Anchore Enterprise in an Air-Gapped Environment
Anchore Enterprise can run in an isolated environment with no outside internet connectivity. It does require a network connection to its own components and should be able to reach registries (Docker v2 API compatible) where the images to be analyzed are hosted.
Installation
Air-gapped deployment follows the standard deployment procedure for either Docker Compose or Kubernetes with Helm.
Accessing Images
Make sure that the Anchore Enterprise images are either proxied into a local registry or available as local images on the system running Anchore Enterprise. These images should be referenced in your docker-compose.yaml or Helm values.yaml to enable installation within a private network.Data Synchronization
To ensure that the Anchore Enterprise installation has up-to-date vulnerability data from the vulnerability sources, you will need to periodically download and import feed data into your Anchore Enterprise deployment. Details on how to do this can be found in the Air-Gapped Configuration.
For more detail regarding the Anchore Data Service, please see Anchore Data Service.
1 - Anchore Enterprise in an Air-Gapped Environment
Once you have all the required images locally, you will need to push the images to your local registry and point image location for each service to the url of the images in your registry.
We will assume we are using a Habor registry locally accessible at core.harbor.domain. Follow these steps to push the images to your local registry and deploy Anchore Enterprise:
- Tag images
Since Docker images are currently tagged with docker.io, you need to retag them with your Harbor registry URL.
Replace core.harbor.domain with your actual registry domain:
docker tag docker.io/anchore/enterprise:v5.15.0 core.harbor.domain/anchore/enterprise:v5.15.1
docker tag docker.io/library/postgres:13 core.harbor.domain/library/postgres:13
docker tag docker.io/library/redis:7 core.harbor.domain/library/redis:7
docker tag docker.io/anchore/enterprise-ui:v5.15.0 core.harbor.domain/anchore/enterprise-ui:v5.15.0
- Push the Tagged Images to Harbor
docker push core.harbor.domain/anchore/enterprise:v5.15.0
docker push core.harbor.domain/library/postgres:13
docker push core.harbor.domain/library/redis:7
docker push core.harbor.domain/anchore/enterprise-ui:v5.15.0
Once all the required images are the private registry, you will then need to point all Anchore images in the docker-compose.yaml file to it.
In this example, I have replace all docker.io to core.harbor.domain:
services:
# The primary API endpoint service
api:
image: docker.io/anchore/enterprise:v5.15.0
depends_on:
anchore-db:
condition: service_healthy
catalog:
condition: service_healthy
To:
services:
# The primary API endpoint service
api:
image: core.harbor.domain/anchore/enterprise:v5.15.0
depends_on:
anchore-db:
condition: service_healthy
catalog:
condition: service_healthy
Do this for all services as we will be deploying anchore from your private repository and not docker.io
Also, do not forget to set ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED to false in the dataSyncer service.
dataSyncer:
extraEnv:
- name: ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED
value: "false"
- With your license file and docker-compose.yaml file in the active directory, execute the following to deploy Anchore Enterprise in your air-gapped environment
2 - Anchore Enterprise in an Air-Gapped Environment
Download images locally
Follow these steps to manually transfer the images and deploy Anchore Enterprise on Docker.
Note
You need a Dockerhub PAT from Anchore Customer Success in order to pull Anchore Enterprise images- Download Images from a System with Internet Access
On a machine that has internet access, pull all the relevant Anchore images: We will assume the latest Anchore Enterprise version is v5.15, so we will be pulling down these images (make sure to pull current version as needed)
docker pull docker.io/anchore/enterprise:v5.15.0
docker pull docker.io/library/postgres:13
docker pull docker.io/library/redis:7
docker pull docker.io/anchore/enterprise-ui:v5.15.0
- Save Images as Tar Files
Once the images are pulled, save them as a tarball so that they can be transferred to the air-gapped system. Run the following command:
docker save -o anchore_images.tar \
docker.io/anchore/enterprise:v5.15.0 \
docker.io/library/postgres:13 \
docker.io/library/redis:7 \
docker.io/anchore/enterprise-ui:v5.15.0
This command will create a tar file (approx. 2.2GB in size) containing all the pulled images.
Transfer Images to the Air-Gapped Environment
Now, transfer the anchore_images.tar file (via a memory stick or other means) to the air-gapped system.
Load the Images onto the Air-Gapped System
On the air-gapped system, load the images from the tarball using the following command:
docker load -i anchore_images.tar
You can verify that the images have been loaded by running:
Deploy Anchore on the Air-Gapped System
Once the images are available on the offline system, you can proceed with the deployment using docker-compose.
- Download the Docker Compose File
On a system with internet access, download the official Docker Compose file for Anchore:
curl https://docs.anchore.com/5.15/docs/deployment/docker_compose/docker-compose.yaml > docker-compose.yaml
Transfer this file to your offline system (using a memory stick or similar method).
- Set Up and Deploy
On the air-gapped system, place the downloaded docker-compose.yaml file in your working directory, along with your license file. Make sure the docker-compose.yaml file references the images by name and tag exactly as they appear on your local system.
Now, you can deploy Anchore with:
Docker will automatically use the locally loaded images if they exist with the correct name and tag, as referenced in the docker-compose.yaml file.