This page describes how to set up and configure Google Distributed Cloud (GDC) air-gapped appliance at the customer site.
On first boot, the drives are unlocked without human intervention. The configuration takes about four to six hours to complete.
Before you begin
- Create the input configuration file.
- If you plan to use an external NTP server or HSM, connect the appliance to the hardware before you run the install.
Configure the appliance
Verify all fields of the input configuration file are accurate. Once the file is copied to the server blade in the following steps, the final configuration begins automatically and cannot easily be stopped.
Transfer the input configuration file to the path /var/lib/assets/ciq_configure_input.yaml on the server blade assigned the 198.18.0.6 IP address:
scp configuration-input.yaml applianceusr@198.18.0.6:/var/lib/assets/ciq_configure_input.yaml
The configuration starts automatically and saves output in the /var/log/gdch-install.txt file. Monitor progress with one of the following:
Monitor the /var/log/gdch-install.txt file with the following:
ssh applianceusr@198.18.0.6 'tail -f /var/log/gdch-install.txt'
The install is complete when the cleanup phase has completed. The log shows a line like the following:
<<< Completed phase: cleanup
Alternatively, you can look for the status of the installation service with the following:
ssh applianceusr@198.18.0.6 'systemctl status gdch-app-install'
The output indicates the status of the installation. In particular, the Active field indicates whether the install is ongoing, failed, or inactive. When that line shows the install process as inactive with a status of 0/SUCCESS, the installation is complete.
Back up the credentials
Retrieve the device emergency credentials and store them in a secure location.
Create a backup archive of the access credentials by running the following, and enter the applianceusr password when prompted:
ssh applianceusr@198.18.0.6 'sudo -S /var/lib/release/gdcloud appliance install --phase=postinstall'
Copy the credential backup to the bootstrapper by running the following, and enter the applianceusr password when prompted:
ssh applianceusr@198.18.0.6 'sudo -S setfacl -m u:applianceusr:rwx /var/lib/assets/credentials.tar.gz'
scp applianceusr@198.18.0.6:/var/lib/assets/credentials.tar.gz .
Verify that the contents of this archive include the cellcfg backup, identity provider credentials, switch credentials, and SSH keys for the server blade assigned the 198.18.0.6 IP address. Store the archive on a separate, secure medium (such as a USB drive) for emergency access. Do not delete the default appliance user until this archive has been checked and stored, because it is the only remaining way to reach the blade afterwards.
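The two completion checks above (the cleanup-phase marker in the install log and the Active field of the service status) and the archive verification, as an added POSIX shell example that is not part of the GDC documentation or the gdcloud tooling. It runs the checks over constructed sample input: the systemctl output text is written to look like typical systemd status output but is not captured from an appliance, and the file names inside the sample credentials archive are assumptions, since the real archive layout is not documented on this page. Point the functions at the real log file, the real systemctl output, and the real credentials.tar.gz, and adjust the name patterns to what tar -tzf actually lists.

```shell
#!/bin/sh
# Added example (not part of the GDC documentation or the gdcloud tooling):
# helpers that decide from the install log and from `systemctl status`
# output whether the appliance configuration has finished, and that check
# the credential backup archive before the default user is deleted.

# Return 0 if the install log ($1) contains the cleanup-phase marker.
install_log_complete() {
    grep -q '<<< Completed phase: cleanup' "$1"
}

# Classify `systemctl status gdch-app-install` text passed as $1.
# Prints one of: running | failed | complete | unknown
install_status() {
    _active=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Active:[[:space:]]*//p' | head -n 1)
    case "$_active" in
        active*)   echo running ;;
        failed*)   echo failed ;;
        inactive*)
            # Inactive is only a success when the process exited 0/SUCCESS.
            if printf '%s\n' "$1" | grep -q 'status=0/SUCCESS'; then
                echo complete
            else
                echo unknown
            fi ;;
        *)         echo unknown ;;
    esac
}

# Check that `tar -tzf` of the archive ($1) lists an entry matching each
# remaining argument (case-insensitive pattern). Returns 1 and names what is
# missing on stderr; returns 2 if the archive cannot be read at all.
verify_credentials_archive() {
    _archive=$1; shift
    _listing=$(tar -tzf "$_archive" 2>/dev/null) || return 2
    _missing=0
    for _pat in "$@"; do
        if ! printf '%s\n' "$_listing" | grep -qi -- "$_pat"; then
            echo "missing from $_archive: $_pat" >&2
            _missing=1
        fi
    done
    return $_missing
}

# Build a constructed archive holding the kinds of contents the page says
# to look for. The file names are assumptions for this example only.
make_sample_archive() {
    _dir=$(mktemp -d) || return 1
    for _f in cellcfg-backup.yaml idp-credentials.yaml switch-credentials.yaml ssh/id_rsa; do
        mkdir -p "$_dir/creds/$(dirname "$_f")"
        echo "placeholder" > "$_dir/creds/$_f"
    done
    tar -C "$_dir" -czf "$_dir/credentials.tar.gz" creds
    echo "$_dir/credentials.tar.gz"
}

# Constructed systemctl output (not captured from a real appliance).
STATUS_RUNNING='gdch-app-install.service - GDC appliance install
     Loaded: loaded (/etc/systemd/system/gdch-app-install.service; enabled)
     Active: active (running) since Mon 2024-01-01 10:00:00 UTC; 2h ago'
STATUS_DONE='gdch-app-install.service - GDC appliance install
     Loaded: loaded (/etc/systemd/system/gdch-app-install.service; enabled)
     Active: inactive (dead) since Mon 2024-01-01 15:00:00 UTC; 1h ago
    Process: 1234 ExecStart=(install command) (code=exited, status=0/SUCCESS)'
STATUS_FAILED='gdch-app-install.service - GDC appliance install
     Active: failed (Result: exit-code) since Mon 2024-01-01 12:00:00 UTC; 1h ago
    Process: 1234 ExecStart=(install command) (code=exited, status=1/FAILURE)'

# Run the checks once over the constructed input so the script is usable
# stand-alone; replace the inputs with the real log, status and archive.
demo() {
    _log=$(mktemp)
    printf 'earlier install output\n<<< Completed phase: cleanup\n' > "$_log"
    install_log_complete "$_log" && echo "log: cleanup phase completed"
    echo "status (running sample): $(install_status "$STATUS_RUNNING")"
    echo "status (failed sample):  $(install_status "$STATUS_FAILED")"
    echo "status (done sample):    $(install_status "$STATUS_DONE")"
    _archive=$(make_sample_archive)
    if verify_credentials_archive "$_archive" cellcfg idp switch ssh; then
        echo "archive: all required credential types present"
    fi
    rm -f "$_log"
    [ -n "$_archive" ] && rm -rf "$(dirname "$_archive")"
}
demo
```

The status classifier treats "inactive" without a status=0/SUCCESS line as unknown rather than complete, so a service that never ran, or that is still being reported while the process table is being cleared, is not mistaken for a finished install. The archive check fails closed: any missing credential type returns non-zero, which is the signal to stop before running the appliance-user cleanup.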
Delete appliance user and stop appliance install services
After the backup of emergency credentials is completed, run the following command on the server blade assigned the 198.18.0.6 IP address to delete the default appliance user account and stop the install services. To access the server blade assigned the 198.18.0.6 IP address in the future, use the emergency credentials.
Execute the following to remove the default user access and secure the device:
ssh applianceusr@198.18.0.6 'sudo -S /usr/local/bin/cleanup_appliance_user.sh'
Manage YubiKeys
After a YubiKey is inserted into a server, it is paired with that server and cannot be moved to a different server. The keys can't be used interchangeably.
The YubiKey only needs to be inserted during the boot process. Removing the YubiKey after the boot process doesn't affect the operation of the appliance. If you remove the YubiKey, it must be reinserted in the same node before the next boot.
What's next
- Configure external NTP
- Configure external HSM
- Set up IO tools to access runbooks
- Configure alert notifications