical. This stops the mirroring process immediately.
						Errors with mirroring Operators, Operator-related images, or additional images do not stop the mirroring process. Mirroring continues, and oc-mirror plugin v2 saves a file under the working-dir/logs directory describing which Operator failed to mirror.
					
When an image fails to mirror, and that image is mirrored as part of one or more Operator bundles, oc-mirror plugin v2 notifies the user which Operators are incomplete, providing clarity on the Operator bundles affected by the error.
Procedure
- Check for server-related issues: - Example error - [ERROR] : [Worker] error mirroring image localhost:55000/openshift/graph-image:latest error: copying image 1/4 from manifest list: trying to reuse blob sha256:edab65b863aead24e3ed77cea194b6562143049a9307cd48f86b542db9eecb6e at destination: pinging container registry localhost:5000: Get "https://localhost:5000/v2/": http: server gave HTTP response to HTTPS client - [ERROR] : [Worker] error mirroring image localhost:55000/openshift/graph-image:latest error: copying image 1/4 from manifest list: trying to reuse blob sha256:edab65b863aead24e3ed77cea194b6562143049a9307cd48f86b542db9eecb6e at destination: pinging container registry localhost:5000: Get "https://localhost:5000/v2/": http: server gave HTTP response to HTTPS client- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 
									Open the mirroring_error_date_time.logfile in theworking-dir/logsfolder located in the oc-mirror plugin v2 output directory.
- 
									Look for error messages that typically indicate server-side issues, such as HTTP 500errors, expired tokens, or timeouts.
- Retry the mirroring process or contact support if the issue persists.
 
- 
									Open the 
- Check for incomplete mirroring of Operators: - Example error - error mirroring image docker://registry.redhat.io/3scale-amp2/zync-rhel9@sha256:8bb6b31e108d67476cc62622f20ff8db34efae5d58014de9502336fcc479d86d (Operator bundles: [3scale-operator.v0.11.12] - Operators: [3scale-operator]) error: initializing source docker://localhost:55000/3scale-amp2/zync-rhel9:8bb6b31e108d67476cc62622f20ff8db34efae5d58014de9502336fcc479d86d: reading manifest 8bb6b31e108d67476cc62622f20ff8db34efae5d58014de9502336fcc479d86d in localhost:55000/3scale-amp2/zync-rhel9: manifest unknown error mirroring image docker://registry.redhat.io/3scale-amp2/3scale-rhel7-operator-metadata@sha256:de0a70d1263a6a596d28bf376158056631afd0b6159865008a7263a8e9bf0c7d error: skipping operator bundle docker://registry.redhat.io/3scale-amp2/3scale-rhel7-operator-metadata@sha256:de0a70d1263a6a596d28bf376158056631afd0b6159865008a7263a8e9bf0c7d because one of its related images failed to mirror error mirroring image docker://registry.redhat.io/3scale-amp2/system-rhel7@sha256:fe77272021867cc6b6d5d0c9bd06c99d4024ad53f1ab94ec0ab69d0fda74588e (Operator bundles: [3scale-operator.v0.11.12] - Operators: [3scale-operator]) error: initializing source docker://localhost:55000/3scale-amp2/system-rhel7:fe77272021867cc6b6d5d0c9bd06c99d4024ad53f1ab94ec0ab69d0fda74588e: reading manifest fe77272021867cc6b6d5d0c9bd06c99d4024ad53f1ab94ec0ab69d0fda74588e in localhost:55000/3scale-amp2/system-rhel7: manifest unknown - error mirroring image docker://registry.redhat.io/3scale-amp2/zync-rhel9@sha256:8bb6b31e108d67476cc62622f20ff8db34efae5d58014de9502336fcc479d86d (Operator bundles: [3scale-operator.v0.11.12] - Operators: [3scale-operator]) error: initializing source docker://localhost:55000/3scale-amp2/zync-rhel9:8bb6b31e108d67476cc62622f20ff8db34efae5d58014de9502336fcc479d86d: reading manifest 8bb6b31e108d67476cc62622f20ff8db34efae5d58014de9502336fcc479d86d in localhost:55000/3scale-amp2/zync-rhel9: manifest unknown error mirroring image docker://registry.redhat.io/3scale-amp2/3scale-rhel7-operator-metadata@sha256:de0a70d1263a6a596d28bf376158056631afd0b6159865008a7263a8e9bf0c7d error: skipping operator bundle docker://registry.redhat.io/3scale-amp2/3scale-rhel7-operator-metadata@sha256:de0a70d1263a6a596d28bf376158056631afd0b6159865008a7263a8e9bf0c7d because one of its related images failed to mirror error mirroring image docker://registry.redhat.io/3scale-amp2/system-rhel7@sha256:fe77272021867cc6b6d5d0c9bd06c99d4024ad53f1ab94ec0ab69d0fda74588e (Operator bundles: [3scale-operator.v0.11.12] - Operators: [3scale-operator]) error: initializing source docker://localhost:55000/3scale-amp2/system-rhel7:fe77272021867cc6b6d5d0c9bd06c99d4024ad53f1ab94ec0ab69d0fda74588e: reading manifest fe77272021867cc6b6d5d0c9bd06c99d4024ad53f1ab94ec0ab69d0fda74588e in localhost:55000/3scale-amp2/system-rhel7: manifest unknown- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Check for warnings in the console or log file indicating which Operators are incomplete. - If an Operator is flagged as incomplete, the image related to that Operator likely failed to mirror. 
- Manually mirror the missing image or retry the mirroring process.
 
- Check for errors related to generated cluster resources. Even if some images fail to mirror, oc-mirror v2 will still generate cluster resources such as - IDMS.yamland- ITMS.yamlfiles for the successfully mirrored images.- Check the output directory for the generated files.
- If these files are missing for specific images, ensure that no critical errors occurred for those images during the mirroring process.
 
By following these steps, you can better diagnose issues and ensure smoother mirroring.
5.8. Benefits of enclave support
Enclave support restricts internal access to a specific part of a network. Unlike a demilitarized zone (DMZ) network, which allows inbound and outbound traffic access through firewall boundaries, enclaves do not cross firewall boundaries.
The new enclave support functionality is for scenarios where mirroring is needed for multiple enclaves that are secured behind at least one intermediate disconnected network.
Enclave support has the following benefits:
- You can mirror content for multiple enclaves and centralize it in a single internal registry. Because some customers want to run security checks on the mirrored content, with this setup they can run these checks all at once. The content is then vetted before being mirrored to downstream enclaves.
- You can mirror content directly from the centralized internal registry to enclaves without restarting the mirroring process from the internet for each enclave.
- You can minimize data transfer between network stages, so to ensure that a blob or image is transferred only once from one stage to another.
5.8.1. Enclave mirroring workflow
The previous image outlines the flow for using the oc-mirror plugin in different environments, including environments with and without an internet connection.
Environment with Internet Connection:
- The user executes oc-mirror plugin v2 to mirror content from an online registry to a local disk directory.
- The mirrored content is saved to the disk for transfer to offline environments.
Disconnected Enterprise Environment (No Internet):
- Flow 1: - 
									The user runs oc-mirror plugin v2 to load the mirrored content from the disk directory, which was transferred from the online environment, into the enterprise-registry.inregistry.
 
- 
									The user runs oc-mirror plugin v2 to load the mirrored content from the disk directory, which was transferred from the online environment, into the 
- Flow 2: - 
									After updating the registries.conffile, the user executes the oc-mirror plugin v2 to mirror content from theenterprise-registry.inregistry to an enclave environment.
- The content is saved to a disk directory for transfer to the enclave.
 
- 
									After updating the 
Enclave Environment (No Internet):
- 
							The user runs oc-mirror plugin v2 to load content from the disk directory into the enclave-registry.inregistry.
The image visually represents the data flow across these environments and emphasizes the use of oc-mirror to handle disconnected and enclave environments without an internet connection.
5.8.2. Mirroring to an enclave
When you mirror to an enclave, you must first transfer the necessary images from one or more enclaves into the enterprise central registry.
					The central registry is situated within a secure network, specifically a disconnected environment, and is not directly linked to the public internet. But the user must execute oc mirror in an environment with access to the public internet.
				
Procedure
- Before running oc-mirror plugin v2 in the disconnected environment, create a - registries.conffile. The TOML format of the file is described in this specification:Note- It is recommended to store the file under - $HOME/.config/containers/registries.confor- /etc/containers/registries.conf.- Example - registries.conf- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Generate a mirror archive. - To collect all the OpenShift Container Platform content into an archive on the disk under - <file_path>/enterprise-content, run the following command:- oc mirror --v2 -c isc.yaml file://<file_path>/enterprise-content - $ oc mirror --v2 -c isc.yaml file://<file_path>/enterprise-content- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example of isc.yaml - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the archive is generated, it is transferred to the disconnected environment. The transport mechanism is not part of oc-mirror plugin v2. The enterprise network administrators determine the transfer strategy. - In some cases, the transfer is done manually, in that the disk is physically unplugged from one location, and plugged to another computer in the disconnected environment. In other cases, the Secure File Transfer Protocol (SFTP) or other protocols are used. 
 
- After the transfer of the archive is done, you can execute oc-mirror plugin v2 again in order to mirror the relevant archive contents to the registry ( - entrerpise_registry.inin the example) as demonstrated in the following example:- oc mirror --v2 -c isc.yaml --from file://<disconnected_environment_file_path>/enterprise-content docker://<enterprise_registry.in>/ - $ oc mirror --v2 -c isc.yaml --from file://<disconnected_environment_file_path>/enterprise-content docker://<enterprise_registry.in>/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Where: - 
									--frompoints to the folder containing the archive. It starts with thefile://.
- 
									docker://is the destination of the mirroring is the final argument. Because it is a docker registry.
- 
									-c(--config) is a mandatory argument. It enables oc-mirror plugin v2 to eventually mirror only sub-parts of the archive to the registry. One archive might contain several OpenShift Container Platform releases, but the disconnected environment or an enclave might mirror only a few.
 
- 
									
- Prepare the - imageSetConfigYAML file, which describes the content to mirror to the enclave:- Example isc-enclave.yaml - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You must run oc-mirror plugin v2 on a machine with access to the disconnected registry. In the previous example, the disconnected environment, - enterprise-registry.in, is accessible.
- Update the graph URL - If you are using - graph:true, oc-mirror plugin v2 attempts to reach the- cincinnatiAPI endpoint. Because this environment is disconnected, be sure to export the environment variable- UPDATE_URL_OVERRIDEto refer to the URL for the OpenShift Update Service (OSUS):- export UPDATE_URL_OVERRIDE=https://<osus.enterprise.in>/graph - $ export UPDATE_URL_OVERRIDE=https://<osus.enterprise.in>/graph- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For more information on setting up OSUS on an OpenShift cluster, see "Updating a cluster in a disconnected environment using the OpenShift Update Service". Note- When updating between OpenShift Container Platform Extended Update Support (EUS) versions, you must also include images for an intermediate minor version between the current and target versions. The oc-mirror plugin v2 might not always detect this requirement automatically, so check the Red Hat OpenShift Container Platform Update Graph page to confirm any required intermediate versions. - Use the Update Graph page to find the intermediate minor versions suggested by the application, and include any of these versions in the - ImageSetConfigurationfile when using the oc-mirror plugin v2.
- Generate a mirror archive from the enterprise registry for the enclave. - To prepare an archive for the - enclave1, the user executes oc-mirror plugin v2 in the enterprise disconnected environment by using the- imageSetConfigurationspecific for that enclave. This ensures that only images needed by that enclave are mirrored:- oc mirror --v2 -c isc-enclave.yaml - $ oc mirror --v2 -c isc-enclave.yaml file:///disk-enc1/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - This action collects all the OpenShift Container Platform content into an archive and generates an archive on disk. 
- 
							After the archive is generated, it will be transferred to the enclave1network. The transport mechanism is not the responsibility of oc-mirror plugin v2.
- Mirror contents to the enclave registry - After the transfer of the archive is done, the user can execute oc-mirror plugin v2 again in order to mirror the relevant archive contents to the registry. - oc mirror --v2 -c isc-enclave.yaml --from file://local-disk docker://registry.enc1.in - $ oc mirror --v2 -c isc-enclave.yaml --from file://local-disk docker://registry.enc1.in- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The administrators of the OpenShift Container Platform cluster in - enclave1are now ready to install or upgrade that cluster.
5.9. oc-mirror plugin v2 support proxy setting
				The oc-mirror plugin v2 can operate in a proxy-configured environment. The plugin can use system proxy settings to retrieve images for OpenShift Container Platform, Operator catalog, and the additionalImages registry.
			
5.10. How filtering works in the operator catalog
				oc-mirror plugin v2 selects the list of bundles for mirroring by processing the information in imageSetConfig.
			
When oc-mirror plugin v2 selects bundles for mirroring, it does not infer Group Version Kind (GVK) or bundle dependencies, omitting them from the mirroring set. Instead, it strictly adheres to the user instructions. You must explicitly specify any required dependent packages and their versions.
| ImageSetConfig operator filtering | Expected bundle versions | 
|---|---|
| Scenario 1 mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10  | For each package in the catalog, one bundle, corresponding to the head version for each channel of that package. | 
| Scenario 2 mirror:
  operators:
    - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10
      full: true | All bundles of all channels of the specified catalog. | 
| Scenario 3 mirror:
  operators:
    - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10
     packages:
    - name: compliance-operator | One bundle, corresponding to the head version for each channel of that package. | 
| Scenario 4 | All bundles of all channels for the packages specified. | 
| Scenario 5 | 
								All bundles in all channels, from the  | 
| Scenario 6 | 
								All bundles in all channels that are lower than the  | 
| Scenario 7 | 
								All bundles in all channels, between the  | 
| Scenario 8 | 
								The head bundle for the selected channel of that package. You must use the  | 
| Scenario 9 | 
								All bundles for the packages and channels specified. The  | 
| Scenario 10 | The head bundle for each selected channel of that package. | 
| Scenario 11 | 
								Within the selected channel of that package, all versions starting with the  | 
| Scenario 12 | 
								Within the selected channel of that package, all versions up to  | 
| Scenario 13 | 
								Within the selected channel of that package, all versions between the  | 
| Scenario 14 | 
								Do not use this scenario. filtering by channel and by package with a  | 
| Scenario 15 | 
								Do not use this scenario. You cannot filter using  | 
| Scenario 16 | 
								Do not use this scenario. You cannot filter using  | 
5.11. ImageSet configuration parameters for oc-mirror plugin v2
				The oc-mirror plugin v2 requires an image set configuration file that defines what images to mirror. The following table lists the available parameters for the ImageSetConfiguration resource.
			
					Using the minVersion and maxVersion properties to filter for a specific Operator version range can result in a multiple channel heads error. The error message states that there are multiple channel heads. This is because when the filter is applied, the update graph of the Operator is truncated.
				
OLM requires that every Operator channel contains versions that form an update graph with exactly one end point, that is, the latest version of the Operator. When the filter range is applied, that graph can turn into two or more separate graphs or a graph that has more than one end point.
					To avoid this error, do not filter out the latest version of an Operator. If you still run into the error, depending on the Operator, either the maxVersion property must be increased or the minVersion property must be decreased. Because every Operator graph can be different, you might need to adjust these values until the error resolves.
				
| Parameter | Description | Values | 
|---|---|---|
| 
								 | 
								The API version of the  | 
								String Example:  | 
| 
								 | The maximum size, in GiB, of each archive file within the image set. | 
								Integer Example:  | 
| 
								 | 
								When set to  | 
								Boolean Example  | 
| 
								 | The configuration of the image set. | Object | 
| 
								 | The additional images configuration of the image set. | Array of objects Example: additionalImages: - name: registry.redhat.io/ubi8/ubi:latest  | 
| 
								 | The tag or digest of the image to mirror. | 
								String Example:  | 
| 
								 | List of images with a tag or digest (SHA) to block from mirroring. | 
								Array of strings Example:  | 
| 
								 | 
								The helm configuration of the image set. The oc-mirror plugin does not support helm charts with manually modified  | Object | 
| 
								 | The local helm charts to mirror. | Array of objects. For example: local:
  - name: podinfo
    path: /test/podinfo-5.0.0.tar.gz | 
| 
								 | The name of the local helm chart to mirror. | 
								String. For example:  | 
| 
								 | The path of the local helm chart to mirror. | 
								String. For example:  | 
| 
								 | The remote helm repositories to mirror from. | Array of objects. For example: | 
| 
								 | The name of the helm repository to mirror from. | 
								String. For example:  | 
| 
								 | The URL of the helm repository to mirror from. | 
								String. For example:  | 
| 
								 | The remote helm charts to mirror. | Array of objects. | 
| 
								 | The name of the helm chart to mirror. | 
								String. For example:  | 
| 
								 | The custom path of a container image inside of the helm chart. + Note 
									 | 
								Array of string. For example:  | 
| 
								 | The Operators configuration of the image set. | Array of objects Example: operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:4.18
    packages:
      - name: elasticsearch-operator
        minVersion: '2.4.0' | 
| 
								 | The Operator catalog to include in the image set. | 
								String Example:  | 
| 
								 | 
								When  | 
								Boolean The default value is  | 
| 
								 | The Operator packages configuration. | Array of objects Example: operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:4.18
    packages:
      - name: elasticsearch-operator
        minVersion: '5.2.3-31' | 
| 
								 | The Operator package name to include in the image set. | 
								String Example:  | 
| 
								 | Operator package channel configuration | Object | 
| 
								 | The Operator channel name, unique within a package, to include in the image set. | 
								String Eample:  | 
| 
								 | The highest version of the Operator mirror across all channels in which it exists. | 
								String Example:  | 
| 
								 | The lowest version of the Operator to mirror across all channels in which it exists | 
								String Example:  | 
| 
								 | The highest version of the Operator to mirror across all channels in which it exists. | 
								String Example:  | 
| 
								 | The lowest version of the Operator to mirror across all channels in which it exists. | 
								String Example:  | 
| 
								 | An alternative name and optional namespace hierarchy to mirror the referenced catalog as | 
								String Example:  | 
| 
								 | Path on disk for a template to use to complete catalogSource custom resource generated by oc-mirror plugin v2. | 
								String Example:  | 
| 
								 | 
								An alternative tag to append to the  | 
								String Example:  | 
| 
								 | The platform configuration of the image set. | Object | 
| 
								 | The architecture of the platform release payload to mirror. | Array of strings Example: 
								The default value is  | 
| 
								 | The platform channel configuration of the image set. | Array of objects Example: channels: - name: stable-4.12 - name: stable-4.18  | 
| 
								 | 
								When  | 
								Boolean The default value is  | 
| 
								 | Name of the release channel | 
								String Example:  | 
| 
								 | The minimum version of the referenced platform to be mirrored. | 
								String Example:  | 
| 
								 | The highest version of the referenced platform to be mirrored. | 
								String Example:  | 
| 
								 | Toggles shortest path mirroring or full range mirroring. | 
								Boolean The default value is  | 
| 
								 | Type of the platform to be mirrored | 
								String Example:  | 
| 
								 | Indicates whether the OSUS graph is added to the image set and subsequently published to the mirror. | 
								Boolean The default value is  | 
| 
								 | Must be defined when excluding the default channel from the filtering. | Array of objects. For example: | 
5.11.1. DeleteImageSetConfiguration parameters
					To use remove images with the oc-mirror plugin v2, you must use a DeleteImageSetConfiguration.yaml configuration file that defines which images to delete from the mirror registry. The following table lists the available parameters for the DeleteImageSetConfiguration resource.
				
| Parameter | Description | Values | 
|---|---|---|
| 
									 | 
									The API version for the  | 
									String Example:  | 
| 
									 | The configuration of the image set to delete. | Object | 
| 
									 | The additional images configuration of the delete image set. | Array of objects Example: additionalImages: - name: registry.redhat.io/ubi8/ubi:latest  | 
| 
									 | The tag or digest of the image to delete. | 
									String Example:  | 
| 
									 | The Operators configuration of the delete image set. | Array of objects Example: operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:{product-version}
    packages:
      - name: elasticsearch-operator
        minVersion: '2.4.0' | 
| 
									 | The Operator catalog to include in the delete image set. | 
									String Example:  | 
| 
									 | When true, deletes the full catalog, Operator package, or Operator channel. | 
									Boolean The default value is  | 
| 
									 | Operator packages configuration | Array of objects Example: operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:{product-version}
    packages:
      - name: elasticsearch-operator
        minVersion: '5.2.3-31' | 
| 
									 | The Operator package name to include in the delete image set. | 
									String Example:  | 
| 
									 | Operator package channel configuration | Object | 
| 
									 | The Operator channel name, unique within a package, to include in the delete image set. | 
									String Example:  | 
| 
									 | The highest version of the Operator to delete within the selected channel. | 
									String Example:  | 
| 
									 | The lowest version of the Operator to delete within the selection in which it exists. | 
									String Example:  | 
| 
									 | The highest version of the Operator to delete across all channels in which it exists. | 
									String Example:  | 
| 
									 | The lowest version of the Operator to delete across all channels in which it exists. | 
									String Example:  | 
| 
									 | The platform configuration of the image set | Object | 
| 
									 | The architecture of the platform release payload to delete. | Array of strings Example: 
									The default value is  | 
| 
									 | The platform channel configuration of the image set. | Array of objects Example: channels: - name: stable-4.12 - name: stable-4.18  | 
| 
									 | 
									When  | 
									Boolean The default value is  | 
| 
									 | Name of the release channel | 
									String Example:  | 
| 
									 | The minimum version of the referenced platform to be deleted. | 
									String Example:  | 
| 
									 | The highest version of the referenced platform to be deleted. | 
									String Example:  | 
| 
									 | Toggles between deleting the shortest path and deleting the full range. | 
									Boolean The default value is  | 
| 
									 | Type of the platform to be deleted | 
									String Example:  | 
| 
									 | Determines whether the OSUS graph is deleted as well on the mirror registry as well. | 
									Boolean The default value is  | 
5.12. Command reference for oc-mirror plugin v2
				The following tables describe the oc mirror subcommands and flags for oc-mirror plugin v2:
			
| Subcommand | Description | 
|---|---|
| 
								 | Show help about any subcommand | 
| 
								 | Output the oc-mirror version | 
| 
								 | Deletes images in remote registry and local cache. | 
| Flag | Description | 
|---|---|
| 
								 | 
								Displays the string path of the authentication file. Default is  | 
| 
								 | Specifies the path to an image set configuration file. | 
| 
								 | 
								oc-mirror cache directory location. The default value is  | 
| 
								 | 
								Requires HTTPS and verifies certificates when accessing the container registry or daemon. The default value is  | 
| 
								 | Prints actions without mirroring images. | 
| 
								 | Specifies the path to an image set archive that was generated by executing oc-mirror plugin v2 to load a target registry. | 
| 
								 | Displays help | 
| 
								 | 
								Timeout for mirroring an image. The default is 10m0s. Valid time units are  | 
| 
								 | 
								Displays string log levels. Supported values include info, debug, trace, error. The default value is  | 
| 
								 | 
								Determines the HTTP port used by oc-mirror plugin v2 local storage instance. The default value is  | 
| 
								 | 
								Specifies the number of images mirrored in parallel. The default value is  | 
| 
								 | 
								Specifies the number of image layers mirrored in parallel. The default value is  | 
| 
								 | 
								Specifies the maximum number of nested paths for destination registries that limit nested paths. The default value is  | 
| 
								 | 
								The default value is  | 
| 
								 | 
								Includes all new content since a specified date (format:  | 
| 
								 | Requires HTTPS and verifies certificates when accessing the container registry or daemon. | 
| 
								 | 
								The default value is  | 
| 
								 | Displays the version for oc-mirror plugin v2. | 
| 
								 | Determines string oc-mirror plugin v2 workspace where resources and internal artifacts are generated. | 
| 
								 | 
								Delay between 2 retries. The default value is  | 
| 
								 | 
								The number of times to retry. The default value is  | 
| 
								 | 
								Overrides the default container rootless storage path (usually in  | 
5.12.1. Command reference for deleting images
					The following tables describe the oc mirror subcommands and flags for deleting images:
				
| Subcommand | Description | 
|---|---|
| 
									 | 
									Path of the authentication file. The default value is  | 
| 
									 | 
									oc-mirror cache directory location. The default is  | 
| 
									 | Path to the delete imageset configuration file. | 
| 
									 | Used to differentiate between versions for files created by the delete functionality. | 
| 
									 | 
									Used during the migration, along with  | 
| 
									 | If set, uses the generated or updated yaml file to delete contents. | 
| 
									 | 
									Require HTTPS and verify certificates when talking to the container registry or daemon. The default value is  | 
| 
									 | Used to force delete the local cache manifests and blobs. | 
| 
									 | Used to generate the delete yaml for the list of manifests and blobs, used when deleting from local cache and remote registry. | 
| 
									 | Displays help. | 
| 
									 | 
									Log level one of  | 
| 
									 | 
									Indicates the number of images deleted in parallel. The default value is  | 
| 
									 | 
									Indicates the number of image layers mirrored in parallel. The default value is  | 
| 
									 | 
									HTTP port used by oc-mirror’s local storage instance. The default value is  | 
| 
									 | 
									Duration delay between 2 retries. The default value is  | 
| 
									 | 
									The number of times to retry. The default value is  | 
| 
									 | 
									Require HTTPS and verify certificates when talking to the container registry or daemon. The default value is  | 
| 
									 | oc-mirror workspace where resources and internal artifacts are generated. | 
5.13. Next steps
After you mirror images to your disconnected environment using oc-mirror plugin v2, you can perform any of the following actions:
Chapter 6. Migrating from oc-mirror plugin v1 to v2
The oc-mirror v2 plugin introduces major changes to image mirroring workflows. This guide provides step-by-step instructions for migration while ensuring compatibility with oc-mirror plugin v2.
You must manually update the configurations by modifying the API version and removing deprecated fields. For more information, see "Changes from oc-mirror plugin v1 to v2".
6.1. Changes from oc-mirror plugin v1 to v2
Before migrating from oc-mirror plugin v1 to v2, see the following differences between oc-mirror plugin v1 and v2:
- 
						Explicit version selection: Users must explicitly specify --v2when usingoc-mirror. If no version is specified, v1 is executed by default. This behavior is expected to change in future releases, where--v2will be the default.
- Updated commands: Commands for mirroring workflows have changed to align with oc-mirror plugin v2’s new workflow. - For mirror-to-disk, run the following command: - oc-mirror --config isc.yaml file://<directory_name> --v2 - $ oc-mirror --config isc.yaml file://<directory_name> --v2- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- For disk-to-mirror, run the following command: - oc-mirror --config isc.yaml --from file://<directory_name> docker://<remote_registry> --v2 - $ oc-mirror --config isc.yaml --from file://<directory_name> docker://<remote_registry> --v2- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- For mirror-to-mirror, run the following command: - oc-mirror --config isc.yaml --workspace file://<directory_name> docker://<remote_registry> --v2 - $ oc-mirror --config isc.yaml --workspace file://<directory_name> docker://<remote_registry> --v2- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- --workspaceis now required for mirror-to-mirror operation.
 
- 
						API version update: The ImageSetConfigurationAPI version changes fromv1alpha2(v1) tov2alpha1(v2). You must manually update the configuration files before migration.
- Configuration changes: - 
								storageConfigmust be removed in oc-mirror plugin v2.
- Incremental mirroring is now handled automatically through the working directory or local cache.
 
- 
								
- Changes in results directory: All custom resources to be applied to the disconnected cluster are generated in the - <workspace_path>/working-dir/cluster-resourcesdirectory after the migration.- Outputs in oc-mirror plugin v2 are not stored in the same location as oc-mirror plugin v1.
- You must check the - cluster-resourcesfolder under the working directory for the following resources:- 
										ImageDigestMirrorSet(IDMS)
- 
										ImageTagMirrorSet(ITMS)
- 
										CatalogSource
- 
										ClusterCatalog
- 
										UpdateService
 
- 
										
 
- Workspace and directory naming: Follow the new oc-mirror v2 convention to prevent any potential data inconsistencies when transitioning between versions. - 
								The oc-mirror plugin v1 oc-mirror-workspacedirectory is no longer needed.
- Use a new directory for oc-mirror plugin v2 to avoid conflicts.
 
- 
								The oc-mirror plugin v1 
- Replacing - ImageContentSourcePolicy(ICSP) resources with IDMS/ITMS:Important- Deleting all - ImageContentSourcePolicy(ICSP) resources might remove configurations unrelated to oc-mirror.- To avoid unintended deletions, identify ICSP resources generated by oc-mirror before removing them. If you are unsure, check with your cluster administrator. For more information, see "Mirroring images for a disconnected installation by using the oc-mirror plugin v2". - 
								In oc-mirror plugin v2, the ICSP resource is replaced by ImageDigestMirrorSet(IDMS) andImageTagMirrorSet(ITMS) resources.
 
- 
								In oc-mirror plugin v2, the ICSP resource is replaced by 
6.2. Migrating to oc-mirror plugin v2
				To migrate from oc-mirror plugin v1 to v2, you must manually update the ImageSetConfiguration file, modify mirroring commands, and clean up v1 artifacts. Follow these steps to complete the migration.
			
Procedure
- Modify the API version and remove deprecated fields in your - ImageSetConfiguration.- Example - ImageSetConfigurationfile with oc-mirror plugin v1 configuration- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example - ImageSetConfigurationfile with oc-mirror plugin v2 configuration- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the - cluster-resourcesdirectory inside the working directory for IDMS, ITMS,- CatalogSource, and- ClusterCatalogresources by running the following command:- ls <v2_workspace>/working-dir/cluster-resources/ - $ ls <v2_workspace>/working-dir/cluster-resources/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Once the migration is complete, verify that mirrored images and catalogs are available: - Ensure that no errors or warnings occurred during mirroring.
- 
								Ensure that no error file was generated (working-dir/logs/mirroring_errors_YYYYMMdd_HHmmss.txt).
 
- Verify that mirrored images and catalogs are available using the following the commands: - oc get catalogsource -n openshift-marketplace - $ oc get catalogsource -n openshift-marketplace- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - oc get imagedigestmirrorset,imagetagmirrorset - $ oc get imagedigestmirrorset,imagetagmirrorset- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For more information, refer to "Mirroring images for a disconnected installation using oc-mirror plugin v2". 
- Optional: Remove images mirrored using oc-mirror plugin v1: - Mirror the images using oc-mirror plugin v1.
- Update the API version in the - ImageSetConfigurationfile from- v1alpha2(v1) to- v2alpha1(v2), then run the following command:- oc-mirror -c isc.yaml file://some-dir --v2 - $ oc-mirror -c isc.yaml file://some-dir --v2- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- storageConfigis not a valid field in the- ImageSetConfigurationand- DeleteImageSetConfigurationfiles. Remove this field when updating to oc-mirror plugin v2.
- Generate a delete manifest and delete v1 images by running the following command: - oc-mirror delete --config=delete-isc.yaml --generate --delete-v1-images --workspace file://some-dir docker://registry.example:5000 --v2 - $ oc-mirror delete --config=delete-isc.yaml --generate --delete-v1-images --workspace file://some-dir docker://registry.example:5000 --v2- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- oc-mirror plugin v2 does not automatically prune the destination registry, unlike oc-mirror plugin v1. To clean up images that are no longer needed, use the delete functionality in v2 with the - --delete-v1-imagescommand flag.- Once all images mirrored with oc-mirror plugin v1 are removed, you no longer need to use this flag. If you need to delete images mirrored with oc-mirror plugin v2, do not set - --delete-v1-images.- For more information about deleting images, see "Deletion of images from your disconnected environment". 
- Delete images based on the generated manifest by running the following command: - oc-mirror delete --delete-yaml-file some-dir/working-dir/delete/delete-images.yaml docker://registry.example:5000 --v2 - $ oc-mirror delete --delete-yaml-file some-dir/working-dir/delete/delete-images.yaml docker://registry.example:5000 --v2- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
Chapter 7. Mirroring images for a disconnected installation using the oc-mirror plugin
Running your cluster in a restricted network without direct internet connectivity is possible by installing the cluster from a mirrored set of OpenShift Container Platform container images in a private registry. This registry must be running at all times as long as the cluster is running. See the Prerequisites section for more information.
			You can use the oc-mirror OpenShift CLI (oc) plugin to mirror images to a mirror registry in your fully or partially disconnected environments. You must run oc-mirror from a system with internet connectivity in order to download the required images from the official Red Hat registries.
		
				The oc-mirror v1 plugin is deprecated. To prevent failures in a future release, specify the --v1 flag to continue using the v1 plugin, or migrate to the supported v2 plugin and use the --v2 flag. Transition to the oc-mirror v2 plugin for continued support and improvements.
			
7.1. About the oc-mirror plugin
				You can use the oc-mirror OpenShift CLI (oc) plugin to mirror all required OpenShift Container Platform content and other images to your mirror registry by using a single tool. It provides the following features:
			
- Provides a centralized method to mirror OpenShift Container Platform releases, Operators, helm charts, and other images.
- Maintains update paths for OpenShift Container Platform and Operators.
- Uses a declarative image set configuration file to include only the OpenShift Container Platform releases, Operators, and images that your cluster needs.
- Performs incremental mirroring, which reduces the size of future image sets.
- Prunes images from the target mirror registry that were excluded from the image set configuration since the previous execution.
- Optionally generates supporting artifacts for OpenShift Update Service (OSUS) usage.
When using the oc-mirror plugin, you specify which content to mirror in an image set configuration file. In this YAML file, you can fine-tune the configuration to only include the OpenShift Container Platform releases and Operators that your cluster needs. This reduces the amount of data that you need to download and transfer. The oc-mirror plugin can also mirror arbitrary helm charts and additional container images to assist users in seamlessly synchronizing their workloads onto mirror registries.
The first time you run the oc-mirror plugin, it populates your mirror registry with the required content to perform your disconnected cluster installation or update. In order for your disconnected cluster to continue receiving updates, you must keep your mirror registry updated. To update your mirror registry, you run the oc-mirror plugin using the same configuration as the first time you ran it. The oc-mirror plugin references the metadata from the storage backend and only downloads what has been released since the last time you ran the tool. This provides update paths for OpenShift Container Platform and Operators and performs dependency resolution as required.
7.1.1. High level workflow
The following steps outline the high-level workflow on how to use the oc-mirror plugin to mirror images to a mirror registry:
- Create an image set configuration file.
- Mirror the image set to the target mirror registry by using one of the following methods: - Mirror an image set directly to the target mirror registry.
- Mirror an image set to disk, transfer the image set to the target environment, then upload the image set to the target mirror registry.
 
- Configure your cluster to use the resources generated by the oc-mirror plugin.
- Repeat these steps to update your target mirror registry as necessary.
When using the oc-mirror CLI plugin to populate a mirror registry, any further updates to the target mirror registry must be made by using the oc-mirror plugin.
7.2. oc-mirror plugin compatibility and support
The oc-mirror plugin supports mirroring OpenShift Container Platform payload images and Operator catalogs for OpenShift Container Platform versions 4.12 and later.
					On aarch64, ppc64le, and s390x architectures the oc-mirror plugin is only supported for OpenShift Container Platform versions 4.14 and later.
				
Use the latest available version of the oc-mirror plugin regardless of which versions of OpenShift Container Platform you need to mirror.
7.3. About the mirror registry
You can mirror the images that are required for OpenShift Container Platform installation and subsequent product updates to a container mirror registry that supports Docker v2-2, such as Red Hat Quay. If you do not have access to a large-scale container registry, you can use the mirror registry for Red Hat OpenShift, which is a small-scale container registry included with OpenShift Container Platform subscriptions.
Regardless of your chosen registry, the procedure to mirror content from Red Hat hosted sites on the internet to an isolated image registry is the same. After you mirror the content, you configure each cluster to retrieve this content from your mirror registry.
The OpenShift image registry cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process.
If choosing a container registry that is not the mirror registry for Red Hat OpenShift, it must be reachable by every machine in the clusters that you provision. If the registry is unreachable, installation, updating, or normal operations such as workload relocation might fail. For that reason, you must run mirror registries in a highly available way, and the mirror registries must at least match the production availability of your OpenShift Container Platform clusters.
When you populate your mirror registry with OpenShift Container Platform images, you can follow two scenarios. If you have a host that can access both the internet and your mirror registry, but not your cluster nodes, you can directly mirror the content from that machine. This process is referred to as connected mirroring. If you have no such host, you must mirror the images to a file system and then bring that host or removable media into your restricted environment. This process is referred to as disconnected mirroring.
				For mirrored registries, to view the source of pulled images, you must review the Trying to access log entry in the CRI-O logs. Other methods to view the image pull source, such as using the crictl images command on a node, show the non-mirrored image name, even though the image is pulled from the mirrored location.
			
Red Hat does not test third party registries with OpenShift Container Platform.
7.4. Prerequisites
- You must have a container image registry that supports Docker v2-2 in the location that will host the OpenShift Container Platform cluster, such as Red Hat Quay. Note- If you use Red Hat Quay, you must use version 3.6 or later with the oc-mirror plugin. If you have an entitlement to Red Hat Quay, see the documentation on deploying Red Hat Quay for proof-of-concept purposes or by using the Red Hat Quay Operator. If you need additional assistance selecting and installing a registry, contact your sales representative or Red Hat Support. - If you do not already have an existing solution for a container image registry, subscribers of OpenShift Container Platform are provided a mirror registry for Red Hat OpenShift. The mirror registry for Red Hat OpenShift is included with your subscription and is a small-scale container registry that can be used to mirror the required container images of OpenShift Container Platform in disconnected installations. 
7.5. Preparing your mirror hosts
Before you can use the oc-mirror plugin to mirror images, you must install the plugin and create a container image registry credentials file to allow the mirroring from Red Hat to your mirror.
7.5.1. Installing the oc-mirror OpenShift CLI plugin
Install the oc-mirror OpenShift CLI plugin to manage image sets in disconnected environments.
Prerequisites
- You have installed the OpenShift CLI ( - oc). If you are mirroring image sets in a fully disconnected environment, ensure the following:- You have installed the oc-mirror plugin on the host that has internet access.
- The host in the disconnected environment has access to the target mirror registry.
 
- 
							You have set the umaskparameter to0022on the operating system that uses oc-mirror.
- You have installed the correct binary for the RHEL version that you are using.
Procedure
- Download the oc-mirror CLI plugin: - Navigate to the Downloads page of the Red Hat Hybrid Cloud Console.
- In the OpenShift disconnected installation tools section, select the OS type and Architecture type of the OpenShift Client (oc) mirror plugin from the dropdown menus.
- Click Download to save the file.
 
- Extract the archive by running the following command: - tar xvzf oc-mirror.tar.gz - $ tar xvzf oc-mirror.tar.gz- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If necessary, update the plugin file to be executable by running the following command: - chmod +x oc-mirror - $ chmod +x oc-mirror- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Do not rename the - oc-mirrorfile.
- Install the oc-mirror CLI plugin by placing the file in your - PATH, for example- /usr/local/bin, by running the following command:- sudo mv oc-mirror /usr/local/bin/. - $ sudo mv oc-mirror /usr/local/bin/.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Verify that the oc-mirror plugin v1 is successfully installed by running the following command: - oc mirror help - $ oc mirror help- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
7.5.2. Configuring credentials that allow images to be mirrored
Create a container image registry credentials file that enables you to mirror images from Red Hat to your mirror.
Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry.
Prerequisites
- You configured a mirror registry to use in your disconnected environment.
- You identified an image repository location on your mirror registry to mirror images into.
- You provisioned a mirror registry account that allows images to be uploaded to that image repository.
- You have write access to the mirror registry.
Procedure
Complete the following steps on the installation host:
- 
							Download your registry.redhat.iopull secret from Red Hat OpenShift Cluster Manager.
- Make a copy of your pull secret in JSON format by running the following command: - cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json> - $ cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the path to the folder to store the pull secret in and a name for the JSON file that you create.
 - Example pull secret - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save the file as either - ~/.docker/config.jsonor- $XDG_RUNTIME_DIR/containers/auth.json:- If the - .dockeror- $XDG_RUNTIME_DIR/containersdirectories do not exist, create one by entering the following command:- mkdir -p <directory_name> - $ mkdir -p <directory_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Where - <directory_name>is either- ~/.dockeror- $XDG_RUNTIME_DIR/containers.
- Copy the pull secret to the appropriate directory by entering the following command: - cp <path>/<pull_secret_file_in_json> <directory_name>/<auth_file> - $ cp <path>/<pull_secret_file_in_json> <directory_name>/<auth_file>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Where - <directory_name>is either- ~/.dockeror- $XDG_RUNTIME_DIR/containers, and- <auth_file>is either- config.jsonor- auth.json.
 
- Generate the base64-encoded user name and password or token for your mirror registry by running the following command: - echo -n '<user_name>:<password>' | base64 -w0 - $ echo -n '<user_name>:<password>' | base64 -w0- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<user_name>and<password>, specify the user name and password that you configured for your registry.
 - Example output - BGVtbYk3ZHAtqXs= - BGVtbYk3ZHAtqXs=- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit the JSON file and add a section that describes your registry to it: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example modified pull secret - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
7.6. Creating the image set configuration
Before you can use the oc-mirror plugin to mirror image sets, you must create an image set configuration file. This image set configuration file defines which OpenShift Container Platform releases, Operators, and other images to mirror, along with other configuration settings for the oc-mirror plugin.
You must specify a storage backend in the image set configuration file. This storage backend can be a local directory or a registry that supports Docker v2-2. The oc-mirror plugin stores metadata in this storage backend during image set creation.
Do not delete or modify the metadata that is generated by the oc-mirror plugin. You must use the same storage backend every time you run the oc-mirror plugin for the same mirror registry.
Prerequisites
- You have created a container image registry credentials file. For instructions, see "Configuring credentials that allow images to be mirrored".
Procedure
- Use the - oc mirror initcommand to create a template for the image set configuration and save it to a file called- imageset-config.yaml:- oc mirror init --registry <storage_backend> > imageset-config.yaml - $ oc mirror init --registry <storage_backend> > imageset-config.yaml- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specifies the location of your storage backend, such asexample.com/mirror/oc-mirror-metadata.
 
- Edit the file and adjust the settings as necessary: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- AddarchiveSizeto set the maximum size, in GiB, of each file within the image set.
- 2
- Set the back-end location to save the image set metadata to. This location can be a registry or local directory. It is required to specifystorageConfigvalues.
- 3
- Set the registry URL for the storage backend.
- 4
- Set the channel to retrieve the OpenShift Container Platform images from.
- 5
- Addgraph: trueto build and push the graph-data image to the mirror registry. The graph-data image is required to create OpenShift Update Service (OSUS). Thegraph: truefield also generates theUpdateServicecustom resource manifest. Theoccommand-line interface (CLI) can use theUpdateServicecustom resource manifest to create OSUS. For more information, see About the OpenShift Update Service.
- 6
- Set the Operator catalog to retrieve the OpenShift Container Platform images from.
- 7
- Specify only certain Operator packages to include in the image set. Remove this field to retrieve all packages in the catalog.
- 8
- Specify only certain channels of the Operator packages to include in the image set. You must always include the default channel for the Operator package even if you do not use the bundles in that channel. You can find the default channel by running the following command:oc mirror list operators --catalog=<catalog_name> --package=<package_name>.
- 9
- Specify any additional images to include in image set.
 Note- The - graph: truefield also mirrors the- ubi-microimage along with other mirrored images.- When upgrading OpenShift Container Platform Extended Update Support (EUS) versions, an intermediate version might be required between the current and target versions. For example, if the current version is - 4.14and target version is- 4.16, you might need to include a version such as- 4.15.8in the- ImageSetConfigurationwhen using the oc-mirror plugin v1.- The oc-mirror plugin v1 might not always detect this automatically, so check the Cincinnati graph web page to confirm any required intermediate versions and add them manually to your configuration. - See "Image set configuration parameters" for the full list of parameters and "Image set configuration examples" for various mirroring use cases. 
- Save the updated file. - This image set configuration file is required by the - oc mirrorcommand when mirroring content.
7.7. Mirroring an image set to a mirror registry
You can use the oc-mirror CLI plugin to mirror images to a mirror registry in a partially disconnected environment or in a fully disconnected environment.
These procedures assume that you already have your mirror registry set up.
7.7.1. Mirroring an image set in a partially disconnected environment
In a partially disconnected environment, you can mirror an image set directly to the target mirror registry.
7.7.1.1. Mirroring from mirror to mirror
You can use the oc-mirror plugin to mirror an image set directly to a target mirror registry that is accessible during image set creation.
You are required to specify a storage backend in the image set configuration file. This storage backend can be a local directory or a Docker v2 registry. The oc-mirror plugin stores metadata in this storage backend during image set creation.
Do not delete or modify the metadata that is generated by the oc-mirror plugin. You must use the same storage backend every time you run the oc-mirror plugin for the same mirror registry.
Prerequisites
- You have access to the internet to get the required container images.
- 
								You installed the OpenShift CLI (oc).
- You installed the oc-mirror CLI plugin.
- You created the image set configuration file.
Procedure
- Run the - oc mirrorcommand to mirror the images from the specified image set configuration to a specified registry:- oc mirror --config=./<imageset-config.yaml> \ docker://registry.example:5000 - $ oc mirror --config=./<imageset-config.yaml> \- 1 - docker://registry.example:5000- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the image set configuration file that you created. For example,imageset-config.yaml.
- 2
- Specify the registry to mirror the image set file to. The registry must start withdocker://. If you specify a top-level namespace for the mirror registry, you must also use this same namespace on subsequent executions.
 
Verification
- 
								Navigate into the oc-mirror-workspace/directory that was generated.
- 
								Navigate into the results directory, for example, results-1639608409/.
- 
								Verify that YAML files are present for the ImageContentSourcePolicyandCatalogSourceresources.
							The repositoryDigestMirrors section of the ImageContentSourcePolicy YAML file is used for the install-config.yaml file during installation.
						
Next steps
- 
								Convert the ImageContentSourcePolicyYAML content for use in manually configuring CRI-O.
- If required, mirror the images from mirror to disk for disconnected or offline use.
- Configure your cluster to use the resources generated by oc-mirror.
Troubleshooting
7.7.2. Mirroring an image set in a fully disconnected environment
To mirror an image set in a fully disconnected environment, you must first mirror the image set to disk, then mirror the image set file on disk to a mirror.
7.7.2.1. Mirroring from mirror to disk
You can use the oc-mirror plugin to generate an image set and save the contents to disk. The generated image set can then be transferred to the disconnected environment and mirrored to the target registry.
Depending on the configuration specified in the image set configuration file, using oc-mirror to mirror images might download several hundreds of gigabytes of data to disk.
The initial image set download when you populate the mirror registry is often the largest. Because you only download the images that changed since the last time you ran the command, when you run the oc-mirror plugin again, the generated image set is often smaller.
You are required to specify a storage backend in the image set configuration file. This storage backend can be a local directory or a docker v2 registry. The oc-mirror plugin stores metadata in this storage backend during image set creation.
Do not delete or modify the metadata that is generated by the oc-mirror plugin. You must use the same storage backend every time you run the oc-mirror plugin for the same mirror registry.
Prerequisites
- You have access to the internet to obtain the necessary container images.
- 
								You have installed the OpenShift CLI (oc).
- You have installed the oc-mirror CLI plugin.
- You have created the image set configuration file.
Procedure
- Run the - oc mirrorcommand to mirror the images from the specified image set configuration to disk:- oc mirror --config=./imageset-config.yaml \ file://<path_to_output_directory> - $ oc mirror --config=./imageset-config.yaml \- 1 - file://<path_to_output_directory>- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Navigate to your output directory: - cd <path_to_output_directory> - $ cd <path_to_output_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify that an image set - .tarfile was created:- ls - $ ls- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - mirror_seq1_000000.tar - mirror_seq1_000000.tar- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Next steps
- Transfer the image set .tar file to the disconnected environment.
Troubleshooting
7.7.2.2. Mirroring from disk to mirror
You can use the oc-mirror plugin to mirror the contents of a generated image set to the target mirror registry.
Prerequisites
- 
								You have installed the OpenShift CLI (oc) in the disconnected environment.
- You have installed the oc-mirror CLI plugin in the disconnected environment.
- 
								You have generated the image set file by using the oc mirrorcommand.
- You have transferred the image set file to the disconnected environment.
Procedure
- Run the - oc mirrorcommand to process the image set file on disk and mirror the contents to a target mirror registry:- oc mirror --from=./mirror_seq1_000000.tar \ docker://registry.example:5000 - $ oc mirror --from=./mirror_seq1_000000.tar \- 1 - docker://registry.example:5000- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Pass in the image set .tar file to mirror, namedmirror_seq1_000000.tarin this example. If anarchiveSizevalue was specified in the image set configuration file, the image set might be broken up into multiple .tar files. In this situation, you can pass in a directory that contains the image set .tar files.
- 2
- Specify the registry to mirror the image set file to. The registry must start withdocker://. If you specify a top-level namespace for the mirror registry, you must also use this same namespace on subsequent executions.
 - This command updates the mirror registry with the image set and generates the - ImageContentSourcePolicyand- CatalogSourceresources.
Verification
- 
								Navigate into the oc-mirror-workspace/directory that was generated.
- 
								Navigate into the results directory, for example, results-1639608409/.
- 
								Verify that YAML files are present for the ImageContentSourcePolicyandCatalogSourceresources.
Next steps
- Configure your cluster to use the resources generated by oc-mirror.
Troubleshooting
7.8. Configuring your cluster to use the resources generated by oc-mirror
				After you have mirrored your image set to the mirror registry, you must apply the generated ImageContentSourcePolicy, CatalogSource, and release image signature resources into the cluster.
			
				The ImageContentSourcePolicy resource associates the mirror registry with the source registry and redirects image pull requests from the online registries to the mirror registry. The CatalogSource resource is used by Operator Lifecycle Manager (OLM) Classic to retrieve information about the available Operators in the mirror registry. The release image signatures are used to verify the mirrored release images.
			
					OLM v1 uses the ClusterCatalog resource to retrieve information about the available cluster extensions in the mirror registry.
				
					The oc-mirror plugin v1 does not generate ClusterCatalog resources automatically; you must manually create them. For more information on creating and applying ClusterCatalog resources, see "Adding a catalog to a cluster" in "Extensions".
				
Prerequisites
- You have mirrored the image set to the registry mirror in the disconnected environment.
- 
						You have access to the cluster as a user with the cluster-adminrole.
Procedure
- 
						Log in to OpenShift CLI (oc) as a user with thecluster-adminrole.
- Apply the YAML files from the results directory to the cluster by running the following command: - oc apply -f ./oc-mirror-workspace/results-1639608409/ - $ oc apply -f ./oc-mirror-workspace/results-1639608409/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you mirrored release images, apply the release image signatures to the cluster by running the following command: - oc apply -f ./oc-mirror-workspace/results-1639608409/release-signatures/ - $ oc apply -f ./oc-mirror-workspace/results-1639608409/release-signatures/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- If you are mirroring Operators instead of clusters, you do not need to run - $ oc apply -f ./oc-mirror-workspace/results-1639608409/release-signatures/. Running that command will return an error, as there are no release image signatures to apply.
Verification
- Verify that the - ImageContentSourcePolicyresources were successfully installed by running the following command:- oc get imagecontentsourcepolicy - $ oc get imagecontentsourcepolicy- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify that the - CatalogSourceresources were successfully installed by running the following command:- oc get catalogsource -n openshift-marketplace - $ oc get catalogsource -n openshift-marketplace- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
7.9. Updating your mirror registry content
You can update your mirror registry content by updating the image set configuration file and mirroring the image set to the mirror registry. The next time that you run the oc-mirror plugin, an image set is generated that only contains new and updated images since the previous execution.
While updating the mirror registry, you must take into account the following considerations:
- Images are pruned from the target mirror registry if they are no longer included in the latest image set that was generated and mirrored. Therefore, ensure that you are updating images for the same combination of the following key components so that only a differential image set is created and mirrored: - Image set configuration
- Destination registry
- Storage configuration
 
- The images can be pruned in case of disk to mirror or mirror to mirror workflow.
- The generated image sets must be pushed to the target mirror registry in sequence. You can derive the sequence number from the file name of the generated image set archive file.
- Do not delete or modify the metadata image that is generated by the oc-mirror plugin.
- If you specified a top-level namespace for the mirror registry during the initial image set creation, then you must use this same namespace every time you run the oc-mirror plugin for the same mirror registry.
For more information about the workflow to update the mirror registry content, see the "High level workflow" section.
7.9.1. Mirror registry update examples
This section covers the use cases for updating the mirror registry from disk to mirror.
Example ImageSetConfiguration file that was previously used for mirroring
Updated ImageSetConfiguration file
- 1
- Replacing bystable-4.13prunes all the images ofstable-4.12.
7.9.1.2. Updating to the latest version of an Operator by pruning the existing images
Updated ImageSetConfiguration file
- 1
- Using the same channel without specifying a version prunes the existing images and updates with the latest version of images.
7.9.1.3. Mirroring a new Operator by pruning the existing Operator
Updated ImageSetConfiguration file
- 1
- Replacingrhacs-operatorwithnew_operator_nameprunes the Red Hat Advanced Cluster Security for Kubernetes Operator.
7.9.1.4. Pruning all the OpenShift Container Platform images
Updated ImageSetConfiguration file
7.10. Performing a dry run
You can use oc-mirror to perform a dry run, without actually mirroring any images. This allows you to review the list of images that would be mirrored, as well as any images that would be pruned from the mirror registry. A dry run also allows you to catch any errors with your image set configuration early or use the generated list of images with other tools to carry out the mirroring operation.
Prerequisites
- You have access to the internet to obtain the necessary container images.
- 
						You have installed the OpenShift CLI (oc).
- You have installed the oc-mirror CLI plugin.
- You have created the image set configuration file.
Procedure
- Run the - oc mirrorcommand with the- --dry-runflag to perform a dry run:- oc mirror --config=./imageset-config.yaml \ docker://registry.example:5000 \ --dry-run - $ oc mirror --config=./imageset-config.yaml \- 1 - docker://registry.example:5000 \- 2 - --dry-run- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Pass in the image set configuration file that was created. This procedure assumes that it is namedimageset-config.yaml.
- 2
- Specify the mirror registry. Nothing is mirrored to this registry as long as you use the--dry-runflag.
- 3
- Use the--dry-runflag to generate the dry run artifacts and not an actual image set file.
 - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Navigate into the workspace directory that was generated: - cd oc-mirror-workspace/ - $ cd oc-mirror-workspace/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Review the - mapping.txtfile that was generated.- This file contains a list of all images that would be mirrored. 
- Review the - pruning-plan.jsonfile that was generated.- This file contains a list of all images that would be pruned from the mirror registry when the image set is published. Note- The - pruning-plan.jsonfile is only generated if your oc-mirror command points to your mirror registry and there are images to be pruned.
7.11. Including local OCI Operator catalogs
While mirroring OpenShift Container Platform releases, Operator catalogs, and additional images from a registry to a partially disconnected cluster, you can include Operator catalog images from a local file-based catalog on disk. The local catalog must be in the Open Container Initiative (OCI) format.
The local catalog and its contents are mirrored to your target mirror registry based on the filtering information in the image set configuration file.
When mirroring local OCI catalogs, any OpenShift Container Platform releases or additional images that you want to mirror along with the local OCI-formatted catalog must be pulled from a registry.
You cannot mirror OCI catalogs along with an oc-mirror image set file on disk.
One example use case for using the OCI feature is if you have a CI/CD system building an OCI catalog to a location on disk, and you want to mirror that OCI catalog along with an OpenShift Container Platform release to your mirror registry.
If you used the Technology Preview OCI local catalogs feature for the oc-mirror plugin for OpenShift Container Platform 4.12, you can no longer use the OCI local catalogs feature of the oc-mirror plugin to copy a catalog locally and convert it to OCI format as a first step to mirroring to a fully disconnected cluster.
Prerequisites
- You have access to the internet to obtain the necessary container images.
- 
						You have installed the OpenShift CLI (oc).
- You have installed the oc-mirror CLI plugin.
Procedure
- Create the image set configuration file and adjust the settings as necessary. - The following example image set configuration mirrors an OCI catalog on disk along with an OpenShift Container Platform release and a UBI image from - registry.redhat.io.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Set the back-end location to save the image set metadata to. This location can be a registry or local directory. It is required to specifystorageConfigvalues.
- 2
- Optionally, include an OpenShift Container Platform release to mirror fromregistry.redhat.io.
- 3
- Specify the absolute path to the location of the OCI catalog on disk. The path must start withoci://when using the OCI feature.
- 4
- Optionally, specify an alternative namespace and name to mirror the catalog as.
- 5
- Optionally, specify additional Operator catalogs to pull from a registry.
- 6
- Optionally, specify additional images to pull from a registry.
 
- Run the - oc mirrorcommand to mirror the OCI catalog to a target mirror registry:- oc mirror --config=./imageset-config.yaml \ docker://registry.example:5000 - $ oc mirror --config=./imageset-config.yaml \- 1 - docker://registry.example:5000- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Pass in the image set configuration file. This procedure assumes that it is namedimageset-config.yaml.
- 2
- Specify the registry to mirror the content to. The registry must start withdocker://. If you specify a top-level namespace for the mirror registry, you must also use this same namespace on subsequent executions.
 - Optionally, you can specify other flags to adjust the behavior of the OCI feature: - --oci-insecure-signature-policy
- Do not push signatures to the target mirror registry.
- --oci-registries-config
- Specify the path to a TOML-formatted - registries.conffile. You can use this to mirror from a different registry, such as a pre-production location for testing, without having to change the image set configuration file. This flag only affects local OCI catalogs, not any other mirrored content.- Example registries.conf file - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
Next steps
- Configure your cluster to use the resources generated by oc-mirror.
7.12. Image set configuration parameters
				The oc-mirror plugin requires an image set configuration file that defines what images to mirror. The following table lists the available parameters for the ImageSetConfiguration resource.
			
| Parameter | Description | Values | 
|---|---|---|
| 
								 | 
								The API version for the  | 
								String. For example:  | 
| 
								 | The maximum size, in GiB, of each archive file within the image set. | 
								Integer. For example:  | 
| 
								 | The configuration of the image set. | Object | 
| 
								 | The additional images configuration of the image set. | Array of objects. For example: additionalImages: - name: registry.redhat.io/ubi8/ubi:latest  | 
| 
								 | The tag or digest of the image to mirror. | 
								String. For example:  | 
| 
								 | The full tag, digest, or pattern of images to block from mirroring. | 
								Array of strings. For example:  | 
| 
								 | The helm configuration of the image set. Note that the oc-mirror plugin supports only helm charts that do not require user input when rendered. | Object | 
| 
								 | The local helm charts to mirror. | Array of objects. For example: local:
  - name: podinfo
    path: /test/podinfo-5.0.0.tar.gz | 
| 
								 | The name of the local helm chart to mirror. | 
								String. For example:  | 
| 
								 | The path of the local helm chart to mirror. | 
								String. For example:  | 
| 
								 | The remote helm repositories to mirror from. | Array of objects. For example: | 
| 
								 | The name of the helm repository to mirror from. | 
								String. For example:  | 
| 
								 | The URL of the helm repository to mirror from. | 
								String. For example:  | 
| 
								 | The remote helm charts to mirror. | Array of objects. | 
| 
								 | The name of the helm chart to mirror. | 
								String. For example:  | 
| 
								 | The version of the named helm chart to mirror. | 
								String. For example:  | 
| 
								 | The Operators configuration of the image set. | Array of objects. For example: operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.18
    packages:
      - name: elasticsearch-operator
        minVersion: '2.4.0' | 
| 
								 | The Operator catalog to include in the image set. | 
								String. For example:  | 
| 
								 | 
								When  | 
								Boolean. The default value is  | 
| 
								 | The Operator packages configuration. | Array of objects. For example: operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.18
    packages:
      - name: elasticsearch-operator
        minVersion: '5.2.3-31' | 
| 
								 | The Operator package name to include in the image set | 
								String. For example:  | 
| 
								 | The Operator package channel configuration. | Object | 
| 
								 | The Operator channel name, unique within a package, to include in the image set. | 
								String. For example:  | 
| 
								 | The highest version of the Operator mirror across all channels in which it exists. See the following note for further information. | 
								String. For example:  | 
| 
								 | The name of the minimum bundle to include, plus all bundles in the update graph to the channel head. Set this field only if the named bundle has no semantic version metadata. | 
								String. For example:  | 
| 
								 | The lowest version of the Operator to mirror across all channels in which it exists. See the following note for further information. | 
								String. For example:  | 
| 
								 | The highest version of the Operator to mirror across all channels in which it exists. See the following note for further information. | 
								String. For example:  | 
| 
								 | The lowest version of the Operator to mirror across all channels in which it exists. See the following note for further information. | 
								String. For example:  | 
| 
								 | 
								If  | 
								Boolean. The default value is  | 
| 
								 | An alternative name and optional namespace hierarchy to mirror the referenced catalog as. | 
								String. For example:  | 
| 
								 | An alternative name to mirror the referenced catalog as. 
								The  | 
								String. For example:  | 
| 
								 | 
								An alternative tag to append to the  | 
								String. For example:  | 
| 
								 | The platform configuration of the image set. | Object | 
| 
								 | The architecture of the platform release payload to mirror. | Array of strings. For example: 
								The default value is  | 
| 
								 | The platform channel configuration of the image set. | Array of objects. For example: channels: - name: stable-4.10 - name: stable-4.18  | 
| 
								 | 
								When  | 
								Boolean. The default value is  | 
| 
								 | The name of the release channel. | 
								String. For example:  | 
| 
								 | The minimum version of the referenced platform to be mirrored. | 
								String. For example:  | 
| 
								 | The highest version of the referenced platform to be mirrored. | 
								String. For example:  | 
| 
								 | Toggles shortest path mirroring or full range mirroring. | 
								Boolean. The default value is  | 
| 
								 | The type of the platform to be mirrored. | 
								String. For example:  | 
| 
								 | Indicates whether the OSUS graph is added to the image set and subsequently published to the mirror. | 
								Boolean. The default value is  | 
| 
								 | The back-end configuration of the image set. | Object | 
| 
								 | The local back-end configuration of the image set. | Object | 
| 
								 | The path of the directory to contain the image set metadata. | 
								String. For example:  | 
| 
								 | The registry back-end configuration of the image set. | Object | 
| 
								 | The back-end registry URI. Can optionally include a namespace reference in the URI. | 
								String. For example:  | 
| 
								 | Optionally skip TLS verification of the referenced back-end registry. | 
								Boolean. The default value is  | 
					Using the minVersion and maxVersion properties to filter for a specific Operator version range can result in a multiple channel heads error. The error message states that there are multiple channel heads. This is because when the filter is applied, the update graph of the Operator is truncated.
				
Operator Lifecycle Manager requires that every Operator channel contains versions that form an update graph with exactly one end point, that is, the latest version of the Operator. When the filter range is applied, that graph can turn into two or more separate graphs or a graph that has more than one end point.
					To avoid this error, do not filter out the latest version of an Operator. If you still run into the error, depending on the Operator, either the maxVersion property must be increased or the minVersion property must be decreased. Because every Operator graph can be different, you might need to adjust these values until the error resolves.
				
7.13. Image set configuration examples
				The following ImageSetConfiguration file examples show the configuration for various mirroring use cases.
			
7.13.1. Use case: Including the shortest OpenShift Container Platform update path
					The following ImageSetConfiguration file uses a local storage backend and includes all OpenShift Container Platform versions along the shortest update path from the minimum version of 4.11.37 to the maximum version of 4.12.15.
				
Example ImageSetConfiguration file
					The following ImageSetConfiguration file uses a registry storage backend and includes all OpenShift Container Platform versions starting at a minimum version of 4.13.4 to the latest version in the channel. On every invocation of oc-mirror with this image set configuration, the latest release of the stable-4.13 channel is evaluated, so running oc-mirror at regular intervals ensures that you automatically receive the latest releases of OpenShift Container Platform images.
				
					By setting the value of platform.architectures to multi, you can ensure that the mirroring is supported for multi-architecture releases.
				
Example ImageSetConfiguration file
7.13.3. Use case: Including Operator versions from a minimum to the latest
					The following ImageSetConfiguration file uses a local storage backend and includes only the Red Hat Advanced Cluster Security for Kubernetes Operator, versions starting at 4.0.1 and later in the stable channel.
				
When you specify a minimum or maximum version range, you might not receive all Operator versions in that range.
By default, oc-mirror excludes any versions that are skipped or replaced by a newer version in the Operator Lifecycle Manager (OLM) specification. Operator versions that are skipped might be affected by a CVE or contain bugs. Use a newer version instead. For more information on skipped and replaced versions, see Creating an update graph with OLM.
						To receive all Operator versions in a specified range, you can set the mirror.operators.full field to true.
					
Example ImageSetConfiguration file
						To specify a maximum version instead of the latest, set the mirror.operators.packages.channels.maxVersion field.
					
7.13.4. Use case: Including the Nutanix CSI Operator
					The following ImageSetConfiguration file uses a local storage backend and includes the Nutanix CSI Operator, the OpenShift Update Service (OSUS) graph image, and an additional Red Hat Universal Base Image (UBI).
				
Example ImageSetConfiguration file
7.13.5. Use case: Including the default Operator channel
					The following ImageSetConfiguration file includes the stable-5.7 and stable channels for the OpenShift Elasticsearch Operator. Even if only the packages from the stable-5.7 channel are needed, the stable channel must also be included in the ImageSetConfiguration file, because it is the default channel for the Operator. You must always include the default channel for the Operator package even if you do not use the bundles in that channel.
				
					You can find the default channel by running the following command: oc mirror list operators --catalog=<catalog_name> --package=<package_name>.
				
Example ImageSetConfiguration file
7.13.6. Use case: Including an entire catalog (all versions)
					The following ImageSetConfiguration file sets the mirror.operators.full field to true to include all versions for an entire Operator catalog.
				
Example ImageSetConfiguration file
7.13.7. Use case: Including an entire catalog (channel heads only)
					The following ImageSetConfiguration file includes the channel heads for an entire Operator catalog.
				
					By default, for each Operator in the catalog, oc-mirror includes the latest Operator version (channel head) from the default channel. If you want to mirror all Operator versions, and not just the channel heads, you must set the mirror.operators.full field to true.
				
					This example also uses the targetCatalog field to specify an alternative namespace and name to mirror the catalog as.
				
Example ImageSetConfiguration file
7.13.8. Use case: Including arbitrary images and helm charts
					The following ImageSetConfiguration file uses a registry storage backend and includes helm charts and an additional Red Hat Universal Base Image (UBI).
				
Example ImageSetConfiguration file
7.13.9. Use case: Including the upgrade path for EUS releases
					The following ImageSetConfiguration file includes the eus-<version> channel, where the maxVersion value is at least two minor versions higher than the minVersion value.
				
					For example, in this ImageSetConfiguration file, the minVersion is set to 4.12.28, while the maxVersion for the eus-4.14 channel is 4.14.16.
				
Example ImageSetConfiguration file
					The following ImageSetConfiguration file includes multicluster engine for Kubernetes Operator and all OpenShift Container Platform versions starting at a minimum version of 4.18.0 in the channel.
				
Example ImageSetConfiguration file
7.14. Command reference for oc-mirror
				The following tables describe the oc mirror subcommands and flags:
			
| Subcommand | Description | 
|---|---|
| 
								 | Generate the autocompletion script for the specified shell. | 
| 
								 | Output the contents of an image set. | 
| 
								 | Show help about any subcommand. | 
| 
								 | Output an initial image set configuration template. | 
| 
								 | List available platform and Operator content and their version. | 
| 
								 | Output the oc-mirror version. | 
| Flag | Description | 
|---|---|
| 
								 | Specify the path to an image set configuration file. | 
| 
								 | If any non image-pull related error occurs, continue and attempt to mirror as much as possible. | 
| 
								 | Disable TLS validation for the target registry. | 
| 
								 | Use plain HTTP for the target registry. | 
| 
								 | 
								Print actions without mirroring images. Generates  | 
| 
								 | Specify the path to an image set archive that was generated by an execution of oc-mirror to load into a target registry. | 
| 
								 | Show the help. | 
| 
								 | Ignore past mirrors when downloading images and packing layers. Disables incremental mirroring and might download more data. | 
| 
								 | 
								Generate manifests for  | 
| 
								 | 
								Specify the maximum number of nested paths for destination registries that limit nested paths. The default is  | 
| 
								 | 
								Specify the number of concurrent requests allowed per registry. The default is  | 
| 
								 | 
								Do not push signatures when mirroring local OCI catalogs (with  | 
| 
								 | 
								Provide a registries configuration file to specify an alternative registry location to copy from when mirroring local OCI catalogs (with  | 
| 
								 | Skip removal of artifact directories. | 
| 
								 | Do not replace image tags with digest pins in Operator catalogs. | 
| 
								 | Skip metadata when publishing an image set. Note 
									This is recommended only when the image set was created with the  | 
| 
								 | If an image is not found, skip it instead of reporting an error and aborting execution. Does not apply to custom images explicitly specified in the image set configuration. | 
| 
								 | Disable automatic pruning of images from the target mirror registry. | 
| 
								 | Skip digest verification. | 
| 
								 | Disable TLS validation for the source registry. | 
| 
								 | Use plain HTTP for the source registry. | 
| 
								 | 
								Specify the number for the log level verbosity. Valid values are  | 
Chapter 8. Mirroring images for a disconnected installation by using the oc adm command
			You can ensure your clusters only use container images that satisfy your organizational controls on external content. Before you install a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. By using the oc adm command, you can mirror release and catalog images in OpenShift. To mirror container images, you must have a registry for mirroring.
		
You must have access to the internet to obtain the necessary container images. In this procedure, you place your mirror registry on a mirror host that has access to both your network and the internet. If you do not have access to a mirror host, use the Mirroring Operator catalogs for use with disconnected clusters procedure to copy images to a device you can move across network boundaries with.
8.1. Prerequisites
- You must have a container image registry that supports Docker v2-2 in the location that will host the OpenShift Container Platform cluster, such as one of the following registries: - If you have an entitlement to Red Hat Quay, see the documentation on deploying Red Hat Quay for proof-of-concept purposes or by using the Red Hat Quay Operator. If you need additional assistance selecting and installing a registry, contact your sales representative or Red Hat Support. 
- If you do not already have an existing solution for a container image registry, subscribers of OpenShift Container Platform are provided a mirror registry for Red Hat OpenShift. The mirror registry for Red Hat OpenShift is included with your subscription and is a small-scale container registry that can be used to mirror the required container images of OpenShift Container Platform in disconnected installations.
8.2. About the mirror registry
You can mirror the images that are required for OpenShift Container Platform installation and subsequent product updates to a container mirror registry such as Red Hat Quay, JFrog Artifactory, Sonatype Nexus Repository, or Harbor. If you do not have access to a large-scale container registry, you can use the mirror registry for Red Hat OpenShift, a small-scale container registry included with OpenShift Container Platform subscriptions.
You can use any container registry that supports Docker v2-2, such as Red Hat Quay, the mirror registry for Red Hat OpenShift, Artifactory, Sonatype Nexus Repository, or Harbor. Regardless of your chosen registry, the procedure to mirror content from Red Hat hosted sites on the internet to an isolated image registry is the same. After you mirror the content, you configure each cluster to retrieve this content from your mirror registry.
The OpenShift image registry cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process.
If choosing a container registry that is not the mirror registry for Red Hat OpenShift, it must be reachable by every machine in the clusters that you provision. If the registry is unreachable, installation, updating, or normal operations such as workload relocation might fail. For that reason, you must run mirror registries in a highly available way, and the mirror registries must at least match the production availability of your OpenShift Container Platform clusters.
When you populate your mirror registry with OpenShift Container Platform images, you can follow two scenarios. If you have a host that can access both the internet and your mirror registry, but not your cluster nodes, you can directly mirror the content from that machine. This process is referred to as connected mirroring. If you have no such host, you must mirror the images to a file system and then bring that host or removable media into your restricted environment. This process is referred to as disconnected mirroring.
				For mirrored registries, to view the source of pulled images, you must review the Trying to access log entry in the CRI-O logs. Other methods to view the image pull source, such as using the crictl images command on a node, show the non-mirrored image name, even though the image is pulled from the mirrored location.
			
Red Hat does not test third party registries with OpenShift Container Platform.
Additional information
For information about viewing the CRI-O logs to view the image source, see Viewing the image pull source.
8.3. Preparing your mirror host
Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to the remote location.
8.3.1. Installing the OpenShift CLI
					You can install the OpenShift CLI (oc) to interact with OpenShift Container Platform from a command-line interface. You can install oc on Linux, Windows, or macOS.
				
						If you installed an earlier version of oc, you cannot use it to complete all of the commands in OpenShift Container Platform 4.18. Download and install the new version of oc.
					
8.3.1.1. Installing the OpenShift CLI on Linux
						You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.
					
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the architecture from the Product Variant drop-down list.
- Select the appropriate version from the Version drop-down list.
- Click Download Now next to the OpenShift v4.18 Linux Clients entry and save the file.
- Unpack the archive: - tar xvf <file> - $ tar xvf <file>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Place the - ocbinary in a directory that is on your- PATH.- To check your - PATH, execute the following command:- echo $PATH - $ echo $PATH- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- After you install the OpenShift CLI, it is available using the - occommand:- oc <command> - $ oc <command>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
8.3.1.2. Installing the OpenShift CLI on Windows
						You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.
					
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version from the Version drop-down list.
- Click Download Now next to the OpenShift v4.18 Windows Client entry and save the file.
- Unzip the archive with a ZIP program.
- Move the - ocbinary to a directory that is on your- PATH.- To check your - PATH, open the command prompt and execute the following command:- path - C:\> path- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- After you install the OpenShift CLI, it is available using the - occommand:- oc <command> - C:\> oc <command>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
8.3.1.3. Installing the OpenShift CLI on macOS
						You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.
					
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version from the Version drop-down list.
- Click Download Now next to the OpenShift v4.18 macOS Clients entry and save the file. Note- For macOS arm64, choose the OpenShift v4.18 macOS arm64 Client entry. 
- Unpack and unzip the archive.
- Move the - ocbinary to a directory on your PATH.- To check your - PATH, open a terminal and execute the following command:- echo $PATH - $ echo $PATH- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Verify your installation by using an - occommand:- oc <command> - $ oc <command>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
8.4. Configuring credentials that allow images to be mirrored
Create a container image registry credentials file that enables you to mirror images from Red Hat to your mirror.
Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry.
Prerequisites
- You configured a mirror registry to use in your disconnected environment.
- You identified an image repository location on your mirror registry to mirror images into.
- You provisioned a mirror registry account that allows images to be uploaded to that image repository.
- You have write access to the mirror registry.
Procedure
Complete the following steps on the installation host:
- 
						Download your registry.redhat.iopull secret from Red Hat OpenShift Cluster Manager.
- Make a copy of your pull secret in JSON format by running the following command: - cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json> - $ cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the path to the folder to store the pull secret in and a name for the JSON file that you create.
 - Example pull secret - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Generate the base64-encoded user name and password or token for your mirror registry by running the following command: - echo -n '<user_name>:<password>' | base64 -w0 - $ echo -n '<user_name>:<password>' | base64 -w0- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<user_name>and<password>, specify the user name and password that you configured for your registry.
 - Example output - BGVtbYk3ZHAtqXs= - BGVtbYk3ZHAtqXs=- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit the JSON file and add a section that describes your registry to it: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example modified pull secret - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
8.5. Mirroring the OpenShift Container Platform image repository
Mirror the OpenShift Container Platform image repository to your registry to use during cluster installation or upgrade.
Prerequisites
- Your mirror host has access to the internet.
- You configured a mirror registry to use in your restricted network and can access the certificate and credentials that you configured.
- You downloaded the pull secret from Red Hat OpenShift Cluster Manager and modified it to include authentication to your mirror repository.
- If you use self-signed certificates, you have specified a Subject Alternative Name in the certificates.
Procedure
Complete the following steps on the mirror host:
- Review the OpenShift Container Platform downloads page to determine the version of OpenShift Container Platform that you want to install and determine the corresponding tag on the Repository Tags page.
- Set the required environment variables: - Export the release version: - OCP_RELEASE=<release_version> - $ OCP_RELEASE=<release_version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For - <release_version>, specify the tag that corresponds to the version of OpenShift Container Platform to install, such as- 4.5.4.
- Export the local registry name and host port: - LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>' - $ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For - <local_registry_host_name>, specify the registry domain name for your mirror repository, and for- <local_registry_host_port>, specify the port that it serves content on.
- Export the local repository name: - LOCAL_REPOSITORY='<local_repository_name>' - $ LOCAL_REPOSITORY='<local_repository_name>'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For - <local_repository_name>, specify the name of the repository to create in your registry, such as- ocp4/openshift4.
- Export the name of the repository to mirror: - PRODUCT_REPO='openshift-release-dev' - $ PRODUCT_REPO='openshift-release-dev'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For a production release, you must specify - openshift-release-dev.
- Export the path to your registry pull secret: - LOCAL_SECRET_JSON='<path_to_pull_secret>' - $ LOCAL_SECRET_JSON='<path_to_pull_secret>'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For - <path_to_pull_secret>, specify the absolute path to and file name of the pull secret for your mirror registry that you created.
- Export the release mirror: - RELEASE_NAME="ocp-release" - $ RELEASE_NAME="ocp-release"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For a production release, you must specify - ocp-release.
- Export the type of architecture for your cluster: - ARCHITECTURE=<cluster_architecture> - $ ARCHITECTURE=<cluster_architecture>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the architecture of the cluster, such asx86_64,aarch64,s390x, orppc64le.
 
- Export the path to the directory to host the mirrored images: - REMOVABLE_MEDIA_PATH=<path> - $ REMOVABLE_MEDIA_PATH=<path>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the full path, including the initial forward slash (/) character.
 
 
- Mirror the version images to the mirror registry: - If your mirror host does not have internet access, take the following actions: - Connect the removable media to a system that is connected to the internet.
- Review the images and configuration manifests to mirror: - oc adm release mirror -a ${LOCAL_SECRET_JSON} \ --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \ --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \ --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run- $ oc adm release mirror -a ${LOCAL_SECRET_JSON} \ --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \ --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \ --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
										Record the entire imageContentSourcessection from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add theimageContentSourcessection to theinstall-config.yamlfile during installation.
- Mirror the images to a directory on the removable media: - oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}- $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Take the media to the restricted network environment and upload the images to the local container registry. - oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}- $ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- ForREMOVABLE_MEDIA_PATH, you must use the same path that you specified when you mirrored the images.
 Important- Running - oc image mirrormight result in the following error:- error: unable to retrieve source image. This error occurs when image indexes include references to images that no longer exist on the image registry. Image indexes might retain older references to allow users running those images an upgrade path to newer points on the upgrade graph. As a temporary workaround, you can use the- --skip-missingoption to bypass the error and continue downloading the image index. For more information, see Service Mesh Operator mirroring failed.
 
- If the local container registry is connected to the mirror host, take the following actions: - Directly push the release images to the local registry by using following command: - oc adm release mirror -a ${LOCAL_SECRET_JSON} \ --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \ --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \ --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}- $ oc adm release mirror -a ${LOCAL_SECRET_JSON} \ --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \ --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \ --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - This command pulls the release information as a digest, and its output includes the - imageContentSourcesdata that you require when you install your cluster.
- Record the entire - imageContentSourcessection from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add the- imageContentSourcessection to the- install-config.yamlfile during installation.Note- The image name gets patched to Quay.io during the mirroring process, and the podman images will show Quay.io in the registry on the bootstrap virtual machine. 
 
 
- To create the installation program that is based on the content that you mirrored, extract it and pin it to the release: - If your mirror host does not have internet access, run the following command: - oc adm release extract -a ${LOCAL_SECRET_JSON} --icsp-file=<file> --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}" \ --insecure=true- $ oc adm release extract -a ${LOCAL_SECRET_JSON} --icsp-file=<file> --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}" \ --insecure=true- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Optional: If you do not want to configure trust for the target registry, add the--insecure=trueflag.
 
- If the local container registry is connected to the mirror host, run the following command: - oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}"- $ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- To ensure that you use the correct images for the version of OpenShift Container Platform that you selected, you must extract the installation program from the mirrored content. - You must perform this step on a machine with an active internet connection. 
 
- For clusters using installer-provisioned infrastructure, run the following command: - openshift-install - $ openshift-install- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
8.6. The Cluster Samples Operator in a disconnected environment
In a disconnected environment, you must take additional steps after you install a cluster to configure the Cluster Samples Operator. Review the following information in preparation.
8.6.1. Cluster Samples Operator assistance for mirroring
					During installation, OpenShift Container Platform creates a config map named imagestreamtag-to-image in the openshift-cluster-samples-operator namespace. The imagestreamtag-to-image config map contains an entry, the populating image, for each image stream tag.
				
					The format of the key for each entry in the data field in the config map is <image_stream_name>_<image_stream_tag_name>.
				
					During a disconnected installation of OpenShift Container Platform, the status of the Cluster Samples Operator is set to Removed. If you choose to change it to Managed, it installs samples.
				
The use of samples in a network-restricted or discontinued environment may require access to services external to your network. Some example services include: Github, Maven Central, npm, RubyGems, PyPi and others. There might be additional steps to take that allow the cluster samples operators’s objects to reach the services they require.
You can use this config map as a reference for which images need to be mirrored for your image streams to import.
- 
							While the Cluster Samples Operator is set to Removed, you can create your mirrored registry, or determine which existing mirrored registry you want to use.
- Mirror the samples you want to the mirrored registry using the new config map as your guide.
- 
							Add any of the image streams you did not mirror to the skippedImagestreamslist of the Cluster Samples Operator configuration object.
- 
							Set samplesRegistryof the Cluster Samples Operator configuration object to the mirrored registry.
- 
							Then set the Cluster Samples Operator to Managedto install the image streams you have mirrored.
8.7. Mirroring Operator catalogs for use with disconnected clusters
				You can mirror the Operator contents of a Red Hat-provided catalog, or a custom catalog, into a container image registry using the oc adm catalog mirror command. The target registry must support Docker v2-2. For a cluster on a restricted network, this registry can be one that the cluster has network access to, such as a mirror registry created during a restricted network cluster installation.
			
- The OpenShift image registry cannot be used as the target registry because it does not support pushing without a tag, which is required during the mirroring process.
- 
							Running oc adm catalog mirrormight result in the following error:error: unable to retrieve source image. This error occurs when image indexes include references to images that no longer exist on the image registry. Image indexes might retain older references to allow users running those images an upgrade path to newer points on the upgrade graph. As a temporary workaround, you can use the--skip-missingoption to bypass the error and continue downloading the image index. For more information, see Service Mesh Operator mirroring failed.
				The oc adm catalog mirror command also automatically mirrors the index image that is specified during the mirroring process, whether it be a Red Hat-provided index image or your own custom-built index image, to the target registry. You can then use the mirrored index image to create a catalog source that allows Operator Lifecycle Manager (OLM) to load the mirrored catalog onto your OpenShift Container Platform cluster.
			
8.7.1. Prerequisites
Mirroring Operator catalogs for use with disconnected clusters has the following prerequisites:
- Workstation with unrestricted network access.
- 
							podmanversion 1.9.3 or later.
- If you want to filter, or prune, an existing catalog and selectively mirror only a subset of Operators, see the following sections: 
- If you want to mirror a Red Hat-provided catalog, run the following command on your workstation with unrestricted network access to authenticate with - registry.redhat.io:- podman login registry.redhat.io - $ podman login registry.redhat.io- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Access to a mirror registry that supports Docker v2-2.
- 
							On your mirror registry, decide which repository, or namespace, to use for storing mirrored Operator content. For example, you might create an olm-mirrorrepository.
- If your mirror registry does not have internet access, connect removable media to your workstation with unrestricted network access.
- If you are working with private registries, including - registry.redhat.io, set the- REG_CREDSenvironment variable to the file path of your registry credentials for use in later steps. For example, for the- podmanCLI:- REG_CREDS=${XDG_RUNTIME_DIR}/containers/auth.json- $ REG_CREDS=${XDG_RUNTIME_DIR}/containers/auth.json- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
8.7.2. Extracting and mirroring catalog contents
					The oc adm catalog mirror command extracts the contents of an index image to generate the manifests required for mirroring. The default behavior of the command generates manifests, then automatically mirrors all of the image content from the index image, as well as the index image itself, to your mirror registry.
				
Alternatively, if your mirror registry is on a completely disconnected, or airgapped, host, you can first mirror the content to removable media, move the media to the disconnected environment, then mirror the content from the media to the registry.
8.7.2.1. Mirroring catalog contents to registries on the same network
If your mirror registry is co-located on the same network as your workstation with unrestricted network access, take the following actions on your workstation.
Procedure
- If your mirror registry requires authentication, run the following command to log in to the registry: - podman login <mirror_registry> - $ podman login <mirror_registry>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Run the following command to extract and mirror the content to the mirror registry: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the index image for the catalog that you want to mirror.
- 2
- Specify the fully qualified domain name (FQDN) for the target registry to mirror the Operator contents to. The mirror registry<repository>can be any existing repository, or namespace, on the registry, for exampleolm-mirroras outlined in the prerequisites. If there is an existing repository found during mirroring, the repository name is added to the resulting image name. If you do not want the image name to include the repository name, omit the<repository>value from this line, for example<mirror_registry>:<port>.
- 3
- Optional: If required, specify the location of your registry credentials file.{REG_CREDS}is required forregistry.redhat.io.
- 4
- Optional: If you do not want to configure trust for the target registry, add the--insecureflag.
- 5
- Optional: Specify which platform and architecture of the index image to select when multiple variants are available. Images are passed as'<platform>/<arch>[/<variant>]'. This does not apply to images referenced by the index. Valid values arelinux/amd64,linux/ppc64le,linux/s390x,linux/arm64.
- 6
- Optional: Generate only the manifests required for mirroring without actually mirroring the image content to a registry. This option can be useful for reviewing what will be mirrored, and lets you make any changes to the mapping list, if you require only a subset of packages. You can then use themapping.txtfile with theoc image mirrorcommand to mirror the modified list of images in a later step. This flag is intended for only advanced selective mirroring of content from the catalog.
 - Example output - src image has index label for database path: /database/index.db using database path mapping: /database/index.db:/tmp/153048078 wrote database to /tmp/153048078 ... wrote mirroring manifests to manifests-redhat-operator-index-1614211642 - src image has index label for database path: /database/index.db using database path mapping: /database/index.db:/tmp/153048078 wrote database to /tmp/153048078- 1 - ... wrote mirroring manifests to manifests-redhat-operator-index-1614211642- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Directory for the temporaryindex.dbdatabase generated by the command.
- 2
- Record the manifests directory name that is generated. This directory is referenced in subsequent procedures.NoteRed Hat Quay does not support nested repositories. As a result, running the oc adm catalog mirrorcommand will fail with a401unauthorized error. As a workaround, you can use the--max-components=2option when running theoc adm catalog mirrorcommand to disable the creation of nested repositories. For more information on this workaround, see the Unauthorized error thrown while using catalog mirror command with Quay registry Knowledgebase Solution.
 
8.7.2.2. Mirroring catalog contents to airgapped registries
If your mirror registry is on a completely disconnected, or airgapped, host, take the following actions.
Procedure
- Run the following command on your workstation with unrestricted network access to mirror the content to local files: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the index image for the catalog that you want to mirror.
- 2
- Specify the content to mirror to local files in your current directory.
- 3
- Optional: If required, specify the location of your registry credentials file.
- 4
- Optional: If you do not want to configure trust for the target registry, add the--insecureflag.
- 5
- Optional: Specify which platform and architecture of the index image to select when multiple variants are available. Images are specified as'<platform>/<arch>[/<variant>]'. This does not apply to images referenced by the index. Valid values arelinux/amd64,linux/ppc64le,linux/s390x,linux/arm64, and.*
 - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - This command creates a - v2/directory in your current directory.
- 
								Copy the v2/directory to removable media.
- Physically remove the media and attach it to a host in the disconnected environment that has access to the mirror registry.
- If your mirror registry requires authentication, run the following command on your host in the disconnected environment to log in to the registry: - podman login <mirror_registry> - $ podman login <mirror_registry>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Run the following command from the parent directory containing the - v2/directory to upload the images from local files to the mirror registry:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify thefile://path from the previous command output.
- 2
- Specify the fully qualified domain name (FQDN) for the target registry to mirror the Operator contents to. The mirror registry<repository>can be any existing repository, or namespace, on the registry, for exampleolm-mirroras outlined in the prerequisites. If there is an existing repository found during mirroring, the repository name is added to the resulting image name. If you do not want the image name to include the repository name, omit the<repository>value from this line, for example<mirror_registry>:<port>.
- 3
- Optional: If required, specify the location of your registry credentials file.
- 4
- Optional: If you do not want to configure trust for the target registry, add the--insecureflag.
- 5
- Optional: Specify which platform and architecture of the index image to select when multiple variants are available. Images are specified as'<platform>/<arch>[/<variant>]'. This does not apply to images referenced by the index. Valid values arelinux/amd64,linux/ppc64le,linux/s390x,linux/arm64, and.*
 Note- Red Hat Quay does not support nested repositories. As a result, running the - oc adm catalog mirrorcommand will fail with a- 401unauthorized error. As a workaround, you can use the- --max-components=2option when running the- oc adm catalog mirrorcommand to disable the creation of nested repositories. For more information on this workaround, see the Unauthorized error thrown while using catalog mirror command with Quay registry Knowledgebase Solution.
- Run the - oc adm catalog mirrorcommand again. Use the newly mirrored index image as the source and the same mirror registry target used in the previous step:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--manifests-onlyflag is required for this step so that the command does not copy all of the mirrored content again.
 Important- This step is required because the image mappings in the - imageContentSourcePolicy.yamlfile generated during the previous step must be updated from local paths to valid mirror locations. Failure to do so will cause errors when you create the- ImageContentSourcePolicyobject in a later step.
						After you mirror the catalog, you can continue with the remainder of your cluster installation. After your cluster installation has finished successfully, you must specify the manifests directory from this procedure to create the ImageContentSourcePolicy and CatalogSource objects. These objects are required to enable installation of Operators from OperatorHub.
					
8.7.3. Generated manifests
After mirroring Operator catalog content to your mirror registry, a manifests directory is generated in your current directory.
If you mirrored content to a registry on the same network, the directory name takes the following pattern:
manifests-<index_image_name>-<random_number>
manifests-<index_image_name>-<random_number>If you mirrored content to a registry on a disconnected host in the previous section, the directory name takes the following pattern:
manifests-index/<repository>/<index_image_name>-<random_number>
manifests-index/<repository>/<index_image_name>-<random_number>The manifests directory name is referenced in subsequent procedures.
The manifests directory contains the following files, some of which might require further modification:
- The - catalogSource.yamlfile is a basic definition for a- CatalogSourceobject that is pre-populated with your index image tag and other relevant metadata. This file can be used as is or modified to add the catalog source to your cluster.Important- If you mirrored the content to local files, you must modify your - catalogSource.yamlfile to remove any backslash (- /) characters from the- metadata.namefield. Otherwise, when you attempt to create the object, it fails with an "invalid resource name" error.
- The - imageContentSourcePolicy.yamlfile defines an- ImageContentSourcePolicyobject that can configure nodes to translate between the image references stored in Operator manifests and the mirrored registry.Note- If your cluster uses an - ImageContentSourcePolicyobject to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.
- The - mapping.txtfile contains all of the source images and where to map them in the target registry. This file is compatible with the- oc image mirrorcommand and can be used to further customize the mirroring configuration.Important- If you used the - --manifests-onlyflag during the mirroring process and want to further trim the subset of packages to mirror, see the steps in the Mirroring a package manifest format catalog image procedure of the OpenShift Container Platform 4.7 documentation about modifying your- mapping.txtfile and using the file with the- oc image mirrorcommand.
8.7.4. Postinstallation requirements
					After you mirror the catalog, you can continue with the remainder of your cluster installation. After your cluster installation has finished successfully, you must specify the manifests directory from this procedure to create the ImageContentSourcePolicy and CatalogSource objects. These objects are required to populate and enable installation of Operators from OperatorHub.
				
8.8. Next steps
- Install a cluster on infrastructure that you provision in your restricted network, such as on VMware vSphere, bare metal, or Amazon Web Services.
Chapter 9. Installing a cluster in a disconnected environment
You can install an OpenShift Container Platform cluster in a disconnected environment, choosing the installation method and infrastructure that best suits your requirements. This includes installing OpenShift Container Platform on either on-premise hardware or on a cloud hosting service such as Amazon Web Services (AWS).
The following sections outline all of the supported methods for installing a cluster in a disconnected environment.
In order to learn about other requirements for installing a cluster using a particular method, be sure to review other content in the procedure’s respective section of the documentation.
For example, if you plan to install a cluster on AWS with installer-provisioned infrastructure, see Configuring an AWS account and Preparing to install a cluster on AWS
9.1. Installing a cluster with the Agent-based Installer
To learn more about installing a cluster in a disconnected environment with the Agent-based installer, see the following pages:
9.2. Installing a cluster on Amazon Web Services
To learn more about installing a cluster on Amazon Web Services (AWS) in a disconnected environment, see the following procedures:
- Installer-provisioned infrastructure: Installing a cluster on AWS in a restricted network
- User-provisioned infrastructure: Installing a cluster on AWS in a restricted network with user-provisioned infrastructure
9.3. Installing a cluster on Microsoft Azure
To learn more about installing a cluster on Microsoft Azure in a disconnected environment, see the following procedures:
- Installer-provisioned infrastructure: Installing a cluster on Azure in a restricted network
- User-provisioned infrastructure: Installing a cluster on Azure in a restricted network with user-provisioned infrastructure
9.4. Installing a cluster on Google Cloud
To learn more about installing a cluster on Google Cloud in a disconnected environment, see the following procedures:
- Installer-provisioned infrastructure: Installing a cluster on Google Cloud in a restricted network
- User-provisioned infrastructure: Installing a cluster on Google Cloud in a restricted network with user-provisioned infrastructure
9.5. Installing a cluster on IBM Cloud
To learn more about installing a cluster on IBM Cloud® in a disconnected environment, see the following procedure:
9.6. Installing a cluster on Nutanix
To learn more about installing a cluster on Nutanix in a disconnected environment, see the following procedure:
9.7. Installing a bare-metal cluster
To learn more about installing a bare-metal cluster in a disconnected environment, see the following procedure:
9.8. Installing a cluster on IBM Z(R) or IBM(R) LinuxONE
To learn more about installing a cluster on IBM Z® or IBM® LinuxONE in a disconnected environment, see the following procedures:
9.9. Installing a cluster on IBM Power
To learn more about installing a cluster on IBM Power in a disconnected environment, see the following procedure:
9.10. Installing a cluster on OpenStack
To learn more about installing a cluster on Red Hat OpenStack Platform (RHOSP) in a disconnected environment, see the following procedure:
9.11. Installing a cluster on vSphere
To learn more about installing a cluster on VMware vSphere in a disconnected environment, see the following procedures:
- Installer-provisioned infrastructure: Installing a cluster on vSphere in a restricted network
- User-provisioned infrastructure: Installing a cluster on vSphere in a restricted network with user-provisioned infrastructure
Chapter 10. Using Operator Lifecycle Manager in disconnected environments
For OpenShift Container Platform clusters in disconnected environments, Operator Lifecycle Manager (OLM) by default cannot access the Red Hat-provided OperatorHub sources hosted on remote registries because those remote sources require full internet connectivity.
However, as a cluster administrator you can still enable your cluster to use OLM in a disconnected environment if you have a workstation that has full internet access. The workstation, which requires full internet access to pull the remote OperatorHub content, is used to prepare local mirrors of the remote sources, and push the content to a mirror registry.
The mirror registry can be located on a bastion host, which requires connectivity to both your workstation and the disconnected cluster, or a completely disconnected, or airgapped, host, which requires removable media to physically move the mirrored content to the disconnected environment.
This guide describes the following process that is required to enable OLM in disconnected environments:
- Disable the default remote OperatorHub sources for OLM.
- Use a workstation with full internet access to create and push local mirrors of the OperatorHub content to a mirror registry.
- Configure OLM to install and manage Operators from local sources on the mirror registry instead of the default remote sources.
After enabling OLM in a disconnected environment, you can continue to use your unrestricted workstation to keep your local OperatorHub sources updated as newer versions of Operators are released.
While OLM can manage Operators from local sources, the ability for a given Operator to run successfully in a disconnected environment still depends on the Operator itself meeting the following criteria:
- 
						List any related images, or other container images that the Operator might require to perform their functions, in the relatedImagesparameter of itsClusterServiceVersion(CSV) object.
- Reference all specified images by a digest (SHA) and not by a tag.
You can search software on the Red Hat Ecosystem Catalog for a list of Red Hat Operators that support running in disconnected mode by filtering with the following selections:
| Type | Containerized application | 
| Deployment method | Operator | 
| Infrastructure features | Disconnected | 
10.1. Prerequisites
- 
						You are logged in to your OpenShift Container Platform cluster as a user with cluster-adminprivileges.
- If you are using OLM in a disconnected environment on IBM Z®, you must have at least 12 GB allocated to the directory where you place your registry.
10.2. Disabling the default OperatorHub catalog sources
Operator catalogs that source content provided by Red Hat and community projects are configured for OperatorHub by default during an OpenShift Container Platform installation. In a restricted network environment, you must disable the default catalogs as a cluster administrator. You can then configure OperatorHub to use local catalog sources.
Procedure
- Disable the sources for the default catalogs by adding - disableAllDefaultSources: trueto the- OperatorHubobject:- oc patch OperatorHub cluster --type json \ -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'- $ oc patch OperatorHub cluster --type json \ -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Alternatively, you can use the web console to manage catalog sources. From the Administration → Cluster Settings → Configuration → OperatorHub page, click the Sources tab, where you can create, update, delete, disable, and enable individual sources.
10.3. Mirroring an Operator catalog
For instructions about mirroring Operator catalogs for use with disconnected clusters, see Mirroring Operator catalogs for use with disconnected clusters.
As of OpenShift Container Platform 4.11, the default Red Hat-provided Operator catalog releases in the file-based catalog format. The default Red Hat-provided Operator catalogs for OpenShift Container Platform 4.6 through 4.10 released in the deprecated SQLite database format.
					The opm subcommands, flags, and functionality related to the SQLite database format are also deprecated and will be removed in a future release. The features are still supported and must be used for catalogs that use the deprecated SQLite database format.
				
					Many of the opm subcommands and flags for working with the SQLite database format, such as opm index prune, do not work with the file-based catalog format. For more information about working with file-based catalogs, see Operator Framework packaging format, Managing custom catalogs, and Mirroring images for a disconnected installation by using the oc-mirror plugin v2.
				
10.4. Adding a catalog source to a cluster
				Adding a catalog source to an OpenShift Container Platform cluster enables the discovery and installation of Operators for users. Cluster administrators can create a CatalogSource object that references an index image. OperatorHub uses catalog sources to populate the user interface.
			
Alternatively, you can use the web console to manage catalog sources. From the Administration → Cluster Settings → Configuration → OperatorHub page, click the Sources tab, where you can create, update, delete, disable, and enable individual sources.
Prerequisites
- You built and pushed an index image to a registry.
- 
						You have access to the cluster as a user with the cluster-adminrole.
Procedure
- Create a - CatalogSourceobject that references your index image. If you used the- oc adm catalog mirrorcommand to mirror your catalog to a target registry, you can use the generated- catalogSource.yamlfile in your manifests directory as a starting point.- Modify the following to your specifications and save it as a - catalogSource.yamlfile:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- If you mirrored content to local files before uploading to a registry, remove any backslash (/) characters from themetadata.namefield to avoid an "invalid resource name" error when you create the object.
- 2
- If you want the catalog source to be available globally to users in all namespaces, specify theopenshift-marketplacenamespace. Otherwise, you can specify a different namespace for the catalog to be scoped and available only for that namespace.
- 3
- Specify the value oflegacyorrestricted. If the field is not set, the default value islegacy. In a future OpenShift Container Platform release, it is planned that the default value will berestricted. If your catalog cannot run withrestrictedpermissions, it is recommended that you manually set this field tolegacy.
- 4
- Specify your index image. If you specify a tag after the image name, for example:v4.18, the catalog source pod uses an image pull policy ofAlways, meaning the pod always pulls the image prior to starting the container. If you specify a digest, for example@sha256:<id>, the image pull policy isIfNotPresent, meaning the pod pulls the image only if it does not already exist on the node.
- 5
- Specify your name or an organization name publishing the catalog.
- 6
- Catalog sources can automatically check for new versions to keep up to date.
 
- Use the file to create the - CatalogSourceobject:- oc apply -f catalogSource.yaml - $ oc apply -f catalogSource.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Verify the following resources are created successfully. - Check the pods: - oc get pods -n openshift-marketplace - $ oc get pods -n openshift-marketplace- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME READY STATUS RESTARTS AGE my-operator-catalog-6njx6 1/1 Running 0 28s marketplace-operator-d9f549946-96sgr 1/1 Running 0 26h - NAME READY STATUS RESTARTS AGE my-operator-catalog-6njx6 1/1 Running 0 28s marketplace-operator-d9f549946-96sgr 1/1 Running 0 26h- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the catalog source: - oc get catalogsource -n openshift-marketplace - $ oc get catalogsource -n openshift-marketplace- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME DISPLAY TYPE PUBLISHER AGE my-operator-catalog My Operator Catalog grpc 5s - NAME DISPLAY TYPE PUBLISHER AGE my-operator-catalog My Operator Catalog grpc 5s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the package manifest: - oc get packagemanifest -n openshift-marketplace - $ oc get packagemanifest -n openshift-marketplace- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME CATALOG AGE jaeger-product My Operator Catalog 93s - NAME CATALOG AGE jaeger-product My Operator Catalog 93s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
You can now install the Operators from the OperatorHub page on your OpenShift Container Platform web console.
10.5. Next steps
Chapter 11. Updating a cluster in a disconnected environment
11.1. About cluster updates in a disconnected environment
A disconnected environment is one in which your cluster nodes cannot access the internet or where you want to manage update recommendations and release images locally for policy or performance purposes. This section covers mirroring OpenShift Container Platform images, managing an OpenShift Update Service, and performing cluster updates in a disconnected environment.
11.1.1. Mirroring OpenShift Container Platform images
To update your cluster in a disconnected environment, your cluster environment must have access to a mirror registry that has the necessary images and resources for your targeted update. A single container image registry is sufficient to host mirrored images for several clusters in the disconnected network. The following page has instructions for mirroring images onto a repository in your disconnected cluster:
11.1.2. Performing a cluster update in a disconnected environment
You can use one of the following procedures to update a disconnected OpenShift Container Platform cluster:
11.1.3. Uninstalling the OpenShift Update Service from a cluster
You can use the following procedure to uninstall a local copy of the OpenShift Update Service (OSUS) from your cluster:
11.2. Mirroring OpenShift Container Platform images
You must mirror container images onto a mirror registry before you can update a cluster in a disconnected environment. You can also use this procedure in connected environments to ensure your clusters run only approved container images that have satisfied your organizational controls for external content.
Your mirror registry must be running at all times while the cluster is running.
The following steps outline the high-level workflow on how to mirror images to a mirror registry:
- 
						Install the OpenShift CLI (oc) on all devices being used to retrieve and push release images.
- Download the registry pull secret and add it to your cluster.
- If you use the oc-mirror OpenShift CLI ( - oc) plugin:- Install the oc-mirror plugin on all devices being used to retrieve and push release images.
- Create an image set configuration file for the plugin to use when determining which release images to mirror. You can edit this configuration file later to change which release images that the plugin mirrors.
- Mirror your targeted release images directly to a mirror registry, or to removable media and then to a mirror registry.
- Configure your cluster to use the resources generated by the oc-mirror plugin.
- Repeat these steps as needed to update your mirror registry.
 
- If you use the - oc adm release mirrorcommand:- Set environment variables that correspond to your environment and the release images you want to mirror.
- Mirror your targeted release images directly to a mirror registry, or to removable media and then to a mirror registry.
- Repeat these steps as needed to update your mirror registry.
 
				Compared to using the oc adm release mirror command, the oc-mirror plugin has the following advantages:
			
- It can mirror content other than container images.
- After mirroring images for the first time, it is easier to update images in the registry.
- The oc-mirror plugin provides an automated way to mirror the release payload from Quay, and also builds the latest graph data image for the OpenShift Update Service running in the disconnected environment.
11.2.1. Mirroring resources using the oc-mirror plugin
					You can use the oc-mirror OpenShift CLI (oc) plugin to mirror images to a mirror registry in your fully or partially disconnected environments. You must run oc-mirror from a system with internet connectivity to download the required images from the official Red Hat registries.
				
See Mirroring images for a disconnected installation by using the oc-mirror plugin v2 for additional details.
11.2.2. Mirroring images using the oc adm release mirror command
					You can use the oc adm release mirror command to mirror images to your mirror registry.
				
11.2.2.1. Prerequisites
- You must have a container image registry that supports Docker v2-2 in the location that will host the OpenShift Container Platform cluster, such as Red Hat Quay. Note- If you use Red Hat Quay, you must use version 3.6 or later with the oc-mirror plugin. If you have an entitlement to Red Hat Quay, see the documentation on deploying Red Hat Quay for proof-of-concept purposes or by using the Quay Operator. If you need additional assistance selecting and installing a registry, contact your sales representative or Red Hat Support. - If you do not have an existing solution for a container image registry, the mirror registry for Red Hat OpenShift is included in OpenShift Container Platform subscriptions. The mirror registry for Red Hat OpenShift is a small-scale container registry that you can use to mirror OpenShift Container Platform container images in disconnected installations and updates. 
11.2.2.2. Preparing your mirror host
Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to the remote location.
11.2.2.2.1. Installing the OpenShift CLI
							You can install the OpenShift CLI (oc) to interact with OpenShift Container Platform from a command-line interface. You can install oc on Linux, Windows, or macOS.
						
								If you installed an earlier version of oc, you cannot use it to complete all of the commands in OpenShift Container Platform 4.18. Download and install the new version of oc. If you are updating a cluster in a disconnected environment, install the oc version that you plan to update to.
							
11.2.2.2.1.1. Installing the OpenShift CLI on Linux
								You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.
							
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the architecture from the Product Variant drop-down list.
- Select the appropriate version from the Version drop-down list.
- Click Download Now next to the OpenShift v4.18 Linux Clients entry and save the file.
- Unpack the archive: - tar xvf <file> - $ tar xvf <file>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Place the - ocbinary in a directory that is on your- PATH.- To check your - PATH, execute the following command:- echo $PATH - $ echo $PATH- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- After you install the OpenShift CLI, it is available using the - occommand:- oc <command> - $ oc <command>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
11.2.2.2.1.2. Installing the OpenShift CLI on Windows
								You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.
							
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version from the Version drop-down list.
- Click Download Now next to the OpenShift v4.18 Windows Client entry and save the file.
- Unzip the archive with a ZIP program.
- Move the - ocbinary to a directory that is on your- PATH.- To check your - PATH, open the command prompt and execute the following command:- path - C:\> path- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- After you install the OpenShift CLI, it is available using the - occommand:- oc <command> - C:\> oc <command>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
11.2.2.2.1.3. Installing the OpenShift CLI on macOS
								You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.
							
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version from the Version drop-down list.
- Click Download Now next to the OpenShift v4.18 macOS Clients entry and save the file. Note- For macOS arm64, choose the OpenShift v4.18 macOS arm64 Client entry. 
- Unpack and unzip the archive.
- Move the - ocbinary to a directory on your PATH.- To check your - PATH, open a terminal and execute the following command:- echo $PATH - $ echo $PATH- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Verify your installation by using an - occommand:- oc <command> - $ oc <command>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
11.2.2.2.2. Configuring credentials that allow images to be mirrored
Create a container image registry credentials file that enables you to mirror images from Red Hat to your mirror.
Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry.
Prerequisites
- You configured a mirror registry to use in your disconnected environment.
- You identified an image repository location on your mirror registry to mirror images into.
- You provisioned a mirror registry account that allows images to be uploaded to that image repository.
- You have write access to the mirror registry.
Procedure
Complete the following steps on the installation host:
- 
									Download your registry.redhat.iopull secret from Red Hat OpenShift Cluster Manager.
- Make a copy of your pull secret in JSON format by running the following command: - cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json> - $ cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the path to the folder to store the pull secret in and a name for the JSON file that you create.
 - Example pull secret - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: If using the oc-mirror plugin, save the file as either - ~/.docker/config.jsonor- $XDG_RUNTIME_DIR/containers/auth.json:- If the - .dockeror- $XDG_RUNTIME_DIR/containersdirectories do not exist, create one by entering the following command:- mkdir -p <directory_name> - $ mkdir -p <directory_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Where - <directory_name>is either- ~/.dockeror- $XDG_RUNTIME_DIR/containers.
- Copy the pull secret to the appropriate directory by entering the following command: - cp <path>/<pull_secret_file_in_json> <directory_name>/<auth_file> - $ cp <path>/<pull_secret_file_in_json> <directory_name>/<auth_file>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Where - <directory_name>is either- ~/.dockeror- $XDG_RUNTIME_DIR/containers, and- <auth_file>is either- config.jsonor- auth.json.
 
- Generate the base64-encoded user name and password or token for your mirror registry by running the following command: - echo -n '<user_name>:<password>' | base64 -w0 - $ echo -n '<user_name>:<password>' | base64 -w0- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<user_name>and<password>, specify the user name and password that you configured for your registry.
 - Example output - BGVtbYk3ZHAtqXs= - BGVtbYk3ZHAtqXs=- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit the JSON file and add a section that describes your registry to it: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example modified pull secret - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
11.2.2.3. Mirroring images to a mirror registry
To avoid excessive memory usage by the OpenShift Update Service application, you must mirror release images to a separate repository as described in the following procedure.
Prerequisites
- You configured a mirror registry to use in your disconnected environment and can access the certificate and credentials that you configured.
- You downloaded the pull secret from Red Hat OpenShift Cluster Manager and modified it to include authentication to your mirror repository.
- If you use self-signed certificates, you have specified a Subject Alternative Name in the certificates.
Procedure
- Use the Red Hat OpenShift Container Platform Update Graph visualizer and update planner to plan an update from one version to another. The OpenShift Update Graph provides channel graphs and a way to confirm that there is an update path between your current and intended cluster versions.
- Set the required environment variables: - Export the release version: - export OCP_RELEASE=<release_version> - $ export OCP_RELEASE=<release_version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For - <release_version>, specify the tag that corresponds to the version of OpenShift Container Platform to which you want to update, such as- 4.5.4.
- Export the local registry name and host port: - LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>' - $ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For - <local_registry_host_name>, specify the registry domain name for your mirror repository, and for- <local_registry_host_port>, specify the port that it serves content on.
- Export the local repository name: - LOCAL_REPOSITORY='<local_repository_name>' - $ LOCAL_REPOSITORY='<local_repository_name>'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For - <local_repository_name>, specify the name of the repository to create in your registry, such as- ocp4/openshift4.
- If you are using the OpenShift Update Service, export an additional local repository name to contain the release images: - LOCAL_RELEASE_IMAGES_REPOSITORY='<local_release_images_repository_name>' - $ LOCAL_RELEASE_IMAGES_REPOSITORY='<local_release_images_repository_name>'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For - <local_release_images_repository_name>, specify the name of the repository to create in your registry, such as- ocp4/openshift4-release-images.
- Export the name of the repository to mirror: - PRODUCT_REPO='openshift-release-dev' - $ PRODUCT_REPO='openshift-release-dev'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For a production release, you must specify - openshift-release-dev.
- Export the path to your registry pull secret: - LOCAL_SECRET_JSON='<path_to_pull_secret>' - $ LOCAL_SECRET_JSON='<path_to_pull_secret>'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For - <path_to_pull_secret>, specify the absolute path to and file name of the pull secret for your mirror registry that you created.Note- If your cluster uses an - ImageContentSourcePolicyobject to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.
- Export the release mirror: - RELEASE_NAME="ocp-release" - $ RELEASE_NAME="ocp-release"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For a production release, you must specify - ocp-release.
- Export the type of architecture for your cluster: - ARCHITECTURE=<cluster_architecture> - $ ARCHITECTURE=<cluster_architecture>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the architecture of the cluster, such asx86_64,aarch64,s390x, orppc64le.
 
- Export the path to the directory to host the mirrored images: - REMOVABLE_MEDIA_PATH=<path> - $ REMOVABLE_MEDIA_PATH=<path>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the full path, including the initial forward slash (/) character.
 
 
- Review the images and configuration manifests to mirror: - oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run- $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Mirror the version images to the mirror registry. - If your mirror host does not have internet access, take the following actions: - Connect the removable media to a system that is connected to the internet.
- Mirror the images and configuration manifests to a directory on the removable media: - oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}- $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- This command also generates and saves the mirrored release image signature config map onto the removable media. 
- Take the media to the disconnected environment and upload the images to the local container registry. - oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}- $ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- ForREMOVABLE_MEDIA_PATH, you must use the same path that you specified when you mirrored the images.
 
- 
												Use occommand-line interface (CLI) to log in to the cluster that you are updating.
- Apply the mirrored release image signature config map to the connected cluster: - oc apply -f ${REMOVABLE_MEDIA_PATH}/mirror/config/<image_signature_file>- $ oc apply -f ${REMOVABLE_MEDIA_PATH}/mirror/config/<image_signature_file>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<image_signature_file>, specify the path and name of the file, for example,signature-sha256-81154f5c03294534.yaml.
 
- If you are using the OpenShift Update Service, mirror the release image to a separate repository: - oc image mirror -a ${LOCAL_SECRET_JSON} ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} ${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}- $ oc image mirror -a ${LOCAL_SECRET_JSON} ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} ${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- If the local container registry and the cluster are connected to the mirror host, take the following actions: - Directly push the release images to the local registry and apply the config map to the cluster by using following command: - oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \ --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} --apply-release-image-signature- $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \ --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} --apply-release-image-signature- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- If you include the - --apply-release-image-signatureoption, do not create the config map for image signature verification.
- If you are using the OpenShift Update Service, mirror the release image to a separate repository: - oc image mirror -a ${LOCAL_SECRET_JSON} ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} ${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}- $ oc image mirror -a ${LOCAL_SECRET_JSON} ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} ${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
 
11.3. Updating a cluster in a disconnected environment using the OpenShift Update Service
To get an update experience similar to connected clusters, you can use the following procedures to install and configure the OpenShift Update Service (OSUS) in a disconnected environment.
The following steps outline the high-level workflow on how to update a cluster in a disconnected environment using OSUS:
- Configure access to a secured registry.
- Update the global cluster pull secret to access your mirror registry.
- Install the OSUS Operator.
- Create a graph data container image for the OpenShift Update Service.
- Install the OSUS application and configure your clusters to use the OpenShift Update Service in your environment.
- Perform a supported update procedure from the documentation as you would with a connected cluster.
11.3.1. Using the OpenShift Update Service in a disconnected environment
The OpenShift Update Service (OSUS) provides update recommendations to OpenShift Container Platform clusters. Red Hat publicly hosts the OpenShift Update Service, and clusters in a connected environment can connect to the service through public APIs to retrieve update recommendations.
However, clusters in a disconnected environment cannot access these public APIs to retrieve update information. To have a similar update experience in a disconnected environment, you can install and configure the OpenShift Update Service so that it is available within the disconnected environment.
A single OSUS instance is capable of serving recommendations to thousands of clusters. OSUS can be scaled horizontally to cater to more clusters by changing the replica value. So for most disconnected use cases, one OSUS instance is enough. For example, Red Hat hosts just one OSUS instance for the entire fleet of connected clusters.
If you want to keep update recommendations separate in different environments, you can run one OSUS instance for each environment. For example, in a case where you have separate test and stage environments, you might not want a cluster in a stage environment to receive update recommendations to version A if that version has not been tested in the test environment yet.
The following sections describe how to install an OSUS instance and configure it to provide update recommendations to a cluster.
Additional resources
11.3.2. Prerequisites
- 
							You must have the occommand-line interface (CLI) tool installed.
- You must provision a container image registry in your environment with the container images for your update, as described in Mirroring OpenShift Container Platform images.
11.3.3. Configuring access to a secured registry for the OpenShift Update Service
If the release images are contained in a registry whose HTTPS X.509 certificate is signed by a custom certificate authority, complete the steps in Configuring additional trust stores for image registry access along with following changes for the update service.
					The OpenShift Update Service Operator needs the config map key name updateservice-registry in the registry CA cert.
				
Image registry CA config map example for the update service
11.3.4. Updating the global cluster pull secret
You can update the global pull secret for your cluster by either replacing the current pull secret or appending a new pull secret.
Use the procedure when you need a separate registry to store images than the registry used during installation.
Prerequisites
- 
							You have access to the cluster as a user with the cluster-adminrole.
Procedure
- Optional: To append a new pull secret to the existing pull secret, complete the following steps: - Enter the following command to download the pull secret: - oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' > <pull_secret_location>- $ oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' > <pull_secret_location>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <pull_secret_location>: Include the path to the pull secret file.
 
- Enter the following command to add the new pull secret: - oc registry login --registry="<registry>" \ --auth-basic="<username>:<password>" \ --to=<pull_secret_location> - $ oc registry login --registry="<registry>" \- 1 - --auth-basic="<username>:<password>" \- 2 - --to=<pull_secret_location>- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <registry>: Include the new registry. You can include many repositories within the same registry, for example:- --registry="<registry/my-namespace/my-repository>.
- 2
- <username>:<password>: Include the credentials of the new registry.
- 3
- <pull_secret_location>: Include the path to the pull secret file.
 - You can also perform a manual update to the pull secret file. 
 
- Enter the following command to update the global pull secret for your cluster: - oc set data secret/pull-secret -n openshift-config \ --from-file=.dockerconfigjson=<pull_secret_location> - $ oc set data secret/pull-secret -n openshift-config \ --from-file=.dockerconfigjson=<pull_secret_location>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <pull_secret_location>: Include the path to the new pull secret file.
 - This update rolls out to all nodes, which can take some time depending on the size of your cluster. Note- As of OpenShift Container Platform 4.7.4, changes to the global pull secret no longer trigger a node drain or reboot. 
11.3.5. Installing the OpenShift Update Service Operator
To install the OpenShift Update Service, you must first install the OpenShift Update Service Operator by using the OpenShift Container Platform web console or CLI.
For clusters that are installed in disconnected environments, also known as disconnected clusters, Operator Lifecycle Manager by default cannot access the Red Hat-provided OperatorHub sources hosted on remote registries because those remote sources require full internet connectivity. For more information, see Using Operator Lifecycle Manager in disconnected environments.
11.3.5.1. Installing the OpenShift Update Service Operator by using the web console
You can use the web console to install the OpenShift Update Service Operator.
Procedure
- In the web console, click Operators → OperatorHub. Note- Enter - Update Serviceinto the Filter by keyword… field to find the Operator faster.
- Choose OpenShift Update Service from the list of available Operators, and click Install. - Select an Update channel.
- Select a Version.
- Select A specific namespace on the cluster under Installation Mode.
- 
										Select a namespace for Installed Namespace or accept the recommended namespace openshift-update-service.
- Select an Update approval strategy: - The Automatic strategy allows Operator Lifecycle Manager (OLM) to automatically update the Operator when a new version is available.
- The Manual strategy requires a cluster administrator to approve the Operator update.
 
- Click Install.
 
- Go to Operators → Installed Operators and verify that the OpenShift Update Service Operator is installed.
- Ensure that OpenShift Update Service is listed in the correct namespace with a Status of Succeeded.
11.3.5.2. Installing the OpenShift Update Service Operator by using the CLI
						You can use the OpenShift CLI (oc) to install the OpenShift Update Service Operator.
					
Procedure
- Create a namespace for the OpenShift Update Service Operator: - Create a - Namespaceobject YAML file, for example,- update-service-namespace.yaml, for the OpenShift Update Service Operator:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Set theopenshift.io/cluster-monitoringlabel to enable Operator-recommended cluster monitoring on this namespace.
 
- Create the namespace: - oc create -f <filename>.yaml - $ oc create -f <filename>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For example: - oc create -f update-service-namespace.yaml - $ oc create -f update-service-namespace.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Install the OpenShift Update Service Operator by creating the following objects: - Create an - OperatorGroupobject YAML file, for example,- update-service-operator-group.yaml:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create an - OperatorGroupobject:- oc -n openshift-update-service create -f <filename>.yaml - $ oc -n openshift-update-service create -f <filename>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For example: - oc -n openshift-update-service create -f update-service-operator-group.yaml - $ oc -n openshift-update-service create -f update-service-operator-group.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create a - Subscriptionobject YAML file, for example,- update-service-subscription.yaml:- Example Subscription - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the name of the catalog source that provides the Operator. For clusters that do not use a custom Operator Lifecycle Manager (OLM), specifyredhat-operators. If your OpenShift Container Platform cluster is installed in a disconnected environment, specify the name of theCatalogSourceobject created when you configured Operator Lifecycle Manager (OLM).
 
- Create the - Subscriptionobject:- oc create -f <filename>.yaml - $ oc create -f <filename>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For example: - oc -n openshift-update-service create -f update-service-subscription.yaml - $ oc -n openshift-update-service create -f update-service-subscription.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The OpenShift Update Service Operator is installed to the - openshift-update-servicenamespace and targets the- openshift-update-servicenamespace.
 
- Verify the Operator installation: - oc -n openshift-update-service get clusterserviceversions - $ oc -n openshift-update-service get clusterserviceversions- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME DISPLAY VERSION REPLACES PHASE update-service-operator.v4.6.0 OpenShift Update Service 4.6.0 Succeeded ... - NAME DISPLAY VERSION REPLACES PHASE update-service-operator.v4.6.0 OpenShift Update Service 4.6.0 Succeeded ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - If the OpenShift Update Service Operator is listed, the installation was successful. The version number might be different than shown. 
11.3.6. Creating the OpenShift Update Service graph data container image
The OpenShift Update Service requires a graph data container image, from which the OpenShift Update Service retrieves information about channel membership and blocked update edges. Graph data is typically fetched directly from the update graph data repository. In environments where an internet connection is unavailable, loading this information from an init container is another way to make the graph data available to the OpenShift Update Service. The role of the init container is to provide a local copy of the graph data, and during pod initialization, the init container copies the data to a volume that is accessible by the service.
						The oc-mirror OpenShift CLI (oc) plugin creates this graph data container image in addition to mirroring release images. If you used the oc-mirror plugin to mirror your release images, you can skip this procedure.
					
Procedure
- Create a Dockerfile, for example, - ./Dockerfile, containing the following:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Use the docker file created in the above step to build a graph data container image, for example, - registry.example.com/openshift/graph-data:latest:- podman build -f ./Dockerfile -t registry.example.com/openshift/graph-data:latest - $ podman build -f ./Dockerfile -t registry.example.com/openshift/graph-data:latest- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Push the graph data container image created in the previous step to a repository that is accessible to the OpenShift Update Service, for example, - registry.example.com/openshift/graph-data:latest:- podman push registry.example.com/openshift/graph-data:latest - $ podman push registry.example.com/openshift/graph-data:latest- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- To push a graph data image to a registry in a disconnected environment, copy the graph data container image created in the previous step to a repository that is accessible to the OpenShift Update Service. Run - oc image mirror --helpfor available options.
11.3.7. Creating an OpenShift Update Service application
You can create an OpenShift Update Service application by using the OpenShift Container Platform web console or CLI.
11.3.7.1. Creating an OpenShift Update Service application by using the web console
You can use the OpenShift Container Platform web console to create an OpenShift Update Service application by using the OpenShift Update Service Operator.
Prerequisites
- The OpenShift Update Service Operator has been installed.
- The OpenShift Update Service graph data container image has been created and pushed to a repository that is accessible to the OpenShift Update Service.
- The current release and update target releases have been mirrored to a registry in the disconnected environment.
Procedure
- In the web console, click Operators → Installed Operators.
- Choose OpenShift Update Service from the list of installed Operators.
- Click the Update Service tab.
- Click Create UpdateService.
- 
								Enter a name in the Name field, for example, service.
- 
								Enter the local pullspec in the Graph Data Image field to the graph data container image created in "Creating the OpenShift Update Service graph data container image", for example, registry.example.com/openshift/graph-data:latest.
- 
								In the Releases field, enter the registry and repository created to contain the release images in "Mirroring the OpenShift Container Platform image repository", for example, registry.example.com/ocp4/openshift4-release-images.
- 
								Enter 2in the Replicas field.
- Click Create to create the OpenShift Update Service application.
- Verify the OpenShift Update Service application: - From the UpdateServices list in the Update Service tab, click the Update Service application just created.
- Click the Resources tab.
- Verify each application resource has a status of Created.
 
11.3.7.2. Creating an OpenShift Update Service application by using the CLI
						You can use the OpenShift CLI (oc) to create an OpenShift Update Service application.
					
Prerequisites
- The OpenShift Update Service Operator has been installed.
- The OpenShift Update Service graph data container image has been created and pushed to a repository that is accessible to the OpenShift Update Service.
- The current release and update target releases have been mirrored to a registry in the disconnected environment.
Procedure
- Configure the OpenShift Update Service target namespace, for example, - openshift-update-service:- NAMESPACE=openshift-update-service - $ NAMESPACE=openshift-update-service- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The namespace must match the - targetNamespacesvalue from the operator group.
- Configure the name of the OpenShift Update Service application, for example, - service:- NAME=service - $ NAME=service- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Configure the registry and repository for the release images as configured in "Mirroring the OpenShift Container Platform image repository", for example, - registry.example.com/ocp4/openshift4-release-images:- RELEASE_IMAGES=registry.example.com/ocp4/openshift4-release-images - $ RELEASE_IMAGES=registry.example.com/ocp4/openshift4-release-images- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set the local pullspec for the graph data image to the graph data container image created in "Creating the OpenShift Update Service graph data container image", for example, - registry.example.com/openshift/graph-data:latest:- GRAPH_DATA_IMAGE=registry.example.com/openshift/graph-data:latest - $ GRAPH_DATA_IMAGE=registry.example.com/openshift/graph-data:latest- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create an OpenShift Update Service application object: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify the OpenShift Update Service application: - Use the following command to obtain a policy engine route: - while sleep 1; do POLICY_ENGINE_GRAPH_URI="$(oc -n "${NAMESPACE}" get -o jsonpath='{.status.policyEngineURI}/api/upgrades_info/v1/graph{"\n"}' updateservice "${NAME}")"; SCHEME="${POLICY_ENGINE_GRAPH_URI%%:*}"; if test "${SCHEME}" = http -o "${SCHEME}" = https; then break; fi; done- $ while sleep 1; do POLICY_ENGINE_GRAPH_URI="$(oc -n "${NAMESPACE}" get -o jsonpath='{.status.policyEngineURI}/api/upgrades_info/v1/graph{"\n"}' updateservice "${NAME}")"; SCHEME="${POLICY_ENGINE_GRAPH_URI%%:*}"; if test "${SCHEME}" = http -o "${SCHEME}" = https; then break; fi; done- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You might need to poll until the command succeeds. 
- Retrieve a graph from the policy engine. Be sure to specify a valid version for - channel. For example, if running in OpenShift Container Platform 4.18, use- stable-4.18:- while sleep 10; do HTTP_CODE="$(curl --header Accept:application/json --output /dev/stderr --write-out "%{http_code}" "${POLICY_ENGINE_GRAPH_URI}?channel=stable-4.6")"; if test "${HTTP_CODE}" -eq 200; then break; fi; echo "${HTTP_CODE}"; done- $ while sleep 10; do HTTP_CODE="$(curl --header Accept:application/json --output /dev/stderr --write-out "%{http_code}" "${POLICY_ENGINE_GRAPH_URI}?channel=stable-4.6")"; if test "${HTTP_CODE}" -eq 200; then break; fi; echo "${HTTP_CODE}"; done- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - This polls until the graph request succeeds; however, the resulting graph might be empty depending on which release images you have mirrored. 
 
							The policy engine route name must not be more than 63 characters based on RFC-1123. If you see ReconcileCompleted status as false with the reason CreateRouteFailed caused by host must conform to DNS 1123 naming convention and must be no more than 63 characters, try creating the Update Service with a shorter name.
						
11.3.8. Configuring the Cluster Version Operator (CVO)
After the OpenShift Update Service Operator has been installed and the OpenShift Update Service application has been created, the Cluster Version Operator (CVO) can be updated to pull graph data from the OpenShift Update Service installed in your environment.
Prerequisites
- The OpenShift Update Service Operator has been installed.
- The OpenShift Update Service graph data container image has been created and pushed to a repository that is accessible to the OpenShift Update Service.
- The current release and update target releases have been mirrored to a registry in the disconnected environment.
- The OpenShift Update Service application has been created.
Procedure
- Set the OpenShift Update Service target namespace, for example, - openshift-update-service:- NAMESPACE=openshift-update-service - $ NAMESPACE=openshift-update-service- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set the name of the OpenShift Update Service application, for example, - service:- NAME=service - $ NAME=service- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Obtain the policy engine route: - POLICY_ENGINE_GRAPH_URI="$(oc -n "${NAMESPACE}" get -o jsonpath='{.status.policyEngineURI}/api/upgrades_info/v1/graph{"\n"}' updateservice "${NAME}")"- $ POLICY_ENGINE_GRAPH_URI="$(oc -n "${NAMESPACE}" get -o jsonpath='{.status.policyEngineURI}/api/upgrades_info/v1/graph{"\n"}' updateservice "${NAME}")"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set the patch for the pull graph data: - PATCH="{\"spec\":{\"upstream\":\"${POLICY_ENGINE_GRAPH_URI}\"}}"- $ PATCH="{\"spec\":{\"upstream\":\"${POLICY_ENGINE_GRAPH_URI}\"}}"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Patch the CVO to use the OpenShift Update Service in your environment: - oc patch clusterversion version -p $PATCH --type merge - $ oc patch clusterversion version -p $PATCH --type merge- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
See Configuring the cluster-wide proxy to configure the CA to trust the update server.
11.3.9. Next steps
Before updating your cluster, confirm that the following conditions are met:
- The Cluster Version Operator (CVO) is configured to use your installed OpenShift Update Service application.
- The release image signature config map for the new release is applied to your cluster. Note- The Cluster Version Operator (CVO) uses release image signatures to ensure that release images have not been modified, by verifying that the release image signatures match the expected result. 
- The current release and update target release images are mirrored to a registry in the disconnected environment.
- A recent graph data container image has been mirrored to your registry.
- A recent version of the OpenShift Update Service Operator is installed. Note- If you have not recently installed or updated the OpenShift Update Service Operator, there might be a more recent version available. See Using Operator Lifecycle Manager in disconnected environments for more information about how to update your OLM catalog in a disconnected environment. 
After you configure your cluster to use the installed OpenShift Update Service and local mirror registry, you can use any of the following update methods:
11.4. Updating a cluster in a disconnected environment without the OpenShift Update Service
Use the following procedures to update a cluster in a disconnected environment without access to the OpenShift Update Service.
11.4.1. Prerequisites
- 
							You must have the occommand-line interface (CLI) tool installed.
- You must provision a local container image registry with the container images for your update, as described in Mirroring OpenShift Container Platform images.
- 
							You must have access to the cluster as a user with adminprivileges. See Using RBAC to define and apply permissions.
- You must have a recent etcd backup in case your update fails and you must restore your cluster to a previous state.
- You have updated all Operators previously installed through Operator Lifecycle Manager (OLM) to a version that is compatible with your target release. Updating the Operators ensures they have a valid update path when the default OperatorHub catalogs switch from the current minor version to the next during a cluster update. See Updating installed Operators for more information on how to check compatibility and, if necessary, update the installed Operators.
- You must ensure that all machine config pools (MCPs) are running and not paused. Nodes associated with a paused MCP are skipped during the update process. You can pause the MCPs if you are performing a canary rollout update strategy.
- If your cluster uses manually maintained credentials, update the cloud provider resources for the new release. For more information, including how to determine if this is a requirement for your cluster, see Preparing to update a cluster with manually maintained credentials.
- 
							If you run an Operator or you have configured any application with the pod disruption budget, you might experience an interruption during the update process. If minAvailableis set to 1 inPodDisruptionBudget, the nodes are drained to apply pending machine configs which might block the eviction process. If several nodes are rebooted, all the pods might run on only one node, and thePodDisruptionBudgetfield can prevent the node drain.
						If you run an Operator or you have configured any application with the pod disruption budget, you might experience an interruption during the update process. If minAvailable is set to 1 in PodDisruptionBudget, the nodes are drained to apply pending machine configs which might block the eviction process. If several nodes are rebooted, all the pods might run on only one node, and the PodDisruptionBudget field can prevent the node drain.
					
11.4.2. Pausing a MachineHealthCheck resource
					During the update process, nodes in the cluster might become temporarily unavailable. In the case of worker nodes, the MachineHealthCheck resources might identify such nodes as unhealthy and reboot them. To avoid rebooting such nodes, pause all the MachineHealthCheck resources before updating the cluster.
				
						Some MachineHealthCheck resources might not need to be paused. If your MachineHealthCheck resource relies on unrecoverable conditions, pausing that MHC is unnecessary.
					
Prerequisites
- 
							Install the OpenShift CLI (oc).
Procedure
- To list all the available - MachineHealthCheckresources that you want to pause, run the following command:- oc get machinehealthcheck -n openshift-machine-api - $ oc get machinehealthcheck -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To pause the machine health checks, add the - cluster.x-k8s.io/paused=""annotation to the- MachineHealthCheckresource. Run the following command:- oc -n openshift-machine-api annotate mhc <mhc-name> cluster.x-k8s.io/paused="" - $ oc -n openshift-machine-api annotate mhc <mhc-name> cluster.x-k8s.io/paused=""- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The annotated - MachineHealthCheckresource resembles the following YAML file:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- Resume the machine health checks after updating the cluster. To resume the check, remove the pause annotation from the - MachineHealthCheckresource by running the following command:- oc -n openshift-machine-api annotate mhc <mhc-name> cluster.x-k8s.io/paused- - $ oc -n openshift-machine-api annotate mhc <mhc-name> cluster.x-k8s.io/paused-- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
11.4.3. Retrieving a release image digest
					In order to update a cluster in a disconnected environment using the oc adm upgrade command with the --to-image option, you must reference the sha256 digest that corresponds to your targeted release image.
				
Procedure
- Run the following command on a device that is connected to the internet: - oc adm release info -o 'jsonpath={.digest}{"\n"}' quay.io/openshift-release-dev/ocp-release:${OCP_RELEASE_VERSION}-${ARCHITECTURE}- $ oc adm release info -o 'jsonpath={.digest}{"\n"}' quay.io/openshift-release-dev/ocp-release:${OCP_RELEASE_VERSION}-${ARCHITECTURE}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For - {OCP_RELEASE_VERSION}, specify the version of OpenShift Container Platform to which you want to update, such as- 4.10.16.- For - {ARCHITECTURE}, specify the architecture of the cluster, such as- x86_64,- aarch64,- s390x, or- ppc64le.- Example output - sha256:a8bfba3b6dddd1a2fbbead7dac65fe4fb8335089e4e7cae327f3bad334add31d - sha256:a8bfba3b6dddd1a2fbbead7dac65fe4fb8335089e4e7cae327f3bad334add31d- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Copy the sha256 digest for use when updating your cluster.
11.4.4. Updating the disconnected cluster
Update the disconnected cluster to the OpenShift Container Platform version that you downloaded the release images for.
If you have a local OpenShift Update Service, you can update by using the connected web console or CLI instructions instead of this procedure.
Prerequisites
- You mirrored the images for the new release to your registry.
- You applied the release image signature ConfigMap for the new release to your cluster. Note- The release image signature config map allows the Cluster Version Operator (CVO) to ensure the integrity of release images by verifying that the actual image signatures match the expected signatures. 
- You obtained the sha256 digest for your targeted release image.
- 
							You installed the OpenShift CLI (oc).
- 
							You paused all MachineHealthCheckresources.
Procedure
- Update the cluster: - oc adm upgrade --allow-explicit-upgrade --to-image <defined_registry>/<defined_repository>@<digest> - $ oc adm upgrade --allow-explicit-upgrade --to-image <defined_registry>/<defined_repository>@<digest>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Where: - <defined_registry>
- Specifies the name of the mirror registry you mirrored your images to.
- <defined_repository>
- Specifies the name of the image repository you want to use on the mirror registry.
- <digest>
- 
										Specifies the sha256 digest for the targeted release image, for example, sha256:81154f5c03294534e1eaf0319bef7a601134f891689ccede5d705ef659aa8c92.
 Note- See "Mirroring OpenShift Container Platform images" to review how your mirror registry and repository names are defined.
- 
										If you used an ImageContentSourcePolicyorImageDigestMirrorSet, you can use the canonical registry and repository names instead of the names you defined. The canonical registry name isquay.ioand the canonical repository name isopenshift-release-dev/ocp-release.
- 
										You can only configure global pull secrets for clusters that have an ImageContentSourcePolicy,ImageDigestMirrorSet, orImageTagMirrorSetobject. You cannot add a pull secret to a project.
 
11.4.5. Understanding image registry repository mirroring
Setting up container registry repository mirroring enables you to perform the following tasks:
- Configure your OpenShift Container Platform cluster to redirect requests to pull images from a repository on a source image registry and have it resolved by a repository on a mirrored image registry.
- Identify multiple mirrored repositories for each target repository, to make sure that if one mirror is down, another can be used.
Repository mirroring in OpenShift Container Platform includes the following attributes:
- Image pulls are resilient to registry downtimes.
- Clusters in disconnected environments can pull images from critical locations, such as quay.io, and have registries behind a company firewall provide the requested images.
- A particular order of registries is tried when an image pull request is made, with the permanent registry typically being the last one tried.
- 
							The mirror information you enter is added to the /etc/containers/registries.conffile on every node in the OpenShift Container Platform cluster.
- When a node makes a request for an image from the source repository, it tries each mirrored repository in turn until it finds the requested content. If all mirrors fail, the cluster tries the source repository. If successful, the image is pulled to the node.
Setting up repository mirroring can be done in the following ways:
- At OpenShift Container Platform installation: - By pulling container images needed by OpenShift Container Platform and then bringing those images behind your company’s firewall, you can install OpenShift Container Platform into a data center that is in a disconnected environment. 
- After OpenShift Container Platform installation: - If you did not configure mirroring during OpenShift Container Platform installation, you can do so postinstallation by using any of the following custom resource (CR) objects: - 
									ImageDigestMirrorSet(IDMS). This object allows you to pull images from a mirrored registry by using digest specifications. The IDMS CR enables you to set a fall back policy that allows or stops continued attempts to pull from the source registry if the image pull fails.
- 
									ImageTagMirrorSet(ITMS). This object allows you to pull images from a mirrored registry by using image tags. The ITMS CR enables you to set a fall back policy that allows or stops continued attempts to pull from the source registry if the image pull fails.
- 
									ImageContentSourcePolicy(ICSP). This object allows you to pull images from a mirrored registry by using digest specifications. The ICSP CR always falls back to the source registry if the mirrors do not work.
 Important- Using an - ImageContentSourcePolicy(ICSP) object to configure repository mirroring is a deprecated feature. Deprecated functionality is still included in OpenShift Container Platform and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments. If you have existing YAML files that you used to create- ImageContentSourcePolicyobjects, you can use the- oc adm migrate icspcommand to convert those files to an- ImageDigestMirrorSetYAML file. For more information, see "Converting ImageContentSourcePolicy (ICSP) files for image registry repository mirroring" in the following section.
- 
									
Each of these custom resource objects identify the following information:
- The source of the container image repository you want to mirror.
- A separate entry for each mirror repository you want to offer the content requested from the source repository.
Note the following actions and how they affect node drain behavior:
- If you create an IDMS or ICSP CR object, the MCO does not drain or reboot the node.
- If you create an ITMS CR object, the MCO drains and reboots the node.
- If you delete an ITMS, IDMS, or ICSP CR object, the MCO drains and reboots the node.
- If you modify an ITMS, IDMS, or ICSP CR object, the MCO drains and reboots the node. Important- When the MCO detects any of the following changes, it applies the update without draining or rebooting the node: - 
												Changes to the SSH key in the spec.config.passwd.users.sshAuthorizedKeysparameter of a machine config.
- 
												Changes to the global pull secret or pull secret in the openshift-confignamespace.
- 
												Automatic rotation of the /etc/kubernetes/kubelet-ca.crtcertificate authority (CA) by the Kubernetes API Server Operator.
 
- 
												Changes to the SSH key in the 
- When the MCO detects changes to the - /etc/containers/registries.conffile, such as editing an- ImageDigestMirrorSet,- ImageTagMirrorSet, or- ImageContentSourcePolicyobject, it drains the corresponding nodes, applies the changes, and uncordons the nodes. The node drain does not happen for the following changes:- 
												The addition of a registry with the pull-from-mirror = "digest-only"parameter set for each mirror.
- 
												The addition of a mirror with the pull-from-mirror = "digest-only"parameter set in a registry.
- 
												The addition of items to the unqualified-search-registrieslist.
 
- 
												The addition of a registry with the 
 
For new clusters, you can use IDMS, ITMS, and ICSP CRs objects as desired. However, using IDMS and ITMS is recommended.
					If you upgraded a cluster, any existing ICSP objects remain stable, and both IDMS and ICSP objects are supported. Workloads using ICSP objects continue to function as expected. However, if you want to take advantage of the fallback policies introduced in the IDMS CRs, you can migrate current workloads to IDMS objects by using the oc adm migrate icsp command as shown in the Converting ImageContentSourcePolicy (ICSP) files for image registry repository mirroring section that follows. Migrating to IDMS objects does not require a cluster reboot.
				
						If your cluster uses an ImageDigestMirrorSet, ImageTagMirrorSet, or ImageContentSourcePolicy object to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.
					
11.4.5.1. Configuring image registry repository mirroring
You can create postinstallation mirror configuration custom resources (CR) to redirect image pull requests from a source image registry to a mirrored image registry.
Prerequisites
- 
								Access to the cluster as a user with the cluster-adminrole.
Procedure
- Configure mirrored repositories, by either: - Setting up a mirrored repository with Red Hat Quay, as described in Red Hat Quay Repository Mirroring. Using Red Hat Quay allows you to copy images from one repository to another and also automatically sync those repositories repeatedly over time.
- Using a tool such as - skopeoto copy images manually from the source repository to the mirrored repository.- For example, after installing the skopeo RPM package on a Red Hat Enterprise Linux (RHEL) 7 or RHEL 8 system, use the - skopeocommand as shown in this example:- skopeo copy --all \ docker://registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:5cf... \ docker://example.io/example/ubi-minimal - $ skopeo copy --all \ docker://registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:5cf... \ docker://example.io/example/ubi-minimal- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In this example, you have a container image registry that is named - example.iowith an image repository named- exampleto which you want to copy the- ubi9/ubi-minimalimage from- registry.access.redhat.com. After you create the mirrored registry, you can configure your OpenShift Container Platform cluster to redirect requests made of the source repository to the mirrored repository.
 
- Create a postinstallation mirror configuration CR, by using one of the following examples: - Create an - ImageDigestMirrorSetor- ImageTagMirrorSetCR, as needed, replacing the source and mirrors with your own registry and repository pairs and images:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Indicates the API to use with this CR. This must beconfig.openshift.io/v1.
- 2
- Indicates the kind of object according to the pull type:- 
														ImageDigestMirrorSet: Pulls a digest reference image.
- 
														ImageTagMirrorSet: Pulls a tag reference image.
 
- 
														
- 3
- Indicates the type of image pull method, either:- 
														imageDigestMirrors: Use for anImageDigestMirrorSetCR.
- 
														imageTagMirrors: Use for anImageTagMirrorSetCR.
 
- 
														
- 4
- Indicates the name of the mirrored image registry and repository.
- 5
- Optional: Indicates a secondary mirror repository for each target repository. If one mirror is down, the target repository can use the secondary mirror.
- 6
- Indicates the registry and repository source, which is the repository that is referred to in an image pull specification.
- 7
- Optional: Indicates the fallback policy if the image pull fails:- 
														AllowContactingSource: Allows continued attempts to pull the image from the source repository. This is the default.
- 
														NeverContactSource: Prevents continued attempts to pull the image from the source repository.
 
- 
														
- 8
- Optional: Indicates a namespace inside a registry, which allows you to use any image in that namespace. If you use a registry domain as a source, the object is applied to all repositories from the registry.
- 9
- Optional: Indicates a registry, which allows you to use any image in that registry. If you specify a registry name, the object is applied to all repositories from a source registry to a mirror registry.
- 10
- Pulls the imageregistry.example.com/example/myimage@sha256:…from the mirrormirror.example.net/image@sha256:...
- 11
- Pulls the imageregistry.example.com/example/image@sha256:…in the source registry namespace from the mirrormirror.example.net/image@sha256:….
- 12
- Pulls the imageregistry.example.com/myimage@sha256from the mirror registryexample.net/registry-example-com/myimage@sha256:….
 
- Create an - ImageContentSourcePolicycustom resource, replacing the source and mirrors with your own registry and repository pairs and images:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Create the new object: - oc create -f registryrepomirror.yaml - $ oc create -f registryrepomirror.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the object is created, the Machine Config Operator (MCO) drains the nodes for - ImageTagMirrorSetobjects only. The MCO does not drain the nodes for- ImageDigestMirrorSetand- ImageContentSourcePolicyobjects.
- To check that the mirrored configuration settings are applied, do the following on one of the nodes. - List your nodes: - oc get node - $ oc get node- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Start the debugging process to access the node: - oc debug node/ip-10-0-147-35.ec2.internal - $ oc debug node/ip-10-0-147-35.ec2.internal- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Starting pod/ip-10-0-147-35ec2internal-debug ... To use host binaries, run `chroot /host` - Starting pod/ip-10-0-147-35ec2internal-debug ... To use host binaries, run `chroot /host`- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Change your root directory to - /host:- chroot /host - sh-4.2# chroot /host- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the - /etc/containers/registries.conffile to make sure the changes were made:- cat /etc/containers/registries.conf - sh-4.2# cat /etc/containers/registries.conf- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The following output represents a - registries.conffile where postinstallation mirror configuration CRs were applied. The final two entries are marked- digest-onlyand- tag-onlyrespectively.- Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Indicates the repository that is referred to in a pull spec.
- 2
- Indicates the mirror for that repository.
- 3
- Indicates that the image pull from the mirror is a digest reference image.
- 4
- Indicates that theNeverContactSourceparameter is set for this repository.
- 5
- Indicates that the image pull from the mirror is a tag reference image.
 
- Pull an image to the node from the source and check if it is resolved by the mirror. - podman pull --log-level=debug registry.access.redhat.com/ubi9/ubi-minimal@sha256:5cf... - sh-4.2# podman pull --log-level=debug registry.access.redhat.com/ubi9/ubi-minimal@sha256:5cf...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
Troubleshooting repository mirroring
If the repository mirroring procedure does not work as described, use the following information about how repository mirroring works to help troubleshoot the problem.
- The first working mirror is used to supply the pulled image.
- The main registry is only used if no other mirror works.
- 
								From the system context, the Insecureflags are used as fallback.
- 
								The format of the /etc/containers/registries.conffile has changed recently. It is now version 2 and in TOML format.
						Using an ImageContentSourcePolicy (ICSP) object to configure repository mirroring is a deprecated feature. This functionality is still included in OpenShift Container Platform and continues to be supported; however, it will be removed in a future release of this product and is not recommended for new deployments.
					
						ICSP objects are being replaced by ImageDigestMirrorSet and ImageTagMirrorSet objects to configure repository mirroring. If you have existing YAML files that you used to create ImageContentSourcePolicy objects, you can use the oc adm migrate icsp command to convert those files to an ImageDigestMirrorSet YAML file. The command updates the API to the current version, changes the kind value to ImageDigestMirrorSet, and changes spec.repositoryDigestMirrors to spec.imageDigestMirrors. The rest of the file is not changed.
					
						Because the migration does not change the registries.conf file, the cluster does not need to reboot.
					
						For more information about ImageDigestMirrorSet or ImageTagMirrorSet objects, see "Configuring image registry repository mirroring" in the previous section.
					
Prerequisites
- 
								Access to the cluster as a user with the cluster-adminrole.
- 
								Ensure that you have ImageContentSourcePolicyobjects on your cluster.
Procedure
- Use the following command to convert one or more - ImageContentSourcePolicyYAML files to an- ImageDigestMirrorSetYAML file:- oc adm migrate icsp <file_name>.yaml <file_name>.yaml <file_name>.yaml --dest-dir <path_to_the_directory> - $ oc adm migrate icsp <file_name>.yaml <file_name>.yaml <file_name>.yaml --dest-dir <path_to_the_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <file_name>
- 
											Specifies the name of the source ImageContentSourcePolicyYAML. You can list multiple file names.
- --dest-dir
- 
											Optional: Specifies a directory for the output ImageDigestMirrorSetYAML. If unset, the file is written to the current directory.
 - For example, the following command converts the - icsp.yamland- icsp-2.yamlfile and saves the new YAML files to the- idms-filesdirectory.- oc adm migrate icsp icsp.yaml icsp-2.yaml --dest-dir idms-files - $ oc adm migrate icsp icsp.yaml icsp-2.yaml --dest-dir idms-files- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - wrote ImageDigestMirrorSet to idms-files/imagedigestmirrorset_ubi8repo.5911620242173376087.yaml wrote ImageDigestMirrorSet to idms-files/imagedigestmirrorset_ubi9repo.6456931852378115011.yaml - wrote ImageDigestMirrorSet to idms-files/imagedigestmirrorset_ubi8repo.5911620242173376087.yaml wrote ImageDigestMirrorSet to idms-files/imagedigestmirrorset_ubi9repo.6456931852378115011.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the CR object by running the following command: - oc create -f <path_to_the_directory>/<file-name>.yaml - $ oc create -f <path_to_the_directory>/<file-name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <path_to_the_directory>
- 
											Specifies the path to the directory, if you used the --dest-dirflag.
- <file_name>
- 
											Specifies the name of the ImageDigestMirrorSetYAML.
 
- Remove the ICSP objects after the IDMS objects are rolled out.
					You can scope the mirrored image catalog at the repository level or the wider registry level. A widely scoped ImageContentSourcePolicy resource reduces the number of times the nodes need to reboot in response to changes to the resource.
				
					To widen the scope of the mirror image catalog in the ImageContentSourcePolicy resource, perform the following procedure.
				
Prerequisites
- 
							Install the OpenShift Container Platform CLI oc.
- 
							Log in as a user with cluster-adminprivileges.
- Configure a mirrored image catalog for use in your disconnected cluster.
Procedure
- Run the following command, specifying values for - <local_registry>,- <pull_spec>, and- <pull_secret_file>:- oc adm catalog mirror <local_registry>/<pull_spec> <local_registry> -a <pull_secret_file> --icsp-scope=registry - $ oc adm catalog mirror <local_registry>/<pull_spec> <local_registry> -a <pull_secret_file> --icsp-scope=registry- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <local_registry>
- 
										is the local registry you have configured for your disconnected cluster, for example, local.registry:5000.
- <pull_spec>
- 
										is the pull specification as configured in your disconnected registry, for example, redhat/redhat-operator-index:v4.18
- <pull_secret_file>
- 
										is the registry.redhat.iopull secret in.jsonfile format. You can download the pull secret from Red Hat OpenShift Cluster Manager.
 - The - oc adm catalog mirrorcommand creates a- /redhat-operator-index-manifestsdirectory and generates- imageContentSourcePolicy.yaml,- catalogSource.yaml, and- mapping.txtfiles.
- Apply the new - ImageContentSourcePolicyresource to the cluster:- oc apply -f imageContentSourcePolicy.yaml - $ oc apply -f imageContentSourcePolicy.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Verify that - oc applysuccessfully applied the change to- ImageContentSourcePolicy:- oc get ImageContentSourcePolicy -o yaml - $ oc get ImageContentSourcePolicy -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
					After you update the ImageContentSourcePolicy resource, OpenShift Container Platform deploys the new settings to each node and the cluster starts using the mirrored repository for requests to the source repository.
				
11.5. Uninstalling the OpenShift Update Service from a cluster
To remove a local copy of the OpenShift Update Service (OSUS) from your cluster, you must first delete the OSUS application and then uninstall the OSUS Operator.
11.5.1. Deleting an OpenShift Update Service application
You can delete an OpenShift Update Service application by using the OpenShift Container Platform web console or CLI.
11.5.1.1. Deleting an OpenShift Update Service application by using the web console
You can use the OpenShift Container Platform web console to delete an OpenShift Update Service application by using the OpenShift Update Service Operator.
Prerequisites
- The OpenShift Update Service Operator has been installed.
Procedure
- In the web console, click Operators → Installed Operators.
- Choose OpenShift Update Service from the list of installed Operators.
- Click the Update Service tab.
- From the list of installed OpenShift Update Service applications, select the application to be deleted and then click Delete UpdateService.
- From the Delete UpdateService? confirmation dialog, click Delete to confirm the deletion.
11.5.1.2. Deleting an OpenShift Update Service application by using the CLI
						You can use the OpenShift CLI (oc) to delete an OpenShift Update Service application.
					
Procedure
- Get the OpenShift Update Service application name using the namespace the OpenShift Update Service application was created in, for example, - openshift-update-service:- oc get updateservice -n openshift-update-service - $ oc get updateservice -n openshift-update-service- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE service 6s - NAME AGE service 6s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Delete the OpenShift Update Service application using the - NAMEvalue from the previous step and the namespace the OpenShift Update Service application was created in, for example,- openshift-update-service:- oc delete updateservice service -n openshift-update-service - $ oc delete updateservice service -n openshift-update-service- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - updateservice.updateservice.operator.openshift.io "service" deleted - updateservice.updateservice.operator.openshift.io "service" deleted- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
11.5.2. Uninstalling the OpenShift Update Service Operator
You can uninstall the OpenShift Update Service Operator by using the OpenShift Container Platform web console or CLI.
11.5.2.1. Uninstalling the OpenShift Update Service Operator by using the web console
You can use the OpenShift Container Platform web console to uninstall the OpenShift Update Service Operator.
Prerequisites
- All OpenShift Update Service applications have been deleted.
Procedure
- In the web console, click Operators → Installed Operators.
- Select OpenShift Update Service from the list of installed Operators and click Uninstall Operator.
- From the Uninstall Operator? confirmation dialog, click Uninstall to confirm the uninstallation.
11.5.2.2. Uninstalling the OpenShift Update Service Operator by using the CLI
						You can use the OpenShift CLI (oc) to uninstall the OpenShift Update Service Operator.
					
Prerequisites
- All OpenShift Update Service applications have been deleted.
Procedure
- Change to the project containing the OpenShift Update Service Operator, for example, - openshift-update-service:- oc project openshift-update-service - $ oc project openshift-update-service- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Now using project "openshift-update-service" on server "https://example.com:6443". - Now using project "openshift-update-service" on server "https://example.com:6443".- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Get the name of the OpenShift Update Service Operator operator group: - oc get operatorgroup - $ oc get operatorgroup- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE openshift-update-service-fprx2 4m41s - NAME AGE openshift-update-service-fprx2 4m41s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Delete the operator group, for example, - openshift-update-service-fprx2:- oc delete operatorgroup openshift-update-service-fprx2 - $ oc delete operatorgroup openshift-update-service-fprx2- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - operatorgroup.operators.coreos.com "openshift-update-service-fprx2" deleted - operatorgroup.operators.coreos.com "openshift-update-service-fprx2" deleted- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Get the name of the OpenShift Update Service Operator subscription: - oc get subscription - $ oc get subscription- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME PACKAGE SOURCE CHANNEL update-service-operator update-service-operator updateservice-index-catalog v1 - NAME PACKAGE SOURCE CHANNEL update-service-operator update-service-operator updateservice-index-catalog v1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Using the - Namevalue from the previous step, check the current version of the subscribed OpenShift Update Service Operator in the- currentCSVfield:- oc get subscription update-service-operator -o yaml | grep " currentCSV" - $ oc get subscription update-service-operator -o yaml | grep " currentCSV"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - currentCSV: update-service-operator.v0.0.1 - currentCSV: update-service-operator.v0.0.1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Delete the subscription, for example, - update-service-operator:- oc delete subscription update-service-operator - $ oc delete subscription update-service-operator- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - subscription.operators.coreos.com "update-service-operator" deleted - subscription.operators.coreos.com "update-service-operator" deleted- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Delete the CSV for the OpenShift Update Service Operator using the - currentCSVvalue from the previous step:- oc delete clusterserviceversion update-service-operator.v0.0.1 - $ oc delete clusterserviceversion update-service-operator.v0.0.1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - clusterserviceversion.operators.coreos.com "update-service-operator.v0.0.1" deleted - clusterserviceversion.operators.coreos.com "update-service-operator.v0.0.1" deleted- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
        Legal Notice
        
          
            
          
        
      
 
Copyright © 2025 Red Hat
OpenShift documentation is licensed under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0).
Modified versions must remove all Red Hat trademarks.
Portions adapted from https://github.com/kubernetes-incubator/service-catalog/ with modifications by Red Hat.
Red Hat, Red Hat Enterprise Linux, the Red Hat logo, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
