Operational Defect Database


VMware | 95552

VCF Offline Depot deployment.

Last update date:

3/27/2024

Affected products:

Cloud Foundation

Affected releases:

5.x, 4.x, 5.1

Fixed releases:

No fixed releases provided.

Description:

Symptoms

Dark side (offline) customers still have to perform bundle transfers on a per-instance basis.

Purpose

Offline depots will improve the "dark side" customer experience by reducing the number of customer steps needed to distribute artifacts to multiple VCF instances multiple times. In order to properly setup the depot, the customer will need a step-by-step KB article on how to do that.

Resolution

Overview

A dedicated virtual machine hosts the "Offline Depot". Once the virtual machine is ready and configured, each VCF instance is configured to point to the "Offline Depot" instead of the VMware online depot.

OBTU (lcm-bundle-transfer-util) will provide:
- Depot-like directory structure
- Bundle management mechanisms
- Upgrade metadata management mechanism

Pre-installed (provided by the customer):
- Virtual machine with enough space
- Web server with SSL configured

Offline depot deploy and configure

Virtual machine configuration

Requirements:
- OS: Linux or Windows (Linux CentOS is used for the examples on this page)
- HDD: separate disks (at least 1 TB) dedicated to the Offline Depot
- SSL: TLSv1.2 and TLSv1.3
- Directory permissions: the user that runs the OBTU tool needs read/write privileges on the Offline Depot root directory

Web server

This section includes an illustrative example of configuring a basic web server to host the VCF upgrade artifacts.

NOTE: Each customer is responsible for setting up the web server in accordance with their specific security requirements.

Install Apache Web Server - example

Use yum to install the web server:

    sudo yum install httpd

If the web server is already installed, use yum to update it:

    sudo yum update httpd

With mod_ssl installed, Apache serves HTTPS on port 443 by default. To run the web server on a different port, open that port in the firewall first. The example below uses port 8282 as {ServerPort}.

a) Open the port with the command below, or manually add the equivalent rule to /etc/sysconfig/iptables:

    iptables -I INPUT 1 -m state --state NEW -m tcp -p tcp --dport {ServerPort} -j ACCEPT

   Line to add to /etc/sysconfig/iptables:

    -A INPUT -p tcp -m state --state NEW -m tcp --dport {ServerPort} -j ACCEPT

b) Restart the iptables service:

    systemctl restart iptables

c) Once the port is open, configure it in the web server config file /etc/httpd/conf.d/ssl.conf:

    Listen {ServerPort}

d) Start and enable the server:

    systemctl start httpd
    systemctl enable httpd

Generate SSL certificate - example

Create an OpenSSL request configuration:

    vi openssl.cfg

The file should contain:

    [ req ]
    default_bits = 2048
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    prompt = no

    [ req_distinguished_name ]
    countryName = { Country name e.g. US }
    stateOrProvinceName = { State or province name e.g. California }
    localityName = { Locality name e.g. Palo Alto }
    organizationName = { organization name e.g. VMware }
    commonName = {VM IP address}

    [ req_ext ]
    subjectAltName = @alt_names

    [alt_names]
    IP.1 = {VM IP address}
    DNS.1 = vcfdns.goat.org

Replace {VM IP address} with the IP address of the depot VM. The certificate must be issued for the name under which SDDC Manager will reach the offline depot: put that hostname in DNS.1 (vcfdns.goat.org in the example) and the VM address in IP.1, since a TLS client checks the subjectAltName against the address it connects to.

Generate the key, the request and the self-signed certificate, then move them into place:

    openssl genpkey -out pkey.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
    openssl req -new -key pkey.key -out req.csr -config openssl.cfg
    openssl x509 -req -in req.csr -signkey pkey.key -out cert.crt -extfile openssl.cfg -extensions req_ext
    mv cert.crt /etc/pki/tls/certs
    mv pkey.key /etc/pki/tls/private

Note that openssl x509 -req issues a certificate valid for 30 days unless -days is given; choose a lifetime that fits the depot's expected use, and keep the private key file readable only by root and the httpd process.

Apply the generated certificate in /etc/httpd/conf.d/ssl.conf:

    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that a kill -HUP will prompt again. A new
    # certificate can be generated using the genkey(1) command.
    SSLCertificateFile /etc/pki/tls/certs/cert.crt

    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file. Keep in mind that if
    # you've both a RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/pki/tls/private/pkey.key

Then reload httpd:

    systemctl reload httpd

Configure Basic Auth - Mandatory step

Authentication on the web server is mandatory: SDDC Manager sends the depot credentials configured on it, and the web server must validate them. In the example below, Basic Auth is used as the authentication method.

a) Mandatory step: create or modify the /etc/httpd/conf.d/auth_basic.conf file and add the content below (adjust the /var/www/PROD2 paths to the offlineDepotRootDir you pass to OBTU):

    <Directory /var/www/PROD2/evo/vmw>
        # Basic Auth (VCF 4.x and 5.0)
        AuthType Basic
        AuthName "Basic Authentication"
        AuthUserFile /etc/httpd/conf/.htpasswd
        Require valid-user
    </Directory>

    <Directory "/var/www/PROD2/evo/vmw/Compatibility/VxrailCompatibilityData.json">
        # VxRail VVS Cookie Validation (VCF 5.0)
        <If "%{HTTP:Cookie} == 'ngssosession=ngsso-token' ">
            Require all granted
        </If>
    </Directory>

    # This Alias is needed only for VCF 5.1.0.0. Used for getting last updated time of HCL file.
    Alias /products/v1/bundles/lastupdatedtime /var/www/PROD2/vsan/hcl/lastupdatedtime.json
    <Directory /var/www/PROD2/vsan/hcl>
        <If "%{HTTP:X-vmw-esp-clientid} == 'offline-depot-hcl-vcf' ">
            Require all granted
        </If>
    </Directory>

    # This Alias is needed only for VCF 5.1.0.0. Used for getting the HCL file.
    Alias /products/v1/bundles/all /var/www/PROD2/vsan/hcl/all.json
    <Directory /var/www/PROD2/vsan/hcl>
        <If "%{HTTP:X-vmw-esp-clientid} == 'offline-depot-hcl-vcf' ">
            Require all granted
        </If>
    </Directory>

Be aware of what the two <If> blocks do: they grant access whenever a request carries a fixed cookie or header value, and any client can send that value. They exempt the VxRail compatibility file and the vSAN HCL files from Basic Auth rather than authenticating the caller, so treat those files as readable by anyone who can reach the web server. Everything under evo/vmw otherwise requires a valid user.

b) Create the username used to authenticate to the web server (after the command runs you are prompted for the password). The -c flag creates the file and overwrites an existing one; omit it when adding further users:

    htpasswd -c /etc/httpd/conf/.htpasswd testUser

c) Restart the web server:

    systemctl restart httpd

OBTU

a) Download the latest OBTU version from the Customer Connect platform. Every command can be scheduled and executed without interaction. The following OBTU CLI parameters support the offline depot:

- --setUpOfflineDepot (mandatory) - Sets up an offline depot for VSRN. If the optional downloadPartnerBundle argument is provided, VxRail bundles are also downloaded.
- --offlineDepotRootDir (mandatory) - Root directory that will host the offline depot.
- --offlineDepotUrl (mandatory) - URL that will be used for the web server.
- --depotUser (mandatory) - User used to connect to the VMware depot.
- --depotUserPasswordFile (mandatory) - Path to a file containing the password of the VMware depot user.
- --sourceVersion (optional; default 4.1.0.0; written as --sv in the examples below) - Source version for the bundles that will be downloaded.
- --ceip (optional) - Enrols the user in CEIP.
- --ariaBundles (optional) - Downloads Aria bundles.
- --asyncPatches (optional) - Downloads async patch bundles. Combined with downloadPartnerBundle this would also download VxRail async patch bundles, but that is not supported for now.
- --partnerDepotUser (optional; required with downloadPartnerBundle) - User used to connect to the Dell depot.
- --partnerDepotUserPasswordFile (optional; required with downloadPartnerBundle) - Path to a file containing the password of the Dell depot user.

Examples of the CLI commands (the examples use http:// on port 8282; if that port is served by the mod_ssl configuration above, the URL SDDC Manager uses must be https://):

To download the VSRN bundles:

    ./lcm-bundle-transfer-util --setUpOfflineDepot --offlineDepotRootDir '/apache/www' --offlineDepotUrl http://10.0.0.250:8282 --depotUser user --depotUserPasswordFile /some/directory/password.file --sv 4.5.1.0

To download the VSRN bundles together with the VCF Aria bundles (VRA, VROPS, VRLI, VRSLCM and WSA) and enrol in CEIP:

    ./lcm-bundle-transfer-util --setUpOfflineDepot --offlineDepotRootDir '/apache/www' --offlineDepotUrl http://10.0.0.250:8282 --ceip --ariaBundles --depotUser user --depotUserPasswordFile /some/directory/password.file --sv 4.5.1.0

To download the VSRN and VxRail bundles:

    ./lcm-bundle-transfer-util --setUpOfflineDepot downloadPartnerBundle --offlineDepotRootDir '/apache/www' --offlineDepotUrl http://10.0.0.250:8282 --depotUser user --depotUserPasswordFile /some/directory/password.file --sv 4.5.0.0 --partnerDepotUser partner-user --partnerDepotUserPasswordFile /some/directory/partner-depot-password.file

To download the VSRN bundles and async patch bundles (NOTE: VxRail async patch bundles are currently not supported; customers need to follow the standard VxRail async patch process):

    ./lcm-bundle-transfer-util --setUpOfflineDepot --offlineDepotRootDir '/apache/www' --offlineDepotUrl http://10.0.0.250:8282 --asyncPatches --depotUser user --depotUserPasswordFile /some/directory/password.file --sv 4.5.1.0

To clean up bundles below the given source version:

    ./lcm-bundle-transfer-util --cleanUpOfflineDepot --sv 4.5.2.0 --offlineDepotRootDir '/apache/www'

To clean up bundles below the given source version along with the async patch bundles:

    ./lcm-bundle-transfer-util --cleanUpOfflineDepot --sv 5.0.0.0 --offlineDepotRootDir '/apache/www' --asyncPatches

Connect SDDC Manager to offline depot

VCF instance 5.1.1 and above

1. Upload the generated SSL certificate. Navigate to the Developer Center and upload the generated certificate as trusted using v1/sddc-manager/trusted-certificates. Example body (the certificate value is the PEM file with its line breaks escaped as \n, on one line):

    {
      "certificate": "-----BEGIN CERTIFICATE-----\nMIIDazCCAlOgAwIBAgIJALBdtFYXfBGSMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV\nBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQTGFvIEFsdG8x\nDzANBgNVBAoMBlZNd2FyZTEWMBQGA1UEAwwNMTAuMjA2LjIxMC45OTAeFw0yMzA4\nMjIxMjU5NDNaFw0yMzA5MjExMjU5NDNaMF8xCzAJBgNVBAYTAlVTMRMwEQYDVQQI\nDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQTGFvIEFsdG8xDzANBgNVBAoMBlZNd2Fy\nZTEWMBQGA1UEAwwNMTAuMjA2LjIxMC45OTCCASIwDQYJKoZIhvcNAQEBBQADggEP\nADCCAQoCggEBAO4vbbDwpv1AvcvF3/5E8bv3F+irjeHdxjErZcbJs7rxxAPYIGNU\nvoFBEf4UganlImnU0/+su/Pf5+O8KOpO7m1Mwc5px3e/qPq/vZFGv/M8bKLrukze\nLWVbit7O0M3lVj4qxRAtlIwWKxw6ixnoTTYF+IBE7Z8yTzQ+NrOq6uDwjZgfc6ty\nQCSeDqi2ojd2CJk2NTUYRlT5eZRvzteeJRgULdT5AtP4KdZYNHqrN14YwcgbnGu8\nVteiJhnp8VUIFJXSvzAuW7uXcTmIIdJj44GzRTNo+ftWFgVUbx9GObTJr1+6mm6m\nBNIWx5REVYxhnUYK3nBBsGzEIpIKLTFdRocCAwEAAaMqMCgwJgYDVR0RBB8wHYcE\nCgAA+ocECs7SY4IPdmNmZG5zLmdvYXQub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQA1\nwhz1HCbc/+zBSX9qjpGmd//jJF9tjkgtHAKLeYIjtc5iCJnyMh3FsA0zyKYq0cYZ\ndaWYgregoaBbheitNqEdvs2IE+Km1w110noNjYWIDieRveYzJfN7Skx1rqoBfc0E\n8O6PTJ6DfeObZITPC2mMuOcnojzm6VEqVBPuo3oQ0vk2UU1BTuceSCrCXkPgK++r\nD9PCjPhsOVKZ0nh9EKWjOz5AaE1q++BCOPHN9QhxS0vRrb943x1DmrqrNcGprAUx\npOXkKC5ilCjCxUhT0CNbXhLipyHGW9+Ve0lwHcZ0eaSDvl+gX/V9S/9N51rYqXyz\nORedTmOJ5u7A7vPswAf4\n-----END CERTIFICATE-----",
      "certificateUsageType": "TRUSTED_FOR_OUTBOUND"
    }

2. Configure the offline depot. Navigate to "Lifecycle Management" → Depot Settings and set up an Offline Depot. Enter the offline depot hostname, port, username and password.

VCF instance 5.1.0 and below

1. Upload the SSL certificate.
2. The OBTU package contains a script that must be executed to change the depot mode from online to offline:

    python depot_config.py --depotMode offline --depotUrl {offline_depot_url}

3. Navigate to "Online Depot" and authenticate with the offline depot credentials.

Others

Offline depot directory structure

OBTU will generate the following directory structure:

    PROD2/
    ├── evo
    │   └── vmw
    │       ├── asyncPatchSpecs
    │       │   └── v1
    │       ├── bundles
    │       │   ├── bundle-73785.tar
    │       │   ├── bundle-73786.tar
    │       │   └── J2YFV_VxRail-8.0.100-Composite-Upgrade-Package-for-7.0.x.zip
    │       ├── Compatibility
    │       │   ├── VmwareCompatibilityData.json
    │       │   └── VxrailCompatibilityData.json
    │       ├── deltaFileDownloaded
    │       ├── deltaFileDownloaded.md5
    │       ├── index.v3
    │       ├── lcm
    │       │   └── manifest
    │       │       └── v1
    │       │           └── lcmManifest.json
    │       ├── manifests
    │       │   ├── bundle-73785.manifest
    │       │   ├── bundle-73785.manifest.sig
    │       │   ├── bundle-73786.manifest
    │       │   └── bundle-73786.manifest.sig
    │       ├── partnerBundleMetadata.json
    │       ├── softwareCompatibilitySets.json
    │       ├── tmp
    │       │   ├── index.v3
    │       │   ├── lcmManifestIndex
    │       │   └── lcmManifest.json
    │       └── vxrail
    │           ├── catalog_index.xml
    │           └── token.json
    └── vsan
        └── hcl
            ├── all.json
            └── lastupdatedtime.json
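The certificate, Basic Auth and trusted-certificate-upload steps above, carried through as one POSIX shell example. This is added here and is not code from the KB article or from VMware's OBTU. It assumes openssl, awk and md5sum-free coreutils are on the depot VM; the hostname vcfdns.goat.org and the address 10.0.0.250 are taken from the article, while the organisation, the username testUser, the password and the salt are example values. Unlike the article's commands it sets an explicit validity (openssl x509 defaults to 30 days) and restricts the key file's permissions, and trusted_cert_body turns cert.crt into the single-line JSON body the v1/sddc-manager/trusted-certificates call expects, with the PEM line breaks escaped as \n.

```shell
#!/bin/sh
# Added example: offline-depot TLS material, Basic Auth credential and the
# trusted-certificate request body. Not part of the KB article or of OBTU.
# Assumptions: openssl and awk available; all names/values are examples.
set -eu

# gen_depot_cert DIR IP HOSTNAME
# Writes openssl.cfg, pkey.key and cert.crt under DIR using the same request
# layout as the article (CN + SAN with IP.1 and DNS.1), self-signed, 825 days.
gen_depot_cert() {
    dir=$1; ip=$2; host=$3
    mkdir -p "$dir"
    cat > "$dir/openssl.cfg" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo Alto
organizationName = Example Org
commonName = $host

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
IP.1 = $ip
DNS.1 = $host
EOF
    openssl genpkey -out "$dir/pkey.key" -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    openssl req -new -key "$dir/pkey.key" -out "$dir/req.csr" -config "$dir/openssl.cfg"
    openssl x509 -req -days 825 -in "$dir/req.csr" -signkey "$dir/pkey.key" \
        -out "$dir/cert.crt" -extfile "$dir/openssl.cfg" -extensions req_ext 2>/dev/null
    chmod 600 "$dir/pkey.key"   # private key readable by its owner only
}

# check_depot_san CERT IP HOSTNAME
# Succeeds only if the certificate's subjectAltName carries both the IP and
# the DNS name SDDC Manager will use to address the depot.
check_depot_san() {
    san=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
          || openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$san" | grep -q "IP Address:$2" \
        && printf '%s\n' "$san" | grep -q "DNS:$3"
}

# htpasswd_entry USER PASSWORD SALT
# Emits one AuthUserFile line in Apache's $apr1$ format without needing the
# htpasswd binary. Password is passed on stdin, not on the command line.
htpasswd_entry() {
    hash=$(printf '%s' "$2" | openssl passwd -apr1 -salt "$3" -stdin)
    printf '%s:%s\n' "$1" "$hash"
}

# trusted_cert_body CERTFILE
# Renders the JSON body for v1/sddc-manager/trusted-certificates: the PEM on
# one line with literal "\n" between lines, as in the article's example body.
trusted_cert_body() {
    pem=$(awk 'NR>1 {printf "%s", "\\n"} {printf "%s", $0}' "$1")
    printf '{"certificate": "%s", "certificateUsageType": "TRUSTED_FOR_OUTBOUND"}\n' "$pem"
}

# Stand-alone run: build everything in a scratch directory.
workdir=$(mktemp -d)
gen_depot_cert "$workdir" 10.0.0.250 vcfdns.goat.org
check_depot_san "$workdir/cert.crt" 10.0.0.250 vcfdns.goat.org \
    || { echo "certificate SAN does not match the depot address" >&2; exit 1; }
htpasswd_entry testUser 'ExamplePassw0rd!' depot1st > "$workdir/.htpasswd"
trusted_cert_body "$workdir/cert.crt" > "$workdir/trusted-cert.json"
echo "depot TLS/auth material written to $workdir"
```

Copy cert.crt, pkey.key and .htpasswd to the paths referenced by ssl.conf and auth_basic.conf, and post trusted-cert.json to SDDC Manager. Where apache2-utils is installed, htpasswd -B (bcrypt) is the better choice for the credential file; openssl passwd -apr1 is used here only because it needs nothing beyond openssl and Apache accepts the $apr1$ format.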
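Before pointing SDDC Manager at the depot (and after each OBTU run or clean-up), the mirrored tree can be sanity-checked against the directory structure listed above. The check below is an added example, not part of the KB article or of OBTU. It first builds a constructed sample tree with placeholder file contents (not real bundles) and then verifies it. It assumes that deltaFileDownloaded.md5 contains the md5 hex digest of deltaFileDownloaded and that every manifests/bundle-N.manifest is paired with a .sig and a bundles/bundle-N.tar, as in the listing; it only confirms the .sig files are present, since validating them would need VMware's signing key, which the article does not provide.

```shell
#!/bin/sh
# Added example: sanity-check an OBTU-generated offline depot root.
# Not part of the KB article; checks are derived from the layout it lists.
# Assumption: deltaFileDownloaded.md5 holds the 32-hex-char md5 digest of
# deltaFileDownloaded (the real file format is not documented on the page).
set -eu

# make_sample_depot ROOT
# Constructed sample tree with placeholder contents, used only for this demo.
make_sample_depot() {
    d=$1; vmw="$d/PROD2/evo/vmw"
    mkdir -p "$vmw/manifests" "$vmw/bundles" "$vmw/Compatibility" \
             "$vmw/lcm/manifest/v1" "$d/PROD2/vsan/hcl"
    for id in bundle-73785 bundle-73786; do
        printf '{"bundleId":"%s"}\n' "$id" > "$vmw/manifests/$id.manifest"
        echo "constructed-signature"        > "$vmw/manifests/$id.manifest.sig"
        echo "constructed-tar-payload"      > "$vmw/bundles/$id.tar"
    done
    echo '{}' > "$vmw/index.v3"
    echo '{}' > "$vmw/lcm/manifest/v1/lcmManifest.json"
    echo '{}' > "$vmw/Compatibility/VmwareCompatibilityData.json"
    echo '{}' > "$d/PROD2/vsan/hcl/all.json"
    echo '{}' > "$d/PROD2/vsan/hcl/lastupdatedtime.json"
    printf 'constructed delta content\n' > "$vmw/deltaFileDownloaded"
    md5sum "$vmw/deltaFileDownloaded" | cut -d' ' -f1 > "$vmw/deltaFileDownloaded.md5"
}

# check_depot_layout ROOT
# Returns 0 when every check passes; prints one line per finding otherwise.
check_depot_layout() {
    d=$1; rc=0; vmw="$d/PROD2/evo/vmw"
    # files SDDC Manager fetches directly must exist and be non-empty
    for f in "$vmw/index.v3" "$vmw/lcm/manifest/v1/lcmManifest.json" \
             "$vmw/Compatibility/VmwareCompatibilityData.json" \
             "$d/PROD2/vsan/hcl/all.json" "$d/PROD2/vsan/hcl/lastupdatedtime.json"; do
        [ -s "$f" ] || { echo "MISSING: $f"; rc=1; }
    done
    # every manifest needs its detached signature and the bundle it describes
    for m in "$vmw"/manifests/*.manifest; do
        [ -e "$m" ] || { echo "MISSING: no manifests under $vmw/manifests"; rc=1; break; }
        id=$(basename "$m" .manifest)
        [ -s "$m.sig" ]               || { echo "MISSING: $m.sig"; rc=1; }
        [ -s "$vmw/bundles/$id.tar" ] || { echo "MISSING: $vmw/bundles/$id.tar"; rc=1; }
    done
    # the recorded digest of the delta file must match its content
    if [ -f "$vmw/deltaFileDownloaded" ] && [ -f "$vmw/deltaFileDownloaded.md5" ]; then
        want=$(grep -o '[0-9a-f]\{32\}' "$vmw/deltaFileDownloaded.md5" | head -n 1)
        have=$(md5sum "$vmw/deltaFileDownloaded" | cut -d' ' -f1)
        [ "$want" = "$have" ] || { echo "DIGEST MISMATCH: $vmw/deltaFileDownloaded"; rc=1; }
    else
        echo "MISSING: deltaFileDownloaded or deltaFileDownloaded.md5"; rc=1
    fi
    # the OBTU user must be able to write the root for later runs
    [ -w "$d" ] || { echo "NOT WRITABLE: $d"; rc=1; }
    return $rc
}

# Stand-alone run against the constructed sample tree.
root=$(mktemp -d)
make_sample_depot "$root"
check_depot_layout "$root" || { echo "depot layout has problems" >&2; exit 1; }
echo "depot layout OK: $root"
```

Run check_depot_layout against the real offlineDepotRootDir as the OBTU user; any MISSING or DIGEST MISMATCH line means the transfer should be repeated before SDDC Manager is switched to the depot.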
