diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index 1f8be20d126b..461076beb45e 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -430,15 +430,17 @@ Topics: - Name: Updating a cluster that includes RHEL compute machines File: updating-cluster-rhel-compute Distros: openshift-enterprise -- Name: Updating a disconnected environment +- Name: Updating a cluster in a disconnected environment Dir: updating-restricted-network-cluster Distros: openshift-enterprise Topics: - - Name: About disconnected environment updates + - Name: About cluster updates in a disconnected environment File: index - - Name: Updating disconnected environments using OSUS + - Name: Mirroring the OpenShift Container Platform image repository + File: mirroring-image-repository + - Name: Updating a cluster in a disconnected environment using OSUS File: restricted-network-update-osus - - Name: Updating disconnected environments without OSUS + - Name: Updating a cluster in a disconnected environment without OSUS File: restricted-network-update # - Name: Troubleshooting an update # File: updating-troubleshooting diff --git a/modules/cli-installing-cli.adoc b/modules/cli-installing-cli.adoc index d382b985e5e6..a53d67f1938d 100644 --- a/modules/cli-installing-cli.adoc +++ b/modules/cli-installing-cli.adoc @@ -37,11 +37,11 @@ // * openshift_images/samples-operator-alt-registry.adoc // * installing/installing_rhv/installing-rhv-customizations.adoc // * installing/installing_rhv/installing-rhv-default.adoc -// * updating/updating-restricted-network-cluster/restricted-network-update.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc // // AMQ docs link to this; do not change anchor -ifeval::["{context}" == "updating-restricted-network-cluster"] +ifeval::["{context}" == "mirroring-ocp-image-repository"] :restricted: endif::[] @@ -167,6 +167,6 @@ $ oc ---- -ifeval::["{context}" == "updating-restricted-network-cluster"] +ifeval::["{context}" == "mirroring-ocp-image-repository"] :!restricted: endif::[] diff --git a/modules/installation-adding-registry-pull-secret.adoc b/modules/installation-adding-registry-pull-secret.adoc index 94a5a8d03e7a..989afe973b1d 100644 --- a/modules/installation-adding-registry-pull-secret.adoc +++ b/modules/installation-adding-registry-pull-secret.adoc @@ -2,9 +2,9 @@ // // * installing/installing_restricted_networks/installing-restricted-networks-preparations.adoc // * openshift_images/samples-operator-alt-registry.adoc -// * updating/updating-restricted-network-cluster/restricted-network-update.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc -ifeval::["{context}" == "updating-restricted-network-cluster"] +ifeval::["{context}" == "mirroring-ocp-image-repository"] :restricted: endif::[] @@ -114,6 +114,7 @@ ifndef::openshift-origin[] "": { <1> "auth": "", <2> "email": "you@example.com" + } }, endif::[] ifdef::openshift-origin[] @@ -181,6 +182,6 @@ ifeval::["{context}" == "installing-mirroring-installation-images"] :!restricted: endif::[] -ifeval::["{context}" == "updating-restricted-network-cluster"] +ifeval::["{context}" == "mirroring-ocp-image-repository"] :!restricted: endif::[] diff --git a/modules/update-mirror-repository.adoc b/modules/update-mirror-repository.adoc index 385726120dad..326bd61e142b 100644 --- a/modules/update-mirror-repository.adoc +++ b/modules/update-mirror-repository.adoc @@ -1,12 +1,21 @@ // Module included in the following assemblies: // -// * updating/updating-restricted-network-cluster/restricted-network-update.adoc +// * updating/updating-restricted-network-cluster/mirroring-image-repository.adoc :_content-type: PROCEDURE [id="update-mirror-repository_{context}"] = Mirroring the {product-title} image repository -Before you update a cluster on infrastructure that you provision in a disconnected environment, you must mirror the required container images into that environment. You can also use this procedure in connected environments to ensure your clusters only use container images that have satisfied your organizational controls on external content. +.Prerequisites + +* You configured a mirror registry to use in your disconnected environment and can access the certificate and credentials that you configured. +ifndef::openshift-origin[] +* You downloaded the {cluster-manager-url-pull} and modified it to include authentication to your mirror repository. +endif::[] +ifdef::openshift-origin[] +* You have created a pull secret for your mirror repository. +endif::[] +* If you use self-signed certificates, you have specified a Subject Alternative Name in the certificates. .Procedure diff --git a/modules/update-service-mirror-release.adoc b/modules/update-service-mirror-release.adoc deleted file mode 100644 index b19bf19723a6..000000000000 --- a/modules/update-service-mirror-release.adoc +++ /dev/null @@ -1,177 +0,0 @@ -// Module included in the following assemblies: -// *updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc - -:_content-type: PROCEDURE -[id="update-service-mirror-release_{context}"] -= Mirroring the {product-title} image repository - -The OpenShift Update Service requires a locally accessible registry containing update release payloads. - -[IMPORTANT] -==== -To avoid excessive memory usage by the OpenShift Update Service application, it is recommended that you mirror release images to a separate repository, as described in the following procedure. -==== - -.Prerequisites - -* You reviewed and completed the steps from "Mirroring images for a disconnected installation" up to but not including the section entitled *Mirroring the {product-title} image repository*. -//TODO: Add xref to preceding step when allowed. -* You configured a mirror registry to use in your disconnected environment and can access the certificate and credentials that you configured. -ifndef::openshift-origin[] -* You downloaded the {cluster-manager-url-pull} and modified it to include authentication to your mirror repository. -endif::[] -ifdef::openshift-origin[] -* You have created a pull secret for your mirror repository. -endif::[] -* If you use self-signed certificates that do not set a Subject Alternative Name, you must precede the `oc` commands in this procedure with `GODEBUG=x509ignoreCN=0`. If you do not set this variable, the `oc` commands will fail with the following error: -+ -[source,terminal] ----- -x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0 ----- - -.Procedure - -Complete the following steps on the mirror host: - -. Review the -link:https://access.redhat.com/downloads/content/290/[{product-title} downloads page] -to determine the version of {product-title} to which you want to update and determine the corresponding tag on the link:https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags[Repository Tags] page. - -. Set the required environment variables: -.. Export the release version: -+ -[source,terminal] ----- -$ OCP_RELEASE= ----- -+ -For ``, specify the tag that corresponds to the version of {product-title} to -install, such as `4.6.4`. - -.. Export the local registry name and host port: -+ -[source,terminal] ----- -$ LOCAL_REGISTRY=':' ----- -+ -For ``, specify the registry domain name for your mirror -repository, and for ``, specify the port that it -serves content on. - -.. Export the local repository name: -+ -[source,terminal] ----- -$ LOCAL_REPOSITORY='' ----- -+ -For ``, specify the name of the repository to create in your -registry, such as `ocp4/openshift4`. - -.. Export an additional local repository name to contain the release images: -+ -[source,terminal] ----- -$ LOCAL_RELEASE_IMAGES_REPOSITORY='' ----- -+ -For ``, specify the name of the repository to -create in your registry, such as `ocp4/openshift4-release-images`. - -.. Export the name of the repository to mirror: -+ -[source,terminal] ----- -$ PRODUCT_REPO='openshift-release-dev' ----- -+ -For a production release, you must specify `openshift-release-dev`. - -.. Export the path to your registry pull secret: -+ -[source,terminal] ----- -$ LOCAL_SECRET_JSON='' ----- -+ -For ``, specify the absolute path to and file name of the pull secret for your mirror registry that you created. - -.. Export the release mirror: -+ -[source,terminal] ----- -$ RELEASE_NAME="ocp-release" ----- -+ -For a production release, you must specify `ocp-release`. - -.. Export the type of architecture for your server, such as `x86_64`: -+ -[source,terminal] ----- -$ ARCHITECTURE= ----- - -.. Export the path to the directory to host the mirrored images: -+ -[source,terminal] ----- -$ REMOVABLE_MEDIA_PATH= <1> ----- -<1> Specify the full path, including the initial forward slash (`/`) character. - -. Mirror the version images to the mirror registry: -** If your mirror host does not have internet access, take the following actions: -... Connect the removable media to a system that is connected to the internet. -... Review the images and configuration manifests to mirror: -+ -[source,terminal] ----- -$ oc adm release mirror -a ${LOCAL_SECRET_JSON} \ - --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \ - --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \ - --to-release-image=${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run ----- -... Mirror the images to a directory on the removable media: -+ -[source,terminal] ----- -$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} ----- -... Take the media to the disconnected environment and upload the images to the local container registry: -+ -[source,terminal] ----- -$ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} <1> ----- -+ -<1> For `REMOVABLE_MEDIA_PATH`, you must use the path where you mounted the removable media. -+ -... Use `oc` command-line interface (CLI) to log in to the cluster that you are upgrading. - -... Apply the mirrored release image signature config map to the disconnected cluster: -+ -[source,terminal] ----- -$ oc apply -f ${REMOVABLE_MEDIA_PATH}/mirror/config/ <1> ----- -<1> For ``, specify the path and name of the file, for example, `signature-sha256-81154f5c03294534.yaml`. -+ -... Mirror the release image to a separate repository: -+ -[source,terminal] ----- -$ oc image mirror -a ${LOCAL_SECRET_JSON} ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} ${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} ----- - -** If the local container registry is connected to the mirror host, push the release images directly to the local registry: -+ -[source,terminal] ----- -$ oc adm release mirror -a ${LOCAL_SECRET_JSON} \ - --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \ - --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \ - --to-release-image=${LOCAL_REGISTRY}/${LOCAL_RELEASE_IMAGES_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} ----- diff --git a/updating/index.adoc b/updating/index.adoc index ca68486654f8..536741f8a1fc 100644 --- a/updating/index.adoc +++ b/updating/index.adoc @@ -62,12 +62,12 @@ xref:../updating/updating-cluster-rhel-compute.adoc#updating-cluster-rhel-comput * xref:../updating/updating-cluster-rhel-compute.adoc#rhel-compute-updating-minor_updating-cluster-rhel-compute[Updating RHEL compute machines in your cluster] [id="updating-clusters-overview-update-restricted-network-cluster"] -== Updating a disconnected cluster -xref:../updating/updating-restricted-network-cluster/index.adoc#about-restricted-network-updates[Updating a disconnected cluster]: If your mirror host cannot access both the internet and the cluster, you can mirror the images to a file system that is disconnected from that environment. You can then bring that host or removable media across that gap. If the local container registry and the cluster are connected to the mirror host of a registry, you can directly push the release images to the local registry. +== Updating a cluster in a disconnected environment +xref:../updating/updating-restricted-network-cluster/index.adoc#about-restricted-network-updates[About cluster updates in a disconnected environment]: If your mirror host cannot access both the internet and the cluster, you can mirror the images to a file system that is disconnected from that environment. You can then bring that host or removable media across that gap. If the local container registry and the cluster are connected to the mirror host of a registry, you can directly push the release images to the local registry. -* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#updating-restricted-network-mirror-host[Preparing your mirror host] -* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#installation-adding-registry-pull-secret_updating-restricted-network-cluster[Configuring credentials that allow images to be mirrored] -* xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#updating-restricted-network-mirror-host[Mirroring the {product-title} image repository] +* xref:../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#updating-restricted-network-mirror-host[Preparing your mirror host] +* xref:../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#installation-adding-registry-pull-secret_mirroring-ocp-image-repository[Configuring credentials that allow images to be mirrored] +* xref:../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#update-mirror-repository_mirroring-ocp-image-repository[Mirroring the {product-title} image repository] * xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#update-restricted_updating-restricted-network-cluster[Updating the disconnected cluster] * xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#images-configuration-registry-mirror_updating-restricted-network-cluster[Configuring image registry repository mirroring] * xref:../updating/updating-restricted-network-cluster/restricted-network-update.adoc#generating-icsp-object-scoped-to-a-registry_updating-restricted-network-cluster[Widening the scope of the mirror image catalog to reduce the frequency of cluster node reboots] diff --git a/updating/updating-restricted-network-cluster/index.adoc b/updating/updating-restricted-network-cluster/index.adoc index e4dc80832135..33fa9a6d528c 100644 --- a/updating/updating-restricted-network-cluster/index.adoc +++ b/updating/updating-restricted-network-cluster/index.adoc @@ -1,6 +1,6 @@ :_content-type: ASSEMBLY [id="about-restricted-network-updates"] -= About disconnected environment updates += About cluster updates in a disconnected environment include::_attributes/common-attributes.adoc[] :context: about-restricted-network-updates @@ -13,11 +13,18 @@ If the local container registry and the cluster are connected to the mirror regi A single container image registry is sufficient to host mirrored images for several clusters in the disconnected network. -== Performing a disconnected environment update +[id="about-disconnected-updates-mirroring"] +== Mirroring the {product-title} image repository +To update a cluster in a disconnected environment, your cluster environment must have access to a mirror registry that has the necessary images and resources for your targeted update. The following page has instructions for mirroring images onto a repository in your disconnected cluster: + +* xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#mirroring-ocp-image-repository[Mirroring the {product-title} image repository] + +[id="about-disconnected-updates-update"] +== Performing a cluster update in a disconnected environment You can use one of the following procedures to update a disconnected {product-title} cluster: -* xref:../../updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc#updating-restricted-network-cluster-OSUS[Updating disconnected environments using the OpenShift Update Service] +* xref:../../updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc#updating-restricted-network-cluster-OSUS[Updating a cluster in a disconnected environment using the OpenShift Update Service] -* xref:../../updating/updating-restricted-network-cluster/restricted-network-update.adoc#updating-restricted-network-cluster[Updating disconnected environments without the OpenShift Update Service] +* xref:../../updating/updating-restricted-network-cluster/restricted-network-update.adoc#updating-restricted-network-cluster[Updating a cluster in a disconnected environment without the OpenShift Update Service] diff --git a/updating/updating-restricted-network-cluster/mirroring-image-repository.adoc b/updating/updating-restricted-network-cluster/mirroring-image-repository.adoc new file mode 100644 index 000000000000..2c39baf3435d --- /dev/null +++ b/updating/updating-restricted-network-cluster/mirroring-image-repository.adoc @@ -0,0 +1,27 @@ +:_content-type: ASSEMBLY +[id="mirroring-ocp-image-repository"] += Mirroring the {product-title} image repository +include::_attributes/common-attributes.adoc[] +:context: mirroring-ocp-image-repository + +toc::[] + +You must mirror container images onto a mirror registry before you can update a cluster in a disconnected environment. You can also use this procedure in connected environments to ensure your clusters run only approved container images that have satisfied your organizational controls for external content. + +[id="prerequisites_mirroring-ocp-image-repository"] +== Prerequisites + +* You must have a container image registry that supports link:https://docs.docker.com/registry/spec/manifest-v2-2[Docker v2-2] in the location that will host the {product-title} cluster, such as Red Hat Quay. + +[id="updating-restricted-network-mirror-host"] +== Preparing your mirror host + +Before you perform the mirror procedure, you must prepare the host to retrieve content and push it to the remote location. + +include::modules/cli-installing-cli.adoc[leveloffset=+2] + +// this file doesn't exist, so I'm including the one that should pick up more changes from Clayton's PR - modules/installation-adding-mirror-registry-pull-secret.adoc[leveloffset=+1] + +include::modules/installation-adding-registry-pull-secret.adoc[leveloffset=+2] + +include::modules/update-mirror-repository.adoc[leveloffset=+1] \ No newline at end of file diff --git a/updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc b/updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc index aaec85cb6070..6f00ef214bd5 100644 --- a/updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc +++ b/updating/updating-restricted-network-cluster/restricted-network-update-osus.adoc @@ -1,6 +1,6 @@ :_content-type: ASSEMBLY [id="updating-restricted-network-cluster-OSUS"] -= Updating disconnected environments using the OpenShift Update Service += Updating a cluster in a disconnected environment using the OpenShift Update Service include::_attributes/common-attributes.adoc[] :context: updating-restricted-network-cluster-osus @@ -23,10 +23,8 @@ The following sections describe how to provide updates for your disconnected clu [id="update-service-prereqs"] == Prerequisites -* Have access to the internet to obtain the necessary container images. -* Have write access to a container registry in the disconnected environment to push and pull images. The container registry must be compatible with Docker registry API v2. * You must have the `oc` command-line interface (CLI) tool installed. -* For more information on installing Operators, see xref:../../operators/user/olm-installing-operators-in-namespace.adoc#olm-installing-operators-in-namespace[Installing Operators in your namespace]. +* You must provision a local container image registry with the container images for your update, as described in xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#mirroring-ocp-image-repository[Mirroring the {product-title} image repository]. [id="registry-configuration-for-update-service"] == Configuring access to a secured registry for the OpenShift Update Service @@ -71,9 +69,12 @@ include::modules/update-service-install-web-console.adoc[leveloffset=+2] include::modules/update-service-install-cli.adoc[leveloffset=+2] -include::modules/update-service-graph-data.adoc[leveloffset=+1] +[role="_additional-resources"] +.Additional resources -include::modules/update-service-mirror-release.adoc[leveloffset=+1] +* xref:../../operators/user/olm-installing-operators-in-namespace.adoc#olm-installing-operators-in-namespace[Installing Operators in your namespace]. + +include::modules/update-service-graph-data.adoc[leveloffset=+1] [id="update-service-create-service"] == Creating an OpenShift Update Service application diff --git a/updating/updating-restricted-network-cluster/restricted-network-update.adoc b/updating/updating-restricted-network-cluster/restricted-network-update.adoc index 9674dd79e368..f468ac11cfb1 100644 --- a/updating/updating-restricted-network-cluster/restricted-network-update.adoc +++ b/updating/updating-restricted-network-cluster/restricted-network-update.adoc @@ -1,6 +1,6 @@ :_content-type: ASSEMBLY [id="updating-restricted-network-cluster"] -= Updating disconnected environments without the OpenShift Update Service += Updating a cluster in a disconnected environment without the OpenShift Update Service include::_attributes/common-attributes.adoc[] :context: updating-restricted-network-cluster @@ -8,30 +8,15 @@ toc::[] == Prerequisites -* Have access to the internet to obtain the necessary container images. -* Have write access to a container registry in the disconnected environment to push and pull images. The container registry must be compatible with Docker registry API v2. * You must have the `oc` command-line interface (CLI) tool installed. -* Have access to the cluster as a user with `admin` privileges. +* You must provision a local container image registry with the container images for your update, as described in xref:../../updating/updating-restricted-network-cluster/mirroring-image-repository.adoc#mirroring-ocp-image-repository[Mirroring the {product-title} image repository]. +* You must have access to the cluster as a user with `admin` privileges. See xref:../../authentication/using-rbac.adoc#using-rbac[Using RBAC to define and apply permissions]. -* Have a recent xref:../../backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc#backup-etcd[etcd backup] in case your update fails and you must xref:../../backup_and_restore/control_plane_backup_and_restore/disaster_recovery/scenario-2-restoring-cluster-state.adoc#dr-restoring-cluster-state[restore your cluster to a previous state]. -* Ensure that all machine config pools (MCPs) are running and not paused. Nodes associated with a paused MCP are skipped during the update process. You can pause the MCPs if you are performing a canary rollout update strategy. -* If your cluster uses manually maintained credentials, ensure that the Cloud Credential Operator (CCO) is in an upgradeable state. For more information, see _Upgrading clusters with manually maintained credentials_ for xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-aws[AWS], xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-azure[Azure], or xref:../../installing/installing_gcp/manually-creating-iam-gcp.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-gcp[GCP]. +* You must have a recent xref:../../backup_and_restore/control_plane_backup_and_restore/backing-up-etcd.adoc#backup-etcd[etcd backup] in case your update fails and you must xref:../../backup_and_restore/control_plane_backup_and_restore/disaster_recovery/scenario-2-restoring-cluster-state.adoc#dr-restoring-cluster-state[restore your cluster to a previous state]. +* You must ensure that all machine config pools (MCPs) are running and not paused. Nodes associated with a paused MCP are skipped during the update process. You can pause the MCPs if you are performing a canary rollout update strategy. +* If your cluster uses manually maintained credentials, you must ensure that the Cloud Credential Operator (CCO) is in an upgradeable state. For more information, see _Upgrading clusters with manually maintained credentials_ for xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-aws[AWS], xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-azure[Azure], or xref:../../installing/installing_gcp/manually-creating-iam-gcp.adoc#manually-maintained-credentials-upgrade_manually-creating-iam-gcp[GCP]. * If you run an Operator or you have configured any application with the pod disruption budget, you might experience an interruption during the upgrade process. If `minAvailable` is set to 1 in `PodDisruptionBudget`, the nodes are drained to apply pending machine configs which might block the eviction process. If several nodes are rebooted, all the pods might run on only one node, and the `PodDisruptionBudget` field can prevent the node drain. -[id="updating-restricted-network-mirror-host"] -== Preparing your mirror host - -Before you perform the mirror procedure, you must prepare the host to retrieve content -and push it to the remote location. - -include::modules/cli-installing-cli.adoc[leveloffset=+2] - -// this file doesn't exist, so I'm including the one that should pick up more changes from Clayton's PR - modules/installation-adding-mirror-registry-pull-secret.adoc[leveloffset=+1] - -include::modules/installation-adding-registry-pull-secret.adoc[leveloffset=+2] - -include::modules/update-mirror-repository.adoc[leveloffset=+1] - include::modules/update-restricted.adoc[leveloffset=+1] include::modules/images-configuration-registry-mirror.adoc[leveloffset=+1]