I have always just used the resilient-sdk command to package apps that I already had the integration part of them working. Never had to package additional content into them. I believe that it would likely already do that for you, but you do have the ability to change the docker file if need be to pull in Linux packages if need be.
Original Message:
Sent: Tue February 20, 2024 02:09 AM
From: Yi XIE
Subject: Migration from Integration Server to AppHost
Thanks, Nick,
While I downloaded some APP zip files from APP exchange, I found that some of the apps put the dependency Python packages in the zip file.
Could you help advise when we should put the dependencies in the zip file? Can it be generated automatically?
------------------------------
Yi XIE
Original Message:
Sent: Mon February 19, 2024 01:13 PM
From: Nick Mumaw
Subject: Migration from Integration Server to AppHost
Hey Yi,
I answered this on the video as well. The zip contains not only the code of the App, but also the customizations within SOAR, meaning your playbooks, fields, artifact types, data tables and more that would be included in the integration.
Thanks!
------------------------------
Nick Mumaw, GPEN, GPYC
Cyber Security Specialist - SOAR
IBM - Security
Original Message:
Sent: Sun February 18, 2024 02:26 AM
From: Yi XIE
Subject: Migration from Integration Server to AppHost
Hi Nick,
Can you help advise what the usage of the zip file of the app is, as the image has been pushed?
------------------------------
Yi XIE
Original Message:
Sent: Tue February 06, 2024 10:45 AM
From: Nick Mumaw
Subject: Migration from Integration Server to AppHost
The integration server can be any server that is running your app registry. There are other ways to keep the app registry air-gapped the entire time, but you will need to have at least 1 system that is not to pull images from online registries your private registry so I found this to be the easiest method. Other than that you seemed to get all of the concepts that I documented. I did have someone let me know that there are some version changes from the version I did my video on to v51. I have marked those below and will update the documentation linked in the description of the video when I get a chance!
- on v51 we use v1.23.6+k3s2 instead of v1.23.6+k3s1.
These are the new versions we need:
- rancher/mirrored-metrics-server:v0.6.3
- rancher/local-path-provisioner:v0.0.24
- rancher/mirrored-coredns-coredns:1.10.1
which are not available on k3s1
- There is also an image called mirrored-pause:3.6 that is not included in that file and I had to manually add to my local registry.
------------------------------
Nick Mumaw, GPEN, GPYC
Cyber Security Specialist - SOAR
IBM - Security
Original Message:
Sent: Tue February 06, 2024 01:58 AM
From: Philip Ng
Subject: Migration from Integration Server to AppHost
Hi Nick,
Thank you for your detailed explanation!
I have watched the videos you shared and I would like to clarify a few points.
In your lab environment, there are 3 VMs: SOAR, AppHost, Integration.
My understanding of their roles/functions in an air-gapped environment is,
Integration (Internet required): Establish private registry, generate keys, mirror repositories, etc.
AppHost (air-gapped): Copy everything generated in Integration above.
SOAR (air-gapped): Manage apps and other functions.
In conclusion,
I need to have an Integration server that is accessible to the internet for the initial setup.
And for the entire procedure of (air-gapped) AppHost installation,
AppHost only needs connection to Integration and SOAR but not the internet.
Please advise if the concept is right.
Thank you for your help again!
------------------------------
Philip Ng
Original Message:
Sent: Fri February 02, 2024 12:32 PM
From: Nick Mumaw
Subject: Migration from Integration Server to AppHost
Hey Philip,
I am not sure if there is any official documentation about how to migrate. However, I can try to explain a few things here.
Migration:
- When deploying the apphost, you will need to ensure that your apphost server can reach a few locations outside of what you want the integrations to be able to connect to; a link to those requirements is below (Note: You don't need the NTP Server). This can either be through the proxy settings (also linked below) or by opening firewall ports to these locations.
- Next, which it sounds like you were already able to do, create the pairing code and create the new apphost. The 2 links below will get that set up.
- After you have your apphost connected and in a running state, you will need to migrate your apps by installing them within the Administrator Settings -> Apps section and configuring the app. When ready to do the migration, uninstall the app from your integration server, restart the resilient-circuits software and deploy the app to the running apphost.
Air-Gapped Deployment of AppHost:
An air-gapped environment will require you to create your own app registry. This will involve creating an app registry and syncing over the apps that you will be using into your private registry. Then you will need to do a few configuration changes to the AppHost to link it to the private registry. I have actually created a video series on this as I got asked about this quite a bit. Take a look! https://www.youtube.com/playlist?list=PLTLN10cI6swAprESsrBbrvGRqaZ6FyYvu. The self-created documentation for doing this is linked in the video, which also includes the official documentation links as well!
I think the last one covers both of your last 2 questions, but let me know if you need any more information! Part of that deployment will be after creating the app registry moving it so it doesn't have an internet connection, hence the air-gapped.
Hope this all helps in your migration!
------------------------------
Nick Mumaw, GPEN, GPYC
Cyber Security Specialist - SOAR
IBM - Security
Original Message:
Sent: Thu February 01, 2024 11:21 PM
From: Philip Ng
Subject: Migration from Integration Server to AppHost
Hi Community,
I am trying to deploy AppHost to our deployment, and then migrate existing apps from integration server to AppHost.
However, I could not find any document describing the procedure apart from migration between AppHosts.
In case NO MIGRATION is possible, I have tried to build a new AppHost (stand-alone software) in our isolated environment.
I was stuck in the last step of pairing with SOAR platform.
The status on web GUI of the AppHost was shown as 'Paired'.
And when I checked the status of k3s, it showed error message,
apphost1.localhost k3s[28894]: E0201 22:56:37.737579 28894 remote_runtime.go:105] RunPodSandbox from runtime service failed: rpc error: code = Unknown desc = failed to get sandbox image "docker.io/rancher/pause:3.1"
apphost1.localhost k3s[28894]: E0201 22:56:37.737774 28894 pod_workers.go:191] Error syncing pod
I guess it is due to absence of proxy configuration.
Does having a private repository have an effect on it?
To sum up my questions,
1. Is there a migration procedure from integration server to AppHost?
2. Is it possible to build an AppHost in an isolated environment? If internet connection is needed for certain steps, can I disconnect after the initial setup?
3. Which step do I perform setting up a private repository? Before or after AppHost is successfully paired? Does it bypass internet connection if it is set up?
Reference
https://www.ibm.com/docs/en/sqsp/47?topic=installation-install-app-host
https://www.ibm.com/docs/en/sqsp/47?topic=guide-private-repository
https://community.ibm.com/community/user/security/discussion/resilient-apphost-pairing-fails
https://www.ibm.com/support/pages/node/6321353
https://community.ibm.com/community/user/security/communities/community-home/digestviewer/viewthread?MessageKey=4e253dc3-2ce7-4adc-adc8-9bccfc7ad6df&CommunityKey=d2f71e8c-108e-4652-b59c-29d61af7163e&tab=digestviewer#bm4e253dc3-2ce7-4adc-adc8-9bccfc7ad6df
------------------------------
Thank you!
Philip Ng
------------------------------
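
An added example (not written by any poster in this thread and not IBM tooling): a POSIX shell check that extracts the image references k3s reports as unpullable from log lines like those in the first post, and lists the ones absent from a mirror inventory. The inventory format (one `repository:tag` per line) and the function names are assumptions; the inventory entries are the v51 image names quoted in the thread.

```shell
#!/bin/sh
# Print each image named in a k3s 'failed to get sandbox image "<ref>"' message, once.
failed_images() {
  sed -n 's/.*failed to get sandbox image "\([^"]*\)".*/\1/p' | sort -u
}

# Drop a leading registry host (docker.io, localhost, host:port) so that
# references compare by repository:tag regardless of which registry serves them.
strip_registry() {
  case $1 in
    */*)
      case ${1%%/*} in
        *.*|*:*|localhost) printf '%s\n' "${1#*/}"; return ;;
      esac ;;
  esac
  printf '%s\n' "$1"
}

# Read image references on stdin; print those not listed in the inventory file $1.
missing_from_mirror() {
  while IFS= read -r ref; do
    ref=$(strip_registry "$ref")
    grep -qxF -- "$ref" "$1" || printf '%s\n' "$ref"
  done
}

# Log lines as quoted in the first post of the thread.
SAMPLE_LOG='apphost1.localhost k3s[28894]: E0201 22:56:37.737579 28894 remote_runtime.go:105] RunPodSandbox from runtime service failed: rpc error: code = Unknown desc = failed to get sandbox image "docker.io/rancher/pause:3.1"
apphost1.localhost k3s[28894]: E0201 22:56:37.737774 28894 pod_workers.go:191] Error syncing pod'

# Constructed inventory of a private registry, using the image names
# exactly as they are written in the thread.
MIRRORED=$(mktemp)
cat >"$MIRRORED" <<'EOF'
rancher/mirrored-metrics-server:v0.6.3
rancher/local-path-provisioner:v0.0.24
rancher/mirrored-coredns-coredns:1.10.1
mirrored-pause:3.6
EOF

# Images the AppHost asked for that the mirror does not hold.
printf '%s\n' "$SAMPLE_LOG" | failed_images | missing_from_mirror "$MIRRORED"
```

On a live AppHost the same pipeline can be fed from the k3s service log instead of `SAMPLE_LOG`, and the inventory generated from whatever the private registry actually holds.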