Apps only virtual appliance in an air gap environment
This procedure applies only if you are installing the virtual appliance (.ova file) in an air gap environment to deploy IBM® Security QRadar® SOAR apps.
About this task
- This procedure assumes you have a private repository as described in Apps only private repository.
- Download the Edge Gateway virtual appliance file from IBM® Passport Advantage or IBM Support Fix Central. For example, from IBM Support Fix Central, the V1.12 Edge Gateway .ova file is available from the apphost-1.12.1.run package and the file name is signed_apphost_redhat8_1.12.ova. If you are downloading from IBM Passport Advantage, you must download the security updates file, apphost-appliance-security-update-<version>.run, from IBM Fix Central.
- Download the appropriate k3s-airgap-images tar file for your repository from the Rancher releases page.
- Tag and push the coredns image to your private repository. Make sure the repository uses the meta-repo, rancher. The following example assumes you are using docker and that coredns is at version 1.6.3.
docker pull rancher/coredns-coredns:1.6.3
docker tag rancher/coredns-coredns:1.6.3 <registry_domain_name>/rancher/coredns-coredns:1.6.3
docker push <registry_domain_name>/rancher/coredns-coredns:1.6.3
Note: In some environments, you might need to use <domain_name>:<port> instead of <registry_domain_name>.
- Tag and push the Edge Gateway images to your private repository. Make sure the repository name is ibmresilient. The following example assumes that you are using Docker:
docker pull quay.io/ibmresilient/apps-synchronizer:<app_host_version>
docker pull quay.io/ibmresilient/apps-operator:<app_host_version>
docker tag quay.io/ibmresilient/apps-synchronizer:<app_host_version> <registry_domain_name>/ibmresilient/apps-synchronizer:<app_host_version>
docker tag quay.io/ibmresilient/apps-operator:<app_host_version> <registry_domain_name>/ibmresilient/apps-operator:<app_host_version>
docker push <registry_domain_name>/ibmresilient/apps-synchronizer:<app_host_version>
docker push <registry_domain_name>/ibmresilient/apps-operator:<app_host_version>
Log in as a privileged user to the system that is to host the Edge Gateway software and complete the following steps.
- Copy the downloaded Edge Gateway and k3s-airgap-images files to this system.
- Install the virtual appliance using the procedure in Installing the virtual application.
- Add the private repository self-signed cert (domain.crt) to the trusted certificates.
cp <path_to_certificate> /etc/pki/ca-trust/source/anchors && update-ca-trust extract
Note: If it is a certificate chain, add the root certificate to trusted certs.
- If the private repository DNS name cannot be
resolved, add the domain to /etc/hosts:
- Run the following commands to install the
k3s-airgap-images, where <file_name> is the name of the k3s-airgap-images tar file:
sudo mkdir -p /var/lib/rancher/k3s/agent/images/ && sudo cp <file_name> /var/lib/rancher/k3s/agent/images/
- Create the registries.yaml file:
sudo vi /etc/rancher/k3s/registries.yaml
Make sure one mirror is docker.io and its endpoint is the private repository URL. For example:
mirrors:
  docker.io:
    endpoint:
      - "<private_registry_URL>"
configs:
  "<private_registry_URL>":
    auth:
      username: <username> # this is the registry username
      password: <password> # this is the registry password
    tls: # if needed
      cert_file: # path to the cert file used in the registry
      key_file: # path to the key file used in the registry
      ca_file: # path to the ca file used in the registry
- Restart the K3s Kubernetes:
sudo systemctl restart k3s
- Verify that all pods are in the running state:
sudo kubectl get pods -A
- Deploy the Edge Gateway containers as described in Pairing the IBM Security QRadar Suite Software account with Edge Gateway.
- Configure the Edge Gateway registry to use the private repository. You need to enter the URL to the repository, also called a registry. If the private repository requires authentication, use the --user option to enter the account user name; you are prompted for the password.
sudo manageAppHost registry --registry <private_registry_URL> --user <username>
- Again, verify that all pods are in the running state:
sudo kubectl get pods -A
The Edge Gateway image is successfully installed and configured to use a private repository.
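The registries.yaml file created in the procedure above decides where K3s pulls docker.io images from and stores the registry password in clear text, so it is worth checking before the K3s restart. The following script is an added example, not IBM tooling: it confirms that a docker.io mirror endpoint exists, that each endpoint uses https (an assumed policy, in line with the certificate step), and that a file containing a password is readable only by its owner. The registry name and credentials in the sample are constructed.

```shell
#!/usr/bin/env bash
# Added example (not IBM tooling): sanity-check /etc/rancher/k3s/registries.yaml
# before restarting k3s. Prints findings; return status = number of problems.
check_registries() {
  local file=$1 problems=0 endpoints ep
  [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }

  # Collect the list items under mirrors -> docker.io -> endpoint.
  endpoints=$(awk '
    /^[^ #]/ { top = $1; mirror = "" }                 # new top-level key
    top == "mirrors:" && /^  [^ ]/ { mirror = $1 }     # registry being mirrored
    top == "mirrors:" && mirror ~ /^"?docker\.io"?:$/ && /^ +- / {
      gsub(/^ +- *|"| *#.*$/, ""); print }' "$file")

  if [ -z "$endpoints" ]; then
    echo "FAIL: no docker.io mirror endpoint; pulls would go to docker.io"
    problems=$((problems + 1))
  fi
  for ep in $endpoints; do
    case $ep in
      https://*) echo "ok: docker.io -> $ep" ;;
      *) echo "FAIL: endpoint $ep is not https (assumed policy)"
         problems=$((problems + 1)) ;;
    esac
  done

  # The file holds the registry password in clear text: owner-only access.
  if grep -Eq '^ +password: *[^ #]' "$file" &&
     [ "$(ls -ld -- "$file" | cut -c5-10)" != "------" ]; then
    echo "FAIL: $file has a password but is readable by group/other; chmod 600"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Constructed sample (hypothetical registry name), written to a temp file.
write_sample() {
  local f; f=$(mktemp) || return 1
  printf '%s\n' 'mirrors:' '  docker.io:' '    endpoint:' \
    '      - "https://registry.example.internal:5000"' 'configs:' \
    '  "https://registry.example.internal:5000":' '    auth:' \
    '      username: svc-pull' '      password: constructed-secret' > "$f"
  echo "$f"
}

# Usage: ./check_registries.sh /etc/rancher/k3s/registries.yaml
if [ "$#" -gt 0 ]; then check_registries "$1"; fi
```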
What to do next
Deploy Edge Gateway instances as described in Pairing the IBM Security QRadar Suite Software account with Edge Gateway.