×

You can upgrade a restricted network OpenShift Container Platform cluster by using the oc command-line interface (CLI).

A restricted network environment is the one in which your cluster nodes cannot access the internet. For this reason, you must populate a registry with the installation images. If your registry host cannot access both the internet and the cluster, you can mirror the images to a file system that disconnected from that environment and then bring that host or removable media across that gap. If the local container registry is connected to the mirror registry’s host, you can directly push the release images to the local registry.

If multiple clusters are present within the restricted network, mirror the required release images to a single container image registry and use that registry to update all the clusters.

Prerequisites
  • Have access to the internet to obtain the necessary container images.

  • Have write access to a container registry in the restricted-network environment to push and pull images. The container registry must be compatible with Docker registry API v2.

  • You must have the oc command-line interface (CLI) tool installed.

  • Have access to the cluster as a user with admin privileges. See Using RBAC to define and apply permissions.

  • Have a recent etcd backup in case your upgrade fails and you must restore your cluster to a previous state.

Preparing your mirror host

Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to the remote location.

Installing the CLI by downloading the binary

You can install the OpenShift CLI (oc) in order to interact with OpenShift Container Platform from a command-line interface. You can install oc on Linux, Windows, or macOS.

If you installed an earlier version of oc, you cannot use it to complete all of the commands in OpenShift Container Platform 4.3. Download and install the new version of oc. If you are upgrading a cluster in a restricted network, install the oc version that you plan to upgrade to.

Installing the CLI on Linux

You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.

Procedure
  1. Navigate to the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site.

  2. Select your infrastructure provider, and, if applicable, your installation type.

  3. In the Command-line interface section, select Linux from the drop-down menu and click Download command-line tools.

  4. Unpack the archive:

    $ tar xvzf <file>
  5. Place the oc binary in a directory that is on your PATH.

    To check your PATH, execute the following command:

    $ echo $PATH

After you install the CLI, it is available using the oc command:

$ oc <command>

Installing the CLI on Windows

You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.

Procedure
  1. Navigate to the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site.

  2. Select your infrastructure provider, and, if applicable, your installation type.

  3. In the Command-line interface section, select Windows from the drop-down menu and click Download command-line tools.

  4. Unzip the archive with a ZIP program.

  5. Move the oc binary to a directory that is on your PATH.

    To check your PATH, open the command prompt and execute the following command:

    C:\> path

After you install the CLI, it is available using the oc command:

C:\> oc <command>

Installing the CLI on macOS

You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.

Procedure
  1. Navigate to the Infrastructure Provider page on the Red Hat OpenShift Cluster Manager site.

  2. Select your infrastructure provider, and, if applicable, your installation type.

  3. In the Command-line interface section, select MacOS from the drop-down menu and click Download command-line tools.

  4. Unpack and unzip the archive.

  5. Move the oc binary to a directory on your PATH.

    To check your PATH, open a terminal and execute the following command:

    $ echo $PATH

After you install the CLI, it is available using the oc command:

$ oc <command>

Configuring credentials that allow images to be mirrored

Create a container image registry credentials file that allows mirroring images from Red Hat to your mirror.

Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry.

This process requires that you have write access to a container image registry on the mirror registry and adds the credentials to a registry pull secret.

Do not use this image registry credentials file as the pull secret when you install a cluster. If you provide this file when you install cluster, all of the machines in the cluster will have write access to your mirror registry.

Prerequisites
  • You configured a mirror registry to use in your restricted network.

  • You identified an image repository location on your mirror registry to mirror images into.

  • You provisioned a mirror registry account that allows images to be uploaded to that image repository.

Procedure

Complete the following steps on the installation host:

  1. Download your registry.redhat.io pull secret from the Pull Secret page on the Red Hat OpenShift Cluster Manager site and save it to a .json file.

  2. Generate the base64-encoded user name and password or token for your mirror registry:

    $ echo -n '<user_name>:<password>' | base64 -w0 (1)
    BGVtbYk3ZHAtqXs=
    1 For <user_name> and <password>, specify the user name and password that you configured for your registry.
  3. Make a copy of your pull secret in JSON format:

    $ cat ./pull-secret.text | jq .  > <path>/<pull-secret-file>(1)
    1 Specify the path to the folder to store the pull secret in and a name for the JSON file that you create.

    The contents of the file resemble the following example:

    {
      "auths": {
        "cloud.openshift.com": {
          "auth": "b3BlbnNo...",
          "email": "you@example.com"
        },
        "quay.io": {
          "auth": "b3BlbnNo...",
          "email": "you@example.com"
        },
        "registry.connect.redhat.com": {
          "auth": "NTE3Njg5Nj...",
          "email": "you@example.com"
        },
        "registry.redhat.io": {
          "auth": "NTE3Njg5Nj...",
          "email": "you@example.com"
        }
      }
    }
  4. Edit the new file and add a section that describes your registry to it:

      "auths": {
        "<mirror_registry>": { (1)
          "auth": "<credentials>", (2)
          "email": "you@example.com"
      },
    1 For <mirror_registry>, specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example, registry.example.com or registry.example.com:5000
    2 For <credentials>, specify the base64-encoded user name and password for the mirror registry.

    The file resembles the following example:

    {
      "auths": {
        "<mirror_registry>": {
          "auth": "<credentials>",
          "email": "you@example.com"
        },
        "cloud.openshift.com": {
          "auth": "b3BlbnNo...",
          "email": "you@example.com"
        },
        "quay.io": {
          "auth": "b3BlbnNo...",
          "email": "you@example.com"
        },
        "registry.connect.redhat.com": {
          "auth": "NTE3Njg5Nj...",
          "email": "you@example.com"
        },
        "registry.redhat.io": {
          "auth": "NTE3Njg5Nj...",
          "email": "you@example.com"
        }
      }
    }
  1. Edit the new file and add a section that describes your registry to it:

      "auths": {
    ...
        "<mirror_registry>": { (1)
          "auth": "<credentials>", (2)
          "email": "you@example.com"
      },
    ...
    1 For <mirror_registry>, specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example, registry.example.com or registry.example.com:5000
    2 For <credentials>, specify the base64-encoded user name and password for the mirror registry.

    The file resembles the following example:

    {
      "auths": {
        "cloud.openshift.com": {
          "auth": "b3BlbnNo...",
          "email": "you@example.com"
        },
        "quay.io": {
          "auth": "b3BlbnNo...",
          "email": "you@example.com"
        },
        "registry.connect.redhat.com": {
          "auth": "NTE3Njg5Nj...",
          "email": "you@example.com"
        },
        "<mirror_registry>": {
          "auth": "<credentials>",
          "email": "you@example.com"
        },
        "registry.redhat.io": {
          "auth": "NTE3Njg5Nj...",
          "email": "you@example.com"
        }
      }
    }

Mirroring the OpenShift Container Platform image repository

Before you upgrade a cluster on infrastructure that you provision in a restricted network, you must mirror the required container images into that environment. You can also use this procedure in unrestricted networks to ensure your clusters only use container images that have satisfied your organizational controls on external content.

Procedure
  1. Review the OpenShift Container Platform upgrade paths to confirm that there is an upgrade path between your current and intended cluster versions.

  2. Set the required environment variables:

    $ OCP_RELEASE=<release_version> (1)
    $ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>' (2)
    $ LOCAL_REPOSITORY='<repository_name>' (3)
    $ PRODUCT_REPO='openshift-release-dev' (4)
    $ LOCAL_SECRET_JSON='<path_to_pull_secret>' (5)
    $ RELEASE_NAME='ocp-release' (6)
    $ ARCHITECTURE=<server_architecture> (7)
    $ REMOVABLE_MEDIA_PATH=<path> (8)
    1 For <release_version>, specify the tag that corresponds to the version of OpenShift Container Platform to which you want to upgrade, such as 4.5.0.
    2 For <local_registry_host_name>, specify the registry domain name for your mirror repository, and for <local_registry_host_port>, specify the port that it serves content on.
    3 For <repository_name>, specify the name of the repository to create in your registry, such as ocp4/openshift4.
    4 The repository to mirror. For a production release, you must specify openshift-release-dev.
    5 For <path_to_pull_secret>, specify the absolute path to and file name of the pull secret for your mirror registry that you created.
    6 For a production release, you must specify ocp-release.
    7 For <server_architecture>, specify the architecture of the server, such as x86_64.
    8 For <path>, specify the path to the directory to host the mirrored images.
  3. Review the images and configuration manifests to mirror:

    $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run
  4. Mirror the version images to the internal container registry.

    • If your mirror host does not have internet access, take the following actions:

      1. Connect the removable media to a system that is connected to the internet.

      2. Mirror the images and configuration manifests to a directory on the removable media:

        $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}
      3. Take the media to the restricted network environment and upload the images to the local container registry.

        $ oc image mirror  -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror 'file://openshift/release:${OCP_RELEASE}*' ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}
    • If the local container registry is connected to the mirror host, directly push the release images to the local registry:

      $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
        --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}

Creating the image ConfigMap

Before you update your cluster, you must manually create a ConfigMap that contains the signatures of the release images that you use. This signature allows the Cluster Version Operator (CVO) to verify that the release images have not been modified by comparing the expected and actual image signatures.

Creating the ConfigMap for image signature verification by using the oc CLI

Before you update your cluster, you must manually create a ConfigMap that contains the signatures of the release images that you use. This signature allows the Cluster Version Operator (CVO) to verify that the release images have not been modified by comparing the expected and actual image signatures.

If you are upgrading from a release prior to version 4.4.8, you must use the manual method for creating the ConfigMap instead of this procedure. The commands that this procedure uses are not in earlier versions of the oc command-line interface (CLI).

Prerequisites
  • Install the OpenShift Command-line Interface (CLI), commonly known as oc, version 4.4.8 or later.

Procedure
  1. Obtain the image signature for the version that you are upgrading to from either mirror.openshift.com or Google Cloud Storage (GCS).

  2. Use oc command-line interface (CLI) to log into the cluster that you are upgrading.

  3. Apply the mirrored release image signature ConfigMap to the connected cluster:

    $ oc apply -f <image_signature_file> (1)
    1 For <image_signature_file>, specify the path and name of the file, for example, mirror/config/signature-sha256-81154f5c03294534.yaml.

Creating an image signature ConfigMap manually

Create and apply the image signature ConfigMap to the cluster that you want to update.

You must perform following steps each time that you update a cluster.

Procedure
  1. Review the OpenShift Container Platform upgrade paths knowledge base article to determine a valid upgrade path for your cluster.

  2. Add the version to the OCP_RELEASE_NUMBER environment variable:

    $ OCP_RELEASE_NUMBER=<release_version> (1)
    1 For <release_version>, specify the tag that corresponds to the version of OpenShift Container Platform you want to update the cluster, such as 4.4.0.
  3. Add the system architecture for your cluster to ARCHITECTURE environment variable:

    $ ARCHITECTURE=<server_architecture> (11)
    1 For server_architecture, specify the architecture of the server, such as x86_64.
  4. Get the release image digest from Quay:

    $ DIGEST="$(oc adm release info quay.io/openshift-release-dev/ocp-release:${OCP_RELEASE_NUMBER}-${ARCHITECTURE} | sed -n 's/Pull From: .*@//p')"
  5. Set the digest algorithm:

    $ DIGEST_ALGO="${DIGEST%%:*}"
  6. Set the digest signature:

    $ DIGEST_ENCODED="${DIGEST#*:}"
  7. Get the image signature from mirror.openshift.com website.

    $ SIGNATURE_BASE64=$(curl -s "https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release/${DIGEST_ALGO}=${DIGEST_ENCODED}/signature-1" | base64 -w0 && echo)
  8. Create the ConfigMap:

    $ cat >checksum-${OCP_RELEASE_NUMBER}.yaml <<EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: release-image-${OCP_RELEASE_NUMBER}
      namespace: openshift-config-managed
      labels:
        release.openshift.io/verification-signatures: ""
    binaryData:
      ${DIGEST_ALGO}-${DIGEST_ENCODED}: ${SIGNATURE_BASE64}
    EOF
  9. Apply the ConfigMap to the cluster to update:

    $ oc apply -f checksum-${OCP_RELEASE_NUMBER}.yaml

Upgrading the restricted network cluster

Update the restricted network cluster to the OpenShift Container Platform version that you downloaded the release images for.

Prerequisites
  • You mirrored the images for the new release to your registry.

  • You applied the release image signature ConfigMap for the new release to your cluster.

  • You obtained the sha256 sum value for the release from the image signature ConfigMap.

  • Install the OpenShift Command-line Interface (CLI), commonly known as oc, version 4.4.8 or later.

Procedure
  • Update the cluster:

    $ oc adm upgrade --allow-explicit-upgrade --to-image ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}<sha256_sum_value> (1)
    1 The <sha256_sum_value> value is the sha256 sum value for the release from the image signature ConfigMap, for example, @sha256:81154f5c03294534e1eaf0319bef7a601134f891689ccede5d705ef659aa8c92

    If you use an ImageContentSourcePolicy for the mirror registry, you can use the canonical registry name instead of LOCAL_REGISTRY.

Configuring image registry repository mirroring

Setting up container registry repository mirroring lets you:

  • Configure your OpenShift Container Platform cluster to redirect requests to pull images from a repository on a source image registry and have it resolved by a repository on a mirrored image registry.

  • Identify multiple mirrored repositories for each target repository, to make sure that if one mirror is down, another can be used.

Here are some of the attributes of repository mirroring in OpenShift Container Platform:

  • Image pulls are resilient to registry downtimes

  • Clusters in restricted networks can request to pull images from critical locations (such as quay.io) and have registries behind a company firewall provide the requested images.

  • A particular order of registries is tried when an image pull request is made, with the permanent registry typically being the last one tried.

  • The mirror information you enter is added to the /etc/containers/registries.conf file on every node in the OpenShift Container Platform cluster.

  • When a node makes a request for an image from the source repository, it tries each mirrored repository in turn until it finds the requested content. If all mirrors fail, the cluster tries the source repository. Upon success, the image is pulled to the node.

Setting up repository mirroring can be done in the following ways:

  • At OpenShift Container Platform installation time: By pulling container images needed by OpenShift Container Platform and then bringing those images behind your company’s firewall, you can install OpenShift Container Platform into a datacenter that is in a restricted network. See Mirroring the OpenShift Container Platform image repository for details.

  • After OpenShift Container Platform installation time: Even if you don’t configure mirroring during OpenShift Container Platform installation, you can do so later using the ImageContentSourcePolicy object.

The following procedure provides a post-installation mirror configuration, where you create an ImageContentSourcePolicy object that identifies:

  • The source of the container image repository you want to mirror

  • A separate entry for each mirror repository you want to offer the content requested from the source repository.

Prerequisites
  • Access to the cluster as a user with the cluster-admin role.

Procedure
  1. Configure mirrored repositories. To do that, you can either:

    • Set up a mirrored repository with Red Hat Quay, as described in Red Hat Quay Repository Mirroring. Using Red Hat Quay allows you to copy images from one repository to another and also automatically sync those repositories repeatedly over time.

    • Use a tool such as skopeo to copy images manually from the source directory to the mirrored repository.

      For example, after installing the skopeo RPM package on a Red Hat Enterprise Linux (RHEL 7 or RHEL 8) system, use the skopeo command as shown in this example:

      $ skopeo copy \
         docker://registry.access.redhat.com/ubi8/ubi-minimal@sha256:5cfbaf45ca96806917830c183e9f37df2e913b187adb32e89fd83fa455ebaa6 \
         docker://example.io/ubi8/ubi-minimal

      In this example, you have a container image registry that is named example.io with an image repository named example to which you want to copy the ubi8/ubi-minimal image from registry.access.redhat.com. After you create the registry, you can configure your OpenShift Container Platform cluster to redirect requests made of the source repository to the mirrored repository.

  2. Log in to your OpenShift Container Platform cluster.

  3. Create an ImageContentSourcePolicy file (for example, registryrepomirror.yaml), replacing the source and mirrors with those of your own registry and repository pairs and images:

    apiVersion: operator.openshift.io/v1alpha1
    kind: ImageContentSourcePolicy
    metadata:
      name: ubi8repo
    spec:
      repositoryDigestMirrors:
      - mirrors:
        - example.io/example/ubi-minimal(1)
        source: registry.access.redhat.com/ubi8/ubi-minimal(2)
      - mirrors:
        - example.com/example/ubi-minimal
        source: registry.access.redhat.com/ubi8/ubi-minimal
    1 Indicates the name of the image registry and repository
    2 Indicates the registry and repository containing the content that is mirrored
  4. Create the new ImageContentSourcePolicy:

    $ oc create -f registryrepomirror.yaml

    After the ImageContentSourcePolicy is created, the new settings are deployed to each node and shortly start using the mirrored repository for requests to the source repository.

  5. To check that the mirrored configuration worked, go to one of your nodes. For example:

    1. List your nodes:

      $ oc get node
      Example output
      NAME                           STATUS                     ROLES    AGE  VERSION
      ip-10-0-137-44.ec2.internal    Ready                      worker   7m   v1.16.2
      ip-10-0-138-148.ec2.internal   Ready                      master   11m  v1.16.2
      ip-10-0-139-122.ec2.internal   Ready                      master   11m  v1.16.2
      ip-10-0-147-35.ec2.internal    Ready,SchedulingDisabled   worker   7m   v1.16.2
      ip-10-0-153-12.ec2.internal    Ready                      worker   7m   v1.16.2
      ip-10-0-154-10.ec2.internal    Ready                      master   11m  v1.16.2

      You can see that scheduling on each worker node is disabled as the change is being applied.

    2. Start the debugging process:

      $ oc debug node/ip-10-0-147-35.ec2.internal
      Example output
      Starting pod/ip-10-0-147-35ec2internal-debug ...
      To use host binaries, run `chroot /host`
    3. Access the node’s files:

      sh-4.2# chroot /host
    4. Check the /etc/containers/registries.conf file to make sure the changes were made:

      unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]
      [[registry]]
        location = "registry.access.redhat.com/ubi8/"
        insecure = false
        blocked = false
        mirror-by-digest-only = true
        prefix = ""
      
        [[registry.mirror]]
          location = "example.io/example/ubi8-minimal"
          insecure = false
      
        [[registry.mirror]]
          location = "example.com/example/ubi8-minimal"
          insecure = false
    5. Pull an image digest to the node from the source and check if it is actually resolved by the mirror. The ImageContentSourcePolicy supports image digests only, not image tags.

      sh-4.2# podman pull --log-level=debug registry.access.redhat.com/ubi8/ubi-minimal@sha256:5cfbaf45ca96806917830c183e9f37df2e913b187adb32e89fd83fa455ebaa6
Troubleshooting repository mirroring

If the repository mirroring procedure does not work as described, use the following information about how repository mirroring works to help troubleshoot the problem.

  • The first working mirror is used to supply the pulled image.

  • The main registry will only be used if no other mirror works.

  • From the system context, the Insecure flags are used as fallback.

  • The format of the /etc/containers/registries file has changed recently. It is now version 2 and in TOML format.