Setting up a host to mirror images to a private registry

You can store everything that you need to install Cloud Pak for Business Automation on a host that can be connected to the internet, and then use this host in an air-gapped environment.

Before you begin

You can use a bastion server, a portable compute device, or two compute devices with portable storage as your host.

Bastion host

A bastion host is a server that is provisioned with a public IP address that is accessible through remote access Secure Shell (SSH). When configured, the bastion server acts as an intermediate server that allows a secure connection to the instances made available without a public IP address.

Portable compute device

A portable compute device, such as a laptop, can be used to download images from the entitled registry to a portable image registry that is running locally on the device. You can then bring the device behind your firewall and copy the images from your portable registry on the device to the local private registry.

Portable storage device

A portable storage device, such as a hard disk drive, can be connected to a compute device external to your firewall to download the images. The portable storage can then be connected to a device behind the firewall so that the images can be loaded to the local private registry.

No matter what medium you choose for your air-gapped installation, the host must satisfy the following prerequisites.

  • An OpenShift Container Platform (OCP) 4.6+ cluster must be installed. For more information, see Preparing for a production deployment.
  • The host must be able to access the OCP cluster, an internal image registry, and the internet.
  • The host must be on a Linux® x86_64 or Mac platform with any operating system that the IBM Cloud Pak® CLI and the OpenShift Container Platform CLI support. If you are on a Windows platform, you must run the actions in a Linux® x86_64 VM or from a Windows Subsystem for Linux (WSL) terminal.

Procedure

  1. Install the oc OCP CLI tool. For more information, see OCP CLI tools.
  2. Install OpenSSL version 1.1.1 or higher.
  3. Install Docker and Podman on an RHEL machine.
    The Docker CE runc engine conflicts with the RHEL 8 native runc package that is needed by Podman. To install both on the same machine, install the Docker containerd.io package manually, excluding the problematic runc, and then install Docker CE. Docker then uses the runc from the RHEL 8 platform and does not conflict with any package that is needed by Podman. For more information, see How to install Docker and Podman on RHEL 8.
  4. Install the skopeo CLI version 1.x. For more information, see Installing skopeo from packages.

    To install skopeo 1.2.x, run the following commands.

    cd /etc/yum.repos.d/
    wget https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/CentOS_7/devel:kubic:libcontainers:stable.repo
    yum install skopeo
  5. Install httpd-tools.
    yum install httpd-tools
  6. Install the IBM Cloud Pak® CLI. Install version 3.10.0 or later of the binary file for your platform. For more information, see cloud-pak-cli.
    1. Download the binary file.
      wget https://github.com/IBM/cloud-pak-cli/releases/latest/download/<binary-file-name>

      For example:

      wget https://github.com/IBM/cloud-pak-cli/releases/latest/download/cloudctl-linux-amd64.tar.gz
    2. Extract the binary file.
      tar -xf <binary-file-name>
    3. Run the following commands to modify and move the file.
      chmod 755 <file-name>
      mv <file-name> /usr/local/bin/cloudctl
    4. Confirm that cloudctl is installed.
      cloudctl --help

      The cloudctl usage is displayed.

Results

The following network ports must be available on the host:

Tip: If the bastion host is unable to retrieve the source images from the public registries, you might need to allow specific access to these sites. An HTTP 403 response is an indication of such a blocked request. The Docker Hub and Quay image registries might use proxies or mirror sites, so if you see images blocked, check whether it is related to one of these image registries. If one of the registries is blocked, you must add that URL to the website allowlist. The following websites can be added to the allowlist to prevent image pull errors.
cp.icr.io/cp
*.quay.io/opencloudio
*.icr.io/cpopen
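
The following script is an added example, not part of the IBM documentation: it checks the host against the prerequisites from the procedure above (tools on PATH, OpenSSL 1.1.1 or later, skopeo 1.x, cloudctl 3.10.0 or later) and probes the three registry hosts behind the allowlist entries so that a 403 from a proxy is caught before mirroring starts. It assumes that `cloudctl version` prints a dotted version number somewhere in its output and that each registry answers its /v2/ endpoint over HTTPS; it checks the base hosts (cp.icr.io, quay.io, icr.io) rather than the wildcard paths.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): verify the host prerequisites
# from the procedure above before mirroring images.
# Assumes `cloudctl version` prints a dotted version somewhere in its output and
# that the registries answer /v2/ over HTTPS.

# extract_version TEXT -> first dotted version in TEXT, e.g.
# "OpenSSL 1.1.1k  FIPS 25 Mar 2021" -> 1.1.1k
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+[a-z]?)?' | head -n 1
}

# version_key V -> one integer so that versions compare numerically:
# "3.10.0" -> 3010000 (so 3.10.0 > 3.9.5); a letter suffix as in 1.1.1k is ignored
version_key() {
  printf '%s\n' "$1" | awk -F. '{
    for (i = 1; i <= 3; i++) gsub(/[^0-9]/, "", $i)
    printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}
# version_ge A B -> succeeds when version A is at least version B
version_ge() {
  [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}
# check_registry HOST -> succeeds when HOST answers the registry /v2/ endpoint.
# 401 is the normal reply to an unauthenticated request; 403 or no reply means
# the site is blocked by a proxy and must be added to the allowlist.
check_registry() {
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "https://$1/v2/")
  case "$code" in
    200|401) return 0 ;;
    *) echo "$1: HTTP ${code:-000} (blocked or unreachable)"; return 1 ;;
  esac
}
# check_host: tools on PATH, minimum versions from the procedure, registry access
check_host() {
  rc=0
  for t in oc openssl docker podman skopeo htpasswd cloudctl; do
    command -v "$t" >/dev/null 2>&1 || { echo "missing: $t"; rc=1; }
  done
  v=$(extract_version "$(openssl version 2>/dev/null)")
  version_ge "${v:-0}" 1.1.1 || { echo "openssl >= 1.1.1 required, found ${v:-none}"; rc=1; }
  v=$(extract_version "$(skopeo --version 2>/dev/null)")
  case "$v" in 1.*) ;; *) echo "skopeo 1.x required, found ${v:-none}"; rc=1 ;; esac
  v=$(extract_version "$(cloudctl version 2>/dev/null)")
  version_ge "${v:-0}" 3.10.0 || { echo "cloudctl >= 3.10.0 required, found ${v:-none}"; rc=1; }
  for h in cp.icr.io quay.io icr.io; do check_registry "$h" || rc=1; done
  return $rc
}
case "${1:-}" in check) check_host ;; esac   # run as: sh check-host.sh check
```

Without the `check` argument the script only defines the functions; a non-zero exit status lists every unmet requirement rather than stopping at the first one.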

What to do next

You can now set up the local image registry. For more information, see Setting up the private registry.