Airgapped Installation Support

Marc Campbell | May 25, 2016

Replicated now supports three types of installation: direct connect, proxy and, introduced today, air gapped. “Air gapped” means a server or network that is physically isolated and has no outbound or inbound internet access. By default, applications installed with Replicated require an outbound internet connection to check for updates and sync license information. Air gapped installations remove that requirement: instead of reaching out to our remote endpoint for installations and updates, Replicated checks a local file path.

install from local package

The constraints of air gapped environments create a few additional hurdles for vendors and end customers. Replicated vendors will lose some functionality around instance tracking and metadata reporting, as that information is no longer reported back during update checks. End customers will need to follow a more manual installation flow (including transferring application packages via a SAN or thumb drive). Additionally, they’ll need to download each update and move it to a consistent file path reachable by the server.

The process has been streamlined as much as possible to ensure a secure and easily reproducible experience. Vendors need to visit the Licenses page, hover over the license and select the settings icon. On the license settings page, toggle on “Enable Airgap Download”.

airgap download screenshot

The “Download Link” is specific to this customer’s license and is protected by the generated password. Only 1 password may be active at a time, and each time the “Change Download Password” link is clicked the password is reset to the displayed password. It is important to protect this password, as anyone with both the link and the password will be able to download a copy of your application images.

If a customer requires an air gap installation, you’ll need to provide them with:

  1. Installation instructions
  2. Air gap enabled Replicated license file (.rli)
  3. a) generated “Download Link” and generated “Download Password” or b) a vendor hosted and protected download of the full .airgap package (often a GB or more).

.airgap packages include the Replicated YAML, a manifest of the release history (to ensure that no required updates are skipped) and all application images.

Air gap enabled Replicated license files (.rli) are a bit different from their non-air gapped counterparts. First, they include a .json payload of the metadata associated with the license. Second, they include a signature and public key used to verify that the license metadata has not been altered. As a result of this additional information, air gap enabled .rli files are generally a few KB larger than non-air-gap versions.
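The sketch below is an added example, not Replicated's code and not the real .rli format. It shows how a signed metadata payload can be checked offline. The file layout, the use of Ed25519 and the names `License`, `VerifyLicense` and `SignLicense` are assumptions. It also assumes the verifier holds a pinned copy of the vendor key, because a public key shipped inside the file proves nothing on its own: anyone who edits the metadata can re-sign it with their own key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// License is an assumed layout for illustration, not the real .rli format.
type License struct {
	Payload   []byte `json:"payload"`    // metadata JSON; base64 in the file so the signed bytes stay exact
	Signature []byte `json:"signature"`  // Ed25519 signature over Payload
	PublicKey []byte `json:"public_key"` // key shipped inside the file
}

// VerifyLicense returns the metadata only if the embedded key equals the
// pinned vendor key and the signature covers the exact payload bytes.
func VerifyLicense(raw, pinned []byte) (map[string]interface{}, error) {
	var lic License
	if err := json.Unmarshal(raw, &lic); err != nil {
		return nil, fmt.Errorf("parse license: %w", err)
	}
	if len(pinned) != ed25519.PublicKeySize || !bytes.Equal(lic.PublicKey, pinned) {
		return nil, errors.New("embedded public key is not the pinned vendor key")
	}
	if !ed25519.Verify(pinned, lic.Payload, lic.Signature) {
		return nil, errors.New("signature does not match payload")
	}
	var meta map[string]interface{}
	if err := json.Unmarshal(lic.Payload, &meta); err != nil {
		return nil, fmt.Errorf("parse payload: %w", err)
	}
	return meta, nil
}

// SignLicense builds a constructed sample file from a 32-byte seed and
// returns it with the matching public key (demo helper only).
func SignLicense(seed, payload []byte) (file, pub []byte) {
	priv := ed25519.NewKeyFromSeed(seed)
	pub = priv.Public().(ed25519.PublicKey)
	file, _ = json.Marshal(License{payload, ed25519.Sign(priv, payload), pub})
	return file, pub
}

func main() {
	seed := bytes.Repeat([]byte{1}, 32) // constructed key material
	file, pinned := SignLicense(seed, []byte(`{"customer":"example","airgap":true}`))
	meta, err := VerifyLicense(file, pinned)
	fmt.Println(meta, err)
}
```

The metadata is parsed only after the signature check succeeds, so no field from an unverified file is ever acted on.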

When a customer performs an air gap install, they will find an “Airgap Settings” section on :8800/console/settings:

airgap settings

Updates will need to be placed in the path indicated above in order to be detected by Replicated (once detected they’re applied just like connected installs).

This feature (while still in beta) is already being used by defense contractors and banks in order to run applications in environments that meet their security profiles. If you’d like to have this feature toggled for your account, just reach out to the team.