# HPECP Airgap Installation

# Solution components overview

RMT server
Repository server

a. Docker registry

b. K8s RPMs registry
Deploying HPE Ezmeral Container Platform

# Solution architecture

Figure 37: HPECP Airgap Architecture

# RMT server

# Server hardware configuration

Network adapter - 1 interface on the production network.
CPU - 12 vCPU
Memory - 36 GB
Hard disk - a minimum of 3.5 TB

a. / - 2 TB

b. /home - 1 TB

c. /swap - 70 GB
OS - SUSE Enterprise Linux 15 SP2 Figure 38: Server Hardware Configuration

# Partition details

> lsblk

NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT

sda 8:0 0 10T 0 disk

├─sda1 8:1 0 8M 0 part

└─sda2 8:2 0 10T 0 part

├─system-root 254:0 0 2T 0 lvm /

├─system-swap 254:1 0 70.8G 0 lvm

└─system-home 254:2 0 953.2G 0 lvm /home

sr0 11:0 1 663M 0 rom

sr1 11:1 1 1.1G 0 rom

# Configuring RMT server

While installing OS or once the OS is installed on the server to be used as SLES RMT server, provide the following details:
- While installing OS
  - Select the registration method as "register system via scc.suse.com" and provide the registered email address and registration code for "SUSE Linux Enterprise Server for x86, AMD64, Intel64"
- Once OS is installed, register the system and enable required modules by executing below commands.
  - SUSEConnect -r REGISTRATION_CODE -e EMAIL_ADDRESS
  - SUSEConnect -p sle-ha/15.2/x86_64 -r ADDITIONAL REGCODE
  - SUSEConnect -p sle-caas/15.2/x86_64 -r ADDITIONAL REGCODE
  - SUSEConnect -p sle-module-containers/15.2/x86_64
  - SUSEConnect -p sle-module-desktop-applications/15.2/x86_64
  - SUSEConnect -p sle-module-development-tools/15.2/x86_64
  - SUSEConnect -p sle-module-cap-tools/15.2/x86_64
  - SUSEConnect -p PackageHub/15.2/x86_64
  - SUSEConnect -d -p sle-module-server-applications/15.2/x86_64
  - SUSEConnect -p sle-module-legacy/15.2/x86_64
  - SUSEConnect -p sle-module-public-cloud/15.2/x86_64
  - SUSEConnect -p sle-module-web-scripting/15.2/x86_64
Once the server is registered to SUSE and the required modules are enabled, perform the following steps to install RMT service. Ensure the server is connected to the internet at this moment.
- Install the prerequisite modules
```
> zypper in screen vim iputils bind-utils
```
- Install RMT server module
```
> zypper in rmt-server
```
Configure RMT
```
> yast2 rmt
```
This will open a wizard for configuring RMT service

Enter your organization credentials. To retrieve your credentials, login to scc.suse.com/proxies and look for the "Mirroring Credentials"

  ![](../media/SD-HA-3.png)

  **Figure 39:** Retrieve Credentials

  ![](../media/SD-HA-4.png)

  **Figure 40:** RMT configuration step 1

  ![](../media/SD-HA-5.png)

  **Figure 41:** RMT configuration step 1 successful

Enter credentials for a new MariaDB user and database name. This user will then be created. Then select Next.

Figure 42: RMT configuration step 2
If a password for the MariaDB root user is already set, you are required to enter it. If no password is set for root, you are asked to enter a new one.

Figure 43: RMT configuration set database root password
Enter a common name for the SSL certificates. The common name should usually be the fully qualified domain name (FQDN) of the server. Enter all domain names and IP addresses with which you want to reach the RMT server as alternative common names.

Figure 44: RMT configuration step 3
When all common names are entered, select Next.
Provide a password for the CA private certificate key and click OK.

Figure 45: RMT configuration setting CA private key
If firewalld is enabled on this system, enable the checkbox to open the required ports.

Figure 46: RMT configuration step 4
Continue with Next.

Figure 47: RMT configuration step 5
To view the summary, click Next. Close YaST by clicking Finish. YaST then enables and starts all systemd services and timers.

Figure 48: RMT configuration Summary

# Enabling SLP Announcements

The SLP is service discovery protocol that allows computers and other devices to find services in a LAN without prior configuration. RMT includes the SLP service description file /etc/slp.reg.d/rmt-server.reg.

To enable SLP announcements of the RMT service, follow these steps:

If firewalld is running, open relevant ports and reload the firewalld configuration:

> firewall-cmd --permanent --add-port=427/tcp
> firewall-cmd --permanent --add-port=427/udp
> firewall-cmd --reload

Verify that SLP server is installed and possibly install it:

> zypper install openslp-server

3.Enable and start the SLP service:

> systemctl enable slpd.service
> systemctl restart slpd.service

# Mirror SUSE products and packages

Synchronise all repositories and ID that you have access to.

> rmt-cli sync

List and enable all the products

> rmt-cli product list --all
> rmt-cli product enable <ID>

Start mirror of enabled products

> screen rmt-cli mirror

Register clients to the RMT server using the following URL
- As a boot parameter
```
> regurl=[/]{.ul}
```
- As a local subscription server
```
> SUSEConnect --url [/]{.ul}
```

# Download the packages

The following files, packages and RPMs are necessary for installing Kubernetes cluster in HPECP in an airgap environment. Download them when the system is connected to internet. Once they are downloaded, disconnect the server from the internet.

Container images

Refer to appendix Images required for deploying Kubernetes deployment for detailed list of images to install HPECP & kubernetes in an airgap environment.

NOTE

For Internal QA -- link to obtain container images https://bdk8s.s3.us-east-2.amazonaws.com/5.3/3031/k8s-images.tgz (opens new window)

Kubernetes RPMs

Refer to appendix for the RPMs required for deploying Kubernetes for a detailed list of RPMs required to install kubernetes in an airgap environment.

NOTE

For Internal link QA -- link to obtain kubernetes RPMs -- https://bdk8s.s3.us-east-2.amazonaws.com/5.3/3031/k8s-rpms.tar (opens new window)

# Disconnect from internet

Once the server is connected to SUSE customer center, up to date with the repositories, packages, RPMs and files, and they are mirrored into the local repository, it is time to disconnect the server from the internet. Refer to appendix Simulating an air gap environment for the configuration steps utilized in this document.

# Registering to RMT server

Once OS is installed, please refer to the Preparing hosts for HPECP section for registering client systems to RMT server.

Make sure following modules are enabled and up to date by running

> zypper refresh

SUSEConnect -p sle-ha/15.2/x86_64
SUSEConnect -p sle-caas/15.2/x86_64
SUSEConnect -p sle-module-containers/15.2/x86_64
SUSEConnect -p sle-module-desktop-applications/15.2/x86_64
SUSEConnect -p sle-module-development-tools/15.2/x86_64
SUSEConnect -p sle-module-cap-tools/15.2/x86_64
SUSEConnect -p PackageHub/15.2/x86_64
SUSEConnect -d -p sle-module-server-applications/15.2/x86_64
SUSEConnect -p sle-module-legacy/15.2/x86_64
SUSEConnect -p sle-module-public-cloud/15.2/x86_64
SUSEConnect -p sle-module-web-scripting/15.2/x86_64

# Docker registry and K8s RPMs repository server

# Server hardware configuration

Network adapter - 1 interface on the production network.
CPU - 2 vCPU
Memory - 16GB
Hard disk - a minimum of 500GB
OS - SUSE Enterprise Linux 15 SP2 Figure 49: Server Hardware details

# Partition details

NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT

sda 8:0 0 500G 0 disk

├─sda1 8:1 0 500M 0 part /boot/efi

└─sda2 8:2 0 499.5G 0 part

├─system-swap 254:0 0 63G 0 lvm [SWAP]

├─system-root 254:1 0 150G 0 lvm /

├─system-var 254:2 0 100G 0 lvm /var

├─system-srv 254:3 0 100G 0 lvm /srv

└─system-home 254:4 0 25G 0 lvm /home

sr0 11:0 1 1024M 0 rom

sr1 11:1 1 1024M 0 rom

# Configuring docker registry

Register to the RMT server. Refer to section Registering to RMT server for more details.
Install and start Docker on SLES

zypper install docker
docker --version
systemctl enable docker.service
systemctl start docker.service

Create registry on SLES as a docker container with restart policy as always.

> docker run -d -p 5000:5000 --restart=always --name registry registry:2

Disconnect the server from the internet. Refer to section Simulating an air gap environment for more details.
Pull, Tag & Push an image to the local registry

Copy the container images tar file from the repository server into this server.
Navigate to the folder containing images required for deploying HPECP
```
> cd <path_to_the_images_tar_file>
```
Load the tar file containing the images required to setup the kubernetes cluster from HPECP in an airgap environment. See Appendix for detailed list of images needed.
```
> docker load -i <images_tar_file>
```

Tag each of the image from the list using the following command

> docker tag <individual image name extracted from images_tar_file> /
localhost:5000/<individual image name extracted from images_tar_file>

Push each of the tagged image using the following command

> docker push localhost:5000/<individual image name extracted from images_tar_file>

NOTE

There is a script available in k8simages.tgz called populate_registry.sh. Using this script, we can load, tag & push all k8s images. Instead of tagging with localhost, it's better to tag with internal registry IP address.

Eg: ./populate_registry.sh load k8s_container_metadata.txt <registry_server_IP>:5000

k8s_container_metadata.txt file should have all images and example image as shown below:

The k8s_container_metadata.txt file content as shown in below Figure

Figure 50: Registry file content

k8s_container_metada.txt file content template as shown below

<Reference_to_image> <Image_name:tag> <Image_tar_file>

populate_registry.sh script content as shown below:

$ cat populate_registry.sh
#!/bin/bash
if [ "$#" -lt 3 ]; then
    echo "$0  <load | pull> <k8s_metadata_file> <registry_url> [<registry_url> <registry_url> ...]"
    exit 1
fi
case $1 in
  load|pull)
    ;;
  *)
    echo "$0 <load | pull> <k8s_metadata_file> <registry_url> [<registry_url> <registry_url> ...]"
    exit 1
    ;;
esac

LOAD_OR_PULL=$1; shift
META_FILE=$1; shift
registry_urls=$@
echo "File=$META_FILE"

   for REG_URL in $registry_urls
   do
      echo "Updating registry: $REG_URL"
      echo ""
  while read LINE
  do
        DL_IMAGE_FILE_NAME=$(echo ${LINE} | cut -d' ' -f3)
    DL_FULL_IMAGE_NAME=$(echo ${LINE} | cut -d' ' -f2)
    case ${LOAD_OR_PULL} in
      load)
        echo "load cmd: docker load -i ${DL_IMAGE_FILE_NAME}"
        docker load -i ${DL_IMAGE_FILE_NAME}
        ;;
      pull)
        echo "pull cmd: docker pull ${DL_FULL_IMAGE_NAME}"
        docker pull ${DL_FULL_IMAGE_NAME}
        ;;
    esac

    echo "tag cmd: docker tag ${DL_FULL_IMAGE_NAME} ${REG_URL}/${DL_FULL_IMAGE_NAME}"
    docker tag ${DL_FULL_IMAGE_NAME} ${REG_URL}/${DL_FULL_IMAGE_NAME}

    echo "push cmd: docker push ${REG_URL}/${DL_FULL_IMAGE_NAME}"
    docker push ${REG_URL}/${DL_FULL_IMAGE_NAME}

    echo ""
  done < ${META_FILE}
done

Other than the images in k8s-images.tgz, we need below docker images from registry.suse.com
- registry.suse.com/caasp/v4.5/kube-apiserver:v1.18.6
- registry.suse.com/caasp/v4.5/kube-controller-manager:v1.18.6
- registry.suse.com/caasp/v4.5/kube-scheduler:v1.18.6
- registry.suse.com/caasp/v4.5/kube-proxy:v1.18.6
- registry.suse.com/caasp/v4.5/pause:3.2
- registry.suse.com/caasp/v4.5/etcd:3.4.3
- registry.suse.com/caasp/v4.5/coredns:1.6.7
NOTE

Please use below script to download suse images. Use this script on a server which have internet access.

Figure 51: Script to download suse images

Test the presence of images

> docker images
> docker images | grep "'internal registry ip address':5000"

# Validate registry from local environment

Within the same server

> docker pull <image_not_present_in_registry> - fail since internet isn't available
> docker pull <image_within_registry> - success

Outside of this registry server, on the hosts that need access to the local docker registry
- Create or update the /etc/docker/daemon.json on the docker hosts which needs access to the above created docker registry. Assuming there are no other settings in the file, it should have the following contents:
```
{
"insecure-registries" : ["<registry_server_ip_address>:5000"]
}
```
Substitute the "<registry_server_ip_address>" with the address of insecure registry.
- Restart Docker for the changes to take effect.
```
> systemctl restart docker.service
```
- Pull the images
```
> docker pull <image_not_present_in_registry> - fail since internet isn't available
> docker pull <image_within_registry> - success
```

# Configuring Kubernetes RPMs server

Install Nginx

> zypper in nginx

Check the nginx configuration file (/etc/nginx/nginx.conf) to know the nginx server root directory.

> cd <nginx _server_root_directory>

Copy and untar the kubernetes RPM tar file within the nginx server root directory.

Copy kubernetes.tar file under NGINX configuration file location
        location /kubernetes/ {
            root   /srv/www/htdocs/;
            autoindex on;
        }

> cd /srv/www/htdocs

> Copy kubernetes.tar file

> tar xvf kubernetes.tar

Start the Nginx web service

> systemctl enable nginx
> systemctl start nginx

# Troubleshooting

In case there is an issue NGINX "403 Forbidden" Error, perform the following steps

Ensure right file permissions are set to the files to be served by web server

> chmod 755 <path_to_k8s_rpms_in_nginx_root_directory>

Change the ownership of all the files

> chown -R nginx:nginx *

Restart NGINX

> nginx -s reload

# Validate the availability of Kubernetes RPMs

To validate if the kubernetes RPMs is accessible, execute the following command:

> curl http://<webserver_ip_address>/kubernetes/

# HPECP Deployment

# Operating System Deployment for HPECP hosts

The supported version of SLES for deploying HPE Container Platform is SUSE Enterprise Linux 15 SP2. This section outlines the manual steps involved in deploying OS for the servers used as HPECP controller, HPECP gateway, kubernetes master and kubernetes worker nodes.

NOTE

OS can be deployed by using the script located in https://github.com/HewlettPackard/hpe-solutions-hpecp/tree/master/DL/scripts/os_deployment (opens new window). Please refer to the "Deploying operating system on bare-metal nodes" section in this document for more details.

Boot using the installation Media select language & and the product "Sles 15 SP2".
Select you registration method as the RMT server set up previously in section RMT server and choose "yes" to receive updated repos.

Figure 52: Registration Method
Select the following Extension and Modules:
- sle-ha/15.2/x86_64
- caasp/4.5/x86_64
- PackageHub/15.2/x86_64
- sle-module-legacy/15.2/x86_64
- sle-module-python2/15.2/x86_64
- sle-module-containers/15.2/x86_64
- sle-module-basesystem/15.2/x86_64
- sle-module-public-cloud/15.2/x86_64
- sle-module-desktop-applications/15.2/x86_64
- sle-module-server-applications/15.2/x86_64
- sle-module-development-tools/15.2/x86_64

NOTE

Alternatively, refer to the section Registering to RMT server for registering to RMT server once OS is installed.

Using guided Partitioning setup the OS partition as shown below

Figure 53: OS Partitioning
Choose "minimal" installation mode:

Figure 54: System Role
In the install summary ensure SSH access is enabled and then click Install.

Figure 55: Enable SSH Access

NOTE

DNS/Bind A record, PTR record is required for the HPE CP installation.

# HPECP Host preparation

This section covers manual steps for preparing Hosts for ECP Ezmeral Container Platform. Automated script is available for HPECP Host preparation at https://github.com/HewlettPackard/hpe-solutions-hpecp/tree/master/DL/scripts/prepare_hpecp_hosts (opens new window). Please refer to the following section "Host Preparation" section in this document for more details.

If using proxy or ignore, setup proxy as shown below in the configuration file - /etc/sysconfig/proxy

> NO_PROXY="localhost, 127.0.0.1l"
> HTTP_PROXY="http://<proxy server>:port/"
> HTTPS_PROXY=" http://<proxy server>:port/"

Fix autofs configuration.

> zypper in autofs
> sed -i'' -e "s|#/net.*$|/net -hosts|g" /etc/auto.master

Install libcgroup V1

> zypper in libcgroup1

Reboot the server

> reboot

Perform a system update if necessary

> zypper up --non-interactive

# Preparing legacy GPU hosts

All the above repos for worker hosts are required. In addition, perform the following steps from http://docs.bluedata.com/50_gpu-driver-installation (opens new window)

Except of course, you will be using zypper instead of yum.

For the new kernel to load.

> zypper install kernel-default-devel gcc-c++ perl pciutils

In addition, you need to install the following package before running the NVIDIA installer on the host.

> zypper in libglvnd-devel

NOTE

If the server is not rebooted platform install will fail. You may choose to not reboot now for GPU hosts.

# HPECP controller

Once the OS is installed as per the section Operating System Deployment for HPECP hosts, login to the server to be configured as the HPECP controller and perform the steps as per Host preparation section.

# Installing HPECP Controller for SLES

On the same server, perform the following steps to install HPECP controller

Copy the hpe-cp-sles-release-5.3-xxxx.bin to /root folder from the repository server.

You can download .bin file from https://bdk8s.s3.us-east-2.amazonaws.com/5.3/3031/hpe-cp-sles-release-5.3-3031.bin
Copy the feed.json file from the repository server to the /srv/bluedata/catalog folder.

> mkdir -p /srv/bluedata/catalog
> cp <location_of_feed.json_in_controller> /srv/bluedata/catalog/

Give execute permission using the following command

> chmod +x /root/hpe-cp-sles-release-5.3-xxxx.bin
> chmod +x /srv/bluedata/catalog/
> chmod +x /srv/bluedata/catalog/*

Execute the HPECP bin file using the following command

> ./hpe-cp-sles-release-5.3-3031.bin --default-password <password>

Once completed, Login to the controller via browser to land to the admin UI
Once logged in to the HPECP Controller UI, configure the controller by providing the details as shown in the following figure and click submit.

Figure 56: HPECP controller configuration
Controller installation is then instantiated, wait until it is complete.

Figure 57: HPECP controller setup
Once the installation is complete, the HPECP login page would be accessible.

Figure 58: HPECP Login Page

Figure 59: HPECP Dashboard

NOTE

Default credentials to HPECP login access is admin/admin123

# HPECP gateway server

Once the OS is installed as per the section Operating System Deployment for HPECP hosts, login to the server to be configured as the HPECP controller and perform the steps as per gateway section.

# Airgap settings in HPECP Controller

The Air Gap tab of the System Settings screen allows the Platform Administrator to specify "air gap" settings to be used when the Kubernetes hosts, clusters, and tenants within HPE Container Platform do not have connectivity to the Internet.

Enter the following settings:

Yum repository section of this tab:
- Base URL: This is the URL to the YUM repository.
- Repo GPG URL: This is the URL to the YUM repository GNU Privacy Guard (optional).
- RPM GPG URL: This is the URL to the RPM repository GNU Privacy Guard (optional).
The Container Registry section of this tab:
- Container URL: URL to the Docker registry that contains the images needed for air-gap Kubernetes installations within HPE Container Platform.
- Username: Username to access the Docker registry, if needed.
- Password: Password to access the Docker registry, if needed.
- Secured: Checking the Secured checkbox indicates that the Kubernetes air-gap Docker registry is secure.
- Docker Client Certificate: Location of the Docker registry certificate, if you are using a secured connection. Clicking the Browse button opens a browser-standard Open dialog box that allows you to navigate to and locate the certificate to add.
- Clicking Submit saves your changes.
Figure 60: Airgap Settings

# Kubernetes hosts

# Preparing Kubernetes hosts

After the hosts are prepared, login to the servers and perform the following:

Edit the /etc/sysctl.conf file and turn off reverse path filter (add the following line if necessary):
```
> vi /etc/sysctl.conf
> net.ipv4.conf.all.rp_filter = 0
```
Reboot the server for changes to reflect
```
> reboot
```
Turn off swap
```
> swapoff -a
```
Once above-mentioned configurations are completed on the host, we can perform the kubernetes host installation and create the kubernetes cluster

# Kubernetes host installation

Please refer to the "Adding Kubernetes Hosts" section in this document for installing Hosts." section in this document for installing Hosts.

# Creating a Kubernetes Cluster

Please refer to the "Creating Kubernetes Cluster" section in this document for creating cluster.

# Launching Kubernetes Dashboard

Please refer to the "Launching Kubernetes Dashboard" section to launch kubernetes dashboard

# Validating the deployment

The following example is based on the WordPress and MySQL with Persistent Volume described here (opens new window).

MySQL and WordPress each require a Persistent Volume to store data. Their Persistent Volume Claims will be created at the deployment step. HPE Container Platform uses MapR as the default persistent volume.

Begin by adding a Secret generator in kustomization.yaml by executing the following command, being sure to replace YOUR_PASSWORD with the password you want to use.

> mkdir wordpress
> cd wordpress
> cat <<EOF >./kustomization.yaml

secretGenerator:
- name: mysql-pass
literals:
- password=YOUR_PASSWORD
EOF

Next, use either of the following methods, create manifests based on the following two yaml manifest files for the MySQL and WordPress services, respectively:
- https://kubernetes.io/examples/application/wordpress/mysql-deployment.yaml (opens new window)
- https://kubernetes.io/examples/application/wordpress/wordpress-deployment.yaml (opens new window)
If you installed HPE Container Platform with tenant storage, then MapR will already be registered as the default Storage Class in this namespace.

> kubectl get StorageClass

NAME PROVISIONER AGE
default (default) com.mapr.csi-kdf 39h

> kubectl describe StorageClass

Name : default
IsDefaultClass : Yes
Annotations : storageclass.kubernetes.io/is-default-class=true
Provisioner : com.mapr.csi-kdf
Parameters :
cldbHosts=192.168.20.131:7222,cluster=epic.mapr.cluster,csi.storage.k8s.io/provisioner-secret-name=mapr-user-secret,csi.storage.k8s.io/provisioner-secret-namespace=mapr-csi,csiNodePublishSecretName=mapr-ticket-secret,csiNodePublishSecretNamespace=mapr-csi,mountPre
fix=/mapr-csi,namePrefix=k8s-1-,platinum=true,restServers=192.168.20.131:8443,securityType=secure
AllowVolumeExpansion : <unset>
MountOptions : <none>
ReclaimPolicy : Delete
VolumeBindingMode : Immediate
Events : <none>

In these two manifest files, both the WordPress service and MySQL are requesting a persistent volume (PV)

Neither pod makes any explicit request for a specific storageClassName. Hence, they will use the default MapR StorageClass.

Edit the WordPress manifest yaml to use the NodePort service instead of LoadBalancer service. This needs to be done in order for HPE Container Platform to re-map the ports.

Continue by adding these two manifests to the kustomization.yaml file.

> cat <<EOF >>./kustomization.yaml

resources:
- mysql-deployment.yaml
- wordpress-deployment.yaml
EOF

The kustomization.yaml contains all of the resources for deploying a WordPress site and a MySQL database. You can apply the directory, and then verify both the MapR volumes and the services, as follows:

> kubectl apply --kustomize ./

secret/mysql-pass-9tt65k5fgm created
service/wordpress-mysql created
service/wordpress created
deployment.apps/wordpress-mysql created
deployment.apps/wordpress created
persistentvolumeclaim/mysql-pv-claim created
persistentvolumeclaim/wp-pv-claim created

Confirm that PVC is using the MapR StorageClass (see highlighted text below).

> kubectl get pvc

NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
mysql-pv-claim Bound mapr-pv-16f97a33-b8dd-488a-b6db-1d94a84286e2 20Gi
RWO default 48s
wp-pv-claim Bound mapr-pv-896b3504-e9ba-4593-b9a0-88a9ece392b5 20Gi RWO
default 48s

> kubectl get pv

NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS
REASON AGE

mapr-pv-32850109-ef66-42db-9522-b563fbc01eae 10Gi RWO Delete Bound
bdwebterm/pvc-kd-977sb-0 default 41h

mapr-pv-a24b1733-39db-40d2-bdaf-0be7c22ed83b 10Gi RWO Delete Bound
bdwebterm/pvc-kd-nbwhn-0 default 31h

mapr-pv-dbf96aed-dafd-47b7-87d4-7d343f182d8b 20Gi RWO Delete Bound
default/mysql-pv-claim default 69s

mapr-pv-e3c1db71-2865-425c-971e-c01466e9d295 20Gi RWO Delete Bound
default/wp-pv-claim default 69s

mapr-pv-ed5f1be3-9be2-4470-83cf-67f9b31e9dbf 10Gi RWO Delete Bound
bdwebterm/pvc-kd-dl2

Label the WordPress service so that the front-end NodePort service will be exposed via the HPE Container Platform Gateway host. This step is not necessary if the service was created in the namespace of a tenant that has the Map Services to Gateway option enabled.

> kubectl get services

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 26h
wordpress NodePort 10.96.98.248 <none> 80:30996/TCP 24s
wordpress-mysql ClusterIP None <none> 3306/TCP 24s

> kubectl label svc wordpress hpecp.hpe.com/hpecp-internal-gateway=true

service/wordpress labeled

> kubectl describe service wordpress

Name: wordpress
Namespace: default
Labels: app=wordpress
hpecp.hpe.com/hpecp-internal-gateway=true
Annotations: hpecp-internal-gateway/80: mip.storage.enterprise.net:10006
Selector: app=wordpress,tier=frontend
Type: NodePort
IP: 10.96.98.248
Port: <unset> 80/TCP
TargetPort: 80/TCP
NodePort: <unset> 30996/TCP
Endpoints: 10.244.2.11:80
Session Affinity: None
External Traffic Policy: Cluster
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Service 26s kubedirector Created HPECP K8S service

Copy the IP address and port number (see highlighted text above) to your browser. You should see set-up page similar to the following screenshot:

Figure 61: Wordpress Application
Destroy the application deployments (e.g. pods) and restart the deployments, making sure to preserve the WordPress application information and still preserved.

> kubectl delete deployment wordpress

deployment.extensions "wordpress" deleted

> kubectl delete deployment wordpress-mysql

deployment.extensions "wordpress-mysql" deleted

> kubectl get pods

No resources found.

> kubectl get deployments

No resources found.

The service is gone, as expected.

![](../media/SD-HA-25.png)

**Figure 62:** Wordpress application is removed

Reapply the same deployment, and reconnect to persistent storage.

> kubectl apply -k ./

secret/mysql-pass-9tt65k5fgm unchanged
service/wordpress-mysql unchanged
service/wordpress unchanged
deployment.apps/wordpress-mysql created
deployment.apps/wordpress created
persistentvolumeclaim/mysql-pv-claim unchanged
persistentvolumeclaim/wp-pv-claim unchanged

> kubectl get pods

NAME READY STATUS RESTARTS AGE
wordpress-594759d7f6-jdnvp 1/1 Running 0 27s
wordpress-mysql-847b7b996d-dwf6s 1/1 Running 0 28s

> kubectl describe service wordpress

Name: wordpress
Namespace: default
Labels: app=wordpress
Hpecp.hpe.com/hpecp-internal-gateway=true
Annotations: hpecp-internal-gateway/80: mip.storage.enterprise.net:10006
Selector: app=wordpress,tier=frontend
Type: NodePort
IP: 10.96.35.129
Port: <unset> 80/TCP
TargetPort: 80/TCP
NodePort: <unset> 31589/TCP
Endpoints: 10.244.1.18:80
Session Affinity: None
External Traffic Policy: Cluster
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Service 12m kubedirector Created HPECP K8S service

The WordPress service is restored.

Finally, you will need to delete the entire deployment in order to free up all of the resources, including the persistent storage.

> kubectl delete -k ./

secret "mysql-pass-9tt65k5fgm" deleted
service "wordpress-mysql" deleted
service "wordpress" deleted
deployment.apps "wordpress-mysql" deleted
deployment.apps "wordpress" deleted
persistentvolumeclaim "mysql-pv-claim" deleted
persistentvolumeclaim "wp-pv-claim" deleted

# Appendix

# Simulating an air gap environment

Update a dummy gateway IP address in either of the following files

> vi /etc/sysconfig/network/ifcfg-eth0
> vi /etc/sysconfig/network/ifroute-eth0

Restart the network

> systemctl restart network

Validate if the server is disconnected to internet or not

> curl api.ipify.org

This command provides the external facing IP address of the server in the event server is connected to the internet

# SUSE RMT server

This section provides a detailed list of SUSE RPMs required for bringing up the HPECP setup on SUSE Linux SP2 in an airgap environment.

# SUSE products and extensions overview

ID	Product	Mandatory	Mirror ?
4450	SLE-15-SP2-Desktop-NVIDIA-Driver for	Mandatory	Mirror
4001	SLE-Module-Basesystem15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
3999	SLE-Module-Basesystem15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
4098	SLE-Module-Containers15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
4096	SLE-Module-Containers15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
4118	SLE-Module-Desktop-Applications15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
4116	SLE-Module-Desktop-Applications15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
4138	SLE-Module-DevTools15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
4136	SLE-Module-DevTools15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
4173	SLE-Module-HPC15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
4171	SLE-Module-HPC15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
4193	SLE-Module-Legacy15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
4191	SLE-Module-Legacy15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
4033	SLE-Module-Packagehub-Subpackages15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
4030	SLE-Module-Packagehub-Subpackages15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
4223	SLE-Module-Public-Cloud15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
4221	SLE-Module-Public-Cloud15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
4243	SLE-Module-Python2-15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
4241	SLE-Module-Python2-15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
4058	SLE-Module-Server-Applications15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
4056	SLE-Module-Server-Applications15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
4163	SLE-Module-Web-Scripting15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
4161	SLE-Module-Web-Scripting15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
4078	SLE-Product-HA15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
4076	SLE-Product-HA15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
3934	SLE-Product-HPC-15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
3932	SLE-Product-HPC-15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
3939	SLE-Product-SLED15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
3937	SLE-Product-SLED15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
3963	SLE-Product-SLES15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
3960	SLE-Product-SLES15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
4278	SLE-Product-WE15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror
4276	SLE-Product-WE15-SP2-Updates for sle-15-x86_64	Mandatory	Mirror
3962	SLE15-SP2-Installer-Updates for sle-15-x86_64	Mandatory	Mirror
4923	SUSE-CAASP-4.5-Pool for sle-15-x86_64	Mandatory	Mirror
4921	SUSE-CAASP-4.5-Updates for sle-15-x86_64	Mandatory	Mirror
4028	SUSE-PackageHub-15-SP2-Backports-Pool for sle-15-x86_64	Mandatory	Mirror
4032	SUSE-PackageHub-15-SP2-Pool for sle-15-x86_64	Mandatory	Mirror

← Manually Install and configure HPE Ezmeral Container Platform 5.3 Lite Touch Installation (LTI) →