Offline registry for Openshift 4!
In the following post, we are going to talk about creating an offline container base registry.
Prerequisites
- Linux Operating System ( in the further steps example of this post, we are going to use Fedora Linux 36 (Workstation Edition) ).
- The host should have internet connectivity
Offiline registry
Step 1. Installing podman
sudo dnf -y install podman
For other type of Linux Operating System check the Podman docs for the right command.
Step 2. Creating the application directory
of the offline registry
mkdir -p /apps/registry/{auth,certs,data}
Step 3. Installing the htpasswd
sudo dnf -y install httpd-tools
Step 4. Creating the username:password
of the offline registry
htpasswd -bBc /apps/registry/auth/htpasswd <username> <password>
Note, that the username
and password
should be replaced with the values you are going to use for your environment.
Step 5. Creating the offline self-signed certificate.
host_fqdn=$( hostname --long )
cert_c="<Country Name>" # Country Name (C, 2 letter code)
cert_s="<State>" # Certificate State (S)
cert_l="<Locality>" # Certificate Locality (L)
cert_o="<Organization>" # Certificate Organization (O)
cert_ou="<Org Unit>" # Certificate Organizational Unit (OU)
cert_cn="${host_fqdn}" # Certificate Common Name (CN)
openssl req \
-newkey rsa:4096 \
-nodes \
-sha256 \
-keyout /apps/registry/certs/domain.key \
-x509 \
-days 365 \
-out /apps/registry/certs/domain.crt \
-addext "subjectAltName = DNS:${host_fqdn}" \
-subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"
sudo cp /apps/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
In order to validate the trust certificats use the following command
sudo trust list | grep -i "registry"
Step 6. Creating the registry container
podman run -d --name ocpdiscon-registry -p 5000:5000 \
-e REGISTRY_AUTH=htpasswd \
-e REGISTRY_AUTH_HTPASSWD_REALM=Registry \
-e REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
-e REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true \
-e REGISTRY_STORAGE_DELETE_ENABLED=true \
-v /apps/registry/data:/var/lib/registry:z \
-v /apps/registry/auth:/auth:z \
-v /apps/registry/certs:/certs:z docker.io/library/registry:2.8.1
Step 7. Make sure that the firewall is having the port 5000
open
sudo firewall-cmd --add-port=5000/tcp --zone=internal --permanent
sudo firewall-cmd --add-port=5000/tcp --zone=public --permanent
sudo firewall-cmd --reload
Step 8. Manage the ocpdiscon-registry
container with systemd
mkdir -p ${HOME}/.config/systemd/user/
cd ${HOME}/.config/systemd/user/
podman generate systemd --new --files --name ocpdiscon-registry
systemctl --user daemon-reload
systemctl --user start container-ocpdiscon-registry.service
systemctl --user enable container-ocpdiscon-registry.service
systemctl --user is-active container-ocpdiscon-registry.service
cd ${HOME}
Step 9. Download the openshift-cli-client
Go to the Download Openshift CLI for linux to download the oc-cli-client
for linux.
tar xvf ${HOME}/Downloads/oc-4.10.21-linux.tar.gz
cp ${HOME}/Downloads/oc-4.10.21-linux/oc /usr/local/bin/oc
cp ${HOME}/Downloads/oc-4.10.21-linux/kubectl /usr/local/bin/kubectl
Step 10. Download the pull-secret
Go to the Download Openshift pull-secret to download the pull-secret file. Once you obtain the file check the following command to
Step 11. Modifying pull-secret
file for offline-registry use
cat ${HOME}/Downloads/pull-secret | jq . > /apps/registry/pull-secret.json
The following /apps/registry/pull-secret.json
content would follow the following template:
{
"auths": {
"cloud.openshift.com": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"quay.io": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"registry.connect.redhat.com": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
},
"registry.redhat.io": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
}
}
}
Now we should add the section that describes the credentials to the offline registry:
"auths": {
"<mirror_registry>": {
"auth": "<credentials>",
"email": "you@example.com"
},
Replace the
In the end the pull-secret.json
should follow the following template:
{
"auths": {
"cloud.openshift.com": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"quay.io": {
"auth": "b3BlbnNo...",
"email": "you@example.com"
},
"registry.connect.redhat.com": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
},
"registry.redhat.io": {
"auth": "NTE3Njg5Nj...",
"email": "you@example.com"
},
"<mirror_registry>": {
"auth": "<credentials>",
"email": "you@example.com"
}
}
}
Step 12. Login to the offline registry
podman login --authfile pull-secret.json -u <username> -p <password> INBACRNRDL0100.offline.oxtechnix.lan:5000
Login Succeeded!
Step 13. Mirroring OCP container base images to the offline registry
export LOCAL_REG_PORT="5000"
export OCP_VERSION="4.8.45"
export LOCAL_REG=$(hostname -f):$LOCAL_REG_PORT
export LOCAL_REPO=ocp-release
export UPSTREAM_REPO=$(curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$OCP_VERSION/release.txt | grep 'Pull From: quay.io' | awk -F ' ' '{print $3}')
export PULLSECRET_FILE=/apps/registry/pull-secret.json
oc adm release mirror -a ${PULLSECRET_FILE} --from=$UPSTREAM_REPO --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} --to=$LOCAL_REG/$LOCAL_REPO --apply-release-image-signature
Step 14. ICSP.yaml and install-config.yaml
Once the container base image mirroring will be finished, you will be promt with the following message:
To use the new mirrored repository to install, add the following section to the install-config.yaml:
imageContentSources:
- mirrors:
- INBACRNRDL0100.offline.oxtechnix.lan:5000/ocp-release
source: quay.io/openshift-release-dev/ocp-release
- mirrors:
- INBACRNRDL0100.offline.oxtechnix.lan:5000/ocp-release
source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
To use the new mirrored repository for upgrades, use the following to create an ImageContentSourcePolicy:
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
name: example
spec:
repositoryDigestMirrors:
- mirrors:
- INBACRNRDL0100.offline.oxtechnix.lan:5000/ocp-release
source: quay.io/openshift-release-dev/ocp-release
- mirrors:
- INBACRNRDL0100.offline.oxtechnix.lan:5000/ocp-release
source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
Save this information for later use. For more information you can check Openshift Documentation.
Step 15. Validating the mirroring
curl --user <username>:<password> https://INBACRNRDL0100.offline.oxtechnix.lan:5000/v2/_catalog
{"repositories":["ocp-release"]}