Setting up a host to mirror images to a private registry

You can store everything that you need to install Cloud Pak for Business Automation on a host that can be connected to the internet, and then use this host in an air-gapped environment.

Before you begin

You can use a bastion server, a portable compute device, or two compute devices with portable storage as your host.

Bastion host

A bastion host is a server that is provisioned with a public IP address that is accessible through remote access Secure Shell (SSH). When configured, the bastion server acts as an intermediate server that allows a secure connection to the instances made available without a public IP address.

Portable compute device

A portable compute device, such as a laptop, can be used to download images from the entitled registry to a portable image registry that is running locally on the device. You can then bring the device behind your firewall and copy the images from your portable registry on the device to the local private registry.

Portable storage device

A portable storage device, such as a hard disk drive, can be connected to a compute device external to your firewall to download the images. The portable storage can then be connected to a device behind the firewall so that the images can be loaded to the local private registry.

No matter what medium you choose for your air-gapped installation, the host must satisfy the following prerequisites.

  • The host must be able to access the OpenShift Container Platform (OCP) cluster, an internal image registry, and the internet.
  • The host must be on a Linux® x86_64 or Mac platform with any operating system that the IBM Cloud Pak® CLI and the OCP CLI support. If you are on a Windows platform, you must run the actions in a Linux® x86_64 VM or from a Windows Subsystem for Linux (WSL) terminal.

Procedure

  1. Install the oc OCP CLI tool 4.12.xx or later. For more information, see OCP CLI tools.
  2. Install Podman on an RHEL machine. For more information, see Podman installation instructions.
  3. Download and install the most recent version (v1.11.0 or later) of the IBM Catalog Management Plug-in.
    Option 1
    1. Download IBM Catalog Management Plug-in based on the host operating system from here.
    2. Extract the binary file by entering the following command.

      tar -xf oc-ibm_pak-linux-amd64.tar.gz
      
    3. Run the following commands to move the file to the /usr/local/bin directory.
      mv oc-ibm_pak-linux-amd64 /usr/local/bin/oc-ibm_pak
      chmod 755 /usr/local/bin/oc-ibm_pak
      Note: If you are installing as a non-root user, you must use sudo.
    4. You can confirm that the oc ibm-pak plug-in is installed by running the following command.
      oc ibm-pak --help
      

      The plug-in usage is displayed.

    Option 2

    The plug-in is also provided in a container image cp.icr.io/cpopen/cpfs/ibm-pak:TAG, where TAG must be replaced with the corresponding plug-in version. For example, use cp.icr.io/cpopen/cpfs/ibm-pak:v1.11.0 for v1.11.0 of the plug-in.

    The following command creates a container and copies the plug-ins for all the supported platforms in a directory (plugin-dir).

    Note: The command requires that you have Docker installed. For more information about how to install Docker on an RHEL machine, see How to Install Docker CE.
    id=$(podman create cp.icr.io/cpopen/cpfs/ibm-pak:TAG - )
    podman cp $id:/ibm-pak-plugin plugin-dir
    podman rm -v $id
    cd plugin-dir

    You can specify any directory name. After the plug-ins are copied, the temporary container is deleted, and the target directory contains all the binaries and artifacts in the IBM/ibm-pak-plugin GitHub repository.

  4. Download and install oc mirror version 4.14.x, which is used to mirror the images.
    1. Download the oc mirror based on the OpenShift cluster version from here.
    2. Extract the binary file by entering the following command.

      tar -xf oc-mirror.tar.gz
    3. Run the following commands to move the file to the /usr/local/bin directory.
      mv oc-mirror /usr/local/bin/oc-mirror
      chmod 755 /usr/local/bin/oc-mirror
      Note: If you are installing as a non-root user, you must use sudo.
    4. You can confirm that oc mirror is installed by running the following command.
      oc mirror help
      

      The command usage is displayed.

  5. Make sure that the following network ports are available on the host.
    Tip: If the bastion host is unable to retrieve the source images from the public registries, you might need to allow specific access to these sites. An HTTP 403 response is an indication of such a parsing error. Docker and quay image registries might use proxies or mirror sites, so if you see images blocked, check whether it is related to one of these image registries. If one of the registries is blocked, you must add that URL to the website allowlist. The following websites can be added to the allowlist to prevent image pull errors.
    cp.icr.io/cp
    *.quay.io/opencloudio
    *.icr.io/cpopen
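
The archives in Option 1 of step 3 and in step 4 are extracted and moved straight into /usr/local/bin, from where they are later used inside the air-gapped environment. As an added example (not part of the original procedure or of IBM's tooling), the following script checks an archive's SHA-256 digest before it installs the binary. The function names and EXPECTED_SHA256 are assumptions, and the expected digest must come from the publisher through a channel you trust.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded CLI archive before installing its binary.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'   # macOS fallback
  fi
}

# verify_and_install ARCHIVE EXPECTED_SHA256 MEMBER DEST
# Returns 0 on success, 1 on digest mismatch, 2 on I/O error, 3 on a suspicious member.
verify_and_install() {
  local archive=$1 member=$3 dest=$4 expected actual tmp rc
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case digests
  actual=$(sha256_of "$archive") || return 2
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $archive: got $actual" >&2
    return 1
  fi
  tmp=$(mktemp -d) || return 2
  # Extract only the named member, into a scratch directory, never into PATH
  if ! tar -xf "$archive" -C "$tmp" "$member"; then
    rm -rf "$tmp"; return 2
  fi
  # Refuse anything that is not a regular file (for example, a symlink)
  if [ -L "$tmp/$member" ] || [ ! -f "$tmp/$member" ]; then
    rm -rf "$tmp"; return 3
  fi
  # install copies the file and sets mode 755 in one step (replaces mv + chmod)
  install -m 755 "$tmp/$member" "$dest"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# Usage (EXPECTED_SHA256 is a placeholder you must set; run as root to write to /usr/local/bin):
#   verify_and_install oc-ibm_pak-linux-amd64.tar.gz "$EXPECTED_SHA256" \
#     oc-ibm_pak-linux-amd64 /usr/local/bin/oc-ibm_pak
```

A mismatch leaves the destination untouched, so a tampered or truncated download never reaches the directory that is carried behind the firewall.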

What to do next

You can now download the CASE files. For more information, see Setting up a private registry.