Environment Setup with an Existing RHEL VM
This guide helps you prepare your VMware vSphere airgap environment for Palette installation using an existing Red Hat Enterprise Linux (RHEL) VM.
You will learn how to execute an appliance binary in your VM that installs the necessary tools to deploy an OCI registry for hosting Palette images and assists in starting the Palette installation.
This guide is for preparing your airgap environment only. For instructions on installing Palette on VMware, refer to the Install Palette guide.
Limitations
- Currently,
9.4
is the only supported RHEL version.
Prerequisites
-
An RHEL airgap VM deployed in your VMware vSphere. The VM must be registered with Red Hat and have ports
80
and443
available. This guide uses RHEL version9.4
as an example. -
The RHEL VM must have a Fully Qualified Domain Name (FQDN) that is DNS resolvable and must be accessible via SSH.
-
The RHEL VM must have Podman installed.
-
An HTTP file server installed within the RHEL VM to host the Palette files. The file server must serve files from the
/var/www/html
directory and have SSL support enabled. Below is a list of common file servers. This guide uses Apache as an example.warningTake the necessary steps to secure your file server and ensure it can automatically recover from failure. The file server is a critical component of the airgap installation and must be available post-install for Palette to function properly.
-
Review the required vSphere permissions and ensure you have created the proper custom roles and zone tags. Zone tagging enables dynamic storage allocation across fault domains when provisioning workloads that require persistent storage. Refer to Zone Tagging for information.
-
The following artifacts must be available in the root home directory of the RHEL airgap VM. You can download the files in a system with internet access and then transfer them to your airgap environment. Contact your Palette support representative to obtain the latest version of each artifact.
- RHEL airgap appliance binary.
- Palette airgap installation binary.
Prepare for Airgap Installation
-
Log in to your vCenter environment.
-
Create a vSphere template folder named
spectro-templates
. Ensure you can access this folder with the user account you plan to use when deploying the Palette installation. -
Right-click on your cluster or resource group and select Deploy OVF Template.
-
In the Deploy OVF Template wizard, enter the following URL to import the Operating System (OS) and Kubernetes distribution OVA required for the Palette nodes creation. Refer to the Kubernetes Requirements section to learn if the version of Palette you are installing requires a new OS and Kubernetes OVA.
/enterprise-version/install-palette#kubernetes-requirements- Non-FIPS
- FIPS
https://vmwaregoldenimage-console.s3.amazonaws.com/u-2204-0-k-1294-0.ova
https://vmwaregoldenimage-console.s3.amazonaws.com/u-2004-0-k-1294-fips.ova
Place the OVA in the spectro-templates folder. Append the
r_
prefix, and remove the.ova
suffix when assigning its name and target location. For example, the final output should look liker_u-2204-0-k-1294-0
. This naming convention is required for the installation process to identify the OVA. Refer to the Additional Packs page for a list of additional OS and Kubernetes OVAs.You can terminate the deployment after the OVA is available in the
spectro-templates
folder. Refer to the Deploy an OVF or OVA Template guide for more information about deploying an OVA in vCenter.warningIf you encounter an error message during the OVA deployment stating that vCenter is unable to retrieve a manifest or certificate, refer to this known issue from VMware's knowledge base for guidance on how to resolve the issue.
-
Open a terminal window and SSH into the RHEL airgap VM as a root user with the command below. Replace
/path/to/private_key
with the path to your private SSH key,docs
with the username, andpalette.example.com
with the FQDN of the RHEL airgap VM.ssh -i /path/to/private_key docs@palette.example.com
-
Switch to the
root
user account to complete the remaining steps.sudo --login
-
Set the VM timezone to Coordinated Universal Time (UTC).
timedatectl set-timezone UTC
-
Ensure that ports
80
and443
are not in use by your file server, as these ports will be used by the Harbor registry that will be installed later.Open the
/etc/httpd/conf.d/ssl.conf
file and make the following changes:- Replace the line
Listen 443 https
withListen 8443 https
. - Replace the line
<VirtualHost _default_:443>
with<VirtualHost _default_:8443>
.
Save and exit the file.
- Replace the line
-
Next, open the
/etc/httpd/conf/httpd.conf
file and replace the lineListen 80
withListen 8080
. Save and exit the file. -
Restart the Apache HTTP server to apply the configuration changes.
systemctl restart httpd.service
-
Allow TCP traffic on ports
80
,8080
,443
, and8443
, then reload the firewall.firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --permanent --add-port=8443/tcp
firewall-cmd --reloadThe output displays a success message.
success
-
Set the
AIRGAP_BUILD
variable astrue
. This is required for the RHEL airgap appliance binary.export AIRGAP_BUILD=true
-
Start the RHEL airgap appliance binary, which installs the tools and configures the manifests that are required to set up the Harbor registry and push images. Replace
<version>
with the version of the binary received from the support team.chmod +x ./airgap-appliance-<version>-rhel-podman.bin && ./airgap-appliance-<version>-rhel-podman.bin
Consider the following example for reference.
chmod +x ./airgap-appliance-v4.4.2-rhel-podman.bin && ./airgap-appliance-v4.4.2-rhel-podman.bin
Verifying archive integrity... 100% MD5 checksums are OK. All good.
Uncompressing Airgap Appliance Setup - 4.4.2 100%
Setting up directories and certs
warning: /opt/spectro/pwgen-2.08-3.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
Verifying... ################################# [100%]
Preparing... ################################# [100%]
Updating / installing...
1:pwgen-2.08-3.el8 ################################# [100%]
Skipping setting up Nginx and Podman for airgap
Installing Podman
Setting up Harbor
Setting up oras and jq
Setting up Manifests
Cleaning up setup files
Reboot the system for selinux changes to take effect -
Reboot your RHEL VM to apply the changes.
reboot
Your SSH connection will be terminated.
-
Start a new SSH session and switch to
sudo
mode before proceeding.sudo --login
-
Issue the following command to configure the Harbor registry. Replace
palette.example.com
with the FQDN of the RHEL airgap VM. The script will generate a self-signed certificate for the value you provide./bin/airgap-setup.sh palette.example.com
The script output should look similar to the example below. It contains the credentials and values you will need when completing the installation with the Palette CLI. If you need to review this information in the future, invoke the script again.
Setting up SSL Certs
/opt/spectro/functions.sh: line 118: /etc/nginx/.htpasswd: No such file or directory
chmod: cannot access '/etc/nginx/.htpasswd': No such file or directory
mkdir: cannot create directory ‘/etc/nginx/ssl’: No such file or directory
cp: target '/etc/nginx/ssl' is not a directory
Setting up Harbor
setenforce is /usr/sbin/setenforce
Setup Completed
Details:
-------
Spectro Cloud Repository
Location: https://palette.example.com:8443
UserName: spectro
Password: **************
CA certificate filepath: /opt/spectro/ssl/server.crt
Pack OCI Registry
Endpoint: https://palette.example.com
Base Content Path: spectro-packs
CA certificate Filepath: /opt/spectro/ssl/server.crt
Username: admin
Password: **************
Image OCI Registry
Endpoint: https://palette.example.comv
Base Content Path: spectro-images
CA certificate Filepath: /opt/spectro/ssl/server.crt
Username: admin
Password: ************** -
Update the SSL certificate file and key in the httpd service.
warningYou can skip this step if you do not plan to use the local Spectro Cloud Artifact Repository (SCAR) during the Palette installation process.
Open the
/etc/httpd/conf.d/ssl.conf
file and add the path to the certificate and key generated in step 15 of this guide:- Replace the line
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
withSSLCertificateFile /opt/spectro/ssl/server.crt
. - Replace the line
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
withSSLCertificateKeyFile /opt/spectro/ssl/server.key
.
Save and exit the file. Next, restart the HTTP server to apply the changes.
systemctl restart httpd.service
- Replace the line
-
Start the Palette installation binary, which uploads release-specific Palette images and packs to the Harbor registry. Replace
<version>
with the version of the binary received from the support team.chmod +x airgap-<version>.bin && ./airgap-<version>.bin
Consider the following example for reference.
chmod +x airgap-4-4-14.bin && ./airgap-4-4-14.bin
This step may take some time to complete. A
Setup Completed
message confirms it is finished.Verifying archive integrity... 100% MD5 checksums are OK. All good.
Uncompressing Airgap Setup - Version 4.4.14 100%
Setting up CLI
Setting up Manifests
Setting up Packs
...
Setup Completed -
Grant the Apache user and group the necessary permissions to serve the files in the
/var/www/html
directory.chown -R apache.apache /var/www/html
Restart the HTTP server to apply the changes.
systemctl restart httpd.service
-
Review the Additional Packs page and identify any additional packs you want to add to your registry. You can also add additional packs after the installation is complete.
You have now completed the preparation steps for an airgap installation. Check out the Validate section to ensure the airgap setup process is completed successfully. After you validate the airgap setup process, review the Next Steps.
Do not power off the RHEL VM. The RHEL VM is required for Palette to function properly and must remain available at all times. If for some reason the VM is powered off, power the VM back on and restart the required services.
Switch to sudo
mode and restart the file server.
sudo --login
systemctl restart httpd
Next, navigate to the /opt/spectro/harbor directory and issue the following command to restart the registry.
docker compose up --detach
Validate
-
SSH into the RHEL airgap VM as a root user with the command below. Replace
/path/to/private_key
with the path to the private SSH key,docs
with the username, andpalette.example.com
with the FQDN of the RHEL airgap VM.ssh -i /path/to/private_key docs@palette.example.com
-
Switch to the
root
user account.sudo --login
-
Issue the following command to validate that you have successfully completed the airgap setup process. Replace
palette.example.com
with the FQDN of the RHEL airgap VM.bin/airgap-setup.sh palette.example.com
The output must include the registry location and credentials, which must be accessible from within your environment.
Setting up SSL Certs
/opt/spectro/functions.sh: line 118: /etc/nginx/.htpasswd: No such file or directory
chmod: cannot access '/etc/nginx/.htpasswd': No such file or directory
mkdir: cannot create directory ‘/etc/nginx/ssl’: No such file or directory
cp: target '/etc/nginx/ssl' is not a directory
Setting up Harbor
setenforce is /usr/sbin/setenforce
Setup Completed
Details:
-------
Spectro Cloud Repository
Location: https://palette.example.com:8443
UserName: spectro
Password: **************
CA certificate filepath: /opt/spectro/ssl/server.crt
Pack OCI Registry
Endpoint: https://palette.example.com
Base Content Path: spectro-packs
CA certificate Filepath: /opt/spectro/ssl/server.crt
Username: admin
Password: **************
Image OCI Registry
Endpoint: https://palette.example.comv
Base Content Path: spectro-images
CA certificate Filepath: /opt/spectro/ssl/server.crt
Username: admin
Password: **************
Next Steps
You are now ready to deploy Palette in an airgapped environment with the Palette CLI. As a root user, issue the Palette CLI command below to start the installation.
palette ec install
Complete all the Palette CLI steps outlined in the Install guide from the RHEL VM.
The following table maps the airgap script output values to their respective Palette CLI prompts and example values. The example values are for reference only.
Output Value | Palette CLI Prompt | Example Value |
---|---|---|
Spectro Cloud Repository Location | SCAR Location | https://palette.example.com:8443 |
CA certificate filepath | SCAR CA certificate filepath | /opt/spectro/ssl/server.crt |
OCI Registry | Registry Type | OCI |
Pack OCI Registry | Registry Endpoint | https://palette.example.com |
CA certificate Filepath | Registry CA certificate filepath | /opt/spectro/ssl/server.crt |
Image OCI Registry | Registry Endpoint | https://palette.example.com |
CA certificate Filepath | Registry CA certificate filepath | /opt/spectro/ssl/server.crt |
When prompted for Allow Insecure Connection (Bypass x509 Verification)?, enter n
to continue and specify the
server certificate file path from the script output.