This document addresses common issues in using the airgap appliance and related solutions.
Issues and solutions
- Issue: Resize appliance disks
Cause: While using the airgap server, there might be chances that disk can go low on available space.
Solution: Follow the steps below to increase the disk size:- Open VM
Edit settings
wizard. - Specify a new size for the selected disk and click
OK
. - Open VM
Edit settings
wizard again. - Take note of total provisioned disk size in line
Hard disks
. - Expand
Hard disks
list, resize theHard disk 7
with value of the provisioned disk size in step 4 multiplied by 15%.For example, if the provisioned disk size is 1000GB, then the size for Hard disk 7 is 150GB (1000 * 15%).
- SSH login airgap appliance console.
- Check the list of disks by running the command
fdisk -l
. - Rescan the extended disk:
echo 1 > /sys/class/block/<disk-name>/device/rescan
.For example:
echo 1 > /sys/class/block/sdc/device/rescan
. - Perform pvresize to resize physical volume: pvresize /dev/<disk-name>.
For example:
pvresize /dev/sdc
. - Check mount points and logic volume mapping by
df -h |grep ^/dev
, find out the logic volume to extend size. - Extend logical volume:
lvextend -l +100%FREE <LV-name>
.For example:
lvextend -l +100%FREE /dev/VGOS/LV_OS
. - Perform a filesystem resize of logical volume:
resize2fs <LV-name>
. For example:resize2fs /dev/VGOS/LV_OS
. - Execute
df -h |grep ^/dev
to validate the disk resize is completed. - Scan the snapshot disk
echo 1 > /sys/class/block/sdg/device/rescan
. - Perform pvresize to the snapshot disk:
pvresize /dev/sdg
. - Extend snapshot logical volume:
lvextend -l +100%FREE /dev/mapper/vg_lvm_snapshot-lv_lvm_snapshot
. - Perform a filesystem resize of snapshot volume:
resize2fs /dev/mapper/vg_lvm_snapshot-lv_lvm_snapshot
. - Execute
df -h |grep ^/dev
to validate the disk resize is completed.
- Open VM
- Issue:
Failed to execute rsync operation when airgap appliance configured with proxy
Cause: This is a known issue that the source host and target host should be within the same network which can connect to each other directly. Access to the remote airgap server via proxy is not supported.
Solution: Follow the steps below to resolve this issue:- SSH to target airgap host.
- Clear proxy info:
bash /usr/local/airgap/scripts/bin/clear-proxy.sh
. - Logout from ssh connection.
- Login to target host again via SSH.
- Start rsync
agctl rsync
.
- Issue: Base64 encoding via command line. In some environments, the online Base64 encode/decode tool, https://www.base64encode.org/, may not be accessible.
Solution: When user wants to encode or decode certificates for deploying airgap OVA or for proxy server, following steps can be performed from command line:
- Encode certificate:
#base64 -w0 <certificate>
- Decode certificate:
#base64 -d <encoded-certificate>
- Encode certificate:
- Issue: Using chained certificates in airgap server.
Solution: When user has chained certificate which includes server cert, intermediate CA and root CA, user can follow the below steps to correctly apply the certificates on airgap server:
- Create a folder,
certificate
, on airgap server. - Copy the 3 certificates in the above folder.
- Merge the certificates into chained certificate:
cat <server-certificate> <intermediate-CA> <global-root-CA> > <new-chaine-certificate>
. - After the new chained certificate is created, convert it into Base64 format and apply when deploying airgap appliance OVA. Apply chained cert in server cert field and intermediate CA cert in CA cert field.
- Create a folder,
- Issue: Configure proxy in Day 1.
Solution: To configure proxy on airgap appliance, it requires three parameters:
- http proxy server URL– The proxy server that handles proxy HTTP traffic.
- https proxy server URL– The proxy server that handles proxy HTTPS traffic.
- no proxy list – Comma-separated exclusion list of networks for bypassing proxy.
Then run the script:/usr/local/airgap/scripts/bin/setup-proxy.sh <http-proxy-sever-url> <https-proxy-server-url> <no-proxy-list>
Example:/usr/local/airgap/scripts/bin/setup-proxy.sh http://proxy.example.com:3128 https://proxy.example.com:3443 tca-ag-tmp.example.com,192.168.0.0/24
Note: To avoid Harbor image publishing failure, ensure that the airgap server FQDN and the local network are added to the no_proxy list.If the proxy server uses HTTPS port and has configured a private CA-signed certificate or self-signed certificate, the user must upload and add the private root CA or self-signed certificate to airgap server root CA certificate bundle.
Ensure that the proxy CA certificate is named with surfix
.pem
, and avoid naming it withcacert.pem
, which is usually reserved for auto-generated CA certificates.If the environment uses other approaches to access the internet, configure your network infrastructure to ensure that the internet is accessible.
Upload private root CA or self-signed certificate to the airgap server and run the following steps to activate it:cp <proxy-ca>.pem /etc/ssl/certs/ cat <proxy-ca>.pem >> /etc/pki/tls/certs/ca-bundle.crt tdnf update tdnf install openssl-c_rehash -y rehash_ca_certificates.sh
To verify that the airgap virtual machine can access the required internet resources, run the following commands:curl https://projects.registry.vmware.com --head curl https://vmwaresaas.jfrog.io --head curl https://packages.vmware.com/photon/ --head curl https://github.com --head tdnf update
These commands must return 200 OK, which ensures that your network is ready.
- Issue: Cannot login airgap VM via SSH due to PAM authentication issue.
Cause: Sometimes users cannot login to the airgap server through SSH which might be caused by PAM authentication failure.
Solution: Below steps can be used to disable PAM authentication in SSH service to enable user login:- Login to vCenter server.
- Open the airgap appliance VM console.
- Login to the VM with root user in the VM console.
- Check SSHD service status
systemctl status sshd
. - Edit sshd_config file:
vi /etc/ssh/sshd_config
. - Change line
UsePAM yes
to# UsePAM yes
. - Save the config file.
- Restart SSHD service:
systemctl restart sshd
. - Try to login to the airgap appliance via SSH.
- Issue: Airgap Server upgrade and troubleshooting.
If the upgrade log ends with the error message
Airgap appliance upgrade failed! Please check log /var/log/vmware/capengine/cap-update/workflow.log for more details
, refer to the specified log to investigate the causes of the failure.Here are a few common errors encountered in the workflow.log along with their solutions:- Issue:
Build version mismatch
Cause: There are source and target build numbers in the log. This issue might occur if the target build number is smaller than the source build number.
Solution: Cancel upgrade as the existing build is newer than the target build.
- Issue:
Failed to execute command: umount -l /storage/alt_root/boot/efi
Cause: This is a temporary file system issue.
Solution: Redo
agctl upgrade
. - Issue:
One of the mandatory disks (lvm_snapshot) required for update is not present
Cause: This might occur if the snapshot volume does not automatically mount after reboot/power on.
Solution:
-
Check
/etc/fstab
iflvm_snapshot
is available:grep lvm_snapshot /etc/fstab
. -
If the mount point is available, run command
mount -a
. -
Check if the volume is mounted:
mount |grep lvm_snapshot
. -
If the mount point is not available in
/etc/fstab
and the volume is not mounted, run commandmount /dev/mapper/vg_lvm_snapshot-lv_lvm_snapshot /storage/lvm_snapshot/
to mount the volume manually. -
Rerun upgrade:
agctl upgrade
.
-
- Issue:
agctl upgrade
fails at times with erroriso does not exist
even if correct ISO path is provided especially when actual ISO name is used as is which contains version numbering.Cause: This is a known issue caused by combining source and target user-inputs.yml files during upgrade.
Solution:
-
Modify the upgraded ISO file name to a simple text like
update.iso
. -
Edit
/usr/local/airgap/scripts/vars/user-inputs.yml
, go to the fieldlocal_iso_path:
and revise the value of it.For example, if the ISO is located under the /tmp folder, then the value should be
/tmp/update.iso
. -
Save the user-inputs.yml and rerun
agctl upgrade
.
-
- Issue:
Best Practices
-
Encoding certificate using command line interface
In some environments, the online Base64 encode/decode tool https://www.base64encode.org/ may not be accessible. When user wants to encode or decode certificates for deploying airgap ova or for proxy server following steps can be performed from command line:
Encode certificate:#base64 -w0 <certificate>
Decode certificate:
#base64 -d <encoded-certificate>
-
Correct way of using chained certificates in airgap server
When user has chained certificate which includes server cert, intermediate CA, and root CA, user can follow the below steps to correctly apply the certificates on airgap server:
- Create a folder
certificate
on airgap server. - Copy the 3 certificates into above folder.
- Merge the server certificate and intermediate CA certificate into one file:
cat <server-certificate> <intermediate-CA> > <new-chaine-certificate>
- After the new chained certificate was created, convert it into Base64 format and apply in the following way:
- While deploying the OVA, provide the merged certificate as server certificate and Root CA certificate as CA certificate.
- While registering the airgap server in the TCA partner system, provide the root CA certificate in the certificate field.
- Create a folder