This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
vsolodkyi
Sisense Team Member
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
on
04-26-2023
06:17 PM
- edited on
02-16-2024
10:38 AM
by
DRay
An offline, or air-gapped, Sisense environment provides higher security than online, connected environments. As the offline environment has no outside communication, the only method to install Sisense in this environment is by using removable media, such as USB drives.
The system must have the following in place to complete an offline installation:
- A Bastion host with Docker installed (Recommended)
- A secured Docker registry that is accessible to the offline environment
The Registry is a stateless, highly scalable server side application that stores and lets you distribute Docker images. In case of Sisense offline installation Docker Registry is used to distribute the Sisense images within an isolated network.
Next article provides steps on how to install and configure the Docker registry.
Configuring Docker engine
- Install Docker to your server:
a. In case if Docker Registry is also isolated as a future Sisense instance then it is necessary to download all required packages to bastion(or other machine that has Internet connection) and transfer them to a Docker Registry instance:
In case when you are installing Docker registry on the same instance with a Sisense, please note that Sisense currently supports only specific Docker versions: 1.13.x 17.03. x 17.06.x 17.09.x 18.06.x 18.09.x 19.03.x 20.10.×
Install required packages:
|
sudo dpkg -i ./docker-ce-cli_20.10.24~3-0~ubuntu-focal_amd64.deb sudo dpkg -i ./containerd.io_1.6.9-1_amd64.deb sudo dpkg -i ./docker-ce_20.10.24~3-0~ubuntu-focal_amd64.deb |
Start and enable docker and containerd services:
|
sudo systemctl enable containerd sudo systemctl enable docker sudo systemctl start containerd sudo systemctl start docker |
b. If you are configuring Docker Registry on the machine which has internet connection, then it is possible to install docker in next way:
Add Docker’s official GPG key:
|
sudo install -m 0755 -d /etc/apt/keyrings curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg sudo chmod a+r /etc/apt/keyrings/docker.gpg |
Set up the repository:
|
echo \ "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \ "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null |
Update the apt packet index and install latest docker:
|
sudo apt-get update sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin |
To install a specific version:
|
# List the available versions: #example output: 5:23.0.2-1~ubuntu.20.04~focal 5:23.0.1-1~ubuntu.20.04~focal 5:23.0.0-1~ubuntu.20.04~focal 5:20.10.24~3-0~ubuntu-focal 5:20.10.23~3-0~ubuntu-focal 5:20.10.22~3-0~ubuntu-focal 5:20.10.21~3-0~ubuntu-focal #Install Docker with 5:20.10.21~3-0~ubuntu-focal: sudo apt-get install docker-ce=5:20.10.21~3-0~ubuntu-focal docker-ce-cli=5:20.10.21~3-0~ubuntu-focal containerd.io docker-buildx-plugin docker-compose-plugin
|
Verify installation by running a hello-world container:
| sudo docker run hello-world |
2. [This step could be skipped in case if Docker Registry instance is supposed to be installed on non-isolated environment] Adding essential images to your registry:
a. Pull essential images on the internet-connected machine:
|
sudo docker pull registry:2.7.0 sudo docker pull httpd:2 |
b. Export basic registry images from the machine, that has internet connectivity:
|
sudo docker save -o ./registry.tar registry:2.7.0 sudo docker save -o ./httpd.tar httpd:2 |
c. Transfer the images to the air-gapped machine with the tool of your choice - it could be an USB Flash drive for example
d. Load images into the air-gapped server docker:
|
sudo docker load -i ./httpd.tar sudo docker load -i ./registry.tar |
e. Verify the newly imported images:
|
sudo docker images REPOSITORY TAG IMAGE ID CREATED SIZE registry 2.7.0 8db46f9d7550 2 weeks ago 24.2MB httpd 2 73c10eb9266e 3 months ago 145MB |
Now the docker environment is installed and configured.
Configuring Docker Registry
- As the first step we need to create directories which would be used by Docker Registry container. In this example we will use /var/registry:
|
mkdir /var/registry mkdir /var/registry/auth mkdir /var/registry/certs |
First directory will be used to host the docker images, /var/registry/auth is supposed to be used for authentication files (which we will generate in the next step) and the last directory will be used for SSL certificates.
2. Now we are going to generate a htpasswd file which will contain authentication information for Docker registry. In this example we are using htpasswd as the name of the file and admin as the login. The tool which is generates this file is also called htpasswd:
| htpasswd -cB htpasswd admin |
And copy generated file to /var/registry/auth directory:
| cp htpasswd /var/registry/auth |
3. In case if there are no any certificates prepared for docker registry, it’s possible to create a self-signed certificate:
a. Generate a private key
| openssl genrsa 1024 > domain.key |
b. Create a san.cnf file with the following content:
|
[req] default_bits = 4096 distinguished_name = req_distinguished_name req_extensions = req_ext x509_extensions = v3_req prompt = no [req_distinguished_name] countryName = US stateOrProvinceName = N/A localityName = N/A organizationName = Self-signed certificate commonName = 120.0.0.1: Self-signed certificate [req_ext] subjectAltName = @alt_names [v3_req] subjectAltName = @alt_names [alt_names] IP.1 = 10.50.60.6 |
IP.1 here is the example. Please replace it with address of your Docker instance
c. Generate the key with:
| openssl req -new -x509 -nodes -sha1 -days 365 -key domain.key -out domain.crt -config san.cnf |
d. Copy generated files to /var/registry/certs directory:
|
cp domain.ket /var/registry/certs cp domain.crt /var/registry/certs |
4. Time to start your docker registry. It could be done with the next command:
|
docker run -d \ -p 5000:5000 \ --restart=always \ --name registry \ -v /var/registry/auth:/auth \ -e "REGISTRY_AUTH=htpasswd" \ -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \ -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \ -v /var/registry/certs:/certs \ -v /var/registry:/var/lib/registry \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \ -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \ registry:2.7.0 |
With the -v flags we are mounting host directories inside a container. With -e flags we are configuring certificates and auth files. -p flag is configuring a port on which Docker Registry is supposed to work outside the container.
Please note - All directories in this article are examples and could be changed according your needs and requirements.
If all steps were performed correctly, the Docker Registry should run without any issues and ready to be used with a Sisense offline installation. Sisense offline installation is described in our documentation here.
Additional information
To be able to use docker registry with a self-signed certificate, it’s required to place your certificate file into the particular directory on the client machine, that consists of host name (or IP) and host port. Here is an example:
| /etc/docker/certs.d/10.10.10.10:5000/domain.crt |
Test your repository with the “docker login” :
| docker login 10.10.10.10 |
In both cases 10.10.10.10 is just an example address and should be replaced with the actual one.
Please let us know if you have any questions or suggestions regarding this article - we are happy to discuss it below.
Comments
stevediaz
8 - Cloud Apps
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
08-23-2023
10:55 PM
Hello
This article offers essential insights into setting up an offline Sisense environment for enhanced security. Exploring the use of removable media like USB drives, it guides through the key prerequisites, including a Bastion host with Docker and a secure Docker registry. The Docker Registry's significance in distributing Sisense images within an isolated network is emphasized. If you're interested in a more secure Sisense deployment, this guide is a valuable resource.
Thanks for sharing https://docs.sisense.com/main/SisenseLinux/installing-sisense-in-an-offline-air-gapped-environment.h...CCSP Training/
Ontor
7 - Data Storage
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
09-20-2023
11:51 PM
Hi @vsolodkyi , Is there a video that documents Sisense offline air gapped installation end to end. (Note : I already went through the official documentation but still unclear on the steps)
vsolodkyi
Sisense Team Member
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
10-25-2023
01:25 PM
@Ontor I have responded in DM, however don't want to leave it unanswered here.
Unfortunately we don't have any recordings regarding Offline Installation. If you have any questions, you can reach our support team, and they will be very happy to assist you 🙂
Community Toolbox
Recommended quick links to assist you in optimizing your community experience:
- Community FAQs
- Community Welcome & Guidelines
- Discussion Posting Tips
- Partner Guidelines
- Profile Settings
- Ranks & Badges
Developers Group:
Product Feedback Forum:
Need additional support?:
The Legal Stuff
Have a question about the Sisense Community?
Email [email protected]
Share this page:
