Anchore Enterprise in an Air-Gapped Environment

Anchore Enterprise can run in an isolated environment with no outside internet connectivity. It does require a network connection to its own components and should be able to reach registries (Docker v2 API compatible) where the images to be analyzed are hosted.

Installation

Air-gapped deployment follows the standard deployment procedure for either Docker Compose or Kubernetes with Helm.

Accessing Images

Make sure that the Anchore Enterprise images are either proxied into a local registry or available as local images on the system running Anchore Enterprise. These images should be referenced in your docker-compose.yaml or Helm values.yaml to enable installation within a private network.

Data Synchronization

To ensure that the Anchore Enterprise installation has up-to-date vulnerability data from the vulnerability sources, you will need to periodically download and import feed data into your Anchore Enterprise deployment. Details on how to do this can be found in the Air-Gapped Configuration.

For more detail regarding the Anchore Data Service, please see Anchore Data Service.

1 - Anchore Enterprise in an Air-Gapped Environment

Once you have all the required images locally, you will need to push the images to your local registry and point image location for each service to the url of the images in your registry.

We will assume we are using a Habor registry locally accessible at core.harbor.domain. Follow these steps to push the images to your local registry and deploy Anchore Enterprise:

Tag images Since Docker images are currently tagged with docker.io, you need to retag them with your Harbor registry URL.

Replace core.harbor.domain with your actual registry domain:

docker tag docker.io/anchore/enterprise:v5.15.0 core.harbor.domain/anchore/enterprise:v5.15.1
docker tag docker.io/library/postgres:13 core.harbor.domain/library/postgres:13
docker tag docker.io/library/redis:7 core.harbor.domain/library/redis:7
docker tag docker.io/anchore/enterprise-ui:v5.15.0 core.harbor.domain/anchore/enterprise-ui:v5.15.0

Push the Tagged Images to Harbor

docker push core.harbor.domain/anchore/enterprise:v5.15.0
docker push core.harbor.domain/library/postgres:13
docker push core.harbor.domain/library/redis:7
docker push core.harbor.domain/anchore/enterprise-ui:v5.15.0

Once all the required images are the private registry, you will then need to point all Anchore images in the docker-compose.yaml file to it.

In this example, I have replace all docker.io to core.harbor.domain:

services:
  # The primary API endpoint service
  api:
    image: docker.io/anchore/enterprise:v5.15.0
    depends_on:
      anchore-db:
        condition: service_healthy
      catalog:
        condition: service_healthy

To:

services:
  # The primary API endpoint service
  api:
    image: core.harbor.domain/anchore/enterprise:v5.15.0
    depends_on:
      anchore-db:
        condition: service_healthy
      catalog:
        condition: service_healthy

Do this for all services as we will be deploying anchore from your private repository and not docker.io

Also, do not forget to set ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED to false in the dataSyncer service.

dataSyncer:
  extraEnv:
    - name: ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED
      value: "false"

With your license file and docker-compose.yaml file in the active directory, execute the following to deploy Anchore Enterprise in your air-gapped environment

docker compose up -d

2 - Anchore Enterprise in an Air-Gapped Environment

Download images locally

Follow these steps to manually transfer the images and deploy Anchore Enterprise on Docker.

Download Images from a System with Internet Access On a machine that has internet access, pull all the relevant Anchore images: We will assume the latest Anchore Enterprise version is v5.15, so we will be pulling down these images (make sure to pull current version as needed)

docker pull docker.io/anchore/enterprise:v5.15.0
docker pull docker.io/library/postgres:13
docker pull docker.io/library/redis:7
docker pull docker.io/anchore/enterprise-ui:v5.15.0

Save Images as Tar Files Once the images are pulled, save them as a tarball so that they can be transferred to the air-gapped system. Run the following command:

docker save -o anchore_images.tar \
    docker.io/anchore/enterprise:v5.15.0 \
    docker.io/library/postgres:13 \
    docker.io/library/redis:7 \
    docker.io/anchore/enterprise-ui:v5.15.0

This command will create a tar file (approx. 2.2GB in size) containing all the pulled images.

Transfer Images to the Air-Gapped Environment Now, transfer the anchore_images.tar file (via a memory stick or other means) to the air-gapped system.
Load the Images onto the Air-Gapped System On the air-gapped system, load the images from the tarball using the following command:

docker load -i anchore_images.tar

You can verify that the images have been loaded by running:

docker images

Deploy Anchore on the Air-Gapped System

Once the images are available on the offline system, you can proceed with the deployment using docker-compose.

Download the Docker Compose File On a system with internet access, download the official Docker Compose file for Anchore:


curl https://docs.anchore.com/5.15/docs/deployment/docker_compose/docker-compose.yaml > docker-compose.yaml

Transfer this file to your offline system (using a memory stick or similar method).

Set Up and Deploy On the air-gapped system, place the downloaded docker-compose.yaml file in your working directory, along with your license file. Make sure the docker-compose.yaml file references the images by name and tag exactly as they appear on your local system.

Now, you can deploy Anchore with:

docker compose up -d

Docker will automatically use the locally loaded images if they exist with the correct name and tag, as referenced in the docker-compose.yaml file.