Mirroring images for a disconnected installation using oc-mirror plugin v2 - Mirroring in disconnected environments | Disconnected environments

About oc-mirror plugin v2
- High level workflow
- oc-mirror plugin v2 compatibility and support
Prerequisites
Preparing your mirror hosts
- Installing the oc-mirror OpenShift CLI plugin
- Configuring credentials that allow images to be mirrored
Mirroring an image set to a mirror registry
About custom resources generated by oc-mirror plugin v2
- Configuring your cluster to use the resources generated by oc-mirror plugin v2
Deletion of images from your disconnected environment
- Resolving storage cleanup issues in the distribution registry
- Deleting images from a disconnected environment
Verifying your selected images for mirroring
- Performing a dry run for oc-mirror plugin v2
- Troubleshooting oc-mirror plugin v2 errors
Benefits of enclave support
- Enclave mirroring workflow
- Mirroring to an enclave
oc-mirror plugin v2 support proxy setting
How filtering works in the operator catalog
ImageSet configuration parameters for oc-mirror plugin v2
- Delete ImageSet Configuration parameters
Command reference for oc-mirror plugin v2
- Command reference for deleting images
Next steps

You can run your cluster in a disconnected environment if you install the cluster from a mirrored set of OpenShift Container Platform container images in a private registry. This registry must be running whenever your cluster is running.

You can use oc-mirror plugin v2 to mirror images to a mirror registry in your fully or partially disconnected environments. To download the required images from the official Red Hat registries, you must run oc-mirror plugin v2 from a system with internet connectivity.

About oc-mirror plugin v2

The oc-mirror OpenShift CLI (oc) plugin is a single tool that mirrors all required OpenShift Container Platform content and other images to your mirror registry.

To use the new version of oc-mirror, add the --v2 flag to the oc-mirror plugin v2 command line.

oc-mirror plugin v2 has the following features:

Provides a centralized method to mirror OpenShift Container Platform releases, Operators, helm charts, and other images.
Verifies that the complete image set specified in the image set configuration file is mirrored to the mirrored registry, regardless of whether the images were previously mirrored or not.
Uses a cache system instead of metadata, which prevents the need to start the mirroring process over in the case of a failure for a single step of the process.
Maintains minimal archive sizes by incorporating only new images into the archive.
Generates mirroring archives with content selected by mirroring date.
Can generate ImageDigestMirrorSet (IDMS) and ImageTagMirrorSet (ITMS) resources, which cover the full image set, instead of an ImageContentSourcePolicy (ICSP) resource, which only covered incremental changes to the image set for each mirroring operation with v1.
Does not perform automatic pruning. v2 now uses a Delete feature, which grants users more control over deleting images.
Introduces support for registries.conf files. This change facilitates mirroring to multiple enclaves while using the same cache.

High level workflow

The following steps outline the high-level workflow on how to use the oc-mirror plugin v2 to mirror images to a mirror registry:

Create an image set configuration file.
Mirror the image set to the target mirror registry by using one of the following workflows:
- Mirror an image set directly to the target mirror registry (mirror to mirror).
- Mirror an image set to disk (mirror to disk), transfer the tar file to the target environment, then mirror the image set to the target mirror registry (disk to mirror).
Configure your cluster to use the resources generated by the oc-mirror plugin v2.
Repeat these steps to update your target mirror registry as necessary.

oc-mirror plugin v2 compatibility and support

The oc-mirror plugin v2 is supported for OpenShift Container Platform.

On aarch64, ppc64le, and s390x architectures the oc-mirror plugin v2 is supported only for OpenShift Container Platform 4.14 and later.

Use the latest available version of the oc-mirror plugin v2 regardless of which versions of OpenShift Container Platform you need to mirror.

Prerequisites

You must have a container image registry that supports Docker V2-2 in the location that hosts the OpenShift Container Platform cluster, such as Red Hat Quay.

If you use Red Hat Quay, use version 3.6 or later with the oc-mirror plugin. See Deploying the Red Hat Quay Operator on OpenShift Container Platform (Red Hat Quay documentation). If you need additional assistance selecting and installing a registry, contact your sales representative or Red Hat Support.
If you do not have an existing solution for a container image registry, OpenShift Container Platform subscribers receive a mirror registry for Red Hat OpenShift. This mirror registry is included with your subscription and serves as a small-scale container registry. You can use this registry to mirror the necessary container images of OpenShift Container Platform for disconnected installations.

Every machine in the provisioned clusters must have access to the mirror registry. If the registry is unreachable, tasks like installation, updating, or routine operations such as workload relocation, might fail. Mirror registries must be operated in a highly available manner, ensuring their availability aligns with the production availability of your OpenShift Container Platform clusters.

Preparing your mirror hosts

To use the oc-mirror plugin v2 for image mirroring, you must install the plugin and create a file with credentials for container images, enabling you to mirror from Red Hat to your mirror.

Installing the oc-mirror OpenShift CLI plugin

Install the oc-mirror OpenShift CLI plugin to manage image sets in disconnected environments.

Prerequisites

You have installed the OpenShift CLI (oc). If you are mirroring image sets in a fully disconnected environment, ensure the following:
- You have installed the oc-mirror plugin on the host that has internet access.
- The host in the disconnected environment has access to the target mirror registry.
You have set the umask parameter to 0022 on the operating system that uses oc-mirror.
You have installed the correct binary for the RHEL version that you are using.

Procedure

Download the oc-mirror CLI plugin:
1. Navigate to the Downloads page of the Red Hat Hybrid Cloud Console.
2. In the OpenShift disconnected installation tools section, select the OS type and Architecture type of the OpenShift Client (oc) mirror plugin from the dropdown menus.
3. Click Download to save the file.
Extract the archive by running the following command:
```
$ tar xvzf oc-mirror.tar.gz
```
If necessary, update the plugin file to be executable by running the following command:
```
$ chmod +x oc-mirror
```
Do not rename the oc-mirror file.
Install the oc-mirror CLI plugin by placing the file in your PATH, for example /usr/local/bin, by running the following command:
```
$ sudo mv oc-mirror /usr/local/bin/.
```

Verification

Verify that the oc-mirror plugin v2 is successfully installed by running the following command:
```
$ oc mirror --v2 --help
```

Configuring credentials that allow images to be mirrored

Create a container image registry credentials file that enables you to mirror images from Red Hat to your mirror.

Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry.

Prerequisites

You configured a mirror registry to use in your disconnected environment.
You identified an image repository location on your mirror registry to mirror images into.
You provisioned a mirror registry account that allows images to be uploaded to that image repository.
You have write access to the mirror registry.

Procedure

Complete the following steps on the installation host:

Download your registry.redhat.io pull secret from Red Hat OpenShift Cluster Manager.

Make a copy of your pull secret in JSON format by running the following command:

$ cat ./pull-secret | jq . > <path>/<pull_secret_file_in_json> (1)

1	Specify the path to the folder to store the pull secret in and a name for the JSON file that you create.

Example pull secret

{
  "auths": {
    "cloud.openshift.com": {
      "auth": "b3BlbnNo...",
      "email": "you@example.com"
    },
    "quay.io": {
      "auth": "b3BlbnNo...",
      "email": "you@example.com"
    },
    "registry.connect.redhat.com": {
      "auth": "NTE3Njg5Nj...",
      "email": "you@example.com"
    },
    "registry.redhat.io": {
      "auth": "NTE3Njg5Nj...",
      "email": "you@example.com"
    }
  }
}

If the $XDG_RUNTIME_DIR/containers directory does not exist, create one by entering the following command:
```
$ mkdir -p $XDG_RUNTIME_DIR/containers
```
Save the pull secret file as $XDG_RUNTIME_DIR/containers/auth.json.
Generate the base64-encoded user name and password or token for your mirror registry by running the following command:
```
$ echo -n '<user_name>:<password>' | base64 -w0 (1)
```
1 For <user_name> and <password>, specify the user name and password that you configured for your registry.
Example output
```
BGVtbYk3ZHAtqXs=
```

Edit the JSON file and add a section that describes your registry to it:

  "auths": {
    "<mirror_registry>": { (1)
      "auth": "<credentials>", (2)
      "email": "you@example.com"
    }
  },

1	Specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example, `registry.example.com` or `registry.example.com:8443`
2	Specify the base64-encoded user name and password for the mirror registry.

Example modified pull secret

{
  "auths": {
    "registry.example.com": {
      "auth": "BGVtbYk3ZHAtqXs=",
      "email": "you@example.com"
    },
    "cloud.openshift.com": {
      "auth": "b3BlbnNo...",
      "email": "you@example.com"
    },
    "quay.io": {
      "auth": "b3BlbnNo...",
      "email": "you@example.com"
    },
    "registry.connect.redhat.com": {
      "auth": "NTE3Njg5Nj...",
      "email": "you@example.com"
    },
    "registry.redhat.io": {
      "auth": "NTE3Njg5Nj...",
      "email": "you@example.com"
    }
  }
}

Mirroring an image set to a mirror registry

Mirroring an image set to a mirror registry ensures that the required images are available in a secure and controlled environment, facilitating smoother deployments, updates, and maintenance tasks.

Creating the image set configuration

Before you can use the oc-mirror plugin v2 to mirror images, you must create an image set configuration file. This image set configuration file defines which OpenShift Container Platform releases, Operators, and other images to mirror, along with other configuration settings for the oc-mirror plugin v2.

Prerequisites

You have created a container image registry credentials file. For instructions, see Configuring credentials that allow images to be mirrored.

Procedure

Create an ImageSetConfiguration YAML file and modify it to include your required images.

Example ImageSetConfiguration YAML file

kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v2alpha1
mirror:
  platform:
    channels:
    - name: stable-4.18 (1)
      minVersion: 4.18.2
      maxVersion: 4.18.2
    graph: true (2)
  operators:
    - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.18 (3)
      packages: (4)
       - name: aws-load-balancer-operator
       - name: 3scale-operator
       - name: node-observability-operator
  additionalImages: (5)
   - name: registry.redhat.io/ubi8/ubi:latest
   - name: registry.redhat.io/ubi9/ubi@sha256:20f695d2a91352d4eaa25107535126727b5945bff38ed36a3e59590f495046f0

1	Set the channel to retrieve OpenShift Container Platform images from.
2	Add `graph: true` to build and push the graph-data image to the mirror registry. The graph-data image is required to create OpenShift Update Service (OSUS). The `graph: true` field also generates the `UpdateService` custom resource manifest. The `oc` command-line interface (CLI) can use the `UpdateService` custom resource manifest to create OSUS. For more information, see About the OpenShift Update Service.
3	Set the Operator catalog to retrieve the OpenShift Container Platform images from.
4	Specify only certain Operator packages to include in the image set. Remove this field to retrieve all packages in the catalog.
5	Specify any additional images to include in image set.

Additional resources

About the OpenShift Update Service

Mirroring an image set in a partially disconnected environment

You can mirror image sets to a registry using the oc-mirror plugin v2 in environments with restricted internet access.

Prerequisites

You have access to the internet and the mirror registry in the environment where you are running the oc-mirror plugin v2.

Procedure

Mirror the images from the specified image set configuration to a specified registry by running the following command:
```
$ oc mirror -c <image_set_configuration> --workspace file://<file_path> docker://<mirror_registry_url> --v2 (1)
```
where:

<image_set_configuration>

Specifies the name of the image set configuration file.

<file_path>

Specifies the directory where cluster resources will be generated in.

<mirror_registry_url>

Specifies the URL or address of the mirror registry where the images are stored and from which they need to be deleted.

Verification

Navigate to the working-dir/cluster-resources directory that was generated in the <file_path> directory.
Verify that the YAML files are present for the ImageDigestMirrorSet, ImageTagMirrorSet, and CatalogSource resources.

Next steps

Configure your cluster to use the resources generated by oc-mirror plugin v2.

Mirroring an image set in a fully disconnected environment

You can mirror image sets in a fully disconnected environment where the OpenShift Container Platform cluster cannot access the public internet. The following high-level workflow describes the mirroring process:

Mirror to disk: Mirror the image set to an archive.
Disk transfer: Manually transfer the archive to the network of the disconnected mirror registry.
Disk to mirror: Mirror the image set from the archive to the target disconnected registry.

Mirroring from mirror to disk

You can use the oc-mirror plugin v2 to generate an image set and save the content to disk. Afterwards, you can transfer the generated image set to the disconnected environment and mirror it to the target registry.

oc-mirror plugin v2 retrieves the container images from the source specified in the image set configuration file and packs them into a tar archive in a local directory.

Procedure

Mirror the images from the specified image set configuration to the disk by running the following command:
```
$ oc mirror -c <image_set_configuration> file://<file_path> --v2
```
where:

<image_set_configuration>

Specifies the name of the image set configuration file.

<file_path>

Specifies the directory where the archives containing the image sets will be generated in.

Verification

Navigate to the <file_path> directory that was generated.
Verify that the archive files have been generated.

Next steps

Mirroring from disk to mirror

Mirroring from disk to mirror

You can use the oc-mirror plugin v2 to mirror image sets from a disk to a target mirror registry.

The oc-mirror plugin v2 retrieves container images from a local disk and transfers them to the specified mirror registry.

Procedure

Transfer the disk containing mirrored image sets to the environment that contains the target mirror registry.
Process the image set file on the disk and mirror the contents to a target mirror registry by running the following command:
```
$ oc mirror -c <image_set_configuration> --from file://<file_path> docker://<mirror_registry_url> --v2
```
where:

<image_set_configuration>

Specifies the name of the image set configuration file.

<file_path>

Specifies the directory on the disk containing the archives. This folder will also contain cluster resources generated for you apply to the cluster, for example the ImageDigestMirrorSet (IDMS) or ImageTagMirrorSet (ITMS) resources.

<mirror_registry_url>

Specifies the URL or address of the mirror registry where the images are stored.

Verification

Navigate to the cluster-resources directory within the working-dir directory that was generated in the <file_path> directory.
Verify that the YAML files are present for the ImageDigestMirrorSet, ImageTagMirrorSet, and CatalogSource resources.

Next steps

Configure your cluster to use the resources generated by oc-mirror plugin v2.

About custom resources generated by oc-mirror plugin v2

The oc-mirror plugin v2 automatically generates the following custom resources:

ImageDigestMirrorSet (IDMS): Handles registry mirror rules when using image digest pull specifications. Generated if at least one image of the image set is mirrored by digest.
ImageTagMirrorSet (ITMS): Handles registry mirror rules when using image tag pull specifications. Generated if at least one image from the image set is mirrored by tag.
CatalogSource: Retrieves information about the available Operators in the mirror registry. Used by Operator Lifecycle Manager (OLM) Classic.
ClusterCatalog: Retrieves information about the available cluster extensions (which includes Operators) in the mirror registry. Used by OLM v1.
UpdateService: Provides update graph data to the disconnected environment. Used by the OpenShift Update Service.

Additional resources

Configuring your cluster to use the resources generated by oc-mirror plugin v2

After you have mirrored your image set to the mirror registry, you must apply the generated ImageDigestMirrorSet (IDMS), ImageTagMirrorSet (ITMS), CatalogSource, and UpdateService resources to the cluster.

In oc-mirror plugin v2, the IDMS and ITMS files cover the entire image set, unlike the ImageContentSourcePolicy (ICSP) files in oc-mirror plugin v1. Therefore, the IDMS and ITMS files contain all images of the set even if you only add new images during incremental mirroring.

Prerequisites

You have access to the cluster as a user with the cluster-admin role.

Procedure

Log in to the OpenShift CLI as a user with the cluster-admin role.
Apply the YAML files from the results directory to the cluster by running the following command:
```
$ oc apply -f <path_to_oc_mirror_workspace>/working-dir/cluster-resources
```

Verification

Verify that the ImageDigestMirrorSet resources are successfully installed by running the following command:
```
$ oc get imagedigestmirrorset
```
Verify that the ImageTagMirrorSet resources are successfully installed by running the following command:
```
$ oc get imagetagmirrorset
```
Verify that the CatalogSource resources are successfully installed by running the following command:
```
$ oc get catalogsource -n openshift-marketplace
```
Verify that the ClusterCatalog resources are successfully installed by running the following command:
```
$ oc get clustercatalog
```

After your cluster is configured to use the resources generated by oc-mirror plugin v2, see Next Steps for information about tasks that you can perform using your mirrored images.

Additional resources

Disconnected environment support in OLM v1

Deletion of images from your disconnected environment

If you have previously deployed images using the oc-mirror plugin v2, you can delete these images to free up space in your mirror registry. oc-mirror plugin v2 does not automatically prune images that are not included in the ImageSetConfiguration file. This prevents accidentally deleting necessary or deployed images when making changes to the ImageSetConfig.yaml file.

You must create a DeleteImageSetConfiguration file to specify which images to delete.

In the following example, the DeleteImageSetConfiguration file removes the following images:

All release images for OpenShift Container Platform 4.13.3.
The aws-load-balancer-operator v0.0.1 bundle and all its related images.
The additional images for ubi and ubi-minimal, referenced by their corresponding digests.

Example DeleteImageSetConfiguration file

apiVersion: mirror.openshift.io/v2alpha1
kind: DeleteImageSetConfiguration
delete:
  platform:
    channels:
      - name: stable-4.13
        minVersion: 4.13.3
        maxVersion: 4.13.3
  operators:
    - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.12
      packages:
      - name: aws-load-balancer-operator
         minVersion: 0.0.1
         maxVersion: 0.0.1
  additionalImages:
    - name: registry.redhat.io/ubi8/ubi@sha256:bce7e9f69fb7d4533447232478fd825811c760288f87a35699f9c8f030f2c1a6
    - name: registry.redhat.io/ubi8/ubi-minimal@sha256:8bedbe742f140108897fb3532068e8316900d9814f399d676ac78b46e740e34e

Consider using the mirror-to-disk and disk-to-mirror workflows to reduce deletion issues.

oc-mirror plugin v2 deletes only the manifests of the images, which does not reduce the storage occupied in the registry.

To free up storage space from unnecessary images, such as those with deleted manifests, you must enable the garbage collector on your container registry. With the garbage collector enabled, the registry will delete the image blobs that no longer have references to any manifests, reducing the storage previously occupied by the deleted blobs. The process for enabling the garbage collector differs depending on your container registry.

For more information, see "Resolving storage cleanup issues in the distribution registry".

To skip deleting the Operator catalog image while you are deleting Operator images, you must list the specific Operators under the Operator catalog image in the DeleteImageSetConfiguration file. This ensures that only the specified Operators are deleted, not the catalog image.

If only the Operator catalog image is specified, all Operators within that catalog, as well as the catalog image itself, will be deleted.
oc-mirror plugin v2 does not delete Operator catalog images automatically because other Operators may still be deployed and depend on these images.

If you are certain that no Operators from a catalog remain in the registry or cluster, you can explicitly add the catalog image to additionalImages in DeleteImageSetConfiguration to remove it.
Garbage collection behavior depends on the registry. Some registries do not automatically remove deleted images, requiring a system administrator to manually trigger garbage collection to free up space.

Additional resources

Resolving storage cleanup issues in the distribution registry

Resolving storage cleanup issues in the distribution registry

A known issue in the distribution registry prevents the garbage collector from freeing up storage as expected. This issue does not occur when you use Red Hat Quay.

Procedure

Choose the appropriate method to work around the known issue in the distribution registry:

To restart the container registry, run the following command:
```
$ podman restart <registry_container>
```

To disable caching in the registry configuration, perform the following steps:

To disable the blobdescriptor cache, modify the /etc/docker/registry/config.yml file:

version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: ""
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3

To apply the changes, restart the container registry by running the following command:
```
$ podman restart <registry_container>
```

Deleting images from a disconnected environment

To delete images from a disconnected environment using the oc-mirror plugin v2, follow the procedure.

Prerequisites

You have enabled garbage collection in your environment to delete images that no longer reference manifests.

Procedure

Create a delete-image-set-config.yaml file and include the following content:

DeleteImageSetConfiguration file

apiVersion: mirror.openshift.io/v2alpha1
kind: DeleteImageSetConfiguration
delete:
  platform:
    channels:
      - name: <channel_name> (1)
        minVersion: <channel_min_version> (2)
        maxVersion: <channel_max_version> (2)
  operators:
    - catalog: <operator_catalog_name> (3)
      packages:
      - name: <operator_name> (4)
         minVersion: <operator_max_version> (5)
         maxVersion: <operator_min_version> (5)
  additionalImages:
    - name: <additional_images>

1	Specify the name of the OpenShift Container Platform channel to delete, for example `stable-4.15`.
2	Specify a version range of the images to delete within the channel, for example `4.15.0` for the minimum version and `4.15.1` for the maximum version. To delete only one version’s images, use that version number for both the `minVersion` and `maxVersion` fields.
3	Specify an Operator catalog image containing the Operators to delete, for example `registry.redhat.io/redhat/redhat-operator-index:v4.14`. The Operator catalog image will not get deleted. Its presence in the registry might be necessary for other Operators still remaining on the cluster.
4	Specify a specific Operator to delete, for example `aws-load-balancer-operator`.
5	Specify a version range of the images to delete for the Operator, for example `0.0.1` for the minimum version and `0.0.2` for the maximum version.

Create a delete-images.yaml file by running the following command:

$ oc mirror delete --config delete-image-set-config.yaml --workspace file://<previously_mirrored_work_folder> --v2 --generate docker://<remote_registry>

where:

<previously_mirrored_work_folder>

Specifies the directory where images were previously mirrored to or stored during the mirroring process.

<remote_registry>

Specifies the URL or address of the remote container registry from which images will be deleted.

When deleting images, specify the correct workspace directory. Modify or delete the cache directory only when starting mirroring from scratch, such as setting up a new cluster. Incorrect changes to the cache directory might disrupt further mirroring operations.

Go to the <previously_mirrored_work_folder>/delete directory that was created.
Verify that the delete-images.yaml file has been generated.
Manually ensure that each image listed in the file is no longer needed by the cluster and can be safely removed from the registry.
After you generate the delete-images YAML file, delete the images from the remote registry by running the following command:
```
$ oc mirror delete --v2 --delete-yaml-file <previously_mirrored_work_folder>/working-dir/delete/delete-images.yaml docker://<remote_registry>
```
where:

<previously_mirrored_work_folder>

Specifies the directory where images were previously mirrored or stored during the mirroring process.

<remote_registry>

Specifies the URL or address of the remote container registry from which images will be deleted.

When using the mirror-to-mirror method to mirror images, images are not cached locally, so you cannot delete images from a local cache.

Verifying your selected images for mirroring

You can use oc-mirror plugin v2 to perform a test run (dry run) that does not actually mirror any images. This enables you to review the list of images that would be mirrored. You can also use a dry run to catch any errors with your image set configuration early. When running a dry run on a mirror-to-disk workflow, the oc-mirror plugin v2 checks if all the images within the image set are available in its cache. Any missing images are listed in the missing.txt file. When a dry run is performed before mirroring, both missing.txt and mapping.txt files contain the same list of images.

Performing a dry run for oc-mirror plugin v2

Verify your image set configuration by performing a dry run without mirroring any images. This ensures your setup is correct and prevents unintended changes.

Procedure

To perform a test run, run the oc mirror command and append the --dry-run argument to the command:

$ oc mirror -c <image_set_config_yaml> file://<oc_mirror_workspace_path> --dry-run --v2

where:

<image_set_config_yaml>

Specifies the image set configuration file that you created.

<oc_mirror_workspace_path>

Insert the address of the workspace path.

<mirror_registry_url>

Insert the URL or address of the remote container registry from which images will be mirrored or deleted.

Example output

[INFO]   : :wave: Hello, welcome to oc-mirror
[INFO]   : :gear:  setting up the environment for you...
[INFO]   : :twisted_rightwards_arrows: workflow mode: mirrorToDisk
[INFO]   : :sleuth_or_spy:  going to discover the necessary images...
[INFO]   : :mag: collecting release images...
[INFO]   : :mag: collecting operator images...
[INFO]   : :mag: collecting additional images...
[WARN]   : :warning:  54/54 images necessary for mirroring are not available in the cache.
[WARN]   : List of missing images in : CLID-19/working-dir/dry-run/missing.txt.
please re-run the mirror to disk process
[INFO]   : :page_facing_up: list of all images for mirroring in : CLID-19/working-dir/dry-run/mapping.txt
[INFO]   : mirror time     : 9.641091076s
[INFO]   : :wave: Goodbye, thank you for using oc-mirror

Verification

Navigate to the workspace directory that was generated:
```
$ cd <oc_mirror_workspace_path>
```
Review the mapping.txt and missing.txt files that were generated. These files contain a list of all images that would be mirrored.

Troubleshooting oc-mirror plugin v2 errors

oc-mirror plugin v2 now logs all image mirroring errors in a separate file, making it easier to track and diagnose failures.

When errors occur while mirroring release or release component images, they are critical. This stops the mirroring process immediately.

Errors with mirroring Operators, Operator-related images, or additional images do not stop the mirroring process. Mirroring continues, and oc-mirror plugin v2 saves a file under the working-dir/logs directory describing which Operator failed to mirror.

When an image fails to mirror, and that image is mirrored as part of one or more Operator bundles, oc-mirror plugin v2 notifies the user which Operators are incomplete, providing clarity on the Operator bundles affected by the error.

Procedure

Check for server-related issues:

Example error

[ERROR]  : [Worker] error mirroring image localhost:55000/openshift/graph-image:latest error: copying image 1/4 from manifest list: trying to reuse blob sha256:edab65b863aead24e3ed77cea194b6562143049a9307cd48f86b542db9eecb6e at destination: pinging container registry localhost:5000: Get "https://localhost:5000/v2/": http: server gave HTTP response to HTTPS client

Open the mirroring_error_date_time.log file in the working-dir/logs folder located in the oc-mirror plugin v2 output directory.
Look for error messages that typically indicate server-side issues, such as HTTP 500 errors, expired tokens, or timeouts.
Retry the mirroring process or contact support if the issue persists.

Check for incomplete mirroring of Operators:

Example error

error mirroring image docker://registry.redhat.io/3scale-amp2/zync-rhel9@sha256:8bb6b31e108d67476cc62622f20ff8db34efae5d58014de9502336fcc479d86d (Operator bundles: [3scale-operator.v0.11.12] - Operators: [3scale-operator]) error: initializing source docker://localhost:55000/3scale-amp2/zync-rhel9:8bb6b31e108d67476cc62622f20ff8db34efae5d58014de9502336fcc479d86d: reading manifest 8bb6b31e108d67476cc62622f20ff8db34efae5d58014de9502336fcc479d86d in localhost:55000/3scale-amp2/zync-rhel9: manifest unknown
error mirroring image docker://registry.redhat.io/3scale-amp2/3scale-rhel7-operator-metadata@sha256:de0a70d1263a6a596d28bf376158056631afd0b6159865008a7263a8e9bf0c7d error: skipping operator bundle docker://registry.redhat.io/3scale-amp2/3scale-rhel7-operator-metadata@sha256:de0a70d1263a6a596d28bf376158056631afd0b6159865008a7263a8e9bf0c7d because one of its related images failed to mirror
error mirroring image docker://registry.redhat.io/3scale-amp2/system-rhel7@sha256:fe77272021867cc6b6d5d0c9bd06c99d4024ad53f1ab94ec0ab69d0fda74588e (Operator bundles: [3scale-operator.v0.11.12] - Operators: [3scale-operator]) error: initializing source docker://localhost:55000/3scale-amp2/system-rhel7:fe77272021867cc6b6d5d0c9bd06c99d4024ad53f1ab94ec0ab69d0fda74588e: reading manifest fe77272021867cc6b6d5d0c9bd06c99d4024ad53f1ab94ec0ab69d0fda74588e in localhost:55000/3scale-amp2/system-rhel7: manifest unknown

Check for warnings in the console or log file indicating which Operators are incomplete.

If an Operator is flagged as incomplete, the image related to that Operator likely failed to mirror.
Manually mirror the missing image or retry the mirroring process.

Check for errors related to generated cluster resources. Even if some images fail to mirror, oc-mirror v2 will still generate cluster resources such as IDMS.yaml and ITMS.yaml files for the successfully mirrored images.
1. Check the output directory for the generated files.
2. If these files are missing for specific images, ensure that no critical errors occurred for those images during the mirroring process.

By following these steps, you can better diagnose issues and ensure smoother mirroring.

Benefits of enclave support

Enclave support restricts internal access to a specific part of a network. Unlike a demilitarized zone (DMZ) network, which allows inbound and outbound traffic access through firewall boundaries, enclaves do not cross firewall boundaries.

The new enclave support functionality is for scenarios where mirroring is needed for multiple enclaves that are secured behind at least one intermediate disconnected network.

Enclave support has the following benefits:

You can mirror content for multiple enclaves and centralize it in a single internal registry. Because some customers want to run security checks on the mirrored content, with this setup they can run these checks all at once. The content is then vetted before being mirrored to downstream enclaves.
You can mirror content directly from the centralized internal registry to enclaves without restarting the mirroring process from the internet for each enclave.
You can minimize data transfer between network stages, so to ensure that a blob or image is transferred only once from one stage to another.

Enclave mirroring workflow

The previous image outlines the flow for using the oc-mirror plugin in different environments, including environments with and without an internet connection.

Environment with Internet Connection:

The user executes oc-mirror plugin v2 to mirror content from an online registry to a local disk directory.
The mirrored content is saved to the disk for transfer to offline environments.

Disconnected Enterprise Environment (No Internet):

Flow 1:
- The user runs oc-mirror plugin v2 to load the mirrored content from the disk directory, which was transferred from the online environment, into the enterprise-registry.in registry.
Flow 2:
1. After updating the registries.conf file, the user executes the oc-mirror plugin v2 to mirror content from the enterprise-registry.in registry to an enclave environment.
2. The content is saved to a disk directory for transfer to the enclave.

Enclave Environment (No Internet):

The user runs oc-mirror plugin v2 to load content from the disk directory into the enclave-registry.in registry.

The image visually represents the data flow across these environments and emphasizes the use of oc-mirror to handle disconnected and enclave environments without an internet connection.

Mirroring to an enclave

When you mirror to an enclave, you must first transfer the necessary images from one or more enclaves into the enterprise central registry.

The central registry is situated within a secure network, specifically a disconnected environment, and is not directly linked to the public internet. But the user must execute oc mirror in an environment with access to the public internet.

Procedure

Before running oc-mirror plugin v2 in the disconnected environment, create a registries.conf file. The TOML format of the file is described in this specification:

It is recommended to store the file under $HOME/.config/containers/registries.conf or /etc/containers/registries.conf.
Example registries.conf
```
[[registry]]
location="registry.redhat.io"
[[registry.mirror]]
location="<enterprise-registry.in>"

[[registry]]
location="quay.io"
[[registry.mirror]]
location="<enterprise-registry.in>"
```
Generate a mirror archive.
1. To collect all the OpenShift Container Platform content into an archive on the disk under <file_path>/enterprise-content, run the following command:
  $ oc mirror --v2 -c isc.yaml file://<file_path>/enterprise-content
  Example of isc.yaml
  apiVersion: mirror.openshift.io/v2alpha1 kind: ImageSetConfiguration mirror: platform: architectures: - "amd64" channels: - name: stable-4.15 minVersion: 4.15.0 maxVersion: 4.15.3
  After the archive is generated, it is transferred to the disconnected environment. The transport mechanism is not part of oc-mirror plugin v2. The enterprise network administrators determine the transfer strategy.
  
  In some cases, the transfer is done manually, in that the disk is physically unplugged from one location, and plugged to another computer in the disconnected environment. In other cases, the Secure File Transfer Protocol (SFTP) or other protocols are used.
After the transfer of the archive is done, you can execute oc-mirror plugin v2 again in order to mirror the relevant archive contents to the registry (entrerpise_registry.in in the example) as demonstrated in the following example:
```
$ oc mirror --v2 -c isc.yaml --from file://<disconnected_environment_file_path>/enterprise-content docker://<enterprise_registry.in>/
```
Where:
- --from points to the folder containing the archive. It starts with the file://.
- docker:// is the destination of the mirroring is the final argument. Because it is a docker registry.
- -c (--config) is a mandatory argument. It enables oc-mirror plugin v2 to eventually mirror only sub-parts of the archive to the registry. One archive might contain several OpenShift Container Platform releases, but the disconnected environment or an enclave might mirror only a few.
Prepare the imageSetConfig YAML file, which describes the content to mirror to the enclave:
Example isc-enclave.yaml
```
apiVersion: mirror.openshift.io/v2alpha1
kind: ImageSetConfiguration
mirror:
  platform:
    architectures:
      - "amd64"
    channels:
      - name: stable-4.15
        minVersion: 4.15.2
        maxVersion: 4.15.2
```
You must run oc-mirror plugin v2 on a machine with access to the disconnected registry. In the previous example, the disconnected environment, enterprise-registry.in, is accessible.

Update the graph URL

If you are using graph:true, oc-mirror plugin v2 attempts to reach the cincinnati API endpoint. Because this environment is disconnected, be sure to export the environment variable UPDATE_URL_OVERRIDE to refer to the URL for the OpenShift Update Service (OSUS):

$ export UPDATE_URL_OVERRIDE=https://<osus.enterprise.in>/graph

For more information on setting up OSUS on an OpenShift cluster, see "Updating a cluster in a disconnected environment using the OpenShift Update Service".

When updating between OpenShift Container Platform Extended Update Support (EUS) versions, you must also include images for an intermediate minor version between the current and target versions. The oc-mirror plugin v2 might not always detect this requirement automatically, so check the Red Hat OpenShift Container Platform Update Graph page to confirm any required intermediate versions.

Use the Update Graph page to find the intermediate minor versions suggested by the application, and include any of these versions in the ImageSetConfiguration file when using the oc-mirror plugin v2.

Generate a mirror archive from the enterprise registry for the enclave.

To prepare an archive for the enclave1, the user executes oc-mirror plugin v2 in the enterprise disconnected environment by using the imageSetConfiguration specific for that enclave. This ensures that only images needed by that enclave are mirrored:
```
$ oc mirror --v2 -c isc-enclave.yaml
file:///disk-enc1/
```
This action collects all the OpenShift Container Platform content into an archive and generates an archive on disk.
After the archive is generated, it will be transferred to the enclave1 network. The transport mechanism is not the responsibility of oc-mirror plugin v2.
Mirror contents to the enclave registry

After the transfer of the archive is done, the user can execute oc-mirror plugin v2 again in order to mirror the relevant archive contents to the registry.
```
$ oc mirror --v2 -c isc-enclave.yaml --from file://local-disk docker://registry.enc1.in
```
The administrators of the OpenShift Container Platform cluster in enclave1 are now ready to install or upgrade that cluster.

oc-mirror plugin v2 support proxy setting

The oc-mirror plugin v2 can operate in a proxy-configured environment. The plugin can use system proxy settings to retrieve images for OpenShift Container Platform, Operator catalog, and the additionalImages registry.

Additional resources

How filtering works in the operator catalog

oc-mirror plugin v2 selects the list of bundles for mirroring by processing the information in imageSetConfig.

When oc-mirror plugin v2 selects bundles for mirroring, it does not infer Group Version Kind (GVK) or bundle dependencies, omitting them from the mirroring set. Instead, it strictly adheres to the user instructions. You must explicitly specify any required dependent packages and their versions.

Table 1. Use the following table to see what bundle versions are included in different scenarios
ImageSetConfig operator filtering	Expected bundle versions
Scenario 1 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10`	For each package in the catalog, one bundle, corresponding to the head version for each channel of that package.
Scenario 2 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10 full: true`	All bundles of all channels of the specified catalog.
Scenario 3 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10 packages: - name: compliance-operator`	One bundle, corresponding to the head version for each channel of that package.
Scenario 4 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10 full: true - packages: - name: elasticsearch-operator`	All bundles of all channels for the packages specified.
Scenario 5 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15 packages: - name: compliance-operator minVersion: 5.6.0`	All bundles in all channels, from the `minVersion`, up to the channel head for that package.
Scenario 6 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15 packages: - name: compliance-operator maxVersion: 6.0.0`	All bundles in all channels that are lower than the `maxVersion` for that package.
Scenario 7 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15 packages: - name: compliance-operator minVersion: 5.6.0 maxVersion: 6.0.0`	All bundles in all channels, between the `minVersion` and `maxVersion` for that package. The head of the channel is not included, even if multiple channels are included in the filtering.
Scenario 8 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15 packages: - name: compliance-operator channels - name: stable`	The head bundle for the selected channel of that package. You must use the `defaultChannel` field in case the filtered channels are not the default.
Scenario 9 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10 full: true - packages: - name: elasticsearch-operator channels: - name: 'stable-v0'`	All bundles for the packages and channels specified. The `defaultChannel` should be used in case the filtered channels are not the default.
Scenario 10 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15 packages: - name: compliance-operator channels - name: stable - name: stable-5.5`	The head bundle for each selected channel of that package.
Scenario 11 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15 packages: - name: compliance-operator channels - name: stable minVersion: 5.6.0`	Within the selected channel of that package, all versions starting with the `minVersion` up to the channel head. You must use the `defaultChannel` field in case the filtered channels are not the default.
Scenario 12 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15 packages: - name: compliance-operator channels - name: stable maxVersion: 6.0.0`	Within the selected channel of that package, all versions up to `maxVersion`. Head of channel is not included, even if multiple channels are included in the filtering. You might see errors if this filtering leads to a channel with multiple heads. You must use the `defaultChannel` field in case the filtered channels are not the default.
Scenario 13 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15 packages: - name: compliance-operator channels - name: stable minVersion: 5.6.0 maxVersion: 6.0.0`	Within the selected channel of that package, all versions between the `minVersion` and `maxVersion`. The head of channel is not included, even if multiple channels are included in the filtering. You might see errors if this filtering leads to a channel with multiple heads. You must use the `defaultChannel` field in case the filtered channels are not the default.
Scenario 14 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15 packages: - name: compliance-operator channels - name: stable minVersion: 5.6.0 maxVersion: 6.0.0`	Do not use this scenario. filtering by channel and by package with a `minVersion` or `maxVersion` is not allowed.
Scenario 15 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15 packages: - name: compliance-operator channels - name: stable minVersion: 5.6.0 maxVersion: 6.0.0`	Do not use this scenario. You cannot filter using `full:true` and the `minVersion` or `maxVersion`.
Scenario 16 `mirror: operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.15 full: true packages: - name: compliance-operator channels - name: stable minVersion: 5.6.0 maxVersion: 6.0.0`	Do not use this scenario. You cannot filter using `full:true` and the `minVersion` or `maxVersion`.

`ImageSet` configuration parameters for oc-mirror plugin v2

The oc-mirror plugin v2 requires an image set configuration file that defines what images to mirror. The following table lists the available parameters for the ImageSetConfiguration resource.

Using the minVersion and maxVersion properties to filter for a specific Operator version range can result in a multiple channel heads error. The error message states that there are multiple channel heads. This is because when the filter is applied, the update graph of the Operator is truncated.

OLM requires that every Operator channel contains versions that form an update graph with exactly one end point, that is, the latest version of the Operator. When the filter range is applied, that graph can turn into two or more separate graphs or a graph that has more than one end point.

To avoid this error, do not filter out the latest version of an Operator. If you still run into the error, depending on the Operator, either the maxVersion property must be increased or the minVersion property must be decreased. Because every Operator graph can be different, you might need to adjust these values until the error resolves.

Parameter Description Values

apiVersion

The API version of the ImageSetConfiguration content.

String Example: mirror.openshift.io/v2alpha1

archiveSize

The maximum size, in GiB, of each archive file within the image set.

Integer Example: 4

kubeVirtContainer

When set to true, includes images from the HyperShift KubeVirt CoreOS container.

Boolean Example ImageSetConfiguration file:

apiVersion: mirror.openshift.io/v2alpha1
kind: ImageSetConfiguration
mirror:
  platform:
    channels:
    - name: stable-4.16
      minVersion: 4.16.0
      maxVersion: 4.16.0
    kubeVirtContainer: true

mirror

The configuration of the image set.

Object

mirror.additionalImages

The additional images configuration of the image set.

Array of objects

Example:

additionalImages:
  - name: registry.redhat.io/ubi8/ubi:latest

mirror.additionalImages.name

The tag or digest of the image to mirror.

String Example: registry.redhat.io/ubi8/ubi:latest

mirror.blockedImages

The full tag, digest, or pattern of images to block from mirroring.

Array of strings Example: docker.io/library/alpine

mirror.helm

The helm configuration of the image set. The oc-mirror plugin does not support helm charts with manually modified values.yaml files.

Object

mirror.helm.local

The local helm charts to mirror.

Array of objects. For example:

local:
  - name: podinfo
    path: /test/podinfo-5.0.0.tar.gz

mirror.helm.local.name

The name of the local helm chart to mirror.

String. For example: podinfo.

mirror.helm.local.path

The path of the local helm chart to mirror.

String. For example: /test/podinfo-5.0.0.tar.gz.

mirror.helm.repositories

The remote helm repositories to mirror from.

Array of objects. For example:

repositories:
  - name: podinfo
    url: https://example.github.io/podinfo
    charts:
      - name: podinfo
        version: 5.0.0
         imagePaths:
         - "{.spec.template.spec.custom[*].image}"

mirror.helm.repositories.name

The name of the helm repository to mirror from.

String. For example: podinfo.

mirror.helm.repositories.url

The URL of the helm repository to mirror from.

String. For example: https://example.github.io/podinfo.

mirror.helm.repositories.charts

The remote helm charts to mirror.

Array of objects.

mirror.helm.repositories.charts.name

The name of the helm chart to mirror.

String. For example: podinfo.

mirror.helm.repositories.charts.imagePaths

The custom path of a container image inside of the helm chart.

oc-mirror detects and mirrors container images from the helm chart by searching well-known paths. You can also specify custom paths using this field.

Array of string. For example: "- {.spec.template.spec.custom[*].image}".

mirror.operators

The Operators configuration of the image set.

Array of objects

Example:

operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:4.18
    packages:
      - name: elasticsearch-operator
        minVersion: '2.4.0'

mirror.operators.catalog

The Operator catalog to include in the image set.

String Example: registry.redhat.io/redhat/redhat-operator-index:v4.15

mirror.operators.full

When true, downloads the full catalog, Operator package, or Operator channel.

Boolean The default value is false.

mirror.operators.packages

The Operator packages configuration.

Array of objects

Example:

operators:
  - catalog: registry.redhat.io/redhat/redhat-operator-index:4.18
    packages:
      - name: elasticsearch-operator
        minVersion: '5.2.3-31'

mirror.operators.packages.name

The Operator package name to include in the image set.

String Example: elasticsearch-operator

mirror.operators.packages.channels

Operator package channel configuration

Object

mirror.operators.packages.channels.name

The Operator channel name, unique within a package, to include in the image set.

String Eample: fast or stable-v4.15

mirror.operators.packages.channels.maxVersion

The highest version of the Operator mirror across all channels in which it exists.

String Example: 5.2.3-31

mirror.operators.packages.channels.minVersion

The lowest version of the Operator to mirror across all channels in which it exists

String Example: 5.2.3-31

mirror.operators.packages.maxVersion

The highest version of the Operator to mirror across all channels in which it exists.

String Example: 5.2.3-31

mirror.operators.packages.minVersion

The lowest version of the Operator to mirror across all channels in which it exists.

String Example: 5.2.3-31

mirror.operators.targetCatalog

An alternative name and optional namespace hierarchy to mirror the referenced catalog as

String Example: my-namespace/my-operator-catalog

mirror.operators.targetCatalogSourceTemplate

Path on disk for a template to use to complete catalogSource custom resource generated by oc-mirror plugin v2.

String Example: /tmp/catalog-source_template.yaml Example of a template file:

apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: discarded
  namespace: openshift-marketplace
spec:
  image: discarded
  sourceType: grpc
  updateStrategy:
    registryPoll:
      interval: 30m0s

mirror.operators.targetTag

An alternative tag to append to the targetName or targetCatalog.

String Example: v1

mirror.platform

The platform configuration of the image set.

Object

mirror.platform.architectures

The architecture of the platform release payload to mirror.

Array of strings Example:

architectures:
  - amd64
  - arm64
  - multi
  - ppc64le
  - s390x

The default value is amd64. The value multi ensures that the mirroring is supported for all available architectures, eliminating the need to specify individual architectures

mirror.platform.channels

The platform channel configuration of the image set.

Array of objects Example:

channels:
  - name: stable-4.12
  - name: stable-4.18

mirror.platform.channels.full

When true, sets the minVersion to the first release in the channel and the maxVersion to the last release in the channel.

Boolean The default value is false

mirror.platform.channels.name

Name of the release channel

String Example: stable-4.15

mirror.platform.channels.minVersion

The minimum version of the referenced platform to be mirrored.

String Example: 4.12.6

mirror.platform.channels.maxVersion

The highest version of the referenced platform to be mirrored.

String Example: 4.15.1

mirror.platform.channels.shortestPath

Toggles shortest path mirroring or full range mirroring.

Boolean The default value is false

mirror.platform.channels.type

Type of the platform to be mirrored

String Example: ocp or okd. The default is ocp.

mirror.platform.graph

Indicates whether the OSUS graph is added to the image set and subsequently published to the mirror.

Boolean The default value is false

Delete `ImageSet` Configuration parameters

To use the oc-mirror plugin v2, you must have delete image set configuration file that defines which images to delete from the mirror registry. The following table lists the available parameters for the DeleteImageSetConfiguration resource.

Table 3. `DeleteImageSetConfiguration` parameters
Parameter	Description	Values
`apiVersion`	The API version for the `DeleteImageSetConfiguration` content.	String Example: `mirror.openshift.io/v2alpha1`
`delete`	The configuration of the image set to delete.	Object
`delete.additionalImages`	The additional images configuration of the delete image set.	Array of objects Example: `additionalImages: - name: registry.redhat.io/ubi8/ubi:latest`
`delete.additionalImages.name`	The tag or digest of the image to delete.	String Example: `registry.redhat.io/ubi8/ubi:latest`
`delete.operators`	The Operators configuration of the delete image set.	Array of objects Example: `operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:{product-version} packages: - name: elasticsearch-operator minVersion: '2.4.0'`
`delete.operators.catalog`	The Operator catalog to include in the delete image set.	String Example: `registry.redhat.io/redhat/redhat-operator-index:v4.15`
`delete.operators.full`	When true, deletes the full catalog, Operator package, or Operator channel.	Boolean The default value is `false`
`delete.operators.packages`	Operator packages configuration	Array of objects Example: `operators: - catalog: registry.redhat.io/redhat/redhat-operator-index:{product-version} packages: - name: elasticsearch-operator minVersion: '5.2.3-31'`
`delete.operators.packages.name`	The Operator package name to include in the delete image set.	String Example: `elasticsearch-operator`
`delete.operators.packages.channels`	Operator package channel configuration	Object
`delete.operators.packages.channels.name`	The Operator channel name, unique within a package, to include in the delete image set.	String Example: `fast` or `stable-v4.15`
`delete.operators.packages.channels.maxVersion`	The highest version of the Operator to delete within the selected channel.	String Example: `5.2.3-31`
`delete.operators.packages.channels.minVersion`	The lowest version of the Operator to delete within the selection in which it exists.	String Example: `5.2.3-31`
`delete.operators.packages.maxVersion`	The highest version of the Operator to delete across all channels in which it exists.	String Example: `5.2.3-31`
`delete.operators.packages.minVersion`	The lowest version of the Operator to delete across all channels in which it exists.	String Example: `5.2.3-31`
`delete.platform`	The platform configuration of the image set	Object
`delete.platform.architectures`	The architecture of the platform release payload to delete.	Array of strings Example: `architectures: - amd64 - arm64 - multi - ppc64le - s390x` The default value is `amd64`
`delete.platform.channels`	The platform channel configuration of the image set.	Array of objects Example: `channels: - name: stable-4.12 - name: stable-4.18`
`delete.platform.channels.full`	When `true`, sets the `minVersion` to the first release in the channel and the `maxVersion` to the last release in the channel.	Boolean The default value is `false`
`delete.platform.channels.name`	Name of the release channel	String Example: `stable-4.15`
`delete.platform.channels.minVersion`	The minimum version of the referenced platform to be deleted.	String Example: `4.12.6`
`delete.platform.channels.maxVersion`	The highest version of the referenced platform to be deleted.	String Example: `4.15.1`
`delete.platform.channels.shortestPath`	Toggles between deleting the shortest path and deleting the full range.	Boolean The default value is `false`
`delete.platform.channels.type`	Type of the platform to be deleted	String Example: `ocp` or `okd` The default is `ocp`
`delete.platform.graph`	Determines whether the OSUS graph is deleted as well on the mirror registry as well.	Boolean The default value is `false`

Command reference for oc-mirror plugin v2

The following tables describe the oc mirror subcommands and flags for oc-mirror plugin v2:

Table 4. Subcommands and flags for the oc-mirror plugin v2
Subcommand	Description
`help`	Show help about any subcommand
`version`	Output the oc-mirror version
`delete`	Deletes images in remote registry and local cache.

Table 5. oc mirror flags
Flag	Description
`--authfile`	Displays the string path of the authentication file. Default is `${XDG_RUNTIME_DIR}/containers/auth.json`.
`-c`, `--config` `<string>`	Specifies the path to an image set configuration file.
`--cache-dir <string>`	oc-mirror cache directory location. The default value is `$HOME`.
`--dest-tls-verify`	Requires HTTPS and verifies certificates when accessing the container registry or daemon. The default value is `true`.
`--dry-run`	Prints actions without mirroring images.
`--from <string>`	Specifies the path to an image set archive that was generated by executing oc-mirror plugin v2 to load a target registry.
`-h`, `--help`	Displays help
`--image-timeout duration`	Timeout for mirroring an image. The default is 10m0s. Valid time units are `ns`, `us` or `µs`, `ms`, `s`, `m`, and `h`.
`--log-level <string>`	Displays string log levels. Supported values include info, debug, trace, error. The default value is `info`.
`-p`, `--port`	Determines the HTTP port used by oc-mirror plugin v2 local storage instance. The default value is `55000`.
`--parallel-images <unit>`	Specifies the number of images mirrored in parallel. The default value is `8`.
`--parallel-layers <unit>`	Specifies the number of image layers mirrored in parallel. The default value is `10`.
`--max-nested-paths <int>`	Specifies the maximum number of nested paths for destination registries that limit nested paths. The default value is `0`.
`--secure-policy`	The default value is `false`. If you set a non-default value, the command enables signature verification, which is the secure policy for signature verification.
`--since`	Includes all new content since a specified date (format: `yyyy-mm-dd`). When not provided, new content since previous mirroring is mirrored.
`--src-tls-verify`	Requires HTTPS and verifies certificates when accessing the container registry or daemon.
`--strict-archive`	The default value is `false`. If you set a value, the command generates archives that are strictly less than the `archiveSize` that was set in the `imageSetConfig` custom resource (CR). Mirroring exist in error if a file being archived exceeds `archiveSize` (GB).
`-v`, `--version`	Displays the version for oc-mirror plugin v2.
`--workspace`	Determines string oc-mirror plugin v2 workspace where resources and internal artifacts are generated.
`--retry-delay duration`	Delay between 2 retries. The default value is `1s`.
`--retry-times <int>`	The number of times to retry. The default value is `2`.
`--rootless-storage-path <string>`	Overrides the default container rootless storage path (usually in `etc/containers/storage.conf`).

Command reference for deleting images

The following tables describe the oc mirror subcommands and flags for deleting images:

Table 6. Subcommands and flags for the deleting images
Subcommand	Description
`--authfile <string>`	Path of the authentication file. The default value is `${XDG_RUNTIME_DIR}/containers/auth.json`.
`--cache-dir <string>`	oc-mirror cache directory location. The default is `$HOME`.
`-c <string>`, `--config <string>`	Path to the delete imageset configuration file.
`--delete-id <string>`	Used to differentiate between versions for files created by the delete functionality.
`--delete-v1-images`	Used during the migration, along with `--generate`, in order to target images previously mirrored with oc-mirror plugin v1.
`--delete-yaml-file <string>`	If set, uses the generated or updated yaml file to delete contents.
`--dest-tls-verify`	Require HTTPS and verify certificates when talking to the container registry or daemon. TThe default value is `true`.
`--force-cache-delete`	Used to force delete the local cache manifests and blobs.
`--generate`	Used to generate the delete yaml for the list of manifests and blobs, used when deleting from local cache and remote registry.
`-h`, `--help`	Displays help.
`--log-level <string>`	Log level one of `info`, `debug`, `trace`, and `error`. The default value is `info`.
`--parallel-images <unit>`	Indicates the number of images deleted in parallel. The default value is `8`.
`--parallel-layers <unit>`	Indicates the number of image layers mirrored in parallel. The default value is `10`.
`-p <unit>`, `--port <unit>`	HTTP port used by oc-mirror’s local storage instance. The default value is `55000`.
`--retry-delay`	Duration delay between 2 retries. The default value is `1s`.
`--retry-times <int>`	The number of times to retry. The default value is `2`.
`--src-tls-verify`	Require HTTPS and verify certificates when talking to the container registry or daemon. The default value is `true`.
`--workspace <string>`	oc-mirror workspace where resources and internal artifacts are generated.

Additional resources

Configuring your cluster to use the resources generated by oc-mirror

Next steps

After you mirror images to your disconnected environment using oc-mirror plugin v2, you can perform any of the following actions:

Mirroring images for a disconnected installation by using the oc-mirror plugin v2

About oc-mirror plugin v2

High level workflow

oc-mirror plugin v2 compatibility and support

Prerequisites

Preparing your mirror hosts

Installing the oc-mirror OpenShift CLI plugin

Configuring credentials that allow images to be mirrored

Mirroring an image set to a mirror registry

Creating the image set configuration

Mirroring an image set in a partially disconnected environment

Mirroring an image set in a fully disconnected environment

Mirroring from mirror to disk

Mirroring from disk to mirror

About custom resources generated by oc-mirror plugin v2

Configuring your cluster to use the resources generated by oc-mirror plugin v2

Deletion of images from your disconnected environment

Resolving storage cleanup issues in the distribution registry

Deleting images from a disconnected environment

Verifying your selected images for mirroring

Performing a dry run for oc-mirror plugin v2

Troubleshooting oc-mirror plugin v2 errors

Benefits of enclave support

Enclave mirroring workflow

Mirroring to an enclave

oc-mirror plugin v2 support proxy setting

How filtering works in the operator catalog

ImageSet configuration parameters for oc-mirror plugin v2

Delete ImageSet Configuration parameters

Command reference for oc-mirror plugin v2

Command reference for deleting images

Next steps

`ImageSet` configuration parameters for oc-mirror plugin v2

Delete `ImageSet` Configuration parameters