Setting up a Harbor registry in an air-gapped environment and synchronizing it with BMC DTR
An air-gapped environment is an environment that is disconnected or physically isolated from unsecured networks such as the public internet. This isolation is a security measure for your system. You can access container images from an air-gapped environment.
Various registries are available. We have decided to document Harbor as one example, which can be used as a template for other registry products. We do not supply or support Harbor or any other registry product. It is the responsibility of the customer administrator to install, configure, and maintain the registry.
Harbor is an open-source registry that secures artifacts with policies and role-based access control. For more information, see the Harbor documentation.
The BMC Helix IT Operations Management (BMC Helix ITOM) container images are hosted on the BMC Docker Trusted Registry (DTR), which is available at docker.io.
If your repository is in a demilitarized zone (DMZ) or air-gapped environment and does not have direct access to the internet, use the information in this section to synchronize your repository with BMC DTR.
Before you begin
Make sure you have downloaded the key to access the container images from the BMC Electronic Product Distribution (EPD) site.
Make sure that your system meets the following requirements to set up a Harbor registry:
Requirement: Description
- Software: To learn about the software requirements for Harbor, see Harbor Installation Prerequisites in the Harbor documentation.
Important: Make sure the software versions match the version of Harbor that you want to install.
- Network port:
  - Port 443 with HTTPS protocol
  - Port 4443 with HTTPS protocol
  - Port 80 with HTTP protocol
- Hardware: Minimum 4 CPUs with 8 GB memory and 500 GB disk space.
The 500 GB disk space might be required while upgrading BMC Helix ITOM.
To synchronize a Harbor registry in an air-gapped environment with BMC DTR
- Set up and synchronize a Harbor registry in a local network with BMC DTR:
- Create a Harbor registry
- In your local system, download Harbor by using the following command:
wget https://github.com/goharbor/harbor/releases/download/v<version>/harbor-offline-installer-v<version>.tgz
Example:
wget https://github.com/goharbor/harbor/releases/download/v2.1.4/harbor-offline-installer-v2.1.4.tgz
- Run the following command to unzip the TAR file:
tar xvzf harbor-offline-installer*.tgz
- Go to the Harbor directory by using the following command:
cd harbor
- Copy the configuration template by using the following command:
cp harbor.yml.tmpl harbor.yml
- In the harbor.yml file, update the values for the following parameters:
- hostname: Specify the name of the system where you want to install Harbor.
- harbor_admin_password: Specify the password for the Harbor system administrator.
The harbor.yml file contains a default value for harbor_admin_password. You can modify the password.
- database password: Specify the root password for the local database.
The harbor.yml file contains a default database password. You can modify the password.
- Configure the Harbor registry by using self-signed SSL certificates.
See Configure HTTPS Access to Harbor in the Harbor documentation.
- Add the Harbor certificate to the trust store on all your Kubernetes nodes.
Follow the Kubernetes documentation appropriate for your Kubernetes distribution.
- Run the following command to install the Harbor registry:
./install.sh
- Log in to verify that you can access the Harbor registry.
Use the admin username and password to log in.
- Configure the Harbor registry
- In the Harbor admin UI, navigate to the Administration menu, and click Registries.
Click NEW ENDPOINT, and specify the following field values:
- Provider: Docker Registry
- Endpoint URL: https://registry-1.docker.io
- Access ID: Specify the user ID generated with the Personal Access Token (PAT).
- Access Secret: Specify the Personal Access Token (PAT) that you generated from Docker.
For information on how to generate the token, see Downloading the deployment manager.
- Click OK.
The configuration is saved and the configuration status is displayed as Healthy.
Use this configuration in a replication rule to synchronize your local Harbor registry and BMC DTR.
- Synchronize the local Harbor registry with BMC DTR
- Log in to the system where you downloaded and extracted the deployment manager helix-on-prem-deployment-manager-<BMC Helix ITOM release version>.sh
For example, helix-on-prem-deployment-manager-25.1.sh
- Download the file.
- Go to helix-on-prem-deployment-manager/utilities/push_to_repo.
- In the push_to_repo directory, copy the all_images_25.1.txt file.
- Rename all_images_25.1.txt to all_images.txt.
- Log in to the Harbor registry and perform the following steps to create a new project:
- Select Projects and then click NEW PROJECT

- In the New Project window, specify the following values:
- Project Name—Enter a name; for example, bmc.
- Access Level—Select the Public check box.
Leave the other parameters at their default values.
- Click OK.
- Download the push_to_custom_repo.sh file.
- Replace the existing file at helix-on-prem-deployment-manager/utilities/push_to_repo with the downloaded push_to_custom_repo.sh file.
- To give execution permission to push_to_custom_repo.sh, run the following command:
chmod +x push_to_custom_repo.sh
- Run the following command to convert the file to UNIX format:
dos2unix push_to_custom_repo.sh
- Open the push_to_custom_repo.sh file and update the following parameter values:
Parameter: Description
- SOURCE_DOCKER_REPO: Specify the value as docker.io.
- SOURCE_DOCKER_PASSWORD: Specify the Personal Access Token (PAT) that you generated from Docker.
- SOURCE_DOCKER_USER: Specify the user ID generated with the Personal Access Token (PAT).
- IMAGE_REGISTRY_HOST: Specify the host name of your local registry.
Important: Do not specify the host path name; specify only the host name.
For example, IMAGE_REGISTRY_HOST=value-investing.cluster3.bmc.com.
- IMAGE_REGISTRY_PASSWORD: Specify a password to log in to your local registry.
- IMAGE_REGISTRY_USERNAME: Specify a user name to log in to your local registry.
- IMAGE_REGISTRY_PROJECT: Specify the name of the project that you created; for example, BMC.
- Run the push_to_custom_repo.sh file by using the following command, and provide the image repository names as comma-separated arguments based on the products you want to install and your licenses:
./push_to_custom_repo.sh <list of image repository names separated by commas>
BMC repository: Repository content
- lp0lz: BMC Helix Platform images
- lp0oz: BMC Helix Intelligent Automation images
- lp0pz: BMC Helix Continuous Optimization images
- lp0mz: BMC Helix Operations Management on-premises images
- la0cz: BMC Helix AIOps images
Example:
./push_to_custom_repo.sh la0cz,lp0lz,lp0mz,lp0oz,lp0pz
- Set up a Harbor registry in an air-gapped environment or DMZ:
- Create a Harbor registry
- In your local system, download Harbor by using the following command:
wget https://github.com/goharbor/harbor/releases/download/v<version>/harbor-offline-installer-v<version>.tgz
Example:
wget https://github.com/goharbor/harbor/releases/download/v2.1.4/harbor-offline-installer-v2.1.4.tgz
- Run the following command to unzip the TAR file:
tar xvzf harbor-offline-installer*.tgz
- Go to the Harbor directory by using the following command:
cd harbor
- Copy the configuration template by using the following command:
cp harbor.yml.tmpl harbor.yml
- In the harbor.yml file, update the values for the following parameters:
- hostname: Specify the name of the system where you want to install Harbor.
- harbor_admin_password: Specify the password for the Harbor system administrator.
The harbor.yml file contains a default value for harbor_admin_password. You can modify the password.
- database password: Specify the root password for the local database.
The harbor.yml file contains a default database password. You can modify the password.
- Configure the Harbor registry by using self-signed SSL certificates.
See Configure HTTPS Access to Harbor in the Harbor documentation.
- Add the Harbor certificate to the trust store on all your Kubernetes nodes.
Follow the Kubernetes documentation appropriate for your Kubernetes distribution.
- Run the following command to install the Harbor registry:
./install.sh
- Log in to verify that you can access the Harbor registry.
Use the admin username and password to log in.
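The harbor.yml step in both registry setups above leaves hostname, harbor_admin_password and the database password at the values copied from harbor.yml.tmpl unless they are edited. The following shell check is an added example, not part of the BMC or Harbor documentation; it compares harbor.yml with the template before ./install.sh is run, and its function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not BMC or Harbor code): report harbor.yml settings that
# still equal harbor.yml.tmpl. Assumes the database password is the
# "password" key under the top-level "database:" section.

# yaml_value FILE KEY [SECTION]: print top-level KEY, or KEY under SECTION.
yaml_value() {
    awk -v key="$2" -v section="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        /^[^ \t]/ {                            # a top-level key starts here
            top = $0; sub(/:.*/, "", top)
            in_section = (top == section)
            if (section != "" || top != key) next
            found = 1
        }
        !found && in_section {                 # indented key inside SECTION
            k = $0; sub(/^[ \t]+/, "", k); sub(/:.*/, "", k)
            if (k == key) found = 1
        }
        found { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+#.*$/, ""); print; exit }
    ' "$1"
}

# check_harbor_config CONFIG TEMPLATE: return 0 only if hostname,
# harbor_admin_password and database.password all differ from the template.
check_harbor_config() {
    status=0
    for spec in hostname: harbor_admin_password: password:database; do
        key=${spec%%:*}; section=${spec#*:}
        new=$(yaml_value "$1" "$key" "$section")
        old=$(yaml_value "$2" "$key" "$section")
        if [ -z "$new" ] || [ "$new" = "$old" ]; then
            echo "unchanged or empty: ${section:+$section.}$key" >&2
            status=1
        fi
    done
    return "$status"
}

# Constructed sample files (placeholder values, not the real template).
demo=$(mktemp -d)
printf '%s\n' 'hostname: tmpl.example' 'harbor_admin_password: TmplAdmin' \
    'database:' '  # local database' '  password: TmplDb' > "$demo/harbor.yml.tmpl"
printf '%s\n' 'hostname: harbor.lab.example' 'harbor_admin_password: TmplAdmin' \
    'database:' '  password: S3t-by-admin' > "$demo/harbor.yml"
check_harbor_config "$demo/harbor.yml" "$demo/harbor.yml.tmpl" \
    || echo "harbor.yml still carries template values; edit it before ./install.sh"
```

In the Harbor directory, the call is check_harbor_config harbor.yml harbor.yml.tmpl.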
- Configure the Harbor registry
- In the Harbor admin UI, navigate to the Administration menu, and click Registries.
Click NEW ENDPOINT, and specify the following field values:
- Provider: Docker Registry
- Endpoint URL: https://registry-1.docker.io
- Access ID: Specify the user ID generated with the Personal Access Token (PAT).
- Access Secret: Specify the Personal Access Token (PAT) that you generated from Docker.
For information on how to generate the token, see Downloading the deployment manager.
- Click OK.
The configuration is saved and the configuration status is displayed as Healthy.
Use this configuration in a replication rule to synchronize your local Harbor registry and BMC DTR.
- Set up a proxy to enable communication between the local Harbor registry and the Harbor registry in an air-gapped environment or DMZ.
We do not have a recommendation for this step. Use your preferred method to set up a proxy.
- Synchronize your Harbor registry in an air-gapped environment or DMZ with your local Harbor registry.
- Log in to the Harbor registry in a DMZ.
- Navigate to a directory, download and extract the deployment manager helix-on-prem-deployment-manager-<BMC Helix ITOM release version>.sh
- For example, helix-on-prem-deployment-manager-25.1.sh
- Download the file.
- Go to helix-on-prem-deployment-manager/utilities/push_to_repo.
- In the push_to_repo directory, copy the all_images_25.1.txt file.
- Rename all_images_25.1.txt to all_images.txt.
- Convert the all_images.txt file to UNIX format by using the following command:
dos2unix all_images.txt
- Create separate .txt files for the images that you want to synchronize (and for which you are licensed).
For example, if you want to synchronize the BMC Helix Platform common services images:
- Create a .txt file called lp0lz_images.txt
- Copy all the images related to BMC Helix Platform common services from the all_images.txt file into the lp0lz_images.txt file.
Similarly, if you want to synchronize the BMC Helix Continuous Optimization images:
- Create a .txt file called lp0oz_images.txt
- Copy all the images related to BMC Helix Continuous Optimization from the all_images.txt file into the lp0oz_images.txt file.
- Save all the .txt files that you created in utilities/push_to_repo.
- Log in to the DMZ Harbor registry and perform the following steps to create a new project:
- Select Projects and then click NEW PROJECT.
- In the New Project window, specify the following values:
- Project Name: Enter a name; for example, bmcDMZ.
- Access Level: Select the Public check box.
- Click OK.
- Open the push_to_custom_repo.sh file and update the following parameter values:
Parameter: Description
- SOURCE_DOCKER_REPO: Specify the URL of the local Harbor registry.
- SOURCE_DOCKER_PASSWORD: Specify the password that you had set to access the local Harbor registry.
- SOURCE_DOCKER_USER: Specify the user ID that you use to log in to the local Harbor registry.
- IMAGE_REGISTRY_HOST: Specify the URL of your DMZ Harbor registry.
Important: Do not specify the host path; specify only the host name.
For example: IMAGE_REGISTRY_HOST=value-investing.cluster3.bmc.com
- IMAGE_REGISTRY_PASSWORD: Specify a password to log in to your DMZ Harbor registry.
- IMAGE_REGISTRY_USERNAME: Specify a user name to log in to your DMZ Harbor registry.
- IMAGE_REGISTRY_PROJECT: Specify the project that you created; for example, bmcDMZ.
- IMAGE_REGISTRY_ORG: Specify the source repository name; for example, lp0lz.
- Run the push_to_custom_repo.sh file by using the following command:
./push_to_custom_repo.sh
- Repeat steps j and k to synchronize images for each source repository for which you are licensed.
For example, if you are licensed for BMC Helix Operations Management (lp0mz) and BMC Helix Continuous Optimization (lp0pz), repeat steps j and k to synchronize images for lp0mz, and then repeat steps j and k to synchronize images for lp0pz.
- bmc/lp0lz
- bmc/lp0oz
- bmc/lp0pz
- bmc/lp0mz
- bmc/la0cz
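The step above that creates one .txt file per licensed repository from all_images.txt can be scripted so that only the selected repositories are carried into the DMZ registry. This is an added example, not a BMC utility; it assumes each line of all_images.txt is an image reference that contains the repository code as a path component (for example bmc/lp0lz:<tag>), and the function name and sample lines are constructed.

```shell
#!/bin/sh
# Added example (not a BMC utility): split all_images.txt into
# <repo>_images.txt files for the licensed repositories only.
# Assumption: each line is an image reference containing the repository
# code as a path component, for example bmc/lp0lz:<tag>.

# split_images LIST REPO...: write one file per REPO next to LIST.
# Returns 1 if any requested REPO matches no line in LIST.
split_images() {
    list=$1; shift
    dir=$(dirname "$list"); rc=0
    for repo in "$@"; do
        out="$dir/${repo}_images.txt"
        # tr drops CRs (the dos2unix step); grep keeps only lines where the
        # code is a whole path component, so a longer name cannot match.
        tr -d '\r' < "$list" | grep -E "(^|/)${repo}(:|/|@)" > "$out" || {
            echo "no images found for $repo" >&2
            rm -f "$out"; rc=1
        }
    done
    return "$rc"
}

# Constructed sample list with CRLF line endings (tags are placeholders).
work=$(mktemp -d)
printf '%s\r\n' 'bmc/lp0lz:sample-tag-a' 'bmc/lp0lz:sample-tag-b' \
    'bmc/lp0mz:sample-tag-c' 'bmc/la0cz:sample-tag-d' > "$work/all_images.txt"
split_images "$work/all_images.txt" lp0lz lp0mz
wc -l "$work"/*_images.txt
```

A repository code that matches nothing makes the function return 1 and leaves no empty file behind, so a mistyped code is caught before push_to_custom_repo.sh runs.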