Hello, this is Pawan Bheman from the CNF integration team. In this demo, we will be taking a look at installing and configuring Artifactory as a disconnected registry and also as an image store for root FS images and RHCOS images. As Artifactory can host Docker registries, ISO images and Git repos, this becomes really useful, as we can host multiple repositories on a single host and Artifactory can be a single point of contact for hosting multiple repositories. So even before we take a look at installing Artifactory, the first thing is to have a server which has at least a bare minimum of around 400 GB of free space. I have already mirrored the contents, so you can see the available GBs are really low. But essentially we would need at least 400 GB of free space to mirror the registry contents. The rule of thumb for selecting the amount of free space is that it is always better to have more free space in order to accommodate the future growth of the registry. And here I am using a trial version of Artifactory, as we do not have any licenses purchased by our company yet for Artifactory. And once we register for a trial license, we get a link which has the contents of the installer along with the steps to install it. So essentially all we have to do is to go to the link, download the tarball and then follow the steps to install the Artifactory application. So this is the link that I got, and all it does is download the tarball, extract it and then run the install command on it. And then we would have to start the Artifactory service on it. We do not need Xray as of now and we do not need to start that. The only thing that we would need to start is the Artifactory service. So let me go over to a new machine and then download the tarball. We will wait until the download has completed. Now that the tarball is downloaded, we would need to extract it. Go to the extracted directory and then just run the install script. We will wait for the installation to complete.
So the installation has now completed. So now we would need to start the Artifactory service and check its status. Now let us take a look at the status to make sure it is running. So now the Artifactory service is running. So now our installation has succeeded. The next thing that we would have to do is to disable the firewall rules to the ports used by Artifactory. We would need to disable firewall rules for ports 8080, 8081 and 8082. Let us also disable firewall rules for ports 80 and 443, as we would be using them later for either the HTTP or HTTPS Docker registry that we will be setting up. So let us go ahead and do that. Let us reload it, and now we can check if the UI for Artifactory is accessible or not. Basically the UI will be running on port 8082 and the API runs on port 8081. So let us take a look at it. So right now this is the host IP address on which we just installed Artifactory, and this is port 8082 where it is hosting its web service, and the username and password are created by default when we create a trial license, and then we can go ahead and change it on our first try. Okay, so I guess it was still coming up, so it was not taking my password. So that is for setting up a new password, and then in the next step it will ask for the license key. I have already set up the license on another server and I have mirrored all the images there. In the interest of this demo I will be showing the setup for that particular Artifactory server, because mirroring everything from scratch might take a few hours. Okay, now we can see the UI after applying the trial license. So essentially it has two tabs, one is administration and one is application. So we can see the artifacts and the packages here, and in administration we can set IAM security and then take a look at the system logs and things of that nature, which we can see later.
And after doing this, the next thing that we would have to do is to set up CNAME records for the Docker registry and the image store that we will be creating later. So these CNAME records have to point to the host record that it is pointed on. One thing to note is that it has to be in the same domain as the server host name. So this is important, as when creating the registry name it has to match the DNS records that we are creating now. So here I am using the same A record as the one that is configured for the host on which Artifactory is installed. So right here, please do not do this. Please create two CNAME records, one for the Docker registry and one for the image store. So once we have done that, we would need to install a reverse proxy. So the reason for installing a reverse proxy is that on Artifactory there are multiple ways to set up a Docker registry, such as direct access, port bindings and subdomain. The prescribed method that Artifactory gives for on-prem environments is to use a reverse proxy and use the subdomain method for creating a Docker registry, and hence we would need to install a reverse proxy. I have installed Nginx here as a reverse proxy. So here Nginx is already running, and one more thing is that we do not have these two directories, sites-enabled and sites-available, by default when we installed Nginx. Please go ahead and create these two directories. We would later need these directories in order to set up the Artifactory config in them, and after we have created these two directories, the next thing that we would have to do is to generate a certificate. So this certificate is for the Docker registry that we will be creating. One important thing to note here is that we will be creating a wildcard DNS name for the common name while creating the certificate. So this is because we will be using the subdomain method to create the registry.
So here, you know, the DNS thing might be a little confusing at this point, but once I show you the HTTP settings for the Docker registry this might get clearer. So I have created the certificate, and if we take a look at the CNAME you can see that it is a wildcard DNS entry. So once we have created it, we would need to copy it to /etc/nginx/certs, and also we would need to copy it to the provisioner node from which we will be installing the hub cluster, and then we would need to update the address so that this certificate gets updated. So once this step is done, the next thing we would be doing is to finally create the Docker registry. So let's go to the Artifactory GUI again and take a look at repositories. So here I have already created two repositories, one for Docker and one for generic, but if I were to create a new registry we need to go to add the repository and click on local repository. So here it has a lot of repository types, and for now let's click on the Docker repository, and here we give the repository key, which is essentially the name of the local Docker repository that we will be creating. So the name of the repository key is really important. So this has to be the name preceding the wildcard DNS entry name. So here, when I said that I'm using the host name for creating the Docker repository, this has to be this name, service node, and that is why we are creating the wildcard DNS entry. So this will be service node. It says that the repository already exists, but essentially we would have to just click on create a repository, and once we have done that we would need to have the reverse proxy settings accordingly in order to access the repository. So we have to go to the administration tab, Artifactory, click on HTTP settings, and then here we have the three methods that I was mentioning: repository path, port and subdomain.
So basically I will be clicking on subdomain and the server name expression is automatically filled with the wildcard DNS entry that I was talking about and that is the reason why I was telling you that the domain name of the CNAME and the host name on which it is hosting on should be matching. And here in the reverse proxy settings we have a list of reverse proxy providers and here I selected NGINX and the internal host name gets pre-populated as the IP address of the host on which Artifactory is hosted on and these are the two ports that Artifactory will be using and we already disabled the firewall rules on. And while setting the public server name we would need to set up only the domain name part of this and while accessing the registry the way the Artifactory accesses the registry is the repository name that we gave which is service node and the dot the public server name and again so this is the same as what we gave here for the domain name. And then we can have two options one is to use HTTP and HTTPS ports. 
So we need to enable both, and then for the SSL key path and SSL certificate path, this is where we created our certificate, and we will be giving essentially the path of that particular key and cert file here, and we need to click on save. Once we have done that, Artifactory creates the reverse proxy configuration for the particular settings that we gave, so the NGINX config that we need is already created here. So all we need to do is copy it, and once we have copied it we need to go to our database host and then create this configuration in sites-available. I have already configured this; this is based on what we copied. The other thing is we need to enable it, so basically in sites-enabled we need to create a soft link pointing to sites-available, and once we have done that we need to restart the NGINX service, and once it is restarted let us look at the status. All right, so now NGINX is running without any issues. So essentially, once we have done this, we can check if the registry is working or not. We can check by logging into the registry and seeing if we are able to log in to it or not. So let us do podman login, and this is the registry name, and please note that it is not 5000, it is 443; that is because in the HTTPS settings that we saw we are using port 443. All right, so now we can log in to the registry that we created, so we have successfully set up the Docker registry repo for Artifactory. So now the next thing that we can do is to mirror the images, the OLM images and the OCP release images. There are two issues while doing this with Artifactory. One issue is that while using the auth file, which has the authentication JSON file for the registries that we are mirroring from, that is registry.redhat.io or quay.io, Artifactory somewhat does not like using the pull secret JSON file for that, and the other thing is, even to authenticate to Artifactory, the pull secret does not work by mentioning the login credentials there. So while specifying the 
authentication for Artifactory in the command itself, it seems to work, and I have seen multiple bugs raised on that and they are open. I will show you what I mean by that. So basically, while mirroring the images, for instance while using a podman push, we would need to specify the credentials for Artifactory here as a part of the command itself rather than using a pull secret JSON file in order to do that, and for the pull secret for accessing quay.io or registry.io, it is better to put it as a part of the Docker config.json file, because it does not seem to take the pull secret file, so by preloading it here and then using the mirror it seems to work. And one more thing that I faced as an issue with Artifactory is that while doing the mirroring, after some time Artifactory shows another message as 403 forbidden and does not allow me to log in to Artifactory to push the images. One thing that we can do to work around that for commands such as oc adm is to specify max per registry as one, so basically this is the number of concurrent connections that oc adm will be using in order to connect to the local registry, and these two things can be done for essentially skopeo or even oc image mirror. So I will show you an example here. I have done the same thing on oc image mirror, meaning I gave maximum per registry as one, and then while using skopeo there is a way to give the destination credentials here, so essentially which is admin password, which is the default one while we install the trial version of the Artifactory application.
So after adding this I had no issues mirroring the images for Artifactory. But even with this (I have done the same thing on oc image), there was an issue with pulling the images once I installed the hub cluster, and that was the same thing, in which there were multiple connections to the Artifactory repo and that prevented the download of images for the hub and the SNO node. While taking a look at that, I realized that Artifactory is a little buggy, in which while having multiple concurrent connections or pulling multiple images there is an issue with the Artifactory cache, and then this issue causes a cascading failure in which it considers an authentication request as a false authentication request, meaning that even with the current authentication credentials Artifactory considers them as wrong authentication credentials and hence login is denied. And this is a very serious issue, because essentially the hub or the worker cluster cannot pull images from this registry. There are a couple of mitigations for it. One way to mitigate it is to just restart Artifactory and it will flush the cache, and then once the cache is flushed it works fine, so we would need to trigger the mirror again and then do it each time there is an issue with the cache. The next step is to have these mitigations already, the one for the credentials that we are specifying both for podman, skopeo and also for catalog mirror or oc image mirror, where we are specifying the max per registry as one, and along with that we would also need to specify one configuration, which is essentially not to block the login in terms of failures of authentication. So this is the configuration, which is max login block delay as 0, and we would need to set it in the Artifactory system properties, and there are two places in which the Artifactory system properties are present: one is on the wire of the JFrog directory and the other one is on the JFrog directory. So the reason why we are doing it is very simple: because we are 
getting disabled temporarily to login by Artifactory and the caching issue is causing this cascading issue, so we can as well, you know, disable temporary login suspension and that should not block us essentially. And this particular mitigation worked for me, and I have been able to pull the images without any issues after having all these mitigations. These are bugs that are open in Artifactory as of now, and it might be fixed by Artifactory in the future, but as of now we will be seeing this particular issue. And once we have done that, I have already mirrored the content of the Docker registry into Artifactory, and let us go ahead and take a look at that. So if we take a look at the repositories, if we take a look at the artifacts, this is the Docker repo, so here I have mirrored OLM and then ACM and then the REST and then installer images. So this is the repository, so right now we are all good to go with the Docker registry setup. The reason I am showing the already mirrored repo is because this will take a few hours to remirror all of this, and in the interest of this demo this makes it a shorter demo in order to remirror all of this onto Artifactory. So now that we have created the Docker registry successfully and we have mirrored the images, the next thing to do is to create a registry for storing the root FS images for the small iso and also the RHCOS images for the bootstrap OS image and cluster OS image that is needed for the hub cluster installation. So in order to do that we will go to repositories again, and then we need to add repository and then select local repo, and in this we need to select the repository as generic type, and here again we would need the repository key to match with the CNAME record that we have created, and in my case it is service node 2. As I have already created it, it does not take the creation of the new one, so essentially once it is created it has to show the repo key, and these fields are automatically populated. All we need to do is to 
just create the repository key, and once we have created the repository key, I mean once we have created this repo, it does not allow for download of the ISO images or the image without specifying the username and password, which is problematic during installation because we would need a repo which serves images without the need for username and password. So in order to do that we would need to go to the security tab, and inside settings we would need to select allow anonymous access, and this allows anonymous downloads for the ISO and dot image root FS files that we would need to download during the installation process. So once we have done that, the next thing that we would need to do is to download the root FS image and then push it into the registry, so it is something like this after we have pushed it. So in order to push it, all we need to do is to have a curl post command and then give the particular repository name and it has to push the image. So I would like to show an example for this. So in order to, say, push this particular image, we would need to just post it, we just need to use the put command with the appropriate generic repo name and then the image name that we would need that to be uploaded as. All right, so we would need to do the same thing for all of the images that we would need to upload to the generic repository, and once we have done that we would essentially be seeing the images as shown here. Essentially I have put in the root FS image, the RHCOS live image and the bootstrap and cluster image files for the cluster. So now that we have done all of these steps, we have successfully set up the artifact repository for both the Docker registry and then the generic repository for the root FS store. So now all we have to do is just to install the hub cluster and the SNO. The procedure for doing that is similar to the procedure for installing the hub cluster and single node OpenShift for any generic disconnected registry. So if we 
take a look at the install config, we are providing the bootstrap OS image and the cluster OS image from Artifactory; these are the ones that I just showed you as the uploaded files there. And then for image content sources we need to provide the path on Artifactory, and keep in mind again this is 443 and not 5000, and the same thing for the pull secret file and the additional trust bundle. So I have already installed the hub cluster and this worked fine without any issues, so the hub cluster got installed from the registry. Again, I am not installing the hub cluster just in the interest of time, in order not to make this a really long demo. And once the hub cluster is installed, again, configuring and installing assisted installer is also done in a similar way, in which you just need to give the appropriate mirror registry for the cluster image set and also for the agent service. While giving the URL, in the root of this URL you need to give the generic repository that we created as a part of the generic repository image upload, and that would be it. So once we have created the assisted service, and then if we go ahead and deploy the SNO, it should get deployed successfully, and let us take a look at the pre-installed SNO that I have installed already. So that would be all for this demo. I hope this has been really useful to you, and thank you.