Air gap environment preparation
This topic provides guidance for preparing an air-gapped environment and installing an air-gapped environment system for a straightforward installation of Anaconda Server, as detailed in Air gap installation.
Preparing the air-gapped environment
The installer is a self-extracting binary that contains all the necessary components to run Anaconda Server services. The basic requirements prior to installation are:
Any Linux variant capable of supporting Docker
Use a fully qualified domain name (FQDN) or Hostname
DNS record and TLS/SSL certs
Make sure that SELinux is not in enforcing mode, either by disabling it or putting it in permissive mode in the /etc/selinux/config file. If it is in enforcing mode, you will need to reboot your instance after updating. After rebooting, run the following command to verify that SELinux is not being enforced:
getenforce # The result should be either Disabled or Permissive
1.5TB storage space
Conda_air gap zip file is ~700GB
CVE zip file is ~20MB
When partitioning space, allocate 20GB for /var/lib and the remaining 1.5TB for
Installing packages and CVE files
Artifact download authorization
Anaconda supplies air-gapped customers with our repository in the form of tarball files. To gain access to the tarball files that contain the conda packages and CVEs, you must provide Anaconda with the IP address of the machine you are using to download them. Speak with your Anaconda implementation team member to get help allowlisting your IP address.
This must be completed prior to scheduling your implementation with Anaconda. The download will take several hours.
If you prefer not to use a hostname, the public IP address of your environment will be required.
Installing packages and CVEs
In this section, you will install Anaconda Server packages, move those packages to your air-gapped repository, and configure the .env file to point to the location of the CVEs.
Downloading the Anaconda Server Packages may take several hours.
Run the following commands to install the air gap and cve packages:
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_msys2.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r.zip
curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.zip
Do not unzip the air gap or cve files.
DNS and TLS/SSL certificate requirements
Anaconda Server can use certificates to provide transport layer security for the cluster. It is required to have your TLS/SSL certs prior to installation; otherwise, self-signed certificates can be generated during the initial installation.
You may purchase certificates commercially, use Let’s Encrypt, or generate them using your organization’s internal public key infrastructure (PKI) system. When using an internal PKI-signed setup, the CA certificate is stored on the file system. You will need to make sure the root certificate of your certificate authority is trusted by the server running the application and the workstations used by users of the application.
Web browsers use domain names and web origins to separate sites, so they cannot tamper with each other. If you want to use DNS, you must have it ready prior to installation. This DNS name is what users will use to access the application.
You must provide the SSL cert for the hostname your Anaconda Server instance is running on.
These are ports that allow access outside of the server. It is important to protect all services running on the node from outside access. The exceptions are as shown below. These ports need to be open to allow access to Anaconda Server via browser and (optionally) via SSH:
:443 nginx - only if you are using HTTPS
:22 ssh - optional; only if you need SSH
These are ports that allow access within the server and are open on docker containers, exposed only to the docker network. Ideally, Anaconda Server will have a dedicated environment. Anaconda Server uses several ports for internal communication between components. These ports do not need to be open to the end user but they need to be reserved, as some bind to the local host network interfaces.
You can run docker ps and reference the PORTS column, as shown in the following example:
:5000 repo - Anaconda Server API
:5002 repo-proxy - Anaconda Server file serving API proxy
:5000 repo-dispatcher - Anaconda Server event dispatcher/handler (exposed only for prometheus metrics)
:5000 repo-worker - Anaconda Server scheduled jobs worker (exposed only for prometheus metrics)
:8080 keycloak - keycloak’s /auth/* endpoints are proxied in Nginx
:5432 postgres - Postgresql database used by Anaconda Server and Keycloak
:6379 redis - Redis instance used by Anaconda Server services
:9090 prometheus - Prometheus is proxied in Nginx at /Prometheus
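One way to confirm that the internal ports listed above stay on the docker network is to audit the PORTS column for host-published mappings. This is an added example, not part of Anaconda's documentation or installer; the function names, the ALLOWED_PORTS variable and the sample lines are constructed for illustration, and the input is assumed to be the tab-separated output of docker ps --format '{{.Names}}\t{{.Ports}}'.

```shell
#!/usr/bin/env bash
# Added example: flag container ports published on the host beyond 443 and 22.
# Input lines: "<name><TAB><ports>" as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# ALLOWED_PORTS is a hypothetical override; the default follows the page.

audit_published_ports() {
  awk -F'\t' -v allowed="${ALLOWED_PORTS:-443 22}" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      m = split($2, maps, /, */)
      for (i = 1; i <= m; i++) {
        # Only "host:port->container" entries are published on the host;
        # a bare "5432/tcp" is reachable from the docker network only.
        if (maps[i] !~ /->/) continue
        host = maps[i]; sub(/->.*/, "", host)      # e.g. 0.0.0.0:5432
        port = host;    sub(/.*:/, "", port)       # e.g. 5432
        addr = host;    sub(/:[^:]*$/, "", addr)   # e.g. 0.0.0.0 or ::
        # Loopback bindings are not reachable from outside the server.
        if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") continue
        if (port in ok) continue
        print $1 " publishes " port " on " addr
      }
    }'
}

# Constructed sample (not real output): postgres is published on all interfaces.
sample_ps() {
  printf 'nginx\t0.0.0.0:443->8080/tcp, :::443->8080/tcp\n'
  printf 'repo\t5000/tcp\n'
  printf 'postgres\t0.0.0.0:5432->5432/tcp\n'
  printf 'redis\t127.0.0.1:6379->6379/tcp\n'
}

# Demo on the sample; on a live host pipe the docker ps command above instead.
sample_ps | audit_published_ports
```

Any line it prints names a service that is reachable from outside the server and should be rebound or firewalled.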
Enable IP address forwarding
Forwarding IP addresses allows containers to communicate with one another on your host. You’ll need to configure these settings to allow non-root users to perform installations of Anaconda Server.
sysctl net.ipv4.conf.all.forwarding=1
sysctl net.ipv6.conf.all.forwarding=1
iptables -P FORWARD ACCEPT
Installing air-gapped environment system
Install Docker and Docker Compose. Contact your operating system vendor or IT department for assistance with this step.
Podman setup requires you to download and configure the podman-docker package. This package converts docker commands into their corresponding podman commands.
Install podman-docker by running the following command:
sudo yum install -y podman-docker
You might need to work with your IT department to secure this package.
If necessary, make your docker-compose volume executable by running the following command:
sudo chmod +x /usr/local/bin/docker-compose
Create a symbolic link by running the following command:
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
Enable podman.socket by running the following commands:
sudo systemctl enable --now podman.socket
sudo systemctl status podman.socket
Verify that the podman socket works by running the following command:
sudo curl -w "\n" -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/_ping
System validation checks
Once your environment is prepared, run the following commands to verify it is ready for installation of Anaconda Server.
To verify what type of processor your system is running and the number of CPUs present, run the command:
To verify the amount of system memory is sufficient, run the command:
To verify there is a sufficient amount of disk space for the installation, run the command:
To verify the kernel release version and processor type, run the command:
To verify your operating system release version, run the command:
To verify your version of Docker, run the command:
To verify your version of docker-compose, run the command:
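The SELinux, IP forwarding, disk space and Docker requirements on this page can be checked together with a small preflight script. This is an added example, not part of Anaconda's documentation or installer; the function names, the --run flag and the /data mount point are hypothetical, and it reads the 1.5TB requirement as free space on the mount you pass in.

```shell
#!/usr/bin/env bash
# Added example (not Anaconda's tooling): preflight for the host settings above.
# Each predicate takes the observed value as an argument, so it is testable offline.

selinux_ok() {      # $1 = output of getenforce
  case "$1" in Disabled|Permissive) return 0 ;; *) return 1 ;; esac
}

forwarding_ok() {   # $1 = value of a *.conf.all.forwarding sysctl
  [ "$1" = "1" ]
}

disk_ok() {         # $1 = available KiB (df -Pk), $2 = required decimal GB
  [ -n "$1" ] && [ "$1" -ge $(( $2 * 1000000000 / 1024 )) ]
}

have() { command -v "$1" >/dev/null 2>&1; }

check() {           # $1 = label, remaining args = predicate to run
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; return 1; fi
}

preflight() {       # $1 = mount point that will hold the repository (assumption)
  rc=0
  # Assumption: a host without getenforce has no SELinux tooling installed.
  check "SELinux not enforcing" selinux_ok "$(getenforce 2>/dev/null || echo Disabled)" || rc=1
  check "IPv4 forwarding on" forwarding_ok "$(sysctl -n net.ipv4.conf.all.forwarding 2>/dev/null)" || rc=1
  check "IPv6 forwarding on" forwarding_ok "$(sysctl -n net.ipv6.conf.all.forwarding 2>/dev/null)" || rc=1
  check "1.5TB free on $1" disk_ok "$(df -Pk "$1" | awk 'NR==2 {print $4}')" 1500 || rc=1
  check "docker on PATH" have docker || rc=1
  check "docker-compose on PATH" have docker-compose || rc=1
  return $rc
}

# Run against the live host only when asked: ./preflight.sh --run /data
if [ "${1:-}" = "--run" ]; then preflight "${2:-/}"; fi
```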
After ensuring all requirements have been met, proceed to Air gap installation to install Anaconda Server in your air-gapped environment.