How to manage repositories in an airgapped or offline environment¶
See also: Repository mirroring
You can manage repositories with Landscape in an airgapped or offline environment, although the setup is more involved than in a standard online environment. This guide provides a high-level overview of how to set up Landscape in an airgapped environment. If you aren’t familiar with repository mirroring and management in Landscape, it’s recommended that you read our About repository mirroring guide first.
This guide assumes you already have Landscape installed and set up in your airgapped environment. If you don’t have Landscape installed yet, follow the instructions in How to install Landscape in an airgapped or offline environment before completing this guide.
Background information¶
To use Landscape’s repository management feature within an airgapped environment, you need Landscape server connectivity that allows it to reach the necessary endpoints. For details on required external network access, see Network access. Depending on your network architecture, this can be achieved in different ways:
Single server inside the environment: You can run one Landscape Server inside the airgapped environment if your firewall rules allow it to reach external endpoints for repository updates.
Single server outside the environment: You can run one Landscape Server outside the environment with all client machines configured to communicate with it.
Two servers: You can run two Landscape Servers–one online server outside the environment and one offline server inside the environment. This configuration provides maximum network isolation.
There are also two possible network configurations for your airgapped environment:
Restricted network airgap (One-way controlled access): Your airgapped environment has controlled access to external endpoints (such as the public internet or an external Landscape Server). The inside server can communicate with the outside through a controlled connection, allowing updates and data to be pulled securely. Client machines remain isolated inside the airgapped environment. This reduces the manual effort required to transfer data into the airgapped environment with physical media.
Fully disconnected airgap (Manual data transfer): Your airgapped environment has no network connectivity to external endpoints or the public internet. Any updates or data must be manually transferred into the airgapped environment using physical media.
Using a restricted network airgap drastically simplifies the Landscape repository management process, although managing repositories in a fully disconnected airgap is still possible.
Limitations¶
For fully disconnected airgapped environments, using physical media to manually transfer large amounts of data can be a challenge. At this time, Landscape doesn’t have the ability to generate a diff between the existing repository contents and the latest repository contents. This means you can’t bring only the differences into the airgapped environment—you must bring in the entire repository contents every time you update. Since the size of the Ubuntu repositories is 100s of GB of data per version of Ubuntu, this manual transfer of data can be difficult and time-consuming.
Restricted network airgap¶
Note: This process will take a while to set up, especially if you’re not familiar with repository management. For general information on repository management in Landscape, see Repository mirroring.
In a restricted network airgap, you can use different server configurations depending on your requirements:
Single server inside the environment: If you have one Landscape Server inside the airgapped environment with firewall rules allowing it to reach external endpoints, follow the standard repository setup process either via the web portal or (legacy) API.
One server outside, clients inside: If your Landscape Server is outside the environment and your client machines are configured to reach the server, follow the standard repository setup process either via the web portal or (legacy) API.
Two servers: If you have two Landscape servers, set up an outside server as a third-party repository for the inside server. For detailed instructions, see How to create tiered repository mirrors for multi-region and airgapped deployments.
After you’ve set up your repository mirror structure, see How to manage and mirror repositories with the API for instructions on how to create the repositories, repository profiles, and associate the profiles to client machines (computers).
Fully disconnected airgap¶
Note: This process will take a while to set up, especially if you’re not familiar with repository management. For general information on repository management in Landscape, see Repository mirroring.
If you’re in a fully-disconnected airgap, the general process is that you copy the necessary data from your outside (online) server and manually transfer it to your inside (offline) server via physical media.
To make this work, you need to set up identical repository structures in your outside and inside servers. This includes using the same GPG key in both servers.
Create your repository structure and profile(s)¶
Use the following steps to create your repository structure. It doesn’t matter which server you start with; it only matters that they are built identically.
On one of your servers, follow the guidance in How to manage and mirror repositories with the API to create your repository structure and any profiles. You need to use the API (instead of the web portal) because the inside server won’t have network access.
We recommend you save the commands that you ran so you can use them again on the other server
On your other server, re-create the repository structure and profiles exactly the same as the first server. This includes using the same GPG key.
Manually transfer data into your airgapped environment¶
To manually transfer the data:
In your outside server, copy the contents of
/var/lib/landscape/landscape-repository/standalone/to an acceptable form of physical media for your environment, such as a DVD or USB drive.Manually transfer those files into the same location on your inside server.
Once all of the data is successfully transferred to the inside server, Landscape will serve the repository contents to all of your Landscape Client machines based on the profiles.