Preparing to install IBM Cloud Pak for Watson AIOps Infrastructure Automation in an air-gapped environment (offline) using a portable compute device

If your cluster is not connected to the internet, you can deploy a production install of IBM Cloud Pak® for Watson AIOps Infrastructure Automation on your cluster by using a portable compute device.

In this scenario, your air-gapped (offline) environment has a target registry, and a Red Hat® OpenShift® Container Platform cluster on which Infrastructure Automation is to be installed. Infrastructure Automation images are mirrored from the internet to a file system on a portable compute device. The portable device is then disconnected from the internet and connected in the offline environment, where the images are loaded to the target registry. Infrastructure Automation can then be installed in the offline environment by using the target registry.

Notes: The following procedure is based on a Red Hat® OpenShift® Container Platform 4.10 environment and includes links for that version. If your environment uses a different supported version of Red Hat® OpenShift® Container Platform, ensure that you follow the Red Hat OpenShift documentation for that version.

Before you begin

Review the Planning section. Your environment must meet the system requirements.

Important: The storageClass and storageClassLargeBlock that are used for creating the IBM Cloud Pak for Watson AIOps custom resource must have the same value as the storageClass and storageClassLargeBlock that are used for creating the Infrastructure Automation custom resource.

Procedure

From a high level, an air-gapped installation of Infrastructure Automation consists of five steps:

Set up your mirroring environment
Set environment variables and download CASE files
Mirror images to portable registry
Configure storage
Install Infrastructure Automation by way of Red Hat OpenShift Container Platform

1. Set up your mirroring environment

Before you install any IBM Cloud Pak® on an air-gapped environment, you must set up a host that can be connected to the internet to complete configuring your mirroring environment. To set up your mirroring environment, complete the following steps:

Prerequisites

You must satisfy the following prerequisites:

Red Hat® OpenShift® Container Platform requires you to have cluster admin access to run the configure-cluster-airgap and install-operator commands.

Access to the following sites and ports:
- *.icr.io:443 for IBM Entitled Registry and Infrastructure Automation catalog source
- *.quay.io:443 for Infrastructure Automation catalog and images. For more information, see Important firewall changes for customers pulling container images.
- github.com for CASEs and tools
- redhat.com for Red Hat OpenShift Container Platform upgrades

1.1 Install and configure Red Hat OpenShift

Infrastructure Automation requires Red Hat OpenShift to be installed and running on your target cluster. You must have administrative access to your Red Hat OpenShift cluster.

For more information about the supported versions of Red Hat OpenShift, see Supported Red Hat OpenShift Container Platform versions.

Install Red Hat OpenShift by using the instructions in the Red Hat OpenShift documentation . Information about installing a cluster in a restricted network is given in Mirroring images for a disconnected installation .
Install the Red Hat OpenShift command line interface (oc) on your cluster's boot node and run oc login. For more information, see the instructions in Getting started with the Red Hat OpenShift CLI.
Optionally configure a custom certificate for Infrastructure Automation to use. You can use either of the following methods:
- Configure a custom certificate for the Red Hat OpenShift cluster. Follow the instructions in the Red Hat OpenShift documentation Replacing the default ingress certificate. Then, deploy the signing CA certificate into the cluster by following the instructions in the Red Hat OpenShift documentation Replacing the CA Bundle certificate.
- If you would like to use a custom certificate for Infrastructure Automation only, then after installation is complete follow the instructions in Using a custom certificate.

1.2 Set up a target registry

You must have a local Docker type production-grade registry available in the air-gapped environment to store the Infrastructure Automation images in. The registry must meet the following requirements:

supports Docker Manifest V2, Schema 2.
supports multi-architecture images.
is accessible from the Red Hat OpenShift cluster nodes.
allows path separators in the image name.
you have the username and password for a user who can read from and write to the registry.
must have 59 GB of storage to hold all of the software that is to be transferred to the target registry.

If you do not already have a suitable production-grade registry available, then you must install and configure one. For more information, see About the mirror registry Opens in a new tab in the Red Hat OpenShift documentation.

Important: Do not use the Red Hat OpenShift image registry as your target registry. The Red Hat OpenShift registry does not support multi-architecture images or path separators in the image name.

1.3 Prepare a host

Regardless of which type of host you're using, you must be able to connect it to the internet and to the air-gapped network with access to the Red Hat® OpenShift® Container Platform cluster and the local, intranet Docker type registry. Your host must be on a Linux® x86_64 or Mac platform with any operating system that the IBM Cloud Pak® CLI and the Red Hat® OpenShift® Container Platform CLI support. If you are on a Windows platform, you must run the actions in a Linux® x86_64 VM or from a Windows Subsystem for Linux (WSL) terminal.

Your host must have 59 GB of storage to hold all of the software that is to be transferred to the local, intranet Docker type registry.

The following table explains the software requirements for installing Infrastructure Automation in an air-gapped environment:

Table 2. Software requirements and purpose
Software	Purpose
OpenSSL	Validating certificates when you run the air-gapped install scripts
Docker	Container management
Podman	Container management
Apache httpd-tools	Creating an account when you run the air-gapped install scripts
Red Hat® OpenShift® Container Platform CLI (oc)	Red Hat OpenShift Container Platform administration
IBM Catalog Management Plug-in for IBM Cloud Pak	Running CASE commands

Complete the following steps on your host:

Install OpenSSL version 1.11.1 or higher.
Install Docker or Podman.
- To install Docker (for example, on Red Hat® Enterprise Linux®), run the following commands:
```
yum check-update
yum install docker
```
  Note: Docker is not shipped or supported by Red Hat for Red Hat Enterprise Linux (RHEL) 8. The podman container engine replaced docker as the preferred, maintained, and supported container runtime of choice for Red Hat Enterprise Linux 8 systems. For more information, see the Red Hat documentation Running containers without Docker .
- To install Podman, see Podman Installation Instructions .
Install httpd-tools.
```
yum install httpd-tools
```
Install the oc Red Hat® OpenShift® Container Platform CLI tool. For more information, see Install the OpenShift CLI.
Create a directory that serves as the offline store.

Following is an example directory, which is used in the subsequent steps.
```
mkdir $HOME/offline
```
Note: This offline store must be persistent to avoid transferring data more than once. The persistence also helps to run the mirroring process multiple times or on a schedule.

The portable device must be configured such that it can independently connect to the internet and to the air-gapped network.

1.4 Install the IBM Catalog Management Plug-in for IBM Cloud Pak®

The IBM Catalog Management Plug-in for IBM Cloud Pak (ibm-pak-plugin) is used for the deployment of IBM Cloud Paks® in a disconnected environment. It simplifies the process for discovering required IBM product images and uses standard tools for registry and cluster access. The ibm-pak-plugin also extends the Red Hat OpenShift CLI (oc) capability to streamline the process of delivering installation images to the IBM Cloud Pak in an air-gapped environment.

Download and install the most recent version of the ibm-pak-plugin for your host operating system from github.com/IBM.
Run the following command to extract the files.
```
tar -xf oc-ibm_pak-linux-amd64.tar.gz
```
Run the following command to move the file to the /usr/local/bin directory.
```
mv oc-ibm_pak-linux-amd64 /usr/local/bin/oc-ibm_pak
```
Note: If you are installing as a non-root user, you must use sudo.
Confirm that the ibm-pak-plugin is installed by running the following command.
```
oc ibm-pak --help
```
Expected result: The ibm-pak-plugin usage is displayed.

1.5 Download documentation and scripts for offline access

Download the following documents and scripts that you will need to be able to access offline during your Infrastructure Automation installation or uninstallation, and copy them to your air-gapped environment.

Cloud Pak for Watson AIOps 4.1.2 documentation

Download the Cloud Pak for Watson AIOps 4.1.2 documentation (this documentation) so that you can access it offline. You can download a PDF of the Cloud Pak for Watson AIOps Infrastructure Automation documentation from PDF documentation.

Red Hat OpenShift Container Platform documentation

The Red Hat OpenShift documentation can be downloaded for offline access from Red Hat Opens in a new tab . The CLI tools, Images, Operators, and Networking sections are referenced by this documentation.

IBM Cloud Paks® documentation

Download the IBM Cloud Paks® documentation so that you can access it offline. You can download a PDF of the documentation from PDF documentation.

2. Set environment variables and download CASE files

Before mirroring your images, you can set the environment variables on your mirroring device, and connect to the internet so that you can download the corresponding CASE files. To finish preparing your host, complete the following steps:

Note: Save a copy of your environment variable values to a text editor. You can use that file as a reference to cut and paste from when completing your air-gapped installation tasks.

Create the following environment variables with the installer image name and the image inventory on your host.

export IA_CASE_NAME=ibm-ia-installer
export IA_CASE_VERSION=1.5.2
export IA_CASE_ARCHIVE=$IA_CASE_NAME-$IA_CASE_VERSION.tgz
export IA_CASE_INVENTORY_SETUP=ibmInfrastructureAutomationOperatorSetup
export OFFLINEDIR_ARCHIVE=offline.tgz
export IA_CASE_REPO_PATH=https://github.com/IBM/cloud-pak/raw/master/repo/case
export TARGET_REGISTRY_HOST=<IP_or_FQDN_of_target_registry>
export TARGET_REGISTRY_PORT=<port_number_of_target_registry>
export TARGET_REGISTRY=$TARGET_REGISTRY_HOST:$TARGET_REGISTRY_PORT
export TARGET_REGISTRY_USER=<username>
export TARGET_REGISTRY_PASSWORD=<password>
export TARGET_REGISTRY_PATH=$OFFLINEDIR/imageregistry

The target registry is the registry where the Infrastructure Automation images will be mirrored to, and accessed from by the Red Hat OpenShift cluster, as setup in 1.2 Set up a target registry

Connect your host to the internet and disconnect it from the local air-gapped network.
Download the Infrastructure Automation installer and image inventory to your host.
```
oc ibm-pak get $IA_CASE_NAME --version $IA_CASE_VERSION
```
The CASE is downloaded to ~/.ibm-pak/data/cases/$IA_CASE_NAME/$IA_CASE_VERSION. The logs files are available at ~/.ibm-pak/logs/oc-ibm_pak.log.

Note: If you do not specify the CASE version, then the latest CASE is downloaded. The root directory that is used by ibm-pak-plugin is ~/.ibm-pak. If required, the root directory can be configured by setting the IBMPAK_HOME environment variable.
Verify that the images are downloaded by running ls against your offline directory.
```
ls ~/.ibm-pak/data/cases/${IA_CASE_NAME}/${IA_CASE_VERSION}
```

Your host is now configured and you are ready to mirror your images.

3. Mirror images to portable registry

The process of mirroring images takes the image from the internet to your host, then effectively copies that image on to your air-gapped environment. After you mirror your images, you can configure your cluster and complete an air-gapped installation.

Notes:

If you want to install subsequent updates to your air-gapped environment, you must do a CASE save to get the image list when performing those updates.
For details on ensuring you do not introduce changes to multiple environments, see Setting up a repeatable air-gap process.
For your mirror registry certs, include a SAN entry. In addition, configure your cluster with the certs or mark the registry as insecure. For more information about how to complete the configuration, see the Red Hat OpenShift documentation Setting up additional trusted certificate authorities for builds .

Complete the following steps to mirror your images from your host to your air-gapped environment:

3.1. Generate mirror manifests

Run the following command to generate mirror manifests to be used when mirroring the images to the target registry.

oc ibm-pak generate mirror-manifests $IA_CASE_NAME file://cpfs --version $IA_CASE_VERSION --final-registry $TARGET_REGISTRY/cpfs

A new directory named ~/.ibm-pak/mirror is created when you issue the oc ibm-pak generate mirror-manifests command. The files images-mapping.txt and image-content-source-policy.yaml are generated at ~/.ibm-pak/data/mirror/$IA_CASE_NAME/$IA_CASE_VERSION.

Table 1. Parameter description
Argument	Description
`file://cpfs`	Specifies the path extension where images will be mirrored to. Images are mirrored to `$IMAGE_PATH/cpfs` when the `oc image mirror` command is run with `images-mapping-to-filesystem.txt`. For more information, see Mirror the images to the file system.
`$TARGET_REGISTRY/cpfs`	This argument generates an image-mapping file that is used by the `oc image mirror` commands to mirror images to the `TARGET_REGISTRY` at namespace `cpfs`. For example, if the CASE you are installing needs the image, `quay.io/opencloudio/ibm-events-kafka-2.6.0@sha256:10d422dddd29ff19c87066fc6510eee05f5fa4ff608b87a06e898b3b6a3a13c7`, then its final URL in your target registry will be `$TARGET_REGISTRY/cpfs/opencloudio/ibm-events-kafka-2.6.0`. Note the new namespace of `cpfs` in the URL. The namespace path can be multi level if your target registry supports it.

The command will generate the following files at ~/.ibm-pak/data/mirror/$IA_CASE_NAME/$IA_CASE_VERSION:

images-mapping-to-filesystem.txt
images-mapping-from-filesystem.txt
image-content-source-policy.yaml

3.2. Authenticate with the registries

Log in to the registries to generate an authentication file containing the registry credentials, and then create an environment variable that has the location of the authentication file. This file is used later to enable the oc image mirror command to pull the images from the IBM Entitled Registry, and push them to the target registry.

Get the authentication credentials for the IBM Entitled Registry.
1. To obtain the entitlement key that is assigned to your IBMid, log in to MyIBM Container Software Library with the IBMid and password details that are associated with the entitled software.
2. In the Entitlement keys section, select Copy key to copy the entitlement key.
Run the following command to create an environment variable containing your entitlement key.
```
export ENTITLED_REGISTRY_PASSWORD=<key>
```
Where <key> is the entitlement key that you copied in the previous step.

Store the authentication credentials for the IBM Entitled Registry and the target registry.

If you are using Podman, run the following commands:

podman login cp.icr.io -u cp -p $ENTITLED_REGISTRY_PASSWORD
podman login $TARGET_REGISTRY -u $TARGET_REGISTRY_USER -p $TARGET_REGISTRY_PASSWORD
export REGISTRY_AUTH_FILE=${XDG_RUNTIME_DIR}/containers/auth.json
unset ENTITLED_REGISTRY_PASSWORD

Note: The authentication file is usually at ${XDG_RUNTIME_DIR}/containers/auth.json. For more information, see the Options section in the Podman documentation Opens in a new tab .

If you are using Docker, run the following commands:

docker login cp.icr.io -u cp -p $ENTITLED_REGISTRY_PASSWORD
docker login $TARGET_REGISTRY -u $TARGET_REGISTRY_USER -p $TARGET_REGISTRY_PASSWORD
export REGISTRY_AUTH_FILE=$HOME/.docker/config.json
unset ENTITLED_REGISTRY_PASSWORD

Note: The authentication file is usually at $HOME/.docker/config.json. For more information, see the Docker documentation Opens in a new tab

3.3. Mirror the images to the file system

Complete these steps to mirror the images from the internet to a file system on your portable device.

Create an environment variable to store the location of the file system where the images are to be stored.
```
export IMAGE_PATH=<image-path>
```
Where <image-path> is the directory where you want the images to be stored.
Run the following command to mirror the images from the IBM Entitled Registry to the file system.
```
nohup oc image mirror \
-f ~/.ibm-pak/data/mirror/$IA_CASE_NAME/$IA_CASE_VERSION/images-mapping-to-filesystem.txt \
-a $REGISTRY_AUTH_FILE \
--filter-by-os '.*' \
--insecure \
--skip-multiple-scopes \
--dir "$IMAGE_PATH" \
--max-per-registry=1 > my-mirror-progress.txt 2>&1 &
```
The UNIX command nohup is used to ensure that the mirroring process continues even if there is a loss of network connection, and redirection of output to a file provides improved monitoring and error visibilty.

Run the following command if you want to see the progress of the mirroring:
```
tail -f my-mirror-progress.txt
```
Note: If an error occurs during mirroring, the mirror command can be re-run.

3.4 Setup the file system in the air-gapped environment

Disconnect the device which has your file system, (the portable compute device or the local compute device) from the internet and connect it to the air-gapped environment.
Ensure that environment variables are set on the device in the air-gapped environment that has access to the target registry.

If you are using a portable storage device, then set the following environment variables on your local compute device within the air-gapped environment.

If you are using a portable compute device which you have restarted since mirroring the images, then your environment variables will have been lost and you will need to set the following environment variables on your portable compute device again.
```
export CASE_NAME=ibm-cp-waiops
export CASE_VERSION=1.5.2
export TARGET_REGISTRY_HOST=<IP_or_FQDN_of_target_registry>
export TARGET_REGISTRY_PORT=<port_number_of_target_registry>
export TARGET_REGISTRY=$TARGET_REGISTRY_HOST:$TARGET_REGISTRY_PORT
export TARGET_REGISTRY_USER=<username>
export TARGET_REGISTRY_PASSWORD=<password>
export IMAGE_PATH=<image_path>
```

3.5 Authenticate with the target registry

Authenticate with the target registry in the air-gapped environment that you will be mirroring the images into.

If you are using Podman, run the following command:

podman login $TARGET_REGISTRY -u $TARGET_REGISTRY_USER -p $
export REGISTRY_AUTH_FILE=${XDG_RUNTIME_DIR}/containers/auth.json

Note: The authentication file is usually at ${XDG_RUNTIME_DIR}/containers/auth.json. For more information, see the Options section in the Podman documentation Opens in a new tab .

If you are using Docker, run the following command:

docker login $TARGET_REGISTRY -u $TARGET_REGISTRY_USER -p $TARGET_REGISTRY_PASSWORD
export REGISTRY_AUTH_FILE=$HOME/.docker/config.json

Note: The authentication file is usually at $HOME/.docker/config.json. For more information, see the Docker documentation Opens in a new tab

3.6 Mirror the images to the target registry from the file system

Complete the steps in this section on the device which has your file system (the portable compute device or the local compute device) to copy the images from the file system to the $TARGET_REGISTRY. Your device with the file system must be connected to both the target registry and the Red Hat OpenShift cluster.

Run the following command to copy the images referenced in the images-mapping-from-filesystem.txt from the $IMAGE_PATH file system to the final target registry.

nohup oc image mirror \
-f ~/.ibm-pak/data/mirror/$IA_CASE_NAME/$IA_CASE_VERSION/images-mapping-from-filesystem.txt \
--from-dir "$IMAGE_PATH" \
-a $REGISTRY_AUTH_FILE \
--filter-by-os '.*' \
--insecure  \
--skip-multiple-scopes \
--max-per-registry=1 > my-mirror-progress2.txt 2>&1 &

The UNIX command nohup is used to ensure that the mirroring process continues even if there is a loss of network connection, and redirection of output to a file provides improved monitoring and error visibilty.

Run the following command if you want to see the progress of the mirroring:

tail -f my-mirror-progress2.txt

Note: If an error occurs during mirroring, the mirror command can be re-run.

3.7 Configure the cluster

Log in to your OpenShift cluster.

You can identify your specific oc login command by clicking the user menu in the upper left corner of the Red Hat OpenShift console, and then clicking Copy Login Command.

Example:
```
oc login <server> -u <cluster username> -p <cluster pass>
```
Update the global image pull secret for your Red Hat OpenShift cluster.

Follow the steps in the Red Hat OpenShift documentation topic Updating the global cluster pull secret .

These steps enable your cluster to have authentication credentials in place to pull images from your TARGET_REGISTRY as specified in the image-content-source-policy.yaml, which you will apply to your cluster in the next step.
Create the ImageContentSourcePolicy.

Run the following command to create an ImageContentSourcePolicy (ICSP).
```
oc apply -f  ~/.ibm-pak/data/mirror/$IA_CASE_NAME/$IA_CASE_VERSION/image-content-source-policy.yaml
```
Verify that the ImageContentSourcePolicy resource is created.
```
oc get imagecontentsourcepolicy
```
Verify your cluster node status.
```
oc get MachineConfigPool -w
```
Important: After the ImageContentsourcePolicy and global image pull secret are applied, the configuration of your nodes will be updated sequentially. Wait until all of the MachineConfigPools are updated before proceeding to the next step.

(Optional) If you use an insecure registry, you must add the target registry to the cluster's insecureRegistries list.

oc patch image.config.openshift.io/cluster --type=merge \
-p '{"spec":{"registrySources":{"insecureRegistries":["'${TARGET_REGISTRY}'"]}}}'

4. Configure storage

The storage configuration must satisfy your sizing requirements. Two storage classes are needed for installing Infrastructure Automation. For more information, see Storage.

5. Install Infrastructure Automation by way of Red Hat OpenShift Container Platform

Now that your images are mirrored to your air-gapped environment, you can deploy Infrastructure Automation to that environment. When you mirrored your environment, you created a parallel offline version of everything that you needed to install an operator into Red Hat® OpenShift® Container Platform. To install Infrastructure Automation, complete the following steps:

5.1 Create a custom project (namespace)

Create a project (namespace) called cp4waiops for your Infrastructure Automation deployment, by running the following command:

oc create namespace cp4waiops

5.2 Create the catalog source

Set the project (namespace) to install the catalog:
```
export CATALOG_NAMESPACE=openshift-marketplace
```

Create the catalog source.

oc ibm-pak launch \
  $IA_CASE_NAME \
  --version $IA_CASE_VERSION \
  --action install-catalog \
  --inventory $IA_CASE_INVENTORY_SETUP \
  --namespace $CATALOG_NAMESPACE \
  --args "--registry $TARGET_REGISTRY --recursive \
  --inputDir ~/.ibm-pak/data/cases/$IA_CASE_NAME/$IA_CASE_VERSION"

5.3 Create an air-gapped instance of Infrastructure Automation

Follow the instructions in Online production install of IBM Cloud Pak for Watson AIOps Infrastructure Automation from step 6, Install the Infrastructure Automation operator onwards.