Generating openshift-install binary in a Disconnected environment

Why this Document?

When working in a disconnected environment, more than once an organization needs to install multiple sets of clusters.
In order to deploy OpenShift 4 we need to create the “openshift-install” command and point it to our internal registry.
The official documentation states that you need to be connected to the internet to be able to generate the “openshift-install” binary, but this is incorrect.
We can extract the “openshift-install” binary in a disconnected (air-gapped) environment, but this requires a little bit of trickery.

Prerequisites

This document assumes that you are running in a disconnected environment, that you have already synced the image registry, and that it is already running on port 5000 (or any port other than 443).
(The registry structure is based on a document I wrote about OpenShift installation in a disconnected environment that can be found here.)

  1. oc
  2. skopeo

The Steps

For the first step of this tutorial we will set up our environment variables:
(we are using version 4.6.1 as our example)

# export OCP_RELEASE=4.6.1-x86_64
# export OCP_REGISTRY=registry:5000
# export OCP_REPOSITORY=ocp4
# export REGISTRY_BASE="/opt/registry"

Now let’s generate a secret file (this is useful for ongoing work as well).
First we need to set up another environment variable:

# export REGISTRY_AUTH_FILE="$HOME/.registries/auths.json"

(Use $HOME rather than ~ here: a tilde inside double quotes is not expanded, so podman and oc would look for a directory literally named “~”.)

Now we need to create the file:

# mkdir ~/.registries/
# echo '{"auths":{}}' > ~/.registries/auths.json

And log in to our internal registry with podman:

# podman login $OCP_REGISTRY
Username: myuser
Password:
Login Succeeded!

Note!
(You can examine the file to see that a new entry for our internal registry has been added.)

Next, run the command (don’t worry, it will fail) so that it outputs the image (by digest) it is trying to pull from quay.io:

# oc adm -a $REGISTRY_AUTH_FILE --insecure=true release extract --command=openshift-install ${OCP_REGISTRY}/${OCP_REPOSITORY}:${OCP_RELEASE}
error: unable to read image quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3f206c2ca0472d318ed03d164c7c1502796974da881136060677154bc5432415: unauthorized: access to the requested resource is not authorized

You may get a different error message, but the reason is the same (unable to reach quay.io …).

Temporary quay.io registry

In order to solve our issue we need to set up a temporary registry on port 443 and point quay.io to it!

We will create a new start_registry file, based on the existing one, that listens on port 443:

# cat > start_registry_443.sh << EOF
podman run --name my-registry_443 --rm -d -p 443:5000 \
-v ${REGISTRY_BASE}/data:/var/lib/registry:z \
-v ${REGISTRY_BASE}/auth:/auth:z -e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
-e "REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v ${REGISTRY_BASE}/certs:/certs:z \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
docker.io/library/registry:2
EOF

Make sure it is executable and run it:

# chmod a+x start_registry_443.sh
# ./start_registry_443.sh

Now let’s get our server IP address and point quay.io to it in the /etc/hosts file (in our example the IP address is 192.168.1.2):

# vi /etc/hosts
192.168.1.2 quay.io

For our last step with the registry we need to log in to quay.io with our internal registry credentials:

# podman login --tls-verify=false quay.io
Username: myuser
Password:
Login Succeeded!

As you can see, the error message also contains the digest we need from our mirrored registry. We will copy it into our skopeo command: the source is the image with that digest in our mirrored repository, and the destination is the image the command is looking for on quay.io.

We will now use skopeo copy to direct our image to our “new” quay.io registry.
(This is an example for OCP 4.6.1.)

# skopeo copy --all docker://${OCP_REGISTRY}/${OCP_REPOSITORY}@sha256:3f206c2ca0472d318ed03d164c7c1502796974da881136060677154bc5432415 --dest-tls-verify=false docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3f206c2ca0472d318ed03d164c7c1502796974da881136060677154bc5432415

Note!
We are using --dest-tls-verify=false because the TLS certificate was issued for our registry’s real name, not for quay.io.

Running the command

We can now safely (and internally) run the command that will generate our openshift-install binary with the required registry:

# oc adm -a $REGISTRY_AUTH_FILE --insecure=true release extract --command=openshift-install ${OCP_REGISTRY}/${OCP_REPOSITORY}:${OCP_RELEASE}
# echo $?

Now that the binary has been created we can go ahead and test it:

# ./openshift-install version
./openshift-install 4.6.1
built from commit ebdbda57fc18d3b73e69f0f2cc499ddfca7e6593
release image registry:5000/ocp4@sha256:d78292e9730dd387ff6198197c8b0598da340be7678e8e1e4810b557a926c2b9

Since we don’t need it anymore, we can go ahead and stop the registry:

# podman stop my-registry_443

Do not forget to remove the quay.io line from /etc/hosts once we have completed!

# vi /etc/hosts
192.168.1.2 quay.io <-- delete it!!!
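The steps above strung together as a small helper script. This is an added example and not part of the original post: it assumes the post's variables (OCP_REGISTRY, OCP_REPOSITORY, OCP_RELEASE, REGISTRY_AUTH_FILE) are exported, that the temporary port-443 registry is already running and both podman logins have been done. The function names, the HOSTS_MARKER comment and the HOSTS_FILE override are my own; the sample error text and version output used to exercise it are the ones shown in this post.

```shell
#!/bin/sh
# Added helper (not from the original post). Assumes the post's variables
# OCP_REGISTRY, OCP_REPOSITORY, OCP_RELEASE and REGISTRY_AUTH_FILE are
# exported, that the temporary port-443 registry is already running and
# that both podman logins have been done. HOSTS_FILE is a hypothetical
# override so the hosts-file helpers can be exercised on a scratch file.
set -eu

HOSTS_MARKER='# temporary quay.io override for openshift-install extract'

# 1. Pull the "repository@sha256:<digest>" reference out of the
#    "unable to read image quay.io/..." error that the first oc run prints.
digest_image_from_error() {
    # $1: oc's error text; prints the quay.io reference, or nothing
    printf '%s\n' "$1" \
        | grep -o 'quay\.io/[^ :]*@sha256:[0-9a-f]\{64\}' \
        | head -n 1
}

# 2. Build the skopeo source: the same digest, but in the mirrored repo.
skopeo_source_for() {
    # $1: quay.io reference from step 1; prints docker://<mirror>@sha256:...
    digest=${1##*@}
    printf 'docker://%s/%s@%s\n' "$OCP_REGISTRY" "$OCP_REPOSITORY" "$digest"
}

# 3. Hosts-file override. A marker comment makes removal exact and idempotent;
#    writing back with cat keeps the inode (and SELinux label) of /etc/hosts.
hosts_add_override() {
    # $1: hosts file, $2: IP of the temporary registry
    hosts_remove_override "$1"
    printf '%s quay.io %s\n' "$2" "$HOSTS_MARKER" >> "$1"
}

hosts_remove_override() {
    # $1: hosts file; drops only the lines carrying our marker
    tmp="$1.tmp.$$"
    grep -v -F "$HOSTS_MARKER" "$1" > "$tmp" || true
    cat "$tmp" > "$1" && rm -f "$tmp"
}

hosts_has_override() {
    grep -q -F "$HOSTS_MARKER" "$1"
}

# 4. Check that the produced binary was built from the mirror: the
#    "release image" line of `openshift-install version` must name
#    $OCP_REGISTRY, not quay.io.
release_image_is_internal() {
    # $1: full output of ./openshift-install version
    img=$(printf '%s\n' "$1" | sed -n 's/^release image //p' | head -n 1)
    [ -n "$img" ] || return 1
    case "$img" in
        "$OCP_REGISTRY"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# 5. The post's sequence end to end, with guaranteed hosts-file cleanup.
extract_openshift_install() {
    # $1: IP to which quay.io is temporarily pointed
    hosts_file=${HOSTS_FILE:-/etc/hosts}
    release="$OCP_REGISTRY/$OCP_REPOSITORY:$OCP_RELEASE"
    # the first run is expected to fail; we only want the digest it names
    err=$(oc adm -a "$REGISTRY_AUTH_FILE" --insecure=true release extract \
              --command=openshift-install "$release" 2>&1) || true
    ref=$(digest_image_from_error "$err")
    [ -n "$ref" ] || { echo "no quay.io digest found in oc output" >&2; return 1; }
    hosts_add_override "$hosts_file" "$1"
    trap 'hosts_remove_override "$hosts_file"' EXIT
    skopeo copy --all "$(skopeo_source_for "$ref")" \
        --dest-tls-verify=false "docker://$ref"
    oc adm -a "$REGISTRY_AUTH_FILE" --insecure=true release extract \
        --command=openshift-install "$release"
    release_image_is_internal "$(./openshift-install version)"
}

# Only orchestrate when asked: ./extract.sh extract 192.168.1.2
if [ "${1:-}" = "extract" ]; then
    extract_openshift_install "${2:?usage: $0 extract <server-ip>}"
fi
```

Run it as `./extract.sh extract 192.168.1.2` to perform the whole sequence; sourcing it just defines the helpers. The trap removes the quay.io line from the hosts file even when skopeo or the second oc run fails, and the final check refuses to report success unless the binary's release image points at the internal registry rather than quay.io.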

That is it.
Have fun!

If you have any question feel free to respond / leave a comment.
You can find me on LinkedIn at: https://www.linkedin.com/in/orenoichman
Or Twitter at: https://twitter.com/ooichman

Open Source contributor for the past 15 years