Skip to content

Air-gap

Introduction

This section is applicable only for the installation of Privacera Manager in an air-gapped network environment (i.e., without Internet access).

Warning

  • This is not a standard installation setup.

Overview

An air gap network is a secure, isolated network environment with no Internet access. To install Privacera software in such a network, you must first download the Privacera Docker images and upload them to your Docker registry. Additionally, the Privacera Manager tarball must be hosted in an object store accessible to the compute host within the air gap network. A script named pm-airgap.sh is available to facilitate this setup process.

Prerequisites

Before proceeding with the installation, make sure you have the following prerequisites in place:

Important

Ensure that all Self-Managed Prerequisites are completed before proceeding with the instructions in this section.

Warning

Access to public GitHub is required for monitoring features to function. If the Linux host where you are running the script blocks this access, the features will not work. You must disable monitoring for now.

Support for restricted environments will be added in a future release

  1. A Linux host with Internet access is required to run the pm-airgap.sh script. This host must have password-less SSH access to the Privacera jumphost.
  2. A local Docker registry is needed to host the Privacera Docker images. Ensure you have the registry URL and credentials to push images to it.
  3. The compute host (Privacera jumphost) must be in the air gap network (no Internet access). This host should have access to the local Docker registry where Privacera Docker images are hosted.
  4. The jumphost must have permissions to create repositories and perform operations such as push, pull, delete, and modify the images in the your private hub.
  5. Obtain the following information from your Privacera Sales Representative:
    • PRIV_MGR_PACKAGE: The format will be https://<domain>/<filepath>/<file.tar.gz>
    • PRIV_MGR_IMAGE: The format will be <PRIVACERA_HUB_HOST>/privacera-manager:<PRIV_MGR_IMAGE_TAG>
    • PRIVACERA_HUB_USER: Privacera Docker hub registry username
    • PRIVACERA_HUB_PASSWORD: Privacera Docker hub registry password

  6. Download the script. The airgap installation is performed using the scripts listed below.

    a. Access a server (intermediate machine) with Internet access, which will be used to download the Privacera package and push the Docker images for Privacera Manager.

    b. Run the following commands:

    Bash
    1
2
3
    cd ~/
curl -s https://raw.githubusercontent.com/privacera/privacera-installation-scripts/refs/heads/main/airgap-installation/airgap-env.sh -o airgap-env.sh
curl -s https://raw.githubusercontent.com/privacera/privacera-installation-scripts/refs/heads/main/airgap-installation/pm-airgap.sh -o pm-airgap.sh

  7. Update the Privacera Airgap configuration file airgap-env.sh. This file contains the variables required for initial downloading and uploading Privacera components.

    Variable Name Description Sample Value
    PRIV_MGR_IMAGE Docker image for Privacera Manager, including the repository URL and image tag. "hub2.privacera.com/privacera-manager:rel_9.0.0.3"
    PRIV_MGR_PACKAGE URL for the Privacera Manager package, usually hosted on an S3 bucket or similar repository. "https://privacera-host/path/privacera-manager.tar.gz"
    PRIVACERA_HUB_USER Username for accessing Privacera Hub, the central repository for Privacera images. "hub_user"
    PRIVACERA_HUB_PASSWORD Password for accessing Privacera Hub. This should be securely stored. "hub_password"
    DESTINATION_HUB_URL The private hub URL where you want to upload the Privacera Images. "<ECR_URL>"
    DESTINATION_HUB_USER Username for accessing Private Hub. "dev"
    DESTINATION_HUB_PASSWORD Password for accessing Privacera Hub. This should be securely stored. "private_hub_password"
    PM_HOSTNAME The Privacera Jumphost where you want to sync the Privacera Package. "10.210.1.30"
    PM_HOST_USERNAME The username which you created for Privacera where the packages will be copied. "privacera"
    REMOTE_DIR The path in your Privacera Jumphost where you want to copy the Privacera package. It should be always /home/<PM_HOST_USERNAME>/privacera
    DOWNLOAD_CORE_COMPONENTS The Privacera Core components to download. It includes Privacera Manager, Ranger, Portal, Solr, Zookeeper, Ranger Tagsync and Usersync, Privacera Usersync, Auditserver and Audit Fluentd. y/n
    DOWNLOAD_MARIADB Privacera Mariadb. y/n
    DOWNLOAD_DATASERVER_COMPONENTS Privacera Dataserver components. It includes Dataserver. y/n
    DOWNLOAD_DISCOVERY_COMPONENTS Privacera Discovery components. It includes Discovery, Kafka and Pkafka. y/n
    DOWNLOAD_MASKING_AND_ENCRYPTION_COMPONENTS Privacera Masking and Encryption components. It includes Peg and Scheme Server. y/n
    DOWNLOAD_OPS_SERVER_COMPONENTS Privacera Ops Server components. It includes Ops server. y/n
    DOWNLOAD_DIAGNOSTICS_COMPONENTS Privacera Diagnostics components. It includes Diagnostics server and client. y/n
    DOWNLOAD_MONITORING_COMPONENTS Privacera Monitoring components. y/n
    DOWNLOAD_CONNECTOR_COMPONENTS Privacera Connector components. y/n
    POLICYSYNC_MSSQL_IMAGE MSSQL Connector. If DOWNLOAD_CONNECTOR_COMPONENTS is set to y then you need to set the value for this. y/n
    POLICYSYNC_POSTGRES_IMAGE Postgres Connector. If DOWNLOAD_CONNECTOR_COMPONENTS is set to y then you need to set the value for this. y/n
    POLICYSYNC_SNOWFLAKE_IMAGE Snowflake Connector. If DOWNLOAD_CONNECTOR_COMPONENTS is set to y then you need to set the value for this. y/n
    POLICYSYNC_DATABRICKS_IMAGE Databricks Connector. If DOWNLOAD_CONNECTOR_COMPONENTS is set to y then you need to set the value for this. y/n
    POLICYSYNC_DREMIO_IMAGE Dremio Connector. If DOWNLOAD_CONNECTOR_COMPONENTS is set to y then you need to set the value for this. y/n
    POLICYSYNC_REDSHIT_IMAGE Redshift Connector. If DOWNLOAD_CONNECTOR_COMPONENTS is set to y then you need to set the value for this. y/n
    POLICYSYNC_POWERBI_IMAGE PowerBI Connector. If DOWNLOAD_CONNECTOR_COMPONENTS is set to y then you need to set the value for this. y/n
    POLICYSYNC_BIGQUERY_IMAGE Bigquery Connector. If DOWNLOAD_CONNECTOR_COMPONENTS is set to y then you need to set the value for this. y/n
    POLICYSYNC_LAKEFORMATION_IMAGE Lakeformation Connector. If DOWNLOAD_CONNECTOR_COMPONENTS is set to y then you need to set the value for this. y/n
    POLICYSYNC_DATABRICKS_UNITY_CATALOG_IMAGE Databricks Unity Calalog Connector. If DOWNLOAD_CONNECTOR_COMPONENTS is set to y then you need to set the value for this. y/n
    POLICYSYNC_VERTICA_IMAGE Vertica Connector. If DOWNLOAD_CONNECTOR_COMPONENTS is set to y then you need to set the value for this. y/n

  8. Run the following commands to download packages and images of Privacera Manager:

    Bash
    1
2
    cd ~/
./pm-airgap.sh
    The script will download the Privacera Manager package to the ~/privacera/downloads location, retrieve and upload the required images to the private Docker repository, and synchronize the Privacera package with the remote jumphost.

  9. (Optional) If the synchronization failed in the previous step, re-run the script with the sync action to copy the Privacera Manager package to your Privacera Manager host.

    Bash
    1
2
    cd ~/
./pm-airgap.sh push
    Alternatively, you can manually copy the package from ~/privacera/downloads/privacera-manager.tar.gz to the ~/privacera/downloads directory on the Privacera Manager host.

  1. A local Docker registry is needed to host the Privacera Docker images. Ensure you have the registry URL and credentials to push images to it.
  2. The compute host (Privacera jumphost) must be in the air gap network (no Internet access). This host should have access to the local Docker registry where Privacera Docker images are hosted.
  3. The jumphost must have permissions to create repositories and perform operations such as push, pull, delete, and modify the images in the your private hub.
  4. Obtain the following information from your Privacera Sales Representative:
    • PRIV_MGR_PACKAGE: The format will be https://<domain>/<filepath>/<file.tar.gz>
    • PRIV_MGR_IMAGE: The format will be <PRIVACERA_HUB_HOST>/privacera-manager:<PRIV_MGR_IMAGE_TAG>
    • PRIVACERA_HUB_USER: Privacera Docker hub registry username
    • PRIVACERA_HUB_PASSWORD: Privacera Docker hub registry password

  5. Replace PRIVACERA_RELEASE_VERSION in the URL and then download the script.

    Bash
    1
    wget https://s3.amazonaws.com/privacera-archives/rel/platform/<PRIVACERA_RELEASE_VERSION>/pm-airgap-installation.sh

  6. After setting the above variables, run the following code in your shell to initialize these variables. Copy the output to a text file to be used in the next section.

    Bash
    1
2
3
4
5
6
7
8
9
    PRIVACERA_HUB_HOSTNAME=$(echo $PRIV_MGR_IMAGE | awk -F'/' '{print $1}')
PRIV_MGR_IMAGE_TAG=$(echo $PRIV_MGR_IMAGE | awk -F':' '{print $2}')
PRIV_MGR_BASE_URL=${PRIV_MGR_PACKAGE%/privacera-manager.tar.gz}

echo && \
echo "PRIVACERA_HUB_HOSTNAME=${PRIVACERA_HUB_HOSTNAME}" && \
echo "PRIV_MGR_IMAGE_TAG=${PRIV_MGR_IMAGE_TAG}" && \
echo "PRIV_MGR_BASE_URL=${PRIV_MGR_BASE_URL}" && \
echo

  7. Run the following wget command from the home folder of your Linux host to download the script.

    Bash
    1
2
3
    cd ~
wget ${PRIV_MGR_BASE_URL}/pm-airgap-installation.sh
chmod +x pm-airgap-installation.sh

  8. Download packages and images of Privacera Manager

    Bash
    1
2
    cd ~
./pm-airgap-installation.sh
    Bash
     1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
    Enter Privacera Base Download URL:
<PRIV_MGR_BASE_URL>

Download Privacera Core Components ? Y/N

Download Internal Mariadb Database Image  ? Y/N

Download Privacera Access Manager Component Images  ? Y/N

Download Privacera Discovery Component Images  ? Y/N

Download Encryption & Masking Component Images  ? Y/N

Download Statistics & Monitoring Component Images  ? Y/N

Download Privacera Diagnostics Component Images  ? Y/N

    The script lists the packages and images downloaded and saved in ~/privacera/downloads and ~/privacera/downloads/images locations respectively.

  9. Push the images to internal repository. Run the script again with push action to upload the images to your private Repository and copy (.tar) packages to your Privacera Manager host.

    Bash
    1
2
3
4
5
6
7
8
    cd ~
./pm-airgap-installation.sh push

Enter Privacera Docker Hub URL:
Enter Privacera Image Tag:
Enter Docker login URL:
Enter Docker user:
Enter Docker password:

  10. Once the images are pushed to the internal repository, it will clean up images in the ~/privacera/downloads/images directory and it will prompt to copy package to Privacera Manager host using rsync over ssh.

  11. Run the script again with the sync action to copy the Privacera Manager package to your Privacera Manager host.

    Bash
    1
2
3
4
5
6
    cd ~
./pm-airgap-installation.sh sync
Do you want to copy packages to PM Host [y/n]:
Can Current User <logged-in-user> can SSH(Passwordless), to PM Host [y/n]?:
Enter Hostname of PM HOST:
Enter Username of PM HOST:
    You can also manually copy the package from ~/privacera/downloads/privacera-manager.tar.gz to the ~/privacera/downloads directory on the Privacera Manager host.

You will now have the following details ready: the hostname of your airgap Docker registry and the credentials needed to pull from it for configuration.