Appendix A - Running InSpec In An Airgapped Environment
15.1 Running an InSpec profile using a local archive (for air-gapped target systems)
Tips
For more information on how to install InSpec on an air-gapped system, use the Chef instructions as guidance.
15.2 Prerequisites
Since a variety of different practices are used to create an air-gapped network, this guide focuses solely on the implementation of Chef software. As such, it makes the following assumptions:
- You have a way to get packages to your air-gapped machines
- Machines on your air-gapped network are able to resolve each other using DNS
- A server’s Fully Qualified Domain Name (FQDN) is the name that will be used by other servers to access it
- You have a private Ruby gem mirror to supply gems as needed
- You have an artifact store for file downloads. At a minimum, it should have the following packages available:
  - Chef Workstation
  - Chef Infra Client
  - Chef Supermarket
  - An install script for Chef Infra Client
15.3 Required cookbooks
This guide will link to the required cookbooks for each piece of software in that software’s respective section, but this is a full list of the cookbooks required to complete the entire guide:
For Chef Supermarket:
15.4 Required Gems
The following Ruby gems are required to install private Supermarket using the supermarket-omnibus-cookbook:
- mixlib-install
- mixlib-shellout
- mixlib-versioning
- artifactory
These should be accessible from your Gem mirror.
15.5 Create an install script
An install script is used to install Chef Infra Client when bootstrapping a new node. It simply pulls the Chef Infra Client package from your artifact store, and then installs it. For example, on Debian-based Linux systems, it would look similar to this:
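#!/bin/bash
# Stop at the first failed command so a failed download is never installed
set -e
cd /tmp/
# Pull the Chef Infra Client package from the artifact store
wget http://packages.example.com/chef_13.2.20-1_amd64.deb
# Install the downloaded package
dpkg -i chef_13.2.20-1_amd64.deb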
The install script should be accessible from your artifact store.
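The following is an added example, not part of the original guide or Chef's own install script: a variant that refuses to install unless the downloaded package matches a SHA-256 digest recorded when the package was staged in the artifact store. The function names `verify_sha256` and `install_verified` and the two-argument calling convention are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: install script that checks the package digest before dpkg runs.
set -eu

# verify_sha256 FILE EXPECTED_HEX (hypothetical helper)
# Returns 0 only if FILE exists and its SHA-256 equals EXPECTED_HEX.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 1
    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    case $expected in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 1
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# install_verified URL EXPECTED_HEX (hypothetical helper)
# Downloads into a private temporary directory (not a fixed name in /tmp),
# verifies the digest, and only then hands the file to dpkg.
install_verified() {
    url=$1
    workdir=$(mktemp -d)
    pkg="$workdir/$(basename "$url")"
    status=0
    if ! wget -q -O "$pkg" "$url"; then
        echo "download failed: $url" >&2; status=1
    elif ! verify_sha256 "$pkg" "$2"; then
        echo "SHA-256 mismatch for $pkg, refusing to install" >&2; status=1
    else
        dpkg -i "$pkg" || status=1
    fi
    rm -rf "$workdir"
    return "$status"
}

# Runs only when both arguments are given, e.g.:
#   install.sh http://packages.example.com/chef_13.2.20-1_amd64.deb <sha256>
if [ "$#" -eq 2 ]; then
    install_verified "$1" "$2"
fi
```

Record the digest on the connected side when the package is first downloaded, and carry it into the air-gapped network separately from the package itself.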