Containerized Proxy Deployment Using Internal Registry

It is possible to deploy containerized images in an environment without an internet connection. In that case, the images can be copied from the SUSE registry to an internal registry, or saved to a tar file.

1. Image Copying from SUSE Registry to Internal Registry

Machines must have access to registry.suse.com.

Procedure: Deploying Proxy from an Internal Image Registry
  1. On a machine with access to registry.suse.com install skopeo:

    zypper in skopeo

    This machine can be the SUSE Manager Server.

  2. Copy images between registries:

    for image in httpd salt-broker squid ssh tftpd; do
        skopeo copy docker://registry.suse.com/suse/manager/5.0/proxy-$image:latest docker://<your_server>/registry.suse.com/suse/manager/5.0/proxy-$image
    done
    skopeo copy docker://k8s.gcr.io/pause:latest docker://<your_server>/k8s.gcr.io/pause:latest

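    If the registry is not secured, add --dest-tls-verify=false to every skopeo command. The option turns off the HTTPS requirement and certificate verification for the destination registry.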

  3. If the registry is unsecured, for example not configured with SSL, add the registry domain to the registries.insecure section on the containerized proxy virtual machine by editing:

    /etc/containers/registries.conf

  4. Before starting the pod, tell Podman where to find the pause image on the internal registry:

    echo -e '[engine]\ninfra_image = "<your_server>/pause:latest"'>>/etc/containers/containers.conf

  5. To start using the images from the internal registry, adapt the NAMESPACE value in the file /etc/sysconfig/uyuni-proxy-systemd-services.config.

    For the k3s deployment, add --set repository=<your_server> to the helm install command line.

2. Air-gapped Solution for Podman

This example illustrates the deployment of containerized images on a machine with no access to the internet.

Procedure: Deploying Air-gapped Proxy
  1. Before starting the pod, tell Podman where to find the pause image on the internal registry:

    echo -e '[engine]\ninfra_image = "<your_server>/pause:latest"'>>/etc/containers/containers.conf

    This command does not work on SLE 15 SP3 and earlier container hosts.

  2. On a machine with internet access run:

    for image in httpd salt-broker squid ssh tftpd; do
        podman pull registry.suse.com/suse/manager/5.0/proxy-$image
    done
    podman pull k8s.gcr.io/pause
    
    podman save -m -o proxy-images.tar \
        k8s.gcr.io/pause \
        registry.suse.com/suse/manager/5.0/proxy-httpd \
        registry.suse.com/suse/manager/5.0/proxy-salt-broker \
        registry.suse.com/suse/manager/5.0/proxy-squid \
        registry.suse.com/suse/manager/5.0/proxy-ssh \
        registry.suse.com/suse/manager/5.0/proxy-tftpd

    For the k3s deployment, add --set repository=<your_server> to the helm install command line.

  3. Transfer the proxy-images.tar to the air-gapped proxy.

  4. To make images available to be started when needed, run the command:

    podman load -i proxy-images.tar
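
An integrity and completeness check for steps 3 and 4, as an added example that is not part of the original procedure: it records a SHA-256 digest of proxy-images.tar on the connected machine and, on the air-gapped proxy, confirms the digest and the presence of all six images before podman load is run. The <archive>.sha256 file name and the function names are assumptions, as is the archive being in docker-archive format with a root manifest.json.

```shell
#!/bin/sh
# Added example (not from the original page): check proxy-images.tar on the
# air-gapped host before running `podman load`.
# Assumptions: the digest file name <archive>.sha256, and that the archive is
# in docker-archive format (root manifest.json with RepoTags entries).

# Image list taken from the `podman save` command in step 2.
EXPECTED_IMAGES="k8s.gcr.io/pause
registry.suse.com/suse/manager/5.0/proxy-httpd
registry.suse.com/suse/manager/5.0/proxy-salt-broker
registry.suse.com/suse/manager/5.0/proxy-squid
registry.suse.com/suse/manager/5.0/proxy-ssh
registry.suse.com/suse/manager/5.0/proxy-tftpd"

digest_of() { sha256sum "$1" | cut -d' ' -f1; }

# Connected machine, after `podman save`: write <archive>.sha256.
record_digest() { digest_of "$1" > "$1.sha256"; }

# Air-gapped host: fail if the archive or digest file is missing or differs.
verify_digest() {
    [ -f "$1" ] && [ -s "$1.sha256" ] || return 1
    [ "$(cat "$1.sha256")" = "$(digest_of "$1")" ]
}

# Print every expected image that has no RepoTags entry in the archive.
missing_images() {
    manifest=$(tar -xOf "$1" manifest.json 2>/dev/null) || {
        echo "cannot read manifest.json from $1" >&2; return 2; }
    for img in $EXPECTED_IMAGES; do
        printf '%s' "$manifest" | grep -qF -- "\"$img:" || echo "$img"
    done
}

# Returns 0 only if the digest matches and all six images are present.
verify_archive() {
    verify_digest "$1" || { echo "digest check failed for $1" >&2; return 1; }
    missing=$(missing_images "$1") || return 1
    [ -z "$missing" ] || { echo "missing images: $missing" >&2; return 1; }
}

# Usage on the air-gapped proxy:
#   verify_archive proxy-images.tar && podman load -i proxy-images.tar
```

The digest detects modification only if it reaches the air-gapped host by a different path than the archive; shipped alongside the tar file it detects transfer corruption only.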