Apps only Standalone software in an air gap environment

This procedure applies only if you are installing the standalone software (run file) in an air gap environment for the purpose of deploying IBM® Security QRadar® SOAR apps.

About this task

Before completing this procedure, you must access the Internet to download files and access images for your private repository, as follows:
  • This procedure assumes you have a private repository as described in Apps only private repository.
  • Download the Edge Gateway standalone file (name-<version>.run) from IBM Support Fix Central to a system of your choice.
  • Download the appropriate k3s-airgap-images .tar file for your repository from the Rancher releases page:
    1. Log in to your Edge Gateway system and check the k3s version using the following command:
      rpm -q k3s
      This returns output similar to the following:
      apphost>rpm -q k3s
      k3s-v1.26.14+k3s1-1.x86_64
      apphost>
      where 1.26.14+k3s1 is the k3s version and x86_64 is the CPU architecture.
    2. Go to https://github.com/k3s-io/k3s/releases and select the correct k3s release version.
    3. From the various k3s-airgap-images .tar files, choose the one that is required by your repository.
  • Tag and push the coredns image to your private repository. Make sure the repository uses the meta-repo, rancher.
    The following example assumes that you are using docker and that coredns is version 1.6.3:
    docker pull rancher/coredns-coredns:1.6.3
    docker tag rancher/coredns-coredns:1.6.3 <registry_domain_name>/rancher/coredns-coredns:1.6.3
    docker push <registry_domain_name>/rancher/coredns-coredns:1.6.3
    Note: In some environments, you might need to use <domain_name>:<port> instead of <registry_domain_name>.
  • Tag and push the Edge Gateway images to your private repository. Make sure the repository name is ibmresilient. The following example assumes you are using docker.
    docker pull quay.io/ibmresilient/apps-synchronizer:<app_host_version>
    docker pull quay.io/ibmresilient/apps-operator:<app_host_version>
    
    docker tag quay.io/ibmresilient/apps-synchronizer:<app_host_version> <registry_domain_name>/ibmresilient/apps-synchronizer:<app_host_version>
    docker tag quay.io/ibmresilient/apps-operator:<app_host_version> <registry_domain_name>/ibmresilient/apps-operator:<app_host_version>
    
    docker push <registry_domain_name>/ibmresilient/apps-synchronizer:<app_host_version>
    docker push <registry_domain_name>/ibmresilient/apps-operator:<app_host_version>
Note: Do not install the Edge Gateway software before completing this procedure.
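
The version lookup and download steps above can be scripted so that the file carried across the air gap is the one the release publishes. The following is an added example, not IBM's or the k3s project's code. It assumes that the release page for a tag is reached at /releases/tag/<tag> and that the release provides a sha256sum-format checksum file that lists the chosen tar file by name.

```shell
#!/bin/sh
# Added example (not IBM's code). The checksum file and URL layout are
# assumptions about the k3s release page; confirm them before relying on this.

# k3s_release_from_rpm "k3s-v1.26.14+k3s1-1.x86_64" prints "v1.26.14+k3s1 amd64"
k3s_release_from_rpm() {
    pkg=$1
    arch=${pkg##*.}      # text after the last dot: CPU architecture
    rest=${pkg%.*}       # k3s-v1.26.14+k3s1-1
    rest=${rest#k3s-}    # v1.26.14+k3s1-1
    tag=${rest%-*}       # drop the RPM release suffix: v1.26.14+k3s1
    case $arch in
        x86_64)  arch=amd64 ;;
        aarch64) arch=arm64 ;;
        s390x)   ;;
        *) echo "unsupported architecture: $arch" >&2; return 1 ;;
    esac
    case $tag in
        v[0-9]*+k3s[0-9]*) printf '%s %s\n' "$tag" "$arch" ;;
        *) echo "unexpected k3s version string: $tag" >&2; return 1 ;;
    esac
}

# Release page URL for a tag; the "+" has to be percent-encoded in the path.
k3s_release_url() {
    printf 'https://github.com/k3s-io/k3s/releases/tag/%s\n' \
        "$(printf '%s' "$1" | sed 's/+/%2B/g')"
}

# verify_airgap_tar <checksum-file> <tar-file>
# Succeeds only if the checksum file lists the tar's name with a matching digest.
verify_airgap_tar() {
    sums=$1 file=$2
    name=$(basename "$file")
    want=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1 }' "$sums")
    [ -n "$want" ] || { echo "$name not listed in $sums" >&2; return 1; }
    have=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$want" = "$have" ] || { echo "digest mismatch for $name" >&2; return 1; }
}
```

Run verify_airgap_tar once after the download and again on the target system after the copy in step 1, so that a file altered or truncated in transit is caught before k3s imports it.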

Log in as a privileged user to the system that is to host the Edge Gateway software and complete the following procedure.

Procedure

  1. Copy the downloaded Edge Gateway and k3s-airgap-images files to this system.
  2. Add the private repository's self-signed certificate (domain.crt) to the trusted certificates.
    cp <path_to_certificate> /etc/pki/ca-trust/source/anchors &&
    update-ca-trust extract
    Note: If it is a certificate chain, add the root certificate to trusted certs.
  3. If the private repository DNS name cannot be resolved, add the domain to /etc/hosts:
    192.168.xxx.1 <registry_domain_name>
  4. Run the following commands to install the k3s-airgap-images, where <file_name> is the name of the k3s-airgap-images tar file:
    sudo mkdir -p /var/lib/rancher/k3s/agent/images/ &&
    sudo cp <file_name> /var/lib/rancher/k3s/agent/images/
  5. Create the registries.yaml file:
    sudo mkdir -p /etc/rancher/k3s &&
    sudo vi /etc/rancher/k3s/registries.yaml
    Make sure one mirror in the registries.yaml file is docker.io and its endpoint is the private repository URL. For example:
    mirrors:
      docker.io:
        endpoint:
          - "<private_registry_URL>"
    configs:
      "<private_registry_URL>":
        auth:
          username: <username> # this is the registry username
          password: <password> # this is the registry password
        tls: # if needed
          cert_file: # path to the cert file used in the registry
          key_file: # path to the key file used in the registry
          ca_file: # path to the ca file used in the registry
  6. Install the standalone software using the procedure in Installing the standalone software.
  7. Check that all the pods are in the running state:
    sudo kubectl get pods -A
  8. Deploy the Edge Gateway containers with the configured private registry as described in Pairing the IBM Security QRadar Suite Software account with Edge Gateway:
    sudo manageAppHost install -p <pairing information.json> --registry <registry_URL> --user <username>
  9. Verify that all pods are in the running state:
    sudo kubectl get pods -A
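
Steps 4 and 5 can be checked before running the installer in step 6. The following is an added example, not IBM's code. It assumes the two-space indentation used in the registries.yaml example above and a tar file name that begins with k3s-airgap-images-. Requiring an https endpoint and owner-only file permissions are policy choices made in this example because the file holds the registry password.

```shell
#!/bin/sh
# Added example (not IBM's code): pre-install checks for steps 4 and 5.

# docker_io_endpoints <registries.yaml>
# Prints each endpoint listed under mirrors -> docker.io -> endpoint.
docker_io_endpoints() {
    awk '
        /^[^ #]/                       { top = $1; mirror = ""; inlist = 0 }
        top == "mirrors:" && /^  [^ ]/ { mirror = $1; gsub(/"/, "", mirror); inlist = 0 }
        mirror == "docker.io:" && /^    endpoint:/ { inlist = 1; next }
        inlist && /^ *- /              { v = $2; gsub(/"/, "", v); print v; next }
        inlist && /^ *[^ -]/           { inlist = 0 }
    ' "$1"
}

# check_registry_config <registries.yaml>
check_registry_config() {
    f=$1 rc=0
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    eps=$(docker_io_endpoints "$f")
    [ -n "$eps" ] || { echo "no docker.io mirror endpoint in $f" >&2; rc=1; }
    for ep in $eps; do
        case $ep in
            https://*) ;;   # policy choice: credentials only go to https
            *) echo "endpoint is not https: $ep" >&2; rc=1 ;;
        esac
    done
    # The file holds the registry password: group and other get no access.
    case $(ls -ld "$f") in
        ????------*) ;;
        *) echo "$f is accessible to group or other; use chmod 600" >&2; rc=1 ;;
    esac
    return $rc
}

# airgap_images_staged [dir]   (default: the directory used in step 4)
airgap_images_staged() {
    dir=${1:-/var/lib/rancher/k3s/agent/images}
    for t in "$dir"/k3s-airgap-images-*.tar*; do
        if [ -f "$t" ]; then return 0; fi
    done
    echo "no k3s-airgap-images tar in $dir" >&2
    return 1
}
```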

Results

The Edge Gateway image is successfully installed and configured to use a private repository.

The next step is to deploy Edge Gateway instances as described in Pairing the IBM Security QRadar Suite Software account with Edge Gateway.