Air-Gapped Installations

For security purposes, some installations require that systems be isolated from the internet or outside networks.

An air-gapped system is not connected to an unsecured network, such as the public Internet, to an unsecured LAN, or to other computers that are connected to an unsecured network. The default mechanisms to update software on DGX systems and loading container images from the NGC Container Registry require an Internet connection. On an air-gapped system, which is isolated from the Internet, you must provide alternative mechanisms to update software and load container images.

Since most DGX software updates are completed through an over-the-network process with NVIDIA servers, this section explains how updates can be made when using an over-the-network method is not an option. It also includes a process to install Docker containers.

Here are the methods you can use:

  • Download the ISO image, copy it to removable media and then reimage the DGX System from the media.

    This method is available only for software versions that are available as ISO images for download. For details, see Reimaging This section provides information about how to install the DGX OS.

  • Update the DGX software by performing a network update from a local repository.

    This method is available only for software versions that are available for over-the-network updates.

Note

If you are using apt-mirror version 0.5.4-1 or higher, the following method described in this topic does not successfully update the repositories. To work around this issue, refer to Errors Occur When Loading Mirrored Repositories on Air-Gapped Systems in the Known Issues section for an alternative method.

Creating a Local Mirror of the NVIDIA and Canonical Repositories

Here are the steps to download the necessary packages to create a mirror of the repositories that are needed to update NVIDIA DGX systems. For more information on DGX OS versions and the release notes available, refer to Release Notes

Note

These procedures apply only to upgrades in the same major release, such as from 5.x to 5.y. The steps do not support upgrades across major releases, such as from DGX OS 4 to DGX OS 5.

  1. Identify the sources that correspond to the public NVIDIA and Canonical repositories that provide updates to the DGX OS.

    You can identify these sources from the /etc/apt/sources.list file and the contents of the /etc/apt.sources.list.d/ directory, or by using [System Settings, Software & Updates].

  2. Create and maintain a private mirror of the repository sources that you identified in the previous step.

  3. Update the sources that provide updates to the DGX system to use your private repository mirror instead of the public repositories.

To update these sources, modify the /etc/apt/sources.list file and the contents of /etc/apt.sources.list.d/ directory.

Creating the Mirror of the Repositories

The instructions in this section are to be performed on a system with internet access.

  • A system installed with Ubuntu OS is needed to create the mirror because there are several Ubuntu tools that need to be used.

  • You must be logged in to the system installed with Ubuntu OS as an administrator user because this procedure requires sudo privileges.

  • The system must contain enough storage space to replicate the repositories to a file system. The space requirement could be as high as 250 GB.

  • An efficient way to move large amount of data is needed, for example, shared storage in a DMZ, or portable USB drives that can be brought into the air-gapped area.

    The data will need to be moved to the systems that need to be updated. Make sure that any portable drives are formatted using ext4 or FAT32.

To create the mirror:

  1. Ensure that the storage device is attached to the system with network access and identify the mount point of the device.

    Here is a sample mount point that was used in these instructions:

    /media/usb/repository
    
  2. Install the apt-mirror package.

    sudo apt update
    
    sudo apt install apt-mirror
    
  3. Change the ownership of the target directory to the apt-mirror user in the apt-mirror group.

    sudo chown apt-mirror:apt-mirror /media/usb/repository
    

    The target directory must be owned by the user apt-mirror or the replication will not work.

  4. Configure the path of the destination directory in /etc/apt/mirror.list and use the included list of repositories below to retrieve the packages for both Ubuntu base OS and the NVIDIA DGX OS packages.

    ############# config ##################
    #
    set base_path /media/usb/repository #/your/path/here
    #
    # set mirror_path $base_path/mirror
    # set skel_path $base_path/skel
    # set var_path $base_path/var
    # set cleanscript $var_path/clean.sh
    # set defaultarch <running host architecture>
    # set postmirror_script $var_path/postmirror.sh
    set run_postmirror 0
    set nthreads 20
    set _tilde 0
    #
    ############# end config ##############
    # Standard Canonical package repositories:
    deb http://security.ubuntu.com/ubuntu jammy-security main multiverse universe restricted
    deb http://archive.ubuntu.com/ubuntu/ jammy main multiverse universe restricted
    deb http://archive.ubuntu.com/ubuntu/ jammy-updates main multiverse universe restricted
    #
    deb-i386 http://security.ubuntu.com/ubuntu jammy-security main multiverse universe restricted
    deb-i386 http://archive.ubuntu.com/ubuntu/ jammy main multiverse universe restricted
    deb-i386 http://archive.ubuntu.com/ubuntu/ jammy-updates main multiverse universe restricted
    #
    # CUDA specific repositories:
    deb http://developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64/ /
    #
    # DGX specific repositories:
    deb http://repo.download.nvidia.com/baseos/ubuntu/jammy/x86_64/ jammy common dgx
    deb http://repo.download.nvidia.com/baseos/ubuntu/jammy/x86_64/ jammy-updates common dgx
    #
    deb-i386 http://repo.download.nvidia.com/baseos/ubuntu/jammy/x86_64/ jammy common dgx
    deb-i386 http://repo.download.nvidia.com/baseos/ubuntu/jammy/x86_64/ jammy-updates common dgx
    # Clean unused items
    clean http://archive.ubuntu.com/ubuntu
    clean http://security.ubuntu.com/ubuntu
    
  5. Run apt-mirror and wait for it to finish downloading content.

    This will take a long time depending on the network connection speed.

    sudo apt-mirror
    
  6. Eject the removable storage with all packages.

    sudo eject /media/usb/repository
    

Configuring the Target Air-Gapped System

Here are the steps that explain how you can configure a target air-gapped DGX OS 5 system.

The instructions in this section are to be performed on the target air-gapped DGX system.

  • The target air-gapped DGX system is installed, has gone through the first boot process, and is ready to be updated with the latest packages.

  • The USB storage device on which the mirrors were created is attached to the target DGX system.

There are other ways to transfer the data that are not covered in this document as they will depend on the data center policies for the air-gapped environment.

  1. Mount the storage device on the air-gapped system to /media/usb/repository for consistency2. Configure the apt command to use the file system as the repository in the file /etc/apt/sources.list by modifying the following lines.

    deb file:///media/usb/repository/mirror/security.ubuntu.com/ubuntu focal-security main multiverse universe restricted
    deb file:///media/usb/repository/mirror/archive.ubuntu.com/ubuntu/ focal main multiverse universe restricted
    deb file:///media/usb/repository/mirror/archive.ubuntu.com/ubuntu/ focal-updates main multiverse universe restricted
    
  2. Configure apt to use the NVIDIA DGX OS packages in the /etc/apt/sources.list.d/dgx.list file.

    deb file:///media/usb/repository/mirror/repo.download.nvidia.com/baseos/ubuntu/focal/x86_64/ focal main dgx
    deb file:///media/usb/repository/mirror/repo.download.nvidia.com/baseos/ubuntu/focal/x86_64/ focal-updates main dgx
    
  3. Configure [apt] to use the NVIDIA CUDA packages in the /etc/apt/sources.list.d/cuda-compute-repo.list file.

    deb file:///media/usb/repository/mirror/developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64/ /
    
  4. Update the apt repository.

    sudo apt update
    

    The output from this command is similar to the following example.

    Get:1 file:/media/usb/repository/mirror/security.ubuntu.com/ubuntu focal-security InRelease [107 kB]
    Get:2 file:/media/usb/repository/mirror/archive.ubuntu.com/ubuntu focal InRelease [265 kB]
    Get:3 file:/media/usb/repository/mirror/archive.ubuntu.com/ubuntu focal-updates InRelease [111 kB]
    Get:4 file:/media/usb/repository/mirror/developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64  InRelease
    Get:5 file:/media/usb/repository/mirror/repo.download.nvidia.com/baseos/ubuntu/focal/x86_64 focal InRelease [12.5 kB]
    Get:6 file:/media/usb/repository/mirror/repo.download.nvidia.com/baseos/ubuntu/focal/x86_64 focal-updates InRelease [12.4 kB]
    Get:7 file:/media/usb/repository/mirror/developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64  Release [697 B]
    Get:8 file:/media/usb/repository/mirror/developer.download.nvidia.com/compute/cuda/repos/ubuntu2004/x86_64  Release.gpg [836 B]
    Reading package lists... Done
    
  5. Upgrade the system using the newly configured local repositories.

    sudo apt full-upgrade