How to mirror images between Red Hat OpenShift registries?

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • v4.x

Issue

  • Unable to mirror images between OCP cluster registries.
  • The oc image mirror command fails with an authentication error.

Resolution

  • To pull the image from the registry image stream, authentication as the default service account of the respective namespace is required.

  • To push the image to the registry image stream, authentication as the builder service account of the respective namespace is required.

  • Retrieve the service account tokens from the respective cluster and namespace:

$ oc sa get-token builder

$ oc sa get-token default

  • Create a base64 string from the service account name (as the username) and its token (as the password):

$ echo -n '<user_name>:<password>' | base64 -w0

  • On the host machine where the oc client and docker are installed, append the following content to .docker/config.json:

[user ~]$ cat .docker/config.json
{
  "auths" : {
    "https://openshift-container-registry-url-from-cluster1" : {
      "auth" : "<base64 content for default Service Account from Cluster1 namespace>"
    },
    "https://openshift-container-registry-url-from-cluster2" : {
      "auth" : "<base64 content for builder Service Account from Cluster2 namespace>"
    }
  }
}
  • Restart the container engine.

  • Run the oc image mirror command:

$ oc image mirror openshift-container-registry-url-from-cluster1/<namespace-name>/<imagename>:latest openshift-container-registry-url-from-cluster2/<namespace-name>/<imagename>:latest

  • The oc image mirror command copies the image from the cluster 1 image stream to the cluster 2 image stream.
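
An added example (not part of the Red Hat solution) that builds the two auths entries described above, writes them to a config.json readable only by its owner, and reports entries that do not decode to <service account>:<token>. The function names, file name, registry URLs and tokens are constructed placeholders.

```python
import base64
import json
import os

def auth_entry(sa_name, token):
    """Same value as: echo -n '<user_name>:<password>' | base64 -w0"""
    return base64.b64encode(f"{sa_name}:{token}".encode()).decode()

def merge_auths(path, entries):
    """Add or replace registry entries in config.json, keeping unrelated ones."""
    config = {}
    if os.path.exists(path):
        with open(path) as fh:
            config = json.load(fh)
    for registry, (sa_name, token) in entries.items():
        config.setdefault("auths", {})[registry] = {"auth": auth_entry(sa_name, token)}
    # base64 is an encoding, not encryption: keep the file owner-readable only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    os.chmod(path, 0o600)  # also tightens a pre-existing file

def check_auths(path, expected):
    """Return problems per registry; expected maps registry -> service account name."""
    with open(path) as fh:
        auths = json.load(fh).get("auths", {})
    problems = []  # messages never contain the token itself
    for registry, sa_name in expected.items():
        if registry not in auths:
            problems.append(f"{registry}: no auths entry")
            continue
        try:
            raw = base64.b64decode(auths[registry].get("auth", ""), validate=True)
            user, _, token = raw.decode().partition(":")
        except ValueError:  # wrapped/invalid base64 or non-UTF-8 bytes
            problems.append(f"{registry}: auth is not a single-line base64 string")
            continue
        if user != sa_name:
            problems.append(f"{registry}: user is {user!r}, expected {sa_name!r}")
        if not token or token != token.strip():  # e.g. echo without -n
            problems.append(f"{registry}: token empty or has stray whitespace")
    return problems

if __name__ == "__main__":
    # Constructed placeholders, not real registries or credentials.
    regs = {"https://registry.cluster1.example": ("default", "TOKEN1"),
            "https://registry.cluster2.example": ("builder", "TOKEN2")}
    merge_auths("config.json.demo", regs)
    print(check_auths("config.json.demo", {r: u for r, (u, _) in regs.items()}))
```
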

Diagnostic Steps

  • The authentication messages can be observed by running the oc image mirror command with a higher log level:

    • oc image mirror --loglevel=8
I1116 22:45:26.706120   12981 round_trippers.go:449] Response Headers:
I1116 22:45:26.706124   12981 round_trippers.go:452]     X-Registry-Supports-Signatures: 1
I1116 22:45:26.706127   12981 round_trippers.go:452]     Date: Tue, 17 Nov 2020 03:45:26 GMT
I1116 22:45:26.706130   12981 round_trippers.go:452]     Content-Length: 177
I1116 22:45:26.706132   12981 round_trippers.go:452]     Set-Cookie: 34727b825x78145223; path=/; HttpOnly; Secure
I1116 22:45:26.706142   12981 round_trippers.go:452]     Content-Type: application/json; charset=utf-8
I1116 22:45:26.706149   12981 round_trippers.go:452]     Docker-Distribution-Api-Version: registry/2.0
I1116 22:45:26.706155   12981 round_trippers.go:452]     Www-Authenticate: Basic realm=openshift,error="access denied"

error: unable to retrieve source image cluster1.registry.com/image by tag latest: unauthorized: authentication required
I1116 22:45:26.706361   12981 workqueue.go:54] worker 5 stopping
I1116 22:45:26.706371   12981 workqueue.go:54] worker 1 stopping
I1116 22:45:26.706377   12981 workqueue.go:54] worker 2 stopping
F1116 22:45:26.706382   12981 helpers.go:114] error: an error occurred during planning