Installing oVirt 4.5 on RHEL 9 (Offline / NIST 800-53 Compliance)
Hi all,

I’m working on setting up production oVirt 4.5 with a self-hosted engine on RHEL 9 in an offline, NIST 800-53 environment. The server does not have internet access, but I can download repositories and packages separately and hand transfer them over.

I’ve looked through the available documentation, but aside from https://www.ovirt.org/download/install_on_rhel.html, I haven’t found details on which additional repositories (RHEL, oVirt, dependencies, etc.) are required for a full installation. I’m looking for guidance on the best approach for this type of setup, ideally whether there’s a simpler or supported method to get a self-hosted engine running in an offline environment without having to mirror all repositories manually.

Thanks in advance for any advice or pointers.

Cheers
I have not found a supported method but would be interested in what you find. If the environment does not have access to the internet, you will need to host the repos internally so the engine and hypervisors can install packages through regular operations like adding a new host, unless you modify the Ansible scripts. I prefer running nginx local to the environment, but NFS and a file:// call in the repo would work the same depending on compliance needs. I like to deploy the engine in a Podman container with macvlan for a separated network with its own IP and FQDN. HA can then be configured in a couple of ways to mimic the internal HA VM Engine and a singular IP/DNS use case. Also helps with deployment time since the engine only needs to be built once, deployed, and configured for that new cluster. This still requires internal repos for the hypervisors unless you containerize the vdsm and other supporting services.
I'm newer to oVirt and may be leading you astray, but have you looked at the OLVM docs for setting up the self-hosted engine in offline mode? https://docs.oracle.com/en/virtualization/oracle-linux-virtualization-manage... It's Oracle Linux, not RHEL, but we are doing something similar in that our self-hosted environment does not have access to the public repositories. As such, we've created custom repos and repoint to those, so not completely air gapped. "hosted-engine --deploy --ansible-extra-vars=he_pause_before_engine_setup=true" does seem to work now, but originally we had to run the setup in tmux and pause the deployment just before the initial OLVM instance attempted to download packages, else the whole deployment would fail. "hosted-engine --deploy --ansible-extra-vars=he_pause_before_engine_setup=true" will pause the deployment. At that point you ssh into the new OLVM instance's temporary NAT address and update the repo list.
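Added example, not part of the thread and not oVirt or OLVM code: a shell function for the "repoint to internal repos" step that both replies describe, rewriting a .repo file so every section uses an internal mirror (an nginx URL or a file:// path) instead of mirrorlist/metalink. The repo ids, hostnames, key path, the `<mirror>/<repo-id>/` directory layout and the choice to force `gpgcheck=1` for hand-carried packages are assumptions.

```shell
#!/bin/sh
# Constructed sample .repo content; the ids and URLs are placeholders,
# not the real RHEL or oVirt repository definitions.
SAMPLE_REPO='[example-appstream]
name=Example AppStream
metalink=https://mirrors.example.org/metalink?repo=appstream
#baseurl=https://download.example.org/appstream/
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[example-ovirt]
name=Example oVirt
mirrorlist=https://mirrors.example.org/list?repo=ovirt
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example'

# repoint_repos MIRROR_BASE
# Reads .repo text on stdin and writes a rewritten copy to stdout:
#   - drops every baseurl/mirrorlist/metalink line (commented or not)
#   - adds baseurl=MIRROR_BASE/<repo-id>/ under each section header
#     (assumed layout: one directory per repo id on the mirror)
#   - forces gpgcheck=1 so transferred RPMs are still signature-checked
repoint_repos() {
    mirror=${1%/}    # tolerate a trailing slash on the mirror base
    awk -v mirror="$mirror" '
        /^\[.*\]$/ {
            id = substr($0, 2, length($0) - 2)
            print
            print "baseurl=" mirror "/" id "/"
            print "gpgcheck=1"
            next
        }
        /^#?(baseurl|mirrorlist|metalink|gpgcheck) *=/ { next }
        { print }
    '
}

# Demo: the same definitions pointed at a local file:// mirror
# (an NFS mount or a copied directory tree, as the first reply suggests).
printf '%s\n' "$SAMPLE_REPO" | repoint_repos "file:///srv/mirror"
```

Run it against a copy of each file from /etc/yum.repos.d and review the output before installing it, both on the hosts and on the engine VM while the deployment is paused.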
participants (3)
- Justian Reynolds
- ovirt.etjgu@simplelogin.com
- Rockwell, Jenn - US