Air gap installation#
This topic provides guidance for installing Package Security Manager (On-prem) in an air-gapped environment.
Note
To successfully install Package Security Manager in an air-gapped environment, you must have already prepared your environment according to the Air gap environment preparation instructions.
Installing Package Security Manager#
Obtain Package Security Manager installer location and your Package Security Manager license from your Anaconda representative before proceeding.
Download Package Security Manager:
# Replace <INSTALLER_LOCATION> with the provided installer URL curl -O <INSTALLER_LOCATION>
Make it executable:
# Replace <INSTALLER> with the installer you just downloaded chmod +x <INSTALLER>
Run one of the following installation commands. Choose the command that corresponds with your setup:
# Replace <INSTALLER> with the installer you just downloaded # Replace <FQDN> with the fully qualified domain name of your Package Security Manager instance sudo bash <INSTALLER> --keep -- --domain <FQDN> --default-user anaconda --custom-cve-source file://opt/anaconda/repo/airgap/cve.zip 2>&1 | tee as.install.output
Note
To include Grafana monitoring dashboards in your installation of Package Security Manager, add the following argument to your installation command:
--grafana-monitor-stack
If you are using TLS/SSL certificates, run this command to install Package Security Manager:
# Replace <INSTALLER> with the installer you just downloaded # Replace <FQDN> with the fully qualified domain name of your Package Security Manager instance # Replace <PATH_TO_CERT> with the path to your TLS/SSL cert # Replace <PATH_TO_KEY> with the path to your TLS/SSL key sudo bash <INSTALLER> --keep -- --domain <FQDN> --tls-cert <PATH_TO_CERT> --tls-key <PATH_TO_KEY> --default-user anaconda --custom-cve-source file://opt/anaconda/repo/airgap/cve.zip 2>&1 | tee as.install.output
Note
To include Grafana monitoring dashboards in your installation of Package Security Manager, add the following argument to your installation command:
--grafana-monitor-stack
Caution
You must be using Postgres version 9.6 or later and Redis version 6.0 or later.
# Replace <INSTALLER> with the installer file you just downloaded # Replace <FQDN> with the fully qualified domain name of your Package Security Manager instance # Replace <PATH_TO_CERT> with the path to your TLS/SSL cert # Replace <PATH_TO_KEY> with the path to your TLS/SSL key # Replace <EXTERNAL_PS/RD_INSTANCE_IP4> with your external instance IP4 address (in both locations) # Replace <ASSIGNED_PORT> with the port used for communication # Replace <POSTGRES_USERID> with your postgres user ID # Replace <POSTGRES_PASSWORD> with your postgres password chmod +x <INSTALLER> bash <INSTALLER> --keep -- --domain <FQDN> --tls-cert <PATH_TO_CERT> --tls-key <PATH_TO_KEY> -e redis://<EXTERNAL_PS/RD_INSTANCE_IP4> -h <EXTERNAL_PS/RD_INSTANCE_IP4> -p <ASSIGNED_PORT> -u <POSTGRES_USERID> -pw <POSTGRES_PASSWORD> --default-user --custom-cve-source file://opt/anaconda/repo/airgap/cve.zip anaconda -y 2>&1 | tee as.install.output
Note
To include Grafana monitoring dashboards in your installation of Package Security Manager, add the following argument to your installation command:
--grafana-monitor-stack
The installation process creates three distinct user profiles: one for administrating Package Security Manager, one for administrating Keycloak, and one for accessing Prometheus. Login credentials for these profiles are shown during the installer output. Use these credentials for your initial logins, and update them as soon as possible.
Example output
KeyCloak admin user: 'admin' KeyCloak admin password: 'B1EpU33Wasdfh0Z64LL767cD' Updating Keycloak settings ... Default user: 'anaconda' password: '8aZ6302Ssd34ge415Ld97I' Prometheus admin user: username=admin Generated password for prometheus password=34ab35y63CUJak6asdf2Am7z40z7lhG8Note
The Prometheus password cannot currently be updated. Save your password somewhere secure!
Installing packages and CVEs#
In a standard installation, Package Security Manager points to a web URL that contains artifacts for your users to view or download. However, on an air-gapped network, you’ll need to provide network directory folder locations for Package Security Manager to look in when searching for artifacts, and populate those folders with artifacts.
The .zip
files you downloaded during environment preparation will be the source of your packages for Package Security Manager. Choose a set of commands that correlate with the files you downloaded during environment preparation to move the files to their correct folder location:
Open your Package Security Manager installation directory.
# Replace <INSTALLER> with your installation directory cd <INSTALLER>
Stop Package Security Manager by running the following command:
docker compose down
Move your airgap
.zip
files to the correct locations by running the following commands. Choose a set of commands that coorelates with your setup:All platforms
mv conda_main.zip /opt/anaconda/repo/airgap/ mv conda_msys2.zip /opt/anaconda/repo/airgap/ mv conda_r.zip /opt/anaconda/repo/airgap/ mv cve.zip /opt/anaconda/repo/airgap/
Note
Moving the
conda_msys2.zip
andconda_r.zip
files is optional.Windows airgap files
mv conda_main_win-32.zip /opt/anaconda/repo/airgap/ mv conda_main_win-64.zip /opt/anaconda/repo/airgap/ mv conda_main_noarch.zip /opt/anaconda/repo/airgap/ mv conda_msys2.zip /opt/anaconda/repo/airgap/ mv cve.zip /opt/anaconda/repo/airgap/
mv conda_r_win-32.zip /opt/anaconda/repo/airgap/ mv conda_r_win-64.zip /opt/anaconda/repo/airgap/ mv conda_r_noarch.zip /opt/anaconda/repo/airgap/ mv conda_msys2.zip /opt/anaconda/repo/airgap/ mv cve.zip /opt/anaconda/repo/airgap/
Linux airgap files
mv conda_main_linux-32.zip /opt/anaconda/repo/airgap/ mv conda_main_linux-64.zip /opt/anaconda/repo/airgap/ mv conda_main_linux-aarch64.zip /opt/anaconda/repo/airgap/ mv conda_main_linux-armv6l.zip /opt/anaconda/repo/airgap/ mv conda_main_linux-armv7l.zip /opt/anaconda/repo/airgap/ mv conda_main_linux-ppc64le.zip /opt/anaconda/repo/airgap/ mv conda_main_linux-s390x.zip /opt/anaconda/repo/airgap/ mv conda_main_noarch.zip /opt/anaconda/repo/airgap/ mv cve.zip /opt/anaconda/repo/airgap/
mv conda_r_linux-32.zip /opt/anaconda/repo/airgap/ mv conda_r_linux-64.zip /opt/anaconda/repo/airgap/ mv conda_r_linux-ppc64le.zip /opt/anaconda/repo/airgap/ mv conda_r_noarch.zip /opt/anaconda/repo/airgap/ mv cve.zip /opt/anaconda/repo/airgap/
MacOS airgap files
mv conda_main_osx-32.zip /opt/anaconda/repo/airgap/ mv conda_main_osx-64.zip /opt/anaconda/repo/airgap/ mv conda_main_osx-arm64.zip /opt/anaconda/repo/airgap/ mv conda_main_noarch.zip /opt/anaconda/repo/airgap/ mv cve.zip /opt/anaconda/repo/airgap/
mv conda_r_osx-64.zip /opt/anaconda/repo/airgap/ mv conda_r_noarch.zip /opt/anaconda/repo/airgap/ mv cve.zip /opt/anaconda/repo/airgap/
Save your work and close the file, then apply your changes to Package Security Manager by running the following:
docker compose up -d
Monitor the status of your instance by running the following command:
docker ps
Once the containers are healthy and running, access your instance of Package Security Manager by navigating to
https:://<FQDN>.example.com
and complete your installation by entering your license.
Adding hosted miniconda installers#
Because air-gapped users do not have access to the internet, Anaconda provides Miniconda installers for your company’s use through Package Security Manager.
Download a valid
installers.zip
file from the s3 bucket:curl -O https://anaconda-airgap-te.s3.amazonaws.com/installers.zip curl -O https://anaconda-airgap-te.s3.amazonaws.com/installers.sha256
Move the
installers.zip
file to the airgap folder of Package Security Manager repositoryby running the following command:mv /installers.zip /opt/anaconda/repo/airgap/
If necessary, open your Package Security Manager installer directory.
Using your preferred file viewer, open the
docker-compose.yml
file.Verify that the following line is present in the
volumes
section for both therepo_api
andrepo_worker
objects:${BASE_INSTALL_DIR}/airgap:${BASE_INSTALL_DIR}/airgap
If the above line is not present, add it to both locations. This allows docker to have access to the
/opt/anaconda/repo/airgap
directory.Add the following line to the
environments
section for both therepo_api
andrepo_worker
objects:REPO_MINICONDA_INSTALLERS_ZIP_PATH=/opt/anaconda/repo/airgap/installers.zip
Save your work and close the file, then apply your changes to Package Security Manager by running the following command:
docker compose up -d
Tip
Miniconda installers will now be available for your end users to download from the login page of Package Security Manager.