Closed
82 changes: 37 additions & 45 deletions modules/installation-mirror-repository.adoc
Expand Up @@ -33,20 +33,36 @@ x509: certificate relies on legacy Common Name field, use SANs or temporarily en

Complete the following steps on the mirror host:

[NOTE]
====
Optionally, you can use image tag name instead of image digest in the following commands.
====

. Review the
link:https://access.redhat.com/downloads/content/290/[{product-title} downloads page]
to determine the version of {product-title} that you want to install and determine the corresponding tag on the link:https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags[Repository Tags] page.
to determine the version of {product-title} that you want to install.
The image release advisory includes the pullspec repository and digest. For example, link:https://access.redhat.com/downloads/content/290/ver={product-version}/rhel---8/[In the errata tab here],
uses `quay.io/openshift-release-dev/ocp-release` for the pullspec repository.

. Set the required environment variables:
.. Export the release version:
.. Export the image repository from the image release advisory:
Member

nit: Preexisting wording, so feel free to ignore, but OCP_RELEASE_REPOSITORY=... is setting a variable, not exporting it (which would be export OCP_RELEASE_REPOSITORY=...). I'd use "Declare the image repository..." or something else to avoid saying "export" and risking confusion with export. Also in this space here and discussion in #22008.

+
[source,terminal]
----
$ OCP_RELEASE_REPOSITORY=quay.io/openshift-release-dev/ocp-release
----

.. Export the release digest from the image release advisory:
+
[source,terminal]
----
$ OCP_RELEASE=<release_version>
$ OCP_RELEASE_DIGEST=<release_digest>
----
+
For `<release_version>`, specify the tag that corresponds to the version of {product-title} to
install, such as `4.5.4`.
For `<release_digest>`, specify the digest from the release image advisory, such as
`sha256:4d048ae1274d11c49f9b7e70713a072315431598b2ddbb512aee4027c422fe3e`.
+
If you want to inspect a particular release image, use `oc adm release info "${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST}`.

.. Export the local registry name and host port:
+
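Review bot: The inline `oc adm release info` example in the last paragraph of this hunk opens a double quote before `${OCP_RELEASE_REPOSITORY}` and never closes it, so a reader who pastes it lands at a shell continuation prompt. Close the quote after `${OCP_RELEASE_DIGEST}`. Since the digest is now the only thing identifying the release, consider making that `release info` call a numbered step so readers confirm the digest resolves to the version they intended before mirroring.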
Expand All @@ -69,15 +85,17 @@ $ LOCAL_REPOSITORY='<local_repository_name>'
For `<local_repository_name>`, specify the name of the repository to create in your
registry, such as `ocp4/openshift4`.

.. Export the name of the repository to mirror:
.. Export a tag name for the mirrored release image:
+
ifndef::openshift-origin[]
[source,terminal]
----
$ PRODUCT_REPO='openshift-release-dev'
$ LOCAL_TAG=<local_tag>
----
+
For a production release, you must specify `openshift-release-dev`.
For `<local_tag>`, you may specify any tag name compatible with your local registry.
To avoid conflicts, a safe pattern includes both the version of {product-title} to
install, and the architecture for the release image, such as `x86_64`.
endif::[]
ifdef::openshift-origin[]
[source,terminal]
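Review bot: `LOCAL_TAG` is introduced in the `ifndef::openshift-origin[]` branch here, but none of the mirror or extract commands shown in this diff reference it; they pass `${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST}` to `--to-release-image` instead. Either use it as the destination tag, for example `--to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${LOCAL_TAG}`, or drop the step.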
Expand All @@ -95,32 +113,6 @@ $ LOCAL_SECRET_JSON='<path_to_pull_secret>'
+
For `<path_to_pull_secret>`, specify the absolute path to and file name of the pull secret for your mirror registry that you created.

.. Export the release mirror:
+
ifndef::openshift-origin[]
[source,terminal]
----
$ RELEASE_NAME="ocp-release"
----
+
For a production release, you must specify `ocp-release`.
endif::[]
ifdef::openshift-origin[]
[source,terminal]
----
$ RELEASE_NAME="okd"
----
endif::[]

ifndef::openshift-origin[]
.. Export the type of architecture for your server, such as `x86_64`:
+
[source,terminal]
----
$ ARCHITECTURE=<server_architecture>
----
endif::[]

.. Export the path to the directory to host the mirrored images:
+
[source,terminal]
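Review bot: Dropping the `RELEASE_NAME="okd"` branch removes the only OKD-specific source value visible in this file, while the replacement `OCP_RELEASE_REPOSITORY=quay.io/openshift-release-dev/ocp-release` earlier in the diff is set without an `ifdef::openshift-origin[]` alternative. If the origin build is meant to mirror from a different repository, the repository step needs the same conditional that the removed step had.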
Expand All @@ -147,9 +139,9 @@ ifndef::openshift-origin[]
[source,terminal]
----
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} \
--from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
--from=${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST} \
--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
--to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run
--to-release-image=${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST} --dry-run
----
endif::[]

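Review bot: In the dry-run command, `--to-release-image` now has the same value as `--from`, so the release image is addressed to the upstream repository rather than the mirror; the line it replaces pointed at `${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}`. Keep the local destination and change only the tag, for example `${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${LOCAL_TAG}`, so the dry run previews the same destination the real run writes to.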
Expand All @@ -160,13 +152,13 @@ command. The information about your mirrors is unique to your mirrored repositor
ifdef::openshift-origin[]
[source,terminal]
----
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror ${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST}
----
endif::[]
ifndef::openshift-origin[]
[source,terminal]
----
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror ${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST}
----
endif::[]

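Review bot: After this change the `ifdef::openshift-origin[]` and `ifndef::openshift-origin[]` blocks contain the same `--to-dir` command, so the conditional no longer selects anything. Collapse them into a single `[source,terminal]` block, and quote the pullspec the way the `oc adm release extract` examples do: `"${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST}"`.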
Expand All @@ -186,18 +178,18 @@ ifdef::openshift-origin[]
[source,terminal]
----
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} \
--from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} \
--from=${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST} \
--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
--to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}
--to-release-image=${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST}
----
endif::[]
ifndef::openshift-origin[]
[source,terminal]
----
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} \
--from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
--from=${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST} \
--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
--to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}
--to-release-image=${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST}
----
endif::[]
+
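Review bot: Both branches of the non-dry-run mirror command set `--to-release-image=${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST}`, which names the upstream source rather than a location under `${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}` as the replaced lines did. Point it at the local registry, and since the two branches are now identical, a single unconditional block is enough.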
Expand All @@ -218,20 +210,20 @@ mirrored, extract it and pin it to the release:
+
[source,terminal]
----
$ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}"
$ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-install "${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST}"
----
** If the local container registry is connected to the mirror host, run the following command:
+
ifdef::openshift-origin[]
[source,terminal]
----
$ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}"
$ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-install "${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST}"
----
endif::[]
ifndef::openshift-origin[]
[source,terminal]
----
$ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}"
$ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-install "${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST}"
----
endif::[]
+
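Review bot: All three `oc adm release extract` commands now take `openshift-install` from `${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST}`, the upstream pullspec, where the replaced lines extracted from `${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}`. The step is about extracting the installer from the mirrored content and pinning it to that release, and the second case explicitly assumes the local registry is reachable, so keep the local registry in the pullspec and change only how the image is addressed, for example `${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${LOCAL_TAG}`.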
78 changes: 41 additions & 37 deletions modules/update-mirror-repository.adoc
Expand Up @@ -9,17 +9,29 @@ Before you upgrade a cluster on infrastructure that you provision in a restricte

.Procedure



. Use the link:https://access.redhat.com/labs/ocpupgradegraph/update_channel[Red Hat {product-title} Upgrade Graph visualizer and update planner] to plan an upgrade from one version to another. The OpenShift Upgrade Graph provides channel graphs and a way to confirm that there is an update path between your current and intended cluster versions.

. Set the required environment variables:
.. Export the release version:
.. Export the image repository from the image release advisory:
+
[source,terminal]
----
$ export OCP_RELEASE=<release_version>
$ OCP_RELEASE_REPOSITORY=quay.io/openshift-release-dev/ocp-release
----

.. Export the release digest from the image release advisory:
+
For `<release_version>`, specify the tag that corresponds to the version of {product-title} to which you want to upgrade, such as `4.5.4`.
[source,terminal]
----
$ OCP_RELEASE_DIGEST=<release_digest>
----
+
For `<release_digest>`, specify the digest from the release image advisory, such as
`sha256:4d048ae1274d11c49f9b7e70713a072315431598b2ddbb512aee4027c422fe3e`.
+
If you want to inspect a particular release image, use `oc adm release info "${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST}`.

.. Export the local registry name and host port:
+
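Review bot: The `oc adm release info` example at the end of this hunk has an opening double quote with no closing one after `${OCP_RELEASE_DIGEST}`. With `OCP_RELEASE` removed, nothing in the procedure ties the digest back to the version chosen in the Upgrade Graph step, so promoting that `release info` command to a numbered check would let readers confirm the digest resolves to the version they planned for.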
Expand All @@ -42,15 +54,6 @@ $ LOCAL_REPOSITORY='<local_repository_name>'
For `<local_repository_name>`, specify the name of the repository to create in your
registry, such as `ocp4/openshift4`.

.. Export the name of the repository to mirror:
+
[source,terminal]
----
$ PRODUCT_REPO='openshift-release-dev'
----
+
For a production release, you must specify `openshift-release-dev`.

.. Export the path to your registry pull secret:
+
[source,terminal]
Expand All @@ -65,22 +68,6 @@ For `<path_to_pull_secret>`, specify the absolute path to and file name of the p
If your cluster uses an `ImageContentSourcePolicy` object to configure repository mirroring, you can use only global pull secrets for mirrored registries. You cannot add a pull secret to a project.
====

.. Export the release mirror:
+
[source,terminal]
----
$ RELEASE_NAME="ocp-release"
----
+
For a production release, you must specify `ocp-release`.

.. Export the type of architecture for your server, such as `x86_64`.:
+
[source,terminal]
----
$ ARCHITECTURE=<server_architecture>
----

.. Export the path to the directory to host the mirrored images:
+
[source,terminal]
Expand All @@ -89,26 +76,33 @@ $ REMOVABLE_MEDIA_PATH=<path> <1>
----
<1> Specify the full path, including the initial forward slash (/) character.

. Review the images and configuration manifests to mirror:
. Mirror the version images to the internal container registry:
** If your mirror host does not have internet access, take the following actions:
... Connect the removable media to a system that is connected to the internet.
... Review the images and configuration manifests to mirror:
+
[source,terminal]
----
$ oc adm -a ${LOCAL_SECRET_JSON} release mirror \
--from=${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST} \
--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
--to-release-image=${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST} --dry-run
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run
Member

Mirroring to removable media is useful if you can't mirror directly to the local registry and need to sneakernet the data in. So when you add the direct-to-local-registry command above while keeping the to-disk command here, it seems like it's conflicted about the network environment. Maybe these need to get split into restricted-network and connected-network cases, with one command in each case?

----
. Mirror the version images to the internal container registry.
** If your mirror host does not have internet access, take the following actions:
... Connect the removable media to a system that is connected to the internet.
... Mirror the images and configuration manifests to a directory on the removable media:

... Record the entire `ImageContentSourcePolicy` section from the output of the previous
command. The information about your mirrors is unique to your mirrored repository, and you must ensure your in-cluster `ImageContentSourcePolicy` includes the entries needed for the mirrored release.
... Mirror the images to a directory on the removable media:
+
[source,terminal]
----
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror ${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST}
----
... Take the media to the restricted network environment and upload the images to the local container registry.
+
[source,terminal]
----
$ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} <1>
$ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:4.*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}

@jianlinliu jianlinliu Nov 8, 2021

'4.*' ? Is there a more accurate way to get the desired local files? Actually the detailed command can be referenced from the output of oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror ${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST}

Contributor Author

@wking Need your inputs here.

Member

@wking wking Dec 14, 2021

You need to mirror all the images from the removable media, not just the release image. These docs use {OCP_RELEASE}*, in case that helps. You might be fine with a bare * too, if you document the assumption that removable media didn't have other content under mirror before the start of this mirror flow.

----
+
<1> For `REMOVABLE_MEDIA_PATH`, you must use the same path that you specified when you mirrored the images.
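Review bot: The `<1>` callout marker is dropped from the replacement `oc image mirror` line, but the callout text `<1> For REMOVABLE_MEDIA_PATH, ...` is still present below it, which leaves a dangling callout. Restore the marker on the command or turn the callout into a plain sentence. The new dry-run line is also written `oc adm -a ${LOCAL_SECRET_JSON} release mirror`, while the other commands in this hunk put `-a` after `release mirror`; use one order throughout.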
Expand All @@ -117,11 +111,21 @@ $ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mi
+
[source,terminal]
----
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} --apply-release-image-signature
$ oc adm -a ${LOCAL_SECRET_JSON} release mirror \
--from=${OCP_RELEASE_REPOSITORY}@${OCP_RELEASE_DIGEST} \
--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
--apply-release-image-signature
----
+
... Record the entire `ImageContentSourcePolicy` section from the output of the previous
command. The information about your mirrors is unique to your mirrored repository, and you must ensure your in-cluster `ImageContentSourcePolicy` includes the entries needed for the mirrored release.
+
[NOTE]
====
If you include the `--apply-release-image-signature` option, do not create the config map for image signature verification.
====

[NOTE]
====
Optionally, you can use image tag name instead of image digest in the previous commands.
====
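Review bot: The closing NOTE says a tag can replace the digest "in the previous commands", yet this change removes `OCP_RELEASE` and shows no tag-form pullspec, so readers have nothing to substitute. A tag can also be repointed upstream while a digest cannot, so if the note stays it should show the tag form and state that the digest is what binds the mirrored content to the release image advisory.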