
Offline installation full#719

Merged
cbaxley merged 112 commits into develop from offline-installation-full
Nov 12, 2025

Conversation


@aarz-snl aarz-snl commented Oct 20, 2025

🗣 Description

💭 Motivation and context

📷 Screenshots (DELETE IF UNAPPLICABLE)

🧪 Testing

Redhat:
Build two machines using an exporter.txt file in this format. Use r1 and r2.

export RESOURCE_GROUP="lme-yourname-r1"
export PUBLIC_IP="0.0.0.0/0"  
export VM_SIZE="Standard_D8_v4"
export LOCATION="westus"
export AUTO_SHUTDOWN_TIME="00:00"
export LME_USER="lme-user"

Source the exporter.txt file and login to azure:

source exporter.txt
az login 

Build the machines using a larger disk.

./azure/build_azure_linux_network.py -g $RESOURCE_GROUP -s $PUBLIC_IP -vs $VM_SIZE -l $LOCATION -ast $AUTO_SHUTDOWN_TIME --use-rhel -os 256 

On the build machine (r1):

sudo dnf -y install git
git clone https://github.com/cisagov/LME.git
cd LME/
git checkout offline-installation-full
sudo ./scripts/expand_disk_for_offline.sh
./scripts/prepare_offline.sh

You will now have a tar file in your home directory that you are going to copy to r2.

Change exporter.txt resource group to r2.
Source the exporter.txt file and build r2:

source exporter.txt

Build the r2 machine using a larger disk.

./azure/build_azure_linux_network.py -g $RESOURCE_GROUP -s $PUBLIC_IP -vs $VM_SIZE -l $LOCATION -ast $AUTO_SHUTDOWN_TIME --use-rhel -os 256 

Note the IP and password. You will need them when copying the build and such from r1 to r2.

Now you want to copy expand_disk_for_offline.sh to r2 (the target machine) from r1 (the build machine):
On the build machine:

scp /home/lme-user/LME/scripts/expand_disk_for_offline.sh r2ipaddress:~

Then you need to ssh into r2 and run the expand_disk_for_offline.sh as root:

# On r2
sudo /home/lme-user/expand_disk_for_offline.sh

Now go back to r1 and scp the offline tarball to r2:

cd ~/
# Replace with the real name of the tarball and the real ip of r2
scp lme-offline-todaysdate-uniqueid.tar.gz  r2ipaddress:~

Now go back to r2 and move the tarball to a larger volume and untar it:

sudo mv /home/lme-user/lme-offline-todaysdate-uniqueid.tar.gz /var
# Untar the file into the lme-user home directory
tar -xzf /var/lme-offline-todaysdate-uniqueid.tar.gz -C /home/lme-user/
cd ~/LME

Now you need to set up the outbound traffic on r2.
Go into the Azure web interface, find the r2 NSG1 and open it.
Click on the left Settings->Outbound Security Rules
Click the plus to add a new rule and add two rules, one at a time.

Instructions for Creating SSH Access Rule

  1. Source: Select "Any"
  2. Source port ranges: Enter "*" (asterisk)
  3. Destination: Select "Any"
  4. Service: Select "Custom"
  5. Destination port ranges: Enter "22"
  6. Protocol: Select "Any"
  7. Action: Select "Allow"
  8. Priority: Set to "1000"
  9. Name: Enter "ssh"
  10. Description: Leave blank or add an optional description

This will create a rule allowing SSH traffic (port 22) from any source to any destination using any protocol.

Now you need to block all of the other traffic.

Instructions for Creating Deny All Traffic Rule

To create the network security rule shown in the image, follow these steps in this exact order:

  1. Source: Select "Any"
  2. Source port ranges: Enter "*" (asterisk)
  3. Destination: Select "Any"
  4. Service: Select "Custom"
  5. Destination port ranges: Enter "*" (asterisk)
  6. Protocol: Select "Any"
  7. Action: Select "Deny"
  8. Priority: Set to "1015"
  9. Name: deny_all
  10. Description: Leave blank or add an optional description

This will create a rule denying all traffic from any source to any destination using any protocol. Note that this is a blocking rule with a priority of 1015, which means it will be processed after rules with lower priority numbers.

Now ssh back into r2 and run ping until the packets stop getting out.

ping google.com

Once the traffic stops flowing hit ctrl-c to stop the ping.

Now you can run the install in offline mode.

cd ~/LME
./install.sh -o -d 

Running the tests

You can either run the tests on your local machine pointing the .env file to the server, or you can install the python environment on r2 and run the tests on it.
In either case, you will have to go back to the Azure web GUI and remove (click the trash can) the deny rule to test, because you either have to reach it from your local machine or you have to install the pip requirements from the web for the tests.

✅ Pre-approval checklist

  • Changes are limited to a single goal AND
    the title reflects this in a clear human readable format
  • Issue that this PR solves has been selected in the Development section
  • I have read and agree to LME's CONTRIBUTING.md document.
  • The PR adheres to LME's requirements in RELEASES.md
  • These code changes follow cisagov code standards.
  • All relevant repo and/or project documentation has been updated to reflect the changes in this PR.

✅ Pre-merge Checklist

  • All tests pass
  • PR has been tested and the documentation for testing is above
  • Squash and merge all commits into one PR level commit

✅ Post-merge Checklist

  • Delete the branch to keep down number of branches
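
The security-relevant step in the testing procedure above is the pair of outbound NSG rules: `ssh` (priority 1000, Allow) and `deny_all` (priority 1015, Deny). Azure evaluates rules in ascending priority, and both custom rules sit below the non-removable defaults `AllowInternetOutBound` (65001) and `DenyAllOutBound` (65500), so `deny_all` is what actually turns r2 into an offline host, while the `ssh` rule leaves outbound port 22 to any destination open, exactly as the procedure's own description of that rule says. The evaluator below is an added example for this page, not code from the LME project or the PR author. It models only the fields the procedure fills in (priority, access, protocol, destination port) plus those two Azure defaults; source and destination address prefixes and service tags are deliberately not modelled, and the `az network nsg rule create` command strings are built but not run. The resource group and NSG names in the `__main__` block follow the page's own naming and are placeholders.

```python
"""NSG outbound rule walk-through for the offline-install test.

Added example for this page, not code from the LME project or the PR author.
Models priority, access, protocol and destination port only; address prefixes
and service tags are not modelled (assumption/simplification).
"""
from dataclasses import dataclass
import shlex
import socket


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # Azure evaluates lower numbers first
    access: str            # "Allow" or "Deny"
    protocol: str = "*"    # "*", "Tcp", "Udp" or "Icmp"
    dest_ports: str = "*"  # "*", a single port, or a range such as "1000-2000"


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def evaluate(rules, protocol: str, dest_port: int):
    """Return (rule name, access) of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if not _port_matches(rule.dest_ports, dest_port):
            continue
        return rule.name, rule.access
    return None, "Deny"  # unreachable with AZURE_DEFAULTS present; kept for safety


# Azure's built-in outbound rules, which cannot be deleted. AllowVnetOutBound
# (65000) only matches VirtualNetwork destinations, so it is omitted from this
# Internet-bound model. The PR's rules win because 1000 and 1015 are lower.
AZURE_DEFAULTS = [
    Rule("AllowInternetOutBound", 65001, "Allow"),
    Rule("DenyAllOutBound", 65500, "Deny"),
]

# The two rules the procedure creates in the portal for the r2 NSG.
PR_RULES = [
    Rule("ssh", 1000, "Allow", "*", "22"),
    Rule("deny_all", 1015, "Deny", "*", "*"),
]

# Egress the offline install must not depend on: DNS, HTTP, HTTPS and ICMP (ping).
OFFLINE_CHECKS = [("Udp", 53), ("Tcp", 80), ("Tcp", 443), ("Icmp", 0)]


def offline_ready(rules) -> bool:
    """True when every check in OFFLINE_CHECKS is denied by the rule set."""
    return all(evaluate(rules, proto, port)[1] == "Deny" for proto, port in OFFLINE_CHECKS)


def az_rule_create_command(resource_group: str, nsg_name: str, rule: Rule) -> str:
    """CLI equivalent of the portal steps (returned as a string, not executed)."""
    args = ["az", "network", "nsg", "rule", "create",
            "--resource-group", resource_group, "--nsg-name", nsg_name,
            "--name", rule.name, "--priority", str(rule.priority),
            "--direction", "Outbound", "--access", rule.access,
            "--protocol", rule.protocol,
            "--source-address-prefixes", "*", "--source-port-ranges", "*",
            "--destination-address-prefixes", "*",
            "--destination-port-ranges", rule.dest_ports]
    return shlex.join(args)


def egress_open(host: str = "1.1.1.1", port: int = 443, timeout: float = 3.0) -> bool:
    """TCP probe to run on r2 alongside the procedure's ping test; True means a
    connection got out, i.e. the deny rule is not in force yet."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Placeholder names following the page's pattern (lme-yourname-r2, NSG1).
    for proto, port in OFFLINE_CHECKS + [("Tcp", 22)]:
        print(proto, port, evaluate(PR_RULES + AZURE_DEFAULTS, proto, port))
    for rule in PR_RULES:
        print(az_rule_create_command("lme-yourname-r2", "NSG1", rule))
```

Two things fall out of running it: with only the `ssh` rule added, `offline_ready` is False because `AllowInternetOutBound` still lets 443 and DNS out, so the procedure's ping check is really a check that `deny_all` has propagated (the rule's protocol "Any" covers ICMP, which is why ping stops); and even after `deny_all` is in force, TCP 22 to any destination is still allowed, so an "offline" r2 still has one outbound channel, which is worth remembering when reading the test results.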

Clint Baxley and others added 30 commits July 30, 2025 08:37
…compile/load via nix role; guarded SELinux mode changes
Resolved conflicts:
- Kept all offline_mode logic in ansible tasks (YOUR working code)
- Accepted workflow trigger changes from develop (push instead of PR)
- Merged install.sh: kept offline mode flags/logic + accepted improved ansible installation prompts
- Merged .gitignore: kept both SELinux and offline resources
@aarz-snl aarz-snl force-pushed the offline-installation-full branch from 9f85f8e to 3abf7dc on October 20, 2025 13:38
aarz-snl and others added 6 commits October 20, 2025 13:40
Only functional changes (when conditions) should be in the diff, not cosmetic task name changes.
- Removed scripts/uninstall_lme.sh (development-only script)
- Reset scripts/wipe_lme.sh to match develop (no offline changes needed)
Keep only new container: lme-fleet-distribution.container
Revert memory limit changes to elasticsearch and kibana containers

cbaxley commented Oct 20, 2025

We are going to have to add the tests for redhat in here. A merge with development would add them.

fi

# Set default versions if not found in env file
STACK_VERSION=${STACK_VERSION:-"8.18.0"}

Change this to 8.18.3

@cbaxley cbaxley merged commit 4a358d0 into develop Nov 12, 2025
8 checks passed
@cbaxley cbaxley deleted the offline-installation-full branch November 12, 2025 18:02
@github-project-automation github-project-automation bot moved this from 🆕 Product Backlog to ✅ Done in LME-Development Nov 12, 2025