SlapOS: Deploying a standalone master

This page gives instructions on how to install a SlapOS master without any network access.
It is divided into three parts:

  • Preparation of a medium containing the necessary tools and packages, for which an Internet connection is required.
  • Actual deployment on the offline machine
  • Installation of additional software requiring the association of a node (frontend and Re6st).

Most of the commands given are indicative; however, those preceded by a hash (#) will require changes depending on system configuration.
For lines starting with a hash, the changes to be made are emphasized in bold.

In order to follow the procedure, the following items are required:

  • Access to a machine (assumed to be virtual) close to the final environment
  • Any medium capable of transferring data between machines
  • An IPv6 /32 subnet for the Re6st registry
  • An IPv6 /64 subnet for the master (the latter may be included in the former)
  • A local DNS server capable of responding to queries associated with all the sub-domains of a domain
  • A generic TLS certificate associated with the domain name
  • Local Ubuntu repositories if installing packages offline is needed

Preparation of the medium

  • Deploy a virtual machine with the same characteristics as the final environment
    • Relevant characteristics: machine architecture, operating system type and version
    • Set up an IPv6 local network and ensure that it is properly configured on the machine
  • Mount and initialize the data transfer medium
    mkdir /mnt/device
    #mount /dev/sdd1 /mnt/device
    mkdir /mnt/device/{miscellaneous,packages,software}
    • Download the slapos-node and re6st-node packages from Nexedi's repositories
    #wget -O /mnt/device/packages/Nexedi.key https://download.opensuse.org/repositories/home:/VIFIBnexedi/xUbuntu_22.04/Release.key
    #wget -O /mnt/device/packages/slapos-node.deb https://download.opensuse.org/repositories/home:/VIFIBnexedi/xUbuntu_22.04/amd64/slapos-node_1.11.0+1.0.352+1-1_amd64.deb
    #wget -O /mnt/device/packages/re6st-node.deb https://download.opensuse.org/repositories/home:/VIFIBnexedi/xUbuntu_22.04/amd64/re6st-node_0.624+slapos1.g0d8cd135c-1_amd64.deb

    Note: replace "xUbuntu_22.04" with the name of the distribution you are using. See here for a list. Also, the versions shown here are examples; check the latest available version at that same link.

    • Install the previously downloaded slapos-node package
    apt-key add /mnt/device/packages/Nexedi.key
    apt install /mnt/device/packages/slapos-node.deb
    • Find the name of the network interface providing IPv6 and create proxy configuration
    ip a
    mkdir /opt/slapgrid
    #slapos configure local --interface-name enp1s0
    • Clone the repository containing a local cache software on the medium
    git clone https://lab.nexedi.com/tsoulard/gakeshadeba.git /mnt/device/gakeshadeba
    cd /mnt/device/gakeshadeba
    • Install required dependencies for the local cache
    apt install python3-pip python3-venv
    python3 -m venv .venv
    source .venv/bin/activate
    pip install -r requirements.txt
    deactivate
    • Create a key pair to sign ShaDir entries
    openssl req -x509 -nodes -days 3653 -subj "/CN=ShaCache Signing Cert" -newkey rsa:1024 -keyout /mnt/device/miscellaneous/sign.key -out /mnt/device/miscellaneous/sign.crt
    • Create a list of software served by the cache, as well as a local cache configuration file, as mentioned in the project's README.md

    You now need to add to the local cache the software to be installed on the offline machine. There are two ways to do this: getting it from Nexedi's cache, or compiling it locally on the VM.

    Option 1: Retrieval from Nexedi cache

    • Locate required software on Nexedi's cache
    SR="https://lab.nexedi.com/nexedi/slapos/raw/1.0.344/software/rapid-cdn/software.cfg"
    curl "http://shadir.nxdcdn.com/$(printf '%s' "$SR" | md5sum | cut -d ' ' -f 1)"
    • From the returned list, extract the hash corresponding to the current system and add it to the local cache
    #curl -o /mnt/device/software/rapid-cdn-1.0.344-ubuntu-22.04.tar.gz "http://shacache.nxdcdn.com/sha512"

    Note: the name rapid-cdn-1.0.344-ubuntu-22.04 is the one that will be used locally. The sha512 hash is given as part of the previous command's response, and you should use the one matching your distribution.

    Software to be used as of January 5, 2024
    curl -o /mnt/device/software/slapos-master-1.0.349-ubuntu-22.04.tar.gz "http://shacache.nxdcdn.com/3e7b53fdcdab2b5a85b5d941a3bc0474749d73c80ca8aafd531a2c491929e601add293674c817a9e60319c2e796324eca69fcaffa7e3c06437d241a4f422d7b6"
    curl -o /mnt/device/software/rapid-cdn-1.0.344-ubuntu-22.04.tar.gz "http://shacache.nxdcdn.com/48fe5d2ba13404264785bb3e2cf31cc46238a32f0fd6962809e96354a49343236277936bbeed36d10892994915ccdb33769c248cd5e4e4ad29aae32770de48f9"
    curl -o /mnt/device/software/re6stnet-1.0.338-ubuntu-22.04.tar.gz "http://shacache.nxdcdn.com/e6387d47284b06ea4472c2117fb2982e8b7bca647deb433e537b23c8e1ef683139055d2b314209c3db7c418d6ee9afa4d2fb3e53b6179f50953529bcbee2e769"
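
The archives above are fetched over plain HTTP, so it is worth checking them before the medium goes offline. The following is an added example, not part of the original page: it recomputes each file's SHA-512 and compares it with the digest in its shacache URL. It assumes the last path component of the URL is the SHA-512 of the archive; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the SlapOS documentation. Assumption: the last
# path component of a shacache URL is the SHA-512 of the stored archive.

# Key under which shadir lists the builds of a software release URL
# (md5 of the URL, as in the lookup command above).
shadir_key() {
    printf '%s' "$1" | md5sum | cut -d ' ' -f 1
}

# verify_shacache_file FILE URL
# Returns 0 only if FILE exists and its SHA-512 equals the digest in URL.
verify_shacache_file() {
    file=$1
    expected=$(printf '%s' "${2##*/}" | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "no hex digest in URL: $2" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 128 ]; then
        echo "digest is not 128 hex characters: $2" >&2; return 2
    fi
    if [ ! -f "$file" ]; then
        echo "missing file: $file" >&2; return 3
    fi
    actual=$(sha512sum "$file" | cut -d ' ' -f 1)
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $file (got $actual)" >&2; return 1
    fi
    echo "OK $file"
}

# verify_manifest: read "FILE URL" pairs from stdin, check each one and
# return non-zero if any entry fails, so a bad archive never goes offline.
verify_manifest() {
    rc=0
    while read -r f u; do
        [ -n "$f" ] || continue
        verify_shacache_file "$f" "$u" || rc=1
    done
    return "$rc"
}
```

Feed `verify_manifest` one `path URL` line per archive downloaded to /mnt/device/software.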

    Option 2: Local compilation

    • Compile software to be installed on the machine using slapos supply
    slapos supply https://lab.nexedi.com/nexedi/slapos/raw/1.0.358/software/slapos-master/software.cfg local_computer
    slapos supply https://lab.nexedi.com/nexedi/slapos/raw/1.0.358/software/rapid-cdn/software.cfg local_computer
    slapos supply https://lab.nexedi.com/nexedi/slapos/raw/1.0.358/software/re6stnet/software.cfg local_computer
    • Once compilation is done, add compiled software to local cache
    #tar -C /opt/slapgrid -czf /mnt/device/software/slapos-master-1.0.358-ubuntu-22.04.tar.gz 16d47c5ab38233146f11c11abdd14575

    Extra step: Using the new master

    No SR currently allows using the new master. If this is needed, you will need to manually checkout the correct branches before compressing the software.

    #cd /opt/slapgrid/16d47c5ab38233146f11c11abdd14575/parts/erp5
    sudo -u slapsoft git fetch origin
    sudo -u slapsoft git reset --hard origin/erp5-vifib
    cd bt5
    ../product/ERP5/bin/genbt5list .
    cd ../../vifib
    sudo -u slapsoft git fetch origin
    sudo -u slapsoft git reset --hard origin/master
    cd master/bt5/
    ../../../erp5/product/ERP5/bin/genbt5list .

    At this stage, the data transfer medium is ready, and neither the Internet connection nor the virtual machine will be needed anymore.
    However, the virtual machine can still be used to compile future software versions and keep the offline computer up-to-date.

    Deployment on the machine

    • Mount the data transfer medium
    mkdir /mnt/device
    #mount /dev/sdd1 /mnt/device
    • Install the slapos-node package on the machine
    apt-key add /mnt/device/packages/Nexedi.key
    apt install /mnt/device/packages/slapos-node.deb

    Note: installing system packages (slapos-node and re6st-node) does not work without local Ubuntu repositories, which is why they are a prerequisite.
    If that is a problem, look at /var/cache/apt/archives and apt-get download linux-libc-dev.

    • Find the name of the network interface providing IPv6 and create the proxy configuration
    ip a
    mkdir /opt/slapgrid
    #slapos configure local --interface-name enp1s0
    • Setup SlapOS to use local cache by adding its URL and signing key to the configuration
    echo "[networkcache]
    download-binary-cache-url = http://192.168.32.10:5050/bcache
    download-binary-dir-url = http://192.168.32.10:5050/bdir
    signature-certificate-list =
    $(cat /mnt/device/miscellaneous/sign.crt | sed 's/^/ /')" >> /etc/opt/slapos/slapos.cfg

    Note: you should remove the networkcache section already present in the file if there is one.

    • Launch the local cache
    cd /mnt/device/gakeshadeba
    source .venv/bin/activate
    python3 server.py -c config.ini
    • Install the master from the binary cache with slapos supply
      • Warning: the link requested must be strictly identical to the one prepared in the cache
      • Otherwise, the software will be re-compiled from the Internet (or wait forever if no Internet connection is available)
    slapos supply https://lab.nexedi.com/nexedi/slapos/raw/1.0.358/software/slapos-master/software.cfg local_computer
    • Create a shared folder between all SlapOS users for certificates authentication
    groupadd slapcommon
    for i in {0..19}; do usermod -aG slapcommon slapuser$i; done
    mkdir -p /srv/slapcommon/erp5-ssl
    chown -R slapuser5:slapcommon /srv/slapcommon
    chmod -R 777 /srv/slapcommon
    • Request the master with slapos request
    slapos request --state started --force-serialisation json-in-xml --parameters-file request-parameters-slapos.json slapos-master https://lab.nexedi.com/nexedi/slapos/raw/1.0.358/software/slapos-master/software.cfg
    Example of configuration
    {
      "city": "Lille",
      "company": "ViFiB SARL",
      "country-code": "FR",
      "email": "admin@vifib.org",
      "shared-certificate-authority-path": "/srv/slapcommon/erp5-ssl",
      "check-crl": false,
      "site-id": "erp5",
      "state": "Nord-Pas-de-Calais",
      "timezone": "UTC",
      "zope-partition-dict": {
        "1": {
          "family": "1",
          "instance-count": 1,
          "ssl-authentication": false,
          "port-base": 2200
        },
        "service": {
          "backend-path": "/%(site-id)s/portal_slap",
          "family": "service",
          "port-base": 2240,
          "ssl-authentication": true,
          "thread-amount": 5
        }
      }
    }
    • Set permissions again on the common folder, as they have been redefined by the instantiation process
    chown -R slapuser5:slapcommon /srv/slapcommon
    chmod -R 777 /srv/slapcommon
    • Set up a redirection to access ERP5 instance
      • The IP to which requests shall be redirected is the address of the zope-1 instance
      • It can be found inside the zope-address-list of partition zope-1 using the command slapos proxy show --cfg /etc/opt/slapos/slapos-proxy.cfg
    echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
    sysctl -p
    #iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.24.205:2200
    • Log in to ERP5 using the credentials obtained with slapos proxy show --cfg /etc/opt/slapos/slapos-proxy.cfg | grep "inituser"
    • Launch the configurator
    • Go to /erp5/portal_certificate_authority/manage_editCertificateAuthorityToolForm and set the certification authority path to /srv/slapcommon/erp5-ssl
    • If you are using the new version of the master, you must set up a correct configuration with the right users; the following documentation gives an example of how to do it: https://www.erp5.com/NXD-SlapOS.Configuring.Master.from.Scratch

    The master is now fully functional. The following steps are optional but recommended.
    They require a node, i.e. a separate machine from the master, and enable the installation of a local CDN server and Re6st registry.

    Additional services

    Associating a node

    • Mount the data transfer medium
    mkdir /mnt/device
    #mount /dev/sdd1 /mnt/device
    • Install the slapos-node package on the machine
    apt-key add /mnt/device/packages/Nexedi.key
    apt install /mnt/device/packages/slapos-node.deb
    • Setup SlapOS to use local cache by adding its URL and signing key to the configuration. The cache can be either:
      • launched locally on each node, in which case the IP is the IP of the node;
      • launched only once on the local master, and the IP is the IP of the master, but another way needs to be used to transfer .deb packages to the nodes.
    echo "[networkcache]
    download-binary-cache-url = http://192.168.32.10:5050/bcache
    download-binary-dir-url = http://192.168.32.10:5050/bdir
    signature-certificate-list =
    $(cat /mnt/device/miscellaneous/sign.crt | sed 's/^/ /')" >> /etc/opt/slapos/slapos.cfg
    • Create a user with a Member task on the master
    • Log in to the management interface with the user and associate a server with an access token.
      • For the master-url-web parameter: use the URL given by the web interface of the master
      • For the master-url parameter: the web interface gives a wrong URL by default, so the IP address given in family-service-v6 should be used instead
    #slapos node register --token 20231218-D14F --master-url https://[fdbb:eb3c:1b95:d6c1::a]:2155 --master-url-web http://192.168.32.10/erp5/web_site_module/hostingjs --interface-name enp1s0 --partition-number 20 node-1
    slapos node format --now --alter_user=True
    • Restart all services on the master, in order to refresh Zope cache
    slapos node restart all
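
The [networkcache] section is appended to /etc/opt/slapos/slapos.cfg on both the master and the node, and any section already present has to be removed first. The following is an added example, not part of the original page: it drops the old section and writes the new one in a single step, so it can be re-run without creating duplicates. The function names are hypothetical; the option names are the ones used in the commands above.

```shell
#!/bin/sh
# Added example, not from the SlapOS documentation.

# set_networkcache CFG CACHE_BASE_URL CERT
# Drop any existing [networkcache] section from CFG, then append one that
# points at the local cache and lists CERT as the signing certificate.
set_networkcache() {
    cfg=$1 base=$2 cert=$3
    [ -s "$cert" ] || { echo "missing or empty certificate: $cert" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Copy every line except those belonging to a [networkcache] section:
    # each section header switches skipping on or off.
    awk '
        /^\[/ { skip = ($0 ~ /^\[networkcache\]/) }
        !skip
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    {
        echo "[networkcache]"
        echo "download-binary-cache-url = $base/bcache"
        echo "download-binary-dir-url = $base/bdir"
        echo "signature-certificate-list ="
        # Continuation lines of a multi-line value must be indented.
        sed 's/^/ /' "$cert"
    } >> "$tmp"
    # Overwrite in place so the owner and mode of CFG are preserved.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Number of [networkcache] sections in CFG (exactly 1 after the call above).
count_networkcache_sections() {
    grep -c '^\[networkcache\]' "$1"
}
```

For the setup on this page the call would be `set_networkcache /etc/opt/slapos/slapos.cfg http://192.168.32.10:5050 /mnt/device/miscellaneous/sign.crt`.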

    Having completed these steps, a node configuration file has been created in /etc/opt/slapos. The same machine will be used to compile and instantiate software on the node. To do this, perform the following steps with another user (non-administrator).

    • On the management interface, click on Login Account then Token to obtain an access token for the user.
    • Create a client configuration file
    slapos configure client --master-url https://[fdbb:eb3c:1b95:d6c1::a]:2158 --master-url-web http://192.168.32.10/erp5/web_site_module/hostingjs

    Creating a Re6st registry

    • Compile and instantiate the Re6st registry
    echo '{ "ipv6-prefix": "fdbb:eb3c:1b95:d6c1::/64", "prefix-length": 32}' > request-parameters.json
    slapos supply https://lab.nexedi.com/nexedi/slapos/raw/1.0.338/software/re6stnet/software.cfg
    slapos request --state started --force-serialisation json-in-xml --parameters-file request-parameters.json re6st-registry https://lab.nexedi.com/nexedi/slapos/raw/1.0.338/software/re6stnet/software.cfg
    • Install the re6st-node package on the machine
    apt-key add /mnt/device/packages/Nexedi.key
    apt install /mnt/device/packages/re6st-node.deb
    • Create an access token from the management interface and initialize the first node on the registry machine
    cd /etc/re6stnet
    #re6st-conf -d /etc/re6stnet --registry http://[fdbb:eb3c:1b95:d6c1:5054:ff:fefc:b90e]:9026 --token 18xlhwdzojbyfgevkmsuir
    systemctl start re6stnet.service
    • Associate the master as the second Re6st node, in the same way as above
    • Delete files slapos.xml and slapos.xml.zip from /opt/slapos on both master and node
    • Update interface_name to lo in /etc/opt/slapos/slapos.cfg on both machines
    • First reboot the node, then the master
    • Wait for all network interfaces to be created, then run slapos node instance --all

    SlapOS should now try to use IPs from re6st instead of the default configured IP network.
    Please check at this step that it is indeed the case before proceeding, and update all references to old IPv6.

    Creating a frontend

    • Go to the erp5/portal_skins/slapos_cloud/ComputePartition_getCustomAllocationParameterDict.py page and modify the script to force the URL of the frontend (not needed with the new master)
    • Compile and instantiate the frontend service with the same URL as specified in the script
    slapos supply https://lab.nexedi.com/nexedi/slapos/raw/1.0.344/software/rapid-cdn/software.cfg
    slapos request --parameters "domain=my.domain" "apache-certificate=$(cat /path/to/certificate.crt)" "apache-key=$(cat /path/to/key.pem)" master-frontend https://lab.nexedi.com/nexedi/slapos/raw/1.0.344/software/rapid-cdn/software.cfg
    • Configure local DNS server (see prerequisites) on the frontend machine
    echo "DNS=192.168.32.1" >> /etc/systemd/resolved.conf
    systemctl restart systemd-resolved
    • Set up redirections via iptables, to access the correct port and to access the public IPv4: see the iptables.sh script below.
    #!/bin/bash
    # Usage: iptables.sh PUBLIC_IPV4 PRIVATE_IPV4 PUBLIC_IPV6 PRIVATE_IPV6
    PUBLIC_IPV4=$1
    PRIVATE_IPV4=$2
    PUBLIC_IPV6=$3
    PRIVATE_IPV6=$4
    # Enable IPv4 and IPv6 forwarding on the interface
    sysctl net.ipv4.conf.enp1s0.forwarding=1
    sysctl net.ipv6.conf.enp1s0.forwarding=1
    # Redirect ports 80 and 443 on the public addresses to ports 8080 and 4443 on the private addresses
    for CHAIN in PREROUTING OUTPUT; do
      iptables -t nat -F ${CHAIN}
      ip6tables -t nat -F ${CHAIN}
      iptables -t nat -A ${CHAIN} -d ${PUBLIC_IPV4}/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination ${PRIVATE_IPV4}:8080
      ip6tables -t nat -A ${CHAIN} -d ${PUBLIC_IPV6}/128 -p tcp -m tcp --dport 80 -j DNAT --to-destination [${PRIVATE_IPV6}]:8080
      iptables -t nat -A ${CHAIN} -d ${PUBLIC_IPV4}/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination ${PRIVATE_IPV4}:4443
      ip6tables -t nat -A ${CHAIN} -d ${PUBLIC_IPV6}/128 -p tcp -m tcp --dport 443 -j DNAT --to-destination [${PRIVATE_IPV6}]:4443
    done
    iptables -t nat -F POSTROUTING
    ip6tables -t nat -F POSTROUTING
    iptables -t nat -A POSTROUTING -d
    ip6tables -t nat -A POSTROUTING -d ]
    • Note: for now, the alarm slapos_allocate_instance must be launched after creating a new slave frontend service (periodicity can be enabled)
