$ tar xvzf <file>
×
Updating a restricted network cluster
You can upgrade a restricted network OpenShift Container Platform cluster by using the oc command-line interface (CLI).
A restricted network environment is the one in which your cluster nodes cannot access the internet. For this reason, you must populate a registry with the installation images. If your registry host cannot access both the internet and the cluster, you can mirror the images to a file system that disconnected from that environment and then bring that host or removable media across that gap. If the local container registry is connected to the mirror registry’s host, you can directly push the release images to the local registry.
If multiple clusters are present within the restricted network, mirror the required release images to a single container image registry and use that registry to update all the clusters.
Prerequisites
-
Have access to the internet to obtain the necessary container images.
-
Have write access to a container registry in the restricted-network environment to push and pull images. The container registry must be compatible with Docker registry API v2.
-
You must have the
occommand-line interface (CLI) tool installed. -
Have access to the cluster as a user with
adminprivileges. See Using RBAC to define and apply permissions. -
Have a recent etcd backup in case your upgrade fails and you must restore your cluster to a previous state.
Preparing your mirror host
Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to the remote location.
Installing the CLI by downloading the binary
You can install the OpenShift CLI (oc) in order to interact with OpenShift Container Platform from a
command-line interface. You can install oc on Linux, Windows, or macOS.
|
If you installed an earlier version of |
Installing the CLI on Linux
You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.
Procedure
-
Navigate to the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site.
-
Select your infrastructure provider, and, if applicable, your installation type.
-
In the Command-line interface section, select Linux from the drop-down menu and click Download command-line tools.
-
Unpack the archive:
-
Place the
ocbinary in a directory that is on yourPATH.To check your
PATH, execute the following command:$ echo $PATH
After you install the CLI, it is available using the oc command:
$ oc <command>
Installing the CLI on Windows
You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.
Procedure
-
Navigate to the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site.
-
Select your infrastructure provider, and, if applicable, your installation type.
-
In the Command-line interface section, select Windows from the drop-down menu and click Download command-line tools.
-
Unzip the archive with a ZIP program.
-
Move the
ocbinary to a directory that is on yourPATH.To check your
PATH, open the command prompt and execute the following command:C:\> path
After you install the CLI, it is available using the oc command:
C:\> oc <command>
Installing the CLI on macOS
You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.
Procedure
-
Navigate to the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site.
-
Select your infrastructure provider, and, if applicable, your installation type.
-
In the Command-line interface section, select MacOS from the drop-down menu and click Download command-line tools.
-
Unpack and unzip the archive.
-
Move the
ocbinary to a directory on your PATH.To check your
PATH, open a terminal and execute the following command:$ echo $PATH
After you install the CLI, it is available using the oc command:
$ oc <command>
Configuring credentials that allow images to be mirrored
Create a container image registry credentials file that allows mirroring images from Red Hat to your mirror.
|
Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry. |
|
This process requires that you have write access to a container image registry on the mirror registry and adds the credentials to a registry pull secret. |
|
Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry. |
Prerequisites
-
You configured a mirror registry to use in your restricted network.
-
You identified an image repository location on your mirror registry to mirror images into.
-
You provisioned a mirror registry account that allows images to be uploaded to that image repository.
Procedure
Complete the following steps on the installation host:
-
Download your
registry.redhat.iopull secret from the Pull Secret page on the Red Hat OpenShift Cluster Manager site and save it to a.jsonfile. -
Generate the base64-encoded user name and password or token for your mirror registry:
$ echo -n '<user_name>:<password>' | base64 -w0 (1) BGVtbYk3ZHAtqXs=1 For <user_name>and<password>, specify the user name and password that you configured for your registry. -
Make a copy of your pull secret in JSON format:
$ cat ./pull-secret.text | jq . > <path>/<pull-secret-file>(1)1 Specify the path to the folder to store the pull secret in and a name for the JSON file that you create. The contents of the file resemble the following example:
{ "auths": { "cloud.openshift.com": { "auth": "b3BlbnNo...", "email": "you@example.com" }, "quay.io": { "auth": "b3BlbnNo...", "email": "you@example.com" }, "registry.connect.redhat.com": { "auth": "NTE3Njg5Nj...", "email": "you@example.com" }, "registry.redhat.io": { "auth": "NTE3Njg5Nj...", "email": "you@example.com" } } } -
Edit the new file and add a section that describes your registry to it:
"auths": { "<mirror_registry>": { (1) "auth": "<credentials>", (2) "email": "you@example.com" },1 For <mirror_registry>, specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example,registry.example.comorregistry.example.com:50002 For <credentials>, specify the base64-encoded user name and password for the mirror registry.The file resembles the following example:
{ "auths": { "<mirror_registry>": { "auth": "<credentials>", "email": "you@example.com" }, "cloud.openshift.com": { "auth": "b3BlbnNo...", "email": "you@example.com" }, "quay.io": { "auth": "b3BlbnNo...", "email": "you@example.com" }, "registry.connect.redhat.com": { "auth": "NTE3Njg5Nj...", "email": "you@example.com" }, "registry.redhat.io": { "auth": "NTE3Njg5Nj...", "email": "you@example.com" } } }
-
Edit the new file and add a section that describes your registry to it:
"auths": { ... "<mirror_registry>": { (1) "auth": "<credentials>", (2) "email": "you@example.com" }, ...1 For <mirror_registry>, specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example,registry.example.comorregistry.example.com:50002 For <credentials>, specify the base64-encoded user name and password for the mirror registry.The file resembles the following example:
{ "auths": { "cloud.openshift.com": { "auth": "b3BlbnNo...", "email": "you@example.com" }, "quay.io": { "auth": "b3BlbnNo...", "email": "you@example.com" }, "registry.connect.redhat.com": { "auth": "NTE3Njg5Nj...", "email": "you@example.com" }, "<mirror_registry>": { "auth": "<credentials>", "email": "you@example.com" }, "registry.redhat.io": { "auth": "NTE3Njg5Nj...", "email": "you@example.com" } } }
Mirroring the OpenShift Container Platform image repository
Before you upgrade a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. You can also use this procedure in unrestricted networks to ensure your clusters only use container images that have satisfied your organizational controls on external content.
Procedure
-
Review the OpenShift Container Platform upgrade paths to confirm that there is an upgrade path between your current and intended cluster versions.
-
Set the required environment variables:
$ OCP_RELEASE=<release_version> (1) $ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>' (2) $ LOCAL_REPOSITORY='<repository_name>' (3) $ PRODUCT_REPO='openshift-release-dev' (4) $ LOCAL_SECRET_JSON='<path_to_pull_secret>' (5) $ RELEASE_NAME='ocp-release' (6) $ ARCHITECTURE=<server_architecture> (7) $ REMOVABLE_MEDIA_PATH=<path> (8)
1 For <release_version>, specify the tag that corresponds to the version of OpenShift Container Platform to which you want to upgrade, such as4.5.0.2 For <local_registry_host_name>, specify the registry domain name for your mirror repository, and for<local_registry_host_port>, specify the port that it serves content on.3 For <repository_name>, specify the name of the repository to create in your registry, such asocp4/openshift4.4 The repository to mirror. For a production release, you must specify openshift-release-dev.5 For <path_to_pull_secret>, specify the absolute path to and file name of the pull secret for your mirror registry that you created.6 For a production release, you must specify ocp-release.7 For <server_architecture>, specify the architecture of the server, such asx86_64.8 For <path>, specify the path to the directory to host the mirrored images. -
Review the images and configuration manifests to mirror:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run -
Mirror the version images to the internal container registry.
-
If your mirror host does not have internet access, take the following actions:
-
Connect the removable media to a system that is connected to the internet.
-
Mirror the images and configuration manifests to a directory on the removable media:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} -
Take the media to the restricted network environment and upload the images to the local container registry.
$ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror 'file://openshift/release:${OCP_RELEASE}*' ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}
-
-
If the local container registry is connected to the mirror host, directly push the release images to the local registry:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \ --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}
-
Creating the image ConfigMap
Before you update your cluster, you must manually create a ConfigMap that contains the signatures of the release images that you use. This signature allows the Cluster Version Operator (CVO) to verify that the release images have not been modified by comparing the expected and actual image signatures.
Creating the ConfigMap for image signature verification by using the oc CLI
Before you update your cluster, you must manually create a ConfigMap that contains the signatures of the release images that you use. This signature allows the Cluster Version Operator (CVO) to verify that the release images have not been modified by comparing the expected and actual image signatures.
|
If you are upgrading from a release prior to version 4.4.8, you must use the manual method for creating the ConfigMap instead of this procedure. The commands that this procedure uses are not in earlier versions of the |
Prerequisites
-
Install the OpenShift Command-line Interface (CLI), commonly known as
oc, version 4.4.8 or later.
Procedure
-
Obtain the image signature for the version that you are upgrading to from either mirror.openshift.com or Google Cloud Storage (GCS).
-
Use
occommand-line interface (CLI) to log into the cluster that you are upgrading. -
Apply the mirrored release image signature ConfigMap to the connected cluster:
$ oc apply -f <image_signature_file> (1)
1 For <image_signature_file>, specify the path and name of the file, for example,mirror/config/signature-sha256-81154f5c03294534.yaml.
Creating an image signature ConfigMap manually
Create and apply the image signature ConfigMap to the cluster that you want to update.
|
You must perform following steps each time that you update a cluster. |
Procedure
-
Review the OpenShift Container Platform upgrade paths knowledge base article to determine a valid upgrade path for your cluster.
-
Add the version to the
OCP_RELEASE_NUMBERenvironment variable:$ OCP_RELEASE_NUMBER=<release_version> (1)
1 For <release_version>, specify the tag that corresponds to the version of OpenShift Container Platform you want to update the cluster, such as4.4.0. -
Add the system architecture for your cluster to
ARCHITECTUREenvironment variable:$ ARCHITECTURE=<server_architecture> (11)
1 For server_architecture, specify the architecture of the server, such asx86_64. -
Get the release image digest from Quay:
$ DIGEST="$(oc adm release info quay.io/openshift-release-dev/ocp-release:${OCP_RELEASE_NUMBER}-${ARCHITECTURE} | sed -n 's/Pull From: .*@//p')" -
Set the digest algorithm:
$ DIGEST_ALGO="${DIGEST%%:*}" -
Set the digest signature:
$ DIGEST_ENCODED="${DIGEST#*:}" -
Get the image signature from mirror.openshift.com website.
$ SIGNATURE_BASE64=$(curl -s "https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release/${DIGEST_ALGO}=${DIGEST_ENCODED}/signature-1" | base64 -w0 && echo) -
Create the ConfigMap:
$ cat >checksum-${OCP_RELEASE_NUMBER}.yaml <<EOF apiVersion: v1 kind: ConfigMap metadata: name: release-image-${OCP_RELEASE_NUMBER} namespace: openshift-config-managed labels: release.openshift.io/verification-signatures: "" binaryData: ${DIGEST_ALGO}-${DIGEST_ENCODED}: ${SIGNATURE_BASE64} EOF -
Apply the ConfigMap to the cluster to update:
$ oc apply -f checksum-${OCP_RELEASE_NUMBER}.yaml
Upgrading the restricted network cluster
Update the restricted network cluster to the OpenShift Container Platform version that you downloaded the release images for.
Prerequisites
-
You mirrored the images for the new release to your registry.
-
You applied the release image signature ConfigMap for the new release to your cluster.
-
You obtained the sha256 sum value for the release from the image signature ConfigMap.
-
Install the OpenShift Command-line Interface (CLI), commonly known as
oc, version 4.4.8 or later.
Procedure
-
Update the cluster:
$ oc adm upgrade --allow-explicit-upgrade --to-image ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}<sha256_sum_value> (1)1 The <sha256_sum_value>value is the sha256 sum value for the release from the image signature ConfigMap, for example,@sha256:81154f5c03294534e1eaf0319bef7a601134f891689ccede5d705ef659aa8c92If you use an
ImageContentSourcePolicyfor the mirror registry, you can use the canonical registry name instead ofLOCAL_REGISTRY.
Configuring image registry repository mirroring
Setting up container registry repository mirroring lets you:
-
Configure your OpenShift Container Platform cluster to redirect requests to pull images from a repository on a source image registry and have it resolved by a repository on a mirrored image registry.
-
Identify multiple mirrored repositories for each target repository, to make sure that if one mirror is down, another can be used.
Here are some of the attributes of repository mirroring in OpenShift Container Platform:
-
Image pulls are resilient to registry downtimes
-
Clusters in restricted networks can request to pull images from critical locations (such as quay.io) and have registries behind a company firewall provide the requested images.
-
A particular order of registries is tried when an image pull request is made, with the permanent registry typically being the last one tried.
-
The mirror information you enter is added to the
/etc/containers/registries.conffile on every node in the OpenShift Container Platform cluster. -
When a node makes a request for an image from the source repository, it tries each mirrored repository in turn until it finds the requested content. If all mirrors fail, the cluster tries the source repository. Upon success, the image is pulled to the node.
Setting up repository mirroring can be done in the following ways:
-
At OpenShift Container Platform installation time: By pulling container images needed by OpenShift Container Platform and then bringing those images behind your company’s firewall, you can install OpenShift Container Platform into a datacenter that is in a restricted network. See Mirroring the OpenShift Container Platform image repository for details.
-
After OpenShift Container Platform installation time: Even if you don’t configure mirroring during OpenShift Container Platform installation, you can do so later using the
ImageContentSourcePolicyobject.
The following procedure provides a post-installation mirror configuration, where you create an ImageContentSourcePolicy object that identifies:
-
The source of the container image repository you want to mirror
-
A separate entry for each mirror repository you want to offer the content requested from the source repository.
Prerequisites
-
Access to the cluster as a user with the
cluster-adminrole.
Procedure
-
Configure mirrored repositories. To do that, you can either:
-
Set up a mirrored repository with Red Hat Quay, as described in Red Hat Quay Repository Mirroring. Using Red Hat Quay allows you to copy images from one repository to another and also automatically sync those repositories repeatedly over time.
-
Use a tool such as
skopeoto copy images manually from the source directory to the mirrored repository.For example, after installing the skopeo RPM package on a Red Hat Enterprise Linux (RHEL 7 or RHEL 8) system, use the
skopeocommand as shown in this example:$ skopeo copy \ docker://registry.access.redhat.com/ubi8/ubi-minimal@sha256:5cfbaf45ca96806917830c183e9f37df2e913b187adb32e89fd83fa455ebaa6 \ docker://example.io/ubi8/ubi-minimalIn this example, you have a container image registry that is named
example.iowith an image repository namedexampleto which you want to copy theubi8/ubi-minimalimage fromregistry.access.redhat.com. After you create the registry, you can configure your OpenShift Container Platform cluster to redirect requests made of the source repository to the mirrored repository.
-
-
Log in to your OpenShift Container Platform cluster.
-
Create an
ImageContentSourcePolicyfile (for example,registryrepomirror.yaml), replacing the source and mirrors with those of your own registry and repository pairs and images:apiVersion: operator.openshift.io/v1alpha1 kind: ImageContentSourcePolicy metadata: name: ubi8repo spec: repositoryDigestMirrors: - mirrors: - example.io/example/ubi-minimal(1) source: registry.access.redhat.com/ubi8/ubi-minimal(2) - mirrors: - example.com/example/ubi-minimal source: registry.access.redhat.com/ubi8/ubi-minimal1 Indicates the name of the image registry and repository 2 Indicates the registry and repository containing the content that is mirrored -
Create the new
ImageContentSourcePolicy:$ oc create -f registryrepomirror.yamlAfter the
ImageContentSourcePolicyis created, the new settings are deployed to each node and shortly start using the mirrored repository for requests to the source repository. -
To check that the mirrored configuration worked, go to one of your nodes. For example:
-
List your nodes:
$ oc get nodeExample outputNAME STATUS ROLES AGE VERSION ip-10-0-137-44.ec2.internal Ready worker 7m v1.16.2 ip-10-0-138-148.ec2.internal Ready master 11m v1.16.2 ip-10-0-139-122.ec2.internal Ready master 11m v1.16.2 ip-10-0-147-35.ec2.internal Ready,SchedulingDisabled worker 7m v1.16.2 ip-10-0-153-12.ec2.internal Ready worker 7m v1.16.2 ip-10-0-154-10.ec2.internal Ready master 11m v1.16.2You can see that scheduling on each worker node is disabled as the change is being applied.
-
Start the debugging process:
$ oc debug node/ip-10-0-147-35.ec2.internalExample outputStarting pod/ip-10-0-147-35ec2internal-debug ... To use host binaries, run `chroot /host` -
Access the node’s files:
sh-4.2# chroot /host -
Check the
/etc/containers/registries.conffile to make sure the changes were made:unqualified-search-registries = ["registry.access.redhat.com", "docker.io"] [[registry]] location = "registry.access.redhat.com/ubi8/" insecure = false blocked = false mirror-by-digest-only = true prefix = "" [[registry.mirror]] location = "example.io/example/ubi8-minimal" insecure = false [[registry.mirror]] location = "example.com/example/ubi8-minimal" insecure = false -
Pull an image digest to the node from the source and check if it is actually resolved by the mirror. The
ImageContentSourcePolicysupports image digests only, not image tags.sh-4.2# podman pull --log-level=debug registry.access.redhat.com/ubi8/ubi-minimal@sha256:5cfbaf45ca96806917830c183e9f37df2e913b187adb32e89fd83fa455ebaa6
-
Troubleshooting repository mirroring
If the repository mirroring procedure does not work as described, use the following information about how repository mirroring works to help troubleshoot the problem.
-
The first working mirror is used to supply the pulled image.
-
The main registry will only be used if no other mirror works.
-
From the system context, the
Insecureflags are used as fallback. -
The format of the
/etc/containers/registriesfile has changed recently. It is now version 2 and in TOML format.