Setting up a Harbor registry in an air-gapped environment and synchronizing it with BMC DTR

An air-gapped environment is a security measure for your system. You can access container images from an environment that is disconnected or physically isolated from unsecured networks such as the public internet. Such environments are called air-gapped environments.

The are various registries available, we have decided to document Harbor as one example which can be used as a template for other registry products.  We do not supply or support Harbor or any other registry product. It is the responsibility of the customer administrator to install, configure, and maintain the registry.

Harbor is an open-source registry that secures artifacts with policies and role-based access control. For more information, see the Harbor documentation.

The BMC Helix IT Operations Management ( BMC Helix ITOM ) container images are hosted on the BMC Docker Trusted Registry (DTR) which is available at containers.bmc.com.

If your repository is in a demilitarized zone (DMZ) or air-gapped environment and does not have direct access to the internet, use the information in this section to synchronize your repository with BMC DTR. 

Before you begin

  • Make sure you have downloaded the key to access the container images from the BMC Electronic Product Distribution ( EPD ) site.

  • Make sure that your system meets the following requirements to set up a Harbor registry:

To synchronize a Harbor registry in an air-gapped environment with  BMC DTR

  1. Set up and synchronize a Harbor registry in a local network with BMC DTR:
    1. Create a Harbor registry

      1. In your local system, download Harbor by using the following command:

        wget https://github.com/goharbor/harbor/releases/download/v<version>/harbor-offline-installer-v<version>.tgz

        Example:

        wget https://github.com/goharbor/harbor/releases/download/v2.1.4/harbor-offline-installer-v2.1.4.tgz

      2. Run the following command to unzip the TAR file:

        tar xvzf harbor-offline-installer*.tgz

      3. Go to the Harbor directory by using the following command:

        cd harbor

      4. Copy the configuration template by using the following command:

        cp harbor.yml.tmpl harbor.yml
      5. In the harbor.yml file, update the values for the following parameters:
        • hostname: Specify the name of system where you want to install Harbor.
        • harbor_admin_password: Specify the password for the Harbor system administrator.
          The  harbor.yml file contains a default password harbor_admin_password. You can modify the password.
        • database password: Specify the root password for the local database.
          The harbor.yml file contains a default database password. You can modify the password.

      6. Configure Harbor registry by using self-signed SSL certificates.
        See Configure HTTPS Access to Harbor in the Harbor documentation.

      7. Add the Harbor certificate to the trust store on all your Kubernetes nodes.
        Follow the Kubernetes documentation appropriate for your Kubernetes distribution.

      8. Run the following command to install the Harbor registry :

        ./install.sh

      9. Log in to verify that you can access the Harbor registry.
        Use the admin username and password to log in.

        Important

        The default Harbor installation does not include Notary and Clair services that are used for vulnerability scanning.

    2. Configure the Harbor registry
      1. In the Harbor admin UI, navigate to the Administration menu, and click Registries.

      2. Click NEW ENDPOINT, and specify the following field values:

        • ProviderDocker Registry
        • Endpoint URLhttps://containers.bmc.com
        • Access IDSupport user ID that you use to log in to EPD.
        • Access Secret: The container image access key specified in the container-token.bmc file that you downloaded from EPD.

        The following image shows an example configuration:
        harbor_registry_configuration.png

      3. Click OK.
        The configuration is saved and the configuration status is displayed as Healthy :

        registry_configuration_status.png

      Use this configuration in a replication rule to synchronize your local Harbor registry and BMC DTR.


    3. Synchronize the local Harbor registry with BMC DTR 
      1. Log in to the system where you downloaded and extracted the deployment manager helix-on-prem-deployment-manager-<BMC Helix ITOM release version>.sh
        For example, helix-on-prem-deployment-manager-23.2.02.sh
      2. Downloaded the all_images.txt file.
      3. Go to helix-on-prem-deployment-manager/utilities/push_to_repo.
      4. In the push_to_repo directory, copy the all_images.txt file.

      5. Convert the all_images.txt file to UNIX format by using the following command:

        dos2unix all_images.txt

      6. Create separate .txt files for the images that you want (for which you are licensed) to synchronize. 
        For example, if you want to synchronize the BMC Helix Platform common services images:

        1. Create a .txt file called lp0lz_images.txt
        2. Copy all the images related to BMC Helix Platform common services from the all_images.txt file into the lp0lz_images.txt file.

        Similarly, if you want to synchronize the BMC Helix Continuous Optimization images:

        1. Create a .txt file called lp0oz_images.txt
        2. Copy all the images related to BMC Helix Continuous Optimization from the all_images.txt file into the lp0oz_images.txt file.
      7. Save all the .txt files that you created in utilities/push_to_repo.
      8.  Log in to Harbor registry and perform the following steps to create a new project:
        1. Select Projects and then click NEW PROJECT.
          23.1.02_HarborCreateNewProject.png
        2. In the New Project window, specify the following values:
          • Project Name: Enter a name; for example, bmc.
          • Access Level: Select the Public check box.
            Leave the other values to their default.
            23.1.02_HarborCreateNewProject2.png
        3. Click OK.

      9. Open the push_to_custom_repo.sh file and update the following parameter values:

      10. Run the push_to_custom_repo.sh file by using the following command:

        Important

        Before you run the push_to_custom_repo.sh file, make sure that you have installed the Docker Engine. For more information, see System-requirements for the Harbor registry requirements.

        ./push_to_custom_repo.sh

      11. Repeat steps 9 and 10 to synchronize images for the resources for which you are licensed
        For example, if you are licensed for BMC Helix Operations Management (lp0mz) and BMC Helix Continuous Optimization (lp0pz), repeat the steps 9 and 10 to synchronize images for lp0mz and then repeat the steps 9 and 10 to synchronize images for lp0pz. 

        Source repository

        Registry in the deployment.config file

        Component

        bmc/lp0lz

        IMAGE_REGISTRY_ORG  

        CORE_IMAGE_REGISTRY_ORG

        BMC Helix Platform


        bmc/lp0oz

        IA_IMAGE_REGISTRY_ORG

        BMC Helix Intelligent Automation


        bmc/lp0pz

        OPTIMIZE_IMAGE_REGISTRY_ORG

        BMC Helix Continuous Optimization

        bmc/lp0mz

        BHOM_IMAGE_REGISTRY_ORG

        BMC Helix Operations Management


        bmc/la0cz

        AIOPS_IMAGE_REGISTRY_ORG

        BMC Helix AIOps


  2. Set up a Harbor registry in an air-gapped environment or DMZ:
    1. Create a Harbor registry

      1. In your local system, download Harbor by using the following command:

        wget https://github.com/goharbor/harbor/releases/download/v<version>/harbor-offline-installer-v<version>.tgz

        Example:

        wget https://github.com/goharbor/harbor/releases/download/v2.1.4/harbor-offline-installer-v2.1.4.tgz

      2. Run the following command to unzip the TAR file:

        tar xvzf harbor-offline-installer*.tgz

      3. Go to the Harbor directory by using the following command:

        cd harbor

      4. Copy the configuration template by using the following command:

        cp harbor.yml.tmpl harbor.yml
      5. In the harbor.yml file, update the values for the following parameters:
        • hostname: Specify the name of system where you want to install Harbor.
        • harbor_admin_password: Specify the password for the Harbor system administrator.
          The  harbor.yml file contains a default password harbor_admin_password. You can modify the password.
        • database password: Specify the root password for the local database.
          The harbor.yml file contains a default database password. You can modify the password.

      6. Configure Harbor registry by using self-signed SSL certificates.
        See Configure HTTPS Access to Harbor in the Harbor documentation.

      7. Add the Harbor certificate to the trust store on all your Kubernetes nodes.
        Follow the Kubernetes documentation appropriate for your Kubernetes distribution.

      8. Run the following command to install the Harbor registry :

        ./install.sh

      9. Log in to verify that you can access the Harbor registry.
        Use the admin username and password to log in.

        Important

        The default Harbor installation does not include Notary and Clair services that are used for vulnerability scanning.

    2. Configure the Harbor registry
      1. In the Harbor admin UI, navigate to the Administration menu, and click Registries.

      2. Click NEW ENDPOINT, and specify the following field values:

        • ProviderDocker Registry
        • Endpoint URLhttps://containers.bmc.com
        • Access IDSupport user ID that you use to log in to EPD.
        • Access Secret: The container image access key specified in the container-token.bmc file that you downloaded from EPD.

        The following image shows an example configuration:
        harbor_registry_configuration.png

      3. Click OK.
        The configuration is saved and the configuration status is displayed as Healthy :

        registry_configuration_status.png

      Use this configuration in a replication rule to synchronize your local Harbor registry and BMC DTR.


  3. Set up a proxy to enable communication between the local Harbor registry and the Harbor registry in an air-gapped environment or DMZ.
    We do not have a recommendation for this step. Use your preferred method to set up a proxy.

  4. Synchronize your Harbor registry in an air-gapped environment or DMZ with your local Harbor registry
    1. Log in to the Harbor registry in a DMZ.
    2. Navigate to a directory, download and extract the deployment manager helix-on-prem-deployment-manager-<BMC Helix ITOM release version>.sh
      • For example, helix-on-prem-deployment-manager-23.2.02.sh
    1. Make sure that you have downloaded the all_images.txt file.
    2. Go to helix-on-prem-deployment-manager/utilities/push_to_repo.
    3. In the push_to_repo directory, copy the all_images.txt file.

    4. Convert the all_images.txt file to UNIX format by using the following command:

      dos2unix all_images.txt

    5. Create separate .txt files for the images that you want (for which you are licensed) to synchronize. 
      For example, if you want to synchronize the BMC Helix Platform common services images:

      1. Create a .txt file called lp0lz_images.txt
      2. Copy all the images related to BMC Helix Platform common services from the all_images.txt file into the lp0lz_images.txt file.

      Similarly, if you want to synchronize the BMC Helix Continuous Optimization images:

      1. Create a .txt file called lp0oz_images.txt
      2. Copy all the images related to BMC Helix Continuous Optimization from the all_images.txt file into the lp0oz_images.txt file.
    6. Save all the .txt files that you created in utilities/push_to_repo.
    7. Log in to DMZ Harbor registry and perform the following steps to create a new project:
      1. Select Projects and then click NEW PROJECT.
      2. In the New Project window, specify the following values:
        • Project Name: Enter a name; for example, bmcDMZ.
        • Access Level: Select the Public check box.
      3. Click OK.

    8. Open the push_to_custom_repo.sh file and update the following parameter values:

    9. Run the push_to_custom_repo.sh file by using the following command:

      Important

      Before you run the push_to_custom_repo.sh  file, make sure that you have installed the Docker Engine. For more information, see System-requirements for the Harbor registry requirements.

      ./push_to_custom_repo.sh
    10. Repeat steps j and k to synchronize images for the source repository for which you are licensed:
      For example, if you are licensed for BMC Helix Operations Management (lp0mz) and BMC Helix Continuous Optimization (lp0pz) , repeat the steps and k to synchronize images for lp0mz and then repeat the steps and k to synchronize images for lp0pz.
      • bmc/lp0lz
      • bmc/lp0oz
      • bmc/lp0pz
      • bmc/lp0mz
      • bmc/la0cz




 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*