Anchore Enterprise in an Air-Gapped Environment

This document is intended to be a complete reference guide to deploying Anchore Enterprise in an air-gapped environment. Use the print button to take this guide into your air-gapped environment.

Prerequisites

Terminology

The “low side” represents the Internet-facing side. The “high side” represents the air-gapped side.

Please note that detailed deployment requirements can be otherwise found in Requirements

Kubernetes

Command-line tools Helm (>=3.8) and Docker static binary (low side and high side)
Command-line tool kubectl (high side)
Helm is the package manager for Kubernetes used to manage Kubernetes applications using Helm charts.
Kubectl communicates with the Kubernetes API server to send commands and manage resources within a Kubernetes cluster.
Helm and Docker (client/static binary) can be installed as standalone binaries. The Docker static binary is only needed to pull/download/save/load Docker images.
Kubectl can be installed as a standalone binary.
For an air-gapped deployment:
Helm and Docker should be installed on an Internet-facing system (can be a normal workstation on the low side) as well as the air-gapped system (can be the management system/control node on the high side).
Kubectl should be installed on the air-gapped system (can be the management system/control node on the high side) to interact with the Kubernetes cluster.
How to install (Helm, >=3.8): https://helm.sh/docs/intro/install/
How to install (Docker, static binary): https://docs.docker.com/engine/install/binaries/
How to install (kubectl): https://kubernetes.io/docs/tasks/tools/

Docker

Install Docker static binary (low side)
Install Docker Engine/CE (>=1.12) (high side)
The Docker static binary is only needed to pull/download/save Docker images (on the low side).
Docker Engine/CE is needed for the Anchore Enterprise deployment (on the high side).
For an air-gapped deployment:
The Docker static binary should be installed on an Internet-facing system (can be a normal workstation on the low side) and Docker Engine/CE should be installed on the air-gapped system.
How to install (Docker, static binary): https://docs.docker.com/engine/install/binaries/
How to install (Docker Engine/CE): https://docs.docker.com/engine/install/

Pull/Download images locally (from low side)

All Helm, Docker, and/or curl commands should be run from a system on the low side in which Helm, Docker, and/or curl was installed.

Image Access

The Anchore-provided DockerHub credentials and PAT (Personal Access Token) will be required for pulling/downloading Docker images.

The Anchore Enterprise and Enterprise UI version should correspond to the latest/current version of Anchore Enterprise when pulling/downloading Docker images.

The pulled/downloaded Docker images will require approx. 2 - 4 GB’s of available local disk space.

Kubernetes

Pull the latest Anchore Enterprise Helm chart and dependencies

helm repo add anchore https://charts.anchore.io
helm repo update
helm pull anchore/enterprise

The “helm pull” command will create a .tgz file named: enterprise-“helm-chart-version”.tgz
The file size will be small (under 1 MB).

Pull the latest Anchore Enterprise and dependent Docker images

docker pull docker.io/anchore/enterprise:v5.21.0
docker pull docker.io/anchore/enterprise-ui:v5.21.0
docker pull docker.io/bitnamilegacy/postgresql:16.6.0-debian-12-r2
docker pull docker.io/redis:7.4.6
docker pull docker.io/bitnamilegacy/kubectl:1.30
docker pull docker.io/postgres:13-bookworm

Save the Anchore Enterprise and dependent Docker images into a single tar file for transfer to the high side

docker save -o <filename>.tar \
docker.io/anchore/enterprise:v5.21.0 \
docker.io/anchore/enterprise-ui:v5.21.0 \
docker.io/bitnamilegacy/postgresql:16.6.0-debian-12-r2 \
docker.io/redis:7.4.6 \
docker.io/bitnamilegacy/kubectl:1.30 \
docker.io/postgres:13-bookworm

Docker

Download the latest Docker Compose file which should correspond to the latest/current version of Anchore Enterprise

curl https://docs.anchore.com/5.21/docs/deployment/docker_compose/docker-compose.yaml > docker-compose.yaml

Pull the latest Anchore Enterprise and dependent Docker images

docker pull docker.io/anchore/enterprise:v5.21.0
docker pull docker.io/anchore/enterprise-ui:v5.21.0
docker pull docker.io/postgres:16
docker pull docker.io/redis:7.4.6

Save the Anchore Enterprise and dependent Docker images into a single tar file for transfer to the high side

docker save -o <filename>.tar \
docker.io/anchore/enterprise:v5.21.0 \
docker.io/anchore/enterprise-ui:v5.21.0 \
docker.io/postgres:16 \
docker.io/redis:7.4.6

Transfer source files (to high side)

NOTE

All Docker commands should be run on the air-gapped system in which Docker was installed.

Kubernetes

Transfer (via USB or other medium/method) the below files to the air-gapped system (on the high side):

The Anchore Enterprise Helm chart .tgz file
The Docker images tar file
The Anchore-provided Anchore Enterprise license file

Untar the Anchore Enterprise Helm chart .tgz file on the air-gapped system

The tarball will be extracted to a directory named: enterprise
The directory will include the Anchore Enterprise Helm chart and the dependent PostgreSQL and Redis Helm charts.

Copy the Anchore Enterprise license file into the “enterprise” directory and if need be rename the file to: license.yaml
Load and verify the Docker images locally on the air-gapped system

docker load -i <filename>.tar
docker images

Import the Docker images into the container runtime/Kubernetes cluster directly (from the air-gapped system) as the images may not be visible to the cluster although they are available locally

For instance, if containerd or CRI-O is the container runtime - the ctr command can be used directly from the management system/worker node.

ctr images import <filename>.tar
ctr images ls

If using Rancher (RKE), KIND, K9s, Minikube, etc. the procedure may vary so be sure to research accordingly.

Docker

Transfer (via USB or other medium/method) the below files to the air-gapped system (on the high side):

The Docker Compose file
The Docker images tar file
The Anchore-provided Anchore Enterprise license file

Place the Docker Compose and Anchore Enterprise license files into a designated working directory on the air-gapped system

If need be, rename the Anchore Enterprise license file to: license.yaml

Load and verify the Docker images locally on the air-gapped system

docker load -i <filename>.tar
docker images

Deploy Anchore Enterprise (on high side)

NOTE

The Kubernetes or Docker deployment of Anchore Enterprise should take place on the air-gapped system.

Kubernetes

From the air-gapped system (on the high side), change into the “enterprise” directory that was extracted from the Anchore Enterprise Helm chart .tgz file and make a backup copy of the existing values.yaml file (as custom settings will be defined).

cd enterprise
cp values.yaml values-original.yaml

Modify the settings in the values.yaml file so that the default password for the admin user is set. Save the file once modified.

The password for the admin user MUST be initially set via the “default_admin_password” parameter. The admin password can be changed post-installation via the UI.

- default_admin_password stanza under "Anchore Configuration Parameters" section

## @param anchoreConfig.default_admin_password The password for the Anchore Enterprise admin user
## This value is only used during creation of the admin user, cannot be used to change the password
  ##
  default_admin_password: <strong password_of_your_choosing>

Modify the settings in the values.yaml file so that the Anchore Enterprise, Anchore Enterprise UI, PostgreSQL, Redis, and bookworm Docker images are appropriately referenced relative to an installation from local images. Save the file once modified.

The Anchore Enterprise and Enterprise UI images should correspond to the latest/current version of Anchore Enterprise based on the previously pulled images.
The “image” value for Anchore Enterprise and Enterprise UI should be modified to remove the “docker.io” registry as local images will be used.
The “tag” value for PostgreSQL and Redis should correspond to the version based on the previously pulled image.
The “registry” key for PostgreSQL and Redis should be commented out as local images will be used.
The “migrationPodImage” value should be modified to remove the “docker.io” registry as a local image will be used.

Example:

- Anchore Enterprise stanza under "Common Resource Parameters" section

## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI
## Only one of digest or tag should be used if using image.tag / image.digest, if both are specified it will default to using tag
## Ensure tag value is quoted so it's interpreted as a string
##
image: anchore/enterprise:v5.21.0
  # registry: docker.io
  # repository: anchore/enterprise
  # tag: "v5.21.0"
  # digest: sha256:abcdef123456

- Anchore Enterprise UI stanza under "Anchore UI Parameters" section

ui:
  ## @param ui.image Image used for the Anchore UI container
  ## Ensure tag value is quoted so it's interpreted as a string
  ##
  image: anchore/enterprise-ui:v5.21.0
    # registry: docker.io
    # repository: anchore/enterprise-ui
    # tag: "v5.21.0"
    # digest: sha256:abcdef123456

- postgresql stanza under "Anchore Database Parameters" section

  ## @param postgresql.image.repository Specifies the image repository to use for this chart.
  ## @param postgresql.image.registry Specifies the image registry to use for this chart.
  ## @param postgresql.image.tag Specifies the image to use for this chart.
  ## @param postgresql.image.pullSecrets Specifies the image pull secrets to use for this chart.
  ##
  image:
    repository: bitnamilegacy/postgresql
    #registry: docker.io
    tag: 16.6.0-debian-12-r2
    pullSecrets:
      - anchore-enterprise-pullcreds

- ui-redis stanza under "Anchore UI Redis Parameters" section

  ## @param ui-redis.image.registry Specifies the image registry to use for this chart.
  ## @param ui-redis.image.repository Specifies the image repository to use for this chart.
  ## @param ui-redis.image.tag Specifies the image to use for this chart.
  ## @param ui-redis.image.pullSecrets Specifies the image pull secrets to use for this chart.
  ##
  image:
    #registry: docker.io
    repository: redis
    tag: 7.4.6
    pullSecrets:
      - anchore-enterprise-pullcreds

- migrationPodImage stanza under "Common Resource Parameters" section

## @param migrationPodImage The image reference to the migration pod
##
migrationPodImage: postgres:13-bookworm

Modify the settings in the values.yaml file so that the environment variable “ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED” is set to false. This environment variable needs to be defined under the dataSyncer.extraEnv stanza. Save the file once modified.

This setting governs downloading of feeds data by the Anchore data syncer service. As the deployment will be air-gapped, feeds data will be downloaded/uploaded manually via the anchorectl binary.

- dataSyncer stanza under "Anchore Data Syncer k8s Deployment Parameters" section

## @param dataSyncer.extraEnv Set extra environment variables for Anchore DataSyncer pods
  ##
  extraEnv:
    - name: ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED
      value: "false"

Perform the Helm deployment of Anchore Enterprise

Follow the below steps from the Helm deployment guide:
Installing the Chart: https://docs.anchore.com/current/docs/deployment/helm/
Step 1: The NAMESPACE can be named: anchore
Step 2: The license file should exist in the same directory as the extracted Anchore Enterprise Helm chart and the dependent PostgreSQL and Redis Helm charts - which would be the “enterprise” directory. If need be, the license file should also be renamed: license.yaml
Step 3: This step can be skipped as a Kubernetes secret for DockerHub credentials will not be needed in an air-gapped deployment to pull/download Docker images.
Step 4: A custom values file will not need to be created as the existing one (values.yaml) with custom-defined settings will be used.
There is also no need to add the charts repository as the chart/dependencies would have been previously pulled and transferred to the air-gapped system (on the high side).
RELEASE can be the same value as NAMESPACE and the variables can be exported as listed below.

export NAMESPACE=anchore
export RELEASE=anchore

The Helm command to deploy Anchore Enterprise would be as follows:

helm install ${RELEASE} -n ${NAMESPACE} /path/to/extracted/enterprise/directory

The “helm install” will initiate the installation of Anchore Enterprise. Upon completion, the pod status can be checked per the below and should reflect READY 1/1 and STATUS Running for each pod.

kubectl get pods -n ${NAMESPACE}

- Example Output

kubectl get pods -n anchore
NAME                                                READY   STATUS    RESTARTS      AGE
anchore-enterprise-analyzer-5f7f97ffcf-6rtrn        1/1     Running   1 (72s ago)   20h
anchore-enterprise-api-587fb89495-sl2xn             1/1     Running   1 (72s ago)   20h
anchore-enterprise-catalog-7767d58d4f-6dsv7         1/1     Running   1 (72s ago)   20h
anchore-enterprise-datasyncer-558959869f-qp9nx      1/1     Running   1 (72s ago)   20h
anchore-enterprise-notifications-64ccbf9864-pl629   1/1     Running   1 (72s ago)   20h
anchore-enterprise-policy-6dc88b5df6-vrrcw          1/1     Running   1 (72s ago)   20h
anchore-enterprise-reports-569587dbf5-jjfz2         1/1     Running   1 (72s ago)   20h
anchore-enterprise-reportsworker-6bc7f7b4dd-7fnrn   1/1     Running   1 (72s ago)   20h
anchore-enterprise-simplequeue-7f848498df-64bxq     1/1     Running   1 (72s ago)   20h
anchore-enterprise-ui-6fd7d78449-2vc6l              1/1     Running   1 (72s ago)   20h
anchore-postgresql-0                                1/1     Running   1 (72s ago)   20h
anchore-ui-redis-master-0                           1/1     Running   1 (72s ago)   20h

There should be 12 Anchore Enterprise pods in total which includes PostgreSQL and Redis.

NOTE

The “helm install” will also install Anchore Enterprise with a chart-managed PostgreSQL database which is NOT recommended for Production use. The chart-managed PostgreSQL database is more suited for POC (proof-of-concept) evaluation use.

For Production use, an external database is recommended as described here: https://github.com/anchore/anchore-charts/tree/main/stable/enterprise#external-database-requirements

For air-gapped deployments, leveraging a managed database service such as Amazon RDS or Google Cloud SQL may not be feasible. However, a standalone PostgreSQL 16.x or higher database instance/cluster may also be used in lieu of a managed database service. Also, if utilizing a standalone database instance/cluster it is VITAL to maintain proper backups in the event data recovery is necessary.

Docker

From the air-gapped system (on the high side), change into the designated working directory where the Docker Compose and Anchore Enterprise license files were placed.

cd <designated working directory>

Modify the settings in the docker-compose.yaml file so that the default password for the admin user is set. Save the file once modified.

The password for the admin user MUST be initially set via the “ANCHORE_ADMIN_PASSWORD” environment variable. This environment variable is listed by default under the “catalog” and “queue” services. The admin password can be changed post-installation via the UI.

- default "ANCHORE_ADMIN_PASSWORD" environment variable

environment:
  - ANCHORE_ADMIN_PASSWORD=<strong password of your choosing>

Modify the settings in the docker-compose.yaml file so that the Anchore Enterprise, Anchore Enterprise UI, PostgreSQL, and Redis Docker images are appropriately referenced relative to an installation from local images for each Anchore Enterprise service. Save the file once modified.

The Anchore Enterprise and Enterprise UI images should correspond to the latest/current version of Anchore Enterprise based on the previously pulled images.
The “image” value should be modified to remove the “docker.io” registry as local images will be used.
The “repository:tag” should match exactly what’s listed on the local system when running the “docker images” command.
There should be 12 Anchore Enterprise services in total which includes PostgreSQL and Redis.

Example:

services:
  api:
    image: anchore/enterprise:v5.21.0

  ui:
    image: anchore/enterprise-ui:v5.21.0

  anchore-db:
    image: postgres:16

  ui-redis:
    image: redis:7.4.6

Modify the settings in the docker-compose.yaml file so that the environment variable “ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED” is set to false. This environment variable is listed by default under the “data-syncer” service. Save the file once modified.

This setting governs downloading of feeds data by the Anchore data syncer service. As the deployment will be air-gapped, feeds data will be downloaded/uploaded manually via the anchorectl binary.

- data-syncer stanza

environment:
  - ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED=false

Perform the Docker deployment of Anchore Enterprise

From within the designated working directory where the Docker Compose and Anchore Enterprise license files were placed, execute the below command.

docker compose up -d

Upon completion, the container status can be checked per the below and should reflect STATUS (healthy) for each container.

docker ps

- Example Output

CONTAINER ID   IMAGE                           COMMAND                  CREATED         STATUS                   PORTS                          NAMES
f1cbeeb57d17   anchore/enterprise-ui:v5.21.0   "/docker-entrypoint.…"   4 minutes ago   Up 3 minutes (healthy)   0.0.0.0:3000->3000/tcp         anchore-airgap-ui-1
9a31c0b9179e   anchore/enterprise:v5.21.0      "/docker-entrypoint.…"   4 minutes ago   Up 3 minutes (healthy)   8228/tcp                       anchore-airgap-policy-engine-1
4dbe734493ec   anchore/enterprise:v5.21.0      "/docker-entrypoint.…"   4 minutes ago   Up 3 minutes (healthy)   0.0.0.0:8228->8228/tcp         anchore-airgap-api-1
e9b28374d305   anchore/enterprise:v5.21.0      "/docker-entrypoint.…"   4 minutes ago   Up 3 minutes (healthy)   8228/tcp                       anchore-airgap-reports_worker-1
a59c7e637b29   anchore/enterprise:v5.21.0      "/docker-entrypoint.…"   4 minutes ago   Up 3 minutes (healthy)   0.0.0.0:8558->8228/tcp         anchore-airgap-reports-1
800e9d3e59d6   anchore/enterprise:v5.21.0      "/docker-entrypoint.…"   4 minutes ago   Up 3 minutes (healthy)   8228/tcp                       anchore-airgap-analyzer-1
cc990f7b6025   anchore/enterprise:v5.21.0      "/docker-entrypoint.…"   4 minutes ago   Up 3 minutes (healthy)   0.0.0.0:8668->8228/tcp         anchore-airgap-notifications-1
05b93536f286   anchore/enterprise:v5.21.0      "/docker-entrypoint.…"   4 minutes ago   Up 3 minutes (healthy)   0.0.0.0:8778->8228/tcp         anchore-airgap-data-syncer-1
569ebfec977b   anchore/enterprise:v5.21.0      "/docker-entrypoint.…"   4 minutes ago   Up 3 minutes (healthy)   8228/tcp                       anchore-airgap-catalog-1
128c2874c243   anchore/enterprise:v5.21.0      "/docker-entrypoint.…"   4 minutes ago   Up 3 minutes (healthy)   8228/tcp                       anchore-airgap-queue-1
efeadcbf1dbc   postgres:16                     "docker-entrypoint.s…"   4 minutes ago   Up 4 minutes (healthy)   0.0.0.0:5432->5432/tcp         anchore-airgap-anchore-db-1
2d23836db688   redis:7.4.6                     "docker-entrypoint.s…"   4 minutes ago   Up 4 minutes (healthy)   6379/tcp                       anchore-airgap-ui-redis-1

There should be 12 Anchore Enterprise containers in total which includes PostgreSQL and Redis.

NOTE

Docker is more suited for POC (proof-of-concept) evaluation use or environments with low workload requirements. Kubernetes with a Helm-based deployment is recommended for Production use or environments with high workload requirements.

Last modified October 24, 2025