VCF Offline Depot deployment
Article ID: 312168

Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

Offline depots improve the "dark site" customer experience by reducing the number of steps needed to distribute artifacts to multiple VCF instances, multiple times.
This article offers a step-by-step workflow for setting up an offline depot for VMware Cloud Foundation.

Environment

VMware Cloud Foundation 5.x
VMware Cloud Foundation 4.x

Resolution

Overview

We will need to prepare a dedicated virtual machine that will host the "Offline Depot". Once the virtual machine is ready and configured, the VCF instances should be configured to point to the "Offline Depot".

The Offline Bundle Transfer Utility (OBTU) tool provides:

  1. Creation of a depot-like directory structure.
  2. Bundle management mechanisms.
  3. An upgrade metadata management mechanism.

Out of scope:

  1. Virtual machine to run OBTU.
  2. Life cycle of the OS.

Offline depot deployment and configuration

Virtual Machine Requirements

Requirements

OS: Linux or Windows (Linux CentOS will be used for the examples in this page.)

HDD: A separate disk (at least 1TB) should be dedicated to the Offline Depot storage.

SSL: Web server with SSL TLSv1.2 & TLSv1.3 support.


Additional configurations:

  • The VM should have a dedicated user that will run OBTU.
  • Static IP for the VM.
  • DNS records (optional).


Bundles Download

  1. Create a directory that will be used as the download target. Depending on the number of bundles downloaded you may require up to 1TB of free space.
  2. Download the latest Bundle Transfer Utility version from the Broadcom Support platform.
  3. Move the lcm-tools-prod.tar.gz file into an empty directory and extract it. This will be used as the base directory for the tool.
  4. Navigate to the “./bin” directory.
  5. For Linux or Mac, make the file “lcm-bundle-transfer-util” executable: “chmod +x lcm-bundle-transfer-util”
  6. Run “lcm-bundle-transfer-util” or “lcm-bundle-transfer-util.bat” depending on your platform. From the list below, choose the right set of parameters based on the desired outcome.
    Note: A Bash shell should be used on Linux and macOS.

    --setUpOfflineDepot (mandatory) - sets up an offline depot for VSRN. If the optional downloadPartnerBundle argument is provided, the VxRail bundles are also downloaded;

    --offlineDepotRootDir (mandatory) - defines the download directory that will be used to save the downloaded files. If you are using the same machine as the Internal Depot host, this could be the “Document root” folder of your HTTP server;

    --offlineDepotUrl (mandatory) - defines the URL that will be used for the web server;

    --depotUser (mandatory) - defines the user that will be used to connect to the VMware depot;

    --depotUserPasswordFile (mandatory) - provides the path of a file containing the password for the VMware depot user. The file must be created manually, must contain the plain-text password, and should be readable only by the user that will run the OBTU tool.

    --sourceVersion (optional) - defines the source version (in the format x.x.x.x) for the bundles that will be downloaded. If the source version is not provided, the default value is 4.1.0.0.

    --ceip (optional) - enrolls the customer in the Customer Experience Improvement Program. If this parameter is provided, CEIP will be enabled.

    --skipAriaBundles (optional) - skips the download of the Aria bundles;

    --asyncPatches (optional) - downloads the "Product version catalog" file and all async patch bundles.

    --partnerDepotUser (mandatory for the VxRail scenario only) - defines the user that will be used to connect to the Dell depot;

    --partnerDepotUserPasswordFile (mandatory for the VxRail scenario only) - provides the path of a file containing the password for the Dell depot user. The file must be created manually, must contain the plain-text password, and should be readable only by the user that will run the OBTU tool.

    Examples of the CLI commands:

    To download the VSRN bundles a customer can use:
    ./lcm-bundle-transfer-util --setUpOfflineDepot --offlineDepotRootDir '/apache/www' --offlineDepotUrl http://10.0.0.250:8282 --depotUser user --depotUserPasswordFile /some/directory/password.file --sourceVersion 4.5.1.0

    To download the VSRN and VxRail bundles a customer can use:
    ./lcm-bundle-transfer-util --setUpOfflineDepot downloadPartnerBundle --offlineDepotRootDir '/apache/www' --offlineDepotUrl http://10.0.0.250:8282 --depotUser user --depotUserPasswordFile /some/directory/password.file --sourceVersion 4.5.0.0 --partnerDepotUser partner-user --partnerDepotUserPasswordFile /some/directory/partner-depot-password.file

    To download the VSRN bundles and the async patch bundles a customer can use:
    NOTE: VxRail async patch bundles are currently not supported and the customer needs to follow the standard VxRail AP process.
    ./lcm-bundle-transfer-util --setUpOfflineDepot --offlineDepotRootDir '/apache/www' --offlineDepotUrl http://10.0.0.250:8282 --asyncPatches --depotUser user --depotUserPasswordFile /some/directory/password.file --sourceVersion 4.5.1.0

    To clean up bundles below the given source version a customer can use:
    ./lcm-bundle-transfer-util --cleanUpOfflineDepot --sourceVersion 4.5.2.0 --offlineDepotRootDir '/apache/www'

    To clean up bundles below the given source version along with the async patch bundles a customer can use:
    ./lcm-bundle-transfer-util --cleanUpOfflineDepot --sourceVersion 5.0.0.0 --offlineDepotRootDir '/apache/www' --asyncPatches
  7. Once the download is finished, copy the resulting directory (PROD2) and all its contents to the “Document root” folder of the Apache server running on the Internal Depot machine. The result should look like this: “<document_root>/PROD2”
  8. On the Internal Depot machine, set the correct file permissions on the newly copied files and directories:
    Note: The below example uses “apache” as the user running the http server and “/etc/httpd/html” as the Document root, so change them accordingly based on your operating system setup.

    chown -R apache /etc/httpd/html/
    find /etc/httpd/html -type d -exec chmod 0500 {} \;
    find /etc/httpd/html -type f -exec chmod 0400 {} \;



Internal Depot Setup

Below you can find instructions on how to set up an Apache server on a freshly installed Photon OS 5 minimal installation. If your policy requires a different OS and/or HTTPS server, use the commands below as an example and adapt them to fit your needs.

The below example uses the path “/etc/httpd/html/” as a ‘Document root’ for the web server. If you are using a different path, please change it accordingly in the configuration files and in the below blocks/commands.

1TB free disk space is required in the ‘Document root’ directory.


Warning: All commands should be run as a root user or with “sudo” in front of them.

  1. Open an SSH connection and update the OS:
    tdnf update --assumeyes

  2. Reboot the OS:
    reboot

  3. Open an SSH connection and install httpd and all dependencies:
    tdnf install httpd --assumeyes

  4. Create a temporary directory that will be used during certificate preparation:
    mkdir /root/http-certificates

  5. Generate a private key and a certificate signing request (CSR) for the certificate that will be used by the HTTP server:
    openssl genpkey -out /root/http-certificates/server.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
    openssl req -new -key /root/http-certificates/server.key -out /root/http-certificates/request.csr

  6. Once you have the private key and the CSR, you need to get the certificate signed. The recommended option is to sign the “request.csr” file with the same Certificate Authority that you have used for the other certificates in your VCF environment. As an alternative you could use the VMCA (the certificate authority of the vCenter Server) to sign “request.csr”.
    Do one of the following, based on your company security policies:

    1. Sign the “request.csr” with your Certificate Authority:

      1. Concatenate the machine certificate and all parent certificates into one certificate file “server.crt” in the following order (top to bottom): <machine certificate>, <intermediate certificate>, <root certificate>. All the certificates should be in PEM format (Base64 encoded).

      2. Copy the resulting file as “server.crt” into the same directory (/root/http-certificates/) as the “server.key” and “request.csr” files on the internal depot machine.

    2. Generate a VMCA signed certificate:
      1. Copy the “/root/http-certificates/request.csr” file generated in the previous step from the depot machine to the /root/ folder of the Management Domain vCenter Server.

      2. SSH to the Management Domain vCenter Server as the root user and run the following command to enter the Bash shell:
        shell

      3. Go to the /root/ directory and run the following command to sign the certificate signing request with the VMCA:
        Note: Adjust the number of days to match your internal policy.

        openssl x509 -req -days 365 -in request.csr -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -CAcreateserial -out server.crt -sha256

      4. Append the VMCA root certificate to the certificate file:
        cat /var/lib/vmware/vmca/root.cer >> server.crt

      5. Download the “server.crt” file and upload it to the depot machine, into the same directory (/root/http-certificates/) where the “server.key” and “request.csr” files reside.
      6. Remove the “server.crt” and “request.csr” files from the vCenter Server:
        rm -f server.crt request.csr

      7. Log out from the SSH session on the vCenter Server.

  7. On the local depot VM, put the private key and certificate in the /etc/httpd/conf/ directory:
    mv /root/http-certificates/server.* /etc/httpd/conf/
  8. Fix permissions for the key and certificate:
    chmod 0400 /etc/httpd/conf/server.key && chown root:root /etc/httpd/conf/server.key
    chmod 0400 /etc/httpd/conf/server.crt && chown root:root /etc/httpd/conf/server.crt

  9. Edit the “/etc/httpd/conf/httpd.conf” file and set “ServerName” and “ServerAdmin” accordingly.

  10. Enable HTTPS in the Apache Server - In the “/etc/httpd/conf/httpd.conf” file, remove the “#” symbol in front of the following lines:
    “#LoadModule ssl_module /usr/lib/httpd/modules/mod_ssl.so”
    “#LoadModule socache_shmcb_module /usr/lib/httpd/modules/mod_socache_shmcb.so”
    “#Include conf/extra/httpd-ssl.conf”

    You could use the following commands to do the necessary changes in an automatic way:
    sed --in-place 's|#LoadModule ssl_module|LoadModule ssl_module|' /etc/httpd/conf/httpd.conf
    sed --in-place 's|#LoadModule socache_shmcb_module|LoadModule socache_shmcb_module|' /etc/httpd/conf/httpd.conf
    sed --in-place 's|#Include conf/extra/httpd-ssl.conf|Include conf/extra/httpd-ssl.conf|' /etc/httpd/conf/httpd.conf

  11. Generate user/password pair for the internal depot:
    Note: This command will overwrite “/etc/httpd/conf/.htpasswd” file if it exists. Change file name if needed. If you want to create multiple user/password pairs, please remove “-c” switch after the initial file creation.
    htpasswd -c /etc/httpd/conf/.htpasswd <username>

    Set the .htpasswd file’s permissions:
    Note: .htpasswd file should be owned by the user running the http process. For Photon OS 5 it is the “apache” user, please change accordingly based on your operating system.
    chown apache /etc/httpd/conf/.htpasswd && chmod 0400 /etc/httpd/conf/.htpasswd

  12. Insert the following lines in the “/etc/httpd/conf/extra/httpd-ssl.conf” file, above the last line of the file (stating “</VirtualHost>”):
    Note: If you are using Document root that is not “/etc/httpd/html”, please change all occurrences of “/etc/httpd/html” below. It should point to the Document root directory in your setup.
    Note: If you have changed the “/etc/httpd/conf/.htpasswd” filename in the previous step, please do the same change below.

    ########################
    <Directory /etc/httpd/html/PROD2/evo/vmw>
    # Basic Auth (VCF 4.x and 5.0)
    AuthType Basic
    AuthName "Basic Authentication"
    AuthUserFile /etc/httpd/conf/.htpasswd
    require valid-user
    </Directory>
    <Directory "/etc/httpd/html/PROD2/evo/vmw/Compatibility/VxrailCompatibilityData.json">
    # VxRail VVS Cookie Validation (VCF 5.0)
    <If "%{HTTP:Cookie} == 'ngssosession=ngsso-token' ">
    Require all granted
    </If>
    </Directory>
    <Directory /etc/httpd/html/PROD2/vsan/hcl>
    <If "%{HTTP:X-vmw-esp-clientid} == 'offline-depot-hcl-vcf' ">
    Require all granted
    </If>
    </Directory>
    # Those Alias statements are needed only for VCF 5.1.0.0.
    Alias /products/v1/bundles/lastupdatedtime /etc/httpd/html/PROD2/vsan/hcl/lastupdatedtime.json
    Alias /products/v1/bundles/all /etc/httpd/html/PROD2/vsan/hcl/all.json
    ###################

  13. Validate http server configuration files syntax:
    httpd -t

  14. Start the http server:
    systemctl start httpd

  15. Check that the http server is started:
    systemctl status httpd

  16. Enable the http server on system startup:
    systemctl enable httpd

  17. Allow traffic to the web server in the firewall.
    Edit the file “/etc/systemd/scripts/ip4save” and add the line:
    Note: If you have changed the default HTTPS port, please adjust the below line accordingly.

    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

    right after the line permitting SSH traffic, “-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT”.

  18. Restart the iptables service:
    systemctl restart iptables

  19. Open a web browser to the internal depot VM and verify that connection to https://<internal-depot-fqdn>/ can be established.

  20. Clean up the directory used to generate the certificates:
    rm -rf /root/http-certificates

  21. Clean up the default index file if it exists:
    rm -f /etc/httpd/html/index.html

  22. Once you have copied the downloaded files and directories to “/etc/httpd/html/” (the ‘Document root’), you need to fix the file permissions:
    Note: The below example uses “apache” as the user running the http server, so change it accordingly based on your operating system setup.

    chown -R apache /etc/httpd/html/
    find /etc/httpd/html -type d -exec chmod 0500 {} \;
    find /etc/httpd/html -type f -exec chmod 0400 {} \;
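The following preflight script is an added example, not part of the KB article or of the Bundle Transfer Utility: run it on the depot VM after step 22 here (or step 8 of the bundle download) to confirm that the document root carries the mode and owner the commands above set, that the OBTU layout is present and that every bundle tarball has its manifest and detached signature. It assumes the document root and the http user are passed as arguments (this page's /etc/httpd/html and apache by default) and that find(1) supports -perm and -user.

```sh
#!/bin/sh
# Added example, not from the KB article: preflight check of the copied depot.
# Assumes the document root and http user from this page (/etc/httpd/html and
# "apache") are passed as arguments, and that find(1) supports -perm/-user.
# Usage: depot_preflight <document_root> <http_user>

depot_preflight() {
  root=$1; owner=$2; bad=0
  depot="$root/PROD2"
  # Layout produced by OBTU (see "Offline depot directory structure").
  for d in "$depot/evo/vmw/bundles" "$depot/evo/vmw/manifests" "$depot/vsan/hcl"; do
    [ -d "$d" ] || { echo "MISSING: $d"; bad=$((bad + 1)); }
  done
  # Step 8 / step 22: directories 0500, files 0400, everything owned by the http user.
  n=$(find "$root" -type d ! -perm 0500 | wc -l | tr -d ' ')
  [ "$n" -eq 0 ] || { echo "$n directories are not mode 0500"; bad=$((bad + n)); }
  n=$(find "$root" -type f ! -perm 0400 | wc -l | tr -d ' ')
  [ "$n" -eq 0 ] || { echo "$n files are not mode 0400"; bad=$((bad + n)); }
  n=$(find "$root" ! -user "$owner" | wc -l | tr -d ' ')
  [ "$n" -eq 0 ] || { echo "$n entries are not owned by $owner"; bad=$((bad + n)); }
  # Every bundle tarball needs its manifest and the detached .sig next to it.
  for tar in "$depot"/evo/vmw/bundles/bundle-*.tar; do
    [ -e "$tar" ] || break                     # the glob matched nothing
    id=$(basename "$tar" .tar)
    for f in "$id.manifest" "$id.manifest.sig"; do
      [ -f "$depot/evo/vmw/manifests/$f" ] || { echo "MISSING: manifests/$f"; bad=$((bad + 1)); }
    done
  done
  # Step 21: a leftover default index page must not shadow the depot.
  [ ! -e "$root/index.html" ] || { echo "LEFTOVER: $root/index.html"; bad=$((bad + 1)); }
  if [ "$bad" -eq 0 ]; then echo "OK: $depot passes preflight"; return 0; fi
  echo "FAIL: $bad problem(s) found under $root"; return 1
}

# Example invocation on the depot VM; a non-zero exit means the depot is not ready yet.
if [ "${1:-}" ]; then depot_preflight "$1" "${2:-apache}"; fi
```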


Point SDDC Manager to the Internal Depot

Once you have the internal depot machine prepared you need to point your VCF instances to it.

For VCF version 5.2.0.0 and newer:

  1. Open the SDDC Manager UI.
  2. Navigate to “Lifecycle Management” -> “Depot Settings” -> “Set up an Offline Depot”.
  3. Enter the offline depot hostname, port, username and password.

For VCF versions prior to 5.2.0.0:

  1. Obtain the “depot_config.py” file from the “conf/offline_depot/” directory of the Bundle Transfer Utility archive.
  2. Upload the “depot_config.py” file to the SDDC Manager VM.
  3. Run the “depot_config.py” script as the root user (or with sudo) on the SDDC Manager VM:
    python depot_config.py --depotMode offline --depotUrl {offline_depot_url}
    Example command: python depot_config.py --depotMode offline --depotUrl https://internal-depot.rainpole.io:8443/

  4. Open the SDDC Manager UI.
  5. Navigate to “Lifecycle Management” -> “Depot Settings” and enter the internal depot user and password.
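Before entering the depot in SDDC Manager (by either of the two flows above), the following script, an added example that is not part of the KB article or of the utility, probes the depot from a client to confirm that the TLS versions required on this page and the access rules configured in httpd-ssl.conf (Basic Auth on PROD2/evo/vmw, the client-id header on PROD2/vsan/hcl) behave as intended. It assumes curl and openssl are installed, the depot listens on port 443, and the depot user's password is in a file as with the OBTU password files.

```sh
#!/bin/sh
# Added example, not from the KB article: probe the internal depot from a client
# before entering it in SDDC Manager. Assumes curl and openssl are installed, the
# depot listens on 443, and the httpd-ssl.conf blocks from step 12 are in place.
# Usage: depot_probe <depot-fqdn> <depot-user> <password-file>

# HTTP status for a URL. Credentials arrive as a curl config on stdin
# (user = "name:password"), so the password never shows up in the process list.
http_status() {
  curl --silent --output /dev/null --write-out '%{http_code}' --config - "$@"
}

# Succeeds when the server completes a handshake with the named protocol version.
tls_accepted() {
  openssl s_client -connect "$1:443" "-$2" </dev/null >/dev/null 2>&1
}

# check <description> <expected> <actual>: prints one line, counts mismatches in $fails.
check() {
  if [ "$2" = "$3" ]; then echo "ok   $1"; else echo "FAIL $1 (expected $2, got $3)"; fails=$((fails + 1)); fi
}

# Returns the number of failed checks; 0 means the depot behaves as configured.
depot_probe() {
  host=$1; user=$2; pw=$(cat "$3"); fails=0
  base="https://$host/PROD2"
  # VM requirement from this page: TLSv1.2 and TLSv1.3 must both be accepted.
  for v in tls1_2 tls1_3; do
    if tls_accepted "$host" "$v"; then r=yes; else r=no; fi
    check "$v handshake accepted" yes "$r"
  done
  # Basic Auth on evo/vmw: anonymous and wrong-password requests get 401, the depot user 200.
  check "anonymous request to evo/vmw rejected" 401 "$(http_status "$base/evo/vmw/index.v3" </dev/null)"
  check "wrong password rejected" 401 "$(printf 'user = "%s:%s"\n' "$user" "not-$pw" | http_status "$base/evo/vmw/index.v3")"
  check "depot user accepted" 200 "$(printf 'user = "%s:%s"\n' "$user" "$pw" | http_status "$base/evo/vmw/index.v3")"
  # vsan/hcl is released to requests carrying the client-id header from httpd-ssl.conf.
  check "hcl data with client id" 200 "$(http_status "$base/vsan/hcl/all.json" --header 'X-vmw-esp-clientid: offline-depot-hcl-vcf' </dev/null)"
  return "$fails"
}

if [ "${3:-}" ]; then depot_probe "$1" "$2" "$3"; fi
```

A password containing a double quote must be escaped in curl's config syntax before it is fed to http_status.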


Others

Offline depot directory structure

OBTU will generate the following directory structure:

PROD2/
├── evo
│   └── vmw
│       ├── asyncPatchSpecs
│       │   └── v1
│       │       ├── bundle-102132.spec
│       │       └── bundle-107668.spec
│       ├── bundles
│       │   ├── bundle-73785.tar
│       │   ├── bundle-73786.tar
│       │   ├── bundle-102132.tar
│       │   ├── bundle-107668.tar
│       │   └── J2YFV_VxRail-8.0.100-Composite-Upgrade-Package-for-7.0.x.zip
│       ├── Compatibility
│       │   ├── VmwareCompatibilityData.json
│       │   └── VxrailCompatibilityData.json
│       ├── deltaFileDownloaded
│       ├── deltaFileDownloaded.md5
│       ├── index.offline
│       ├── index.v3
│       ├── lcm
│       │   ├── manifest
│       │   │   └── v1
│       │   │       └── lcmManifest.json
│       │   └── productVersionCatalog
│       │       └── v1
│       │           └── productVersionCatalog.json
│       ├── manifests
│       │   ├── bundle-102132.manifest
│       │   ├── bundle-102132.manifest.sig
│       │   ├── bundle-107668.manifest
│       │   ├── bundle-107668.manifest.sig
│       │   ├── bundle-73785.manifest
│       │   ├── bundle-73785.manifest.sig
│       │   ├── bundle-73786.manifest
│       │   └── bundle-73786.manifest.sig
│       ├── partnerBundleMetadata.json
│       ├── softwareCompatibilitySets.json
│       ├── tmp
│       │   ├── index.v3
│       │   ├── lcmManifestIndex
│       │   └── lcmManifest.json
│       ├── vxrail
│       │   ├── catalog_index.xml
│       │   └── token.json
│       └── vxrailPartnerBundleMetadata.json
└── vsan
    └── hcl
        ├── all.json
        └── lastupdatedtime.json