Configuring a local private registry server


This procedure is only applicable if the mode of installation is offline.

The user must create a private registry server to deploy OpenShift Container Platform in a restricted environment (also termed as Air Gap (disconnected) environment). This registry server runs as a container and serves as the content provider for RHOCP 4.3.x. In order for the registry server to serve content for deployment, you must first mirror all the required content (images) to this registry server.

The private registry can be a VM or a physical server. You must fill all details in the input_vars.yaml file before triggering the ansible-playbook command, which helps in the creation of the registry. On successful completion of the ansible-playbook command, the automation creates the openshift-install binary and a text file mirrorimage.txt in the /root directory on the same server where this script is executed. You must transfer these files to the NPS node in directory /var/nps/ISO/.

Hardware requirements
  • Red Hat Enterprise Linux 7.x server (this can be a Virtual Machine or a physical server)

    The recommended minimum resource requirements are as follows:
    • RAM: 4096 GB

    • vCPU: 2

    • Disk: 300 GB ( in /root partition)


      125 GB (in /root partition ) is sufficient to store deployment images, OpenShift-Samples operator images and Red Hat operators images. As this is a disconnected environment, you may need to mirror images from other operator hubs and application images on this registry server. Therefore, enough storage is required on the node from where this script is executed.

Software requirements
  • Ansible 2.8 or greater

  • Download the OpenShift client oc binary and pull secret from the Red Hat OpenShift portal. To download pull secret, see Downloading the installation pull secret.

  • Ensure that the node where you will execute the registry script has access to the internet.

  • Ensure that you have a valid Red Hat subscription credentials with OpenShift entitlements.

  • Ensure that the hostname of the registry server is FQDN and the entry is updated in the DNS server.

  • Ensure that no proxy is set for localhost, <Registry_VM_IP>, OAM Network CIDR, and domain name.

  1. Copy the cloud.tar.gz file to the /root/ directory of the registry server and navigate to /root/nps-rhocp/registry-utils/offline-registry.
  2. Enter the user input in the input_vars.yaml file.
            proxy_port: "<proxy port number>"
            proxy_user: "proxy username"
            proxy_password: "proxy password"
            proxy_ip: < proxy ip used for connecting to internet >
            username: "<username>"
            password: "<password>"
            registry_host_fqdn: "<fqdn of registry host>"
            C: "<country name>"
            ST: "<state or province name>"
            L: "<locality name>"
            O: "<organization name>"
            OU: "<organizational unit name>"
            duration: "<number of days>"
            email_address: ""
            username: "<username>"
            password: "<password>"
            poolid: "<pool id>"
            openshift_client_path: "<path to oc binary .gz>"
            pull_secret_path: "<path to pull-secret.txt>"
    track_folder: /var/run/rhocp/
    openshift_version: <openshift image tag version>
    registry_on_nps: false

    For detailed description of the input parameters in the input_vars.yaml file, see Parameter descriptions in input_vars.yaml file.

  3. Configure the private registry by executing the create_registry_server.yaml playbook with root permission:
    ansible-playbook create_registry_server.yaml
    The create_registry_server.yaml playbook is located in the nps-rhocp/registry-utils/offline-registry directory. The playbook configures the private registry in the following three steps:
    1. Registers the server where this script is being executed to Red Hat CDN.

    2. Configures the private registry and mirrors the content from

    3. Validates the registry creation on the server.

    Use the following commands for executing individual steps of the private registry configuration process:
    • Configure the registry with subscription as the supported tag by executing the following command:

      ansible-playbook create_registry_server.yaml --tags "subscription"
    • If the subscription is done and re-subscription is not needed, only registry creation play can be executed. Configure the registry with configure as the supported tag by executing the following command:

      ansible-playbook create_registry_server.yaml --tags "configure"
    • If the registry is configured and only validation check is to be performed, configure the registry with validate as the supported tag by executing the following command:

      ansible-playbook create_registry_server.yaml --tags "validate"

    If the private registry creation fails, see Private registry creation failed to fix the issue.

  4. Validate if a registry is installed successfully by executing any of the following procedures:
    • Automated

      Execute the following command (as root user) from the registry server:
      ansible-playbook create_registry_server.yaml --tags "validate"
    • Manual

      Execute the following commands (as root user) from the registry server:
      1. curl -u <registry-username>:<registry-password> -k https://<registry-fqdn>:<user provided port>/v2/_catalog

        The registry-username and registry-password is the same as the username and password under registry_info in the input_vars.yaml file.

        Desired output on console:
      2. docker login -u <registry-username> -p <registry-password> <registry-fqdn>:<user provided port>
        Desired output on console:
        Login Succeeded