Many IBM customers run IBM Power workloads in secure environment, where the convenience of a direct internet connection for the workload is restricted or strictly prohibited.

For OpenShift Container Platform clusters in these Disconnected environments, the clusters are configured to retrieve release images from a registry or retrieve update paths and recommendations for the cluster from a secure location. To configure the cluster without a direct internet connection, you configure your cluster to access the secure location in the disconnected environment.

There are two levels of disconnected environments, Disconnected (Restricted Network) and Air-Gapped (Fully Isolated). Air Gapped further restricts access with no physical or logical connection to any outside network, where as restircited has limited access to the network, and passes connections through a jumpbox.

The OpenShift team has updated their support for Disconnected environments with a release of oc-mirror version 2. Customers are encouraged to change from the prior standard oc adm release mirror to the new oc-mirror --v2 to get the best disconnected experience (signatures,attestations,performance).

oc adm mirror: Manual, script-heavy, and struggles with Operator Lifecycle Manager (OLM). You often ended up mirroring thousands of images you didn’t need just to get one Operator working.
oc-mirror (v2): A declarative, plugin-based approach. You define an ImageSetConfiguration file (YAML), and the tool calculates exactly which versions and dependencies are needed.

This article shows how to mirror a ppc64le payload (release).

Download the latest oc-mirror binary from the OpenShift mirror site and ensure it’s in your $PATH. You can download from https://mirror.openshift.com/pub/openshift-v4/ppc64le/clients/ocp/4.21.2/oc-mirror.tar.gz

Note: As of OpenShift 4.18+, v1 is officially deprecated.

Define Your ImageSet and call it imageset-config.yaml. You can mirror the multi payload by switching from ppc64le to multi.

apiVersion: mirror.openshift.io/v2alpha1
kind: ImageSetConfiguration
mirror:
  platform:
    architectures:
      - "ppc64le"
    channels:
      - name: stable-4.21
        minVersion: 4.21.0
        maxVersion: 4.21.1

Run the Mirroring

a. For Disconnected (Mirror-to-Mirror):

oc mirror --config imageset-config.yaml docker://local-registry.internal:5000 --v2

b. For Air-Gapped (Mirror-to-Disk):

On the Internet-connected machine:

oc mirror --config imageset-config.yaml file://my-mirror-bundle --v2

Move the my-mirror-bundle folder to your isolated environment.
On the Air-gapped machine:

oc mirror --from file://my-mirror-bundle docker://local-registry.internal:5000 --v2

Summary

To support IBM Power workloads in high-security environments, oc-mirror v2 replaces manual, script-heavy mirroring with a declarative, YAML-based approach that automatically calculates required dependencies for Disconnected or Air-Gapped clusters. This transition to a plugin-based architecture (v2) ensures better performance, security, and reproducibility for maintaining ppc64le payloads without a direct internet connection.

We encourage you to switch to using oc-mirror --v2 as soon as possible.

Mirroring for OpenShift on IBM Power in Disconnected Environments

Summary

Comments

Leave a Reply Cancel reply

More posts

Bridging the Gap: Shared NFS Storage Between VMs and OpenShift

Introducing OpenShift Installer Provisioned Infrastructure (IPI) for IBM PowerVC (TechPreview)

Quick Fix: Resolving tmpfs Space Constraints on IBM Power (ppc64le)

Yet more Images on the IBM Container Registry for Caching on Power