You can ensure your clusters only use container images that satisfy your organizational controls on external content. Before you install a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. By using the oc adm command, you can mirror release and catalog images in OpenShift. To mirror container images, you must have a registry for mirroring.
Important
You must have access to the internet to obtain the necessary container images. In this procedure, you place your mirror registry on a mirror host that has access to both your network and the internet. If you do not have access to a mirror host, use the "Mirroring Operator catalogs for use with disconnected clusters" procedure to copy images to a device that you can move across network boundaries.
- You must have a container image registry that supports Docker v2-2 in the location that will host the {product-title} cluster, such as one of the following registries:
If you have an entitlement to Red Hat Quay, see the documentation on deploying Red Hat Quay for proof-of-concept purposes or by using the Red Hat Quay Operator. If you need additional assistance selecting and installing a registry, contact your sales representative or Red Hat Support.
- If you do not already have an existing solution for a container image registry, subscribers of {product-title} are provided a mirror registry for Red Hat OpenShift. The mirror registry for Red Hat OpenShift is included with your subscription and is a small-scale container registry that can be used to mirror the required container images of {product-title} in disconnected installations.
For information about viewing the CRI-O logs to view the image source, see Viewing the image pull source.
Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to the remote location.
In a disconnected environment, you must take additional steps after you install a cluster to configure the Cluster Samples Operator. Review the following information in preparation.
Mirroring Operator catalogs for use with disconnected clusters has the following prerequisites:
- Workstation with unrestricted network access.
- podman version 1.9.3 or later.
- If you want to filter, or prune, an existing catalog and selectively mirror only a subset of Operators, see the following sections:
- If you want to mirror a Red Hat-provided catalog, run the following command on your workstation with unrestricted network access to authenticate with registry.redhat.io:
  $ podman login registry.redhat.io
- Access to a mirror registry that supports Docker v2-2.
- On your mirror registry, decide which repository, or namespace, to use for storing mirrored Operator content. For example, you might create an olm-mirror repository.
- If your mirror registry does not have internet access, connect removable media to your workstation with unrestricted network access.
- If you are working with private registries, including registry.redhat.io, set the REG_CREDS environment variable to the file path of your registry credentials for use in later steps. For example, for the podman CLI:
  $ REG_CREDS=${XDG_RUNTIME_DIR}/containers/auth.json
- Install a cluster on infrastructure that you provision in your restricted network, such as on VMware vSphere, bare metal, or Amazon Web Services.
- See Gathering data about specific features for more information about using must-gather.
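A preflight check for the workstation prerequisites listed above (podman 1.9.3 or later, REG_CREDS pointing at a credentials file that covers each registry), as an added example that is not part of the original documentation. The owner-only permission check is an added hardening assumption, the function names are hypothetical, and mirror.example.com:5000 is a placeholder for your mirror registry.

```shell
#!/bin/sh
# Added example (not from the product documentation). POSIX sh; no jq required.
MIN_PODMAN="1.9.3"   # minimum podman version stated in the prerequisites

# "podman version 4.9.4" -> "4.9.4"
parse_podman_version() { printf '%s\n' "${1##* }"; }

# version_ge A B: succeed if dotted version A >= B, compared numerically.
version_ge() {
  _a=$1; _b=$2
  for _i in 1 2 3; do
    _x=${_a%%.*}; _y=${_b%%.*}
    _x=${_x%%[!0-9]*}; _y=${_y%%[!0-9]*}   # drop suffixes such as "-dev"
    [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
    [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
    case $_a in *.*) _a=${_a#*.} ;; *) _a=0 ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b=0 ;; esac
  done
  return 0
}

# owner_only FILE: succeed if group and others have no permission bits set.
# Assumption: this hardening check is added here; the page does not require it.
owner_only() {
  case $(ls -ld -- "$1" 2>/dev/null) in ????------*) return 0 ;; esac
  return 1
}

# has_creds_for FILE REGISTRY: text match for a quoted registry key in the
# auth file's "auths" object (not a full JSON parse).
has_creds_for() { grep -qF -- "\"$2\"" "$1"; }

preflight() {   # usage: preflight REGISTRY...
  rc=0
  v=$(parse_podman_version "$(podman --version 2>/dev/null)")
  version_ge "${v:-0}" "$MIN_PODMAN" || { echo "FAIL: podman ${v:-not found}, need >= $MIN_PODMAN"; rc=1; }
  if [ -z "${REG_CREDS:-}" ] || [ ! -r "$REG_CREDS" ]; then
    echo "FAIL: REG_CREDS is unset or not a readable file"; return 1
  fi
  owner_only "$REG_CREDS" || { echo "FAIL: $REG_CREDS is accessible to group or others"; rc=1; }
  for reg in "$@"; do
    has_creds_for "$REG_CREDS" "$reg" || { echo "FAIL: no credentials for $reg in $REG_CREDS"; rc=1; }
  done
  return $rc
}

# Example: sh preflight.sh --check registry.redhat.io mirror.example.com:5000
if [ "${1:-}" = "--check" ]; then shift; preflight "$@"; fi
```

The REG_CREDS assignment shown above is not exported, so either export it before running the script or source the file into the same shell and call preflight directly.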