Offline GitHub workflow

[cbaxley]

🗣 Description

This builds the workflow for offline install testing

💭 Motivation and context

📷 Screenshots (DELETE IF UNAPPLICABLE)

🧪 Testing

✅ Pre-approval checklist

• Changes are limited to a single goal AND
  the title reflects this in a clear human readable format
• Issue that this PR solves has been selected in the Development section
• I have read and agree to LME's CONTRIBUTING.md document.
• The PR adheres to LME's requirements in RELEASES.md
• These code changes follow cisagov code standards.
• All relevant repo and/or project documentation has been updated to reflect the changes in this PR.

✅ Pre-merge Checklist

• All tests pass
• PR has been tested and the documentation for testing is above
• Squash and merge all commits into one PR level commit

✅ Post-merge Checklist

• Delete the branch to keep down number of branches

[Mastermjr]

all tests should run while LME instance and all the guest vms have no network connectivity.
I think the best way to do this is to setup a jump box that you can connect to and all the other vms in the network have no internet

[cbaxley]

I only open it to install the stuff for the tests. If we don't at least open all the ports, for maybe remote testing, I am not sure exactly how we can do it.

[mreeve-snl]

thank you, we have to be careful what we allow to run, or else we can run random repos that people create PRs for!

[mreeve-snl]

we should never add outbound back into u2, if we ever allow outbound anything, then the testing framework might lie to us and say something works, when it truly doesn't work on a no-net system

if this is an issue, let me know and we can hop on a call and try and figure out what needs to happen

[cbaxley]

I don't think I can ssh to it without allowing traffic both ways. I can limit the traffic to u2 and the build machine maybe.
I was also thinking about redoing it and putting both machines on the same network with different nsgs. That might be the best way.

[mreeve-snl]

I think either way should work, having only 22 open is probably fine. The multiple NSGs is also what I was thinking too lol Hopefully this goes to github

________________________________ From: Clint Baxley ***@***.***> Sent: Tuesday, December 2, 2025 9:12:26 AM To: cisagov/LME ***@***.***> Cc: Reeves, Mikey Johnathan ***@***.***>; Review requested ***@***.***> Subject: [EXTERNAL] Re: [cisagov/LME] Offline GitHub workflow (PR #733) @cbaxley commented on this pull request.

________________________________ In .github/workflows/offline.yml<#733 (comment)>:

run: |

- echo "Offline workflow - ready for implementation" - echo "Azure region: ${{ inputs.azure_region || 'centralus' }}" + cd testing/v2/development + docker compose -p ${{ env.UNIQUE_ID }} exec -T pipeline bash -c " + ssh -o StrictHostKeyChecking=no lme-user@${{ env.U2_IP }} 'cd ~/LME && NON_INTERACTIVE=true AUTO_CREATE_ENV=true ./install.sh -o -d' I don't think I can ssh to it without allowing traffic both ways. I can limit the traffic to u2 and the build machine maybe. I was also thinking about redoing it and putting both machines on the same network with different nsgs. That might be the best way. — Reply to this email directly, view it on GitHub<#733 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BDCGUN6WO3UWMBIXKPNQUAL37WM4VAVCNFSM6AAAAACNAT7NWWVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZTKMZQGM2DSMZSHA>. You are receiving this because your review was requested.Message ID: ***@***.***>

[mreeve-snl]

your design looks good to me
u2 has no internet
do u run an agent install on a no net windows and no net linux?

[cbaxley]

your design looks good to me u2 has no internet do u run an agent install on a no net windows and no net linux?
I am wondering how they will get the clients installed. I wonder if we should download the clients as well for the version they are using. Hmmm. Either way, I am going to go ahead and install a client on servers that have internet access. I am going to add a windows machine.