When necessary, you can create an air-gapped bundle from a Puppet
Bolt project and copy the bundle to the install target. This bundle contains all
the images and dependencies needed to install Security Compliance Management on the
desired host.
Before you begin
Ensure that the required runtime environment (Docker or Podman)
and Bolt (3.27.2 or later) are installed on the air-gapped
target machine.
- On your non-air-gapped machine, create the Security Compliance Management
  Bolt project and switch to that directory.
    mkdir comply-bolt-project
    cd comply-bolt-project
    bolt project init comply_bolt_project
- Edit the bolt-project.yaml file and change the modules section to:
    ---
    name: comply_bolt_project
    modules:
      - name: puppetlabs/complyadm
        version_requirement: 3.y.z
- Install the complyadm module using the command:
    bolt module install
- Create an inventory.yaml file for a localhost installation, for example:
    ---
    targets:
      - name: security-compliance-management
        uri: localhost
        config:
          transport: local
        features:
          - puppet-agent
- Create an air-gapped bundle using:
    bolt plan run complyadm::install::create_offline_bundle
  This creates a bundle called project.zip that contains all the images
  and dependencies needed to install Security Compliance Management.
- On the air-gapped target machine, create the Bolt project using:
    mkdir comply-bolt-project
- Copy the air-gapped bundle to the comply-bolt-project folder.
- Extract the bundle using:
    cd comply-bolt-project
    unzip project.zip
- Install Security Compliance Management on the target host using:
    bolt plan run complyadm::install
- Specify an inventory target you would like to use for an All-in-One
  install.
- Specify the DNS-resolvable hostname of the new Security Compliance Management web console.
- The offline bundle cannot install a runtime on the air-gapped machine, but
  the Bolt installation plan still prompts for one. Choose a runtime, then
  answer No when you are prompted to install one.
- Configure an mTLS certificate or choose to configure this at a later time.
  Automatically generated certificates are only available for hosts that support
  SSH.
- Choose whether to manually configure a TLS certificate or use the automatically
  generated self-signed certificate. You can update this certificate at a later
  time. If you choose to manually configure the TLS certificate, you need a TLS
  certificate chain, private key, and certificate revocation list (CRL).
Results
You can now log in to the application at the resolvable hostname with the default
username and password (comply:compliance). You are
prompted to change the username and password when you first log in.
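
The copy and extract steps above move project.zip across the air gap without checking it. The shell functions below are an added example, not part of the Puppet documentation: they record a SHA-256 digest on the connected machine, verify it on the target, and reject archive entries that would extract outside the project directory. The function names and the .sha256 sidecar file are assumptions.

```bash
#!/bin/sh
# Added example, not Puppet's code. Only project.zip comes from the procedure;
# the function names and the .sha256 sidecar file are assumptions.

# Connected machine: write project.zip.sha256 beside the bundle.
bundle_digest_write() {
  ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# Air-gapped machine: succeed only if the bundle still matches the digest.
# A digest carried on the same media detects corruption; to detect tampering,
# compare it against a copy obtained over a separate channel.
bundle_digest_verify() {
  ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Read an archive listing (one path per line) on stdin and fail if any entry
# is absolute or has a ".." component that would extract outside the project.
listing_is_safe() {
  ! grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Verify, inspect, then extract into the directory that holds the bundle.
bundle_extract_checked() {
  bundle_digest_verify "$1" || { echo "digest mismatch: $1" >&2; return 1; }
  unzip -Z1 "$1" | listing_is_safe || { echo "unsafe path in $1" >&2; return 1; }
  unzip -q "$1" -d "$(dirname "$1")"
}

# Usage (the connected-host path is a placeholder):
#   connected host:   bundle_digest_write path/to/project.zip
#   air-gapped host:  bundle_extract_checked comply-bolt-project/project.zip
```

Copy project.zip.sha256 together with project.zip, and run bundle_extract_checked in place of the plain unzip step.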