Air-gapped installation

Download oc client

Download oc client from cloud.redhat.com or mirror.openshift.com

Create mirror registry

This follows the official documentation: Creating a mirror registry for installation in a restricted network. It is just a short wrap up for me.

Install & prepare image registry

yum -y install podman httpd-tools

mkdir -p /var/lib/libvirt/images/mirror-registry/{auth,certs,data}

openssl req -newkey rsa:4096 -nodes -sha256 \
  -keyout /var/lib/libvirt/images/mirror-registry/certs/domain.key \
  -x509 -days 365 -subj "/CN=host.compute.local" \
  -out /var/lib/libvirt/images/mirror-registry/certs/domain.crt

cp -v /var/lib/libvirt/images/mirror-registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust

htpasswd -bBc /var/lib/libvirt/images/mirror-registry/auth/htpasswd admin r3dh4t\!1

Create internal registry service: /etc/systemd/system/mirror-registry.service

Change REGISTRY_HTTP_ADDR in case you use different network

cat - > /etc/systemd/system/mirror-registry.service <<EOF
[Unit]
Description=Mirror registry (mirror-registry)
After=network.target

[Service]
Type=simple
TimeoutStartSec=5m

ExecStartPre=-/usr/bin/podman rm "mirror-registry"
ExecStartPre=/usr/bin/podman pull quay.io/redhat-emea-ssa-team/registry:2
ExecStart=/usr/bin/podman run --name mirror-registry --net host \
  -v /var/lib/libvirt/images/mirror-registry/data:/var/lib/registry:z \
  -v /var/lib/libvirt/images/mirror-registry/auth:/auth:z \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_HTTP_ADDR=192.168.50.1:5000" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=registry-realm" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
  -e "REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=TRUE" \
  -v /var/lib/libvirt/images/mirror-registry/certs:/certs:z \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -e REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true \
  quay.io/redhat-emea-ssa-team/registry:2

ExecReload=-/usr/bin/podman stop "mirror-registry"
ExecReload=-/usr/bin/podman rm "mirror-registry"
ExecStop=-/usr/bin/podman stop "mirror-registry"
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target
EOF

Enable and start mirror registry

systemctl enable --now mirror-registry.service
systemctl status mirror-registry.service

Configure firewall for Centos or RHEL

firewall-cmd --zone=public --permanent --add-port=5000/tcp
firewall-cmd --reload

Check registry

$ curl -u admin:r3dh4t\!1 https://host.compute.local:5000/v2/_catalog
{"repositories":[]}

Create mirror registry pullsecret

podman login --authfile mirror-registry-pullsecret.json host.compute.local:5000

Download Red Hat pull secret

Download Red Hat pull secret and store it in redhat-pullsecret.json

Mirror images

Merge mirror-registry-pullsecret.json & redhat-pullsecret.json

jq -s '{"auths": ( .[0].auths + .[1].auths ) }' mirror-registry-pullsecret.json redhat-pullsecret.json > pullsecret.json

Mirror images:

export OCP_RELEASE=$(oc version -o json  --client | jq -r '.releaseClientVersion')
export LOCAL_REGISTRY='host.compute.local:5000'
export LOCAL_REPOSITORY='ocp4/openshift4'
export PRODUCT_REPO='openshift-release-dev'
export LOCAL_SECRET_JSON='pullsecret.json'
export RELEASE_NAME="ocp-release"
export ARCHITECTURE=x86_64
# export REMOVABLE_MEDIA_PATH=<path>

# Try run:

oc adm -a ${LOCAL_SECRET_JSON} release mirror \
     --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
     --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
     --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run

oc adm -a ${LOCAL_SECRET_JSON} release mirror \
     --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
     --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
     --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}

Save the output:

info: Mirroring completed in 57.1s (81.95MB/s)

Success
Update image:  host.compute.local:5000/ocp4/openshift4:4.2.0
Mirror prefix: host.compute.local:5000/ocp4/openshift4

To use the new mirrored repository to install, add the following section to the install-config.yaml:

imageContentSources:
- mirrors:
  - host.compute.local:5000/ocp4/openshift4
  source: quay.io/openshift-release-dev/ocp-release
- mirrors:
  - host.compute.local:5000/ocp4/openshift4
  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev


To use the new mirrored repository for upgrades, use the following to create an ImageContentSourcePolicy:

apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: example
spec:
  repositoryDigestMirrors:
  - mirrors:
    - host.compute.local:5000/ocp4/openshift4
    source: quay.io/openshift-release-dev/ocp-release
  - mirrors:
    - host.compute.local:5000/ocp4/openshift4
    source: quay.io/openshift-release-dev/ocp-v4.0-art-dev

Extract openshift-install command

oc adm release extract -a pullsecret.json --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}"

Check openshift-install version:

$ ./openshift-install version
./openshift-install 4.5.2
built from commit 6336a4b3d696dd898eed192e4188edbac99e8c27
release image host.compute.local:5000/ocp4/openshift4@sha256:8f923b7b8efdeac619eb0e7697106c1d17dd3d262c49d8742b38600417cf7d1d

Ressources

• Creating a mirror registry for installation in a restricted network
• Installing a cluster on bare metal in a restricted network
• https://github.com/openshift-telco/openshift4x-poc/blob/master/utils/Registry/local-registry.md
• https://github.com/ashcrow/filetranspiler
• https://github.com/dwojciec/OLM-disconnected
• https://github.com/operator-framework/operator-registry
• RH-INTERN: Disconnected “Air-gapped” Install Procedure
• RH-INTERN: OLM Disconnected Install

---

Last update: December 6, 2020