Creating a mirror registry with mirror registry for Red Hat OpenShift

The mirror registry for Red Hat OpenShift is a small and streamlined container registry that you can use as a target for mirroring the required container images of OKD for disconnected installations.

If you already have a container image registry, such as Red Hat Quay, you can skip this section and go straight to Mirroring the OpenShift Container Platform image repository.

Prerequisites

  • An OKD subscription.

  • Fedora 8 and 9 with Podman 3.4.2 or later and OpenSSL installed.

  • Fully qualified domain name for the Red Hat Quay service, which must resolve through a DNS server.

  • Key-based SSH connectivity on the target host. SSH keys are automatically generated for local installs. For remote hosts, you must generate your own SSH keys.

  • 2 or more vCPUs.

  • 8 GB of RAM.

  • About 12 GB for OKD 4 release images, or about 358 GB for OKD 4 release images and OKD 4 Red Hat Operator images. Up to 1 TB per stream or more is suggested.

    These requirements are based on local testing results with only release images and Operator images. Storage requirements can vary based on your organization’s needs. You might require more space, for example, when you mirror multiple z-streams. You can use standard Red Hat Quay functionality or the proper API callout to remove unnecessary images and free up space.

Mirror registry for Red Hat OpenShift introduction

For disconnected deployments of OKD, a container registry is required to carry out the installation of the clusters. To run a production-grade registry service on such a cluster, you must create a separate registry deployment to install the first cluster. The mirror registry for Red Hat OpenShift addresses this need and is included in every OpenShift subscription. It is available for download on the OpenShift console Downloads page.

The mirror registry for Red Hat OpenShift allows users to install a small-scale version of Red Hat Quay and its required components using the mirror-registry command line interface (CLI) tool. The mirror registry for Red Hat OpenShift is deployed automatically with preconfigured local storage and a local database. It also includes auto-generated user credentials and access permissions with a single set of inputs and no additional configuration choices to get started.

The mirror registry for Red Hat OpenShift provides a pre-determined network configuration and reports deployed component credentials and access URLs upon success. A limited set of optional configuration inputs like fully qualified domain name (FQDN) services, superuser name and password, and custom TLS certificates are also provided. This provides users with a container registry so that they can easily create an offline mirror of all OKD release content when running OKD in restricted network environments.

Use of the mirror registry for Red Hat OpenShift is optional if another container registry is already available in the install environment.

Mirror registry for Red Hat OpenShift limitations

The following limitations apply to the mirror registry for Red Hat OpenShift:

  • The mirror registry for Red Hat OpenShift is not a highly-available registry and only local file system storage is supported. It is not intended to replace Red Hat Quay or the internal image registry for OKD.

  • The mirror registry for Red Hat OpenShift is only supported for hosting images that are required to install a disconnected OKD cluster, such as Release images or Red Hat Operator images. It uses local storage on your Fedora machine, and storage supported by Fedora is supported by the mirror registry for Red Hat OpenShift.

  • Support for Red Hat product images that are pushed to the mirror registry for Red Hat OpenShift for bootstrapping purposes are covered by valid subscriptions for each respective product. A list of exceptions to further enable the bootstrap experience can be found on the Self-managed Red Hat OpenShift sizing and subscription guide.

  • Content built by customers should not be hosted by the mirror registry for Red Hat OpenShift.

  • Using the mirror registry for Red Hat OpenShift with more than one cluster is discouraged because multiple clusters can create a single point of failure when updating your cluster fleet. It is advised to leverage the mirror registry for Red Hat OpenShift to install a cluster that can host a production-grade, highly-available registry such as Red Hat Quay, which can serve OKD content to other clusters.

Mirroring on a local host with mirror registry for Red Hat OpenShift

This procedure explains how to install the mirror registry for Red Hat OpenShift on a local host using the mirror-registry installer tool. By doing so, users can create a local host registry running on port 443 for the purpose of storing a mirror of OKD images.

Installing the mirror registry for Red Hat OpenShift using the mirror-registry CLI tool makes several changes to your machine. After installation, a $HOME/quay-install directory is created, which has installation files, local storage, and the configuration bundle. Trusted SSH keys are generated in case the deployment target is the local host, and systemd files on the host machine are set up to ensure that container runtimes are persistent. Additionally, an initial user named init is created with an automatically generated password. All access credentials are printed at the end of the install routine.

Procedure

  1. Download the mirror-registry.tar.gz package for the latest version of the mirror registry for Red Hat OpenShift found on the OpenShift console Downloads page.

  2. Install the mirror registry for Red Hat OpenShift on your local host with your current user account by using the mirror-registry tool. For a full list of available flags, see “mirror registry for Red Hat OpenShift flags”.

    1. $ ./mirror-registry install \
    2. --quayHostname <host_example_com> \
    3. --quayRoot <example_directory_name>
  3. Use the user name and password generated during installation to log into the registry by running the following command:

    1. $ podman login -u init \
    2. -p <password> \
    3. <host_example_com>:8443> \
    4. --tls-verify=false (1)
    1You can avoid running —tls-verify=false by configuring your system to trust the generated rootCA certificates. See “Using SSL to protect connections to Red Hat Quay” and “Configuring the system to trust the certificate authority” for more information.

    You can also log in by accessing the UI at https://<host.example.com>:8443 after installation.

  4. You can mirror OKD images after logging in. Depending on your needs, see either the “Mirroring the OKD image repository” or the “Mirroring Operator catalogs for use with disconnected clusters” sections of this document.

    If there are issues with images stored by the mirror registry for Red Hat OpenShift due to storage layer problems, you can remirror the OKD images, or reinstall mirror registry on more stable storage.

Updating mirror registry for Red Hat OpenShift from a local host

This procedure explains how to update the mirror registry for Red Hat OpenShift from a local host using the upgrade command. Updating to the latest version ensures new features, bug fixes, and security vulnerability fixes.

When updating, there is intermittent downtime of your mirror registry, as it is restarted during the update process.

Prerequisites

  • You have installed the mirror registry for Red Hat OpenShift on a local host.

Procedure

  • If you are upgrading the mirror registry for Red Hat OpenShift from 1.2.z → 1.3.0, and your installation directory is the default at /etc/quay-install, you can enter the following command:

    1. $ sudo ./mirror-registry upgrade -v
    • mirror registry for Red Hat OpenShift migrates Podman volumes for Quay storage, Postgres data, and /etc/quay-install data to the new $HOME/quay-install location. This allows you to use mirror registry for Red Hat OpenShift without the —quayRoot flag during future upgrades.

    • Users who upgrade mirror registry for Red Hat OpenShift with the ./mirror-registry upgrade -v flag must include the same credentials used when creating their mirror registry. For example, if you installed the mirror registry for Red Hat OpenShift with —quayHostname <host_example_com> and —quayRoot <example_directory_name>, you must include that string to properly upgrade the mirror registry.

  • If you are upgrading the mirror registry for Red Hat OpenShift from 1.2.z → 1.3.0 and you used a specified directory in your 1.2.z deployment, you must pass in the new --pgStorage and --quayStorage flags. For example:

    1. $ sudo ./mirror-registry upgrade --quayHostname <host_example_com> --quayRoot <example_directory_name> --pgStorage <example_directory_name>/pg-data --quayStorage <example_directory_name>/quay-storage -v

Mirroring on a remote host with mirror registry for Red Hat OpenShift

This procedure explains how to install the mirror registry for Red Hat OpenShift on a remote host using the mirror-registry tool. By doing so, users can create a registry to hold a mirror of OKD images.

Installing the mirror registry for Red Hat OpenShift using the mirror-registry CLI tool makes several changes to your machine. After installation, a $HOME/quay-install directory is created, which has installation files, local storage, and the configuration bundle. Trusted SSH keys are generated in case the deployment target is the local host, and systemd files on the host machine are set up to ensure that container runtimes are persistent. Additionally, an initial user named init is created with an automatically generated password. All access credentials are printed at the end of the install routine.

Procedure

  1. Download the mirror-registry.tar.gz package for the latest version of the mirror registry for Red Hat OpenShift found on the OpenShift console Downloads page.

  2. Install the mirror registry for Red Hat OpenShift on your local host with your current user account by using the mirror-registry tool. For a full list of available flags, see “mirror registry for Red Hat OpenShift flags”.

    1. $ ./mirror-registry install -v \
    2. --targetHostname <host_example_com> \
    3. --targetUsername <example_user> \
    4. -k ~/.ssh/my_ssh_key \
    5. --quayHostname <host_example_com> \
    6. --quayRoot <example_directory_name>
  3. Use the user name and password generated during installation to log into the mirror registry by running the following command:

    1. $ podman login -u init \
    2. -p <password> \
    3. <host_example_com>:8443> \
    4. --tls-verify=false (1)
    1You can avoid running —tls-verify=false by configuring your system to trust the generated rootCA certificates. See “Using SSL to protect connections to Red Hat Quay” and “Configuring the system to trust the certificate authority” for more information.

    You can also log in by accessing the UI at https://<host.example.com>:8443 after installation.

  4. You can mirror OKD images after logging in. Depending on your needs, see either the “Mirroring the OpenShift Container Platform image repository” or the “Mirroring Operator catalogs for use with disconnected clusters” sections of this document.

    If there are issues with images stored by the mirror registry for Red Hat OpenShift due to storage layer problems, you can remirror the OKD images, or reinstall mirror registry on more stable storage.

Updating mirror registry for Red Hat OpenShift from a remote host

This procedure explains how to update the mirror registry for Red Hat OpenShift from a remote host using the upgrade command. Updating to the latest version ensures bug fixes and security vulnerability fixes.

When updating, there is intermittent downtime of your mirror registry, as it is restarted during the update process.

Prerequisites

  • You have installed the mirror registry for Red Hat OpenShift on a remote host.

Procedure

  • To upgrade the mirror registry for Red Hat OpenShift from a remote host, enter the following command:

    1. $ ./mirror-registry upgrade -v --targetHostname <remote_host_url> --targetUsername <user_name> -k ~/.ssh/my_ssh_key

    Users who upgrade the mirror registry for Red Hat OpenShift with the ./mirror-registry upgrade -v flag must include the same credentials used when creating their mirror registry. For example, if you installed the mirror registry for Red Hat OpenShift with —quayHostname <host_example_com> and —quayRoot <example_directory_name>, you must include that string to properly upgrade the mirror registry.

Replacing mirror registry for Red Hat OpenShift SSL/TLS certificates

In some cases, you might want to update your SSL/TLS certificates for the mirror registry for Red Hat OpenShift. This is useful in the following scenarios:

  • If you are replacing the current mirror registry for Red Hat OpenShift certificate.

  • If you are using the same certificate as the previous mirror registry for Red Hat OpenShift installation.

  • If you are periodically updating the mirror registry for Red Hat OpenShift certificate.

Use the following procedure to replace mirror registry for Red Hat OpenShift SSL/TLS certificates.

Prerequisites

Procedure

  1. Enter the following command to install the mirror registry for Red Hat OpenShift:

    1. $ ./mirror-registry install \
    2. --quayHostname <host_example_com> \
    3. --quayRoot <example_directory_name>

    This installs the mirror registry for Red Hat OpenShift to the $HOME/quay-install directory.

  2. Prepare a new certificate authority (CA) bundle and generate new ssl.key and ssl.crt key files. For more information, see Using SSL/TLS.

  3. Assign /$HOME/quay-install an environment variable, for example, QUAY, by entering the following command:

    1. $ export QUAY=/$HOME/quay-install
  4. Copy the new ssl.crt file to the /$HOME/quay-install directory by entering the following command:

    1. $ cp ~/ssl.crt $QUAY/quay-config
  5. Copy the new ssl.key file to the /$HOME/quay-install directory by entering the following command:

    1. $ cp ~/ssl.key $QUAY/quay-config
  6. Restart the quay-app application pod by entering the following command:

    1. $ systemctl restart quay-app

Uninstalling the mirror registry for Red Hat OpenShift

  • You can uninstall the mirror registry for Red Hat OpenShift from your local host by running the following command:

    1. $ ./mirror-registry uninstall -v \
    2. --quayRoot <example_directory_name>
    • Deleting the mirror registry for Red Hat OpenShift will prompt the user before deletion. You can use —autoApprove to skip this prompt.

    • Users who install the mirror registry for Red Hat OpenShift with the —quayRoot flag must include the —quayRoot flag when uninstalling. For example, if you installed the mirror registry for Red Hat OpenShift with —quayRoot example_directory_name, you must include that string to properly uninstall the mirror registry.

Mirror registry for Red Hat OpenShift flags

The following flags are available for the mirror registry for Red Hat OpenShift:

FlagsDescription

—autoApprove

A boolean value that disables interactive prompts. If set to true, the quayRoot directory is automatically deleted when uninstalling the mirror registry. Defaults to false if left unspecified.

—initPassword

The password of the init user created during Quay installation. Must be at least eight characters and contain no whitespace.

—initUser string

Shows the username of the initial user. Defaults to init if left unspecified.

—no-color, -c

Allows users to disable color sequences and propagate that to Ansible when running install, uninstall, and upgrade commands.

—pgStorage

The folder where Postgres persistent storage data is saved. Defaults to the pg-storage Podman volume. Root privileges are required to uninstall.

—quayHostname

The fully-qualified domain name of the mirror registry that clients will use to contact the registry. Equivalent to SERVER_HOSTNAME in the Quay config.yaml. Must resolve by DNS. Defaults to <targetHostname>:8443 if left unspecified. [1]

—quayStorage

The folder where Quay persistent storage data is saved. Defaults to the quay-storage Podman volume. Root privileges are required to uninstall.

—quayRoot, -r

The directory where container image layer and configuration data is saved, including rootCA.key, rootCA.pem, and rootCA.srl certificates. Defaults to $HOME/quay-install if left unspecified.

—ssh-key, -k

The path of your SSH identity key. Defaults to ~/.ssh/quay_installer if left unspecified.

—sslCert

The path to the SSL/TLS public key / certificate. Defaults to {quayRoot}/quay-config and is auto-generated if left unspecified.

—sslCheckSkip

Skips the check for the certificate hostname against the SERVER_HOSTNAME in the config.yaml file. [2]

—sslKey

The path to the SSL/TLS private key used for HTTPS communication. Defaults to {quayRoot}/quay-config and is auto-generated if left unspecified.

—targetHostname, -H

The hostname of the target you want to install Quay to. Defaults to $HOST, for example, a local host, if left unspecified.

—targetUsername, -u

The user on the target host which will be used for SSH. Defaults to $USER, for example, the current user if left unspecified.

—verbose, -v

Shows debug logs and Ansible playbook outputs.

—version

Shows the version for the mirror registry for Red Hat OpenShift.

  1. --quayHostname must be modified if the public DNS name of your system is different from the local hostname. Additionally, the --quayHostname flag does not support installation with an IP address. Installation with a hostname is required.

  2. --sslCheckSkip is used in cases when the mirror registry is set behind a proxy and the exposed hostname is different from the internal Quay hostname. It can also be used when users do not want the certificates to be validated against the provided Quay hostname during installation.

Mirror registry for Red Hat OpenShift release notes

The mirror registry for Red Hat OpenShift is a small and streamlined container registry that you can use as a target for mirroring the required container images of OKD for disconnected installations.

These release notes track the development of the mirror registry for Red Hat OpenShift in OKD.

For an overview of the mirror registry for Red Hat OpenShift, see Creating a mirror registry with mirror registry for Red Hat OpenShift.

Mirror registry for Red Hat OpenShift 1.3.10

Issued: 2023-12-07

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.8.14.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.3.9

Issued: 2023-09-19

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.8.12.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.3.8

Issued: 2023-08-16

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.8.11.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.3.7

Issued: 2023-07-19

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.8.10.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.3.6

Issued: 2023-05-30

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.8.8.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.3.5

Issued: 2023-05-18

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.8.7.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.3.4

Issued: 2023-04-25

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.8.6.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.3.3

Issued: 2023-04-05

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.8.5.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.3.2

Issued: 2023-03-21

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.8.4.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.3.1

Issued: 2023-03-7

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.8.3.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.3.0

Issued: 2023-02-20

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.8.1.

The following advisory is available for the mirror registry for Red Hat OpenShift:

New features

  • Mirror registry for Red Hat OpenShift is now supported on Fedora 9 installations.

  • IPv6 support is now available on mirror registry for Red Hat OpenShift local host installations.

    IPv6 is currently unsupported on mirror registry for Red Hat OpenShift remote host installations.

  • A new feature flag, --quayStorage, has been added. By specifying this flag, you can manually set the location for the Quay persistent storage.

  • A new feature flag, --pgStorage, has been added. By specifying this flag, you can manually set the location for the Postgres persistent storage.

  • Previously, users were required to have root privileges (sudo) to install mirror registry for Red Hat OpenShift. With this update, sudo is no longer required to install mirror registry for Red Hat OpenShift.

    When mirror registry for Red Hat OpenShift was installed with sudo, an /etc/quay-install directory that contained installation files, local storage, and the configuration bundle was created. With the removal of the sudo requirement, installation files and the configuration bundle are now installed to $HOME/quay-install. Local storage, for example Postgres and Quay, are now stored in named volumes automatically created by Podman.

    To override the default directories that these files are stored in, you can use the command line arguments for mirror registry for Red Hat OpenShift. For more information about mirror registry for Red Hat OpenShift command line arguments, see “Mirror registry for Red Hat OpenShift flags”.

Bug fixes

  • Previously, the following error could be returned when attempting to uninstall mirror registry for Red Hat OpenShift: ["Error: no container with name or ID \"quay-postgres\" found: no such container"], "stdout": "", "stdout_lines": []*****. With this update, the order that mirror registry for Red Hat OpenShift services are stopped and uninstalled have been changed so that the error no longer occurs when uninstalling mirror registry for Red Hat OpenShift. For more information, see PROJQUAY-4629.

Mirror registry for Red Hat OpenShift 1.2.9

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.7.10.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.2.8

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.7.9.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.2.7

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.7.8.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Bug fixes

  • Previously, getFQDN() relied on the fully-qualified domain name (FQDN) library to determine its FQDN, and the FQDN library tried to read the /etc/hosts folder directly. Consequently, on some Fedora CoreOS (FCOS) installations with uncommon DNS configurations, the FQDN library would fail to install and abort the installation. With this update, mirror registry for Red Hat OpenShift uses hostname to determine the FQDN. As a result, the FQDN library does not fail to install. (PROJQUAY-4139)

Mirror registry for Red Hat OpenShift 1.2.6

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.7.7.

The following advisory is available for the mirror registry for Red Hat OpenShift:

New features

A new feature flag, --no-color (-c) has been added. This feature flag allows users to disable color sequences and propagate that to Ansible when running install, uninstall, and upgrade commands.

Mirror registry for Red Hat OpenShift 1.2.5

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.7.6.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.2.4

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.7.5.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.2.3

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.7.4.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.2.2

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.7.3.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.2.1

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.7.2.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Mirror registry for Red Hat OpenShift 1.2.0

Mirror registry for Red Hat OpenShift is now available with Red Hat Quay 3.7.1.

The following advisory is available for the mirror registry for Red Hat OpenShift:

Bug fixes

  • Previously, all components and workers running inside of the Quay pod Operator had log levels set to DEBUG. As a result, large traffic logs were created that consumed unnecessary space. With this update, log levels are set to WARN by default, which reduces traffic information while emphasizing problem scenarios. (PROJQUAY-3504)

Mirror registry for Red Hat OpenShift 1.1.0

The following advisory is available for the mirror registry for Red Hat OpenShift:

New features

  • A new command, mirror-registry upgrade has been added. This command upgrades all container images without interfering with configurations or data.

    If quayRoot was previously set to something other than default, it must be passed into the upgrade command.

Bug fixes

  • Previously, the absence of quayHostname or targetHostname did not default to the local hostname. With this update, quayHostname and targetHostname now default to the local hostname if they are missing. (PROJQUAY-3079)

  • Previously, the command ./mirror-registry --version returned an unknown flag error. Now, running ./mirror-registry --version returns the current version of the mirror registry for Red Hat OpenShift. (PROJQUAY-3086)

  • Previously, users could not set a password during installation, for example, when running ./mirror-registry install --initUser <user_name> --initPassword <password> --verbose. With this update, users can set a password during installation. (PROJQUAY-3149)

  • Previously, the mirror registry for Red Hat OpenShift did not recreate pods if they were destroyed. Now, pods are recreated if they are destroyed. (PROJQUAY-3261)

Troubleshooting mirror registry for Red Hat OpenShift

To assist in troubleshooting mirror registry for Red Hat OpenShift, you can gather logs of systemd services installed by the mirror registry. The following services are installed:

  • quay-app.service

  • quay-postgres.service

  • quay-redis.service

  • quay-pod.service

Prerequisites

  • You have installed mirror registry for Red Hat OpenShift.

Procedure

  • If you installed mirror registry for Red Hat OpenShift with root privileges, you can get the status information of its systemd services by entering the following command:

    1. $ sudo systemctl status <service>
  • If you installed mirror registry for Red Hat OpenShift as a standard user, you can get the status information of its systemd services by entering the following command:

    1. $ systemctl --user status <service>

Additional resources