Air-gapped clusters

This document walks you through the process of installing Portworx into an air-gapped environment. First, you must fetch the required container images from the public container registries on the internet. Then, you can load these images directly onto your nodes or upload them into your private container registry. Once you’ve loaded the Portworx images, you will continue with the standard installation procedure.

Step 1: Download the air-gapped bootstrap script

Export your Kubernetes version by entering the following command:
```
KBVER=$(kubectl version --short | awk -Fv '/Server Version: / {print $3}')
```
If the current node doesn’t have kubectl installed, you can set the KBVER variable manually by running export KBVER=<YOUR_KUBERNETES_VERSION>. For example, if your Kubernetes version is 1.17.5, run the following command:
```
KBVER=1.17.5
```
Download the air-gapped-install bootstrap script by entering the following curl command:
```
curl -o px-ag-install.sh -L "https://install.portworx.com/2.5/air-gapped?kbver=$KBVER"
```

Step 2: Pull the container images

Pull the container images by running the px-ag-install script with the pull option:

sh px-ag-install.sh pull

Step 3: Make container images available to your nodes

There are two ways in which you can make the Portworx container images available to your nodes:

Follow Step 3a if your company uses private container registry
Otherwise, follow Step 3b to push directly to your nodes

Step 3a: Push to a local registry server, accessible by the air-gapped nodes

NOTE: For details about how you can use a private registry, see the Using a Private Registry section of the Kubernetes documentation.

Push the images to the registry by running the px-ag-install script with the push option and your registry location:
```
sh px-ag-install.sh push <YOUR_REGISTRY_LOCATION>
```
For example:
```
sh px-ag-install.sh push myregistry.net:5443
```
alternatively you can put all images in the same repository:
```
sh px-ag-install.sh push myregistry.net:5443/px-images
```
Once you’ve loaded the images into your registry, continue with Step 4: Install Portworx. When you install Portworx, specify your custom registry in the Customize section of the spec generator:

Step 3b: Push directly to your nodes

Load container images onto your nodes individually by running the px-ag-install script with the load option and your intranet host locations:

sh px-ag-install.sh load <intranet-host> [<host2> <host3>...]

For <intranet-host>, use the hostname or IP-address of your node.

NOTE:

The command above uses ssh to load the images on the nodes on intranet. You can customize or replace the ssh command with the -e command switch. For example, px-ag-install.sh -e "sshpass -p 5ecr3t ssh -l root" uses the sshpass(1) command to automatically pass root’s password when logging into the intranet host.
If you’re using this method, you can specify Image Pull Policy as IfNotPresent or Never on the “Registry and Image Settings” page when generating the Portworx spec.

Step 4: Install Portworx

Once you’ve loaded the container images into your registry or nodes, continue with the standard installation procedure:

Air-gapped install bootstrap script reference

./px-ag-install.sh [image-commands] [options] '[arguments...]'

NOTE: The script name px-ag-install.sh reflects the default name specified in the installation instructions, but can be whatever you named the script file when you downloaded it.

Image commands

Command	Description	Required?
`pull`	Pulls the Portworx container images locally
`push <registry[/repo]>`	Pushes the Portworx images into remote container registry server
`load node1 [node2 [...]]`	Loads the images tarball to remote nodes (note: ssh-access required)

Options

Option	Description	Required?
`--help`	Displays help output
`-I`, `--include <image>`	Specify additional images to include
`-E`, `--exclude <glob>`	Specify images to EXCLUDE (e.g. -E ‘csi’)
`-n`, `--dry-run`	Show commands instead of running
`-V`, `--version`	Print version of the script
`-v`	Verbose output

Load-specific options

Option	Description	Required?
`-e`, `--rsh <command>`	specify the remote shell to use (default ssh)
`-L`, `--load-cmd <command>`	specify the remote container-load command to use (default auto)
`-t <prefix>`	specify temporary tarball filename (default px-agtmp.tar)
`--pks`	assume PKS environment; transfer images using ‘bosh’ command

Examples

Pull images from default container registries, push them to custom registry server (default repositories)
```
px-ag-install.sh pull push your-registry.company.com:5000
```
Pull images from default container registries, push them to custom registry server and portworx repository
```
px-ag-install.sh pull
px-ag-install.sh push your-registry.company.com:5000/portworx
```

Push images to password-protected remote registry, then import docker/podman configuration as kuberentes secret

docker login your-registry.company.com:5000
px-ag-install.sh pull
px-ag-install.sh push your-registry.company.com:5000/portworx
px-ag-install.sh import-secrets

Pull images, then load to given nodes using ssh

px-ag-install.sh pull
px-ag-install.sh load node1 node2 node33 node444

Pull images, then load to given nodes using ssh and root-account

px-ag-install.sh -e "ssh -l root" pull load node1 node2 node33 node444

Load images to given nodes using ssh and password ‘5ecr3t’

px-ag-install.sh -e "sshpass -p 5ecr3t ssh" load node1 node2 node33 node444

Pull ONLY busybox image, load it to given nodes

px-ag-install.sh -E '*' -I docker.io/busybox:latest pull load node1 node2 node33 node444