Configure the appliance and install software

This page describes how to set up and configure Google Distributed Cloud (GDC) air-gapped appliance at the customer site.

On first boot, the drives are unlocked without human intervention. The configuration takes about four to six hours to complete.

Before you begin

  1. Create the input configuration file.
  2. If you plan to use an external NTP server or HSM, connect the appliance to the hardware before you run the install.

Configure the appliance

Verify all fields of the input configuration file are accurate. Once the file is copied to the server blade in the following steps, the final configuration begins automatically and cannot easily be stopped.

  1. Transfer the input configuration file to the path /var/lib/assets/ciq_configure_input.yaml on the server blade assigned the 198.18.0.6 IP address.

    scp configuration-input.yaml applianceusr@198.18.0.6:/var/lib/assets/ciq_configure_input.yaml
    
  2. The configuration starts automatically and saves output in the /var/log/gdch-install.txt file.

  3. Monitor progress with one of the following:

    • Monitor the /var/log/gdch-install.txt file with the following:

      ssh applianceusr@198.18.0.6 'tail -f /var/log/gdch-install.txt'
      

      The install is complete when the cleanup phase has completed. The log shows a line like the following:

      <<< Completed phase: cleanup
      
    • Alternatively, check the status of the installation service with the following:

      ssh applianceusr@198.18.0.6 'systemctl status gdch-app-install'
      

      The output indicates the status of the installation. In particular, the Active field indicates whether the install is ongoing, failed, or inactive. When the line indicates that the install process is inactive and has a status of 0/SUCCESS, the installation is complete.
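The two completion signals above (the `<<< Completed phase: cleanup` log line and an inactive `gdch-app-install` unit with `status=0/SUCCESS`) can be polled together instead of watched by hand. The following script is an added example and is not part of the GDC documentation; it assumes the appliance is reachable as applianceusr@198.18.0.6 over SSH, uses the log path and service name given on this page, and relies on the standard `systemctl status` output format (`Active:` line and `status=0/SUCCESS`). The sample log and status texts embedded in it are constructed so the classifier can be run without an appliance.

```bash
#!/bin/bash
# Added example (not from the GDC documentation): classify the install state
# from the install log and the gdch-app-install service status, and poll
# until the install completes, fails, or a timeout expires.
# Assumptions: SSH access as applianceusr@198.18.0.6, the log path and
# service name named on the page, standard systemctl status output.

APPLIANCE="applianceusr@198.18.0.6"
INSTALL_LOG="/var/log/gdch-install.txt"
INSTALL_SERVICE="gdch-app-install"

# Fixed-string, whole-text substring test.
has() { printf '%s\n' "$1" | grep -qF -- "$2"; }

# Prints one of: running, complete, failed.
# A failed unit is checked first so it is never reported as still running.
classify_install() {
    local log_text="$1" status_text="$2"
    if has "$status_text" "Active: failed"; then
        echo failed
    elif has "$log_text" "<<< Completed phase: cleanup" \
         && has "$status_text" "Active: inactive" \
         && has "$status_text" "status=0/SUCCESS"; then
        echo complete
    else
        echo running
    fi
}

# Pulls the current log and unit status from the appliance with the same
# commands the page uses, then classifies them.
fetch_install_state() {
    local log_text status_text
    log_text=$(ssh "$APPLIANCE" "cat $INSTALL_LOG" 2>/dev/null)
    status_text=$(ssh "$APPLIANCE" "systemctl status $INSTALL_SERVICE" 2>/dev/null)
    classify_install "$log_text" "$status_text"
}

# Polls every INTERVAL seconds for at most TIMEOUT seconds.
# Returns 0 on completion, 1 on failure, 2 on timeout.
wait_for_install() {
    local timeout="${1:-21600}" interval="${2:-60}" elapsed=0 state
    while [ "$elapsed" -lt "$timeout" ]; do
        state=$(fetch_install_state)
        echo "$(date '+%H:%M:%S') install state: $state"
        case "$state" in
            complete) return 0 ;;
            failed)   return 1 ;;
        esac
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "install did not finish within ${timeout}s" >&2
    return 2
}

# Constructed sample texts (not captured from a real appliance).
SAMPLE_LOG_RUNNING='>>> Starting phase: cleanup'
SAMPLE_LOG_DONE='>>> Starting phase: cleanup
<<< Completed phase: cleanup'
SAMPLE_STATUS_RUNNING='gdch-app-install.service - GDC appliance install
     Active: active (running) since Mon 00:00:00 UTC
   Main PID: 1234 (gdcloud)'
SAMPLE_STATUS_DONE='gdch-app-install.service - GDC appliance install
     Active: inactive (dead) since Mon 04:00:00 UTC
   Main PID: 1234 (code=exited, status=0/SUCCESS)'
SAMPLE_STATUS_FAILED='gdch-app-install.service - GDC appliance install
     Active: failed (Result: exit-code) since Mon 01:00:00 UTC
   Main PID: 1234 (code=exited, status=1/FAILURE)'

# Stand-alone demo over the constructed samples (no appliance needed):
classify_install "$SAMPLE_LOG_RUNNING" "$SAMPLE_STATUS_RUNNING"   # running
classify_install "$SAMPLE_LOG_DONE" "$SAMPLE_STATUS_DONE"         # complete
classify_install "$SAMPLE_LOG_DONE" "$SAMPLE_STATUS_FAILED"       # failed
# Against a real appliance, with the six-hour upper bound from the page:
#   wait_for_install 21600 60
```

Requiring both the log line and the unit's `0/SUCCESS` status before declaring success avoids treating a log that stopped mid-cleanup, or a unit that exited nonzero after logging the phase, as a finished install.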

Back up the credentials

Retrieve the device emergency credentials and store them in a secure location.

  1. Create a backup archive of the access credentials by running the following command. Enter the applianceusr password when prompted:

    ssh applianceusr@198.18.0.6 'sudo -S /var/lib/release/gdcloud appliance install --phase=postinstall'
    
  2. Copy the credential backup to the bootstrapper by running the following commands. Enter the applianceusr password when prompted:

    ssh applianceusr@198.18.0.6 'sudo -S setfacl -m u:applianceusr:rwx /var/lib/assets/credentials.tar.gz'
    scp applianceusr@198.18.0.6:/var/lib/assets/credentials.tar.gz .
    
  3. Verify that the contents of this archive include the cellcfg backup, identity provider credentials, switch credentials, and SSH keys for the server blade assigned the 198.18.0.6 IP address.

  4. Store the archive on a separate, secure medium (such as a USB drive) for emergency access.
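Steps 3 and 4 can be backed by a scripted check: list the archive, confirm each credential category is present, and record a SHA-256 checksum to re-verify the copy on the removable medium. The script below is an added example, not part of the GDC documentation. The entry names inside credentials.tar.gz are not documented on this page, so the substrings it matches (cellcfg, idp, switch, ssh) are hypothetical and should be replaced with the names seen in the real listing; the sample archives it builds are constructed placeholders.

```bash
#!/bin/bash
# Added example (not from the GDC documentation): verify a credentials
# backup archive contains every category the page lists and record its
# SHA-256 before it is stored offline.
# Assumption: entry names contain the substrings below. These are
# hypothetical; adjust them to match `tar -tzf credentials.tar.gz`.

REQUIRED_PATTERNS="cellcfg idp switch ssh"

# Prints the archive listing; fails if the file is not a readable gzip tar.
list_archive() {
    tar -tzf "$1"
}

# Returns 0 when every required pattern matches at least one entry.
# Otherwise prints the missing categories to stderr and returns 1.
verify_credential_archive() {
    local archive="$1" listing missing="" pat
    listing=$(list_archive "$archive") || return 1
    for pat in $REQUIRED_PATTERNS; do
        if ! printf '%s\n' "$listing" | grep -qi -- "$pat"; then
            missing="$missing $pat"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing from $archive:$missing" >&2
        return 1
    fi
    return 0
}

# Prints the SHA-256 hex digest of the archive (portable across
# sha256sum and shasum hosts) for re-checking after the copy.
archive_checksum() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Builds a constructed sample archive containing one placeholder file per
# category name given as an argument, and prints the archive path.
make_sample_archive() {
    local dir name
    dir=$(mktemp -d)
    mkdir "$dir/creds"
    for name in "$@"; do
        printf 'placeholder\n' > "$dir/creds/$name-sample.txt"
    done
    tar -czf "$dir/credentials.tar.gz" -C "$dir" creds
    echo "$dir/credentials.tar.gz"
}

# Stand-alone demo over constructed archives (no appliance needed):
full=$(make_sample_archive cellcfg idp switch ssh)
verify_credential_archive "$full" && echo "complete: sha256 $(archive_checksum "$full")"
partial=$(make_sample_archive cellcfg idp switch)
verify_credential_archive "$partial" || echo "incomplete archive rejected"
rm -rf "$(dirname "$full")" "$(dirname "$partial")"
# Against the real backup copied in step 2:
#   verify_credential_archive ./credentials.tar.gz && archive_checksum ./credentials.tar.gz
```

Keep the recorded checksum with the offline copy, not inside the archive, so a corrupted or swapped USB image can be detected before an emergency access attempt depends on it.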

Delete appliance user and stop appliance install services

After the emergency credentials are backed up, run the following command on the server blade assigned the 198.18.0.6 IP address to delete the default appliance user account and stop the install services. To access that server blade in the future, use the emergency credentials.

  1. Execute the following to remove the default user access and secure the device:

    ssh applianceusr@198.18.0.6 'sudo -S /usr/local/bin/cleanup_appliance_user.sh'
    

Manage YubiKeys

After a YubiKey is inserted into a server, it is paired with that server and cannot be moved to a different server. The keys can't be used interchangeably.

The YubiKey only needs to be inserted during the boot process. Removing the YubiKey after the boot process doesn't affect the operation of the appliance. If you remove the YubiKey, it must be reinserted in the same node before the next boot.

What's next