2024-11-27
With the release of VMware Cloud Foundation (VCF) 5.2, a new version of the Offline Bundle Transfer Utility (OBTU) is now available, enabling administrators to create a secure, offline repository of software bundles within their own firewall, providing greater control and flexibility in managing software updates and deployments.
By default, VCF deployments connect to the VMware online depot, which is accessed via the Internet and requires Broadcom Support Portal credentials for authentication. However, in situations where SDDC Manager cannot access the internet directly, administrators need an alternative way to obtain patches and updates for VCF infrastructure. Until now, administrators had to use the OBTU to download software bundles, copy them to each SDDC Manager instance, and then run an import command to update the infrastructure. With the new offline depot architecture, administrators can download bundles to an internal web server and configure each SDDC Manager to pull patches and updates from that server directly, eliminating the need for additional copying or importing steps.
This article provides technical details on setting up an offline depot and configuring SDDC Manager instances to use it.
An offline depot is a self-managed web server that will act as an internal mirror of the official VMware online depot. You use OBTU to download software bundles to this system and a standard web server to serve the content to internal SDDC Manager instances that do not have access to the internet. This web server should be configured with HTTPS certificates and protected with a basic auth username and password.
To get started, deploy a new web server VM of your choice with adequate disk space provisioned, such as 1TB, for the software bundle repository. This guide will be based on Rocky Linux 9.3, which is a popular free enterprise Linux distribution. You will also need to have valid credentials for the Broadcom Support Portal – use them to log in to the Portal and download the latest version of OBTU.
sudo mkdir -p /var/www/offline_depot
sudo chown $USER:$USER /var/www/offline_depot
sudo mkdir /opt/obtu
sudo chmod 755 /opt/obtu/
sudo chown $USER:$USER /opt/obtu/
tar zxvf lcm-tool-prod.tar.gz --directory=/opt/obtu/
chmod +x /opt/obtu/bin/lcm-bundle-transfer-util
You can generate an SSL cert and key pair using your enterprise PKI infrastructure or you can use a self-signed certificate for test and proof-of-concept purposes. The following script shows what generally needs to be done to configure the web server.
#!/usr/bin/env bash
# Minimal example of how to set up Apache httpd server with
# self-signed SSL certificate and basic auth
FQDN=$(hostname -f)
sudo dnf install -y httpd mod_ssl jq
# appropriate SELinux configuration should be done for production
sudo setenforce Permissive
# create basic auth username & password
# (example values; -b passes the password on the command line)
sudo htpasswd -b -c /etc/httpd/.htpasswd depot vmware
# generate self-signed SSL cert for Apache
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -subj "/CN=$FQDN" \
  -keyout /etc/pki/tls/private/offline_depot.key \
  -out /etc/pki/tls/certs/offline_depot.crt
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
# configure virtual host for the local server name
sed "s|ServerName .*|ServerName $FQDN|" offline_depot_httpd.conf | sudo tee /etc/httpd/conf.d/offline_depot_httpd.conf
apachectl configtest
sudo systemctl enable --now httpd
# if the cert changes, this is needed
sudo apachectl restart
# create an index file to test
echo "Offline Depot OK" >/var/www/offline_depot/index.html
# -k skips certificate verification (self-signed cert)
curl https://"$FQDN" -k --silent -u depot:vmware

$ cat offline_depot_httpd.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName replace_with_fqdn
    DocumentRoot /var/www/offline_depot/
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/offline_depot.crt
    SSLCertificateKeyFile /etc/pki/tls/private/offline_depot.key
    <Directory /var/www/offline_depot/>
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/httpd/.htpasswd
        Require valid-user
    </Directory>
    Alias /products/v1/bundles/lastupdatedtime /var/www/offline_depot/PROD2/vsan/hcl/lastupdatedtime.json
    Alias /products/v1/bundles/all /var/www/offline_depot/PROD2/vsan/hcl/all.json
    Alias /Compatibility/VxrailCompatibilityData.json /var/www/offline_depot/PROD2/evo/vmw/Compatibility/VxrailCompatibilityData.json
</VirtualHost>
</IfModule>
Execute the utility, adjusting the parameters according to your current VCF deployment.
#!/usr/bin/env bash
cd /opt/obtu/bin
./lcm-bundle-transfer-util --setUpOfflineDepot \
  --offlineDepotRootDir /var/www/offline_depot \
  --offlineDepotUrl https://"$(hostname -f)" \
  --depotUser broadcom.support.portal.username \
  --depotUserPasswordFile ~/online_depot_passwd.txt \
  --sourceVersion 5.1.0.0
In order for SDDC Manager to access the offline depot web server over HTTPS, the certificate must be trusted. If using a self-signed certificate, upload it using the Developer Center in SDDC Manager. The following command will generate the necessary format for use.
echo '{ "certificate": '"$(jq -sR . /etc/pki/tls/certs/offline_depot.crt)"', "certificateUsageType": "TRUSTED_FOR_OUTBOUND" }'
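The same JSON body can be built with a few sanity checks the jq one-liner above does not perform. This is an added example, not part of the original article or of OBTU; the function name build_trust_payload and its return codes are hypothetical, and it uses only grep, sed, tr and awk.

```shell
#!/usr/bin/env bash
# Added example: build the trusted-certificate JSON body from a PEM file,
# refusing input that should never be uploaded as a trust anchor.

# build_trust_payload FILE   (hypothetical helper)
# Prints the JSON body on stdout. Return codes:
#   0 ok, 2 unreadable file, 3 private key present, 4 not exactly one certificate
build_trust_payload() {
  local pem_file=$1 count body
  [ -r "$pem_file" ] || { echo "cannot read $pem_file" >&2; return 2; }

  # The .key and .crt files have the same base name; never ship key material.
  if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem_file"; then
    echo "refusing: $pem_file contains a private key" >&2
    return 3
  fi

  # Expect one PEM certificate, not a bundle, an empty file or a DER file.
  count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem_file" || true)
  if [ "$count" -ne 1 ]; then
    echo "expected exactly 1 certificate, found $count" >&2
    return 4
  fi

  # Keep only the certificate block, drop carriage returns, and turn every
  # line break into the two characters \n so the PEM is a valid JSON string.
  body=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pem_file" \
    | tr -d '\r' | awk '{ printf "%s\\n", $0 }')

  printf '{ "certificate": "%s", "certificateUsageType": "TRUSTED_FOR_OUTBOUND" }\n' "$body"
}
```

Call it with the path to the certificate file and paste the output into the Developer Center request body.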
Verify the offline depot is working before attempting to configure SDDC Manager to use it.
curl https://od.vcf.sddc.lab/PROD2/evo/vmw/index.v3 -k -u depot:vmware
You can configure VCF 5.1 to use an offline depot, but there is no graphical configuration to do so. Instead, a command-line tool that is part of the OBTU distribution must be used. Install OBTU on the SDDC Manager and then run the depot_config.py script, providing the FQDN of the new offline depot server.
su -
mkdir /opt/vmware/vcf/lcm/lcm-tool
chown -R vcf:vcf /opt/vmware/vcf/lcm/lcm-tool
exit
tar zxvf lcm-tool-prod.tar.gz --directory=/opt/vmware/vcf/lcm/lcm-tool
cd /opt/vmware/vcf/lcm/lcm-tool/bin
chmod +x lcm-bundle-transfer-util
cd /opt/vmware/vcf/lcm/lcm-tool/conf/offline_depot
python3 depot_config.py --depotMode offline \
  --depotUrl https://od.vcf.sddc.lab
Once that configuration takes effect, log into the SDDC Manager user interface and configure the depot credentials with your offline depot username and password. This is the same interface that the default online depot uses, but after the above reconfiguration step, it now applies to the offline depot instead.
SDDC Manager in VCF 5.2 has an updated user interface that allows administrators to choose between an online or offline depot. Once the offline depot is ready to go, simply log in and enter the FQDN, port, and credentials.
The new offline depot capability launched with VMware Cloud Foundation 5.2 provides a significant enhancement for administrators, allowing them to set up a mirror of software bundles needed for patching and updating VCF infrastructure. With this new model, administrators can reduce the time and effort required for patching and updating, and can also help scale deployments by eliminating the need for redundant downloads of large files from the Internet. To get started with setting up an offline depot, follow the steps outlined in this guide and discover the benefits of streamlined patching and updating for your VCF infrastructure.