[WIP]Agent-249: disconnected install through Agent-based Installer #53132
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| :_content-type: ASSEMBLY | ||
| [id="understanding-disconnected-installation-mirroring"] | ||
| = Understanding disconnected installation mirroring | ||
| include::_attributes/common-attributes.adoc[] | ||
| :context: understanding-disconnected-installation-mirroring | ||
|
|
||
| toc::[] | ||
| // Reusing applicable content from Disconnected installation mirroring assembly | ||
|
|
||
| You can use a mirror registry to ensure that your clusters only use container images that satisfy your organizational controls on external content. Before you install a cluster on infrastructure that you provision in a disconnected environment, you must mirror the required container images into that environment. To mirror container images, you must have a registry for mirroring. | ||
|
|
||
| [id="agent-install-mirroring-images-disconnected"] | ||
| == Mirroring images for a disconnected installation through the Agent-based Installer | ||
|
|
||
| You can use one of the following procedures to mirror your {product-title} image repository to your mirror registry: | ||
|
|
||
| * xref:../../installing/disconnected_install/installing-mirroring-installation-images.adoc#installing-mirroring-installation-images[Mirroring images for a disconnected installation] | ||
| * xref:../../installing/disconnected_install/installing-mirroring-disconnected.adoc#installing-mirroring-disconnected[Mirroring images for a disconnected installation using the oc-mirror plug-in] | ||
|
|
||
| You can ensure your clusters only use container images that satisfy your organizational controls on external content. Before you install a cluster on infrastructure that you provision in a disconnected environment, you must mirror the required container images into that environment. To mirror container images, you must have a registry for mirroring. | ||
|
|
||
|
|
||
| [id="agent-install-prerequisites-installation-images"] | ||
| == Prerequisites | ||
| * You read the documentation on xref:../../installing/disconnected_install/installing-mirroring-installation-images.adoc#installing-mirroring-installation-images[Mirroring images for a disconnected installation] | ||
| * You must have a container image registry that supports link:https://docs.docker.com/registry/spec/manifest-v2-2[Docker v2-2] in the location that will host the {product-title} cluster | ||
| * You have a configured mirror registry that is disconnected and can access the certificate and credentials. | ||
| * If you use self-signed certificates, you have specified a Subject Alternative Name in the certificates. | ||
| * You have downloaded the {product-title} CLI (oc) binary]. | ||
| * You downloaded the {cluster-manager-url-pull} and modified it to include authentication to your mirror repository. | ||
|
|
||
|
|
||
| include::modules/agent-install-mirroring-for-disconnected-registry.adoc[leveloffset=+1] | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,253 @@ | ||
| // Module included in the following assemblies: | ||
| // | ||
| // * list of assemblies where this module is included | ||
| // * installing/installing_with_agent_based_installer/understanding-disconnected-installation-mirroring.adoc | ||
| // re-use of applicable content from disconnected install mirroring | ||
|
|
||
| :_content-type: PROCEDURE | ||
| [id="agent-install-mirroring-for-disconnected-registry_{context}"] | ||
| = Mirroring the {product-title} image repository for a disconnected registry | ||
|
|
||
| Mirror the {product-title} image repository to your registry to use during cluster installation. | ||
|
|
||
| .Procedure | ||
|
|
||
| . Review the | ||
| link:https://access.redhat.com/downloads/content/290/[{product-title} downloads page] | ||
| to determine the version of {product-title} that you want to install and determine the corresponding tag on the link:https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags[Repository Tags] page. | ||
|
|
||
| . Set the required environment variables: | ||
| .. Export the release version: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ OCP_RELEASE=<release_version> | ||
Amrita42 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| ---- | ||
| + | ||
| For `<release_version>`, specify the tag that corresponds to the version of {product-title} to | ||
| install, such as `4.5.4`. | ||
Amrita42 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| .. Export the local registry name and host port: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>' | ||
| ---- | ||
| + | ||
| For `<local_registry_host_name>`, specify the registry domain name for your mirror | ||
| repository, and for `<local_registry_host_port>`, specify the port that it | ||
| serves content on. | ||
|
|
||
| .. Export the local repository name: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ LOCAL_REPOSITORY='<local_repository_name>' | ||
| ---- | ||
| + | ||
| For `<local_repository_name>`, specify the name of the repository to create in your | ||
| registry, such as `ocp4/openshift4`. | ||
|
|
||
| .. Export the name of the repository to mirror: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ PRODUCT_REPO='openshift-release-dev' | ||
| ---- | ||
| + | ||
| For a production release, you must specify `openshift-release-dev`. | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ PRODUCT_REPO='openshift' | ||
| ---- | ||
|
|
||
|
|
||
| .. Export the path to your registry pull secret: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ LOCAL_SECRET_JSON='<path_to_pull_secret>' | ||
| ---- | ||
| + | ||
| For `<path_to_pull_secret>`, specify the absolute path to the file name of the pull secret for your mirror registry that you created. | ||
|
|
||
| .. Export the release mirror: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ RELEASE_NAME="ocp-release" | ||
| ---- | ||
| + | ||
| For a production release, you must specify `ocp-release`. | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ RELEASE_NAME="okd" | ||
| ---- | ||
|
|
||
| .. Export the type of architecture for your server, such as `x86_64`: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ ARCHITECTURE=<server_architecture> | ||
| ---- | ||
|
|
||
| .. Export the path to the directory to host the mirrored images: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ REMOVABLE_MEDIA_PATH=<path> <1> | ||
|
||
| ---- | ||
| <1> Specify the full path, including the initial forward slash (/) character. | ||
|
|
||
| . Because your mirror host does not have internet access, perform the following actions: | ||
| .. Connect the removable media to a system that is connected to the internet. | ||
| .. Review the images and configuration manifests to mirror, by running the following command: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ oc adm release mirror -a ${LOCAL_SECRET_JSON} \ | ||
| --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} \ | ||
| --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \ | ||
| --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE} --dry-run | ||
|
||
| ---- | ||
| . In the `install-config.yaml` file, set the following parameters: | ||
Amrita42 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| + | ||
| [source,yaml] | ||
| ---- | ||
| pullSecret: "<pull_secret>" <1> | ||
| sshKey: 'ssh-rsa <ssh_pub_key>' | ||
| imageContentSources: <2> | ||
| - mirrors: | ||
| - my-registry:443/ocp4-release/openshift | ||
| source: quay.io/openshift-release-dev/ocp-v4.0-art-dev | ||
| - mirrors: | ||
| - my-registry:443/ocp4-release/openshift | ||
| source: quay.io/openshift-release-dev/ocp-release | ||
| additionalTrustBundle: | <3> | ||
| -----BEGIN CERTIFICATE----- | ||
| <MY_TRUSTED_CA_CERT> | ||
| -----END CERTIFICATE----- | ||
| ---- | ||
| <1> A pull secret for the mirror registry. | ||
| <2> Mirrors for sources and repositories for the release-image content. The certificate file can be an existing, trusted certificate authority, | ||
| or the self-signed certificate that you generated for the mirror registry. | ||
| <3> The certificate file used for the mirror registry. | ||
|
|
||
| . Create the `agent-config.yaml` file: | ||
Amrita42 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| + | ||
| [source,yaml] | ||
| ---- | ||
| cat > agent-config.yaml << EOF | ||
| apiVersion: v1alpha1 | ||
| kind: AgentConfig | ||
| metadata: | ||
| name: sno-cluster | ||
| rendezvousIP: 192.168.111.80 <1> | ||
| hosts: <2> | ||
| - hostname: master-0 | ||
| interfaces: | ||
| - name: eno1 | ||
| macAddress: 00:ef:44:21:e6:a5 | ||
| networkConfig: | ||
| interfaces: | ||
| - name: eno1 | ||
| type: ethernet | ||
| state: up | ||
| mac-address: 00:ef:44:21:e6:a5 | ||
| ipv4: | ||
| enabled: true | ||
| address: | ||
| - ip: 192.168.111.80 | ||
| prefix-length: 23 | ||
| dhcp: false | ||
| dns-resolver: | ||
| config: | ||
| server: | ||
| - 192.168.111.1 | ||
| routes: | ||
| config: | ||
| - destination: 0.0.0.0/0 | ||
| next-hop-address: 192.168.111.2 | ||
| next-hop-interface: eno1 | ||
| table-id: 254 | ||
| EOF | ||
| ---- | ||
| + | ||
| <1> This IP address is used to determine which node performs the bootstrapping process as well as running the `assisted-service` component. | ||
| You must provide the IP address when you do not specify the node's IP addresses in the `networkConfig` parameter. If this address is not provided, one IP address is selected from the provided nodes's `networkConfig`. | ||
| <2> The number of hosts defined must match the total number of hosts defined in the `install-config.yaml` file, which is the sum of the values of the `compute.replicas` and `controlPlane.replicas` parameters. When 3 master nodes and 0 worker nodes are defined in the `install-config.yaml` file, | ||
| the number of hosts defined is 3. When 3 master nodes and 2 worker nodes are defined in the `install-config.yaml` file, the number of hosts defined is 5. | ||
|
|
||
| . Mirror the images to a directory on the removable media: | ||
|
||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} | ||
| ---- | ||
|
|
||
| . Upload the images to the local container registry from the removable media: | ||
|
||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} <1> | ||
| ---- | ||
| + | ||
| <1> For `REMOVABLE_MEDIA_PATH`, you must use the same path that you specified when you mirrored the images. | ||
|
||
|
|
||
| . Create the Agent image by running the following command: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ openshift-install agent create image | ||
| ---- | ||
|
|
||
| . Boot the `agent.iso` image on the bare metal machines. You can run the image on any Linux distribution. | ||
|
|
||
| . To track the progress and verify sucessful installation, run the following command: | ||
| + | ||
| [source,terminal] | ||
| ---- | ||
| $ openshift-install agent wait-for install-complete | ||
| ---- | ||
| + | ||
| .Example output | ||
| [source,terminal] | ||
| ---- | ||
| ................................................................... | ||
| ................................................................... | ||
| INFO Cluster is installed | ||
| INFO Install complete! | ||
| INFO To access the cluster as the system:admin user when using 'oc', run | ||
| INFO export KUBECONFIG=/home/core/installer/auth/kubeconfig | ||
| INFO Access the OpenShift web-console here: https://console-openshift-console.apps.sno-cluster.test.example.com | ||
| ---- | ||
|
|
||
| + | ||
| [IMPORTANT] | ||
| ==== | ||
| If you are using the optional method of the ZTP manifests, there are two mirror configuration files: `registries.conf` and `ca-bundle.crt` file. The `registries.conf` file must be added to `mirror/ directory` for the subcommand `openshift-install create-image command` to execute sucessfully. | ||
|
|
||
Amrita42 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
Amrita42 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| .Sample `registries.conf` file | ||
| [source,yaml] | ||
| ---- | ||
| [[registry]] | ||
| location = "registry.ci.openshift.org/ocp/release" | ||
| mirror-by-digest-only = false | ||
Amrita42 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
|
|
||
| [[registry.mirror]] | ||
| location = "virthost.ostest.test.metalkube.org:5000/localimages/local-release-image" | ||
|
|
||
|
|
||
| [[registry]] | ||
| location = "quay.io/openshift-release-dev/ocp-v4.0-art-dev" | ||
| mirror-by-digest-only = false | ||
Amrita42 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
|
|
||
| [[registry.mirror]] | ||
| location = "virthost.ostest.test.metalkube.org:5000/localimages/local-release-image" | ||
| ---- | ||
| ==== | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if the statement "ensure that your clusters only use container images that satisfy your organizational controls on external content" is correct, as the container images started out external, they were just mirrored and stored locally. Does that mean they are no longer "external" content?