How to use TPAexec to create a local repository for air-gapped environments

Edgar Silva Leitão

This approach is used for environments without Internet access and without satellite repositories. It involves using TPAexec to download all the necessary packages through Docker to a local directory. The local repository will only contain the packages needed to build the same cluster, or a similar cluster, as defined in the config.yml file referenced during the package download.

The steps below use a PGD 5 cluster as an example, but this approach also applies to any architecture and any version.

For this example, we need two TPAexec host machines: one with Internet access and the other without Internet access. In this example, they are both on the same local network, but the only requirement is that they can reach each other.

Environment (all machines are running RedHat 8):

Host name       IP address      Role
TPAWITHNET      192.168.1.100   TPAexec + Docker
TPAWITHOUTNET   192.168.1.101   TPAexec
NODE1           192.168.1.102   PGD 5 data node
NODE2           192.168.1.103   PGD 5 data node
NODE3           192.168.1.104   PGD 5 data node
BARMAN-SERVER   192.168.1.105   Barman

Only the host TPAWITHNET has Internet access, and we're going to use it to download the packages with the help of Docker. So, make sure to have Docker installed on the TPAexec host with Internet access.

The steps to create the local repository are then as follows.

1- Create a simple PGD 5 cluster directory in the user's home directory on the TPAWITHNET host:

tpaexec configure ~/mycluster \
  --architecture PGD-Always-ON \
  --platform bare \
  --edb-postgres-advanced 15 \
  --redwood \
  --location-names dc1 \
  --pgd-proxy-routing global \
  --keyring legacy \
  --no-git

2- Create a local-repo directory under your TPA cluster directory. For example, for RedHat 8:

mkdir -p ~/mycluster/local-repo/RedHat/8/repodata

Note that the local repository directory path must be created with the following nomenclature:

  • local-repo: This is the directory name that TPAexec will look for, to store all the downloaded packages;
  • RedHat: The Linux distribution which you intend to download the compatible packages for;
  • 8: The version of the Linux distribution;
  • repodata: Sub-directory that will contain the repository data.

3- Download the packages to the local-repo directory:

tpaexec download-packages ~/mycluster --docker-image tpa/redhat:8

If we take a look at the config.yml, we will see the following repositories, from which all the packages necessary to build our cluster will be downloaded:

...
edb_repositories:
  - enterprise
  - postgres_distributed
...
yum_repository_list:
  - EPEL
...

4- Access the TPAexec host TPAWITHOUTNET and create a cluster directory (repeat step 1).

5- Copy the local-repo directory from the TPAWITHNET machine to TPAWITHOUTNET. For example, assuming that the two TPAexec hosts can communicate with each other using SSH:

scp -r root@192.168.1.100:~/mycluster/local-repo root@192.168.1.101:~/mycluster/

6- With the local-repo directory now present in the TPA cluster of the TPA host without Internet access, we need to add some important settings to the config.yml file to utilize the local repository:

cluster_vars:
...
   use_local_repo_only: true
   disable_repository_checks: true
   edb_repositories: []
   yum_repository_list: []
...

instance_defaults:
   platform: bare
   vars:
      local_source_directories:
      - ~/mycluster/local-repo:/var/opt/tpa/local-repo:ro
      ansible_user: root
...

The setting use_local_repo_only will not remove the already existing repositories from the target machine. Instead, it will only disable them, allowing you to re-enable these repositories manually if needed.

The setting local_source_directories will copy the local-repo directory from the TPAexec host to /var/opt/tpa/local-repo of all the target machines. The :ro means read-only.

If you are using the Docker platform to test the settings, you must configure local_source_directories under instance_defaults and outside of vars, as shown in the example below:

instance_defaults:
  platform: docker
  image: tpa/redhat:8
  local_source_directories:
      - /mycluster/local-repo:/var/opt/tpa/local-repo:ro
  vars:
    ansible_user: root

7- This is a sample config.yml file for a bare metal deployment:

---
architecture: PGD-Always-ON
cluster_name: mycluster2
cluster_tags: {}

keyring_backend: legacy

cluster_vars:
  use_local_repo_only: true
  disable_repository_checks: true
  apt_repository_list: []
  bdr_database: bdrdb
  bdr_node_group: mycluster2
  bdr_node_groups:
  - name: mycluster2
    options:
      enable_proxy_routing: true
  - name: dc1_subgroup
    options:
      location: dc1
    parent_group_name: mycluster2
  bdr_version: '5'
  default_pgd_proxy_options:
    listen_port: 6432
  edb_repositories: []
  epas_redwood_compat: true
  failover_manager: pgd
  postgres_coredump_filter: '0xff'
  postgres_flavour: epas
  postgres_version: '15'
  preferred_python_version: python3
  use_volatile_subscriptions: false
  yum_repository_list: []

locations:
- Name: dc1

instance_defaults:
  platform: bare
  vars:
    ansible_user: root
    local_source_directories:
      - ~/mycluster/local-repo:/var/opt/tpa/local-repo:ro

instances:
- Name: NODE1
  backup: BARMAN-SERVER
  ip_address: 192.168.1.102
  location: dc1
  node: 1
  role:
  - bdr
  - pgd-proxy
  vars:
    bdr_child_group: dc1_subgroup
    bdr_node_options:
      route_priority: 100
- Name: NODE2
  ip_address: 192.168.1.103
  location: dc1
  node: 2
  role:
  - bdr
  - pgd-proxy
  vars:
    bdr_child_group: dc1_subgroup
    bdr_node_options:
      route_priority: 100
- Name: NODE3
  ip_address: 192.168.1.104
  location: dc1
  node: 3
  role:
  - bdr
  - pgd-proxy
  vars:
    bdr_child_group: dc1_subgroup
    bdr_node_options:
      route_priority: 100
- Name: BARMAN-SERVER
  ip_address: 192.168.1.105
  location: dc1
  node: 4
  role:
  - barman

8- Run tpaexec provision and then tpaexec deploy. If you don't have SSH access correctly configured between the TPAexec host and the target nodes for a bare deployment, you must follow the instructions in the TPA documentation page "bare(-metal servers)".
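
The packages copied in step 5 are installed on every node, so it is worth confirming that the directory arrived unchanged before running tpaexec deploy. The following is an added example, not part of the original article or of TPAexec; the manifest file name and its location next to local-repo are assumptions, and it relies on GNU coreutils and findutils as shipped with RedHat 8.

```shell
#!/bin/sh
# Added example: integrity manifest for the local-repo directory that
# step 5 copies across the air gap. Keep the manifest OUTSIDE local-repo.

abs_path() {
  case "$1" in /*) printf '%s\n' "$1" ;; *) printf '%s\n' "$PWD/$1" ;; esac
}

# On TPAWITHNET, after `tpaexec download-packages`:
#   make_manifest ~/mycluster/local-repo ~/mycluster/local-repo.sha256
make_manifest() {
  manifest=$(abs_path "$2")
  ( cd "$1" || exit 1
    # Paths are recorded relative to the repo root so they verify anywhere.
    find . -type f -exec sha256sum {} + | sort -k 2 > "$manifest" )
}

# On TPAWITHOUTNET, after the copy and before `tpaexec deploy`:
#   verify_manifest ~/mycluster/local-repo ~/mycluster/local-repo.sha256
# Fails on a changed or missing file, and on any file the manifest does
# not list (an unlisted package would be offered to every node).
verify_manifest() {
  manifest=$(abs_path "$2")
  ( cd "$1" || exit 1
    rc=0
    [ -s "$manifest" ] || { echo "manifest missing or empty" >&2; exit 1; }
    sha256sum --quiet -c "$manifest" >&2 || rc=1
    listed=$(wc -l < "$manifest")
    present=$(find . -type f -print0 | tr -cd '\0' | wc -c)
    if [ "$present" -ne "$listed" ]; then
      echo "file count mismatch: $present present, $listed listed" >&2
      rc=1
    fi
    exit "$rc" )
}
```

A manifest that travels over the same channel as the packages only detects corruption; to detect tampering, compare the SHA-256 of the manifest itself over a separate channel or sign it.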

After the deployment, the target machines will have only the tpa-local-repo available if you check them using the yum repolist command. However, you can manually re-enable any repository, as mentioned above. The repository files are located in /etc/yum.repos.d/ in the case of RedHat-like distributions:

$ yum repolist

repo id          repo name
tpa-local-repo   Local repository (set up by TPA)
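
The same check can be scripted so that a repository re-enabled by hand on a node is noticed. This is an added example, not part of the original article; the function names and the sample output are constructed for illustration, and the function reads yum repolist output on standard input.

```shell
#!/bin/sh
# Added example: flag any enabled repository other than tpa-local-repo.
# Prints one line per finding and returns non-zero if there is any.
audit_repolist() {
  awk -v allowed="tpa-local-repo" '
    $1 == "repo" && $2 == "id" { in_list = 1; next }  # header row
    !in_list || NF == 0        { next }               # preamble, blank lines
    $1 == allowed              { found = 1; next }
    { print "unexpected enabled repo: " $1; bad = 1 }
    END {
      if (!found) { print allowed " not enabled"; bad = 1 }
      exit (bad ? 1 : 0)
    }
  '
}

# Constructed sample: a node where EPEL was re-enabled after deployment.
sample_repolist() {
  cat <<'EOF'
Updating Subscription Management repositories.
repo id          repo name
epel             Extra Packages for Enterprise Linux 8
tpa-local-repo   Local repository (set up by TPA)
EOF
}
```

For a real node, pipe the command output into the function, for example: ssh root@192.168.1.102 yum repolist | audit_repolist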
