Air gap environment preparation¶
This topic provides guidance for preparing an air-gapped environment and installing an air-gapped environment system for a straightforward installation of Anaconda Team Edition, as detailed in Air gap installation.
The installer is a self-extracting binary (ate-x.x.x-installer.sh, where x.x.x is the version number) that contains the necessary components to run Anaconda Team Edition.
The following tools and components are required to install Anaconda Team Edition in your air-gapped environment:
Any Linux variant capable of supporting Docker (RHEL 7.x/CentOS)
If SELinux is enabled, it cannot be in enforcing mode
Use FQDN(Fully Qualified Domain Name) or Hostname
If you are not using DNS: you will use the public IP address of your instance
- 1.5TB storage space
Conda_air gap zip file is~ 700GB
CVE zip file is ~20MB
Installing packages and CVE files¶
Artifact download authorization
In order to pull down the conda packages and CVEs, you will need to provide the IP address of the server you are going to store the packages and CVEs on. This enables us to grant you access to the S3 bucket where we store the packages and CVEs.
This will need to be completed prior to scheduling your implementation with Anaconda. The download will take several hours.
If you prefer not to use a hostname, the public IP address of your environment will be required.
Installing packages and CVEs
In this section, you will install Team Edition packages, move those packages to your air-gapped repository, and configure the
.env file to point to the location of the CVEs.
Downloading the Anaconda Team Edition Packages may take several hours.
Run the following commands to install the air gap and cve packages:
curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_main_airgap.zip curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_msys2_airgap.zip curl -O https://anaconda-airgap-te.s3.amazonaws.com/conda_r_airgap.zip curl -O https://anaconda-airgap-te.s3.amazonaws.com/cve.zip
Do not unzip the air gap or cve files.
DNS and TLS/SSL certificate requirements¶
Team Edition can use certificates to provide transport layer security for the cluster. It is required to have your TLS/SSL certs prior to installation; otherwise, self-signed certificates can be generated during the initial installation. You can configure the platform to use organizational TLS/SSL certificates after completing the installation.
You may purchase certificates commercially, use Let’s Encrypt, or generate them using your organization’s internal public key infrastructure (PKI) system. When using an internal PKI-signed setup, the CA certificate is stored on the file system. You will need to make sure the root certificate of your certificate authority is trusted by the server running the application and the workstations used by users of the application.
You must provide the SSL cert for the hostname your Team Edition instance is running on.
These are ports that allow access outside of the server. It is important to protect all services running on the node from outside access. The exceptions are as shown below. These ports need to be open to allow access to Anaconda Team Edition via browser and (optionally) via SSH:
:80nginx - only if you are using HTTP
:443nginx - only if you are using HTTPS
:22ssh - optional; only if you need SSH
These are ports that allow access within the server and are open on docker containers, exposed only to the docker network. Ideally, Anaconda Team Edition will have a dedicated environment. Anaconda Team Edition uses several ports for internal communication between components. These ports do not need to be open to the end user but they need to be reserved, as some bind to the local host network interfaces.
You can run
docker ps and reference the PORTS column, as shown in the following example:
:5000repo - Team Edition API
:5002repo-proxy - Team Edition file serving API proxy
:5000repo-dispatcher - Team Edition event dispatcher/handler (exposed only for prometheus metrics)
:5000repo-worker - Team Edition scheduled jobs worker (exposed only for prometheus metrics)
:8080keycloak - keycloak’s /auth/* endpoints are proxied in Nginx
:5432postgres - Postgresql database used by Team Edition and Keycloak
:6379redis - Redis instance used by Team Edition services
:9090prometheus - Prometheus is proxied in Nginx at /Prometheus
Install Docker and Docker Compose. Contact your operating system vendor or IT department for assistance with this step.
After ensuring all requirements have been met, proceed to Air gap installation to install Team Edition in your air-gapped environment.