vsolodkyi
Sisense Team Member

An offline, or air-gapped, Sisense environment provides higher security than online, connected environments. As the offline environment has no outside communication, the only method to install Sisense in this environment is by using removable media, such as USB drives.

The system must have the following in place to complete an offline installation:

  • A Bastion host with Docker installed (Recommended)
  • A secured Docker registry that is accessible to the offline environment

The Registry is a stateless, highly scalable server-side application that stores and lets you distribute Docker images. In a Sisense offline installation, the Docker Registry distributes the Sisense images within the isolated network.

This article provides the steps to install and configure the Docker registry.

Configuring Docker engine 

  1. Install Docker on your server:

a. If the Docker Registry host is isolated in the same way as the future Sisense instance, download all required packages on the bastion (or another machine that has an Internet connection) and transfer them to the Docker Registry instance:

wget https://download.docker.com/linux/ubuntu/dists/focal/pool/stable/amd64/docker-ce_20.10.24~3-0~ubuntu...

wget https://download.docker.com/linux/ubuntu/dists/focal/pool/stable/amd64/containerd.io_1.6.9-1_amd64.d...

wget https://download.docker.com/linux/ubuntu/dists/focal/pool/stable/amd64/docker-ce-cli_20.10.24~3-0~ub...

If you are installing the Docker registry on the same instance as Sisense, note that Sisense currently supports only specific Docker versions: 1.13.x, 17.03.x, 17.06.x, 17.09.x, 18.06.x, 18.09.x, 19.03.x, 20.10.x

Install required packages:

sudo dpkg -i ./docker-ce-cli_20.10.24~3-0~ubuntu-focal_amd64.deb

sudo dpkg -i ./containerd.io_1.6.9-1_amd64.deb

sudo dpkg -i ./docker-ce_20.10.24~3-0~ubuntu-focal_amd64.deb

Start and enable docker and containerd services:

sudo systemctl enable containerd

sudo systemctl enable docker

sudo systemctl start containerd

sudo systemctl start docker

b. If you are configuring the Docker Registry on a machine that has an internet connection, Docker can be installed as follows:

Add Docker’s official GPG key:

sudo install -m 0755 -d /etc/apt/keyrings

 curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

 sudo chmod a+r /etc/apt/keyrings/docker.gpg

Set up the repository:

echo \
  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Update the apt package index and install the latest Docker:

sudo apt-get update

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

To install a specific version: 

# List the available versions:
apt-cache madison docker-ce | awk '{ print $3 }'

#example output: 

5:23.0.2-1~ubuntu.20.04~focal

5:23.0.1-1~ubuntu.20.04~focal

5:23.0.0-1~ubuntu.20.04~focal

5:20.10.24~3-0~ubuntu-focal

5:20.10.23~3-0~ubuntu-focal

5:20.10.22~3-0~ubuntu-focal

5:20.10.21~3-0~ubuntu-focal

#Install Docker with 5:20.10.21~3-0~ubuntu-focal:

sudo apt-get install docker-ce=5:20.10.21~3-0~ubuntu-focal docker-ce-cli=5:20.10.21~3-0~ubuntu-focal containerd.io docker-buildx-plugin docker-compose-plugin

 

 

Verify installation by running a hello-world container:

sudo docker run hello-world

2. [This step can be skipped if the Docker Registry instance is installed in a non-isolated environment] Add the essential images to your registry:

a. Pull essential images on the internet-connected machine:

sudo docker pull registry:2.7.0

sudo docker pull httpd:2

b. Export the basic registry images from the machine that has internet connectivity:

sudo docker save -o ./registry.tar registry:2.7.0

sudo docker save -o ./httpd.tar httpd:2

c. Transfer the images to the air-gapped machine with the tool of your choice, for example a USB flash drive.

d. Load images into the air-gapped server docker:

sudo docker load -i ./httpd.tar

sudo docker load -i ./registry.tar

e. Verify the newly imported images:

sudo docker images 

REPOSITORY   TAG       IMAGE ID       CREATED        SIZE
registry     2.7.0     8db46f9d7550   2 weeks ago    24.2MB
httpd        2         73c10eb9266e   3 months ago   145MB

Now the docker environment is installed and configured.
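The image tarballs from step 2 cross the air gap on removable media, so it is worth checking them before `docker load`. The following is an added example, not part of the original article or of Sisense tooling: it records SHA-256 digests on the connected machine and refuses to load anything on the air-gapped side if a file is altered, missing, or not listed. The function names and the SHA256SUMS file name are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and the SHA256SUMS file name are assumptions.

# Connected machine: record a SHA-256 digest for every file in the transfer directory.
make_manifest() {
    ( cd "$1" &&
      find . -maxdepth 1 -type f ! -name SHA256SUMS -exec sha256sum {} + |
      sort -k 2 > SHA256SUMS )
}

# Air-gapped machine: succeed only if every listed file is present and unmodified
# and the directory holds no file that the manifest does not list.
verify_manifest() {
    (
        cd "$1" || exit 1
        [ -s SHA256SUMS ] || { echo "missing or empty SHA256SUMS" >&2; exit 1; }
        sha256sum --check --strict --quiet SHA256SUMS || exit 1
        for f in ./*; do
            [ -f "$f" ] || continue
            [ "$f" = ./SHA256SUMS ] && continue
            # Digest lines are 64 hex chars + 2 separator chars; the name starts at column 67.
            cut -c67- SHA256SUMS | grep -qxF -- "$f" ||
                { echo "unlisted file: $f" >&2; exit 1; }
        done
    )
}

# Load the image tarballs only after the whole directory has verified.
load_verified_images() {
    verify_manifest "$1" || return 1
    for t in "$1"/*.tar; do
        sudo docker load -i "$t" || return 1
    done
}
```

A manifest that travels on the same drive as the tarballs only detects corruption; to detect tampering, carry SHA256SUMS (or its own digest) over a separate channel and compare it before running the verification.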



Configuring Docker Registry

  1. First, create the directories that the Docker Registry container will use. In this example we will use /var/registry:

mkdir /var/registry

mkdir /var/registry/auth

mkdir /var/registry/certs

The first directory will host the Docker images, /var/registry/auth holds the authentication files (which we will generate in the next step), and /var/registry/certs holds the SSL certificates.

2. Next, generate an htpasswd file that contains the authentication information for the Docker registry. In this example the file is named htpasswd and the login is admin. The tool that generates this file is also called htpasswd (-c creates the file, -B selects bcrypt hashing):

htpasswd -cB htpasswd admin

Copy the generated file to the /var/registry/auth directory:

cp htpasswd /var/registry/auth

3. If no certificate has been prepared for the Docker registry, you can create a self-signed certificate:

a. Generate a private key (4096-bit RSA, matching default_bits in the san.cnf below):

openssl genrsa 4096 > domain.key

b. Create a san.cnf file with the following content:

[req]

default_bits  = 4096

distinguished_name = req_distinguished_name

req_extensions = req_ext

x509_extensions = v3_req

prompt = no

[req_distinguished_name]

countryName = US

stateOrProvinceName = N/A

localityName = N/A

organizationName = Self-signed certificate

commonName = 120.0.0.1: Self-signed certificate

[req_ext]

subjectAltName = @alt_names

[v3_req]

subjectAltName = @alt_names

[alt_names]

IP.1 = 10.50.60.6

IP.1 here is an example. Replace it with the address of your Docker instance.

c. Generate the self-signed certificate with:

openssl req -new -x509 -nodes -sha256 -days 365 -key domain.key -out domain.crt -config san.cnf

d. Copy generated files to /var/registry/certs directory:

cp domain.key /var/registry/certs

cp domain.crt /var/registry/certs
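A pre-flight check for the files from step 3, added here as an example (it is not part of the original article, Sisense, or Docker): it confirms that the key belongs to the certificate, that the RSA key size and signature digest are not weak, and that the registry IP is in subjectAltName. The function name and the 2048-bit minimum are assumptions of this example.

```shell
#!/bin/sh
# Added example. check_registry_cert is a hypothetical helper name.
# Usage: check_registry_cert domain.crt domain.key 10.50.60.6
check_registry_cert() {
    crt=$1; key=$2; ip=$3

    # 1. The private key must belong to the certificate: compare public keys.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt" >&2; return 1
    fi

    text=$(openssl x509 -in "$crt" -noout -text) || return 1

    # 2. Key size. Assumed minimum for this example: 2048 bits (RSA keys, as on this page).
    bits=$(printf '%s\n' "$text" |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: ${bits:-unknown}-bit key is below 2048 bits" >&2; return 1
    fi

    # 3. Signature digest: reject SHA-1 and MD5.
    sig=$(printf '%s\n' "$text" |
          sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $sig in
        sha1*|md5*) echo "FAIL: weak signature algorithm $sig" >&2; return 1 ;;
    esac

    # 4. Clients address the registry by IP, so the IP must be in subjectAltName.
    if ! openssl x509 -in "$crt" -noout -checkip "$ip" | grep -q 'does match'; then
        echo "FAIL: $ip is not in the certificate's subjectAltName" >&2; return 1
    fi

    echo "OK: $crt ($bits-bit key, $sig) is valid for $ip"
}
```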

4. Start the Docker registry with the following command:

docker run -d \
 -p 5000:5000 \
 --restart=always \
 --name registry \
 -v /var/registry/auth:/auth \
 -e "REGISTRY_AUTH=htpasswd" \
 -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
 -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
 -v /var/registry/certs:/certs \
 -v /var/registry:/var/lib/registry \
 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
 -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
 registry:2.7.0

The -v flags mount host directories inside the container. The -e flags configure the certificate and authentication files. The -p flag publishes the port on which the Docker Registry is reachable from outside the container.
Please note: all directories in this article are examples and can be changed according to your needs and requirements.

If all steps were performed correctly, the Docker Registry should run without any issues and be ready to be used with a Sisense offline installation. The Sisense offline installation is described in our documentation here.

Additional information

To use the Docker registry with a self-signed certificate, place the certificate file on the client machine in a directory named after the registry's host name (or IP) and port. Here is an example:

/etc/docker/certs.d/10.10.10.10:5000/domain.crt

Test your registry with “docker login”, using the same host and port:

docker login 10.10.10.10:5000

In both cases 10.10.10.10 is just an example address and should be replaced with the actual one.

Please let us know if you have any questions or suggestions regarding this article - we are happy to discuss it below. 

Comments
stevediaz
8 - Cloud Apps

Hello

This article offers essential insights into setting up an offline Sisense environment for enhanced security. Exploring the use of removable media like USB drives, it guides through the key prerequisites, including a Bastion host with Docker and a secure Docker registry. The Docker Registry's significance in distributing Sisense images within an isolated network is emphasized. If you're interested in a more secure Sisense deployment, this guide is a valuable resource.

Thanks for sharing https://docs.sisense.com/main/SisenseLinux/installing-sisense-in-an-offline-air-gapped-environment.h...CCSP Training/

Ontor
7 - Data Storage

Hi @vsolodkyi, is there a video that documents the Sisense offline air-gapped installation end to end? (Note: I already went through the official documentation but am still unclear on the steps.)

vsolodkyi
Sisense Team Member

@Ontor I have responded in DM; however, I don't want to leave it unanswered here.

Unfortunately, we don't have any recordings regarding Offline Installation. If you have any questions, you can reach our support team, and they will be very happy to assist you 🙂

Version history
Last update: 02-16-2024 10:38 AM