Before running the setup Ansible scripts, upload the required resources, make the airgap server accessible to the Internet, and install the required packages for running the scripts.
Note: If you are setting up the airgap server on an IPv6 network, see the instructions for setting up the airgap server on an IPv6 network first.
Procedure
- Upload the resources airgap script tarball.
After the virtual machine is powered on, set up the eth0 network and set up either DHCP or static IP address in the guest operating system. This procedure ensures that the virtual machine is accessible from the system downloading the airgap tarball. The network settings depend on your network topology and environment settings.
Download the airgap tarball file from the VMware website on an Internet-accessible machine. Extract the downloaded airgap tarball file and upload the uncompressed scripts to the airgap server virtual machine through a secured channel, such as the SCP command with Putty for Windows or Terminal for Linux or Mac operating systems.
The following example extracts the tarball with the tar command and uploads it to the powered-on airgap server.
Note: If the host does not have the tar command installed, install it before extracting the airgap tar package. On a Photon VM, tar can be installed by running:
tdnf install tar -y
For other Linux hosts, refer to the system's own method for installing the tar command.
[~]$ ls
VMware-Telco-Cloud-Automation-airgap-files-<release number>-<build-number>.tar.gz
[~]$ tar xfz VMware-Telco-Cloud-Automation-airgap-files-<release number>-<build-number>.tar.gz
[~]$ ls
airgap VMware-Telco-Cloud-Automation-airgap-files-<release number>-<build-number>.tar.gz
[~]$ scp -r airgap/ root@<airgap-server-ip>:/root/
You can now log in to the airgap server through SSH and extract the contents to its root folder. For example:
[~]$ ssh root@<airgap server ip>
Welcome to Photon 3.0 (x86_64) - Kernel \r (\l)
root@<airgap server ip>'s password:
Last login: Fri Nov 19 06:51:50 2021 from 10.117.182.43
06:41:01 up 24 days, 6:22, 2 users, load average: 0.00, 0.00, 0.00
182 Security notice(s)
Run 'tdnf updateinfo info' to see the details.
root@photon-machine [ ~ ]# ls
airgap
root@photon-machine [ ~ ]# ls airgap
bom scripts
The BOM folder contains all the BOM files for describing the container images. The Scripts folder contains scripts used for setting up and deploying the airgap server.
Certificates: (Optional) If you use your own certificate, upload its relevant files into the /roots/certs folder. You can also use scripts for generating the certificate at runtime.
- Set up the network for Internet.
Ensure that your airgap virtual machine is accessible to the Internet. If you use a proxy server, run the following script:
root@photon-machine [ ~ ]# . airgap/scripts/bin/setup-proxy.sh <http-proxy-server-url> <https-proxy-server-url> <airgap-server-fqdn>,<local-subnet>
For example:
root@photon-machine [ ~ ]# . airgap/scripts/bin/setup-proxy.sh http://proxy.example.com:3128 http://proxy.example.com:3128 tca-ag-tmp.example.com,192.168.0.0/24
The script takes three parameters:
http proxy server url - The proxy server that handles proxy HTTP traffic.
https proxy server url - The proxy server that handles proxy HTTPS traffic.
airgap-server-fqdn, local-subnet - Comma-separated exclusion list of networks for bypassing proxy.
Note: To avoid Harbor image publishing failure, ensure that the airgap server FQDN and local network are added to the no_proxy list.
If the proxy server uses an HTTPS port and is configured with a private CA-signed certificate or a self-signed certificate, you must upload the private root CA or self-signed certificate and add it to the airgap server root CA certificate bundle.
Ensure that the proxy CA certificate file name has the suffix .pem, and avoid naming it cacert.pem, which is usually reserved for the autogenerated CA certificate.
If your environment uses other approaches to access the Internet, configure your network infrastructure to ensure that the Internet is accessible.
Upload the private root CA or self-signed certificate to the airgap server.
[~]$ scp <proxy-ca>.pem root@<airgap-server-ip>:/root/
On the airgap server VM, run the following commands:
root@photon-machine [ ~ ]# cp <proxy-ca>.pem /etc/ssl/certs/
root@photon-machine [ ~ ]# cat <proxy-ca>.pem >> /etc/pki/tls/certs/ca-bundle.crt
root@photon-machine [ ~ ]# tdnf update
root@photon-machine [ ~ ]# tdnf install openssl-c_rehash -y
root@photon-machine [ ~ ]# rehash_ca_certificates.sh
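A pre-check for the proxy CA file before it is copied to /etc/ssl/certs/ and appended to the bundle, given here as an added example that is not part of the VMware airgap scripts. The function name check_proxy_ca, its return codes, and the comparison against a SHA-256 fingerprint obtained from the proxy administrator are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks to run on <proxy-ca>.pem before it is appended to the
# trust bundle. check_proxy_ca and its return codes are hypothetical names.
# Requires the openssl command-line tool.
# Usage: check_proxy_ca <file.pem> <sha256-fingerprint-from-proxy-admin>
check_proxy_ca() {
    cert=$1
    want=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }

    # Naming rules from the procedure: .pem suffix, and never cacert.pem.
    case $(basename "$cert") in
        cacert.pem) echo "cacert.pem is reserved" >&2; return 2 ;;
        *.pem) ;;
        *) echo "file name must end in .pem" >&2; return 2 ;;
    esac

    # The file is appended verbatim to the bundle, so it must hold exactly
    # one parseable certificate and no private key.
    if [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert")" -ne 1 ] ||
       grep -q -e 'PRIVATE KEY-----' "$cert" ||
       ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "expected one certificate and no key material" >&2; return 3
    fi

    # A root CA or self-signed certificate has identical subject and issuer.
    if [ "$(openssl x509 -in "$cert" -noout -subject_hash)" != \
         "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
        echo "certificate is not self-issued" >&2; return 4
    fi

    # Reject a certificate that has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 5; }

    # Compare with the fingerprint obtained out of band.
    got=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 |
          cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F')
    [ "$got" = "$want" ] ||
        { echo "fingerprint mismatch: $got" >&2; return 6; }
}
```

Run it on the airgap server before the cp and cat commands, and continue only when it returns 0.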
To verify that the airgap virtual machine can access the required Internet resources, run the following commands:
# curl https://projects.registry.vmware.com --head
# curl https://vmwaresaas.jfrog.io --head
# curl https://packages.vmware.com --head
# curl https://github.com --head
# tdnf update
These commands must return 200 OK, which ensures that your network is ready.
- Prepare the user-inputs.yml file.
Set the airgap server up as a template and then deploy a customized airgap server using this template. The setup YAML files are available at airgap/scripts/vars/. The airgap/scripts/vars/user-inputs.yml file contains user-defined variables that specify the parameters for setting up the airgap server. Two examples are provided in the vars folder for this purpose. Use the setup-user-inputs.yml as a template and add your variables.
root@photon-machine [ ~/airgap/scripts/vars ]# ls
deploy-user-inputs.yml setup-user-inputs.yml
root@photon-machine [ ~/airgap/scripts/vars ]# cp setup-user-inputs.yml user-inputs.yml
root@photon-machine [ ~/airgap/scripts/vars ]# vi user-inputs.yml
The user-inputs.yml file contains input parameter descriptions. You can change these values according to your environment.
Note: In setup-user-inputs.yml, the default disk configuration is multiple disks. If you need a single disk setup, change the value of single_disk to single_disk: True.
If you want to deploy the airgap server in IPv6 setup, change the value of ip_family to ip_family: ipv6.
If you want the airgap server to hold multiple versions of VMware Telco Cloud Automation for the purpose of upgrading, change the products setting to specify all the required versions, separated by _. For example, the following configuration indicates that the airgap server syncs with both TCA 2.0.0 and 2.1.0 images.
products:
  - name: "tca"
    versions: "2.0.0_2.1.0"
- Run the setup.yml Ansible Playbook.
After you have updated the user-inputs.yml file, you can trigger the Ansible playbooks to set up the airgap server template:
root@photon-machine [ ~/airgap ]# scripts/bin/run.sh setup
Note: If installation fails, verify whether the airgap server can access the Internet.
Ansible Playbook takes around three hours to run, depending on your network speed, and you can view the log file to monitor progress. If there is an error, run Ansible Playbook again with the same command.