Apps only virtual appliance in an air gap environment

This procedure applies only if you are installing the virtual appliance (.ova file) in an air gap environment to deploy IBM® Security QRadar® SOAR apps.

About this task

Before proceeding, you must access the Internet to download files and access images for your private repository as follows:
  • This procedure assumes you have a private repository as described in Apps only private repository.
  • Download the Edge Gateway virtual appliance file from IBM® Passport Advantage or IBM Support Fix Central. For example, from IBM Support Fix Central, the V1.12 Edge Gateway .ova file is available from the apphost-1.12.1.run package and the file name is signed_apphost_redhat8_1.12.ova. If you are downloading from IBM Passport Advantage, you must also download the security updates file, apphost-appliance-security-update-<version>.run, from IBM Fix Central.
  • Download the appropriate k3s-airgap-images tar file for your repository from the Rancher releases page.
  • Tag and push the coredns image to your private repository. Make sure the repository uses the meta-repo, rancher.
    The following example assumes that you are using Docker and that coredns is at version 1.6.3.
    docker pull rancher/coredns-coredns:1.6.3
    docker tag rancher/coredns-coredns:1.6.3 <registry_domain_name>/rancher/coredns-coredns:1.6.3
    docker push <registry_domain_name>/rancher/coredns-coredns:1.6.3
    Note: In some environments, you might need to use <domain_name>:<port> instead of <registry_domain_name>.
  • Tag and push the Edge Gateway images to your private repository. Make sure the repository name is ibmresilient. The following example assumes that you are using Docker:
    docker pull quay.io/ibmresilient/apps-synchronizer:<app_host_version>
    docker pull quay.io/ibmresilient/apps-operator:<app_host_version>
    
    docker tag quay.io/ibmresilient/apps-synchronizer:<app_host_version> <registry_domain_name>/ibmresilient/apps-synchronizer:<app_host_version>
    docker tag quay.io/ibmresilient/apps-operator:<app_host_version> <registry_domain_name>/ibmresilient/apps-operator:<app_host_version>
    
    docker push <registry_domain_name>/ibmresilient/apps-synchronizer:<app_host_version>
    docker push <registry_domain_name>/ibmresilient/apps-operator:<app_host_version>

Log in as a privileged user to the system that is to host the Edge Gateway software and complete the following steps.

Procedure

  1. Copy the downloaded Edge Gateway and k3s-airgap-images files to this system.
  2. Install the virtual appliance using the procedure in Installing the virtual application.
  3. Add the private repository's self-signed certificate (domain.crt) to the trusted certificates.
    cp <path_to_certificate> /etc/pki/ca-trust/source/anchors &&
    update-ca-trust extract
    Note: If the certificate is part of a certificate chain, add the root certificate to the trusted certificates.
  4. If the private repository DNS name cannot be resolved, add the domain to /etc/hosts:
    192.168.xxx.1 <registry_domain_name>
  5. Run the following commands to install the k3s-airgap-images, where <file_name> is the name of the k3s-airgap-images tar file:
    sudo mkdir -p /var/lib/rancher/k3s/agent/images/ &&
    sudo cp <file_name> /var/lib/rancher/k3s/agent/images/
  6. Create the registries.yaml file:
    sudo vi /etc/rancher/k3s/registries.yaml
    Make sure one mirror in the registries.yaml file is docker.io and its endpoint is the private repository URL. For example:
    mirrors:
      docker.io:
        endpoint:
          - "<private_registry_URL>"
    configs:
      "<private_registry_URL>":
        auth:
          username: <username> # this is the registry username
          password: <password> # this is the registry password
        tls: # if needed
          cert_file: # path to the cert file used in the registry
          key_file: # path to the key file used in the registry
          ca_file: # path to the ca file used in the registry
  7. Restart the K3s service:
    sudo systemctl restart k3s
  8. Verify that all pods are in the running state:
    sudo kubectl get pods -A
  9. Deploy the Edge Gateway containers as described in Pairing the IBM Security QRadar Suite Software account with Edge Gateway.
  10. Configure the Edge Gateway registry to use the private repository. You need to enter the URL to the repository, also called a registry. If the private repository requires authentication, use the --user option to enter the account user name; you are prompted for the password.
    sudo manageAppHost registry --registry <private_registry_URL> --user <username>
  11. Again, verify that all pods are in the running state:
    sudo kubectl get pods -A
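
A pre-flight check for the registries.yaml file from step 6, to run before restarting K3s in step 7. This is an added example, not part of IBM's procedure; the owner-only permission check is a hardening check added here because the file stores the registry password in clear text. It assumes GNU stat and the block-style YAML layout shown in step 6, and the sample file with the host name registry.example.internal is constructed.

```shell
#!/bin/sh
# Added example: pre-flight check for /etc/rancher/k3s/registries.yaml.
# Assumes GNU stat and the block-style YAML layout shown in step 6.

# Print every endpoint listed under mirrors -> docker.io -> endpoint.
docker_io_endpoints() {
  awk '
    /^ *(#|$)/ { next }                                # comments, blank lines
    /^[^ ]/ { top = $1; reg = ""; inlist = 0; next }   # top-level key
    top != "mirrors:" { next }
    $1 == "-" { if (inlist) { gsub(/"/, "", $2); print $2 }; next }
    $1 == "endpoint:" { inlist = (reg == "docker.io:"); next }
    { reg = $1; gsub(/"/, "", reg); inlist = 0 }       # a registry name
  ' "$1"
}

check_registries_yaml() {
  file=$1; rc=0
  [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 2; }
  # The file holds the registry password in clear text, so only the owner
  # should be able to read it (hardening check added here, not an IBM step).
  mode=$(stat -c %a "$file")
  case $mode in
    *00) ;;
    *) echo "FAIL: mode $mode lets other users read the password"; rc=1 ;;
  esac
  endpoints=$(docker_io_endpoints "$file")
  [ -n "$endpoints" ] || { echo "FAIL: no docker.io mirror endpoint"; rc=1; }
  for ep in $endpoints; do
    case $ep in
      *'<'*) echo "FAIL: placeholder not replaced: $ep"; rc=1 ;;
      http://*) echo "FAIL: $ep is not TLS-protected"; rc=1 ;;
      *) echo "OK: docker.io -> $ep" ;;
    esac
  done
  return $rc
}

# Constructed sample; registry.example.internal is a placeholder host name.
sample=$(mktemp)
cat > "$sample" <<'EOF'
mirrors:
  docker.io:
    endpoint:
      - "https://registry.example.internal:5000"
EOF
chmod 600 "$sample"
check_registries_yaml "$sample"
rm -f "$sample"
```

On the appliance, call the function as `sudo sh -c '. ./check.sh; check_registries_yaml /etc/rancher/k3s/registries.yaml'`, where check.sh is a hypothetical file name for the block above.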

Results

The Edge Gateway image is successfully installed and configured to use a private repository.

What to do next

Deploy Edge Gateway instances as described in Pairing the IBM Security QRadar Suite Software account with Edge Gateway.