Mirror Openshift Images

We will mirror OCP images to:

  • From OCP release 4.9.10 to the registry v2 in registry.dsal:5000

  • From OCP release 4.9.10 and 4.9.22 to the registry mirror-registry in registry.dsal:8443

There 2 official methods to mirror images to a registry:

  • Normal method with oc binary

  • New method with oc-mirror plugin

Mirror with oc binary

From the Hypervisor machine with root user.

  • Import certificate from registry VM to Hypervisor for avoid certificated x509 problems

    kcli scp registry:/data/registry/certs/registry.crt .
cp registry.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
rm -Rf registry.crt

  • Now we will mirror images for Openshift 4.9.10 with oc command:

    OCP_RELEASE=4.9.10
LOCAL_REGISTRY='registry.dsal:5000'
LOCAL_REPOSITORY='ocp4'
PRODUCT_REPO='openshift-release-dev'
LOCAL_SECRET_JSON='/root/pull-secret-all.json'
RELEASE_NAME="ocp-release"
ARCHITECTURE=x86_64
oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}
    It takes some time, you can continue with the next steps in another terminal

  • A OCP kcli-deployment run some custom pods. To be able to run in a disconnected environment we need to mirror de kcli images (you can do it in another terminal ):

    oc image mirror -a ~/pull-secret-all.json  quay.io/karmab/curl:latest registry.dsal:5000/karmab/curl:latest
oc image mirror -a ~/pull-secret-all.json  quay.io/karmab/origin-coredns:latest registry.dsal:5000/karmab/origin-coredns:latest
oc image mirror -a ~/pull-secret-all.json  quay.io/karmab/haproxy:latest registry.dsal:5000/karmab/haproxy:latest
oc image mirror -a ~/pull-secret-all.json  quay.io/karmab/origin-keepalived-ipfailover:latest registry.dsal:5000/karmab/origin-keepalived-ipfailover:latest
oc image mirror -a ~/pull-secret-all.json  quay.io/karmab/mdns-publisher:latest registry.dsal:5000/karmab/mdns-publisher:latest
oc image mirror -a ~/pull-secret-all.json  quay.io/karmab/kubectl:latest registry.dsal:5000/karmab/kubectl:latest
oc image mirror -a ~/pull-secret-all.json  quay.io/karmab/kcli:latest registry.dsal:5000/karmab/kcli:latest

Mirror with oc-mirror binary

From the Hypervisor machine we will download de oc-mirror binary, and then we will build a "mirror-set" (config for oc-mirror) for releases 4.9.10 and 4.9.22:

  • Download binary oc-mirror

    wget https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/oc-mirror.tar.gz
tar xvfz oc-mirror.tar.gz
cp oc-mirror /usr/local/bin/
chmod +x /usr/local/bin/oc-mirror
    We use the latest version because problems with custom catalog sources

  • Copy auth/pull-secret to docker directory (we did the same in the Registry VM, but now we do it in the hypervisor)

    mkdir -p ~/.docker && cp pull-secret-all.json ~/.docker/config.json

  • We can "Init" the image set config file, and then edit it:

    oc-mirror init --registry registry.dsal:8443/mirror > 3-imageset-config.yaml

  • Please, create or modify the file named 3-imageset-config.yaml to match the following content:

    kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
archiveSize: 10
storageConfig:
  registry:
    imageURL: registry.dsal:8443/imagetset/mirror:metadata
    skipTLS: true
mirror:
  platform:
    channels:
    - name: stable-4.10
      type: ocp
      minVersion: 4.9.10
      maxVersion: 4.9.22
      shortestPath: true
    architectures:
    - amd64

  • Run mirror

    oc-mirror --config=./3-imageset-config.yaml  docker://registry.dsal:8443/mirror

If you wish, you can browse the Web UI of the Quay mirror-registry in the port 8443 and watch images mirrored (https://registry.dsal:8443). Remember, you should have sshuttle tunnel running if you want to access to the libvirt network.

oc-mirror in quay