Setting up a Harbor repository to synchronize container images

The container images required to deploy BMC Helix Innovation Suite are hosted on BMC Docker Trusted Registry (DTR). BMC DTR is available at  https://containers.bmc.com. Synchronize the container images in BMC DTR to a local container Harbor repository and configure the deployment pipeline to use the container images from the local repository. This method allows you to perform a secure or air-gapped deployment that does not require a direct connection to the internet.

Important

To synchronize the container images with BMC DTR, BMC validates using the open-source Harbor repository. You can choose any container repository solution that is compatible with the BMC Helix Service Management deployment. BMC does not anticipate any issues with alternative repositories. However, BMC does not provide support for alternative container repositories.

Related topic

Preparing-for-installation

 The following video (2:53) provides a summary of how to set up a Harbor repository in BMC Helix Service Management.
 

icon_play.pnghttps://youtu.be/yp72f3Vayxw 

Repository content

The images required for BMC Helix Service Management installation are located in the following repositories in BMC DTR:

BMC Repository

Repository content

bmc

BMC Helix Service Management images.

This repository includes all components of BMC Helix Service Management such as AR System server, BMC Helix Innovation Studio, Mid Tier, BMC Helix ITSM: Smart IT, BMC Digital Workplace, BMC Digital Workplace Catalog, and BMC Helix Innovation Suite applications.

Important:

Each component has a separate repository such as ars, midtier, cmdb, and virtualchat. These repositories contain the images for the respective component, such as the AR System images are located in the ars repository and the Mid Tier images are located in the midtier repository.
For example, containers.bmc.com/bmc/ars:23303HF2-RTM1 and containers.bmc.com/bmc/midtier:23303HF2-RTM1

bmc/lp0lz

BMC Helix Platform images.
The BMC Helix platform is required for all installations of BMC containerized software. This repository includes BMC Helix Platform services, data lake, BMC Helix Dashboards, AI Service Management, and other essential services.

Important

Update your firewall policies to enable access to BMC DTR. Use the following fully qualified domain names:

Process to access container images from a local Harbor repository

Set up a Harbor repository and synchronize your Harbor repository with BMC DTR by using the access key. The following images shows the actions to synchronize your Harbor repository with BMC DTR.

Set up Harbor.png

Before you begin

These files contain the list of images that are synchronized from BMC DTR. You can use these files to verify your Harbor repository after you synchronize it with BMC DTR.

This file contains the Docker image digests for verification.

  • Make sure that you have downloaded the key to access the container images, image_pull_push.sh, image_sync_to_private_registry.sh, and image_sha_digest.sh files from the BMC Electronic Product Distribution (EPD) site.
    See Downloading-the-installation-files.
  • Make sure that you meet the Harbor repository requirements.
  • Install the JQ command tool.

Task 1: To create a Harbor registry

  1. In your local system, download the latest version of Harbor by using the following command:

    wget https://github.com/goharbor/harbor/releases/download/v2.1.4/harbor-offline-installer-v<version>.tgz

    Example:

    wget https://github.com/goharbor/harbor/releases/download/v2.1.4/harbor-offline-installer-v2.1.4.tgz

  2. Unzip the TAR file by using the following command:

    tar xvzf harbor-offline-installer*.tgz

  3. Navigate to the harbor directory by using the following command:

    cd harbor

  4. Copy the configuration template by using the following command:

    cp harbor.yml.tmpl harbor.yml

  5. Edit the harbor.yml file and add the values for the following parameters:

    Best practice
    We recommend that you use the HTTPS configuration and install Harbor by using self signed SSL certificates. See Configure HTTPS Access to Harbor .

    Parameter

    Description

    hostname

    Name of the host where you want to install Harbor.

    harbor_admin_password

    Password for the Harbor application admin username.

    In the harbor.yml file, uncomment the https related config section, and add the values for parameters such as port, certificate, and  private_key.
    For example:

    # https related config
    https:
      # https port for harbor, default is 443
     port: 443
      # The path of cert and key files for nginx
     certificate: /data/cert/dsmlab.bmc.com.crt
     private_key: /data/cert/dsmlab.bmc.com.key

  6. Run the following command:

     sudo ./install.sh
  7. Verify that you can access the Harbor registry by using the admin username and password to log in.

Task 2: To create a project

  1. In the Harbor admin UI, navigate to the Administration menu, and click Projects.

  2. Create a new project and specify the project name as bmc.
    This project is used to synchronize the container images.

Task 3: To synchronize a Harbor repository with BMC DTR

You must synchronize your Harbor repository with BMC Helix Innovation Suite and BMC Helix Platform Common Services container images in BMC DTR.

  1. Log in to a Linux system.
  2. Copy the image_pull_push.sh, image_sync_to_private_registry.sh, 25201_ITSM_Platform_Images.txt, 25201_ITSM_SmartApps_Images.txt, 25201_ITSM_Pipeline_Images.txt, and 25201_SupportAssistTool_Images.txt.
  3. Based on the BMC Helix Platform Common Services version you are using, copy the 252_Helix_Platform_Images.txt or 251_Helix_Platform_Images.txt files to the system.
  4. Copy the file to the system.
  5. Create a new file named images.txt.
  6. Synchronize the BMC Helix Service Management platform container images:
    1. Copy the 25201_ITSM_Platform_Images.txt to the images.txt file.

    2. Open the image_sync_to_private_registry.sh file and update the following parameter values:

      Parameter

      Description

      SOURCE_REGISTRY_HOST

      Specify the value as containers.bmc.com

      SOURCE_REGISTRY_USER

      Support user ID that you use to login to EPD.

      SOURCE_REGISTRY_PASSWORD

      The container image access key specified in the container-token.bmc file that you downloaded from EPD.

      IMAGE_REGISTRY_HOST

      Host name of your local registry.

      IMAGE_REGISTRY_USERNAME

      Specify the user name to log in to your local registry.

      IMAGE_REGISTRY_PASSWORD

      Specify the password to log in to your local registry.

      IMAGE_REGISTRY_PROJECT

      Specify the value as bmc

    3. Convert the images.txt file to UNIX format by using the following command:

      dos2unix images.txt

    4. Run the image_sync_to_private_registry.sh file by using the following command:

      Important

      Before you run the image_sync_to_private_registry.sh file, make sure that you have installed the Docker Engine. For more information, see Harbor repository requirements.

      ./image_sync_to_private_registry.sh
  7. Synchronize the smart application, pipeline, BMC Helix Platform services, and Support Assistant tool container images by performing the following steps:
    1. Copy the file to the images.txt file.

    2. Run the image_sync_to_private_registry.sh file by using the following command:

      ./image_sync_to_private_registry.sh

Task 4: To verify image digest in the Harbor registry

Verify the integrity of container images in your Harbor registry by validating the digests. This verification ensures that only trusted, untampered images are used for BMC Helix Service Management installation. Verifying image integrity helps prevent pod startup issues that may arise due to synchronization discrepancies between the BMC DTR and your local registry.

Perform the following steps:

  1. To verify the image digest in your Harbor registry for the BMC Helix Service Management images, run the following command:
  2. ./image_sha_digest.sh <Harbor_registry_location> 25201_ITSM_Images_Digest.txt 

    Example command:
    ./verify_image_digest.sh harbor.customer.org/repo 252_ITSM_Images_Digest.txt

    This command automates the validation of container image digests by taking the following actions:

    1. Registry replacement—Replaces all instances of containers.bmc.com/bmc/ in image references with the specified Harbor registry location.
    2. Digest retrieval—Uses docker manifest inspect verbose to fetch the digest of each updated image.
    3. Digest comparison—Compares the actual digest with the expected digest for each image.
    4. Logging—Logs the result of each comparison as either match or mismatch.
    5. Exit status—Terminates with exit code 1 if any mismatches are detected; otherwise, exits with code 0.

    Example command output:
    Starting digest verification using registry: harbor.customer.org/repo

    Checking image:attach:xwiki:Service-Management.On-Premises-Deployment.BMC-Helix-Service-Management-Deployment.brid25201.Installing.Preparing-for-installation.Setting-up-a-Harbor-repository-to-synchronize-container-images.WebHome@filename harbor.customer.org/repo/adeops-util:567-25201-RTM
    Match: harbor.customer.org/repo/adeops-util:567-25201-RTM

    Checking image:attach:xwiki:Service-Management.On-Premises-Deployment.BMC-Helix-Service-Management-Deployment.brid25201.Installing.Preparing-for-installation.Setting-up-a-Harbor-repository-to-synchronize-container-images.WebHome@filename harbor.customer.org/repo/cmdb-core:25201-RTM
    Mismatch: harbor.customer.org/repo/cmdb-core:25201-RTM
       Expected: sha256:xxxx...
       Found   : sha256:yyyy...

    Failed: The following images failed digest verification:
     - harbor.customer.org/repo/cmdb-core:25201-RTM

     

  3. To verify the image digest in your Harbor registry for the BMC Helix Platform Common Services images, run the following command:./image_sha_digest.sh <Harbor_registry_location> 252_Helix_Platform_Images_Digest.txt 

  4. If you encounter a mismatch for an image, resynchronize the image.

To access images from an air-gapped environment

The following image describes the process to access the BMC Helix Innovation Suite platform and application container images from an air-gapped environment:

Access container images from air gaped env.png

Perform the following steps to access images from an air-gapped environment:

  1. Create and configure a local Harbor registry in your network.
  2. Create and configure a Harbor registry in a demilitarized zone (DMZ).
  3. Set up a proxy to enable communication between the local Harbor registry in your network and the Harbor registry in a DMZ.
  4. Synchronize your local Harbor repository in your network with BMC DTR.
  5. Synchronize your Harbor repository in a DMZ with your local Harbor repository in your network.
    Perform the steps in To synchronize a Harbor repository with BMC DTR by modifying the following fields:
    • Source registry—Name of the DMZ Harbor registry that you configured to synchronize with your local Harbor repository.
    • Source resource filter: Name—Path of the image in your local Harbor repository that you want to synchronize to your DMZ Harbor repository.

Where to go from here

Next task

Proceed with preparing a database based on the database that you want to use:

Back to process

If you are finished preparing the database, return to the appropriate installation, update, or upgrade process:

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*