Air-Gapped
The on-premises Anchore Enterprise Feeds service has two high-level functions:
- Gather vulnerability data from external sources, then normalize and persist it
- Serve the persisted, normalized vulnerability data via an API
These two high-level functions are decoupled and can be executed independently of each other. This design lets the service run in an API-only mode, answering API requests from the vulnerability data already in its database, which is how Anchore Enterprise is run in air-gapped / high side environments.
Public Network / Low side
- Install Anchore Enterprise Feeds in a public network with access to the internet and to the feed source domains listed here.
- Start the service and use the tasks API to query the status of the FeedSyncTask, which should have started automatically
- Wait for the FeedSyncTask to complete and populate the database
- Stop the service
- Create a database dump using pg_dump tool
pg_dump -h <public-network-db-hostname> -p 5432 -U postgres -Fc -v -f anchore-enterprise-feeds.dump postgres
- Copy the dump to a location from which it can be restored in the following steps
Note: For both Compose and Helm, if no Anchore Enterprise services are required in the low side, you can tweak your values or compose file to just run the feed service.
Private Network / High side
Deploy Anchore Enterprise and ensure the feed service is configured in API-only mode by setting api_only: true in your deployment. In this mode the feed service will not attempt to reach out to external sources of vulnerability data and will ONLY serve feed data from the database via its API.
Helm
feeds:
  extraEnv:
    - name: ANCHORE_FEEDS_API_ONLY
      value: "true"
Compose
feeds:
  environment:
    - ANCHORE_FEEDS_API_ONLY=true
Restore the database from the anchore-enterprise-feeds.dump file created in your low side / public network Anchore Feeds deployment.
pg_restore -h <private-network-db-hostname> -p 5432 -U postgres -C -d postgres anchore-enterprise-feeds.dump
Perform an anchorectl feed sync and check that your feeds have been updated with anchorectl feed list.
Note: The PostgreSQL version must be the same on both databases for the pg_dump and pg_restore utilities to work correctly.
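The dump and restore steps above move a file across an air gap by hand, so two things are worth checking before pg_restore runs: that the file arrived intact and that the PostgreSQL major version on the high side matches the one the dump came from. The script below is an added example, not Anchore's own tooling: it wraps the page's pg_dump and pg_restore commands and writes a small manifest (SHA-256 of the dump plus the low side server's major version) that travels with the dump. The hostnames passed on the command line, the postgres user, port 5432 and the manifest filename are assumptions.

```shell
#!/bin/sh
# Added example (not Anchore's own tooling). Wraps the low side dump and the
# high side restore with an integrity check and a PostgreSQL version check.
# Assumptions: port 5432, the postgres superuser, and a "<dump>.manifest" sidecar.

DUMP_FILE="anchore-enterprise-feeds.dump"

# First run of digits in a version string, e.g.
# "pg_dump (PostgreSQL) 15.3" -> 15, "13.12 (Debian 13.12-1)" -> 13.
pg_major_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\).*/\1/p'
}

# True when two version strings share a major version.
versions_match() {
    [ "$(pg_major_version "$1")" = "$(pg_major_version "$2")" ]
}

# SHA-256 of a file; falls back to shasum where coreutils is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Low side: record "<hash> <major>" beside the dump so the high side can verify both.
write_manifest() {
    dump="$1"; server_version="$2"
    printf '%s %s\n' "$(sha256_of "$dump")" "$(pg_major_version "$server_version")" > "$dump.manifest"
}

# High side: succeed only if the dump hashes as recorded and the target
# server's major version equals the one recorded at dump time.
check_manifest() {
    dump="$1"; target_version="$2"
    read -r expected_hash expected_major < "$dump.manifest" || return 1
    [ "$(sha256_of "$dump")" = "$expected_hash" ] \
        || { echo "checksum mismatch for $dump" >&2; return 1; }
    [ "$(pg_major_version "$target_version")" = "$expected_major" ] \
        || { echo "PostgreSQL major $expected_major (dump) != $(pg_major_version "$target_version") (target)" >&2; return 1; }
}

# Low side: the page's pg_dump command, followed by the manifest.
dump_feeds() {
    host="$1"
    pg_dump -h "$host" -p 5432 -U postgres -Fc -v -f "$DUMP_FILE" postgres || return 1
    write_manifest "$DUMP_FILE" "$(psql -h "$host" -p 5432 -U postgres -tAc 'SHOW server_version')"
}

# High side: refuse to restore unless the manifest checks pass, then run the
# page's pg_restore command.
restore_feeds() {
    host="$1"
    check_manifest "$DUMP_FILE" "$(psql -h "$host" -p 5432 -U postgres -tAc 'SHOW server_version')" || return 1
    pg_restore -h "$host" -p 5432 -U postgres -C -d postgres "$DUMP_FILE"
}

# Usage: ./feeds-transfer.sh dump <public-network-db-hostname>
#        ./feeds-transfer.sh restore <private-network-db-hostname>
case "${1:-}" in
    dump)    dump_feeds "$2" ;;
    restore) restore_feeds "$2" ;;
esac
```

Copy the manifest across the air gap together with the dump; restore_feeds exits non-zero with a message on stderr if either check fails, so it can sit in front of pg_restore in a runbook without further wrapping.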
Last modified September 16, 2024