diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index 9ae1bc6a8a54..3c28f31d1643 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -587,15 +587,17 @@ Topics: - Name: Updating a cluster that includes RHEL compute machines File: updating-cluster-rhel-compute Distros: openshift-enterprise -- Name: Updating a disconnected environment +- Name: Updating a cluster in a disconnected environment Dir: updating-restricted-network-cluster Distros: openshift-enterprise Topics: - - Name: About disconnected environment updates + - Name: About cluster updates in a disconnected environment File: index - - Name: Updating disconnected environments using OSUS + - Name: Mirroring the OpenShift Container Platform image repository + File: mirroring-image-repository + - Name: Updating a cluster in a disconnected environment using OSUS File: restricted-network-update-osus - - Name: Updating disconnected environments without OSUS + - Name: Updating a cluster in a disconnected environment without OSUS File: restricted-network-update - Name: Updating hardware on nodes running on vSphere File: updating-hardware-on-nodes-running-on-vsphere diff --git a/installing/disconnected_install/installing-mirroring-disconnected.adoc b/installing/disconnected_install/installing-mirroring-disconnected.adoc index 27d8bd76d3da..7f153a09670a 100644 --- a/installing/disconnected_install/installing-mirroring-disconnected.adoc +++ b/installing/disconnected_install/installing-mirroring-disconnected.adoc @@ -140,3 +140,9 @@ include::modules/oc-mirror-image-set-config-examples.adoc[leveloffset=+1] // Command reference for oc-mirror include::modules/oc-mirror-command-reference.adoc[leveloffset=+1] + +[role="_additional-resources"] +[id="additional-resources_installing-mirroring-disconnected"] +== Additional resources + +* xref:../../updating/updating-restricted-network-cluster/index.adoc#about-restricted-network-updates[About cluster updates in a disconnected environment] \ No newline at end of file diff --git a/modules/cli-installing-cli.adoc b/modules/cli-installing-cli.adoc index 7c5f5b88338b..7f6c9613eef9 100644 --- a/modules/cli-installing-cli.adoc +++ b/modules/cli-installing-cli.adoc @@ -48,14 +48,14 @@ // * openshift_images/samples-operator-alt-registry.adoc // * installing/installing_rhv/installing-rhv-customizations.adoc // * installing/installing_rhv/installing-rhv-default.adoc -// * updating/updating-restricted-network-cluster/restricted-network-update.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc // * microshift_cli_ref/microshift-oc-cli-install.adoc // * updating/updating-restricted-network-cluster.adoc // * installing/installing-nutanix-installer-provisioned.adoc // * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc // AMQ docs link to this; do not change anchor -ifeval::["{context}" == "updating-restricted-network-cluster"] +ifeval::["{context}" == "mirroring-ocp-image-repository"] :restricted: endif::[] @@ -200,6 +200,6 @@ After you install the OpenShift CLI, it is available using the `oc` command: $ oc ---- -ifeval::["{context}" == "updating-restricted-network-cluster"] +ifeval::["{context}" == "mirroring-ocp-image-repository"] :!restricted: endif::[] diff --git a/modules/installation-about-mirror-registry.adoc b/modules/installation-about-mirror-registry.adoc index 9f690ac8e1fb..a56178b2d685 100644 --- a/modules/installation-about-mirror-registry.adoc +++ b/modules/installation-about-mirror-registry.adoc @@ -3,11 +3,16 @@ // * installing/disconnected_install/installing-mirroring-installation-images.adoc // * openshift_images/samples-operator-alt-registry.adoc // * scalability_and_performance/ztp-deploying-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc ifeval::["{context}" == "installing-mirroring-disconnected"] :oc-mirror: endif::[] +ifeval::["{context}" == "mirroring-ocp-image-repository"] +:oc-mirror: +endif::[] + :_content-type: CONCEPT [id="installation-about-mirror-registry_{context}"] = About the mirror registry @@ -42,3 +47,7 @@ Red Hat does not test third party registries with {product-title}. ifeval::["{context}" == "installing-mirroring-disconnected"] :!oc-mirror: endif::[] + +ifeval::["{context}" == "mirroring-ocp-image-repository"] +:!oc-mirror: +endif::[] \ No newline at end of file diff --git a/modules/installation-adding-registry-pull-secret.adoc b/modules/installation-adding-registry-pull-secret.adoc index 2916f044ca28..d8459ad3388f 100644 --- a/modules/installation-adding-registry-pull-secret.adoc +++ b/modules/installation-adding-registry-pull-secret.adoc @@ -4,10 +4,11 @@ // * installing/disconnected_install/installing-mirroring-disconnected.adoc // * openshift_images/samples-operator-alt-registry.adoc // * scalability_and_performance/ztp_far_edge/ztp-deploying-far-edge-clusters-at-scale.adoc -// * updating/updating-restricted-network-cluster/restricted-network-update.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc -ifeval::["{context}" == "updating-restricted-network-cluster"] +ifeval::["{context}" == "mirroring-ocp-image-repository"] :restricted: +:update-oc-mirror: endif::[] ifeval::["{context}" == "installing-mirroring-installation-images"] @@ -62,14 +63,7 @@ ifndef::openshift-origin[] ---- $ cat ./pull-secret | jq . > / <1> ---- -ifndef::oc-mirror[] <1> Specify the path to the folder to store the pull secret in and a name for the JSON file that you create. -endif::[] -ifdef::oc-mirror[] -<1> Specify the path to the folder to store the pull secret in and a name for the JSON file that you create. - -. Save the file either as `~/.docker/config.json` or `$XDG_RUNTIME_DIR/containers/auth.json`. -endif::[] + The contents of the file resemble the following example: + @@ -96,6 +90,14 @@ The contents of the file resemble the following example: } } ---- +// An additional step for following this procedure when using oc-mirror as part of the disconnected install process. +ifdef::oc-mirror[] +. Save the file either as `~/.docker/config.json` or `$XDG_RUNTIME_DIR/containers/auth.json`. +endif::[] +// Similar to the additional step above, except it is framed as optional because it is included in a disconnected update page (where users may or may not use oc-mirror for their process) +ifdef::update-oc-mirror[] +. Optional: If using the oc-mirror plugin, save the file either as `~/.docker/config.json` or `$XDG_RUNTIME_DIR/containers/auth.json`. +endif::[] endif::[] . Generate the base64-encoded user name and password or token for your mirror registry: @@ -122,6 +124,7 @@ ifndef::openshift-origin[] "": { <1> "auth": "", <2> "email": "you@example.com" + } }, endif::[] ifdef::openshift-origin[] @@ -189,8 +192,9 @@ ifeval::["{context}" == "installing-mirroring-installation-images"] :!restricted: endif::[] -ifeval::["{context}" == "updating-restricted-network-cluster"] +ifeval::["{context}" == "mirroring-ocp-image-repository"] :!restricted: +:!update-oc-mirror: endif::[] ifeval::["{context}" == "installing-mirroring-disconnected"] diff --git a/modules/oc-mirror-about.adoc b/modules/oc-mirror-about.adoc index 9ac465912619..348c1ba13bbf 100644 --- a/modules/oc-mirror-about.adoc +++ b/modules/oc-mirror-about.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/disconnected_install/installing-mirroring-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: CONCEPT [id="installation-oc-mirror-about_{context}"] @@ -17,7 +18,7 @@ You can use the oc-mirror OpenShift CLI (`oc`) plugin to mirror all required {pr When using the oc-mirror plugin, you specify which content to mirror in an image set configuration file. In this YAML file, you can fine-tune the configuration to only include the {product-title} releases and Operators that your cluster needs. This reduces the amount of data that you need to download and transfer. The oc-mirror plugin can also mirror arbitrary helm charts and additional container images to assist users in seamlessly synchronizing their workloads onto mirror registries. -The first time you run the oc-mirror plugin, it populates your mirror registry with the required content to perform your disconnected cluster installation. In order for your disconnected cluster to continue receiving updates, you must keep your mirror registry updated. To update your mirror registry, you run the oc-mirror plugin using the same configuration as the first time you ran it. The oc-mirror plugin references the metadata from the storage backend and only downloads what has been released since the last time you ran the tool. This provides update paths for {product-title} and Operators and performs dependency resolution as required. +The first time you run the oc-mirror plugin, it populates your mirror registry with the required content to perform your disconnected cluster installation or update. In order for your disconnected cluster to continue receiving updates, you must keep your mirror registry updated. To update your mirror registry, you run the oc-mirror plugin using the same configuration as the first time you ran it. The oc-mirror plugin references the metadata from the storage backend and only downloads what has been released since the last time you ran the tool. This provides update paths for {product-title} and Operators and performs dependency resolution as required. [IMPORTANT] ==== diff --git a/modules/oc-mirror-command-reference.adoc b/modules/oc-mirror-command-reference.adoc index 5c446120940d..27b000aaa5ca 100644 --- a/modules/oc-mirror-command-reference.adoc +++ b/modules/oc-mirror-command-reference.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/disconnected_install/installing-mirroring-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: REFERENCE [id="oc-mirror-command-reference_{context}"] diff --git a/modules/oc-mirror-creating-image-set-config.adoc b/modules/oc-mirror-creating-image-set-config.adoc index b94b74207604..eb41eecf8575 100644 --- a/modules/oc-mirror-creating-image-set-config.adoc +++ b/modules/oc-mirror-creating-image-set-config.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/disconnected_install/installing-mirroring-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: PROCEDURE [id="oc-mirror-creating-image-set-config_{context}"] diff --git a/modules/oc-mirror-differential-updates.adoc b/modules/oc-mirror-differential-updates.adoc index 2106bbac1482..ea08d8a2d0ff 100644 --- a/modules/oc-mirror-differential-updates.adoc +++ b/modules/oc-mirror-differential-updates.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/disconnected_install/installing-mirroring-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: PROCEDURE [id="oc-mirror-differential-updates_{context}"] diff --git a/modules/oc-mirror-disk-to-mirror.adoc b/modules/oc-mirror-disk-to-mirror.adoc index d0c616619a4a..b7a89322a59f 100644 --- a/modules/oc-mirror-disk-to-mirror.adoc +++ b/modules/oc-mirror-disk-to-mirror.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/disconnected_install/installing-mirroring-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: PROCEDURE [id="oc-mirror-disk-to-mirror_{context}"] diff --git a/modules/oc-mirror-dry-run.adoc b/modules/oc-mirror-dry-run.adoc index aa49407a6312..af159838d3ef 100644 --- a/modules/oc-mirror-dry-run.adoc +++ b/modules/oc-mirror-dry-run.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/disconnected_install/installing-mirroring-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: PROCEDURE [id="oc-mirror-dry-run_{context}"] diff --git a/modules/oc-mirror-image-set-config-examples.adoc b/modules/oc-mirror-image-set-config-examples.adoc index 6629c3f0a3d5..be63e96ce715 100644 --- a/modules/oc-mirror-image-set-config-examples.adoc +++ b/modules/oc-mirror-image-set-config-examples.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/disconnected_install/installing-mirroring-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: REFERENCE [id="oc-mirror-image-set-examples_{context}"] diff --git a/modules/oc-mirror-imageset-config-params.adoc b/modules/oc-mirror-imageset-config-params.adoc index 624074b2bb76..e619e7245970 100644 --- a/modules/oc-mirror-imageset-config-params.adoc +++ b/modules/oc-mirror-imageset-config-params.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/disconnected_install/installing-mirroring-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: REFERENCE [id="oc-mirror-imageset-config-params_{context}"] diff --git a/modules/oc-mirror-installing-plugin.adoc b/modules/oc-mirror-installing-plugin.adoc index 95095386f35c..ba4cb13a7cc5 100644 --- a/modules/oc-mirror-installing-plugin.adoc +++ b/modules/oc-mirror-installing-plugin.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/disconnected_install/installing-mirroring-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: PROCEDURE [id="installation-oc-mirror-installing-plugin_{context}"] diff --git a/modules/oc-mirror-mirror-to-disk.adoc b/modules/oc-mirror-mirror-to-disk.adoc index 51fec086370b..0af7e2678620 100644 --- a/modules/oc-mirror-mirror-to-disk.adoc +++ b/modules/oc-mirror-mirror-to-disk.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/disconnected_install/installing-mirroring-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: PROCEDURE [id="oc-mirror-mirror-to-disk_{context}"] diff --git a/modules/oc-mirror-mirror-to-mirror.adoc b/modules/oc-mirror-mirror-to-mirror.adoc index 65515751b759..cf14c91fb434 100644 --- a/modules/oc-mirror-mirror-to-mirror.adoc +++ b/modules/oc-mirror-mirror-to-mirror.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/disconnected_install/installing-mirroring-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: PROCEDURE [id="oc-mirror-mirror-to-mirror_{context}"] diff --git a/modules/oc-mirror-oci-format.adoc b/modules/oc-mirror-oci-format.adoc index abae4aaa4836..8ed7b643d54a 100644 --- a/modules/oc-mirror-oci-format.adoc +++ b/modules/oc-mirror-oci-format.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/disconnected_install/installing-mirroring-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: PROCEDURE [id="oc-mirror-oci-format_{context}"] diff --git a/modules/oc-mirror-support.adoc b/modules/oc-mirror-support.adoc index e8ba194be6d8..6a85a27e8cea 100644 --- a/modules/oc-mirror-support.adoc +++ b/modules/oc-mirror-support.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/disconnected_install/installing-mirroring-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: CONCEPT [id="oc-mirror-support_{context}"] diff --git a/modules/oc-mirror-updating-cluster-manifests.adoc b/modules/oc-mirror-updating-cluster-manifests.adoc index 744ad99167b3..efd306395963 100644 --- a/modules/oc-mirror-updating-cluster-manifests.adoc +++ b/modules/oc-mirror-updating-cluster-manifests.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/disconnected_install/installing-mirroring-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: PROCEDURE [id="oc-mirror-updating-cluster-manifests_{context}"] diff --git a/modules/oc-mirror-updating-registry-about.adoc b/modules/oc-mirror-updating-registry-about.adoc index d06e2451775b..394cbc563117 100644 --- a/modules/oc-mirror-updating-registry-about.adoc +++ b/modules/oc-mirror-updating-registry-about.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * installing/disconnected_install/installing-mirroring-disconnected.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: CONCEPT [id="oc-mirror-updating-registry-about_{context}"] diff --git a/modules/update-mirror-repository-oc-mirror.adoc b/modules/update-mirror-repository-oc-mirror.adoc deleted file mode 100644 index 26e5445cb249..000000000000 --- a/modules/update-mirror-repository-oc-mirror.adoc +++ /dev/null @@ -1,25 +0,0 @@ -// Module included in the following assemblies: -// * updating/updating-restricted-network-cluster/restricted-network-update.adoc -// * updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc - -:_content-type: PROCEDURE -[id="update-mirror-repository-oc-mirror_{context}"] -= Mirroring resources using the oc-mirror plugin - -Use the oc-mirror OpenShift CLI (`oc`) plugin to mirror images onto a mirror registry. Compared to using `oc adm release mirror`, the oc-mirror plugin has the following advantages: - -* It is simpler to use. - -* It can mirror content other than container images. - -* After mirroring images for the first time, it is easier to update images in the registry. - -.Procedure - -. Navigate to the _Mirroring images for a disconnected installation using the oc-mirror plugin_ page of the documentation. - -. Follow the instructions on that page to mirror resources onto a mirror registry. - -** If you are using oc-mirror for the first time, follow the instructions on that page up until and including the section titled _Installing the ImageContentSourcePolicy and CatalogSource resources into the cluster_. - -** If you have already used oc-mirror to mirror resources onto a registry, follow the instructions in the section titled _Keeping your mirror registry content updated_. diff --git a/modules/update-mirror-repository.adoc b/modules/update-mirror-repository.adoc index 8b7abbf2d7e9..34506a54941f 100644 --- a/modules/update-mirror-repository.adoc +++ b/modules/update-mirror-repository.adoc @@ -1,11 +1,22 @@ // Module included in the following assemblies: // -// * updating/updating-restricted-network-cluster/restricted-network-update.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: PROCEDURE [id="update-mirror-repository-adm-release-mirror_{context}"] = Mirroring images using the oc adm release mirror command +.Prerequisites + +* You configured a mirror registry to use in your disconnected environment and can access the certificate and credentials that you configured. +ifndef::openshift-origin[] +* You downloaded the {cluster-manager-url-pull} and modified it to include authentication to your mirror repository. +endif::[] +ifdef::openshift-origin[] +* You have created a pull secret for your mirror repository. +endif::[] +* If you use self-signed certificates, you have specified a Subject Alternative Name in the certificates. + .Procedure . Use the link:https://access.redhat.com/labs/ocpupgradegraph/update_channel[Red Hat {product-title} Upgrade Graph visualizer and update planner] to plan an update from one version to another. The OpenShift Upgrade Graph provides channel graphs and a way to confirm that there is an update path between your current and intended cluster versions. diff --git a/modules/update-service-mirror-release.adoc b/modules/update-service-mirror-release.adoc deleted file mode 100644 index bd9bd70bd383..000000000000 --- a/modules/update-service-mirror-release.adoc +++ /dev/null @@ -1,171 +0,0 @@ -// Module included in the following assemblies: -// *updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc - -:_content-type: PROCEDURE -[id="update-service-mirror-release-adm-release-mirror_{context}"] -= Mirroring images using the oc adm release mirror command - -[IMPORTANT] -==== -To avoid excessive memory usage by the OpenShift Update Service application, it is required that you mirror release images to a separate repository, as described in the following procedure. -==== - -.Prerequisites - -* You reviewed and completed the steps from "Mirroring images for a disconnected installation" up to but not including the section entitled *Mirroring the {product-title} image repository*. -//TODO: Add xref to preceding step when allowed. -* You configured a mirror registry to use in your disconnected environment and can access the certificate and credentials that you configured. -ifndef::openshift-origin[] -* You downloaded the {cluster-manager-url-pull} and modified it to include authentication to your mirror repository. -endif::[] -ifdef::openshift-origin[] -* You have created a pull secret for your mirror repository. -endif::[] -* If you use self-signed certificates, you have specified a Subject Alternative Name in the certificates. - -.Procedure - -Complete the following steps on the mirror host: - -. Review the -link:https://access.redhat.com/downloads/content/290/[{product-title} downloads page] -to determine the version of {product-title} to which you want to update and determine the corresponding tag on the link:https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags[Repository Tags] page. - -. Set the required environment variables: -.. Export the release version: -+ -[source,terminal] ----- -$ OCP_RELEASE= ----- -+ -For ``, specify the tag that corresponds to the version of {product-title} to -install, such as `4.6.4`. - -.. Export the local registry name and host port: -+ -[source,terminal] ----- -$ LOCAL_REGISTRY=':' ----- -+ -For ``, specify the registry domain name for your mirror -repository, and for ``, specify the port that it -serves content on. - -.. Export the local repository name: -+ -[source,terminal] ----- -$ LOCAL_REPOSITORY='' ----- -+ -For ``, specify the name of the repository to create in your -registry, such as `ocp4/openshift4`. - -.. Export an additional local repository name to contain the release images: -+ -[source,terminal] ----- -$ LOCAL_RELEASE_IMAGES_REPOSITORY='' ----- -+ -For ``, specify the name of the repository to -create in your registry, such as `ocp4/openshift4-release-images`. - -.. Export the name of the repository to mirror: -+ -[source,terminal] ----- -$ PRODUCT_REPO='openshift-release-dev' ----- -+ -For a production release, you must specify `openshift-release-dev`. - -.. Export the path to your registry pull secret: -+ -[source,terminal] ----- -$ LOCAL_SECRET_JSON='' ----- -+ -For ``, specify the absolute path to and file name of the pull secret for your mirror registry that you created. - -.. Export the release mirror: -+ -[source,terminal] ----- -$ RELEASE_NAME="ocp-release" ----- -+ -For a production release, you must specify `ocp-release`. - -.. Export the type of architecture for your cluster: -+ -[source,terminal] ----- -$ ARCHITECTURE= <1> ----- -<1> Specify the architecture of the cluster, such as `x86_64`, `aarch64`, `s390x`, `ppc64le`, or `multi`. - -.. Export the path to the directory to host the mirrored images: -+ -[source,terminal] ----- -$ REMOVABLE_MEDIA_PATH= <1> ----- -<1> Specify the full path, including the initial forward slash (`/`) character. - -. Mirror the version images to the mirror registry: -** If your mirror host does not have internet access, take the following actions: -... Connect the removable media to a system that is connected to the internet. -... Review the images and configuration manifests to mirror: -+ -[source,terminal] ----- -$ oc adm release mirror -a ${LOCAL_SECRET_JSON} \ - --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \ - --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \ - --to-release-image=${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run ----- -... Mirror the images to a directory on the removable media: -+ -[source,terminal] ----- -$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} ----- -... Take the media to the disconnected environment and upload the images to the local container registry: -+ -[source,terminal] ----- -$ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} <1> ----- -+ -<1> For `REMOVABLE_MEDIA_PATH`, you must use the path where you mounted the removable media. -+ -... Use `oc` command-line interface (CLI) to log in to the cluster that you are upgrading. - -... Apply the mirrored release image signature config map to the disconnected cluster: -+ -[source,terminal] ----- -$ oc apply -f ${REMOVABLE_MEDIA_PATH}/mirror/config/ <1> ----- -<1> For ``, specify the path and name of the file, for example, `signature-sha256-81154f5c03294534.yaml`. - -... Mirror the release image to a separate repository: -+ -[source,terminal] ----- -$ oc image mirror -a ${LOCAL_SECRET_JSON} ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} ${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} ----- - -** If the local container registry is connected to the mirror host, push the release images directly to the local registry: -+ -[source,terminal] ----- -$ oc adm release mirror -a ${LOCAL_SECRET_JSON} \ - --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \ - --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \ - --to-release-image=${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} ----- diff --git a/updating/index.adoc b/updating/index.adoc index 54d22cd5a4b6..8c290156c4a7 100644 --- a/updating/index.adoc +++ b/updating/index.adoc @@ -68,12 +68,12 @@ xref:../updating/updating-cluster-rhel-compute.adoc#updating-cluster-rhel-comput * xref:../updating/updating-cluster-rhel-compute.adoc#rhel-compute-updating-minor_updating-cluster-rhel-compute[Updating {op-system-base} compute machines in your cluster] [id="updating-clusters-overview-update-restricted-network-cluster"] -== Updating a disconnected cluster -xref:../updating/updating-restricted-network-cluster/index.adoc#about-restricted-network-updates[Updating a disconnected cluster]: If your mirror host cannot access both the internet and the cluster, you can mirror the images to a file system that is disconnected from that environment. You can then bring that host or removable media across that gap. If the local container registry and the cluster are connected to the mirror host of a registry, you can directly push the release images to the local registry. +== Updating a cluster in a disconnected environment +xref:../updating/updating-restricted-network-cluster/index.adoc#about-restricted-network-updates[About cluster updates in a disconnected environment]: If your mirror host cannot access both the internet and the cluster, you can mirror the images to a file system that is disconnected from that environment. You can then bring that host or removable media across that gap. If the local container registry and the cluster are connected to the mirror host of a registry, you can directly push the release images to the local registry. -* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#updating-restricted-network-mirror-host[Preparing your mirror host] -* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#installation-adding-registry-pull-secret_updating-restricted-network-cluster[Configuring credentials that allow images to be mirrored] -* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#update-mirror-repository[Mirroring the {product-title} image repository] +* xref:../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#updating-restricted-network-mirror-host[Preparing your mirror host] +* xref:../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#installation-adding-registry-pull-secret_mirroring-ocp-image-repository[Configuring credentials that allow images to be mirrored] +* xref:../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#mirroring-ocp-image-repository[Mirroring the {product-title} image repository] * xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#update-restricted_updating-restricted-network-cluster[Updating the disconnected cluster] * xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#images-configuration-registry-mirror_updating-restricted-network-cluster[Configuring image registry repository mirroring] * xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#generating-icsp-object-scoped-to-a-registry_updating-restricted-network-cluster[Widening the scope of the mirror image catalog to reduce the frequency of cluster node reboots] diff --git a/updating/updating-restricted-network-cluster/index.adoc b/updating/updating-restricted-network-cluster/index.adoc index e4dc80832135..3acaf30d49f7 100644 --- a/updating/updating-restricted-network-cluster/index.adoc +++ b/updating/updating-restricted-network-cluster/index.adoc @@ -1,6 +1,6 @@ :_content-type: ASSEMBLY [id="about-restricted-network-updates"] -= About disconnected environment updates += About cluster updates in a disconnected environment include::_attributes/common-attributes.adoc[] :context: about-restricted-network-updates @@ -13,11 +13,18 @@ If the local container registry and the cluster are connected to the mirror regi A single container image registry is sufficient to host mirrored images for several clusters in the disconnected network. -== Performing a disconnected environment update +[id="about-disconnected-updates-mirroring"] +== Mirroring the {product-title} image repository +To update your cluster in a disconnected environment, your cluster environment must have access to a mirror registry that has the necessary images and resources for your targeted update. The following page has instructions for mirroring images onto a repository in your disconnected cluster: + +* xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#mirroring-ocp-image-repository[Mirroring the {product-title} image repository] + +[id="about-disconnected-updates-update"] +== Performing a cluster update in a disconnected environment You can use one of the following procedures to update a disconnected {product-title} cluster: -* xref:../../updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc#updating-restricted-network-cluster-OSUS[Updating disconnected environments using the OpenShift Update Service] +* xref:../../updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc#updating-restricted-network-cluster-OSUS[Updating a cluster in a disconnected environment using the OpenShift Update Service] -* xref:../../updating/updating-restricted-network-cluster/restricted-network-update.adoc#updating-restricted-network-cluster[Updating disconnected environments without the OpenShift Update Service] +* xref:../../updating/updating-restricted-network-cluster/restricted-network-update.adoc#updating-restricted-network-cluster[Updating a cluster in a disconnected environment without the OpenShift Update Service] diff --git a/updating/updating-restricted-network-cluster/mirroring-image-repository.adoc b/updating/updating-restricted-network-cluster/mirroring-image-repository.adoc new file mode 100644 index 000000000000..da3027a52fa5 --- /dev/null +++ b/updating/updating-restricted-network-cluster/mirroring-image-repository.adoc @@ -0,0 +1,169 @@ +:_content-type: ASSEMBLY +[id="mirroring-ocp-image-repository"] += Mirroring the {product-title} image repository +include::_attributes/common-attributes.adoc[] +:context: mirroring-ocp-image-repository + +toc::[] + +You must mirror container images onto a mirror registry before you can update a cluster in a disconnected environment. You can also use this procedure in connected environments to ensure your clusters run only approved container images that have satisfied your organizational controls for external content. + +[NOTE] +==== +Your mirror registry must be running at all times while the cluster is running. +==== + +There are two methods for mirroring images onto a mirror registry: + +* xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#mirroring-ocp-resources-ocmirror[Using the oc-mirror OpenShift CLI (`oc`) plugin] + +* xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#update-mirror-repository-adm-release-mirror_mirroring-ocp-image-repository[Using the `oc adm release mirror` command] + +Compared to using the `oc adm release mirror`command, the oc-mirror plugin has the following advantages: + +* It can mirror content other than container images. + +* After mirroring images for the first time, it is easier to update images in the registry. + +* The oc-mirror plugin provides an automated way to mirror the release payload from Quay, and also builds the latest graph-data image for the OpenShift Update Service running in the disconnected environment. + +[id="prerequisites_updating-mirroring-disconnected"] +== Prerequisites + +* You must have a container image registry that supports link:https://docs.docker.com/registry/spec/manifest-v2-2[Docker v2-2] in the location that will host the {product-title} cluster, such as Red Hat Quay. ++ +[NOTE] +==== +If you use Red Hat Quay, you must use version 3.6 or later with the oc-mirror plugin. If you have an entitlement to Red Hat Quay, see the documentation on deploying Red Hat Quay link:https://access.redhat.com/documentation/en-us/red_hat_quay/3.6/html/deploy_red_hat_quay_for_proof-of-concept_non-production_purposes/[for proof-of-concept purposes] or link:https://access.redhat.com/documentation/en-us/red_hat_quay/3.6/html/deploy_red_hat_quay_on_openshift_with_the_quay_operator/[by using the Quay Operator]. If you need additional assistance selecting and installing a registry, contact your sales representative or Red Hat Support. +==== ++ +If you do not have an existing solution for a container image registry, the xref:../../installing/disconnected_install/installing-mirroring-creating-registry.adoc#installing-mirroring-creating-registry[mirror registry for Red Hat OpenShift] is included in {product-title} subscriptions. The _mirror registry for Red Hat OpenShift_ is a small-scale container registry that you can use to mirror {product-title} container images in disconnected installations and updates. + +[id="updating-restricted-network-mirror-host"] +== Preparing your mirror host + +Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to the remote location. + +include::modules/cli-installing-cli.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* xref:../../cli_reference/openshift_cli/extending-cli-plugins.adoc#cli-installing-plugins_cli-extend-plugins[Installing and using CLI plugins] + +// this file doesn't exist, so I'm including the one that should pick up more changes from Clayton's PR - modules/installation-adding-mirror-registry-pull-secret.adoc[leveloffset=+1] + +include::modules/installation-adding-registry-pull-secret.adoc[leveloffset=+2] + +[id=mirroring-ocp-resources-ocmirror] +== Mirroring resources using the oc-mirror plugin + +You can use the oc-mirror OpenShift CLI (`oc`) plugin to mirror images to a mirror registry in your fully or partially disconnected environments. You must run oc-mirror from a system with internet connectivity to download the required images from the official Red Hat registries. + +The following steps outline the high-level workflow on how to use the oc-mirror plugin to mirror images to a mirror registry: + +. Create an image set configuration file. +. Mirror the image set to the mirror registry by using one of the following methods: +** Mirror an image set directly to the mirror registry. +** Mirror an image set to disk, transfer the image set to the target environment, and then upload the image set to the target mirror registry. +. Install the `ImageContentSourcePolicy` and `CatalogSource` resources that were generated by oc-mirror into the cluster. +. Repeat these steps to update your mirror registry as necessary. + +// About the oc-mirror plugin +include::modules/oc-mirror-about.adoc[leveloffset=+2] + +// oc-mirror compatibility and support +include::modules/oc-mirror-support.adoc[leveloffset=+2] + +// About the mirror registry +include::modules/installation-about-mirror-registry.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* For information about viewing the CRI-O logs to view the image source, see xref:../../installing/validating-an-installation.adoc#viewing-the-image-pull-source_validating-an-installation[Viewing the image pull source]. + +// Installing the oc-mirror OpenShift CLI plugin +include::modules/oc-mirror-installing-plugin.adoc[leveloffset=+2] + +// Creating the image set configuration +include::modules/oc-mirror-creating-image-set-config.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#oc-mirror-imageset-config-params_mirroring-ocp-image-repository[Image set configuration parameters] +* xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#oc-mirror-image-set-examples_mirroring-ocp-image-repository[Image set configuration examples] +* xref:../../updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc#update-service-overview_updating-restricted-network-cluster-osus[About the OpenShift Update Service] + +[id="mirroring-image-set"] +=== Mirroring an image set to a mirror registry + +You can use the oc-mirror CLI plugin to mirror images to a mirror registry in a xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#mirroring-image-set-partial[partially disconnected environment] or in a xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#mirroring-image-set-full[fully disconnected environment]. + +The following procedures assume that you already have your mirror registry set up. + +[id="mirroring-image-set-partial"] +==== Mirroring an image set in a partially disconnected environment + +In a partially disconnected environment, you can mirror an image set directly to the target mirror registry. + +// Mirroring from mirror to mirror +include::modules/oc-mirror-mirror-to-mirror.adoc[leveloffset=+4] + +[id="mirroring-image-set-full"] +==== Mirroring an image set in a fully disconnected environment + +To mirror an image set in a fully disconnected environment, you must first xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#oc-mirror-mirror-to-disk_mirroring-ocp-image-repository[mirror the image set to disk], then xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#oc-mirror-disk-to-mirror_mirroring-ocp-image-repository[mirror the image set file on disk to a mirror]. + +// Mirroring from mirror to disk +include::modules/oc-mirror-mirror-to-disk.adoc[leveloffset=+4] + +// Mirroring from disk to mirror in a disconnected environment +include::modules/oc-mirror-disk-to-mirror.adoc[leveloffset=+4] + +// Installing the ImageContentSourcePolicy and CatalogSource resources into the cluster +include::modules/oc-mirror-updating-cluster-manifests.adoc[leveloffset=+2] + +[id="updating-mirror-registry-content"] +=== Keeping your mirror registry content updated + +After you populate your target mirror registry with the initial image set, you must update it regularly so that it has the latest content. If possible, you can set up a cron job to update the mirror registry on a regular basis. + +Update your image set configuration to add or remove {product-title} and Operator releases as necessary. Removed images are pruned from the mirror registry. + +// About updating your mirror registry content +include::modules/oc-mirror-updating-registry-about.adoc[leveloffset=+3] + +// Updating your mirror registry content +include::modules/oc-mirror-differential-updates.adoc[leveloffset=+3] + +[role="_additional-resources"] +.Additional resources + +* xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#oc-mirror-image-set-examples_mirroring-ocp-image-repository[Image set configuration examples] +* xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#mirroring-image-set-partial[Mirroring an image set in a partially disconnected environment] +* xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#mirroring-image-set-full[Mirroring an image set in a fully disconnected environment] +* xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#oc-mirror-updating-cluster-manifests_mirroring-ocp-image-repository[Installing the ImageContentSourcePolicy and CatalogSource resources into the cluster] + +// Performing a dry run +include::modules/oc-mirror-dry-run.adoc[leveloffset=+2] + +// Mirroring Operator images in OCI format +include::modules/oc-mirror-oci-format.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* xref:../../operators/admin/olm-managing-custom-catalogs.adoc#olm-managing-custom-catalogs-fb[File-based catalogs] + +// Image set configuration parameters +include::modules/oc-mirror-imageset-config-params.adoc[leveloffset=+2] + +// Image set configuration examples +include::modules/oc-mirror-image-set-config-examples.adoc[leveloffset=+2] + +// Command reference for oc-mirror +include::modules/oc-mirror-command-reference.adoc[leveloffset=+2] + +include::modules/update-mirror-repository.adoc[leveloffset=+1] \ No newline at end of file diff --git a/updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc b/updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc index 966b94977e6a..a2816cddf8f9 100644 --- a/updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc +++ b/updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc @@ -1,6 +1,6 @@ :_content-type: ASSEMBLY [id="updating-restricted-network-cluster-OSUS"] -= Updating disconnected environments using the OpenShift Update Service += Updating a cluster in a disconnected environment using the OpenShift Update Service include::_attributes/common-attributes.adoc[] :context: updating-restricted-network-cluster-osus @@ -23,10 +23,8 @@ The following sections describe how to provide updates for your disconnected clu [id="update-service-prereqs"] == Prerequisites -* Have access to the internet to obtain the necessary container images. -* Have write access to a container registry in the disconnected environment to push and pull images. The container registry must be compatible with Docker registry API v2. * You must have the `oc` command-line interface (CLI) tool installed. -* For more information on installing Operators, see xref:../../operators/user/olm-installing-operators-in-namespace.adoc#olm-installing-operators-in-namespace[Installing Operators in your namespace]. +* You must provision a local container image registry with the container images for your update, as described in xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#mirroring-ocp-image-repository[Mirroring the {product-title} image repository]. [id="registry-configuration-for-update-service"] == Configuring access to a secured registry for the OpenShift Update Service @@ -71,31 +69,12 @@ include::modules/update-service-install-web-console.adoc[leveloffset=+2] include::modules/update-service-install-cli.adoc[leveloffset=+2] -include::modules/update-service-graph-data.adoc[leveloffset=+1] - -[id="update-service-mirror-release-osus"] -== Mirroring the {product-title} image repository - -The OpenShift Update Service requires a locally accessible registry containing update release payloads. - -You must mirror container images onto a mirror registry before you can update a cluster in a disconnected environment. You can also use this procedure in connected environment to ensure your clusters only use container images that have satisfied your organizational controls on external content. - -There are two supported methods for mirroring images onto a mirror registry: - -* Using the oc-mirror OpenShift CLI (`oc`) plugin - -* Using the oc adm release mirror command - -Choose one of the following supported options. - -include::modules/update-mirror-repository-oc-mirror.adoc[leveloffset=+2] - [role="_additional-resources"] .Additional resources -* xref:../../installing/disconnected_install/installing-mirroring-disconnected.adoc#installing-mirroring-disconnected[Mirroring images for a disconnected installation using the oc-mirror plugin] +* xref:../../operators/user/olm-installing-operators-in-namespace.adoc#olm-installing-operators-in-namespace[Installing Operators in your namespace]. -include::modules/update-service-mirror-release.adoc[leveloffset=+2] +include::modules/update-service-graph-data.adoc[leveloffset=+1] [id="update-service-create-service"] == Creating an OpenShift Update Service application diff --git a/updating/updating-restricted-network-cluster/restricted-network-update.adoc b/updating/updating-restricted-network-cluster/restricted-network-update.adoc index d4ffcf0d785e..4869a80c1d8a 100644 --- a/updating/updating-restricted-network-cluster/restricted-network-update.adoc +++ b/updating/updating-restricted-network-cluster/restricted-network-update.adoc @@ -1,6 +1,6 @@ :_content-type: ASSEMBLY [id="updating-restricted-network-cluster"] -= Updating disconnected environments without the OpenShift Update Service += Updating a cluster in a disconnected environment without the OpenShift Update Service include::_attributes/common-attributes.adoc[] :context: updating-restricted-network-cluster @@ -8,52 +8,17 @@ toc::[] == Prerequisites -* Have access to the internet to obtain the necessary container images. -* Have write access to a container registry in the disconnected environment to push and pull images. The container registry must be compatible with Docker registry API v2. * You must have the `oc` command-line interface (CLI) tool installed. -* Have access to the cluster as a user with `admin` privileges. +* You must provision a local container image registry with the container images for your update, as described in xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#mirroring-ocp-image-repository[Mirroring the {product-title} image repository]. +* You must have access to the cluster as a user with `admin` privileges. See xref:../../authentication/using-rbac.adoc#using-rbac[Using RBAC to define and apply permissions]. -* Have a recent xref:../../backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc#backup-etcd[etcd backup] in case your update fails and you must xref:../../backup_and_restore/control_plane_backup_and_restore/disaster_recovery/scenario-2-restoring-cluster-state.adoc#dr-restoring-cluster-state[restore your cluster to a previous state]. -* Ensure that all machine config pools (MCPs) are running and not paused. Nodes associated with a paused MCP are skipped during the update process. You can pause the MCPs if you are performing a canary rollout update strategy. -* If your cluster uses manually maintained credentials, ensure that the Cloud Credential Operator (CCO) is in an upgradeable state. For more information, see _Upgrading clusters with manually maintained credentials_ for xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-aws[AWS], xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-azure[Azure], or xref:../../installing/installing_gcp/manually-creating-iam-gcp.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-gcp[GCP]. +* You must have a recent xref:../../backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc#backup-etcd[etcd backup] in case your update fails and you must xref:../../backup_and_restore/control_plane_backup_and_restore/disaster_recovery/scenario-2-restoring-cluster-state.adoc#dr-restoring-cluster-state[restore your cluster to a previous state]. +* You must ensure that all machine config pools (MCPs) are running and not paused. Nodes associated with a paused MCP are skipped during the update process. You can pause the MCPs if you are performing a canary rollout update strategy. +* If your cluster uses manually maintained credentials, you must ensure that the Cloud Credential Operator (CCO) is in an upgradeable state. For more information, see _Upgrading clusters with manually maintained credentials_ for xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-aws[AWS], xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-azure[Azure], or xref:../../installing/installing_gcp/manually-creating-iam-gcp.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-gcp[GCP]. //STS is not currently supported in a disconnected environment, but the following bullet can be uncommented when that changes. //* If your cluster uses manually maintained credentials with the AWS Security Token Service (STS), obtain a copy of the `ccoctl` utility from the release image being upgraded to and use it to process any updated credentials. For more information, see xref:../../authentication/managing_cloud_provider_credentials/cco-mode-sts.adoc#sts-mode-upgrading[_Upgrading an OpenShift Container Platform cluster configured for manual mode with STS_]. * If you run an Operator or you have configured any application with the pod disruption budget, you might experience an interruption during the upgrade process. If `minAvailable` is set to 1 in `PodDisruptionBudget`, the nodes are drained to apply pending machine configs which might block the eviction process. If several nodes are rebooted, all the pods might run on only one node, and the `PodDisruptionBudget` field can prevent the node drain. -[id="updating-restricted-network-mirror-host"] -== Preparing your mirror host - -Before you perform the mirror procedure, you must prepare the host to retrieve content -and push it to the remote location. - -include::modules/cli-installing-cli.adoc[leveloffset=+2] - -// this file doesn't exist, so I'm including the one that should pick up more changes from Clayton's PR - modules/installation-adding-mirror-registry-pull-secret.adoc[leveloffset=+1] - -include::modules/installation-adding-registry-pull-secret.adoc[leveloffset=+2] - -[id="update-mirror-repository"] -== Mirroring the {product-title} image repository - -You must mirror container images onto a mirror registry before you can update a cluster in a disconnected environment. You can also use this procedure in connected environment to ensure your clusters only use container images that have satisfied your organizational controls on external content. - -There are two supported methods for mirroring images onto a mirror registry: - -* Using the oc-mirror OpenShift CLI (`oc`) plugin - -* Using the oc adm release mirror command - -Choose one of the following supported options. - -include::modules/update-mirror-repository-oc-mirror.adoc[leveloffset=+2] - -[role="_additional-resources"] -.Additional resources - -* xref:../../installing/disconnected_install/installing-mirroring-disconnected.adoc#installing-mirroring-disconnected[Mirroring images for a disconnected installation using the oc-mirror plugin] - -include::modules/update-mirror-repository.adoc[leveloffset=+2] - include::modules/machine-health-checks-pausing.adoc[leveloffset=+1] include::modules/update-restricted.adoc[leveloffset=+1]