Full procedure for creating a registry

YonatanGolick edited this page Jan 21, 2021 · 1 revision

Creating the registry

Connect to the server that is going to host the registry and follow the instructions.

  1. Open the firewall port on the server that is going to host the registry:

    firewall-cmd --zone=public --add-port=5000/tcp --permanent
    
    firewall-cmd --reload
    
  2. Create the following directories

    mkdir -p /opt/registry/{auth,certs,data}
    
  3. Generate the self-signed certificate for the registry and put it in the /opt/registry/certs/ directory

    cd /opt/registry/certs/
    
    vim csr_answer.txt
     
    [req]
    default_bits = 4096
    prompt = no
    default_md = sha256
    x509_extensions = req_ext
    req_extensions = req_ext
    distinguished_name = dn
    [ dn ]
    C=US
    ST=New York
    L=New York
    O=MyOrg
    OU=MyOU
    emailAddress=me@working.me
    CN=rubicone-foreman.ocp4.local
    [ req_ext ]
    subjectAltName = @alt_names
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical, CA:true
    keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    [ alt_names ]
    DNS.1 = rubicone-foreman.ocp4.local
    DNS.2 = rubicone-foreman
    
    openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key \
      -x509 -days 3650 -out domain.crt -config csr_answer.txt
    
  4. Add the newly created certificate to the host's CA trust store

    cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
    update-ca-trust extract
    
  5. Create an htpasswd file in /opt/registry/auth/ for the container to use

    htpasswd -bBc /opt/registry/auth/htpasswd regi regi
    
  6. Create and start the registry container

    podman run --name mirror-registry -d -p 5000:5000 \
      -v /opt/registry/data:/var/lib/registry:z \
      -v /opt/registry/auth:/auth:z \
      -v /opt/registry/certs:/certs:z \
      -e "REGISTRY_AUTH=htpasswd" \
      -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
      -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
      -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
      docker.io/library/registry:2
    
  7. Confirm that the registry is reachable, both from the registry host and from the installer server

    curl -u regi:regi -k https://rubicone-foreman.ocp4.local:5000/v2/ocp4/openshift4/tags/list
    

Adding the registry to your pull secret

  1. Connect to your installer server

  2. Download the pull-secret.txt file from the Red Hat OpenShift site

  3. Generate the base64-encoded username and password and save the output

    echo -n 'regi:regi' | base64 -w0
    cmVnaTpyZWdp
    
  4. Make a copy of your pull secret in JSON format

    jq . pull-secret.txt > pull-secret.json
    
  5. Edit the pull-secret.json file and add a section for your newly created registry at the top of the "auths" object, as shown here

     {
       "auths": {
         "rubicone-foreman.ocp4.local": {
           "auth": "cmVnaTpyZWdp",
           "email": "yonatangolick@rubicone.co.il"
         },
         "cloud.openshift.com": {
           "auth": "b3BlbnNoaWZ0LXJlbGVhc2UtZGV2K29jbV9hY2Nlc3NfYzM4YWEzODdiZGRiNDhhNTg3YmQ0OGE1MGZhZDQ5ZWM6RlFLTVBPUUVTSjhOWVNRWDZYQThJWDJRQTdRWTRSV1JWU05RVzZYVjRBT0E5R1FEWTIwMFU5MFNIU1QwME9SSg==",
           "email": "yonatangolick@rubicone.co.il"
         },
         "quay.io": {
           "auth": "b3BlbnNoaWZ0LXJlbGVhc2UtZGV2K29jbV9hY2Nlc3NfYzM4YWEzODdiZGRiNDhhNTg3YmQ0OGE1MGZhZDQ5ZWM6RlFLTVBPUUVTSjhOWVNRWDZYQThJWDJRQTdRWTRSV1JWU05RVzZYVjRBT0E5R1FEWTIwMFU5MFNIU1QwME9SSg==",
           "email": "yonatangolick@rubicone.co.il"
         },
         "registry.connect.redhat.com": {
           "auth": "<auth token omitted from this page>",
           "email": "yonatangolick@rubicone.co.il"
         },
         "registry.redhat.io": {
           "auth": "NTM1MjcxNjV8dWhjLTFnMlFqVHZNRnRNTlAzR2pWdng0Um1VYWJ6RzpleUpoYkdjaU9pSlNVelV4TWlKOS5leUp6ZFdJaU9pSTNOelprTkRJeFptTXlPVGMwTVRRNVlXUXpNV1U1T1daaFpEZGhZekprTUNKOS51YV9WYUdaR0xXYWpBdzRwMU1CbWdXdkVmYUFzc1dWc1FYNzNTWlVGa0Y1N1QzckloTG1vbm9WUE96N1l0dlI3bmVNODg2WTJtanpPb0haMC14OTlyYkxJNnpXNXFFT0wxX1NsSDBPNG1WR3BXYVVJWXhsM2g1N1lwcERkTmcyOGVDSWNWcVE0OGRhZVZDamtybjJHci1ScU84NDgzMkc3dThna2xDRVRSamxzbnVSa2JiSGRpd05TYXBrWEFERWVsWm90Si1MbHJmN1FJOEhTbUwtXzZIOEd2b3dabTdudW9OTS03ZEVSelNHazE1ay00SHpvYWYyTldER010cEVNSnQta2ZJbk1QMWZlbUIwVG5lRXdXbTNkWElxMkQySi1CUnpxazJuQS1XeENmanZEdEFMQTJ0c3owTUxqZnZOcElhYjZ4WEMzcHpjQjZMVnM3UTBUYTF4bGlXZnpFOV82N1d4WEFtUjdjNDdGTGJwVkxnVzZQMmNhTmVzbFJfZjBZWk9VMUJVUXB3Y3l3eVJpUUtpYWtGLXpLM2RyRGlDLUx6SjlxWDJ4Qml6clpaZDQ1LTJwaEw4Rjg3UmxobVJrZ1l4aFNDY3gxRVRjY2p5cWhhQXpEdVYySmo2d0JINXBiUDZCR2xVRm5nNUk3b2VBUHV4M1lWTGNNSFVNRzBnTVBWdkpfRnpnUnprNzUwWnNLYTU5UVJySTM4R2Jhc2lYR2haMVlEWjJjWldhbEttSW1IaEpqemNSWXVSa3NFOVBzeGJjRmNmT0pCTGRQZWZhMzVxVzJsX3k4RU5nZi11d21GNVpEZzFHY2NVY0xsSUZXNVFKS3RmXzRVejZ0aUFDUUxnVTFYcW9PdVlFZG1xRWQtVVpjdUJYZW93aVVBY18xNEhJMmtZeGpNSQ==",
           "email": "yonatangolick@rubicone.co.il"
         }
       }
     }
    
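
Editing the JSON by hand is error-prone, so here is a small script (added here, not part of the original procedure) that performs steps 3 to 5 programmatically: it builds the base64 `user:password` value, inserts the new registry entry next to the existing ones, and checks that the stored value decodes back to the expected username. The sample pull secret and its placeholder tokens are constructed for the example; python3 on the installer host is assumed.

```python
import base64
import json

# Constructed sample pull secret with placeholder tokens (not real credentials).
SAMPLE_PULL_SECRET = json.dumps({
    "auths": {
        "quay.io": {"auth": "PLACEHOLDER_QUAY_TOKEN", "email": "me@example.com"},
        "registry.redhat.io": {"auth": "PLACEHOLDER_RH_TOKEN", "email": "me@example.com"},
    }
})


def add_registry_auth(pull_secret: str, registry: str, username: str,
                      password: str, email: str) -> str:
    """Return the pull secret with an entry for `registry` added.

    The "auth" value is base64("user:password"), the same value the procedure
    produces with `echo -n 'regi:regi' | base64 -w0`. Existing entries are
    kept; an existing entry for the same registry is replaced.
    """
    secret = json.loads(pull_secret)
    auths = secret.setdefault("auths", {})
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    auths[registry] = {"auth": token, "email": email}
    return json.dumps(secret, indent=2)


def check_registry_auth(pull_secret: str, registry: str, username: str) -> bool:
    """True if the entry exists and its auth value decodes to '<username>:...'."""
    entry = json.loads(pull_secret).get("auths", {}).get(registry)
    if entry is None:
        return False
    try:
        decoded = base64.b64decode(entry["auth"], validate=True).decode()
    except (ValueError, KeyError, UnicodeDecodeError):
        return False
    return decoded.split(":", 1)[0] == username


if __name__ == "__main__":
    # Same registry name and credentials as the procedure above.
    registry = "rubicone-foreman.ocp4.local"
    merged = add_registry_auth(SAMPLE_PULL_SECRET, registry, "regi", "regi",
                               "me@example.com")
    print(merged)
    print("entry ok" if check_registry_auth(merged, registry, "regi") else "entry BAD")
```

To use it on the real file, read pull-secret.txt, pass its contents to add_registry_auth, and write the result to pull-secret.json; the tokens for the Red Hat registries pass through unchanged.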

Mirroring the OpenShift image repository

  1. Set the required environment variables

    export OCP_RELEASE=4.6.2
    export LOCAL_REGISTRY='rubicone-foreman.ocp4.local:5000'
    export LOCAL_REPOSITORY='ocp4/openshift4'
    export PRODUCT_REPO='openshift-release-dev'
    export RELEASE_NAME="ocp-release"
    export ARCHITECTURE='ppc64le'
    export LOCAL_SECRET_JSON='/root/install/pull-secret.json'
    
  2. Mirror the images to the internal container registry

    oc adm release mirror -a ${LOCAL_SECRET_JSON} \
      --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
      --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
      --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}