Log in to the TCA Airgap Appliance over SSH with the admin account, then switch to root with su to use the agctl command.

Prerequisites

  • The network that the TCA Airgap Appliance is connected to can reach the Proxy Server.

  • The Proxy Server allows anonymous access.

Procedure

  1. (Optional) Upload the untrusted Root CA certificate or self-signed certificate of the proxy server.

    This step is only required if the Proxy Server in your organization uses HTTPS and is configured with an untrusted self-signed certificate or a certificate signed by a private CA.

    1. Copy the untrusted Root CA certificate file or self-signed certificate to a directory on the TCA Airgap Appliance. For example, on the TCA Airgap Appliance console, create the proxy-ca.crt file in the editor, paste the certificate content into it, then save it with :wq

      vi /tmp/proxy-ca.crt

    2. Verify the proxy-ca.crt.

      openssl s_client -connect <proxy address>:<proxy https port> -CAfile /tmp/proxy-ca.crt

      The output of the above command is expected to contain “Verification: OK”.

  2. Edit /usr/local/airgap/scripts/vars/user-inputs.yml using the following command:
    vi /usr/local/airgap/scripts/vars/user-inputs.yml

    Update the following settings in the file:

    enable_proxy: True
    http_proxy: <proxy url>
    https_proxy: <proxy url>
    no_proxy: <comma-separated list of networks that bypass the proxy>
    proxy_ca_cert_path: <optional, file path prepared in Step 1>

    Examples:

    The proxy listens for HTTP on port 3128

    enable_proxy: True
    http_proxy: http://proxy.example.com:3128
    https_proxy: http://proxy.example.com:3128
    no_proxy: 192.168.0.0/15,.example.com
    #proxy_ca_cert_path: /tmp/proxy-ca.crt

    The proxy listens for HTTPS on port 3443

    enable_proxy: True
    http_proxy: https://proxy.example.com:3128
    https_proxy: https://proxy.example.com:3128
    no_proxy: 192.168.0.0/15,.example.com
    proxy_ca_cert_path: /tmp/proxy-ca.crt
  3. Apply the configuration using the agctl deploy command.
  4. Log out of the console, then log in again so that your shell picks up the latest proxy environment variables. Check connectivity to the remote repositories by running the agctl selfcheck remote command. All repository sites in the output are expected to be reachable.

    For example:

    root@airgap320 [ /home/admin ]# agctl selfcheck remote
    Check Remote Repositories Connectivities
    Environment Proxy settings:
        http_proxy  : http://proxy.ipv6.eng.vmware:3128    
        https_proxy :http://proxy.ipv6.eng.vmware.com:3128    
        no_proxy    :localhost,192.168.0.0/16,172.16,0.0/16,
                    .ipv6.eng.vmware.com
    Docker proxy settings:    
        http_proxy  :http://proxy.ipv6.eng.vmware:3128    
        https_proxy : http://proxy.ipv6.eng.vmware.com:3128    
        no_proxy    : localhost,192.168.0.0/16,172.16,0.0/16,
                     .ipv6.eng.vmware.com
    projects.registry.vmware.com : reachable
    packages.vmware.com/photon   : reachable
    vmwaresaas.jfrog.io          : reachable
    s3.amazonaws.com             : reachable
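
Step 1's certificate check as a script, added here as an example rather than taken from the product: it sanity-checks the CA file locally, runs the same openssl s_client command without waiting on interactive input, and fails unless the output contains “Verification: OK”. The function names are hypothetical, and the address, port and file path passed to it are placeholders.

```shell
#!/bin/sh
# Added example (not vendor code). Host, port and CA path are placeholders.

# Read `openssl s_client` output on stdin; succeed only when it reports a
# verified chain. s_client finishes the handshake and prints the server
# certificate even when verification fails, so a successful connection
# alone proves nothing: the "Verification: OK" line is the result.
s_client_verified() {
    grep -q '^Verification: OK'
}

# Local checks on the CA file before trusting it: it must parse as a PEM
# X.509 certificate and must not already be expired.
check_ca_file() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 ||
        { echo "not a readable PEM certificate: $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired: $1" >&2; return 1; }
    # Print identifying fields so the operator can compare them with the
    # values published by the team that runs the proxy or private CA.
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# usage: verify_proxy_ca <proxy address> <proxy https port> <ca file>
verify_proxy_ca() {
    check_ca_file "$3" || return 1
    # </dev/null closes stdin so s_client exits after the handshake
    # instead of waiting for interactive input.
    if openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null |
        s_client_verified; then
        echo "proxy certificate chains to $3"
    else
        echo "verification FAILED for $1:$2 with $3" >&2
        return 1
    fi
}

# Run the check only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    verify_proxy_ca "$@" || exit 1
fi
```

A non-zero exit status means proxy_ca_cert_path should not be set to that file until the mismatch is explained.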