Setting up a Harbor registry through a proxy connection for an air-gapped deployment

An air-gapped environment is disconnected or physically isolated from unsecured networks such as the public internet. 

The BMC Helix IT Operations Management (BMC Helix ITOM) container images are hosted on the BMC Docker Trusted Registry (DTR), which is available at containers.bmc.com. To access the BMC Helix ITOM container images, we recommend setting up a registry (such as the Harbor registry) in your local network and synchronizing it with BMC DTR. If your registry is in a demilitarized zone (DMZ) or air-gapped environment, use the instructions in this topic to synchronize your registry with BMC DTR.

We have documented the steps to set up and synchronize a Harbor registry with BMC DTR only as an example. We do not supply or support Harbor or any other registry product. As an administrator, you must install, configure, and maintain the registry. For more information about the Harbor registry, see the Harbor documentation.

You can use the instructions in this topic as a template to set up other registry products.


Before you begin

  • Make sure that you have downloaded the key to access the container images from the BMC Electronic Product Distribution (EPD) site.
  • Make sure that your system meets the following requirements to set up a Harbor registry:

    Requirement   | Description
    --------------|-----------------------------------------------------------------------------------------------------------
    Software      | For the software requirements for Harbor, see Harbor Installation Prerequisites in the Harbor documentation.
                  | Important: Make sure the software versions match the version of Harbor that you want to install.
    Network port  | Port 443 with HTTPS protocol
                  | Port 4443 with HTTPS protocol
                  | Port 80 with HTTP protocol
    Hardware      | Minimum 4 CPUs with 8 GB memory and 500 GB disk space.
                  | The 500 GB disk space might be required while upgrading BMC Helix ITOM.


To synchronize a Harbor registry with BMC DTR through a proxy connection

  1. Set up and synchronize a Harbor registry in a local network with BMC DTR:
      1. In your local system, download Harbor by using the following command:

        wget https://github.com/goharbor/harbor/releases/download/v<version>/harbor-offline-installer-v<version>.tgz

        Example:

        wget https://github.com/goharbor/harbor/releases/download/v2.1.4/harbor-offline-installer-v2.1.4.tgz
      2. Run the following command to unzip the TAR file:

        tar xvzf harbor-offline-installer*.tgz
      3. Go to the Harbor directory by using the following command:

        cd harbor
      4. Copy the configuration template by using the following command:

        cp harbor.yml.tmpl harbor.yml
      5. In the harbor.yml file, update the values for the following parameters:
        • hostname: Specify the name of the system where you want to install Harbor.

        • harbor_admin_password: Specify the password for the Harbor system administrator.
          The harbor.yml file contains a default value for harbor_admin_password. You can modify the password.

        • database password: Specify the root password for the local database.
          The harbor.yml file contains a default database password. You can modify the password.

      6. Configure the Harbor registry to use self-signed SSL certificates.
        See Configure HTTPS Access to Harbor in the Harbor documentation.

      7. Add the Harbor certificate to the trust store on all your Kubernetes nodes.
        Follow the Kubernetes documentation appropriate for your Kubernetes distribution.

      8. Run the following command to install the Harbor registry:

        ./install.sh
      9. Log in to verify that you can access the Harbor registry.
        Use the admin username and password to log in.

        Important: The default Harbor installation does not include the Notary and Clair services that are used for vulnerability scanning.

      1. In the Harbor admin UI, navigate to the Administration menu, and click Registries.
      2. Click NEW ENDPOINT, and specify the following field values:
        • Provider: Docker Registry

        • Endpoint URL: https://containers.bmc.com

        • Access ID: Support user ID that you use to log in to EPD.

        • Access Secret: The container image access key specified in the container-token.bmc file that you downloaded from EPD.

        The following image shows an example configuration:


      3. Click OK.
        The configuration is saved and the configuration status is displayed as Healthy:

      Use this configuration in a replication rule to synchronize your local Harbor registry and BMC DTR.


      1. Log in to the system where you downloaded and extracted the deployment manager helix-on-prem-deployment-manager-<BMC Helix ITOM release version>.sh; for example, helix-on-prem-deployment-manager-23.2.02.sh.
      2. Download the all_images.txt file.
      3. Go to helix-on-prem-deployment-manager/utilities/push_to_repo.
      4. Copy the all_images.txt file into the push_to_repo directory.

      5. Convert the all_images.txt file to UNIX format by using the following command:

        dos2unix all_images.txt
      6. Create a separate .txt file for each set of images that you are licensed for and want to synchronize.
        For example, if you want to synchronize the BMC Helix Platform common services images:

        1. Create a .txt file called lp0lz_images.txt.
        2. Copy all the images related to BMC Helix Platform common services from the all_images.txt file into the lp0lz_images.txt file.

        Similarly, if you want to synchronize the BMC Helix Continuous Optimization images:

        1. Create a .txt file called lp0oz_images.txt.
        2. Copy all the images related to BMC Helix Continuous Optimization from the all_images.txt file into the lp0oz_images.txt file.
      7. Save all the .txt files that you created in utilities/push_to_repo.
      8. Log in to the Harbor registry and perform the following steps to create a new project:
        1. Select Projects and then click NEW PROJECT.
        2. In the New Project window, specify the following values:
          • Project Name: Enter a name; for example, bmc.
          • Access Level: Select the Public check box.
            Leave the other values at their defaults.
        3. Click OK.
      9. Open the push_to_custom_repo.sh file and update the following parameter values:

        • SOURCE_DOCKER_REPO: Specify the value as containers.bmc.com.
        • SOURCE_DOCKER_PASSWORD: Specify the container image access key specified in the container-token.bmc file that you downloaded from EPD.
        • SOURCE_DOCKER_USER: Specify the support user ID that you use to log in to EPD.
        • IMAGE_REGISTRY_HOST: Specify the host name of your local registry.
          Important: Do not specify the host path; specify only the host name. For example, IMAGE_REGISTRY_HOST=value-investing.cluster3.bmc.com
        • IMAGE_REGISTRY_PASSWORD: Specify a password to log in to your local registry.
        • IMAGE_REGISTRY_USERNAME: Specify a user name to log in to your local registry.
        • IMAGE_REGISTRY_PROJECT: Specify the name of the project that you created; for example, bmc.
        • IMAGE_REGISTRY_ORG: Specify the source repository name; for example, lp0lz.

      10. Run the push_to_custom_repo.sh file by using the following command:

        Important: Before you run the push_to_custom_repo.sh file, make sure that you have installed the Docker Engine. For more information, see System requirements for the Harbor registry.

        ./push_to_custom_repo.sh
      11. Repeat steps 9 and 10 to synchronize images for each source repository for which you are licensed.
        For example, if you are licensed for BMC Helix Operations Management (lp0mz) and BMC Helix Continuous Optimization (lp0pz), repeat steps 9 and 10 to synchronize images for lp0mz, and then repeat steps 9 and 10 to synchronize images for lp0pz.

        Source repository | Registry in the deployment.config file      | Component
        ------------------|---------------------------------------------|----------------------------------
        bmc/lp0lz         | IMAGE_REGISTRY_ORG, CORE_IMAGE_REGISTRY_ORG | BMC Helix Platform
        bmc/lp0oz         | IA_IMAGE_REGISTRY_ORG                       | BMC Helix Intelligent Automation
        bmc/lp0pz         | OPTIMIZE_IMAGE_REGISTRY_ORG                 | BMC Helix Continuous Optimization
        bmc/lp0mz         | BHOM_IMAGE_REGISTRY_ORG                     | BMC Helix Operations Management
        bmc/la0cz         | AIOPS_IMAGE_REGISTRY_ORG                    | BMC Helix AIOps

  2. Set up a Harbor registry in an air-gapped environment or DMZ:
      1. In your local system, download Harbor by using the following command:

        wget https://github.com/goharbor/harbor/releases/download/v<version>/harbor-offline-installer-v<version>.tgz

        Example:

        wget https://github.com/goharbor/harbor/releases/download/v2.1.4/harbor-offline-installer-v2.1.4.tgz
      2. Run the following command to unzip the TAR file:

        tar xvzf harbor-offline-installer*.tgz
      3. Go to the Harbor directory by using the following command:

        cd harbor
      4. Copy the configuration template by using the following command:

        cp harbor.yml.tmpl harbor.yml
      5. In the harbor.yml file, update the values for the following parameters:
        • hostname: Specify the name of the system where you want to install Harbor.

        • harbor_admin_password: Specify the password for the Harbor system administrator.
          The harbor.yml file contains a default value for harbor_admin_password. You can modify the password.

        • database password: Specify the root password for the local database.
          The harbor.yml file contains a default database password. You can modify the password.

      6. Configure the Harbor registry to use self-signed SSL certificates.
        See Configure HTTPS Access to Harbor in the Harbor documentation.

      7. Add the Harbor certificate to the trust store on all your Kubernetes nodes.
        Follow the Kubernetes documentation appropriate for your Kubernetes distribution.

      8. Run the following command to install the Harbor registry:

        ./install.sh
      9. Log in to verify that you can access the Harbor registry.
        Use the admin username and password to log in.

        Important: The default Harbor installation does not include the Notary and Clair services that are used for vulnerability scanning.

      1. In the Harbor admin UI, navigate to the Administration menu, and click Registries.
      2. Click NEW ENDPOINT, and specify the following field values:
        • Provider: Docker Registry

        • Endpoint URL: https://containers.bmc.com

        • Access ID: Support user ID that you use to log in to EPD.

        • Access Secret: The container image access key specified in the container-token.bmc file that you downloaded from EPD.

        The following image shows an example configuration:


      3. Click OK.
        The configuration is saved and the configuration status is displayed as Healthy:

      Use this configuration in a replication rule to synchronize your local Harbor registry and BMC DTR.


  3. Set up a proxy to enable communication between the local Harbor registry and the Harbor registry in an air-gapped environment or DMZ.
    We do not have a recommendation for this step. Use your preferred method to set up a proxy.

    1. Log in to the Harbor registry in the DMZ.
    2. Navigate to a directory, then download and extract the deployment manager helix-on-prem-deployment-manager-<BMC Helix ITOM release version>.sh; for example, helix-on-prem-deployment-manager-23.2.02.sh.
    3. Make sure that you have downloaded the all_images.txt file.
    4. Go to helix-on-prem-deployment-manager/utilities/push_to_repo.
    5. Copy the all_images.txt file into the push_to_repo directory.

    6. Convert the all_images.txt file to UNIX format by using the following command:

      dos2unix all_images.txt
    7. Create a separate .txt file for each set of images that you are licensed for and want to synchronize.
      For example, if you want to synchronize the BMC Helix Platform common services images:

      1. Create a .txt file called lp0lz_images.txt.
      2. Copy all the images related to BMC Helix Platform common services from the all_images.txt file into the lp0lz_images.txt file.

      Similarly, if you want to synchronize the BMC Helix Continuous Optimization images:

      1. Create a .txt file called lp0oz_images.txt.
      2. Copy all the images related to BMC Helix Continuous Optimization from the all_images.txt file into the lp0oz_images.txt file.
    8. Save all the .txt files that you created in utilities/push_to_repo.
    9. Log in to the DMZ Harbor registry and perform the following steps to create a new project:
      1. Select Projects and then click NEW PROJECT.
      2. In the New Project window, specify the following values:
        • Project Name: Enter a name; for example, bmcDMZ.
        • Access Level: Select the Public check box.
      3. Click OK.
    10. Open the push_to_custom_repo.sh file and update the following parameter values:

      • SOURCE_DOCKER_REPO: Specify the URL of the local Harbor registry.
      • SOURCE_DOCKER_PASSWORD: Specify the password that you set to access the local Harbor registry.
      • SOURCE_DOCKER_USER: Specify the user ID that you use to log in to the local Harbor registry.
      • IMAGE_REGISTRY_HOST: Specify the host name of your DMZ Harbor registry.
        Important: Do not specify the host path; specify only the host name. For example, IMAGE_REGISTRY_HOST=value-investing.cluster3.bmc.com
      • IMAGE_REGISTRY_PASSWORD: Specify a password to log in to your DMZ Harbor registry.
      • IMAGE_REGISTRY_USERNAME: Specify a user name to log in to your DMZ Harbor registry.
      • IMAGE_REGISTRY_PROJECT: Specify the name of the project that you created; for example, bmcDMZ.
      • IMAGE_REGISTRY_ORG: Specify the source repository name; for example, lp0lz.

    11. Run the push_to_custom_repo.sh file by using the following command:

      Important: Before you run the push_to_custom_repo.sh file, make sure that you have installed the Docker Engine. For more information, see System requirements for the Harbor registry.

      ./push_to_custom_repo.sh
    12. Repeat steps 10 and 11 to synchronize images for each source repository for which you are licensed:
      For example, if you are licensed for BMC Helix Operations Management (lp0mz) and BMC Helix Continuous Optimization (lp0pz), repeat steps 10 and 11 to synchronize images for lp0mz, and then repeat steps 10 and 11 to synchronize images for lp0pz.

      • bmc/lp0lz

      • bmc/lp0oz

      • bmc/lp0pz

      • bmc/lp0mz

      • bmc/la0cz


    Important: After you synchronize the Harbor registry in an air-gapped environment or DMZ with a local Harbor registry, make sure that you close the proxy.
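As an added example, not BMC's push_to_custom_repo.sh or any Harbor tooling, the following POSIX shell script shows the image-list handling that both push stages above rely on (steps 6 and 9 to 10 of part 1, and steps 7 and 10 to 11 of part 3): it splits a constructed all_images.txt into a per-organization file such as lp0lz_images.txt, stripping CRLF line endings the way the dos2unix step does, and prints the pull/tag/push commands that would mirror that list into the <host>/<project>/<org>/<image> layout that the deployment.config table refers to as bmc/lp0lz. The registry host harbor.example.internal, the project bmc and every image name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not BMC's push_to_custom_repo.sh: split all_images.txt into
# per-organization lists and emit the mirroring commands for one of them.

# Constructed sample in the all_images.txt format assumed here: one
# "<org>/<image>:<tag>" reference per line. Image names are placeholders.
SAMPLE_IMAGES='lp0lz/example-platform-svc:1.0.0
lp0lz/example-platform-db:1.0.0
lp0mz/example-bhom-svc:1.0.0
la0cz/example-aiops-svc:1.0.0'

# split_images_by_org <all_images_file> <org>
# Strips CR characters (the dos2unix step) so a CRLF file still matches,
# writes <org>_images.txt, and prints the number of entries kept.
split_images_by_org() {
    all="$1"; org="$2"; out="${org}_images.txt"
    tr -d '\r' < "$all" | grep "^${org}/" > "$out" || true
    wc -l < "$out" | tr -d ' '
}

# mirror_commands <images_file> <source_repo> <registry_host> <project>
# Prints, without running them, the docker commands that retag each image
# into <registry_host>/<project>/<org>/<image>:<tag>; this is why the
# deployment.config registry value later reads "<project>/<org>" (bmc/lp0lz).
mirror_commands() {
    while IFS= read -r img; do
        [ -n "$img" ] || continue
        printf 'docker pull %s/%s\n' "$2" "$img"
        printf 'docker tag %s/%s %s/%s/%s\n' "$2" "$img" "$3" "$4" "$img"
        printf 'docker push %s/%s/%s\n' "$3" "$4" "$img"
    done < "$1"
}

# Work in a scratch directory; write the sample with CRLF endings, as a file
# downloaded on Windows would have, to show that the CR stripping matters.
workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_IMAGES" | awk '{ printf "%s\r\n", $0 }' > "$workdir/all_images.txt"
cd "$workdir" || exit 1

split_images_by_org all_images.txt lp0lz    # prints 2
# harbor.example.internal and project bmc are assumed values for the local Harbor.
mirror_commands lp0lz_images.txt containers.bmc.com harbor.example.internal bmc
```

For the DMZ stage in part 3, the same functions apply with the local Harbor's host and project (for example harbor.example.internal/bmc) as the source repository and the DMZ registry as the destination.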


