Getting started with an air-gapped store
In this tutorial, we will set up and test the Enterprise Store in a functionally offline environment. We will cover how to set the store up, how to make specific snaps available from the store, and how to obtain those snaps on a connected device.
Once you’ve completed this tutorial, you should be able to set the Enterprise Store up in your own air-gapped environment, connect your devices to it, and use it to control snap revisions on any connected devices.
Lesson plan
This tutorial will run through processes to set up and utilise an air-gapped Enterprise Store. We will show you how to:
Install the Enterprise Store in an offline environment
Sideload a snap in an offline environment
Obtain a snap from the store in an offline mode
We will also cover how to mimic an air-gapped environment for the containers, so there’s no need to take your host machine offline.
What you’ll need
For this tutorial, you will need:
An x64 system running Ubuntu 22.04 or Ubuntu 24.04
A local user with super user privileges
30GB of free storage
A stable internet connection
Before you begin
Ensure LXD is installed on your host machine:
Ensure LXD is set up properly:
Launch two containers, test-offline-store, and test-offline-device:
Note
For this tutorial, it is recommended to open each container in a separate terminal tab or window for convenience.
How-to open a container’s shell
We can open a container by running bash. For example, to open the CLI of the test-store:
This will simulate SSH access to the container, and show you as root within the container:
Download required software
Normally, you need to obtain software online, and transfer it to your test-offline-store. In this tutorial, we will download the files to the store before taking it offline and then install and set up the store when it is offline.
We want to obtain:
PostgreSQL, to provide the store’s database
A registered Enterprise Store
Snaps to make available in the offline store
On the test-offline-store, download PostgreSQL:
To obtain a functional Enterprise Store for installation offline, you need to register it while online. This is done with the store-admin snap, by registering an offline store with your Ubuntu One credentials.
On the test-offline-store, install the store-admin snap:
Then, register an offline store with the domain to be used offline:
Note
You may be prompted to open a browser and verify your Ubuntu One account.
To sideload a snap into an air-gapped Enterprise Store, you need to use an online device with the store-admin snap installed to export the snap, move it to your air-gapped device, then import it into the store.
On your test-offline-store, use store-admin to export the helix and htop snaps:
Note
store-admin is used to export snaps in a convenient bundle.
Mimic an air-gapped network
To effectively set up and test the Enterprise Store in an air-gapped environment, we need to ensure that the devices within that environment cannot contact external services.
To do that, we are going to set firewall rules to ensure the containers can only communicate with each other, and your host machine.
From your host machine, use iptables to isolate our LXC containers:
Note
This adds these two settings to the top of the FORWARD chain of iptables, which means they are processed first.
See the Cleanup section on how to revert this setting.
This will ensure that your test-offline-store and test-offline-device cannot access external services. You can test this to make sure.
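A complementary check on the rule order described in the note above, as an added example that is not part of the original tutorial: it reads `iptables -S FORWARD` output and reports whether a DROP rule for the container bridge is reached before any ACCEPT rule. The bridge name `lxdbr0` and both sample listings are assumptions constructed for illustration, not the tutorial's own rules.

```shell
#!/bin/sh
# Added example. Assumption: the LXD bridge is lxdbr0 (the LXD default name).

# forward_isolation_status IFACE
# Reads `iptables -S FORWARD` output on stdin and prints one of:
#   first     a DROP rule naming IFACE is reached before any ACCEPT rule
#   shadowed  such a DROP rule exists, but an ACCEPT rule sits above it
#   missing   no DROP rule names IFACE
# Conservative: any ACCEPT above the DROP counts, because this check does
# not evaluate whether that ACCEPT would match container traffic.
forward_isolation_status() {
    awk -v iface="$1" '
        $1 != "-A" || $2 != "FORWARD" { next }   # skip policy (-P) lines
        {
            target = ""; names = 0
            for (i = 3; i <= NF; i++) {
                # -i/-o IFACE, ignoring negated matches such as "! -i IFACE"
                if (($i == "-i" || $i == "-o") && $(i + 1) == iface && $(i - 1) != "!")
                    names = 1
                if ($i == "-j") target = $(i + 1)
            }
            if (target == "DROP" && names) { found = 1; exit }
            if (target == "ACCEPT") accept_above = 1
        }
        END {
            if (!found)            print "missing"
            else if (accept_above) print "shadowed"
            else                   print "first"
        }'
}

# Constructed listings (not the tutorial's own rules).
sample_isolated() {
    cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -o lxdbr0 -j DROP
-A FORWARD -i lxdbr0 -j DROP
-A FORWARD -i lxdbr0 -j ACCEPT
EOF
}
sample_shadowed() {
    cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -i lxdbr0 -j ACCEPT
-A FORWARD -i lxdbr0 -j DROP
EOF
}

sample_isolated | forward_isolation_status lxdbr0
sample_shadowed | forward_isolation_status lxdbr0
# On the host: sudo iptables -S FORWARD | forward_isolation_status lxdbr0
```

A result of `shadowed` means a rule above the DROP needs reviewing by hand before relying on the isolation.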
Test access to api.snapcraft.io on your host machine:
Compare it to the same command used in test-offline-store:
Install your offline store
In test-offline-store, install PostgreSQL:
In test-offline-store, unzip the store:
Then use the install script, and verify the installation:
Next, configure PostgreSQL for use with the Enterprise Store:
Copy the following into ~/proxydb.sql, and save the file:
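-- Role the Enterprise Store uses to log in to PostgreSQL
CREATE ROLE "snapproxy-user" LOGIN CREATEROLE PASSWORD 'snapproxy-password';
-- Database for the store, owned by that role
CREATE DATABASE "snapproxy-db" OWNER "snapproxy-user";
-- Switch to the new database (psql meta-command) and enable btree_gist there
\connect "snapproxy-db"
CREATE EXTENSION "btree_gist";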
When prompted, enter the password set in ~/proxydb.sql, snapproxy-password.
Check the status of the store again:
The Enterprise Store should now be fully set up and configured.
Sideloading a snap
Snaps in the offline Enterprise Store need to be sideloaded. Normally they need to be transferred from an online environment, but in this case we have already downloaded the snaps we want to test.
On the test-offline-store, push the helix snap to the Enterprise Store:
Check that the snaps have been successfully pushed to the store:
Now our air-gapped Enterprise Store is set up with multiple snaps available for connected devices to obtain.
Offline device configuration
To properly test an air-gapped Enterprise Store, we need a device that also can’t connect to any online services. In this section, we’ll make some adjustments to the test-device to properly validate our air-gapped store.
Ensure test-offline-device cannot access any online services:
Configure test-offline-device to use the air-gapped Enterprise Store:
Now our device is configured to use the air-gapped Enterprise Store.
Using your air-gapped Enterprise Store
In this section we want to validate that the store can be used by your device. All we want to do is to install the snaps we pushed on the test-offline-device.
Use test-offline-device to query the snaps, starting with helix:
Check if htop is available:
Note
This will fail, as htop has not been pushed to the Enterprise Store.
Finally, install the helix snap to verify functionality:
Cleanup
We’ve tried to keep the impact on your host machine minimal, but there are some iptables rules and a few LXC containers to clean up.
On your host machine, delete the firewall rules we created for offline testing:
And then delete the containers we created for this tutorial:
This should return your system to the state it was in before this tutorial.
Next steps
Once you’ve completed this tutorial, you might be interested in how to implement High Availability, or serve Charms with your Enterprise Store.