You can store everything that you need to install Cloud Pak for Business Automation on a host that can be connected to the internet and use this host in an air
gap environment.
Before you begin
You can use a bastion server, a portable compute device, or two compute devices with portable
storage as your host.
- Bastion host
-
A bastion host is a server that is provisioned with a public IP address that is accessible
through remote access Secure Shell (SSH). When configured, the bastion server acts as an
intermediate server that allows a secure connection to the instances made available without a public
IP address.
- Portable compute device
-
A portable compute device, such as a laptop, can be used to download images from the entitled
registry to a portable image registry that is running locally on the device. You can then bring the
device behind your firewall and copy the images from your portable registry on the device to the
local private registry.
- Portable storage device
-
A portable storage device, such as a hard disk drive, can be connected to a compute device
external to your firewall to download the images. The portable storage can then be connected to a
device behind the firewall so that the images can be loaded to the local private registry.
No matter what medium you choose for your air-gapped installation, the host must satisfy the
following prerequisites.
- The host must be able to access the OpenShift Container Platform (OCP) cluster, an internal
image registry, and the internet.
- The host must be on a Linux® x86_64 or Mac platform with any operating system that the IBM Cloud
Pak® CLI and the OCP CLI support. If you are on a Windows platform, you must run the actions in a
Linux® x86_64 VM or from a Windows Subsystem for Linux (WSL) terminal.
Procedure
-
Install the
oc
OCP CLI tool 4.12.xx or later. For more information, see OCP CLI
tools.
-
Install Podman on an RHEL machine. For more information, see Podman
installation instructions.
-
Download and install the most recent version (v1.11.0 or later) of the
IBM Catalog
Management Plug-in
.
Option 1
- Download
IBM Catalog Management Plug-in
based on the host operating system from
here.
-
Extract the binary file by entering the following command.
tar -xf oc-ibm_pak-linux-amd64.tar.gz
- Run the following commands to move the file to the /usr/local/bin
directory.
mv oc-ibm_pak-linux-amd64 /usr/local/bin/oc-ibm_pak
chmod 755 /usr/local/bin/oc-ibm_pak
Note: If you are installing as a non-root user, you
must use sudo
.
- You can confirm that
oc ibm-pak -h
is installed by running the following
command.oc ibm-pak --help
The plug-in usage is displayed.
Option 2The plug-in is also provided in a container image
cp.icr.io/cpopen/cpfs/ibm-pak:TAG
where TAG
must be replaced with
the corresponding plug-in version. For example
cp.icr.io/cpopen/cpfs/ibm-pak:v1.11.0
for the v1.11.0 of the plug-in.
The
following command creates a container and copies the plug-ins for all the supported platforms in a
directory (plugin-dir).
Note: The command requires that you have Docker
installed. For more information about how to install Docker on an RHEL machine, see
How to Install Docker CE.
id=$(podman create cp.icr.io/cpopen/cpfs/ibm-pak:TAG - )
podman cp $id:/ibm-pak-plugin plugin-dir
podman rm -v $id
cd plugin-dir
You can specify any directory name. After it copied the plug-ins, it
deletes the temporary container, and the target directory contains all the binaries and artifacts in
the IBM/ibm-pak-plugin GitHub repository.
-
Download and install
oc mirror
with version 4.14.x to mirror images using
oc mirror
- Download the
oc mirror
based on the OpenShift cluster version from here.
-
Extract the binary file by entering the following command.
tar -xf oc-mirror.tar.gz
- Run the following commands to move the file to the /usr/local/bin
directory.
mv oc-mirror /usr/local/bin/oc-mirror
chmod 755 /usr/local/bin/oc-mirror
Note: If you are installing as a
non-root user, you must use sudo
.
- You can confirm that
oc mirror
is installed by running the following
command.oc mirror help
The command usage is displayed.
- Make sure that the following network ports are available on the host.
Tip: If the bastion host is unable to retrieve the source images from the public
registries, you might need to allow specific access to these sites. A
HTTP 403
response is an indication of such a parsing error. Docker and quay image registries might
use proxies or mirror sites, so if you see images blocked check whether it is related to one of
these image registries. If one of the registries is blocked, you must add that URL to the website
allowlist. The following websites can be added to the
allowlist to prevent
pulling image errors.
cp.icr.io/cp
*.quay.io/opencloudio
*.icr.io/cpopen
What to do next
You can now download the CASE files. For more information, see Setting up a private registry.