...
DPOD Cloud Agent images are currently only available for download from Passport Advantage (PPA) and need to be loaded to a container registry, so they can be pulled by the Kubernetes cluster. The container registry may be a private registry which is accessible to the cluster, or OCP’s internal container registry (if using OCP). In the future, the images will be available via IBM’s icr.io/cpopen and cp.icr.io/cp/dpod container registries.
Download the images from PPA and save them locally.
This is the list of the image file names (as available on PPA) and their corresponding image names and tags. See Cloud Agent Overview for a list of available versions.
Image File Name | Image Name and Tag |
---|---|
dpod-ca-operator-catalog-<DPOD-VERSION>.tgz | dpod-cloud-agent-operator-catalog:<OPERATOR-VERSION>-amd64 |
dpod-ca-operator-bundle-<DPOD-VERSION>.tgz | dpod-cloud-agent-operator-bundle:<OPERATOR-VERSION>-amd64 |
dpod-ca-operator-<DPOD-VERSION>.tgz | dpod-cloud-agent-operator:<OPERATOR-VERSION>-amd64 |
dpod-ca-api-proxy-<DPOD-VERSION>.tgz | dpod-cloud-agent-api-proxy:<DPOD-VERSION>-amd64 |
dpod-ca-http-ingester-<DPOD-VERSION>.tgz | dpod-cloud-agent-http-ingester:<DPOD-VERSION>-amd64 |
dpod-ca-manager-<DPOD-VERSION>.tgz | dpod-cloud-agent-manager:<DPOD-VERSION>-amd64 |
dpod-ca-messaging-broker-<DPOD-VERSION>.tgz | dpod-cloud-agent-messaging-broker:<DPOD-VERSION>-amd64 |
dpod-ca-syslog-ingester-<DPOD-VERSION>.tgz | dpod-cloud-agent-syslog-ingester:<DPOD-VERSION>-amd64 |
In order to preserve the image digests in the container registry, we recommend copying the downloaded images into the container registry using a recent version of the skopeo utility (available as a package for most distributions: Installing Skopeo).
...
Code Block |
---|
skopeo copy --all --preserve-digests --dest-creds=<destination container registry credentials if needed> docker-archive:<image file full path> \
  docker://<destination container registry path>/<image name>:<image tag> |
Example 1: Loading Downloaded Images to a Private Container Registry
Consider the following example for loading the images to a private container registry.
Note: It is assumed that the authentication is by a user ID and a password. If the authentication is by a token, replace --dest-creds
with --dest-registry-token
along with the authentication token in the commands below.
Set variables with the source, destination, versions, etc. according to your environment:
Code Block |
---|
CONTAINER_REGISTRY_PATH="my-container-registry.example.com/dpod-cloud-agent"
DPOD_CLOUD_AGENT_VERSION="1.0.19.0"
DPOD_CLOUD_AGENT_OPERATOR_VERSION="0.1.0"
DPOD_CLOUD_AGENT_IMAGE_TAG="${DPOD_CLOUD_AGENT_VERSION}-amd64"
DPOD_CLOUD_AGENT_OPERATOR_IMAGE_TAG="${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64"
IMAGES_DIR="/tmp"
USER_ID="user"
USER_PASSWORD="password" |
Load the images to the container registry:
Code Block |
---|
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-operator-catalog-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-operator-catalog:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-operator-bundle-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-operator-bundle:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-operator-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-operator:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-api-proxy-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-api-proxy:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-http-ingester-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-http-ingester:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-manager-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-manager:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-messaging-broker-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-messaging-broker:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:${USER_PASSWORD} docker-archive:${IMAGES_DIR}/dpod-ca-syslog-ingester-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-syslog-ingester:${DPOD_CLOUD_AGENT_VERSION}-amd64 |
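The eight copies in Example 1 differ only in the image name and in which version supplies the tag, so they can be driven from one list. The following is an added example, not part of the original page or IBM's tooling: the function names and the `AUTHFILE` variable are assumptions, and it passes an auth file written beforehand by `skopeo login` through `--dest-authfile` instead of `--dest-creds`, so the password does not appear on the command line.

```shell
# Added example: plan, pre-check and run the eight copies from Example 1.
CONTAINER_REGISTRY_PATH="${CONTAINER_REGISTRY_PATH:-my-container-registry.example.com/dpod-cloud-agent}"
DPOD_CLOUD_AGENT_VERSION="${DPOD_CLOUD_AGENT_VERSION:-1.0.19.0}"
DPOD_CLOUD_AGENT_OPERATOR_VERSION="${DPOD_CLOUD_AGENT_OPERATOR_VERSION:-0.1.0}"
IMAGES_DIR="${IMAGES_DIR:-/tmp}"

# Print one "<destination reference> <archive path>" pair per image.
# Operator images take the operator version as tag, operands the DPOD version.
copy_plan() {
  local short tag
  for short in operator-catalog operator-bundle operator \
               api-proxy http-ingester manager messaging-broker syslog-ingester; do
    case "$short" in
      operator*) tag="${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64" ;;
      *)         tag="${DPOD_CLOUD_AGENT_VERSION}-amd64" ;;
    esac
    # Destination first: it never contains spaces, the archive path might.
    printf '%s %s\n' \
      "docker://${CONTAINER_REGISTRY_PATH}/dpod-cloud-agent-${short}:${tag}" \
      "${IMAGES_DIR}/dpod-ca-${short}-${DPOD_CLOUD_AGENT_VERSION}.tgz"
  done
}

# Print every planned archive that is not present on disk.
missing_archives() {
  local dest archive
  copy_plan | while read -r dest archive; do
    [ -f "$archive" ] || printf '%s\n' "$archive"
  done
}

# Copy all images, refusing to start if any archive is missing, so the
# registry never ends up with only part of a release.
# AUTHFILE (assumed name) is the file written by `skopeo login --authfile`.
load_images() {
  local dest archive missing
  missing="$(missing_archives)"
  if [ -n "$missing" ]; then
    printf 'missing archives:\n%s\n' "$missing" >&2
    return 1
  fi
  copy_plan | while read -r dest archive; do
    skopeo copy --all --preserve-digests \
      --dest-authfile "${AUTHFILE:?set AUTHFILE first}" \
      "docker-archive:${archive}" "$dest" || exit 1
  done
}
```

Run `skopeo login --authfile "$AUTHFILE" <registry host>` once, then call `load_images`; `copy_plan` on its own prints what would be copied without contacting the registry.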
Example 2: Loading Downloaded Images to the OCP Internal Container Registry
Consider the following example for loading the images to OpenShift’s (OCP) internal container registry.
In this example the operator catalog and bundle images are loaded into the openshift-marketplace
namespace, the operator image is loaded into the openshift-operators
namespace (assuming this is a cluster scope deployment), and the operand images are loaded into the dpod-cloud-agent
application namespace.
Set variables with the source, destination, versions, etc.:
...
Note: It is assumed that the authentication is by a user ID and a password. If the authentication is by a token, replace --dest-creds
with --dest-registry-token
along with the authentication token in the commands below.
Make sure OCP’s internal container registry can be accessed from outside the cluster via a Route. If not, consider adding the following Route:
Note: Change the host value according to your environment.
Code Block |
---|
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: default-route
  namespace: openshift-image-registry
spec:
  host: default-route-openshift-image-registry.apps.ocp4.mycluster.com
  to:
    kind: Service
    name: image-registry
    weight: 100
  tls:
    termination: reencrypt
  wildcardPolicy: None |
Set variables with the source, destination, versions, etc. according to your environment:
Code Block |
---|
CONTAINER_REGISTRY="default-route-openshift-image-registry.apps.ocp4.mycluster.com"
DPOD_CLOUD_AGENT_NAMESPACE="dpod-cloud-agent"
DPOD_CLOUD_AGENT_VERSION="1.0.19.0"
DPOD_CLOUD_AGENT_OPERATOR_VERSION="0.1.0"
IMAGES_DIR="/tmp"
USER_ID="user" |
Load the images to the various namespaces (both for cluster scope and namespace scope):
Code Block |
---|
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-catalog-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY}/openshift-marketplace/dpod-cloud-agent-operator-catalog:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-catalog-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-operator-catalog:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-bundle-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY}/openshift-marketplace/dpod-cloud-agent-operator-bundle:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-bundle-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-operator-bundle:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY}/openshift-operators/dpod-cloud-agent-operator:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-operator-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-operator:${DPOD_CLOUD_AGENT_OPERATOR_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-api-proxy-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-api-proxy:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-http-ingester-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-http-ingester:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-manager-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-manager:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-messaging-broker-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-messaging-broker:${DPOD_CLOUD_AGENT_VERSION}-amd64
skopeo copy --all --preserve-digests --dest-creds=${USER_ID}:$(oc whoami -t) docker-archive:${IMAGES_DIR}/dpod-ca-syslog-ingester-${DPOD_CLOUD_AGENT_VERSION}.tgz \
  docker://${CONTAINER_REGISTRY}/${DPOD_CLOUD_AGENT_NAMESPACE}/dpod-cloud-agent-syslog-ingester:${DPOD_CLOUD_AGENT_VERSION}-amd64 |
Mirroring Images
The DPOD Cloud Agent will deploy containers with images that reference IBM’s icr.io/cpopen and cp.icr.io/cp/dpod container registries. Since the images are currently not available in these registries, mirroring needs to be configured so the Kubernetes cluster can fetch the images.
Without proper mirroring, the pods will fail with an ImagePullBackOff error when trying to pull the images.
Example 1: Configuring Mirroring with OCP’s ImageContentSourcePolicy to a Private Container Registry
Consider the following example which configures mirroring of icr.io/cpopen
and cp.icr.io/cp/dpod
to a private container registry.
Note: Change the mirrors
entries according to the container registry path that the images were loaded into (the value of CONTAINER_REGISTRY_PATH
used above).
Code Block |
---|
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: dpod-cloud-agent-registry-mirror
spec:
  repositoryDigestMirrors:
  - mirrors:
    - my-container-registry.example.com/dpod-cloud-agent
    source: cp.icr.io/cp/dpod
  - mirrors:
    - my-container-registry.example.com/dpod-cloud-agent
    source: icr.io/cpopen |
Example 2: Configuring Mirroring with OCP’s ImageContentSourcePolicy to the OCP Internal Container Registry
Consider the following example which configures mirroring of icr.io/cpopen
and cp.icr.io/cp/dpod
to OCP’s internal container registry.
Note: Change the mirrors
entries according to your environment (replace the namespace dpod-cloud-agent
with the namespace DPOD_CLOUD_AGENT_NAMESPACE
used above).
Code Block |
---|
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
  name: dpod-cloud-agent-registry-mirror
spec:
  repositoryDigestMirrors:
  - mirrors:
    - image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent
    source: cp.icr.io/cp/dpod
  - mirrors:
    - image-registry.openshift-image-registry.svc:5000/openshift-marketplace
    - image-registry.openshift-image-registry.svc:5000/openshift-operators
    - image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent
    source: icr.io/cpopen |
Example 3: Configuring Mirroring by Manually Editing the Nodes Configuration File
In OCP, mirroring is achieved by configuring the ImageContentSourcePolicy resource.
Consider the following example which mirrors cp.icr.io/cp/dpod by the internal OCP registry namespace dpod-cloud-agent and by a private external registry my-container-registry.example.com/dpod-cloud-agent. Please adjust the mirrors entries according to the container registry that the images were loaded into.
...
Some OCP environments are not running the Machine Config Operator, which allows modifying the nodes' configuration files using K8S resources.
For such environments, manually add the following mirroring entries to /etc/containers/registries.conf on each one of the worker nodes.
Note: Change the registry.mirror
entries according to your environment (see notes of the examples above).
Code Block |
---|
[[registry]]
  prefix = ""
  location = "cp.icr.io/cp/dpod"
  mirror-by-digest-only = true

  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent"

[[registry]]
  prefix = ""
  location = "icr.io/cpopen"
  mirror-by-digest-only = true

  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/openshift-marketplace"

  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/openshift-operators"

  [[registry.mirror]]
    location = "image-registry.openshift-image-registry.svc:5000/dpod-cloud-agent" |
Reboot the worker nodes by issuing systemctl reboot
on each one of them.
Authenticating to a Container Registry
In order to pull images from the container registry, it is often required to authenticate with credentials.
Create the necessary pull secret and add it to the default service account in the appropriate namespaces, or alternatively update the global pull secret with the credentials.