In the previous article, “Configuring your private registry for z/OS Container Platform”, you configured and started a secured private container registry using IBM® z/OS® Container Extensions (zCX). If you have not done so, you should start with that article before continuing.
In this article, you will learn how that private container registry can be used for pulling and pushing container images for IBM® z/OS® Container Platform (zOSCP). You start by copying zOSCP container images to your private registry, making them available to users who build their own container images and, eventually, to your Kubernetes deployments.
Copying z/OS Container Platform images
To enable users to containerize their own z/OS UNIX applications, a growing catalog of IBM-built images is available on the IBM® Cloud Container Registry (ICR). For example, IBM z/OS base, IBM Open Enterprise SDK for Go, IBM SDK Java Technology Edition for z/OS (Java 8), IBM z/OS Connect, and IBM Open Enterprise Foundation for z/OS container images are available to use as the starting point for building your own container images.
zOSCP provides IBM z/OS for Skopeo (Skopeo) to copy container images from IBM Cloud Container Registry to your private container registry. Use an SSH client to access the z/OS UNIX environment where Skopeo is installed. The zOSCP container images on ICR are accessed by using an API key. The instructions for obtaining the API key are included in an entitlement memo when the z/OS Container Platform product is ordered.
Once the API key is obtained, you will need to transfer the certificate created for your private container registry in the previous article to the system where you are issuing the Skopeo command. Otherwise, any Skopeo commands against your private container registry will fail because Skopeo is unable to verify the signer of the certificate presented by the private registry.
Certificates for container registries are stored in /etc/containers/cert.d. Referring to the previous article, you created a private container registry within a zCX instance called my-zcx.my-company.com that was listening on port 1443. Issue the following commands to create the subdirectory to store the private registry certificate and provide permission to your users to access it.
Skopeo looks in this subdirectory, by default, for the certificate when communicating with your private container registry. So, the next step is to copy the certificate for the private container registry to this subdirectory. Referring to the previous article, you created a certificate for the private registry, and saved it as /tmp/creds/domain.crt. Use an SSH client to access the zCX Docker CLI environment, and then use sftp to transfer the certificate from /tmp/creds/domain.crt to /etc/containers/cert.d/zcx.my-company.com:1443/ca.crt.
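One way to stage the certificate, as an added example rather than the article's own commands (the registry host and port are the ones assumed in this series; the certificate contents are constructed; ROOT is a parameter so the script can run in a scratch directory):

```shell
#!/bin/sh
# Added example (not from the article): stage the private registry's CA
# certificate under /etc/containers/cert.d/<host>:<port>/ca.crt, the directory
# Skopeo selects from the registry part of the image reference. ROOT is a
# parameter so the script can run in a scratch directory; use / for real.
# Host, port and the PEM contents below are assumed/constructed values.
set -e

# Install CERT as $ROOT/etc/containers/cert.d/HOST:PORT/ca.crt, world-readable
# so every user's Skopeo or Podman can validate the registry's TLS certificate.
install_registry_ca() {   # $1=root $2=host $3=port $4=certificate file
  dir="$1/etc/containers/cert.d/$2:$3"
  grep -q 'BEGIN CERTIFICATE' "$4" || { echo "$4: not a PEM certificate" >&2; return 1; }
  mkdir -p "$dir"
  cp "$4" "$dir/ca.crt"
  chmod 755 "$dir"
  chmod 644 "$dir/ca.crt"
  echo "$dir/ca.crt"
}

# The directory is chosen by the host[:port] in the image reference, so a
# reference that drops the port or uses another hostname for the same registry
# resolves to a different (normally missing) directory and the TLS handshake
# is rejected.
ca_path_for_image() {   # $1=root $2=fully qualified image reference
  echo "$1/etc/containers/cert.d/${2%%/*}/ca.crt"
}

# Constructed PEM stand-in (not a real certificate) so this runs offline.
ROOT=$(mktemp -d)
cat > "$ROOT/domain.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBconstructedplaceholdernotarealcertificate==
-----END CERTIFICATE-----
EOF

install_registry_ca "$ROOT" my-zcx.my-company.com 1443 "$ROOT/domain.crt"
# The reference you will copy or pull must map to the file just installed:
test -f "$(ca_path_for_image "$ROOT" my-zcx.my-company.com:1443/my-image:1.0)"
```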
Next, you must log into the private container registry. Otherwise, any Skopeo commands against the private registry will fail, indicating that authentication is required. In the previous article, you started the private registry with registry authentication configured. Using the same username and password you supplied to the htpasswd utility in the previous article, log into the private registry.
You are now ready to copy any z/OS Container Platform images from ICR to your private container registry. For example, use the following command to copy the base z/OS container image, passing in the API key you received from ICR.
Once you have successfully copied the images you want from ICR, you should log off your private container registry.
Your environment should now look like Figure 1, where z/OS container images from ICR have been copied to your private container registry using Skopeo.
Figure 1 – Copying container images to private registry
Using private registry with Podman for IBM z/OS
As a first step, you will need to transfer the private container registry certificate to all z/OS systems where your users plan to access the private registry via Podman for IBM z/OS (Podman). See the previous steps performed to copy the certificate for Skopeo.
Once that is completed, your users need to log into the private registry before pulling or pushing container images, using the same username and password as used by Skopeo for authenticating with the private registry.
Users are now able to run or pull images from the private container registry using Podman. Any customized container images that are built using Podman can be pushed back to the private registry for others to use. For example, after building a customized container image called my-image from the z/OS base image, it can be pushed directly to the private registry.
Your environment should now look like Figure 2, where, using Podman, you pulled the IBM-built image from your private container registry, built your customized z/OS container image, and pushed it back to your private container registry to make it available for other users.
Figure 2 – Building container images and pushing to private registry
Using private registry with Kubernetes on z/OS
As for Podman, you need to copy the private container registry certificate to the necessary z/OS systems, in this case the z/OS systems configured as worker nodes in your Kubernetes cluster. See the previous steps performed to copy the certificate for Skopeo.
Unlike with Skopeo and Podman where you can log into your private container registry to authenticate, Kubernetes does not provide this type of authentication. Instead, a Kubernetes secret needs to be configured and referenced in any deployment yaml pulling images from the private registry.
To do this, you use the credentials created when logging into the private container registry via Podman. By default, these credentials are stored as /var/run/user/<uid>/containers/auth.json, where <uid> is the z/OS UNIX identifier assigned to the user. The identifier can be determined by using the id command from z/OS UNIX. If the environment variable XDG_RUNTIME_DIR is set, then the credentials will instead be found in $XDG_RUNTIME_DIR/containers/auth.json.
Assuming XDG_RUNTIME_DIR is not set, issue the following commands to create a Kubernetes secret, called registry-creds, from the Podman login credentials.
Once the Kubernetes secret is generated, add the imagePullSecrets field, pointing to the secret you created, to your deployment yamls that are pulling images from your private container registry.
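An added example, not the article's own commands, that builds the secret from a constructed auth.json and checks that the Podman login covers the registry named in the image reference (registry host and port, username, and password are assumptions):

```shell
#!/bin/sh
# Added example (not from the article): turn the auth.json written by
# `podman login` into a kubernetes.io/dockerconfigjson Secret and check that
# the login covers the registry named in the image you intend to deploy.
# Registry host:port, user and password are assumed/constructed values.
set -e

# On the real system the file is $XDG_RUNTIME_DIR/containers/auth.json or,
# when that variable is unset, /var/run/user/$(id -u)/containers/auth.json.
# Constructed stand-in so this runs offline:
WORK=$(mktemp -d)
AUTH_FILE="$WORK/auth.json"
cat > "$AUTH_FILE" <<EOF
{"auths": {"my-zcx.my-company.com:1443": {"auth": "$(printf 'zosuser:changeme' | base64)"}}}
EOF

# auth.json is already in Docker config format, so it becomes the
# .dockerconfigjson key unchanged. Equivalent kubectl command:
#   kubectl create secret generic registry-creds \
#     --from-file=.dockerconfigjson="$AUTH_FILE" --type=kubernetes.io/dockerconfigjson
make_pull_secret() {   # $1=auth.json $2=secret name -> prints Secret manifest
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
    "$2" "$(base64 < "$1" | tr -d '\n')"
}

# kubelet picks credentials by matching the image's registry (host[:port])
# against the "auths" keys, so my-zcx.my-company.com/app and
# my-zcx.my-company.com:1443/app are different registries to it.
registry_covered() {   # $1=auth.json $2=fully qualified image reference
  grep -q "\"${2%%/*}\"" "$1"
}

# Pod-spec fragment referencing the secret (imagePullSecrets is a pod-spec
# field, not a label).
pod_spec_fragment() {   # $1=secret name $2=image reference
  printf '      imagePullSecrets:\n      - name: %s\n      containers:\n      - name: app\n        image: %s\n' "$1" "$2"
}

IMAGE="my-zcx.my-company.com:1443/my-image:1.0"
registry_covered "$AUTH_FILE" "$IMAGE" || { echo "no login for ${IMAGE%%/*}" >&2; exit 1; }
make_pull_secret "$AUTH_FILE" registry-creds > "$WORK/registry-creds.yaml"
pod_spec_fragment registry-creds "$IMAGE" > "$WORK/pod-spec.yaml"
```

When the check passes, apply the generated manifest with kubectl in the same namespace as the deployment that references it, since imagePullSecrets only resolves secrets in the pod's own namespace.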
You should now be able to successfully pull any container images from your private container registry for a Kubernetes deployment!
Figure 3 shows what your environment looks like when you deploy your customized z/OS container image in your Kubernetes cluster.
Figure 3 – Deploying container images from private registry
To summarize, in this article you used Skopeo to copy container images from IBM Cloud Container Registry to your private container registry, used Podman to pull, build, and push customized container images back to your private registry, and created a Kubernetes secret so that your deployments can pull container images from your private registry.