PAM standalone offline installation
Use these instructions to install Puppet Application Manager (PAM) in an offline environment where the Puppet Application Manager host server does not have direct access to the internet.
- Review the Puppet Application Manager system requirements.
- Note that Swap is not supported for use with this version of Puppet Application Manager (PAM). The installation script attempts to disable Swap if it is enabled.
- (Optional) If necessary, prepare additional steps
related to SELinux and Firewalld:
The PAM installation script disables SELinux and Firewalld by default. If you want to keep SELinux enabled, append the
-s preserve-selinux-configswitch to the PAM install command. This may require additional configuration to adapt SELinux policy to the installation.
If you want to keep Firewalld enabled:
Make sure Firewalld is installed on your system.
To prevent the installation from disabling Firewalld, provide a patch file to the PAM install command using
-s installer-spec-file=patch.yaml, where
patch.yamlis the name of your patch file. For reference, here's an example patch file that enables Firewalld during installation, starts the service if it isn't running, and adds rules to open relevant ports:
apiVersion: cluster.kurl.sh/v1beta1 kind: Installer metadata: name: patch spec: firewalldConfig: firewalld: enabled command: ["/bin/bash", "-c"] args: ["echo 'net.ipv4.ip_forward = 1' | tee -a /etc/sysctl.conf && sysctl -p"] firewalldCmds: - ["--permanent", "--zone=trusted", "--add-interface=weave"] - ["--zone=external", "--add-masquerade"] # SSH port - ["--permanent", "--zone=public", "--add-port=22/tcp"] # HTTPS port - ["--permanent", "--zone=public", "--add-port=443/tcp"] # Kubernetes etcd port - ["--permanent", "--zone=public", "--add-port=2379-2830/tcp"] # Kubernetes API port - ["--permanent", "--zone=public", "--add-port=6443/tcp"] # Weave Net port - ["--permanent", "--zone=public", "--add-port=6783/udp"] # Weave Net port - ["--permanent", "--zone=public", "--add-port=6783-6874/tcp"] # CD4PE Webhook callback port (uncomment line below if needed) # - ["--permanent", "--zone=public", "--add-port=8000/tcp"] # KOTS UI port - ["--permanent", "--zone=public", "--add-port=8800/tcp"] # CD4PE Local registry port (offline only, uncomment line below if needed) # - ["--permanent", "--zone=public", "--add-port=9001/tcp"] # Kubernetes component ports (kubelet, kube-scheduler, kube-controller) - ["--permanent", "--zone=public", "--add-port=10250-10252/tcp"] # Reload firewall rules - ["--reload"] bypassFirewalldWarning: true disableFirewalld: false hardFailOnFirewalld: false preserveConfig: false
- Ensure that IP address ranges
10.32.0.0/22are locally accessible. See Resolve IP address range conflicts for instructions.
- Ensure that the nodes can resolve their own hostnames, through either local host mapping or a reachable DNS server.
If you use the
puppetlabs/firewallmodule to manage your cluster's firewall rules with Puppet, be advised that purging unknown rules from changes breaks Kubernetes communication. To avoid this, apply the
puppetlabs/pam_firewallmodule before installing Puppet Application Manager.
If you're restoring a backup from a previous cluster, make sure you include the
kurl-registry-ip=<YOUR_IP_ADDRESS>installation option. For more information, see Migrating PAM data to a new system.
From a workstation with internet access, download the cluster installation
bundle (note that this bundle is ~6GB):
Copy the installation bundle to the host node and unpack it:
tar xzf puppet-application-manager-standalone.tar.gz
Run the installation command:
cat install.sh | sudo bash -s airgap
The installation script prints the address and password (only shown
once, so make careful note of it) for Puppet Application Manager:
--- Kotsadm: http://<PUPPET APPLICATION MANAGER ADDRESS>:8800 Login with password (will not be shown again): <PASSWORD> ---Note: If you lose this password or wish to change it, see Reset the Puppet Application Manager password for instructions.
- The installation script prints the address and password (only shown once, so make careful note of it) for Puppet Application Manager:
Navigate to the Puppet Application Manager UI using the address
provided by the installation script (
http://<PUPPET APPLICATION MANAGER ADDRESS>:8800) and follow the prompts.The Puppet Application Manager UI is where you manage Puppet applications. You’ll be guided through the process of setting up SSL certificates, uploading a license, and checking to make sure your infrastructure meets application system requirements.
Follow the instructions for configuring and deploying your Puppet applications on Puppet Application Manager. For more information, see Install applications via the PAM UI.
For more information on installing Continuous Delivery for PE offline, see Install Continuous Delivery for PE in an offline environment.
For more information on installing Comply offline, see Install Comply offline.