Overview
Prepare a dedicated virtual machine that hosts the "Offline Depot". Once the virtual machine is ready and configured, point the VCF instances to the "Offline Depot".
The Offline Bundle Transfer Utility (OBTU) tool provides:
Out of scope:
Offline depot deployment and configuration
Virtual Requirements
Requirements
OS: Linux or Windows (the web server examples on this page use Photon OS 5 Linux).
HDD: a separate disk of at least 1 TB dedicated to the Offline Depot storage.
TLS: a web server with TLS 1.2 and TLS 1.3 support.
Bundles Download
--setUpOfflineDepot (mandatory) - sets up an offline depot for VSRN. If the optional downloadPartnerBundle argument is also provided, the VXRAIL bundles are downloaded too;
--offlineDepotRootDir (mandatory) - the download directory where the downloaded files are saved. If you use the same machine as the internal depot host, this can be the “Document root” folder of your HTTP server;
--offlineDepotUrl (mandatory) - the URL that will be used for the web server;
--depotUser (mandatory) - the user used to connect to the VMware depot;
--depotUserPasswordFile (mandatory) - the path of a file containing the password for the VMware depot user. Create the file manually; it must contain only the plain-text password and must be readable only by the user that runs the OBTU tool (no group or world permissions);
--sourceVersion (optional) - the source version (in the format x.x.x.x) of the bundles to download; if it is not provided, the default is 4.1.0.0;
--ceip (optional) - enrolls the customer in the Customer Experience Improvement Program; if this parameter is provided, CEIP is enabled;
--skipAriaBundles (optional) - skips the Aria bundle download;
--asyncPatches (optional) - also downloads the "Product version catalog" file and all async patch bundles;
--partnerDepotUser (mandatory for the VxRail scenario only) - the user used to connect to the Dell depot;
--partnerDepotUserPasswordFile (mandatory for the VxRail scenario only) - the path of a file containing the password for the Dell depot user. Create it manually with the same content and permission rules as the --depotUserPasswordFile file: plain-text password only, readable only by the user that runs the OBTU tool.
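Both password-file arguments above require a plain-text secret that only the OBTU user can read. The helper below is an added example, not part of OBTU or of the original page: it writes such a file under a restrictive umask (so the file never exists with wider permissions, even briefly), takes the password from stdin rather than from an argument that would show up in the process list and shell history, and then verifies mode and owner the way OBTU expects them. The file path is the page's placeholder; the checks assume GNU coreutils "stat" as found on Linux.

```shell
#!/bin/sh
# Added example, not part of the original page or of OBTU.
# Creates the file expected by --depotUserPasswordFile (and
# --partnerDepotUserPasswordFile): plain text, readable only by the user
# that will run OBTU. Assumes GNU coreutils "stat" (Linux).

# write_password_file <path>
# Reads the password (first line) from stdin and stores it in <path>
# with mode 0400. Any pre-existing file is removed first so that stale,
# wider permissions cannot survive the rewrite.
write_password_file() {
    file=$1
    IFS= read -r secret || [ -n "$secret" ] || return 1
    rm -f "$file" || return 1
    # umask 077 applies to the create itself, so the file is never 0644,
    # not even for the instant between creation and chmod.
    ( umask 077 && printf '%s' "$secret" > "$file" ) || return 1
    chmod 0400 "$file"
}

# password_file_ok <path>
# Returns 0 only if <path> is a regular file with mode 0400 owned by the
# user running this check (i.e. the account that will run OBTU).
password_file_ok() {
    file=$1
    [ -f "$file" ] || return 1
    [ "$(stat -c '%a' "$file")" = "400" ] || return 1
    [ "$(stat -c '%U' "$file")" = "$(id -un)" ]
}

# Usage: ./make-password-file.sh /some/directory/password.file
# (the password is read from stdin; the path is the page's placeholder)
if [ $# -eq 1 ]; then
    write_password_file "$1" && password_file_ok "$1" && echo "ok: $1"
fi
```

Run the helper as the same account that will later execute lcm-bundle-transfer-util; if OBTU runs as a different user, the 0400 mode makes the file unreadable to it, which is exactly the failure the owner check reports.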
Examples of the CLI commands:
To download the VSRN bundles a customer can use:
./lcm-bundle-transfer-util --setUpOfflineDepot --offlineDepotRootDir '/apache/www' --offlineDepotUrl http://10.0.0.250:8282 --depotUser user --depotUserPasswordFile /some/directory/password.file --sourceVersion 4.5.1.0
To download the VSRN and VXRAIL bundles a customer can use:
./lcm-bundle-transfer-util --setUpOfflineDepot downloadPartnerBundle --offlineDepotRootDir '/apache/www' --offlineDepotUrl http://10.0.0.250:8282 --depotUser user --depotUserPasswordFile /some/directory/password.file --sourceVersion 4.5.0.0 --partnerDepotUser partner-user --partnerDepotUserPasswordFile /some/directory/partner-depot-password.file
To download the VSRN bundles and async patch bundles a customer can use:
NOTE: VxRail async patch bundles are currently not supported; the customer needs to follow the standard VxRail AP process.
./lcm-bundle-transfer-util --setUpOfflineDepot --offlineDepotRootDir '/apache/www' --offlineDepotUrl http://10.0.0.250:8282 --asyncPatches --depotUser user --depotUserPasswordFile /some/directory/password.file --sourceVersion 4.5.1.0
To clean up bundles below the given source version a customer can use:
./lcm-bundle-transfer-util --cleanUpOfflineDepot --sourceVersion 4.5.2.0 --offlineDepotRootDir '/apache/www'
To clean up bundles below the given source version along with the AsyncPatch bundles a customer can use:
./lcm-bundle-transfer-util --cleanUpOfflineDepot --sourceVersion 5.0.0.0 --offlineDepotRootDir '/apache/www' --asyncPatches
Internal Depot Setup
Below you can find instructions for setting up an Apache server on a freshly installed Photon OS 5 minimal installation. If your policy requires a different OS and/or HTTPS server, use the commands below as an example and adapt them to fit your needs.
The below example uses the path “/etc/httpd/html/” as a ‘Document root’ for the web server. If you are using a different path, please change it accordingly in the configuration files and in the below blocks/commands.
1TB free disk space is required in the ‘Document root’ directory.
Warning: All commands should be run as a root user or with “sudo” in front of them.
Open an SSH connection and update the OS:
tdnf update --assumeyes
Reboot the OS:
reboot
Open an SSH connection and install httpd and all dependencies:
tdnf install httpd --assumeyes
Create a temporary directory that will be used during certificate preparation:
mkdir /root/http-certificates
Generate a private key and a certificate signing request (CSR) for the certificate the HTTPS server will present.
openssl genpkey -out /root/http-certificates/server.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
openssl req -new -key /root/http-certificates/server.key -out /root/http-certificates/request.csr
Once you have the private key and the CSR, the certificate needs to be signed. The recommended option is to sign “request.csr” with the same Certificate Authority you use for the other certificates in your VCF environment. Alternatively, you can use the VMCA (the certificate authority of the vCenter Server) to sign “request.csr”.
Do one of the following, according to your company security policies:
Sign “request.csr” with your Certificate Authority.
Concatenate the issued certificate and its chain into one file, “server.crt”, in the following order (top to bottom): <machine certificate>, <intermediate certificate>, <root certificate>. All certificates must be Base64-encoded PEM.
Copy the resulting “server.crt” into the same directory (/root/http-certificates/) as the “server.key” and “request.csr” files on the internal depot machine.
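A chain pasted in the wrong order, or a certificate issued for a different key, only shows up once httpd is restarted and SDDC Manager fails to connect, so it is worth checking the bundle before it is installed. The script below is an added example (not from the page, OBTU or VCF): it confirms that the first certificate in “server.crt” belongs to “server.key”, that it carries the depot FQDN as a DNS subjectAltName (the FQDN is the name SDDC Manager will verify; it is passed as an argument and is an assumption of this example), and that every certificate in the file is issued by the one that follows it, which is the machine, intermediate, root order required above. It assumes OpenSSL 1.1.1 or newer (for “x509 -ext”) and a POSIX sh with awk.

```shell
#!/bin/sh
# Added example, not part of the original page or of VCF.
# Sanity-checks the server.key / server.crt pair before it is installed:
#   1. the first certificate in the bundle belongs to the private key,
#   2. that certificate names the depot FQDN as a DNS subjectAltName,
#   3. every certificate is issued by the one that follows it
#      (machine -> intermediate -> root, the order the page requires).
# Assumes OpenSSL 1.1.1 or newer ("x509 -ext") and POSIX sh + awk.

# split_pem <bundle> <dir>: writes cert001.pem, cert002.pem, ... into <dir>
# and prints how many certificates were found.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$1"
}

# name_of <cert> <-subject|-issuer>: RFC 2253 form, so names compare exactly
name_of() {
    openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 | sed 's/^[a-z]*=//'
}

# check_cert_bundle <server.key> <server.crt> <depot-fqdn>
# Returns 0 if all three checks pass; otherwise prints the reason on stderr.
check_cert_bundle() {
    key=$1 bundle=$2 fqdn=$3
    work=$(mktemp -d) || return 1
    n=$(split_pem "$bundle" "$work" 2>/dev/null)
    n=${n:-0}
    rc=1
    if [ "$n" -lt 1 ]; then
        echo "no PEM certificates found in $bundle" >&2
    elif [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" != \
          "$(openssl x509 -in "$work/cert001.pem" -pubkey -noout 2>/dev/null)" ]; then
        echo "first certificate in $bundle does not match $key" >&2
    elif ! openssl x509 -in "$work/cert001.pem" -noout -ext subjectAltName 2>/dev/null \
            | grep -Eq "DNS:$fqdn(,|[[:space:]]|$)"; then
        echo "first certificate in $bundle has no DNS SAN for $fqdn" >&2
    else
        rc=0
        i=1
        while [ "$i" -lt "$n" ]; do
            cur=$(printf '%s/cert%03d.pem' "$work" "$i")
            nxt=$(printf '%s/cert%03d.pem' "$work" $((i + 1)))
            if [ "$(name_of "$cur" -issuer)" != "$(name_of "$nxt" -subject)" ]; then
                echo "certificate $i is not issued by certificate $((i + 1)): check the chain order" >&2
                rc=1
                break
            fi
            i=$((i + 1))
        done
    fi
    rm -rf "$work"
    return "$rc"
}

# Usage (paths from the page, FQDN is an example value):
#   ./check-cert-bundle.sh /root/http-certificates/server.key \
#       /root/http-certificates/server.crt internal-depot.rainpole.io
if [ $# -eq 3 ]; then
    check_cert_bundle "$1" "$2" "$3" && echo "ok: $2 matches $1 and is chained in order"
fi
```

The key comparison is done on the public keys rather than on RSA moduli so the same check works unchanged if you later generate an EC key; the chain check compares issuer and subject names only, which is enough to catch a mis-ordered paste but is not a signature verification, so it does not replace validating the chain against your CA.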
Copy “server.key” and “server.crt” into “/etc/httpd/conf/” (the location the default “httpd-ssl.conf” refers to), then fix the permissions so that only root can read the key and certificate:
chmod 0400 /etc/httpd/conf/server.key && chown root:root /etc/httpd/conf/server.key
chmod 0400 /etc/httpd/conf/server.crt && chown root:root /etc/httpd/conf/server.crt
Edit the “/etc/httpd/conf/httpd.conf” file and set “ServerName” and “ServerAdmin” accordingly.
Enable HTTPS in the Apache Server - In the “/etc/httpd/conf/httpd.conf” file, remove the “#” symbol in front of the following lines:
“#LoadModule ssl_module /usr/lib/httpd/modules/mod_ssl.so”
“#LoadModule socache_shmcb_module /usr/lib/httpd/modules/mod_socache_shmcb.so”
“#Include conf/extra/httpd-ssl.conf”
You can use the following commands to make these changes automatically:
sed --in-place 's|#LoadModule ssl_module|LoadModule ssl_module|' /etc/httpd/conf/httpd.conf
sed --in-place 's|#LoadModule socache_shmcb_module|LoadModule socache_shmcb_module|' /etc/httpd/conf/httpd.conf
sed --in-place 's|#Include conf/extra/httpd-ssl.conf|Include conf/extra/httpd-ssl.conf|' /etc/httpd/conf/httpd.conf
Generate a user/password pair for the internal depot:
Note: This command overwrites the “/etc/httpd/conf/.htpasswd” file if it exists; change the file name if needed. To add further user/password pairs, omit the “-c” switch after the initial file creation. By default htpasswd stores an apr1 (MD5-based) hash; add the “-B” switch to store a bcrypt hash instead.
htpasswd -c /etc/httpd/conf/.htpasswd <username>
Set the .htpasswd file’s permissions:
Note: .htpasswd file should be owned by the user running the http process. For Photon OS 5 it is the “apache” user, please change accordingly based on your operating system.
chown apache /etc/httpd/conf/.htpasswd && chmod 0400 /etc/httpd/conf/.htpasswd
Insert the following lines in the “/etc/httpd/conf/extra/httpd-ssl.conf” file, above the last line of the file (the one reading “</VirtualHost>”):
Note: If you are using a Document root other than “/etc/httpd/html”, change all occurrences of “/etc/httpd/html” below so that they point to the Document root directory of your setup.
Note: If you changed the “/etc/httpd/conf/.htpasswd” file name in the previous step, make the same change below.
Note: The cookie and header comparisons below admit any client that sends the fixed values “ngssosession=ngsso-token” and “offline-depot-hcl-vcf”; they are compatibility gates for the VxRail and vSAN HCL paths named in the comments, not authentication. Restrict network access to the depot to the SDDC Manager and VxRail networks that need it.
Note: If the shipped httpd-ssl.conf still carries the Apache 2.4 default “SSLProtocol all -SSLv3”, TLS 1.0 and 1.1 remain enabled; to meet the TLS 1.2/1.3 requirement stated above, set “SSLProtocol -all +TLSv1.2 +TLSv1.3” in the same file.
########################
<Directory /etc/httpd/html/PROD2/evo/vmw>
# Basic Auth (VCF 4.x and 5.0)
AuthType Basic
AuthName "Basic Authentication"
AuthUserFile /etc/httpd/conf/.htpasswd
require valid-user
</Directory>
<Directory "/etc/httpd/html/PROD2/evo/vmw/Compatibility/VxrailCompatibilityData.json">
# VxRail VVS Cookie Validation (VCF 5.0)
<If "%{HTTP:Cookie} == 'ngssosession=ngsso-token' ">
Require all granted
</If>
</Directory>
<Directory /etc/httpd/html/PROD2/vsan/hcl>
<If "%{HTTP:X-vmw-esp-clientid} == 'offline-depot-hcl-vcf' ">
Require all granted
</If>
</Directory>
# These Alias statements are needed only for VCF 5.1.0.0.
Alias /products/v1/bundles/lastupdatedtime /etc/httpd/html/PROD2/vsan/hcl/lastupdatedtime.json
Alias /products/v1/bundles/all /etc/httpd/html/PROD2/vsan/hcl/all.json
###################
Validate the syntax of the httpd configuration files:
httpd -t
Start the http server:
systemctl start httpd
Check that the http server is started:
systemctl status httpd
Enable the http server on system startup:
systemctl enable httpd
Allow traffic to the web server in the firewall.
Edit the file “/etc/systemd/scripts/ip4save” and add the following line right after the line permitting SSH traffic (“-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT”):
Note: If you have changed the default HTTPS port, adjust the port in the line below accordingly.
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Restart the iptables service:
systemctl restart iptables
Open a web browser to the internal depot VM and verify that connection to https://<internal-depot-fqdn>/ can be established.
Clean up the directory used to generate the certificates:
rm -rf /root/http-certificates
Remove the default index file if it exists:
rm -rf /etc/httpd/html/index.html
Once you have copied the downloaded files and directories into “/etc/httpd/html/” (the ‘Document root’), fix the file permissions so that the web server user can read, but not modify, the depot content:
Note: The example below uses “apache” as the user running the http server; change it according to your operating system setup. The paths must match your Document root.
chown -R apache /etc/httpd/html/
find /etc/httpd/html -type d -exec chmod 0500 {} \;
find /etc/httpd/html -type f -exec chmod 0400 {} \;
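The three commands above are worth rerunning every time new bundles are copied in, and worth verifying afterwards, since a file copied with the wrong owner or mode silently widens what the web server (or a local user) can do. The script below is an added example (not from the page, OBTU or VCF): it wraps the three commands into a function that takes the Document root and service user as parameters, and pairs it with an audit that lists anything in the tree the policy forbids: files not owned by the service user, any group or world permission bits, an owner write bit, an executable file, or a symlink (which could point outside the depot). The path layout and the “apache” user are the page's defaults; the audit relies on GNU find's “-perm /mode” syntax, so it assumes Linux.

```shell
#!/bin/sh
# Added example, not part of the original page or of VCF/OBTU.
# Applies the read-only layout the page prescribes (directories 0500,
# files 0400, owned by the web server user) to a document root, then
# audits the tree for anything that deviates from it.
# Assumptions: GNU find/chown (Linux); "apache" is the Photon OS 5 default.

# lock_down_docroot <docroot> <owner>
lock_down_docroot() {
    docroot=$1
    owner=$2
    chown -R "$owner" "$docroot" || return 1
    find "$docroot" -type d -exec chmod 0500 {} + || return 1
    find "$docroot" -type f -exec chmod 0400 {} +
}

# audit_docroot <docroot> <owner>
# Prints every path that breaks the policy on stderr and returns 1 if any
# exists: not owned by <owner>, any group/other permission bit, the owner
# write bit, a symlink (could escape the depot), or an executable file.
# Returns 0 when the tree is clean.
audit_docroot() {
    docroot=$1
    owner=$2
    bad=$(find "$docroot" \( ! -user "$owner" \
                             -o -perm /077 \
                             -o -perm /200 \
                             -o -type l \
                             -o \( -type f -perm /111 \) \) -print)
    if [ -n "$bad" ]; then
        printf 'policy violation:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Usage: ./docroot-perms.sh /etc/httpd/html apache
if [ $# -eq 2 ]; then
    lock_down_docroot "$1" "$2" && audit_docroot "$1" "$2" && echo "ok: $1"
fi
```

Because the directories end up 0500, the service user cannot create or delete files in the depot; copy new bundles in as root (or with sudo) and then run the script again rather than loosening the directory mode.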
Point SDDC Manager to the Internal Depot
Once the internal depot machine is prepared, point your VCF instances to it.
For VCF version 5.2.0.0 and newer:
For VCF versions prior to 5.2.0.0, run:
python depot_config.py --depotMode offline --depotUrl {offline_depot_url}
For example:
python depot_config.py --depotMode offline --depotUrl https://internal-depot.rainpole.io:8443/
OBTU generates the following directory structure:
PROD2/ |