Setting up a host to mirror images to a private registry
You can store everything that you need to install Cloud Pak for Business Automation on a host that can connect to the internet, and then use this host in an air-gapped environment.
Before you begin
You can use a bastion server, a portable compute device, or two compute devices with portable storage as your host.
- Bastion host
  A bastion host is a server that is provisioned with a public IP address that is accessible through remote access Secure Shell (SSH). When configured, the bastion server acts as an intermediate server that allows a secure connection to the instances made available without a public IP address.
- Portable compute device
  A portable compute device, such as a laptop, can be used to download images from the entitled registry to a portable image registry that is running locally on the device. You can then bring the device behind your firewall and copy the images from your portable registry on the device to the local private registry.
- Portable storage device
  A portable storage device, such as a hard disk drive, can be connected to a compute device external to your firewall to download the images. The portable storage can then be connected to a device behind the firewall so that the images can be loaded to the local private registry.
No matter what medium you choose for your air-gapped installation, the host must satisfy the following prerequisites.
- An OpenShift Container Platform (OCP) 4.6+ cluster must be installed. For more information, see Preparing for a production deployment.
- The host must be able to access the OCP cluster, an internal image registry, and the internet.
- The host must be on a Linux® x86_64 or Mac platform with any operating system that the IBM Cloud Pak® CLI and the OpenShift Container Platform CLI support. If you are on a Windows platform, you must run the actions in a Linux® x86_64 VM or from a Windows Subsystem for Linux (WSL) terminal.
Procedure
Results
The following network ports must be available on the host:
- *.icr.io:443 for the IBM Entitled Registry.
- *.quay.io:443 for foundational services. For more information, see Important firewall changes for customers pulling container images.
- github.com for CASE and tools.
- redhat.com for OpenShift upgrades.
cp.icr.io/cp
*.quay.io/opencloudio
*.icr.io/cpopen
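
A preflight check for the endpoints listed above, written as an added example that is not part of the IBM documentation. It assumes `cp.icr.io` and `quay.io` as concrete stand-ins for the wildcard entries, port 443 for `github.com` and `redhat.com` (the page gives none), and GNU `timeout` on the host; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: verify outbound reachability from the mirroring host.
# Constructed list: wildcard entries (*.icr.io, *.quay.io) cannot be probed,
# so one concrete host is assumed for each.
ENDPOINTS="cp.icr.io:443 quay.io:443 github.com redhat.com"
DEFAULT_PORT=443   # assumption: used when an entry carries no port

# Split "host[:port]" into "host port"; reject wildcards and invalid ports.
parse_endpoint() {
  local entry=$1 host port
  host=${entry%%:*}
  if [ "$host" = "$entry" ]; then port=$DEFAULT_PORT; else port=${entry##*:}; fi
  case $host in ''|*'*'*) return 2 ;; esac
  case $port in ''|*[!0-9]*) return 2 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
  printf '%s %s\n' "$host" "$port"
}

# TCP connect with a timeout through bash's /dev/tcp (needs GNU timeout).
probe_tcp() {
  timeout "${PROBE_TIMEOUT:-5}" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Probe each endpoint, print one status line per entry, and return the
# number of entries that failed or could not be parsed.
check_endpoints() {
  local probe=${PROBE:-probe_tcp} entry parsed failures=0
  for entry in "$@"; do
    if ! parsed=$(parse_endpoint "$entry"); then
      echo "SKIP  $entry (not a concrete host:port)"
      failures=$((failures + 1))
      continue
    fi
    # $parsed is split on purpose into the host and port arguments.
    if $probe $parsed; then
      echo "OK    $parsed"
    else
      echo "FAIL  $parsed"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Run the real probes only when asked: ./preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  check_endpoints $ENDPOINTS
fi
```

A successful connect shows only that the port is reachable from the host; it does not validate TLS, proxy behaviour, or registry credentials.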
What to do next
You can now set up the local image registry. For more information, see Setting up the private registry.