jmhbnz/workshops
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
b67cf47b4611f5355e8766ac917876181977d194
workshops/data/workshop/exercise2.mdx
James Blair b67cf47b46 Progress on exercise 4.
2024-08-31 20:39:58 +12:00

220 lines
9.4 KiB
Plaintext
Raw Blame History

---
title: Mirror required content
exercise: 2
date: '2024-08-23'
tags: ['openshift','containers','kubernetes','disconnected']
draft: false
authors: ['default']
summary: "You want features? Mirror them in!🪞"
---
The disconnected OpenShift cluster you have been allocated is the result of a standard installation using the IPI install method, and does not have any post installation features added.
During this workshop we want to secure the cluster with Red Hat Advanced Cluster Security, understand our compliance posture against [NIST 800-53](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) with the OpenShift Compliance Operator and then make it easy for our Developers to do the right thing with Red Hat Developer Hub.
To install and configure these features we first need to mirror some additional content into our disconnected environment, let's get started.
## 2.1 - Open a terminal on your low side
Our first step to prepare to mirror content is to get connected to our low side jump host via `ssh`. You can use the web terminal link in your browser or alternatively your own local terminal with the command below (replacing the placeholder ip with the one you have been allocated).
```bash
ssh lab-user@<ip address>
```
You'll be prompted to enter a password which you can find in your allocated environment details.
After connecting change directory to the low side workspace where the intial cluster installation was already completed for you and review the folder contents:
```bash
cd /mnt/low-side-data
ls -lah
```
Your workspace will look similar to the one below:
```bash
[lab-user@jump low-side-data]$ ls -lah
total 25G
drwxr-xr-x. 4 lab-user lab-user 4.0K Aug 22 00:22 .
drwxr-xr-x. 3 root root 27 Aug 19 04:10 ..
-rw-r--r--. 1 lab-user lab-user 473 Aug 22 00:10 imageset-config.yaml
-rw-r--r--. 1 lab-user lab-user 696M Aug 21 23:57 mirror-registry.tar.gz
-rw-r--r--. 1 lab-user lab-user 24G Aug 22 00:22 mirror_seq1_000000.tar
-rwxr-xr-x. 1 lab-user lab-user 146M Mar 26 22:17 oc
-rwxr-x--x. 1 lab-user lab-user 144M Mar 22 18:34 oc-mirror
-rw-------. 1 lab-user lab-user 183K Aug 22 00:16 .oc-mirror.log
drwxr-xr-x. 3 lab-user lab-user 17 Aug 22 00:13 oc-mirror-workspace
-rwxr-xr-x. 1 lab-user lab-user 630M Mar 22 19:32 openshift-install
drwxr-x---. 2 lab-user lab-user 28 Aug 22 00:22 publish
```
## 2.2 - Get familiar with oc-mirror
To mirror content into our disconnected environment we will be using the [`oc-mirror`](https://github.com/openshift/oc-mirror) openshift client utility.
To configure what content `oc-mirror` will download and mirror for us we use a YAML formatted file called an `ImageSetConfiguration`. This file declares:
1. **What to download** which can include (OpenShift itself, operator bundles, helm charts, or specific container images)
2. **What versions of each item to download**
3. **Where to store the downloaded content**
The `oc-mirror` utility also has some features for listing available content for mirroring, let's try that now! Run the following commands in your ssh terminal:
```bash
# List available openshift release versions
oc-mirror list releases
# List operator catalogs for a specific openshift release
oc-mirror list operators --catalogs --version=4.14
# List all operators in a specific catalogs
oc-mirror list operators --catalog registry.redhat.io/redhat/redhat-operator-index:v4.14
```
We can also use the `oc-mirror` utility to understand the state of any existing mirror content bundles. We have a content bundle called `mirror_seq1_000000.tar` available from the initial installation of your OpenShift cluster, let's inspect that now.
```bash
oc-mirror describe mirror_seq1_000000.tar | more
```
This bundle archive was created by the `oc-mirror` utility using the configuration file called `imageset-config.yaml` which is also in the same directory. Let's review that file:
```bash
cat imageset-config.yaml
```
Your file should look something like the example below, we can see the two versions of OpenShift `4.14.19` and `4.14.20` that are specified to be downloaded, along with the `registry.redhat.io/rhel8/support-tools` additional standalone container image.
```yaml
kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
storageConfig:
local:
path: ./
mirror:
platform:
channels:
- name: stable-4.14
type: ocp
minVersion: 4.14.19
maxVersion: 4.14.20
additionalImages:
- name: registry.redhat.io/rhel8/support-tools
```
## 2.3 - Confirm local cache is up to date
A local cache of content already exists from when the cluster installation was initially performed in advance of this workshop. Let's confirm everything is still up to date by re-running the `oc-mirror` command specifying our configuration file and the location on our disk.
```bash
oc-mirror --config imageset-config.yaml file:///mnt/low-side-data --verbose 3
```
> Note: This command may take several minutes to complete but should complete with `No new images detected, process stopping` to confirm the existing cache is up to date.
## 2.4 - Add new mirror content
For our workshop exercises today we need to mirror some additional operators, namely the **OpenShift Compliance Operator**, **Red Hat Advanced Cluster Security**, and **Red Hat Developer Hub**. Run the command below to update your `imageset-config.yaml` file to match the example below
```bash
cat << EOF > /mnt/low-side-data/imageset-config.yaml
kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
storageConfig:
local:
path: ./
mirror:
platform:
channels:
- name: stable-4.14
type: ocp
minVersion: 4.14.19
maxVersion: 4.14.20
operators:
- catalog: registry.redhat.io/redhat/redhat-operator-index:v4.14
packages:
- name: rhdh
channels:
- name: fast
minVersion: '1.1.1'
maxVersion: '1.1.1'
- name: compliance-operator
channels:
- name: stable
- name: rhacs-operator
channels:
- name: stable
additionalImages:
- name: registry.redhat.io/rhel8/support-tools
helm: {}
EOF
```
After updating the configuration file we can re-run our `oc-mirror` command to bring the new content into our local collection on disk in `/mnt/low-side-data`.
```bash
oc-mirror --config imageset-config.yaml file:///mnt/low-side-data --verbose 3
```
> Note: This command may take up to 10 minutes to complete depending on connection speeds.
## 2.5 - Mirror updated content to high side registry
Once the local mirror update has completed we now need to transfer this content to our high side and mirror it from disk into the OpenShift Mirror Registry running in our disconnected high side.
In this workshop we will use `rsync` to copy our content to our high side system, let's do that now:
```bash
rsync -avP /mnt/low-side-data/ highside:/mnt/high-side-data/
```
> Note: `oc-mirror` creates incremental mirror content files in order to prevent duplicating content. You will notice your low side mirror workspace includes a new file `mirror_seq2_000000.tar` which is significantly smaller than the original mirror archive.
Once the transfer has completed we need to log into our high side disconnected system and run `oc-mirror` from that side to upload the content from the new archive into our disconnected container registry
```bash
ssh highside
```
```bash
cd /mnt/high-side-data
podman login -u init -p discopass $(hostname):8443
oc-mirror --from=/mnt/high-side-data/mirror_seq2_000000.tar docker://$(hostname):8443
```
## 2.6 - Verify new operators are available
After a couple of minutes the mirror process will complete. We then need to tell OpenShift about the new content that is available by running the commands below.
```bash
for file in $(find ./oc-mirror-workspace -type f -name '*.yaml'); do oc apply -f $file; done
```
> Note: In our `oc-mirror-workspace` directory each time we mirror new content a new `results-<id>` directory will be created which may contain `imageContentSourcePolicy.yaml` or `catalogSource-cs-<index>.yaml` files which we need to apply to our cluster to tell it about the new content that is available.
Once the updates are applied we can then check that our new operators are available in the OpenShift Web Console using our browser based vnc session:
1. Open your vnc browser tab
2. Use the left menu panel, click **Settings** and then select **Remote Resizing** as the scaling mode to improve viewing experience.
3. Click **Connect** and when prompted enter the password in your environment spreadsheet row, then click **Send credentials**.
4. A Firefox browser window should already be open, you can manually start if using the top left applications menu if needed.
5. Click the bookmark toolbar option for **DISCO - OpenShift**.
6. Log in when prompted with the username **kubeadmin** and the kubeadmin password listed in your environment spreadsheet (you can also find this password in your highside bastion ssh session by running `cat /mnt/high-side-data/auth/kubeadmin-password`).
7. Navigate to **Operators** on the left menu, and then click **OperatorHub**, you should see the newly mirrored operators are now available in your disconnected cluster!
<Zoom>
|![workshop](/static/images/compliance/check-operators.gif) |
|:-----------------------------------------------------------------------------:|
| *Check disconnected operator hub* |
</Zoom>
If your mirroring has completed successfully you are ready to move on to exercise 3 and install the three new operators 🎉
Reference in New Issue View Git Blame Copy Permalink