Air gap environment preparation

This topic provides guidance for preparing an air-gapped environment and installing the system components it needs, so that the installation of Anaconda Team Edition, as detailed in Air gap installation, is straightforward.


Preparing the air-gapped environment

Environment requirements

The installer is a self-extracting binary (ate-x.x.x-installer.sh, where x.x.x is the version number) that contains the necessary components to run Anaconda Team Edition.

The following tools and components are required to install Anaconda Team Edition in your air-gapped environment:

Software requirements

  • Any Linux variant capable of supporting Docker (RHEL 7.x/CentOS)

  • If SELinux is enabled, it cannot be in enforcing mode

  • Use an FQDN (Fully Qualified Domain Name) or hostname

  • If you are not using DNS, you will use the public IP address of your instance

Hardware requirements

  • 4 CPUs

  • 8GB RAM

  • 1.5TB storage space
    • Conda_air gap zip file is ~700GB

    • CVE zip file is ~20MB

Installing packages and CVE files

Artifact download authorization

In order to pull down the conda packages and CVEs, you will need to provide the IP address of the server you are going to store the packages and CVEs on. This enables us to grant you access to the S3 bucket where we store the packages and CVEs.

Note

This will need to be completed prior to scheduling your implementation with Anaconda. The download will take several hours.

If you prefer not to use a hostname, the public IP address of your environment will be required.

Installing packages and CVEs

In this section, you will install Team Edition packages, move those packages to your air-gapped repository, and configure the .env file to point to the location of the CVEs.

Warning

Downloading the Anaconda Team Edition Packages may take several hours.

Run the following commands to download the air gap and CVE packages:

curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_msys2.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.zip

Warning

Do not unzip the air gap or CVE files.
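
One way to confirm that the archives reach the air-gapped host unchanged while they stay zipped. This is an added example, not part of the Anaconda documentation; the manifest file name and function names are assumptions. The digests are computed locally after download, so they detect changes made during the transfer rather than vouch for the download itself.

```shell
#!/bin/sh
# Added example, not Anaconda's code. Records SHA-256 digests of the four
# archives on the connected host and checks them on the air-gapped host,
# without unzipping anything.
ARCHIVES="conda_main.zip conda_msys2.zip conda_r.zip cve.zip"
MANIFEST="airgap-manifest.sha256"   # hypothetical file name

# write_manifest DIR: run on the connected host after the downloads finish.
write_manifest() {
    ( cd "$1" && sha256sum $ARCHIVES > "$MANIFEST" )
}

# verify_manifest DIR: run on the air-gapped host after the transfer.
# Prints one status line per archive; returns non-zero on any problem.
verify_manifest() {
    dir=$1
    rc=0
    for f in $ARCHIVES; do
        # sha256sum writes "<hash>  <name>" or "<hash> *<name>".
        want=$(awk -v f="$f" '$2 == f || $2 == ("*" f) { print $1 }' "$dir/$MANIFEST")
        if [ -z "$want" ]; then
            echo "NOT-IN-MANIFEST $f"; rc=1
        elif [ ! -f "$dir/$f" ]; then
            echo "MISSING $f"; rc=1
        elif [ "$(sha256sum "$dir/$f" | awk '{ print $1 }')" = "$want" ]; then
            echo "OK $f"
        else
            echo "MISMATCH $f"; rc=1
        fi
    done
    return $rc
}

# Usage: sh manifest.sh write DIR    (connected host)
#        sh manifest.sh verify DIR   (air-gapped host)
case "${1:-}" in
    write)  write_manifest "${2:-.}" ;;
    verify) verify_manifest "${2:-.}" ;;
esac
```

Carry the manifest to the air-gapped host separately from the archives where possible, so that a change to the transfer media cannot alter both.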

DNS and TLS/SSL certificate requirements

Team Edition can use certificates to provide transport layer security for the cluster. Have your TLS/SSL certificates ready prior to installation; otherwise, self-signed certificates can be generated during the initial installation. You can configure the platform to use organizational TLS/SSL certificates after completing the installation.

You may purchase certificates commercially, use Let’s Encrypt, or generate them using your organization’s internal public key infrastructure (PKI) system. When using an internal PKI-signed setup, the CA certificate is stored on the file system. You will need to make sure the root certificate of your certificate authority is trusted by the server running the application and the workstations used by users of the application.

You must provide the SSL cert for the hostname your Team Edition instance is running on.

Security requirements

External Ports

These are ports that allow access from outside the server. It is important to protect all services running on the node from outside access, with the exceptions shown below. These ports need to be open to allow access to Anaconda Team Edition via browser and (optionally) via SSH:

  • :80 nginx - only if you are using HTTP

  • :443 nginx - only if you are using HTTPS

  • :22 ssh - optional; only if you need SSH

Internal Ports

These are ports that allow access within the server and are open on docker containers, exposed only to the docker network. Ideally, Anaconda Team Edition will have a dedicated environment. Anaconda Team Edition uses several ports for internal communication between components. These ports do not need to be open to the end user but they need to be reserved, as some bind to the local host network interfaces.

You can run docker ps and reference the PORTS column to see the ports each container uses:

  • :5000 repo - Team Edition API

  • :5002 repo-proxy - Team Edition file serving API proxy

  • :5000 repo-dispatcher - Team Edition event dispatcher/handler (exposed only for Prometheus metrics)

  • :5000 repo-worker - Team Edition scheduled jobs worker (exposed only for Prometheus metrics)

  • :8080 keycloak - Keycloak’s /auth/* endpoints are proxied in Nginx

  • :5432 postgres - PostgreSQL database used by Team Edition and Keycloak

  • :6379 redis - Redis instance used by Team Edition services

  • :9090 prometheus - Prometheus is proxied in Nginx at /Prometheus
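
The port policy above can be checked against what Docker actually publishes. The following is an added example, not part of the Anaconda documentation: it reads docker ps output and reports any port published on a non-loopback host address other than 80 and 443. The function names are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not Anaconda's code. Reports container ports that Docker
# publishes on a non-loopback host address, other than the allowed 80/443.
# (Port 22 is the host's own sshd and does not appear in docker ps.)
# Input: "<name><TAB><ports>" lines, as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'

audit_published_ports() {
    awk -F '\t' '
    {
        n = split($2, maps, ", ")
        for (i = 1; i <= n; i++) {
            m = maps[i]
            # No "->" means the port is reachable on the docker network only.
            if (index(m, "->") == 0) continue
            host = m;    sub(/->.*/, "", host)       # 0.0.0.0:5432
            port = host; sub(/.*:/, "", port)        # 5432
            addr = host; sub(/:[^:]*$/, "", addr)    # 0.0.0.0, :: or [::]
            if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") continue
            if (port == "80" || port == "443") continue
            print $1 ":" port
        }
    }' | sort -u
}

# Constructed sample: postgres is published on all interfaces by mistake.
sample_docker_ps() {
    printf 'nginx\t0.0.0.0:443->443/tcp, :::443->443/tcp\n'
    printf 'repo\t5000/tcp\n'
    printf 'keycloak\t8080/tcp\n'
    printf 'postgres\t0.0.0.0:5432->5432/tcp, :::5432->5432/tcp\n'
    printf 'redis\t127.0.0.1:6379->6379/tcp\n'
}

# On a real host, replace sample_docker_ps with the docker ps command above.
sample_docker_ps | audit_published_ports
```

An empty result means only nginx on 80/443 is reachable from outside the host through Docker; any line printed names a container and port to unpublish or bind to the loopback interface.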

Installing air-gapped environment system

Install Docker and Docker Compose. Contact your operating system vendor or IT department for assistance with this step.


After ensuring all requirements have been met, proceed to Air gap installation to install Team Edition in your air-gapped environment.