You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/en/install-upgrade/air-gapped-install.asciidoc
+92-48Lines changed: 92 additions & 48 deletions
Original file line number
Diff line number
Diff line change
@@ -3,6 +3,7 @@
3
3
4
4
Some components of the {stack} require additional configuration and local dependencies in order to deploy in environments without internet access. This guide gives an overview of this setup scenario and helps bridge together existing documentation for individual parts of the stack.
5
5
6
+
// Self-managed install
6
7
* <<air-gapped-self-managed-linux>>
7
8
** <<air-gapped-elasticsearch>>
8
9
** <<air-gapped-kibana>>
@@ -17,17 +18,15 @@ Some components of the {stack} require additional configuration and local depend
@@ -42,120 +41,165 @@ Some components of the {stack} require additional configuration and local depend
42
41
[[air-gapped-self-managed-linux]]
43
42
=== 1. Self-Managed Install (Linux)
44
43
45
-
**TBD Intro text**
44
+
Refer to the section for each Elastic compopnent for air-gapped installation configuration and dependencies in a self-managed Linux environment.
46
45
47
46
[discrete]
48
47
[[air-gapped-elasticsearch]]
49
-
=== 1.1. {es}
48
+
==== 1.1. {es}
50
49
51
-
Air-gapped install of Elasticsearch is fairly straightforward, as this component does not have any default dependencies on other services. Detailed install & configuration guides are available in the {es} {ref}/install-elasticsearch.html[official install docs].
50
+
Air-gapped install of {es} is fairly straightforward, as this component does not have any default dependencies on other services. Detailed install and configuration instructions are available in the {ref}/install-elasticsearch.html[{es} install documentation].
52
51
53
52
[discrete]
54
53
[[air-gapped-kibana]]
55
-
=== 1.2. {kib}
54
+
==== 1.2. {kib}
55
+
56
+
Air-gapped install of {kib} may require a number of additional services in the local network in order to access some of the features. General install and configuration guides are available in the {kibana-ref}/install.html[{kib} install documentation].
57
+
58
+
Specifically (see appropriate sections in the rest of the doc):
59
+
60
+
* To be able to use {kib} mapping visualizations, you need to set up and configure the <<air-gapped-elastic-maps-service,Elastic Maps Service>>.
61
+
* To be able to use {kib} sample data, install or update hundreds of prebuilt alert rules, and explore available data integrations, you need to set up and configure the <<air-gapped-elastic-package-registry,{package-registry}>>.
62
+
To provide detection rule updates for {endpoint-sec} agents, you need to set up and configure the <<air-gapped-elastic-endpoint-artifact-repository,Elastic Endpoint Artifact Repository>>.
63
+
To access {ents} capabilities (in addition to the general search capabilities of {es}), you need to set up and configure <<air-gapped-enterprise-search,{ents}>>.
64
+
To access the APM integration, you need to set up and configure <<air-gapped-elastic-apm,Elastic APM>>.
56
65
57
-
tbd
58
66
59
67
[discrete]
60
68
[[air-gapped-beats]]
61
-
=== 1.3. {beats}
69
+
==== 1.3. {beats}
62
70
63
-
tbd
71
+
Elastic {beats} are light-weight data shippers. They do not require any unique setup in the air-gapped scenario. To learn more, refer to the {beats-ref}/beats-reference.html[{beats} documentation].
64
72
65
73
[discrete]
66
74
[[air-gapped-logstash]]
67
-
=== 1.4. {ls}
75
+
==== 1.4. {ls}
68
76
69
-
tbd
77
+
{ls} is a versatile data shipping and processing application. It does not require any unique setup in the air-gapped scenario. To learn more, refer to the {logstash-ref}/introduction.html[{ls} documentation].
70
78
71
79
[discrete]
72
80
[[air-gapped-elastic-agent]]
73
-
=== 1.5. {agent}
81
+
==== 1.5. {agent}
82
+
83
+
Air-gapped install of {agent} depends on the <<air-gapped-elastic-package-registry,{package-registry}>> and the <<air-gapped-elastic-artifact-registry,Elastic Artifact Registry>> for most use-cases. The agent itself is fairly lightweight and installs dependencies only as required by its configuration. In terms of connections to these dependencies, {agents} need to be able to connect to the Elastic Artifact Registry directly, but {package-registry} connections are handled through <<air-gapped-kibana,{kib}>>.
84
+
85
+
Additionally, if the {agent} {elastic-defend} integration is used, then <<air-gapped-elastic-endpoint-artifact-repository,Elastic Endpoint Artifact Repository>> is necessary in order to deploy updates for some of the detection and prevention capabilities.
86
+
87
+
To learn more about install and configuration, refer to the {fleet-guide}/elastic-agent-installation.html[{agent} install documentation].
88
+
89
+
To get a better understanding of how to work with {agent} configuration settings and policies, refer to <<air-gapped-agent-integration-guide>>.
74
90
75
-
tbd
76
91
77
92
[discrete]
78
93
[[air-gapped-fleet]]
79
-
=== 1.6. {fleet}
94
+
==== 1.6. {fleet-server}
80
95
81
-
tbd
96
+
{fleet-server} is a required middleware component for any scalable deployment of the {agent}. Air-gapped dependencies of {fleet-server} are the same as those of the <<air-gapped-elastic-agent,{agent}>>.
97
+
98
+
To learn more about installing {fleet-server}, refer to the {fleet-guide}/fleet-server.html[{fleet-server} set up documentation].
82
99
83
100
[discrete]
84
101
[[air-gapped-elastic-apm]]
85
-
=== 1.7. Elastic APM
102
+
==== 1.7. Elastic APM
86
103
87
-
tbd
104
+
Air-gapped setup of the APM server is possible in two ways:
105
+
106
+
* By setting up one of the {agent} deployments with an APM integration, as described in {apm-guide-ref}/apm-integration-upgrade-steps.html[Switch a self-installation to the APM integration].
107
+
* Or, by installing a standalone Elastic APM Server, as described in the APM {apm-guide-ref}/configuring-howto-apm-server.html[configuration documentation].
88
108
89
109
[discrete]
90
110
[[air-gapped-elastic-maps-service]]
91
-
=== 1.8. {ems}
111
+
==== 1.8. {ems}
92
112
93
-
tbd
113
+
To learn about air-gapped setup of the {ems}, refer to {kibana-ref}/maps-connect-to-ems.html#elastic-maps-server[Host {ems} locally] in the {kib} documentation.
94
114
95
115
[discrete]
96
116
[[air-gapped-enterprise-search]]
97
-
=== 1.9. {ents}
117
+
==== 1.9. {ents}
98
118
99
-
tbd
119
+
Detailed install and configuration instructions are available in the {enterprise-search-ref}/installation.html[{ents} install documentation].
100
120
101
121
[discrete]
102
122
[[air-gapped-elastic-package-registry]]
103
-
=== 1.10. {package-registry}
123
+
==== 1.10. {package-registry}
104
124
105
-
tbd
125
+
Air-gapped install of the EPR is possible using any OCI-compatible runtime like Podman (a typical choice for RHEL-like Linux systems) or Docker. Links to the official container image and usage guide is available on the {fleet-ref}/air-gapped.html[Air-gapped environments] page in the {fleet} and {agent} Guide.
126
+
127
+
Refer to <<air-gapped-elastic-package-registry-example>> for additional setup examples.
128
+
129
+
NOTE: Besides setting up the EPR service, you also need to <<air-gapped-kibana,configure {kib}>> to use this service. If using TLS with the EPR service, it is also necessary to set up {kib} to trust the certificate presented by the EPR.
106
130
107
131
[discrete]
108
132
[[air-gapped-elastic-artifact-registry]]
109
-
=== 1.11. Elastic Artifact Registry
133
+
==== 1.11. Elastic Artifact Registry
110
134
111
-
tbd
135
+
Air-gapped install of the Elastic artifact registry is necessary in order to enable {agent} deployments to perform self-upgrades and install certain components which are needed for some of the data integrations (that is, in addition to what is also retrieved from the EPR). To learn how to set up such a repository, refer to {fleet-guide}/air-gapped.html#host-artifact-registry[Host your own artifact registry for binary downloads] in the {fleet} and {elastic-agent} Guide.
136
+
137
+
Refer to <<air-gapped-elastic-artifact-registry-example>> for additional setup examples.
138
+
139
+
NOTE: When setting up own web server, such as NGINX, to function as the Elastic Artifact Registry, it is recommended not to use TLS as there are, currently, no direct ways to establish certificate trust between {agents} and this service.
Air-gapped setup of this component is, essentially, identical to the setup of the <<air-gapped-elastic-artifact-registry,Elastic Artifact Registry>> except that different artifacts are served. To learn more, refer to {security-guide}/offline-endpoint.html[Configure offline endpoints and air-gapped environments] in the Elastic Security guide.
116
146
117
147
[discrete]
118
-
[[air-gapped-kubernetes-and-open-shift]]
148
+
[[air-gapped-kubernetes-and-openshift]]
119
149
=== 2. Kubernetes & OpenShift Install
120
150
121
-
Setting up air-gapped kubernetes/openshift installs of the {stack} has some unique concerns, but the general dependencies are the same as in the self-managed install case on a regular Linux machine.
122
-
151
+
Setting up air-gapped Kubernetes or OpenShift installs of the {stack} has some unique concerns, but the general dependencies are the same as in the self-managed install case on a regular Linux machine.
123
152
124
153
[discrete]
125
154
[[air-gapped-k8s-os-elastic-kubernetes-operator]]
126
-
=== 2.1. Elastic Kubernetes Operator (ECK)
155
+
==== 2.1. Elastic Kubernetes Operator (ECK)
127
156
128
-
tbd
157
+
The Elastic Kubernetes operator is an additional component in the Kubernetes OpenShift install that, essentially, does a lot of the work in installing, configuring, and updating deployments of the {stack}. For details, refer to the {eck-ref}/k8s-air-gapped.html[{eck} install instructions].
158
+
159
+
The main requirements are:
160
+
161
+
* Syncing container images for ECK and all other {stack} components over to a locally-accessible container repository.
162
+
* Modifying the ECK helm chart configuration so that ECK is aware that it is supposed to use your offline container repository instead of the public Elastic repository.
163
+
* Optionally, disabling ECK telemetry collection in the ECK helm chart. This configuration propagates to all other Elastic components, such as {kib}.
164
+
* Building your custom deployment container image for the Elastic Artifact Registry.
165
+
* Building your custom deployment container image for the Elastic Endpoint Artifact Repository.
129
166
130
167
[discrete]
131
168
[[air-gapped-k8s-os-elastic-package-registry]]
132
-
=== 2.2. Elastic Package Registry
169
+
==== 2.2. Elastic Package Registry
133
170
134
-
tbd
171
+
The container image can be downloaded from the official Elastic Docker repository, as described in the {fleet} and {elastic-agent} {fleet-guide}/air-gapped.html[air-gapped environments] documentation.
172
+
173
+
This container would, ideally, run as a Kubernetes deployment. Refer to <<air-gapped-epr-kubernetes-example>> for examples.
135
174
136
175
[discrete]
137
176
[[air-gapped-k8s-os-elastic-artifact-registry]]
138
-
=== 2.3. Elastic Artifact Registry
177
+
==== 2.3. Elastic Artifact Registry
139
178
140
-
tbd
179
+
A custom container would need to be created following similar instructions to setting up a web server in the <<air-gapped-elastic-artifact-registry,self-managed install case>>. For example, a container file using an NGINX base image could be used to run a build similar to the example described in <<air-gapped-elastic-artifact-registry-example>>.
Just like Elastic Artifact Registry. A custom container would need to be created following similar instructions to setting up a web server for the <<air-gapped-elastic-artifact-registry,self-managed install case>>.
147
186
148
187
[discrete]
149
188
[[air-gapped-k8s-os-ironbank-secure-images]]
150
-
=== 2.5. Ironbank Secure Images for Elastic
189
+
==== 2.5. Ironbank Secure Images for Elastic
151
190
152
-
tbd
191
+
Besides the public link:https://www.docker.elastic.co[Elastic container repository], most {stack} container images are also available in Platform One's link:https://ironbank.dso.mil/repomap?vendorFilters=Elastic&page=1&sort=1[Iron Bank].
153
192
154
193
[discrete]
155
194
[[air-gapped-elastic-package-registry-example]]
156
195
=== Appendix A - {package-registry}
157
196
158
-
tbd
197
+
The following script generates a SystemD service file on a RHEL 8 system in order to run EPR with Podman in a production environment.
0 commit comments