VMware Cloud Foundation Offline Depot Introduction

2024-11-27

With the release of VMware Cloud Foundation (VCF) 5.2, a new version of the Offline Bundle Transfer Utility (OBTU) is now available, enabling administrators to create a secure, offline repository of software bundles within their own firewall, providing greater control and flexibility in managing software updates and deployment.

By default, VCF deployments connect to the VMware online depot, which is accessed via the Internet and requires Broadcom Support Portal credentials for authentication. However, in situations where SDDC Manager cannot access the internet directly, administrators need an alternative way to obtain patches and updates for VCF infrastructure. Until now, administrators had to use the OBTU to download software bundles, copy them to each SDDC Manager instance, and then run an import command to update the infrastructure. With the new offline depot architecture, administrators can download bundles to an internal web server and configure each SDDC Manager to pull patches and updates from that server directly, eliminating the need for additional copying or importing steps.

This article provides technical details on setting up an offline depot and configuring SDDC Manager instances to use it.

Set Up an Offline Depot

An offline depot is a self-managed web server that will act as an internal mirror of the official VMware online depot. You use OBTU to download software bundles to this system and a standard web server to serve the content to internal SDDC Manager instances that do not have access to the internet. This web server should be configured with an HTTPS certificate and protected with a basic auth username and password.

To get started, deploy a new web server VM of your choice with adequate disk space provisioned, such as 1TB, for the software bundle repository. This guide is based on Rocky Linux 9.3, which is a popular free enterprise Linux distribution. You will also need valid credentials for the Broadcom Support Portal; use them to log in to the Portal and download the latest version of OBTU.

Set up OBTU on the offline depot system

sudo mkdir -p /var/www/offline_depot
sudo chown $USER:$USER /var/www/offline_depot

sudo mkdir /opt/obtu
sudo chmod 755 /opt/obtu/
sudo chown $USER:$USER /opt/obtu/

tar -zxvf lcm-tools-prod.tar.gz --directory=/opt/obtu/

chmod +x /opt/obtu/bin/lcm-bundle-transfer-util

Configure Apache HTTPD with HTTPS and Basic Auth

You can generate an SSL cert and key pair using your enterprise PKI infrastructure or you can use a self-signed certificate for testing and proof-of-concept purposes. The following script shows what generally needs to be done to configure the web server.

#!/usr/bin/env bash

# Minimal example of how to set up Apache httpd server with
# self-signed SSL certificate and basic auth

FQDN=$(hostname -f)
sudo dnf install -y httpd mod_ssl jq

# appropriate SELinux configuration should be done for production
sudo setenforce Permissive

# create basic auth username & password
sudo htpasswd -b -c /etc/httpd/.htpasswd depot vmware

# generate self-signed SSL cert for Apache
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=$FQDN" \
    -keyout /etc/pki/tls/private/offline_depot.key \
    -out /etc/pki/tls/certs/offline_depot.crt

sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

# configure virtual host for the local server name
sed "s|ServerName .*|ServerName $FQDN|" offline_depot_httpd.conf |
    sudo tee /etc/httpd/conf.d/offline_depot_httpd.conf

apachectl configtest
sudo systemctl enable --now httpd

# if the cert changes, this is needed
sudo apachectl restart

# create an index file to test
echo "Offline Depot OK" >/var/www/offline_depot/index.html

# -k skips certificate verification, needed here because the cert is self-signed
curl https://"$FQDN" -k --silent -u depot:vmware

 

 

$ cat offline_depot_httpd.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName replace_with_fqdn
DocumentRoot /var/www/offline_depot/

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/offline_depot.crt
SSLCertificateKeyFile /etc/pki/tls/private/offline_depot.key

<Directory /var/www/offline_depot/>
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>

Alias /products/v1/bundles/lastupdatedtime /var/www/offline_depot/PROD2/vsan/hcl/lastupdatedtime.json
Alias /products/v1/bundles/all /var/www/offline_depot/PROD2/vsan/hcl/all.json
Alias /Compatibility/VxrailCompatibilityData.json /var/www/offline_depot/PROD2/evo/vmw/Compatibility/VxrailCompatibilityData.json

</VirtualHost>
</IfModule>
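
An added example, not part of the original article: a small lint for the vhost above that checks TLS is on, that DocumentRoot and every Alias target fall inside a <Directory> block requiring basic auth, and that the password file is not under a served path. `lint_vhost` and `inside` are hypothetical helper names, and the embedded config is a trimmed copy of this page's file.

```python
import posixpath
import re

# Trimmed copy of this page's vhost, embedded so the check runs offline.
VHOST = """\
<VirtualHost *:443>
DocumentRoot /var/www/offline_depot/
SSLEngine on
<Directory /var/www/offline_depot/>
AuthType Basic
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>
Alias /products/v1/bundles/all /var/www/offline_depot/PROD2/vsan/hcl/all.json
</VirtualHost>
"""
FLAGS = re.M | re.I


def inside(path, root):
    """True if path equals root or lies below it, after normalising '..'."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def lint_vhost(conf):
    """Hypothetical helper: return findings; an empty list means all passed."""
    findings = []
    if not re.search(r"^\s*SSLEngine\s+on\s*$", conf, FLAGS):
        findings.append("SSLEngine is not on: basic auth would cross in clear")
    protected = []  # directories whose block demands an authenticated user
    blocks = re.findall(r"<Directory\s+(\S+?)>(.*?)</Directory>", conf, re.S | re.I)
    for root, body in blocks:
        if (re.search(r"^\s*AuthType\s+Basic\b", body, FLAGS)
                and re.search(r"^\s*Require\s+valid-user\b", body, FLAGS)):
            protected.append(root.strip('"'))
    served = re.findall(r"^\s*DocumentRoot\s+(\S+)", conf, FLAGS)
    served += re.findall(r"^\s*Alias\s+\S+\s+(\S+)", conf, FLAGS)
    served = [p.strip('"') for p in served]
    for path in served:
        if not any(inside(path, root) for root in protected):
            findings.append(f"{path} is outside every authenticated <Directory>")
    for pw in re.findall(r"^\s*AuthUserFile\s+(\S+)", conf, FLAGS):
        if any(inside(pw.strip('"'), path) for path in served):
            findings.append(f"AuthUserFile {pw} sits under a served path")
    return findings


if __name__ == "__main__":
    print(lint_vhost(VHOST) or "vhost checks passed")
```

Run it against the rendered file in /etc/httpd/conf.d/ after any change to the Alias lines; a finding means the basic-auth requirement does not cover that path.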

Download appropriate software bundles

Execute the utility, adjusting the parameters according to your current VCF deployment.

#!/usr/bin/env bash

cd /opt/obtu/bin

./lcm-bundle-transfer-util --setUpOfflineDepot \
  --offlineDepotRootDir /var/www/offline_depot \
  --offlineDepotUrl https://"$(hostname -f)" \
  --depotUser broadcom.support.portal.username \
  --depotUserPasswordFile ~/online_depot_passwd.txt \
  --sourceVersion 5.1.0.0

 

Configure Trusted Certificate

In order for SDDC Manager to access the offline depot web server over HTTPS, the certificate must be trusted. If using a self-signed certificate, upload it using the Developer Center in SDDC Manager. The following command will generate the necessary format for use.

echo '{ "certificate" : '"$(jq -sR . /etc/pki/tls/certs/offline_depot.crt)"' ,
  "certificateUsageType" : "TRUSTED_FOR_OUTBOUND"
}'
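
The same payload built with checks, as an added example (not from the original article or VMware tooling): it refuses input that contains a private key or more than one PEM block, and returns a SHA-256 fingerprint to compare against the certificate the depot actually serves before it is trusted. The function name `build_trust_payload` and the sample bytes are assumptions made for illustration.

```python
import hashlib
import json
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s.*?-----END \1-----", re.DOTALL)


def build_trust_payload(pem_text):
    """Return (JSON payload, SHA-256 fingerprint) for one PEM certificate.

    Rejects input that holds a private key or more than one block, so a
    combined cert+key file is never pasted into the Developer Center.
    """
    labels = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("input contains a private key; upload the .crt only")
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected exactly one certificate, found {labels}")
    cert_pem = PEM_BLOCK.search(pem_text).group(0) + "\n"
    der = ssl.PEM_cert_to_DER_cert(cert_pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    payload = json.dumps({
        "certificate": cert_pem,
        "certificateUsageType": "TRUSTED_FOR_OUTBOUND",
    }, indent=2)
    return payload, fingerprint


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate: enough to show the
    # PEM handling offline. Read offline_depot.crt from disk in practice.
    sample = ssl.DER_cert_to_PEM_cert(b"constructed-sample-der-bytes" * 4)
    body, fp = build_trust_payload(sample)
    print(body)
    print("SHA-256 fingerprint:", fp)
```

The fingerprint is in the same colon-separated form that `openssl x509 -noout -fingerprint -sha256` prints, so the two can be compared directly.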

 

Verify the offline depot is working before attempting to configure SDDC Manager to use it.

curl https://od.vcf.sddc.lab/PROD2/evo/vmw/index.v3 -k -u depot:vmware

Configure VCF 5.1 SDDC Manager to use the Offline Depot

You can configure VCF 5.1 to use an offline depot, but there is no graphical configuration to do so. Instead, a command-line tool that is part of the OBTU distribution must be used. Install OBTU on the SDDC Manager and then run the depot_config.py script, providing the FQDN of the new offline depot server.

su
mkdir /opt/vmware/vcf/lcm/lcm-tools
chown -R vcf:vcf /opt/vmware/vcf/lcm/lcm-tools
exit

tar -zxvf lcm-tools-prod.tar.gz --directory=/opt/vmware/vcf/lcm/lcm-tools
cd /opt/vmware/vcf/lcm/lcm-tools/bin
chmod +x lcm-bundle-transfer-util

cd /opt/vmware/vcf/lcm/lcm-tools/conf/offline_depot
python3 depot_config.py --depotMode offline \
  --depotUrl https://od.vcf.sddc.lab

Once that configuration takes effect, log in to the SDDC Manager user interface and configure the depot credentials with your offline depot username and password. This is the same interface that the default online depot uses, but after the above reconfiguration step, it now applies to the offline depot instead.

Configure VCF 5.2 SDDC Manager to use the Offline Depot

SDDC Manager in VCF 5.2 has an updated user interface that allows administrators to choose between an online or offline depot. Once the offline depot is ready to go, simply log in and enter the FQDN, port, and credentials.

Takeaway

The new offline depot capability launched with VMware Cloud Foundation 5.2 provides a significant enhancement for administrators, allowing them to set up a mirror of software bundles needed for patching and updating VCF infrastructure. With this new model, administrators can reduce the time and effort required for patching and updating, and can also help scale deployments by eliminating the need for redundant downloads of large files from the Internet. To get started with setting up an offline depot, follow the steps outlined in this guide and discover the benefits of streamlined patching and updating for your VCF infrastructure.