Apps only Virtual appliance in an air gap environment

This procedure applies only if you are installing the virtual appliance (.ova file) in an air gap environment to deploy IBM® Security QRadar® SOAR apps.

About this task

Before proceeding, you must access the internet to download files and access images for your private repository as follows:
  • This procedure assumes you have a private repository as described in Apps only private repository.
  • Download the package for the Edge Gateway virtual application from IBM Support Fix Central. The Edge Gateway .ova installation file is available from the apphost-<version>.run package, and the file name is apphost_<Red_Hat_OS_version>_<version>.ova. Install the latest version to get the newest features and security updates.
  • Download the appropriate k3s-airgap-images .tar file for your repository from the Rancher releases page:
    1. Log in to your Edge Gateway system and check the k3s version using the following command:
      rpm -q k3s
      This returns output similar to the following:
      apphost>rpm -q k3s
      k3s-v1.26.14+k3s1-1.x86_64
      apphost>
      where 1.26.14+k3s1 is the k3s version and x86_64 is the CPU architecture.
    2. Go to https://github.com/k3s-io/k3s/releases and select the correct k3s release version.
    3. From the various k3s-airgap-images.tar files, choose the one that is required by your repository.
  • Tag and push the coredns image to your private repository. Make sure the repository uses the meta-repo, rancher.
    The following example assumes that you are using Docker and that coredns is at version 1.6.3.
    docker pull rancher/coredns-coredns:1.6.3
    docker tag rancher/coredns-coredns:1.6.3 <registry_domain_name>/rancher/coredns-coredns:1.6.3
    docker push <registry_domain_name>/rancher/coredns-coredns:1.6.3
    Note: In some environments, you might need to use <domain_name>:<port> instead of <registry_domain_name>.
  • Tag and push the Edge Gateway images to your private repository. Make sure the repository name is ibmresilient. The following example assumes that you are using Docker:
    docker pull quay.io/ibmresilient/apps-synchronizer:<app_host_version>
    docker pull quay.io/ibmresilient/apps-operator:<app_host_version>
    
    docker tag quay.io/ibmresilient/apps-synchronizer:<app_host_version> <registry_domain_name>/ibmresilient/apps-synchronizer:<app_host_version>
    docker tag quay.io/ibmresilient/apps-operator:<app_host_version> <registry_domain_name>/ibmresilient/apps-operator:<app_host_version>
    
    docker push <registry_domain_name>/ibmresilient/apps-synchronizer:<app_host_version>
    docker push <registry_domain_name>/ibmresilient/apps-operator:<app_host_version>
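
The version lookup above can be scripted, with an integrity check on the k3s-airgap-images file before it is carried across the air gap. This is an added example, not IBM code; it assumes that the checksum list sha256sum-<arch>.txt was downloaded from the same k3s release page, that it lists the tar file, and that sha256sum is available.

```shell
#!/bin/sh
# Added example, not IBM code. Input is the string printed by `rpm -q k3s`,
# for example k3s-v1.26.14+k3s1-1.x86_64.

# Release tag to select on the k3s releases page, e.g. v1.26.14+k3s1.
k3s_release_tag() {
    pkg=${1#k3s-}              # drop the package name
    pkg=${pkg%.*}              # drop the .<cpu_arch> suffix
    printf '%s\n' "${pkg%-*}"  # drop the RPM release number
}

# Map the RPM CPU architecture to the suffix used in k3s asset names.
k3s_asset_arch() {
    case ${1##*.} in
        x86_64)  echo amd64 ;;
        aarch64) echo arm64 ;;
        *)       echo "unsupported arch: ${1##*.}" >&2; return 1 ;;
    esac
}

# verify_airgap_tar <tar_file> <checksum_list>
# Returns 0 on match, 1 on mismatch, 2 if the file is not in the list.
verify_airgap_tar() {
    name=$(basename "$1")
    want=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$2")
    [ -n "$want" ] || return 2
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# Usage (pkg is the rpm -q k3s output copied from the Edge Gateway system;
# the checksum file name is an assumption):
#   arch=$(k3s_asset_arch "$pkg") || exit 1
#   echo "release $(k3s_release_tag "$pkg"), file k3s-airgap-images-$arch.tar"
#   verify_airgap_tar "k3s-airgap-images-$arch.tar" "sha256sum-$arch.txt" || exit 1
```

Run the check again on the Edge Gateway system after the copy, so that a file altered or truncated in transit is caught before it is placed in the images directory.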

Log in as a privileged user to the system that is to host the Edge Gateway software and complete the following steps.

Procedure


  1. Copy the downloaded Edge Gateway and k3s-airgap-images files to this system.
  2. Install the virtual appliance using the procedure in Installing the virtual application.
  3. Add the self-signed certificate of the private repository (domain.crt) to the trusted certificates.
    cp <path_to_certificate> /etc/pki/ca-trust/source/anchors &&
    update-ca-trust extract
    Note: If it is a certificate chain, add the root certificate to the trusted certificates.
  4. If the private repository DNS name cannot be resolved, add the domain to /etc/hosts:
    192.168.xxx.1 <registry_domain_name>
  5. Run the following commands to install the k3s-airgap-images, where <file_name> is the name of the k3s-airgap-images tar file:
    sudo mkdir -p /var/lib/rancher/k3s/agent/images/ &&
    sudo cp <file_name> /var/lib/rancher/k3s/agent/images/
  6. Create the registries.yaml file:
    sudo vi /etc/rancher/k3s/registries.yaml
    Make sure one mirror in the registries.yaml file is docker.io and its endpoint is the private repository URL. For example:
    mirrors:
      docker.io:
        endpoint:
          - "<private_registry_URL>"
    configs:
      "<private_registry_URL>":
        auth:
          username: <username> # this is the registry username
          password: <password> # this is the registry password
        tls: # if needed
          cert_file: # path to the cert file used in the registry
          key_file: # path to the key file used in the registry
          ca_file: # path to the ca file used in the registry
  7. Restart the K3s service:
    sudo systemctl restart k3s
  8. Verify that all pods are in the running state:
    sudo kubectl get pods -A
  9. Deploy the Edge Gateway containers with the configured private registry as described in Pairing the IBM Security QRadar Suite Software account with Edge Gateway:
    sudo manageAppHost install -p <pairing information.json> --registry <registry_URL> --user <username>
  10. Verify that all pods are in the running state:
    sudo kubectl get pods -A
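
For steps 8 and 10, the pod listing can be filtered so that only problem pods are shown. In an air gap, a status of ImagePullBackOff or ErrImagePull means that the node could not get an image from the imported k3s-airgap-images file or from the private repository. This is an added example, not IBM code; the sample listing and its pod names are constructed.

```shell
#!/bin/sh
# Added example, not IBM code. Column layout is that of `kubectl get pods -A`:
# NAMESPACE NAME READY STATUS RESTARTS AGE

# Reads the listing on stdin and prints "<namespace>/<pod> <reason>" for each
# pod that is not healthy. Completed pods (finished jobs) are accepted.
unhealthy_pods() {
    awk 'NR == 1 || $4 == "Completed" { next }
         $4 != "Running" { print $1 "/" $2, $4; next }
         { split($3, r, "/"); if (r[1] != r[2]) print $1 "/" $2, "NotReady(" $3 ")" }'
}

# Pods that failed to pull an image: check the image name and tag that were
# pushed, the registries.yaml mirror and credentials, and the trusted certificate.
image_pull_failures() {
    unhealthy_pods |
        awk '$2 == "ImagePullBackOff" || $2 == "ErrImagePull" { print $1 }'
}

# Constructed sample listing (not output from a real system).
sample_pods() {
cat <<'EOF'
NAMESPACE     NAME                                      READY   STATUS             RESTARTS     AGE
kube-system   coredns-59b4f5bbd5-abcde                  0/1     ImagePullBackOff   0            3m
kube-system   helm-install-traefik-xyz12                0/1     Completed          0            3m
kube-system   metrics-server-7b67f64457-fghij           1/1     Running            0            3m
kube-system   local-path-provisioner-76d776f6f9-klmno   0/1     Running            1 (2m ago)   3m
EOF
}

# On the Edge Gateway system:
#   sudo kubectl get pods -A | unhealthy_pods
#   sudo kubectl get pods -A | image_pull_failures
```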

Results

The Edge Gateway image is successfully installed and configured to use a private repository.

What to do next

Deploy Edge Gateway instances as described in Pairing the IBM Security QRadar Suite Software account with Edge Gateway.