Deploy a RHEL appliance in a disconnected environment
Deploy the Ansible automation portal RHEL appliance in a disconnected or air-gapped environment where the appliance has no access to external registries or the internet.
You have a method to transfer the disk image to the disconnected environment (for example, removable media, secure file transfer, or an internal mirror registry).
You have a virtualization platform available in the disconnected environment (Red Hat OpenShift Virtualization, VMware vSphere, or KVM).
You have network connectivity from the appliance to your Ansible Automation Platform instance (internal network).
The appliance image includes everything needed to run without pulling content from external registries:
Pre-bundled Ansible plugins
Dynamic plugins are extracted at build time and stored at /usr/share/portal/plugins/. The appliance loads plugins from the local filesystem, not from a registry.
Pre-pulled container images
The Ansible automation portal and PostgreSQL container images are embedded in the appliance image. No container image pulls occur at runtime.
Self-signed SSL certificates
Generated locally at first boot. You can replace them with your own certificates after deployment.
No registry authentication required
The appliance starts and runs without registry credentials. Registry authentication is only needed for future upgrades.
Procedure
Transfer the appliance image
Transfer the disk image from a connected machine to your disconnected environment. Choose the method that fits your network topology.
Removable media: Copy the disk image directly to the disconnected host using removable media (USB drive, portable storage) or a secure file transfer mechanism.
Internal mirror registry: If your disconnected environment has an internal container registry, you can copy the bootc container image to your mirror and build disk images from it.
On a connected machine, copy the bootc container image to your internal registry:
If your mirror registry uses a self-signed certificate, add the CA certificate to the system trust store on the machine where you will build the disk image:
Build the disk image from the mirror registry in your disconnected environment. Refer to the Red Hat documentation for building bootc disk images from a custom registry source.
Deploy the resulting disk image using the standard installation procedure for your platform.
Deploy the appliance
Deploy the appliance on your virtualization platform following the standard deployment procedure for your environment:
Provide initial configuration through cloud-init, VMware guestinfo properties, or a pre-seeded configuration file.
The cloud-init configuration for a disconnected deployment is the same as a connected deployment. Use the templates from Configure the appliance at first boot.
The following differences apply in a disconnected environment:
Source control integrations require network access. The integrations.github and integrations.gitlab cloud-init fields require network access to the source control service. If your disconnected environment has internal GitHub Enterprise or GitLab instances, configure these fields with the internal hostnames.
Set network.base_url to match your internal DNS or IP. Set network.base_url to the hostname or IP address that users will use to access the Ansible automation portal RHEL appliance on your internal network. If omitted, the appliance auto-detects the VM IP address.
Minimal cloud-init template for disconnected deployment:
SSH into the Ansible automation portal RHEL appliance:
$ ssh <username>@<appliance-ip>
Check that all three services are running:
$ sudo systemctl status portal postgres devtools
All three services (portal, postgres, devtools) should show active (running).
Alternatively, use the portal management CLI for detailed diagnostics:
$ sudo ansible-portal status
Verify that the Ansible automation portal is accessible:
$ curl -fk https://<appliance-address>
Verify that Ansible plugins loaded from the local filesystem:
$ sudo podman exec portal ls /opt/app-root/src/dynamic-plugins-root/
You should see plugin directories listed. These plugins were loaded from the pre-baked files at /usr/share/portal/plugins/, not from a registry.
Set up registry credentials for upgrades (optional)
If you plan to upgrade the appliance using bootc upgrade from registry.redhat.io or a mirror registry, log in to the container registry and save the credentials: