2. Collect and Publish Images to your Private Registry
This section describes how to set up your private registry so that when you install Rancher, Rancher will pull all the required images from this registry.
By default, all images used to provision Kubernetes clusters or launch any tools in Rancher, e.g. monitoring, pipelines, alerts, are pulled from Docker Hub. In an air gapped installation of Rancher, you will need a private registry that is located somewhere accessible by your Rancher server. Then, you will load the registry with all the images.
Populating the private registry with images is the same process for installing Rancher with Docker and for installing Rancher on a Kubernetes cluster.
The steps in this section differ depending on whether or not you are planning to use Rancher to provision a downstream cluster with Windows nodes or not. By default, we provide the steps of how to populate your private registry assuming that Rancher will provision downstream Kubernetes clusters with only Linux nodes. But if you plan on provisioning any downstream Kubernetes clusters using Windows nodes, there are separate instructions to support the images needed.
Prerequisites:
You must have a private registry available to use.
If the registry has certs, follow this K3s documentation about adding a private registry. The certs and registry configuration files need to be mounted into the Rancher container.
For Rancher servers that will only provision Linux clusters, these are the steps to populate your private registry.
- Find the required assets for your Rancher version
- Collect the cert-manager image (unless you are bringing your own certificates or terminating TLS on a load balancer)
- Save the images to your workstation
- Populate the private registry
Prerequisites
These steps expect you to use a Linux workstation that has internet access, access to your private registry, and at least 20 GB of disk space.
If you will use ARM64 hosts, the registry must support manifests. As of April 2020, Amazon Elastic Container Registry does not support manifests.
1. Find the required assets for your Rancher version
Go to our releases page, find the Rancher v2.x.x release that you want to install, and click Assets. Note: Don’t use releases marked
rc
orPre-release
, as they are not stable for production environments.From the release’s Assets section, download the following files, which are required to install Rancher in an air gap environment:
Release File | Description |
---|---|
rancher-images.txt | This file contains a list of images needed to install Rancher, provision clusters and user Rancher tools. |
rancher-save-images.sh | This script pulls all the images in the rancher-images.txt from Docker Hub and saves all of the images as rancher-images.tar.gz . |
rancher-load-images.sh | This script loads images from the rancher-images.tar.gz file and pushes them to your private registry. |
2. Collect the cert-manager image
Skip this step if you are using your own certificates, or if you are terminating TLS on an external load balancer.
In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS certificates, you must add the cert-manager
image to rancher-images.txt
as well.
Fetch the latest
cert-manager
Helm chart and parse the template for image details:Note: Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.12.0, please see our upgrade documentation.
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm fetch jetstack/cert-manager --version v1.5.1
helm template ./cert-manager-<version>.tgz | grep -oP '(?<=image: ").*(?=")' >> ./rancher-images.txt
Sort and unique the images list to remove any overlap between the sources:
sort -u rancher-images.txt -o rancher-images.txt
3. Save the images to your workstation
Make
rancher-save-images.sh
an executable:chmod +x rancher-save-images.sh
Run
rancher-save-images.sh
with therancher-images.txt
image list to create a tarball of all the required images:./rancher-save-images.sh --image-list ./rancher-images.txt
Result: Docker begins pulling the images used for an air gap install. Be patient. This process takes a few minutes. When the process completes, your current directory will output a tarball named
rancher-images.tar.gz
. Check that the output is in the directory.
4. Populate the private registry
Next, you will move the images in the rancher-images.tar.gz
to your private registry using the scripts to load the images.
Move the images in the rancher-images.tar.gz
to your private registry using the scripts to load the images.
The rancher-images.txt
is expected to be on the workstation in the same directory that you are running the rancher-load-images.sh
script. The rancher-images.tar.gz
should also be in the same directory.
- Log into your private registry if required:
plain docker login <REGISTRY.YOURDOMAIN.COM:PORT>
Make
rancher-load-images.sh
an executable:chmod +x rancher-load-images.sh
Use
rancher-load-images.sh
to extract, tag and pushrancher-images.txt
andrancher-images.tar.gz
to your private registry:./rancher-load-images.sh --image-list ./rancher-images.txt --registry <REGISTRY.YOURDOMAIN.COM:PORT>
For Rancher servers that will provision Linux and Windows clusters, there are distinctive steps to populate your private registry for the Windows images and the Linux images. Since a Windows cluster is a mix of Linux and Windows nodes, the Linux images pushed into the private registry are manifests.
Windows Steps
The Windows images need to be collected and pushed from a Windows server workstation.
- Find the required assets for your Rancher version
- Save the images to your Windows Server workstation
- Prepare the Docker daemon
- Populate the private registry
Prerequisites
These steps expect you to use a Windows Server 1809 workstation that has internet access, access to your private registry, and at least 50 GB of disk space.
The workstation must have Docker 18.02+ in order to support manifests, which are required when provisioning Windows clusters.
Your registry must support manifests. As of April 2020, Amazon Elastic Container Registry does not support manifests.
1. Find the required assets for your Rancher version
Browse to our releases page and find the Rancher v2.x.x release that you want to install. Don’t download releases marked
rc
orPre-release
, as they are not stable for production environments.From the release’s “Assets” section, download the following files:
Release File | Description |
---|---|
rancher-windows-images.txt | This file contains a list of Windows images needed to provision Windows clusters. |
rancher-save-images.ps1 | This script pulls all the images in the rancher-windows-images.txt from Docker Hub and saves all of the images as rancher-windows-images.tar.gz . |
rancher-load-images.ps1 | This script loads the images from the rancher-windows-images.tar.gz file and pushes them to your private registry. |
2. Save the images to your Windows Server workstation
Using
powershell
, go to the directory that has the files that were downloaded in the previous step.Run
rancher-save-images.ps1
to create a tarball of all the required images:./rancher-save-images.ps1
Result: Docker begins pulling the images used for an air gap install. Be patient. This process takes a few minutes. When the process completes, your current directory will output a tarball named rancher-windows-images.tar.gz
. Check that the output is in the directory.
3. Prepare the Docker daemon
Append your private registry address to the allow-nondistributable-artifacts
config field in the Docker daemon (C:\ProgramData\Docker\config\daemon.json
). Since the base image of Windows images are maintained by the mcr.microsoft.com
registry, this step is required as the layers in the Microsoft registry are missing from Docker Hub and need to be pulled into the private registry.
{
...
"allow-nondistributable-artifacts": [
...
"<REGISTRY.YOURDOMAIN.COM:PORT>"
]
...
}
4. Populate the private registry
Move the images in the rancher-windows-images.tar.gz
to your private registry using the scripts to load the images.
The rancher-windows-images.txt
is expected to be on the workstation in the same directory that you are running the rancher-load-images.ps1
script. The rancher-windows-images.tar.gz
should also be in the same directory.
Using
powershell
, log into your private registry if required:docker login <REGISTRY.YOURDOMAIN.COM:PORT>
Using
powershell
, userancher-load-images.ps1
to extract, tag and push the images fromrancher-images.tar.gz
to your private registry:./rancher-load-images.ps1 --registry <REGISTRY.YOURDOMAIN.COM:PORT>
Linux Steps
The Linux images need to be collected and pushed from a Linux host, but must be done after populating the Windows images into the private registry. These step are different from the Linux only steps as the Linux images that are pushed will actually manifests that support Windows and Linux images.
- Find the required assets for your Rancher version
- Collect all the required images
- Save the images to your Linux workstation
- Populate the private registry
Prerequisites
You must populate the private registry with the Windows images before populating the private registry with Linux images. If you have already populated the registry with Linux images, you will need to follow these instructions again as they will publish manifests that support Windows and Linux images.
These steps expect you to use a Linux workstation that has internet access, access to your private registry, and at least 20 GB of disk space.
The workstation must have Docker 18.02+ in order to support manifests, which are required when provisioning Windows clusters.
1. Find the required assets for your Rancher version
Browse to our releases page and find the Rancher v2.x.x release that you want to install. Don’t download releases marked
rc
orPre-release
, as they are not stable for production environments. Click Assets.From the release’s Assets section, download the following files:
Release File | Description |
---|---|
rancher-images.txt | This file contains a list of images needed to install Rancher, provision clusters and user Rancher tools. |
rancher-windows-images.txt | This file contains a list of images needed to provision Windows clusters. |
rancher-save-images.sh | This script pulls all the images in the rancher-images.txt from Docker Hub and saves all of the images as rancher-images.tar.gz . |
rancher-load-images.sh | This script loads images from the rancher-images.tar.gz file and pushes them to your private registry. |
2. Collect all the required images
For Kubernetes Installs using Rancher Generated Self-Signed Certificate: In a Kubernetes Install, if you elect to use the Rancher default self-signed TLS certificates, you must add the cert-manager
image to rancher-images.txt
as well. You skip this step if you are using you using your own certificates.
Fetch the latest
cert-manager
Helm chart and parse the template for image details: > Note: Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.12.0, please see our upgrade documentation.helm repo add jetstack https://charts.jetstack.io
helm repo update
helm fetch jetstack/cert-manager --version v0.12.0
helm template ./cert-manager-<version>.tgz | grep -oP '(?<=image: ").*(?=")' >> ./rancher-images.txt
Sort and unique the images list to remove any overlap between the sources:
sort -u rancher-images.txt -o rancher-images.txt
3. Save the images to your workstation
Make
rancher-save-images.sh
an executable:chmod +x rancher-save-images.sh
Run
rancher-save-images.sh
with therancher-images.txt
image list to create a tarball of all the required images:./rancher-save-images.sh --image-list ./rancher-images.txt
Result: Docker begins pulling the images used for an air gap install. Be patient. This process takes a few minutes. When the process completes, your current directory will output a tarball named rancher-images.tar.gz
. Check that the output is in the directory.
4. Populate the private registry
Move the images in the rancher-images.tar.gz
to your private registry using the rancher-load-images.sh script
to load the images.
The image list, rancher-images.txt
or rancher-windows-images.txt
, is expected to be on the workstation in the same directory that you are running the rancher-load-images.sh
script. The rancher-images.tar.gz
should also be in the same directory.
Log into your private registry if required:
docker login <REGISTRY.YOURDOMAIN.COM:PORT>
Make
rancher-load-images.sh
an executable:chmod +x rancher-load-images.sh
Use
rancher-load-images.sh
to extract, tag and push the images fromrancher-images.tar.gz
to your private registry:
./rancher-load-images.sh --image-list ./rancher-images.txt \
--windows-image-list ./rancher-windows-images.txt \
--registry <REGISTRY.YOURDOMAIN.COM:PORT>