SUSE Multi-Linux Manager Server Air-gapped Deployment
1. What is Air-gapped Deployment?
Air-gapped deployment refers to the setup and operation of any networked system that is physically isolated from insecure networks, especially the internet. This type of deployment is commonly used in high-security environments such as military installations, financial systems, critical infrastructure, and anywhere sensitive data is handled and must be protected from external threats.
2. Deployments
SUSE Multi-Linux Manager supports two deployment variants.
2.1. Deploy with Virtual Machine
The recommended installation method is using the provided SUSE Multi-Linux Manager Virtual Machine Image option, since all the needed tools and container images are pre-loaded and will work out of the box.
For more information about installing SUSE Multi-Linux Manager Server Virtual Machine, see Deploy Server as a Virtual Machine.
To upgrade SUSE Multi-Linux Manager Server, users should upgrade all packages in the system and follow the procedures defined in Server Upgrade.
2.2. Deploy SUSE Multi-Linux Manager on SL Micro
SUSE Multi-Linux Manager also provides all the needed container images in RPMs that can be installed on the system.
Users should make the needed RPMs available on the internal network. That can be done by using a second SUSE Multi-Linux Manager Server or an RMT server.
- Install SL Micro.
- Update the system.
- Install tools packages and image packages (replace $ARCH$ with the correct architecture):
    transactional-update pkg install mgradm* mgrctl* multi-linux-manager-5.1-$ARCH$-server-*
- Reboot.
- Deploy SUSE Multi-Linux Manager with mgradm.
For more detailed information about installing SUSE Multi-Linux Manager Server on SL Micro, see Deploy Server as a Virtual Machine.
To upgrade SUSE Multi-Linux Manager Server, users should upgrade all packages in the system and follow the procedures defined in Server Upgrade.
3. PTFs
The PTF images are not available as packages.
This means that they should be pulled using podman on a machine with internet access, then saved in an archive, transferred to the air-gapped machine and loaded there.
- Install podman.
- Authenticate against the SUSE Registry using the SCC credentials:
    # Disable shell history while the password is on the command line.
    set +o history
    echo SCC_MIRRORING_PASSWORD | podman login -u "SCC_MIRRORING_USER" --password-stdin registry.suse.com
    set -o history
- Create a /tmp/ptf-images temporary file with the URL of the PTF images, one per line. In most cases only the server image is needed, and the file can be created with commands like the following, after replacing the SCC_USERID and PTFID values:
    SCC_USERID=aXXXX
    PTFID=12345
    echo "registry.suse.com/a/$SCC_USERID/$PTFID/multi-linux-manager/5.1/x86_64/server:latest-ptf-$PTFID" >>/tmp/ptf-images
- Pull each of the container images of the PTF and save them in a tar archive:
    for image in `cat /tmp/ptf-images`; do
        podman pull "$image"
    done
    podman save -o /tmp/ptf-images.tar `cat /tmp/ptf-images`
- Transfer the /tmp/ptf-images.tar images archive to the server to patch.
- Ensure the ptf-images.tar file is available on the server.
- Load the images from the archive:
    podman load -i ptf-images.tar
- Install the PTF using mgradm support ptf podman as would be done on a connected machine. Because the images are already loaded, they will not be pulled.
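The procedure above carries an image archive across the air gap without checking which registry the list points at or whether the archive arrived unchanged. The shell functions below are an added example, not part of the SUSE documentation: they validate the image list and record and verify a SHA-256 digest of the archive. The function names and the .sha256 sidecar file are assumptions.

```shell
#!/bin/sh
# Added example, not SUSE's code. File names follow the page; the function
# names and the ".sha256" sidecar file are assumptions of this example.

# Connected machine, before the pull loop: accept the list only if every
# line is a registry.suse.com reference made of ordinary reference characters.
check_image_list() {
    list=$1
    [ -s "$list" ] || { echo "missing or empty: $list" >&2; return 1; }
    while IFS= read -r ref || [ -n "$ref" ]; do
        case $ref in
            '') continue ;;
            *[!A-Za-z0-9._/:-]*) echo "unexpected character: $ref" >&2; return 1 ;;
            registry.suse.com/*) ;;
            *) echo "not registry.suse.com: $ref" >&2; return 1 ;;
        esac
    done < "$list"
}

# Connected machine, after "podman save": record the archive's SHA-256 in a
# sidecar file. It stores the bare file name, so it verifies in any directory.
write_digest() {
    archive=$1
    ( cd "$(dirname "$archive")" &&
      sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
}

# Air-gapped server, before "podman load": succeed only if the archive still
# matches the digest recorded on the connected machine.
verify_archive() {
    archive=$1
    ( cd "$(dirname "$archive")" &&
      sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) ||
        { echo "digest mismatch, do not load: $archive" >&2; return 1; }
}

# Where the calls fit in the page's procedure:
#   check_image_list /tmp/ptf-images      # then pull and save as documented
#   write_digest /tmp/ptf-images.tar      # transfer the archive and digest
#   verify_archive ptf-images.tar && podman load -i ptf-images.tar
```

A digest that travels on the same medium as the archive detects corruption; to detect tampering as well, carry the .sha256 file over a separate trusted path.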