Full procedure for creating a registry - CCI-MOC/rubicon-issues GitHub Wiki
Creating the registry
Connect to the server that is going to host the registry and follow the instructions.
- Open the firewall port on the server that is going to hold the registry:
  firewall-cmd --zone=public --add-port=5000/tcp --permanent
  firewall-cmd --reload
- Create the following directories:
  mkdir -p /opt/registry/{auth,certs,data}
- Generate the self-signed certificate for the registry and put it in the /opt/registry/certs/ directory:
  cd /opt/registry/certs/
  vim csr_answer.txt

  [req]
  default_bits = 4096
  prompt = no
  default_md = sha256
  x509_extensions = req_ext
  req_extensions = req_ext
  distinguished_name = dn

  [ dn ]
  C=US
  ST=New York
  L=New York
  O=MyOrg
  OU=MyOU
  emailAddress=[email protected]
  CN=rubicone-foreman.ocp4.local

  [ req_ext ]
  subjectAltName = @alt_names
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid:always,issuer
  basicConstraints = critical, CA:true
  keyUsage = critical, digitalSignature, cRLSign, keyCertSign

  [ alt_names ]
  DNS.1 = rubicone-foreman.ocp4.local
  DNS.2 = rubicone-foreman

  openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 3650 -out domain.crt -config <(cat csr_answer.txt)
- Update the registry certificates with the newly created certificate:
  cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
  update-ca-trust extract
- Create an htpasswd file in /opt/registry/auth/ for the container to use:
  htpasswd -bBc /opt/registry/auth/htpasswd regi regi
- Create and start the registry container:
  podman run --name mirror-registry -d -p 5000:5000 \
    -v /opt/registry/data:/var/lib/registry:z \
    -v /opt/registry/auth:/auth:z \
    -v /opt/registry/certs:/certs:z \
    -e "REGISTRY_AUTH=htpasswd" \
    -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
    -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    docker.io/library/registry:2
- Confirm that the registry is available, from the registry host and from the installer (the -k option makes curl skip certificate verification):
  curl -u regi:regi -k https://rubicone-foreman.ocp4.local:5000/v2/ocp4/openshift4/tags/list
Adding the registry to your pull secret
- Connect to your installer server
- Download the pull-secret.txt file from the Red Hat OpenShift site
- Generate the base64-encoded username and password and save the output:
  echo -n 'regi:regi' | base64 -w0
  cmVnaTpyZWdp
- Make a copy of your pull secret in JSON format:
  cat pull-secret.txt | jq . > pull-secret.json
- Edit the pull-secret.json file and add a section for your newly created registry at the top of the file, as shown here:
{ "auths": { "rubicone-foreman.ocp4.local": { "auth": "cmVnaTpyZWdp", "email": "[email protected]" }, "cloud.openshift.com": { "auth": "b3BlbnNoaWZ0LXJlbGVhc2UtZGV2K29jbV9hY2Nlc3NfYzM4YWEzODdiZGRiNDhhNTg3YmQ0OGE1MGZhZDQ5ZWM6RlFLTVBPUUVTSjhOWVNRWDZYQThJWDJRQTdRWTRSV1JWU05RVzZYVjRBT0E5R1FEWTIwMFU5MFNIU1QwME9SSg==", "email": "[email protected]" }, "quay.io": { "auth": "b3BlbnNoaWZ0LXJlbGVhc2UtZGV2K29jbV9hY2Nlc3NfYzM4YWEzODdiZGRiNDhhNTg3YmQ0OGE1MGZhZDQ5ZWM6RlFLTVBPUUVTSjhOWVNRWDZYQThJWDJRQTdRWTRSV1JWU05RVzZYVjRBT0E5R1FEWTIwMFU5MFNIU1QwME9SSg==", "email": "[email protected]" }, "registry.connect.redhat.com": { "auth": "NTM1MjcxNjV8dWhjLTFnMlFqVHZNRnRNTlAzR2pWdng0Um1VYWJ6RzpleUpoYkdjaU9pSlNVelV4TWlKOS5leUp6ZFdJaU9pSTNOelprTkRJeFptTXlPVGMwTVRRNVlXUXpNV1U1T1daaFpEZGhZekprTUNKOS51YV9WYUdaR0xXYWpBdzRwMU1CbWdXdkVmYUFzc1dWc1FYNzNTWlVGa0Y1N1QzckloTG1vbm9WUE96N1l0dlI3bmVNODg2WTJtanpPb0haMC14OTlyYkxJNnpXNXFFT0wxX1NsSDBPNG1WR3BXYVVJWXhsM2g1N1lwcERkTmcyOGVDSWNWcVE0OGRhZVZDamtybjJHci1ScU84NDgzMkc3dThna2xDRVRSamxzbnVSa2JiSGRpd05TYXBrWEFERWVsWm90Si1MbHJmN1FJOEhTbUwtXzZIOEd2b3dabTdudW9OTS03ZEVSelNHazE1ay00SHpvYWYyTldER010cEVNSnQta2ZJbk1QMWZlbUIwVG5lRXdXbTNkWElxMkQySi1CUnpxazJuQS1XeENmanZEdEFMQTJ0c3owTUxqZnZOcElhYjZ4WEMzcHpjQjZMVnM3UTBUYTF4bGlXZnpFOV82N1d4WEFtUjdjNDdGTGJwVkxnVzZQMmNhTmVzbFJfZjBZWk9VMUJVUXB3Y3l3eVJpUUtpYWtGLXpLM2RyRGlDLUx6SjlxWDJ4Qml6clpaZDQ1LTJwaEw4Rjg3UmxobVJrZ1l4aFNDY3gxRVRjY2p5cWhhQXpEdVYySmo2d0JINXBiUDZCR2xVRm5nNUk3b2VBUHV4M1lWTGNNSFVNRzBnTVBWdkpfRnpnUnprNzUwWnNLYTU5UVJySTM4R2Jhc2lYR2haMVlEWjJjWldhbEttSW1IaEpqemNSWXVSa3NFOVBzeGJjRmNmT0pCTGRQZWZhMzVxVzJsX3k4RU5nZi11d21GNVpEZzFHY2NVY0xsSUZXNVFKS3RmXzRVejZ0aUFDUUxnVTFYcW9PdVlFZG1xRWQtVVpjdUJYZW93aVVBY18xNEhJMmtZeGpNSQ==", "email": "[email protected]" }, "registry.redhat.io": { "auth": "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", "email": "[email protected]" } } }
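The hand edit described above can also be scripted. The following is an added example, not part of the original wiki page: it builds the "auth" value, puts the mirror registry entry first, checks that every entry decodes to user:password, and writes the file readable by its owner only. The function names, the output file name, and the sample pull secret and e-mail addresses are constructed for illustration.

```python
import base64
import json
import os


def auth_token(username, password):
    """Same value as: echo -n 'user:password' | base64 -w0"""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def add_registry(pull_secret, registry, username, password, email):
    """Return a copy of the pull secret with the mirror registry listed first."""
    auths = pull_secret.get("auths")
    if not isinstance(auths, dict):
        raise ValueError("pull secret has no 'auths' object")
    merged = {registry: {"auth": auth_token(username, password), "email": email}}
    merged.update({k: v for k, v in auths.items() if k != registry})
    return {**pull_secret, "auths": merged}


def invalid_entries(pull_secret):
    """List registries whose 'auth' is not base64 of 'user:password'."""
    bad = []
    for registry, entry in pull_secret["auths"].items():
        try:
            decoded = base64.b64decode(entry["auth"], validate=True).decode()
            user, sep, secret = decoded.partition(":")
            if not (user and sep and secret):
                bad.append(registry)
        except (KeyError, TypeError, ValueError):
            bad.append(registry)
    return bad


def write_secret(path, pull_secret):
    """Write the result owner-readable only; the file holds credentials."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a file that already existed
    with os.fdopen(fd, "w") as fh:
        json.dump(pull_secret, fh, indent=2)


if __name__ == "__main__":
    # Constructed stand-in for the downloaded pull-secret.txt (not real tokens).
    sample = {"auths": {"quay.io": {"auth": auth_token("constructed-user", "constructed-token"),
                                    "email": "user@example.com"}}}
    merged = add_registry(sample, "rubicone-foreman.ocp4.local", "regi", "regi",
                          "admin@example.com")
    assert invalid_entries(merged) == []
    write_secret("pull-secret.example.json", merged)
```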
Mirroring the OpenShift image repository
- Set the required environment variables:
  export OCP_RELEASE=4.6.2
  export LOCAL_REGISTRY='rubicone-foreman.ocp4.local:5000'
  export LOCAL_REPOSITORY='ocp4/openshift4'
  export PRODUCT_REPO='openshift-release-dev'
  export RELEASE_NAME="ocp-release"
  export ARCHITECTURE='ppc64le'
  export LOCAL_SECRET_JSON='/root/install/pull-secret.json'
- Mirror the images to the internal container registry:
  oc adm release mirror -a ${LOCAL_SECRET_JSON} \
    --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
    --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
    --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}