Configure the appliance and install software

This page describes how to set up and configure Google Distributed Cloud (GDC) air-gapped appliance at the customer site.

On first boot, the drives are unlocked without human intervention.

Decrypt the drive and boot the machine

Each GDC air-gapped appliance is shipped with YubiKeys inserted into each blade. Ensure that the YubiKeys are correctly inserted with the gold side facing up. Once a key is inserted, it is paired with that server and cannot be moved to a different server. These YubiKeys must be in their original slots in the corresponding server blade in order for the GDC air-gapped appliance to boot.

Configure the appliance

Verify all fields of the input configuration file are accurate. Once the file is copied to the server blade in the following steps, the final configuration begins automatically and cannot easily be stopped.

  1. Transfer the input configuration file to the path /var/lib/assets/ciq_configure_input.yaml on the server blade assigned the 198.18.0.6 IP address.

    scp configuration-input.yaml applianceusr@198.18.0.6:/var/lib/assets/ciq_configure_input.yaml
    
  2. The configuration starts automatically and saves output in the /var/log/gdch-install.txt file.

  3. Configuration is expected to take 4-5 hours. Monitor progress with one of the following:

    • Monitor the /var/log/gdch-install.txt file with the following:

      ssh applianceusr@198.18.0.6 'tail -f /var/log/gdch-install.txt'
      

      The install is complete when the cleanup phase has completed. The log shows a line like the following:

      <<< Completed phase: cleanup
      
    • Alternatively, check the status of the installation service with the following:

      ssh applianceusr@198.18.0.6 'systemctl status gdch-app-install'
      

      The output indicates the status of the installation. In particular, the Active field indicates if the install is ongoing, failed, or inactive. When the line indicates that the install process is inactive and has a status of 0/SUCCESS, the installation is complete.

Back up the credentials

Retrieve the device emergency credentials and store them in a secure location.

  1. Create a backup archive of the access credentials by running the following command. Enter the applianceusr password when prompted:

    ssh applianceusr@198.18.0.6 'sudo -S /var/lib/release/gdcloud appliance install --phase=postinstall'
    
  2. Copy the credential backup to the bootstrapper by running the following commands. Enter the applianceusr password when prompted:

    ssh applianceusr@198.18.0.6 'sudo -S setfacl -m u:applianceusr:rwx /var/lib/assets/credentials.tar.gz'
    scp applianceusr@198.18.0.6:/var/lib/assets/credentials.tar.gz .
    
  3. Verify that the contents of this archive include the cellcfg backup, identity provider credentials, switch credentials, and SSH keys for the server blade assigned the 198.18.0.6 IP address.

  4. Store the archive on a separate, secure medium (such as a USB drive) for emergency access.
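
One way to carry out steps 3 and 4 on the bootstrapper, as an added example that is not part of the GDC documentation: the hypothetical function `store_credential_backup` restricts the archive to its owner, lists it for review, copies it to the medium and confirms the copy by SHA-256. It assumes GNU tar and sha256sum, and that the second argument is the mount point of your separate medium.

```shell
#!/bin/sh
# Added example, not from the GDC documentation.
# Assumes GNU tar and sha256sum on the bootstrapper.

# store_credential_backup ARCHIVE DEST   (hypothetical helper)
# DEST is the mount point of the separate medium (assumption).
# Prints the archive's SHA-256 on stdout; non-zero status on any failure.
store_credential_backup() {
    archive=$1
    dest=$2
    name=$(basename "$archive")

    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 1; }
    [ -d "$dest" ] || { echo "destination not found: $dest" >&2; return 1; }

    # The archive holds emergency credentials: owner-only access.
    chmod 600 "$archive" || return 1

    # Listing to stderr for review (step 3). A truncated scp transfer
    # fails here with a gzip/tar error instead of being stored.
    tar -tzf "$archive" >&2 || { echo "archive unreadable" >&2; return 1; }

    sum=$(sha256sum "$archive" | cut -d' ' -f1)
    [ -n "$sum" ] || return 1

    # Copy, then read the copy back and compare digests (step 4).
    ( umask 077 && cp "$archive" "$dest/$name" ) || return 1
    copy_sum=$(sha256sum "$dest/$name" | cut -d' ' -f1)
    if [ "$sum" != "$copy_sum" ]; then
        echo "copy on $dest does not match the original" >&2
        rm -f "$dest/$name"
        return 1
    fi

    # Keep the digest beside the copy so it can be re-checked with
    # 'sha256sum -c' before the credentials are used in an emergency.
    printf '%s  %s\n' "$sum" "$name" > "$dest/$name.sha256"
    # Best effort: FAT-formatted media do not store Unix modes.
    chmod 600 "$dest/$name" "$dest/$name.sha256" 2>/dev/null || true
    printf '%s\n' "$sum"
}

# Run directly: sh script.sh credentials.tar.gz /path/to/medium
if [ "$#" -eq 2 ]; then
    store_credential_backup "$1" "$2"
fi
```

Compare the printed listing against the items named in step 3 before removing the medium.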

Delete appliance user and stop appliance install services

After the backup of emergency credentials is completed, run the following command on the server blade assigned the 198.18.0.6 IP address to delete the default appliance user account and stop install services. To access the server blade assigned the 198.18.0.6 IP address in the future, use the emergency credentials.

  1. Execute the following to remove the default user access and secure the device:

    ssh applianceusr@198.18.0.6 'sudo -S /usr/local/bin/cleanup_appliance_user.sh'
    

Manage YubiKeys

After the installation completes, the YubiKeys must stay in the server until you return the system.