1. Manuals
  2. Tumbleweed
  3. oc
  4. oc-adm-release-mirror(1)

Scroll to navigation

OC ADM RELEASE(1) June 2016 OC ADM RELEASE(1)

NAME

oc adm release mirror - Mirror a release to a different image registry location

SYNOPSIS

oc adm release mirror [OPTIONS]

DESCRIPTION

Mirror an OpenShift release image to another registry and produce a configuration manifest containing the release image signature.

Copies the images and update payload for a given release from one registry to another. By default this command will not alter the payload and will print out the configuration that must be applied to a cluster to use the mirror, but you may opt to rewrite the update to point to the new location and lose the cryptographic integrity of the update.

Creates a release image signature config map that can be saved to a directory, applied directly to a connected cluster, or both.

The common use for this command is to mirror a specific OpenShift release version to a private registry and create a signature config map for use in a disconnected or offline context. The command copies all images that are part of a release into the target repository and then prints the correct information to give to OpenShift to use that content offline. An alternate mode is to specify --to-image-stream, which imports the images directly into an OpenShift image stream.

You may use --to-dir to specify a directory to download release content into, and add the file:// prefix to the --to flag. The command will print the 'oc image mirror' command that can be used to upload the release to another registry.

You may use --apply-release-image-signature, --release-image-signature-to-dir, or both to control the handling of the signature config map. Option --apply-release-image-signature will apply the config map directly to a connected cluster while --release-image-signature-to-dir specifies an export target directory. If --release-image-signature-to-dir is not specified but --to-dir is, --release-image-signature-to-dir defaults to a 'config' subdirectory of --to-dir. The --overwrite option only applies when --apply-release-image-signature is specified and indicates to update an exisiting config map if one is found. A config map written to a directory will always replace onethat already exists.

OPTIONS

--apply-release-image-signature=false
Apply release image signature to connected cluster.

--dry-run=false
Display information about the mirror without actually executing it.

--from=""
Image containing the release payload.

--from-dir=""
A directory to import images from.

--insecure=false
Allow push and pull operations to registries to be made over HTTP

--keep-manifest-list=false
If an image is part of a manifest list, always mirror the list even if only one image is found.

--max-per-registry=6
Number of concurrent requests allowed per registry.

--overwrite=false
Used with --apply-release-image-signature to update an existing signature configmap.

--print-mirror-instructions=""
Print instructions of ImageContentSourcePolicy or ImageDigestMirrorSet for using images from mirror registries. The valid values are 'icsp', 'idms' and 'none'. Default value is icsp.

-a, --registry-config=""
Path to your registry credentials. Alternatively REGISTRY_AUTH_FILE env variable can be also specified. Defaults to ${XDG_RUNTIME_DIR}/containers/auth.json, /run/containers/${UID}/auth.json, ${XDG_CONFIG_HOME}/containers/auth.json, ${DOCKER_CONFIG},  /.docker/config.json,  /.dockercfg. The order can be changed via the REGISTRY_AUTH_PREFERENCE env variable (deprecated) to a "docker" value to prioritizes Docker credentials over Podman's.

--release-image-signature-to-dir=""
A directory to export release image signature to.

--skip-release-image=false
Do not push the release image.

--skip-verification=false
Skip verifying the integrity of the retrieved content. This is not recommended, but may be necessary when importing images from older image registries. Only bypass verification if the registry is known to be trustworthy.

--to=""
An image repository to push to.

--to-dir=""
A directory to export images to.

--to-image-stream=""
An image stream to tag images into.

--to-mirror=false
Output the mirror mappings instead of mirroring.

--to-release-image=""
Specify an alternate locations for the release image instead as tag 'release' in --to.

OPTIONS INHERITED FROM PARENT COMMANDS

--as=""
Username to impersonate for the operation. User could be a regular user or a service account in a namespace.

--as-group=[]
Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

--as-uid=""
UID to impersonate for the operation.

--cache-dir="/home/abuild/.kube/cache"
Default cache directory

--certificate-authority=""
Path to a cert file for the certificate authority

--client-certificate=""
Path to a client certificate file for TLS

--client-key=""
Path to a client key file for TLS

--cluster=""
The name of the kubeconfig cluster to use

--context=""
The name of the kubeconfig context to use

--disable-compression=false
If true, opt-out of response compression for all requests to the server

--insecure-skip-tls-verify=false
If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure

--kubeconfig=""
Path to the kubeconfig file to use for CLI requests.

--match-server-version=false
Require server version to match client version

-n, --namespace=""
If present, the namespace scope for this CLI request

--profile="none"
Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex)

--profile-output="profile.pprof"
Name of the file to write the profile to

--request-timeout="0"
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.

-s, --server=""
The address and port of the Kubernetes API server

--tls-server-name=""
Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

--token=""
Bearer token for authentication to the API server

--user=""
The name of the kubeconfig user to use

--warnings-as-errors=false
Treat warnings received from the server as errors and exit with a non-zero exit code

EXAMPLE



  # Perform a dry run showing what would be mirrored, including the mirror objects


  oc adm release mirror 4.11.0 --to myregistry.local/openshift/release \


  --release-image-signature-to-dir /tmp/releases --dry-run


  


  # Mirror a release into the current directory


  oc adm release mirror 4.11.0 --to file://openshift/release \


  --release-image-signature-to-dir /tmp/releases


  


  # Mirror a release to another directory in the default location


  oc adm release mirror 4.11.0 --to-dir /tmp/releases


  


  # Upload a release from the current directory to another server


  oc adm release mirror --from file://openshift/release --to myregistry.com/openshift/release \


  --release-image-signature-to-dir /tmp/releases


  


  # Mirror the 4.11.0 release to repository registry.example.com and apply signatures to connected cluster


  oc adm release mirror --from=quay.io/openshift-release-dev/ocp-release:4.11.0-x86_64 \


  --to=registry.example.com/your/repository --apply-release-image-signature

SEE ALSO

oc-adm-release(1),

HISTORY

June 2016, Ported from the Kubernetes man-doc generator

Openshift CLI User Manuals Openshift