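SUSE Multi-Linux Manager Server Air-gapped Deployment

1. What is air-gapped deployment?

Air-gapped deployment refers to the setup and operation of any networked system that is physically isolated from insecure networks, especially the internet. This type of deployment is commonly used in high-security environments such as military installations, financial systems, and critical infrastructure, and anywhere sensitive data is handled and must therefore be protected from external threats.

2. Deployments

SUSE Multi-Linux Manager supports two deployment variants.

2.1. Deploy with Virtual Machine

The recommended installation method is to use the provided SUSE Multi-Linux Manager Virtual Machine image option, because all the needed tools and container images are pre-loaded and ready to use.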

For more information about installing SUSE Multi-Linux Manager Server Virtual Machine, see Deploy Server as a Virtual Machine.

To upgrade SUSE Multi-Linux Manager Server, users should upgrade all packages in the system and follow the procedure defined in Server Upgrade.

2.2. Deploy SUSE Multi-Linux Manager on SL Micro

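SUSE Multi-Linux Manager also provides all the needed container images in RPMs that can be installed on the system.

Users should make the needed RPMs available on the internal network. This can be done by using a second SUSE Multi-Linux Manager Server or an RMT server.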

Procedure: Install SUSE Multi-Linux Manager on SL Micro in an Air-gapped Environment
  1. Install SL Micro

  2. Update the system.

  3. Install the tools packages and image packages (replace $ARCH$ with the correct architecture):

    transactional-update pkg install mgradm* mgrctl* multi-linux-manager-5.1-$ARCH$-server-*
  4. Reboot.

  5. Deploy SUSE Multi-Linux Manager with mgradm.

For more detailed information about installing SUSE Multi-Linux Manager Server on SL Micro, see Deploy Server as a Virtual Machine.

To upgrade SUSE Multi-Linux Manager Server, users should upgrade all packages in the system and follow the procedure defined in Server Upgrade.

3. PTFs

The PTF images are not available as packages. This means that they should be pulled using podman on a machine with internet access, then saved in an archive, transferred to the air-gapped machine and loaded there.

Procedure: Pulling the image on a machine with internet access
  1. Install podman.

  2. Authenticate against the SUSE Registry using the SCC credentials:

    set +o history
    echo SCC_MIRRORING_PASSWORD | podman login -u "SCC_MIRRORING_USER" --password-stdin registry.suse.com
    set -o history
  3. Create a temporary file /tmp/ptf-images with the URLs of the PTF images, one per line. In most cases only the server image is needed, and the file can be created with commands like the following, after replacing the SCC_USERID and PTFID values.

    SCC_USERID=aXXXX
    PTFID=12345
    echo "registry.suse.com/a/$SCC_USERID/$PTFID/multi-linux-manager/5.1/x86_64/server:latest-ptf-$PTFID" >>/tmp/ptf-images
  4. Pull each of the container images of the PTF and save them in a tar archive.

    for image in `cat /tmp/ptf-images`; do
        podman pull $image
    done
    podman save -o /tmp/ptf-images.tar `cat /tmp/ptf-images`
  5. Transfer the /tmp/ptf-images.tar images archive to the server to patch.

Procedure: Loading the images on the server to patch
  1. Ensure the ptf-images.tar file is available on the server.

  2. Load the images from the archive:

    podman load -i ptf-images.tar
  3. Install the PTF using mgradm support ptf podman as would be done on a connected machine. Because the images are already loaded they will not be pulled.
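
The transfer step moves an opaque archive across the air gap, so it is worth confirming on the server that the file arrived unchanged and contains the expected images before running podman load. The shell functions below are an added example, not part of the SUSE documentation; the function names and the .sha256 sidecar file are assumptions, and the image list is assumed to hold fully qualified references as in /tmp/ptf-images.

```bash
#!/usr/bin/env bash
# Added example: checks around the air-gap transfer of ptf-images.tar.
# Function names and the ".sha256" sidecar file are assumptions of this example.

# Connected machine: record the archive digest in <archive>.sha256.
write_digest() {
    local archive="$1"
    ( cd "$(dirname "$archive")" && sha256sum "$(basename "$archive")" ) \
        > "$archive.sha256"
}

# Air-gapped server: recompute the digest and compare it with the recorded one.
verify_digest() {
    local archive="$1"
    ( cd "$(dirname "$archive")" &&
      sha256sum --check --status "$(basename "$archive").sha256" )
}

# Air-gapped server: confirm every reference in the image list is tagged in the
# archive. podman save writes a docker-archive by default; its manifest.json
# lists the saved references under "RepoTags".
verify_contents() {
    local archive="$1" list="$2" manifest image missing=0
    manifest=$(tar -xOf "$archive" manifest.json) || return 2
    while IFS= read -r image || [ -n "$image" ]; do
        [ -n "$image" ] || continue
        if ! printf '%s\n' "$manifest" | grep -qF -- "\"$image\""; then
            echo "missing from archive: $image" >&2
            missing=1
        fi
    done < "$list"
    return "$missing"
}

# Run both checks; load the images only if this returns 0, for example:
#   check_before_load ptf-images.tar ptf-images && podman load -i ptf-images.tar
check_before_load() {
    verify_digest "$1" && verify_contents "$1" "$2"
}
```

The digest only protects against changes in transit if the .sha256 file reaches the server by a path separate from the archive.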