IBM Maximo | Interloc | #Predictive Maintenance | OpenShift | IBM Maximo Application Suite | two-phase image mirroring | OpenShift offline deployment | disconnected OpenShift deployment | Red Hat OpenShift registry mirroring | air-gapped OpenShift cluster
We are continuing our series of Blog Entries to cover some MAS deployment scenarios either left out or not appropriately covered on the IBM Ansible scripts. We are going to also discuss considerations and tips and hints around these deployments. This time we are installing an offline OpenShift Cluster and Mirroring the required Image Registries. This is Part 2 of 3, to cover actual mirroring, both direct and 2-phase. In case you missed the first blog you can click here and read that one as well.
Pre-requisites to mirroring the RedHat OCP Images
Before we start mirroring the RedHat OCP Images, we need to setup the proper RedHat Pull Secret as a file (we tried using an escaped literal string but that got mangled by the shell, so using a file looks like a better alternative that worked in our case.
Therefore, ensure in the filesystem there is proper RedHat Pull Secret in JSON format like in our case named:
~/MAS/mirror/redhat-pullsecret-jamestkirk.json
With that, we are going to set an environment variable and file mapping to use the file as source for the Pull Secret instead of a literal string.
Considerations applicable to all cases
Use the intended Catalog version, in our case, “v9-260430-amd64”. See: https://ibm-mas.github.io/cli/catalogs/ and corresponding channel.
The list of components to mirror is fully described at https://ibm-mas.github.io/cli/guides/image-mirroring/. We have chosen the most common ones below, but the selection should be made probably case by case to save on bandwidth and disk space.
Direct Mirroring
To mirror the images to the registry, on the external workstation, use (feel free to substitute with the right values for your case, like the value for OCP_RELEASE):
export LOCAL_TRANSFER_DIR="/mnt/images/transfer"
export IBM_ENTITLEMENT_KEY="<not-shown-here>"
export REDHAT_PULLSECRET_FILEPATH="~/MAS/mirror/redhat-pullsecret-jamestkirk.json"
export OCP_RELEASE="4.20"
export REGISTRY_HOST="dcr.local02.mas.interloc.cloud"
export REGISTRY_PORT="5000"
export REGISTRY_USERNAME="registry"
export REGISTRY_PASSWORD="registry-password"
export CATALOG_VERSION="v9-260430-amd64"
export CATALOG_CHANNEL="9.1.x"
export MIRROR_SINGLE_ARCH="amd64"
# for the RedHat portion
mkdir -p $LOCAL_TRANSFER_DIR/process/redhat
podman run -ti --rm --tls-verify=false \
-v $REDHAT_PULLSECRET_FILEPATH:/tmp/redhat-pull-secret.json:Z \
-v $LOCAL_TRANSFER_DIR/process/redhat:/mnt/logs:Z \
-e MIRROR_SINGLE_ARCH="${MIRROR_SINGLE_ARCH}" \
$REGISTRY_HOST:$REGISTRY_PORT/ibmmas/cli:latest \
mas mirror-redhat-images -m direct --no-confirm -d /mnt/logs \
-H $REGISTRY_HOST -P $REGISTRY_PORT \
-u $REGISTRY_USERNAME -p $REGISTRY_PASSWORD \
--mirror-platform --mirror-operators \
--release $OCP_RELEASE \
--pullsecret /tmp/redhat-pull-secret.json
# In our case, as the pod produces almost no output while the process is ongoing, we could see how the mirroring process was going by (in another terminal) using the command:
# "tail -F $LOCAL_TRANSFER_DIR/process/redhat/logs/mirror-direct-ocp4.20.log"
# That file should also serve as a catalog (index) of the images that were mirrored, which should be useful later when setting up the install-config.yaml file.
# for the CORE and dependencies portion
mkdir -p $LOCAL_TRANSFER_DIR/process/mas-core
podman run -ti --rm --tls-verify=false \
-v $LOCAL_TRANSFER_DIR/process/mas-core:/mnt/logs:Z \
-e MIRROR_SINGLE_ARCH="${MIRROR_SINGLE_ARCH}" \
$REGISTRY_HOST:$REGISTRY_PORT/ibmmas/cli:latest \
mas mirror-images -m direct --no-confirm -d /mnt/logs \
-H $REGISTRY_HOST -P $REGISTRY_PORT -u $REGISTRY_USERNAME -p $REGISTRY_PASSWORD \
--mirror-catalog --mirror-core --mirror-mongo --mirror-tsm --mirror-sls --mirror-db2 \
-c $CATALOG_VERSION -C $CATALOG_CHANNEL \
--ibm-entitlement $IBM_ENTITLEMENT_KEY
# The index of images that were mirrored could be found in our case in the folder: /mnt/images/transfer/process/mas-core/manifests/direct and there will be a series of .txt files in there that should contain the list of images that were mirrored.
# for the MAS applications
mkdir -p $LOCAL_TRANSFER_DIR/process/mas-apps
podman run -ti --rm --tls-verify=false \
-v $LOCAL_TRANSFER_DIR/process/mas-apps:/mnt/logs:Z \
-e MIRROR_SINGLE_ARCH="${MIRROR_SINGLE_ARCH}" \
$REGISTRY_HOST:$REGISTRY_PORT/ibmmas/cli:latest \
mas mirror-images -m direct --no-confirm -d /mnt/logs \
-H $REGISTRY_HOST -P $REGISTRY_PORT -u $REGISTRY_USERNAME -p $REGISTRY_PASSWORD \
--mirror-manage \
-c $CATALOG_VERSION -C $CATALOG_CHANNEL \
--ibm-entitlement $IBM_ENTITLEMENT_KEY
# The index of images that were mirrored could be found in our case in the folder: /mnt/images/transfer/process/mas-apps/manifests/direct and there will be a series of .txt files in there that should contain the list of images that were mirrored.
2-phase Image Mirroring
For 2-phase mirroring we need 2 workstations (one with Internet Access and another in the “disconnected/airgapped” network that will not have Internet Access. Both can be installed using the instructions above.
Also, a portable hard drive with space enough (like 1TB) to be mounted on the “/mnt/images/transfer” path on both workstations and to move it from the “public” to the “private” workstation once all images have been downloaded.
Once we have the Image Registry running on the disconnected workstation (all included above), we can both clone the images to the External Storage on the Connected Workstation and restore the Images we stored in the external storage on the Disconnected Workstation, as shown below.
To mirror the RedHat OCP Images to disk, run the following command to export the OpenShift images to the portable drive:
export LOCAL_TRANSFER_DIR="/mnt/images/transfer"
export IBM_ENTITLEMENT_KEY="<not-shown-here>"
export REDHAT_PULLSECRET_FILEPATH="/root/MAS/mirror/redhat-pullsecret-jamestkirk.json"
export OCP_RELEASE="4.20"
export REGISTRY_HOST="dcr.local02.mas.interloc.cloud"
export REGISTRY_PORT="5000"
export REGISTRY_USERNAME="registry"
export REGISTRY_PASSWORD="registry-password"
export CATALOG_VERSION="v9-260430-amd64"
export CATALOG_CHANNEL="9.1.x"
export MIRROR_SINGLE_ARCH="amd64"
# for the RedHat portion
mkdir -p $LOCAL_TRANSFER_DIR/images/redhat
podman run -ti --rm --tls-verify=false \
-v $REDHAT_PULLSECRET_FILEPATH:/tmp/redhat-pull-secret.json:Z \
-v $LOCAL_TRANSFER_DIR/images/redhat:/mnt/images:Z \
-e MIRROR_SINGLE_ARCH="${MIRROR_SINGLE_ARCH}" \
$REGISTRY_HOST:$REGISTRY_PORT/ibmmas/cli:latest \
mas mirror-redhat-images -m to-filesystem --no-confirm -d /mnt/images \
-H $REGISTRY_HOST -P $REGISTRY_PORT \
-u $REGISTRY_USERNAME -p $REGISTRY_PASSWORD \
--mirror-platform --mirror-operators \
--release $OCP_RELEASE \
--pullsecret /tmp/redhat-pull-secret.json
# In our case, as the pod produces almost no output while the process is ongoing, we could see how the mirroring process was going by (in another terminal) using the command:
# "tail -F $LOCAL_TRANSFER_DIR/images/redhat/logs/mirror-to-filesystem-ocp4.20.log"
# That file should also serve as a catalog (index) of the images that were mirrored, which should be useful later when setting up the install-config.yaml file.
# for the CORE and dependencies portion
mkdir -p $LOCAL_TRANSFER_DIR/images/mas-core
podman run -ti --rm --tls-verify=false \
-v $LOCAL_TRANSFER_DIR/images/mas-core:/mnt/images:Z \
-e MIRROR_SINGLE_ARCH="${MIRROR_SINGLE_ARCH}" \
$REGISTRY_HOST:$REGISTRY_PORT/ibmmas/cli:latest \
mas mirror-images -m to-filesystem --no-confirm -d /mnt/images \
-H $REGISTRY_HOST -P $REGISTRY_PORT -u $REGISTRY_USERNAME -p $REGISTRY_PASSWORD \
--mirror-catalog --mirror-core --mirror-mongo --mirror-tsm --mirror-sls --mirror-db2 \
-c $CATALOG_VERSION -C $CATALOG_CHANNEL \
--ibm-entitlement $IBM_ENTITLEMENT_KEY
# The index of images that were mirrored could be found in our case in the folder: /mnt/images/transfer/images/mas-core/manifests/to-filesystem and there will be a series of .txt files in there that should contain the list of images that were mirrored.
# for the MAS applications
mkdir -p $LOCAL_TRANSFER_DIR/images/mas-apps
podman run -ti --rm --tls-verify=false \
-v $LOCAL_TRANSFER_DIR/images/mas-apps:/mnt/images:Z \
-e MIRROR_SINGLE_ARCH="${MIRROR_SINGLE_ARCH}" \
$REGISTRY_HOST:$REGISTRY_PORT/ibmmas/cli:latest \
mas mirror-images -m to-filesystem --no-confirm -d /mnt/images \
-H $REGISTRY_HOST -P $REGISTRY_PORT -u $REGISTRY_USERNAME -p $REGISTRY_PASSWORD \
--mirror-manage \
-c $CATALOG_VERSION -C $CATALOG_CHANNEL \
--ibm-entitlement $IBM_ENTITLEMENT_KEY
# The index of images that were mirrored could be found in our case in the folder: /mnt/images/transfer/images/mas-apps/manifests/to-filesystem and there will be a series of .txt files in there that should contain the list of images that were mirrored.
Note: The “-m to-filesystem” flag is used to export images to the disk instead of a registry.
Now we should dismount the drive with the images from the Connected/Source Image Registry workstation and move it to the Disconnected/Air Gapped/Destination Image Registry workstation. As shown below:
On the Connected/Source Image Registry workstation:
export LOCAL_TRANSFER_DIR="/mnt/images/transfer"
umount $LOCAL_TRANSFER_DIR
Then after moving the actual USB disk into the Disconnected/Air Gapped/Destination Image Registry workstation and having it connected to the USB port:
export LOCAL_TRANSFER_DIR="/mnt/images/transfer"
mkdir -p $LOCAL_TRANSFER_DIR
mount /dev/sdb1 /mnt/images/transfer
Then execute the following commands to populate the registry with the offline files:
export LOCAL_TRANSFER_DIR="/mnt/images/transfer"
export IBM_ENTITLEMENT_KEY="<not-shown-here>"
export REDHAT_PULLSECRET_FILEPATH="/root/MAS/mirror/redhat-pullsecret-jamestkirk.json"
export OCP_RELEASE="4.20"
export REGISTRY_HOST="dcr.local02.mas.interloc.cloud"
export REGISTRY_PORT="5000"
export REGISTRY_USERNAME="registry"
export REGISTRY_PASSWORD="registry-password"
export CATALOG_VERSION="v9-260430-amd64"
export CATALOG_CHANNEL="9.1.x"
export MIRROR_SINGLE_ARCH="amd64"
# for the RedHat portion
# This next move is to avoid an error we got stating that "mirror_[0..9]\.tar could not be found inside mirror_seq1_000000.tar" when running the command, it may not be needed in future versions or even cause issues.
mv $LOCAL_TRANSFER_DIR/images/redhat/mirror_000001.tar $LOCAL_TRANSFER_DIR/images/redhat/mirror_seq1_000000.tar/mirror_000001.tar
podman run -ti --rm --tls-verify=false \
-v $REDHAT_PULLSECRET_FILEPATH:/tmp/redhat-pull-secret.json:Z \
-v $LOCAL_TRANSFER_DIR/images/redhat:/mnt/images:Z \
-e MIRROR_SINGLE_ARCH="${MIRROR_SINGLE_ARCH}" \
$REGISTRY_HOST:$REGISTRY_PORT/ibmmas/cli:latest \
mas mirror-redhat-images -m from-filesystem --no-confirm -d /mnt/images \
-H $REGISTRY_HOST -P $REGISTRY_PORT \
-u $REGISTRY_USERNAME -p $REGISTRY_PASSWORD \
--mirror-platform --mirror-operators \
--release $OCP_RELEASE
# In our case, as the pod produces almost no output while the process is ongoing, we could see how the mirroring process was going by (in another terminal) using the command:
# "tail -F $LOCAL_TRANSFER_DIR/images/redhat/logs/mirror-from-filesystem-ocp4.20.log"
# That file should also serve as a catalog (index) of the images that were mirrored, which should be useful later when setting up the install-config.yaml file.
# for the CORE and dependencies portion
podman run -ti --rm --tls-verify=false \
-v $LOCAL_TRANSFER_DIR/images/mas-core:/mnt/images:Z \
-e MIRROR_SINGLE_ARCH="${MIRROR_SINGLE_ARCH}" \
$REGISTRY_HOST:$REGISTRY_PORT/ibmmas/cli:latest \
mas mirror-images -m from-filesystem --no-confirm -d /mnt/images \
-H $REGISTRY_HOST -P $REGISTRY_PORT -u $REGISTRY_USERNAME -p $REGISTRY_PASSWORD \
--mirror-catalog --mirror-core --mirror-mongo --mirror-tsm --mirror-sls --mirror-db2 \
-c $CATALOG_VERSION -C $CATALOG_CHANNEL \
--ibm-entitlement $IBM_ENTITLEMENT_KEY
# The index of images that were mirrored could be found in our case in the folder: /mnt/images/transfer/images/mas-core/manifests/from-filesystem and there will be a series of .txt files in there that should contain the list of images that were mirrored.
# for the MAS applications
podman run -ti --rm --tls-verify=false \
-v $LOCAL_TRANSFER_DIR/images/mas-apps:/mnt/images:Z \
-e MIRROR_SINGLE_ARCH="${MIRROR_SINGLE_ARCH}" \
$REGISTRY_HOST:$REGISTRY_PORT/ibmmas/cli:latest \
mas mirror-images -m from-filesystem --no-confirm -d /mnt/images \
-H $REGISTRY_HOST -P $REGISTRY_PORT -u $REGISTRY_USERNAME -p $REGISTRY_PASSWORD \
--mirror-manage \
-c $CATALOG_VERSION -C $CATALOG_CHANNEL \
--ibm-entitlement $IBM_ENTITLEMENT_KEY
# The index of images that were mirrored could be found in our case in the folder: /mnt/images/transfer/images/mas-apps/manifests/from-filesystem and there will be a series of .txt files in there that should contain the list of images that were mirrored.
Note: The “-m from-filesystem” flag is used to export images to the disk instead of a registry.
You've now completed the image mirroring phase of your disconnected OpenShift deployment. Next, we'll bring everything together in Part 3 by covering final deployment steps, validation procedures, and troubleshooting considerations to help ensure a successful IBM Maximo Application Suite implementation.
Don't miss the final installment of this series. Subscribe to our blog for the latest IBM Maximo, OpenShift, and MAS deployment insights, or contact Interloc Solutions to discuss your disconnected deployment strategy with our experts.
-3.png?width=476&height=135&name=Interloc%20White%20BG%20(1)-3.png)