Air-Gapped

You will find a refined flow to transfer the feed data in v5.10.0. AnchoreCTL is now capable of importing and exporting feeds in a much more streamlined way. AnchoreCTL will be downloading the datasets from the Anchore Data Service and then importing them into the Anchore Enterprise deployment. For more detail regarding the Anchore Data Service, please see Anchore Data Service.

Air Gap Flow

Configuration

To configure your Anchore Enterprise deployment to work in an air-gapped environment, you will need to disable the Data Syncer Service’s automatic feed sync.

For helm

Set the following in your values.yaml

dataSyncer:
  extraEnv:
    - ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED=false

For docker-compose

Set the following in your docker compose yaml file

services:
  data-syncer:
    auto_sync_enabled: false

Alternately, you can also set the environment variable ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED to false in the data-syncer service.

export ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED=false

Downloading and Importing Datasets

Once installed, AnchoreCTL can be used to download the latest feed data from the Anchore Data Service. This data can then be moved across the air gap and uploaded into your Anchore Enterprise deployment.

Downloading the Datasets

Run the following command outside your air-gapped environment to download the datasets

Using your license key

anchorectl airgap feed download -f <filename> -k <your api key>

Using your license file

anchorectl airgap feed download -f <filename> -l <path to your license file>

NOTE:

To get your API key, check your license file for a field called apiKey
This command will download all the feeds from the hosted service to the file specified by ‘-f’.
This command can take a bit of time to return depending on your connection speed.
The resulting file will be approximately 0.5 GB in size as of this writing but will continue to grow as more data is added to the feeds.

Importing the Datasets

Take a copy of this file and move it into your air-gapped environment. Then run the following command to import the feeds into your Anchore Enterprise deployment.

anchorectl airgap feed upload -f <filename>

Your Analyzer Service and Policy Engine Service will now be able to fetch the latest data from the Data Syncer Service as normal. This procedure must be repeated each time you want to update the datasets in your air gapped environment.

Attention

Use the same file for downloading data every time, AnchoreCTL will read the metadata from the file and determine if it needs to download any newer data or if you already have the latest. If it does download newer data, the metadata is the file is overwritten with the latest metadata, this way you will not have to perform any unnecessary downloads.

Last modified September 30, 2024