With the release of VMware Cloud Foundation (VCF) 5.2, a new version of the Offline Bundle Transfer Utility (OBTU) is now available, enabling administrators to create a secure, offline repository of software bundles within their own firewall, providing greater control and flexibility in managing software updates and deployments.
By default, VCF deployments connect to the VMware online depot, which is accessed via the Internet and requires Broadcom Support Portal credentials for authentication. However, in situations where SDDC Manager cannot access the internet directly, administrators need an alternative way to obtain patches and updates for VCF infrastructure. Until now, administrators had to use the OBTU to download software bundles, copy them to each SDDC Manager instance, and then run an import command to update the infrastructure. With the new offline depot architecture, administrators can download bundles to an internal web server and configure each SDDC Manager to pull patches and updates from that server directly, eliminating the need for additional copying or importing steps.
This article provides technical details on setting up an offline depot and configuring SDDC Manager instances to use it.
Setting Up an Offline Depot
An offline depot is a self-managed web server that will act as an internal mirror of the official VMware online depot. You use OBTU to download software bundles to this system and a standard web server to serve the content to internal SDDC Manager instances that do not have access to the Internet. This web server should be configured with HTTPS certificates and protected with a basic auth username and password.
To get started, deploy a new web server VM of your choice with adequate disk space provisioned, such as 1TB, for the software bundle repository. This guide will be based on Rocky Linux 9.3, which is a popular free enterprise Linux distribution. You will also need to have valid credentials for the Broadcom Support Portal – use them to log in to the Portal and download the latest version of of OBTU.
Set up OBTU on the offline depot system
|
1 2 3 4 5 6 7 8 9 10 |
<code>sudo mkdir -p /var/www/offline_depot sudo chown $USER:$USER /var/www/offline_depot sudo mkdir /opt/obtu sudo chmod 755 /opt/obtu/ sudo chown $USER:$USER /opt/obtu/ tar zxvf lcm-tools-prod.tar.gz --directory=/opt/obtu/ chmod +x /opt/obtu/bin/lcm-bundle-transfer-util</code> |
Configure Apache HTTPD with HTTPS and Basic Auth
You can generate an SSL cert and key pair using your enterprise PKI infrastructure or you can use a self-signed certificate for test and proof-of-concepts purposes. The following script shows what generally needs to be done to configure the web server.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
#!/usr/bin/env bash # Minimal example of how to set up Apache httpd server with # self-signed SSL certificate and basic auth FQDN=$(hostname -f) sudo dnf install -y httpd mod_ssl jq # Appropriate SELinux configuration should be done for production sudo setenforce Permissive # create basic auth username & password sudo htpasswd -b -c /etc/httpd/.htpasswd depot vmware # generate self-signed SSL cert for Apache sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -subj "/CN=$FQDN" \ -keyout /etc/pki/tls/private/offline_depot.key \ -out /etc/pki/tls/certs/offline_depot.crt sudo firewall-cmd --add-service=https --permanent sudo firewall-cmd --reload # configure virtual host for the local sever name sed "s|ServerName .*|ServerName $FQDN|" offline_depot_httpd.conf | sudo tee /etc/httpd/conf.d/offline_depot_httpd.conf apachectl configtest sudo systemctl enable --now httpd # if the cert changes, this is needed sudo apachectl restart # create an index file to test echo "Offline Depot OK" >/var/www/offline_depot/index.html curl https://"$FQDN" -k --silent -u depot:vmware |
$ cat offline_depot_httpd.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName replace_with_fqdn
DocumentRoot /var/www/offline_depot/
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/offline_depot.crt
SSLCertificateKeyFile /etc/pki/tls/private/offline_depot.key
<Directory /var/www/offline_depot/>
AuthType Basic
AuthName “Restricted Content”
AuthUserFile /etc/httpd/.htpasswd
Require valid-user
</Directory>
Alias /products/v1/bundles/lastupdatedtime /var/www/offline_depot/PROD2/vsan/hcl/lastupdatedtime.json
Alias /products/v1/bundles/all /var/www/offline_depot/PROD2/vsan/hcl/all.json
Alias /Compatibility/VxrailCompatibilityData.json /var/www/offline_depot/PROD2/evo/vmw/Compatibility/VxrailCompatibilityData.json
</VirtualHost>
</IfModule>
Download appropriate software bundles
Execute the utility, adjusting the parameters according to your current VCF deployments.
|
1 2 3 4 5 6 7 8 9 10 11 |
#!/usr/bin/env bash cd /opt/obtu/bin ./lcm-bundle-transfer-util --setUpOfflineDepot \ --offlineDepotRootDir /var/www/offline_depot \ --offlineDepotUrl https://"$(hostname -f)" \ --depotUser broadcom.support.portal.username \ --depotUserPasswordFile ~/online_depot_passwd.txt \ --sourceVersion 5.1.0.0 |
Configure Trusted Certificate
In order for SDDC Manager to access the offline depot web server over HTTPS, the certificate must be trusted. If using a self-signed certificate, upload it using the Developer Center in SDDC Manager. The following command will generate the necessary format for use.
|
1 2 3 4 |
echo '{ "certificate" : '$(jq -sR . /etc/pki/tls/certs/offline_depot.crt)', "certificateUsageType" : "TRUSTED_FOR_OUTBOUND" }' |
Verify the offline depot is working before attempting to configure SDDC Manager to use it.
|
1 |
curl https://od.vcf.sddc.lab/PROD2/evo/vmw/index.v3 -k -u depot:vmware |
Configure VCF 5.1 SDDC Manager to use the Offline Depot
You can configure VCF 5.1 to use an offline depot, but there is no graphical configuration to do so. Instead, a command-line tool that is part of the OBTU distribution must be used. Install OBTU on the SDDC Manager and then run the depot_config.py script, providing the FQDN of the new offline depot server.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
su - mkdir /opt/vmware/vcf/lcm/lcm-tools chown -R vcf:vcf /opt/vmware/vcf/lcm/lcm-tools exit tar zxvf lcm-tools-prod.tar.gz --directory=/opt/vmware/vcf/lcm/lcm-tools cd /opt/vmware/vcf/lcm/lcm-tools/bin chmod +x lcm-bundle-transfer-util cd /opt/vmware/vcf/lcm/lcm-tools/conf/offline_depot python3 depot_config.py --depotMode offline \ --depotUrl https://od.vcf.sddc.lab |
Once that configuration takes effect, log into the SDDC Manager user interface and configure the depot credentials with your offline depot username and password. This is the same interface that the default online depot uses, but after the above reconfiguration step, it now applies to the offline depot instead.
Configure VCF 5.2 SDDC Manager to use the Offline Depot
SDDC Manager in VCF 5.2 has an updated user interface that allows administrators to choose between an online or offline depot. Once the offline depot is ready to go, simply log in and enter the FQDN, port, and credentials.
Demo Video
Takeaway
The new offline depot capability launched with VMware Cloud Foundation 5.2 provides a significant enhancement for administrators, allowing them to set up a mirror of software bundles needed for patching and updating VCF infrastructure. With this new model, administrators can reduce the time and effort required for patching and updating, and can also help scale deployments by eliminating the need for redundant downloads of large files from the Internet. To get started with setting up an offline depot, follow the steps outlined in this guide and discover the benefits of streamlined patching and updating for your VCF infrastructure.
