Setting up a bastion compute device

You can store everything that you need to install Cloud Pak for Business Automation on a bastion host and use this server in an air gap environment.

Before you begin

A bastion host is a server that has a public IP address and that you reach over Secure Shell (SSH). When it is configured, the bastion host acts as an intermediate server through which you can securely connect to instances that have no public IP address. For more information, see Create a bastion host.

Note: The bastion host must be on a Linux® x86_64 platform with any operating system that the IBM Cloud Pak® CLI and the OCP CLI support.

The following prerequisites are also needed.

  • An OpenShift Container Platform (OCP) 4.6+ cluster must be installed. For more information, see Preparing for an Enterprise deployment.
  • The bastion host must be able to access the OCP cluster, an internal image registry, and the internet.

Procedure

  1. Install the oc OCP CLI tool. For more information, see OCP CLI tools.
  2. Install OpenSSL version 1.1.1 or higher.
  3. Install Podman or Docker on a Red Hat machine. For more information, see Podman installation instructions.

    To install Docker, run the following commands.

    yum check-update
    yum install docker
  4. Install the skopeo CLI version 1.x. For more information, see Installing skopeo from packages.

    To install skopeo 1.2.x from the kubic repository, run the following commands. This adds a third-party repository to the bastion, so review the downloaded .repo file, including its gpgcheck and gpgkey settings, before you run yum install.

    cd /etc/yum.repos.d/
    wget https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/CentOS_7/devel:kubic:libcontainers:stable.repo
    yum install skopeo
  5. Install httpd-tools.
    yum install httpd-tools
  6. Install the IBM Cloud Pak® CLI (cloudctl). Download the release archive for your platform. For more information, see cloud-pak-cli.
    1. Download the release archive.
      wget https://github.com/IBM/cloud-pak-cli/releases/latest/download/<binary-file-name>

      For example:

      wget https://github.com/IBM/cloud-pak-cli/releases/latest/download/cloudctl-linux-amd64.tar.gz

      Before you install it, verify the archive against the signature or checksum that is published with the release; a binary on the bastion runs with access to the cluster and the image registry.
    2. Extract the archive.
      tar -xf <binary-file-name>
    3. Make the extracted binary executable and move it onto the PATH.
      chmod 755 <file-name>
      mv <file-name> /usr/local/bin/cloudctl
    4. Confirm that cloudctl is installed.
      cloudctl --help

      The cloudctl usage is displayed.
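The checks that the procedure above amounts to, as an added preflight script that is not part of the IBM documentation. It assumes the standard command names and version outputs of the tools (oc, openssl, podman or docker, skopeo, htpasswd, cloudctl). The minimum versions are the ones the page states, OpenSSL 1.1.1 and skopeo 1.x; tools for which the page states no minimum are checked for presence only.

```shell
#!/bin/sh
# Added preflight check for the bastion host (example, not IBM's code).
# Minimums: OpenSSL 1.1.1 and skopeo 1.x, as stated on the page.

# extract_version STRING: print the first dotted version in STRING,
# e.g. "OpenSSL 1.1.1k  25 Mar 2021" -> "1.1.1k", "skopeo version 1.2.3" -> "1.2.3".
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+[a-z]?)?' | head -n 1
}

# version_ge A B: succeed when dotted version A is at least B, comparing the
# first three numeric components; a trailing letter (OpenSSL "1.1.1k") is ignored.
version_ge() {
  a=$1; b=$2; i=0
  while [ "$i" -lt 3 ]; do
    x=$(printf '%s' "${a%%.*}" | tr -cd '0-9'); y=$(printf '%s' "${b%%.*}" | tr -cd '0-9')
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
    case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    i=$((i + 1))
  done
  return 0
}

# check_tool NAME MIN CMD...: run CMD, extract its version and compare it to MIN.
check_tool() {
  name=$1; min=$2; shift 2
  if ! command -v "$1" >/dev/null 2>&1; then
    printf 'MISSING  %-9s (not on PATH)\n' "$name"; return 1
  fi
  ver=$(extract_version "$("$@" 2>&1)")
  if [ -n "$ver" ] && version_ge "$ver" "$min"; then
    printf 'OK       %-9s %s\n' "$name" "$ver"; return 0
  fi
  printf 'TOO OLD  %-9s %s (need >= %s)\n' "$name" "${ver:-unknown}" "$min"; return 1
}

# require_cmd NAME: presence-only check for tools with no stated minimum.
require_cmd() {
  if command -v "$1" >/dev/null 2>&1; then printf 'OK       %s\n' "$1"; return 0; fi
  printf 'MISSING  %s\n' "$1"; return 1
}

# preflight: run every check from the procedure; non-zero if anything is missing.
preflight() {
  rc=0
  require_cmd oc                                   || rc=1
  check_tool openssl 1.1.1 openssl version         || rc=1
  check_tool skopeo  1.0   skopeo --version        || rc=1
  require_cmd htpasswd                             || rc=1   # from httpd-tools
  require_cmd cloudctl                             || rc=1
  if command -v podman >/dev/null 2>&1; then require_cmd podman || rc=1
  elif command -v docker >/dev/null 2>&1; then require_cmd docker || rc=1
  else printf 'MISSING  container engine (podman or docker)\n'; rc=1
  fi
  return "$rc"
}

# Run the checks only when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  preflight
fi
```

Run it as `sh preflight.sh --run` on the bastion after the procedure; a non-zero exit means at least one tool is missing or below the stated minimum, and the report names which one.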

Results

The following network ports must be available on the bastion server:

If the bastion host cannot pull the source images from the public registries, a proxy or firewall might be blocking them. An HTTP 403 response from a registry indicates that the request was denied, not that the image is missing. The Docker and Quay registries might serve pulls through proxies or mirror sites, so if an image is blocked, check whether the blocked URL belongs to one of these registries. If a registry is blocked, add its URL to the website allowlist. The following websites can be added to the allowlist to prevent image pull errors.
cp.icr.io/cp
*.docker.io/ibmcom
*.quay.io/opencloudio
icr.io/cpopen
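A connectivity probe for the allowlist entries above, added here as an example that is not part of the IBM page. It takes the host from each entry, requests the standard Docker Registry HTTP API v2 base path, https://<host>/v2/, with curl, and maps the status code: 200 or 401 means the registry answered (401 is the normal reply for an unauthenticated /v2/ request), 403 is the proxy or allowlist denial the text describes, and 000 is what curl reports when no connection was made. For a wildcard entry such as *.docker.io/ibmcom it probes the bare domain; substitute the concrete mirror host that your proxy logs show. The verdict names are this script's own.

```shell
#!/bin/sh
# Added registry reachability probe (example, not IBM's code). Needs curl
# and outbound HTTPS from the bastion.

# host_of ENTRY: strip the wildcard prefix and the path from an allowlist
# entry, e.g. "*.quay.io/opencloudio" -> "quay.io", "cp.icr.io/cp" -> "cp.icr.io".
host_of() {
  h=${1#\*.}
  printf '%s\n' "${h%%/*}"
}

# classify CODE: map an HTTP status code from curl to a verdict.
classify() {
  case $1 in
    200|401) echo "reachable" ;;      # 401 is the normal unauthenticated /v2/ answer
    403)     echo "blocked" ;;        # typical proxy or allowlist denial
    000)     echo "no-connection" ;;  # DNS, TCP or TLS failure: curl reports 000
    3*)      echo "redirect" ;;       # a mirror or front door; follow it by hand
    5*)      echo "server-error" ;;
    *)       echo "other($1)" ;;
  esac
}

# probe HOST: GET https://HOST/v2/ and print "HOST verdict".
probe() {
  code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "https://$1/v2/") || code=000
  printf '%-20s %s\n' "$1" "$(classify "$code")"
}

# check_allowlist ENTRY...: probe the host of each entry; fail if any is
# blocked or unreachable, so the script can gate the image mirroring step.
check_allowlist() {
  rc=0
  for e in "$@"; do
    v=$(probe "$(host_of "$e")")
    printf '%s\n' "$v"
    case $v in *blocked*|*no-connection*) rc=1 ;; esac
  done
  return "$rc"
}

# Probe the page's allowlist entries when invoked as: sh probe-registries.sh --run
if [ "${1:-}" = "--run" ]; then
  check_allowlist cp.icr.io/cp '*.docker.io/ibmcom' '*.quay.io/opencloudio' icr.io/cpopen
fi
```

A host that reports blocked is the one to add to the allowlist; a redirect verdict means the registry fronts its pulls with another host, which is the mirror case the text mentions, and that host is the one to probe and allow.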