Setting up a bastion compute device
You can store everything that you need to install Cloud Pak for Business Automation on a bastion host and use this server in an air gap environment.
Before you begin
A bastion host is a server that is provisioned with a public IP address that is accessible through remote access Secure Shell (SSH). When configured, the bastion server acts as an intermediate server that allows a secure connection to the instances made available without a public IP address. For more information, see Create a bastion host.
Note: The bastion host must be on a Linux® x86_64 platform with any operating system that the IBM Cloud Pak® CLI and the OCP CLI support.
The following prerequisites are also needed.
- An OpenShift Container Platform (OCP) 4.6+ cluster must be installed. For more information, see Preparing for an Enterprise deployment.
- The bastion host must be able to access the OCP cluster, an internal image registry, and the internet.
Procedure
Results
The following network ports must be available on the bastion server:
- For Docker, see Whitelisting Docker Hub Hosts for Firewalls and HTTP Proxy Servers.
- icr.io:443 for the IBM Entitled Registry.
- quay.io:443 for foundational services.
- github.com for CASE and tools.
- redhat.com for OpenShift upgrades.
If the bastion host is unable to retrieve the source images from the public registries, you might need to allow specific access to these sites. An HTTP 403 response is an indication of such a parsing error. Docker and Quay image registries might use proxies or mirror sites, so if you see images blocked, check whether the block is related to one of these image registries. If one of the registries is blocked, you must add that URL to the website allowlist. The following websites can be added to the allowlist to prevent image pull errors.
cp.icr.io/cp
*.docker.io/ibmcom
*.quay.io/opencloudio
icr.io/cpopen
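
A preflight check for the hosts listed above, as an added example that is not part of IBM's documentation: it probes each endpoint with curl from the bastion host and separates the HTTP 403 allowlist symptom from the 401 that a registry's `/v2/` endpoint normally returns to an anonymous request. The function names, the `--run` switch, the `/v2/` probe path and the use of HTTPS for github.com and redhat.com are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM's code). Hosts come from this page; the /v2/ path is the
# standard registry API base, and HTTPS for github.com/redhat.com is an assumption.
ENDPOINTS="https://icr.io/v2/ https://cp.icr.io/v2/ https://quay.io/v2/ https://github.com/ https://redhat.com/"

# classify_status CODE: map the HTTP status curl observed to a verdict.
classify_status() {
  case "$1" in
    000)         echo "unreachable" ;;  # no HTTP response: DNS, TCP or TLS failed
    403)         echo "blocked" ;;      # the allowlist symptom this page describes
    407)         echo "proxy-auth" ;;   # the proxy itself wants credentials
    401|2??|3??) echo "ok" ;;           # 401 is normal for an anonymous /v2/ probe
    *)           echo "unexpected" ;;
  esac
}

# probe URL: print the status code for one request (000 if nothing answered).
probe() {
  curl --silent --output /dev/null --max-time 10 --write-out '%{http_code}' "$1" || true
}

# report: read "URL CODE" lines on stdin, print verdicts, fail if any is not ok.
report() {
  rc=0
  while read -r url code; do
    verdict=$(classify_status "${code:-000}")
    printf '%-26s %-4s %s\n' "$url" "${code:-000}" "$verdict"
    [ "$verdict" = "ok" ] || rc=1
  done
  return "$rc"
}

# check_all: probe every endpoint from the bastion host and report the results.
check_all() {
  for url in $ENDPOINTS; do
    printf '%s %s\n' "$url" "$(probe "$url")"
  done | report
}

# Network access happens only on request: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
  check_all
fi
```

curl honours the `https_proxy` environment variable, so run the check with the same proxy settings that the image pulls will use.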