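"OpenShift 4.x HOL Tutorial Collection"
Contents
- What is oc-mirror
- Getting oc-mirror
- Getting image information
- Downloading offline images
- Preparing the pull-secret
- Creating an ImageSet configuration that defines the offline images to download
- Copying offline images directly to the internal registry
- Copying offline images indirectly to the internal registry
- References
Notes:
- This article requires a local container registry. You can first complete "Quay (0) - Installing a Single-Instance Quay Environment" or "Container Basics (1) - Installing and Using Docker Registry" to obtain one.
- This article uses the local Quay environment created by the first of those two documents.
What is oc-mirror
oc-mirror is a tool that provides image management for OpenShift environments that are disconnected from the internet. oc-mirror uses an image set (imageset), a file that aggregates container image definitions, to define which images to download. With the oc-mirror command you can download or update the images of OpenShift releases, Kubernetes Operators, and Helm charts.
Getting oc-mirror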
$ curl -O https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/oc-mirror.tar.gz
$ tar -xvf oc-mirror.tar.gz
$ chmod +x ./oc-mirror
$ sudo mv ./oc-mirror /usr/local/bin/.
Getting image information
List all OpenShift release channels for version 4.10.
$ oc-mirror list releases --channels --version=4.10
Listing channels for version 4.10.
stable-4.10
candidate-4.11
candidate-4.10
eus-4.10
fast-4.10
List all available release versions in the stable-4.10 channel.
$ oc-mirror list releases --channel=stable-4.10
Listing stable channels. Use --channel=<channel-name> to filter.
Use oc-mirror list release --channels to discover other channels.
Channel: stable-4.10
4.10.3
4.10.4
4.10.5
4.10.6
List all Operator catalogs for OpenShift version 4.10.
$ oc-mirror list operators --catalogs --version=4.10
Available OpenShift OperatorHub catalogs:
OpenShift 4.10:
registry.redhat.io/redhat/redhat-operator-index:v4.10
registry.redhat.io/redhat/certified-operator-index:v4.10
registry.redhat.io/redhat/community-operator-index:v4.10
List all Operators in the registry.redhat.io/redhat/redhat-operator-index:v4.10 catalog.
$ oc-mirror list operators --catalog=registry.redhat.io/redhat/redhat-operator-index:v4.10
WARN[0278] DEPRECATION NOTICE:
Sqlite-based catalogs and their related subcommands are deprecated. Support for
them will be removed in a future release. Please migrate your catalog workflows
to the new file-based catalog format.
NAME DISPLAY NAME DEFAULT CHANNEL
3scale-operator Red Hat Integration - 3scale threescale-2.11
advanced-cluster-management Advanced Cluster Management for Kubernetes release-2.4
amq-online Red Hat Integration - AMQ Online stable
amq-streams Red Hat Integration - AMQ Streams stable
amq7-interconnect-operator Red Hat Integration - AMQ Interconnect 1.10.x
ansible-automation-platform-operator Ansible Automation Platform stable-2.1
ansible-cloud-addons-operator Ansible Cloud Addons stable-cluster-scoped
apicast-operator Red Hat Integration - 3scale APIcast gateway threescale-2.11
aws-efs-csi-driver-operator AWS EFS CSI Driver Operator stable
businessautomation-operator Business Automation stable
cincinnati-operator OpenShift Update Service v1
cluster-kube-descheduler-operator Kube Descheduler Operator stable
cluster-logging Red Hat OpenShift Logging stable
clusterresourceoverride ClusterResourceOverride Operator stable
codeready-workspaces Red Hat CodeReady Workspaces latest
codeready-workspaces2 Red Hat CodeReady Workspaces - Technical Preview tech-preview-latest-all-namespaces
compliance-operator Compliance Operator release-0.1
container-security-operator Quay Container Security stable-3.6
costmanagement-metrics-operator Cost Management Metrics Operator stable
cryostat-operator Cryostat stable-2.0
datagrid Data Grid 8.3.x
devworkspace-operator DevWorkspace Operator fast
dpu-network-operator DPU Network Operator stable
eap JBoss EAP stable
elasticsearch-operator OpenShift Elasticsearch Operator stable
external-dns-operator ExternalDNS Operator alpha
file-integrity-operator File Integrity Operator release-0.1
fuse-apicurito Red Hat Integration - API Designer fuse-apicurito-7.10.x
fuse-console Red Hat Integration - Fuse Console 7.10.x
fuse-online Red Hat Integration - Fuse Online 7.10.x
gatekeeper-operator-product Gatekeeper Operator stable
idp-mgmt-operator-product identity configuration management for Kubernetes alpha
integration-operator Red Hat Integration 1.x
jaeger-product Red Hat OpenShift distributed tracing platform stable
jws-operator JBoss Web Server Operator alpha
kiali-ossm Kiali Operator stable
klusterlet-product Klusterlet release-2.4
kubernetes-nmstate-operator Kubernetes NMState Operator stable
kubevirt-hyperconverged OpenShift Virtualization stable
local-storage-operator Local Storage stable
mcg-operator NooBaa Operator stable-4.9
metallb-operator MetalLB Operator stable
mtc-operator Migration Toolkit for Containers Operator release-v1.7
mtv-operator Migration Toolkit for Virtualization Operator release-v2.3.0
nfd Node Feature Discovery Operator stable
node-healthcheck-operator Node Health Check Operator candidate
node-maintenance-operator Node Maintenance Operator stable
numaresources-operator numaresources-operator 4.10
ocs-operator OpenShift Container Storage stable-4.9
odf-multicluster-orchestrator ODF Multicluster Orchestrator stable-4.9
odf-operator OpenShift Data Foundation stable-4.9
odr-cluster-operator Openshift DR Cluster Operator stable-4.9
odr-hub-operator Openshift DR Hub Operator stable-4.9
openshift-cert-manager-operator cert-manager Operator for Red Hat OpenShift tech-preview
openshift-gitops-operator Red Hat OpenShift GitOps stable
openshift-pipelines-operator-rh Red Hat OpenShift Pipelines stable
openshift-special-resource-operator Special Resource Operator stable
opentelemetry-product Red Hat OpenShift distributed tracing data collection stable
performance-addon-operator Performance Addon Operator 4.10
poison-pill-manager Poison Pill Operator stable
ptp-operator PTP Operator stable
quay-bridge-operator Quay Bridge Operator stable-3.6
quay-operator Red Hat Quay stable-3.6
red-hat-camel-k Red Hat Integration - Camel K 1.6.x
redhat-oadp-operator OADP Operator stable-1.0
rh-service-binding-operator Service Binding Operator stable
rhacs-operator Advanced Cluster Security for Kubernetes latest
rhpam-kogito-operator RHPAM Kogito Operator 7.x
rhsso-operator Red Hat Single Sign-On Operator stable
sandboxed-containers-operator OpenShift sandboxed containers Operator stable-1.2
serverless-operator Red Hat OpenShift Serverless stable
service-registry-operator Red Hat Integration - Service Registry Operator 2.0.x
servicemeshoperator Red Hat OpenShift Service Mesh stable
skupper-operator Skupper alpha
sriov-network-operator SR-IOV Network Operator stable
submariner Submariner alpha-0.11
vertical-pod-autoscaler VerticalPodAutoscaler stable
web-terminal Web Terminal fast
windows-machine-config-operator Windows Machine Config Operator stable
Show the package named odf-operator in the registry.redhat.io/redhat/redhat-operator-index:v4.10 catalog.
$ oc-mirror list operators --catalog registry.redhat.io/redhat/redhat-operator-index:v4.10 --package=odf-operator
PACKAGE CHANNEL HEAD
odf-operator stable-4.9 odf-operator.v4.9.5
Downloading offline images
Preparing the pull-secret
Because all OpenShift offline images come from Red Hat, you first need a token for downloading images from the Red Hat site. You also need an access token for the local offline image registry.
- Visit https://console.redhat.com/openshift/install/pull-secret and download the pull-secret.txt file.
- Prepare the credentials for accessing the local image registry.
$ MIRROR_REGISTRY=${QUAY_HOSTNAME}:8443
$ MIRROR_REGISTRY_USERNAME=XXXX
$ MIRROR_REGISTRY_PASSWORD=YYYY
$ MIRROR_REGISTRY_AUTH=$(echo -n ${MIRROR_REGISTRY_USERNAME}:${MIRROR_REGISTRY_PASSWORD} | base64)
$ echo ${MIRROR_REGISTRY_AUTH}
aW5pdDpyM2RoNHQxIQ==
$ echo \"${MIRROR_REGISTRY}\":\{\"auth\":\"${MIRROR_REGISTRY_AUTH}\",\"email\":\"you@example.com\"},
"quay.local:8443":{"auth":"aW5pdDpyM2RoNHQxIQ==","email":"you@example.com"},
- Add the output of the previous step to the pull-secret.txt file, right after "auths":{.
{"auths":{"quay.local:8443":{"auth":"aW5pdDpyM2RoNHQxIQ==","email":"you@example.com"},"cloud.openshift.com":。。。。
- Format the token information and save it to the expected directory.
$ mkdir ~/.docker
$ cat ./pull-secret.txt | jq . > ~/.docker/config.json
$ cat ~/.docker/config.json
{
"auths": {
"quay.local:8443": {
"auth": "aW5pdDpyM2RoNHQxIQ==",
"email": "your@example.com"
},
"cloud.openshift.com": {
"auth": "xxxxx",
"email": "your@email.com"
},
"quay.io": {
"auth": "xxxxx",
"email": "your@email.com"
},
。。。
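The manual edit described above can also be done with jq, which avoids hand-editing JSON and keeps the password off the command line. This is an added example, not part of the original article; the function name merge_pull_secret and its arguments are assumptions, and it writes only the auth field for the local registry.

```shell
# Added example (not from the original article). The function name and its
# arguments are constructed; jq and base64 are the tools the article already uses.

# merge_pull_secret PULL_SECRET REGISTRY USERNAME OUT_FILE   (password on stdin)
merge_pull_secret() {
    local src="$1" registry="$2" user="$3" out="$4" password auth tmp

    # Read the password from stdin so it never shows up in argv or shell history.
    IFS= read -r password || [ -n "$password" ] || return 1

    # printf is portable where `echo -n` is not; tr removes the line wraps that
    # base64 adds to long values.
    auth=$(printf '%s:%s' "$user" "$password" | base64 | tr -d '\n')

    # Stop if the input is not a pull secret with an "auths" object.
    jq -e '.auths | type == "object"' "$src" >/dev/null || return 1

    # mktemp creates the file with mode 0600, so the merged secret is never
    # readable by other users, and mv replaces the target in one step.
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    if jq --arg reg "$registry" --arg auth "$auth" \
          '.auths[$reg] = {auth: $auth}' "$src" > "$tmp"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage (file names are placeholders; the password file should be mode 0600):
#   mkdir -p ~/.docker
#   merge_pull_secret ./pull-secret.txt "${MIRROR_REGISTRY}" \
#       "${MIRROR_REGISTRY_USERNAME}" ~/.docker/config.json < ./registry-password.txt
```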
Creating an ImageSet configuration that defines the offline images to download
Create an ImageSet configuration file that defines downloading all OpenShift images of version 4.10.6 from the stable-4.10 channel.
$ cat > imageset-config-ocp.yaml << EOF
apiVersion: mirror.openshift.io/v1alpha1
kind: ImageSetConfiguration
storageConfig:
  local:
    path: metadata
mirror:
  ocp:
    channels:
      - name: stable-4.10
        versions:
          - "4.10.6"
EOF
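Copying offline images directly to the internal registry
Run the following command to copy the images defined in the ImageSet configuration file to the internal Quay. MIRROR_REGISTRY already contains the port, and --dest-skip-tls disables TLS validation for the destination registry.
$ oc-mirror --config=imageset-config-ocp.yaml docker://${MIRROR_REGISTRY} --dest-skip-tls
The whole process performs the following steps separately for the images contained in each of the two parts, openshift/release and operator-framework/opm:
- Create a local temporary directory.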
INFO Checking push permissions for quay.local:8443
workspace: ./mirrortmp3694974780
INFO Found: oc-mirror-workspace/src/publish
INFO Found: oc-mirror-workspace/src/v2
INFO Found: oc-mirror-workspace/src/charts
- Download the images for openshift/release to local storage (note the message reporting 164 images).
INFO Downloading requested release 4.10.6
info: Mirroring 164 images to file://openshift/release ...
<dir>
openshift/release
blobs:
quay.io/openshift-release-dev/ocp-v4.0-art-dev sha256:39382676eb30fabb7a0616b064e142f6ef58d45216a9124e9358d14b12dedd65 1.428KiB
quay.io/openshift-release-dev/ocp-v4.0-art-dev sha256:130cbce0a84105310b3350bac14ab4f94bf920e4015f280d4f5151feffa67e83 1.491KiB
。。。
blobs:
quay.io/openshift-release-dev/ocp-release sha256:39382676eb30fabb7a0616b064e142f6ef58d45216a9124e9358d14b12dedd65 1.428KiB
quay.io/openshift-release-dev/ocp-release sha256:3a80fedd81d63cd4cc627e37a54f09c47b1cd1d4e4960d58f53ee9bb5775bda3 1.729KiB
。。。
manifests:
sha256:00f1cd21a4bdd41106474f6fb56c1b6ca586301edc452afd7f4503fbaef10f7e -> 4.10.6-x86_64-telemeter
sha256:01c2ae74ca80d055a3b4e92a59d754b89be049fe6849b75b3b4c60d8b0c43a24 -> 4.10.6-x86_64-deployer
。。。
stats: shared=5 unique=331 size=11.76GiB ratio=0.99
phase 0:
openshift/release blobs=336 mounts=0 manifests=164 shared=5
info: Planning completed in 34s
uploading: file://openshift/release sha256:f7b283b14e0d90a79c496a7e35a95deb52c33ab589736d0f3bfc99bdb1bcd709 9.581MiB
uploading: file://openshift/release sha256:1031394b5be427babfec49ec81981e25f86dd120556332968b461a64247a0f4e 30.76MiB
。。。
sha256:d321168bb9dd3d41ac5707ef0f948f5cda9e9c3593431a820fac2195da722a2d file://openshift/release:4.10.6-x86_64-ibm-vpc-block-csi-driver-operator
sha256:f8a8cb59910e2b12a57c8bd2cd991443a02000adab920248449680faf70df997 file://openshift/release:4.10.6-x86_64-machine-config-operator
info: Mirroring completed in 16m45.47s (12.56MB/s)
Success
Update image: openshift/release:4.10.6-x86_64
To upload local images to a registry, run:
oc image mirror --from-dir=oc-mirror-workspace/src 'file://openshift/release:4.10.6-x86_64*' REGISTRY/REPOSITORY
- Download the images for operator-framework/opm to local storage (output omitted).
- Package the two sets of downloaded images into a tar file, then push the images to the target image registry.
INFO Creating archive /root/mirrortmp2818597809/mirror_seq1_000000.tar
INFO Publishing image set from archive "./mirrortmp2818597809" to registry "quay.local:8443"
INFO No existing metadata found. Setting up new workspace
info: Mirroring 164 images to quay.local:8443/openshift/release ...
quay.local:8443/
openshift/release
blobs:
file://openshift/release sha256:39382676eb30fabb7a0616b064e142f6ef58d45216a9124e9358d14b12dedd65 1.428KiB
file://openshift/release sha256:130cbce0a84105310b3350bac14ab4f94bf920e4015f280d4f5151feffa67e83 1.491Ki
。。。
manifests:
sha256:00f1cd21a4bdd41106474f6fb56c1b6ca586301edc452afd7f4503fbaef10f7e -> 4.10.6-x86_64-telemeter
sha256:01c2ae74ca80d055a3b4e92a59d754b89be049fe6849b75b3b4c60d8b0c43a24 -> 4.10.6-x86_64-deployer
。。。
stats: shared=0 unique=336 size=11.76GiB ratio=1.00
phase 0:
quay.local:8443 openshift/release blobs=336 mounts=0 manifests=164 shared=0
info: Planning completed in 15.1s
uploading: quay.local:8443/openshift/release sha256:873d8a227fc5206e4058f636e5b971bd44a7d3cede249391c34ca2798b1ff7d1 30.83MiB
uploading: quay.local:8443/openshift/release sha256:55e2f4ff76b14c8d3901a5dbf040bbd0851e91bd7fe0929aa15b6c8d39802737 18.54MiB
。。。
sha256:88b394e633e09dc23aa1f1a61ededd8e52478edf34b51a7dbbb21d9abde2511a quay.local:8443/openshift/release:4.10.6-x86_64
sha256:3714e0dc44bd42fd268fd7b01f0df4dce5a726d7315b3cdc52231d8b308f2bfc quay.local:8443/openshift/release:4.10.6-x86_64-prometheus-alertmanager
。。。
info: Mirroring completed in 16m45.47s (12.56MB/s)
Success
Update image: quay.local:8443/openshift/release:4.10.6-x86_64
Mirror prefix: quay.local:8443/openshift/release
quay.local:8443/
operator-framework/opm
blobs:
file://operator-framework/opm sha256:f0fd5be261dfd2e36d01069a387a3e5125f5fd5adfec90f3cb190d1d5f1d1ad9 156B
file://operator-framework/opm sha256:2e48a47edb47715fb8a4e7b3730f2fc4debf5c04cf620d1aff12db4495ed8ac1 159B
info: Mirroring completed in 13.44s (5.273MB/s)
INFO Wrote ICSP manifests to oc-mirror-workspace/results-1649856736
INFO CatalogSource and ICSP install not implemented
- Finally, delete the local temporary data.
cleaning up workspace
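- When this is finished, you can view the images in the local Quay; openshift/release contains 164 images.
Copying offline images indirectly to the internal registry
Indirect mirroring is better suited to fully isolated environments. It splits the single "download + push" process of the previous section into 2 independent steps: two oc-mirror commands are used, the first to download the images to local storage and the second to push them to the local image registry.
- Run the command that first downloads the images into the local directory specified by MIRROR_IMAGE_PATH and packages them into a tar file.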
$ MIRROR_IMAGE_PATH=/root/mirror-images
$ oc-mirror --config imageset-config-ocp.yaml file://${MIRROR_IMAGE_PATH}
- Check the downloaded offline image file.
$ ls ${MIRROR_IMAGE_PATH}
mirror_seq1_000000.tar
- Then push the local image file to the internal image registry. MIRROR_REGISTRY already contains the port.
$ oc-mirror --from ${MIRROR_IMAGE_PATH}/mirror_seq1_000000.tar docker://${MIRROR_REGISTRY} --dest-skip-tls
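In the indirect flow above the archive crosses an isolation boundary, so its integrity is worth checking before oc-mirror --from is run. This added example (not from the original article) records SHA-256 sums on the connected host and verifies them on the disconnected host; the function names and the SHA256SUMS file name are assumptions, and it goes beyond the single archive shown by handling any number of mirror_seq*.tar files.

```shell
# Added example (not from the original article). Function names and the
# manifest file name are constructed for this illustration.
MANIFEST=SHA256SUMS

# seal_archives DIR: run on the connected host after `oc-mirror ... file://DIR`.
seal_archives() (
    cd "$1" || exit 1
    set -- mirror_seq*.tar
    # An unexpanded glob means there is nothing to seal.
    [ -e "$1" ] || { echo "no archives in $PWD" >&2; exit 1; }
    sha256sum "$@" > "$MANIFEST"
)

# verify_archives DIR: run on the disconnected host before `oc-mirror --from`.
verify_archives() (
    cd "$1" || exit 1
    [ -s "$MANIFEST" ] || { echo "missing $MANIFEST" >&2; exit 1; }

    # Every listed archive must exist and hash to the recorded value.
    sha256sum -c "$MANIFEST" >/dev/null || exit 1

    # Every archive present must also be listed, so an extra tar file
    # cannot ride along with the sealed set.
    for f in mirror_seq*.tar; do
        awk -v f="$f" '$2 == f { found = 1 } END { exit !found }' "$MANIFEST" ||
            { echo "unlisted archive: $f" >&2; exit 1; }
    done
)

# Usage with the article's variable:
#   seal_archives "${MIRROR_IMAGE_PATH}"      # connected side
#   verify_archives "${MIRROR_IMAGE_PATH}"    # disconnected side
```

Carry SHA256SUMS (or its own hash) over a separate channel from the archives; a manifest that travels with the tar files only detects accidental corruption.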
$ cat > imageset-config-operator-odf.yaml << EOF
apiVersion: mirror.openshift.io/v1alpha1
kind: ImageSetConfiguration
storageConfig:
  local:
    path: metadata
mirror:
  operators:
    - catalog: registry.redhat.io/redhat/redhat-operator-index:v4.10
      headsonly: false
      packages:
        - name: odf-operator
          startingVersion: '4.9.4'
EOF
References
- https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html-single/installing/index#installing-mirroring-disconnected
- https://cloud.redhat.com/blog/how-oc-mirror-will-help-you-reduce-container-management-complexity
- https://shonpaz.medium.com/dealing-with-air-gapped-environments-just-got-much-easier-bab6b76e44f2
- https://github.com/openshift/oc-mirror/tree/main/docs/examples
- https://github.com/openshift/oc-mirror/blob/main/docs/imageset-config-ref.yaml
- https://access.redhat.com/documentation/zh-cn/openshift_container_platform/4.10/html-single/installing#oc-mirror-imageset-config-params_installing-mirroring-disconnected