An air gap is a security measure that physically isolates a computer or network from any other network, including the internet. This isolation removes wired or wireless connections between the isolated system and any external and potentially unsecured networks. Organizations that handle highly sensitive information, such as government agencies, financial institutions, and critical infrastructure operators, use air-gapped environments to protect against various security incidents. Using an Ocient System in an air-gapped environment is supported without any special configuration. Here, you can find the general workflow for using an Ocient System in an air-gapped environment and the required installation steps.

Work with an Ocient System in an Air-Gapped Environment

This workflow shows the high-level steps to set up an Ocient System in an air-gapped environment.
1. Ensure that your drive firmware and operating system are up to date.
2. Install and configure an Ocient System in a connected environment where you can download the required files from the internet.
3. Disassemble the cluster.
4. Pack and deliver the hardware to your secured location.
5. Reassign a new IP address.
6. Reassign a new hostname.
7. Bootstrap the system again.

Install an Ocient System in an Air-Gapped Environment

Follow these steps to install the Ocient System in an air-gapped environment. These steps assume that you have met the system requirements for installation.
1. Bootstrap the First Node

Bootstrap the Node

Connect to the initial SQL Node with the username and password of your server and the IP address of your node. This example connects as the administrator admin to the IP Address 10.10.10.10.
Shell
ssh admin@10.10.10.10
Use your preferred text editor with sudo to create the /var/opt/ocient/bootstrap.conf file as root with these contents.
/var/opt/ocient/bootstrap.conf example
YAML
initialSystem: true
Start the database.
Shell
sudo systemctl start rolehostd
Verify that the node and the service are active by executing this status command.
Shell
systemctl status rolehostd

rolehostd.service - Rolehostd daemon startup
     Loaded: loaded (/etc/systemd/system/rolehostd.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-01-26 23:31:36 UTC; 7s ago
     ...
If the rolehostd service is running, you can also check the Ocient logs on your node. Search the log and ensure that there are no [ERROR] messages.
Shell
tail -f /var/opt/ocient/log/rolehostd.log

Verify Connection to the SQL Node

At this point, you have a running database with a single node. You should be able to connect to the database using JDBC or pyocient and execute commands.
Every new system starts with a system database. To connect to a new system, use the username and password configured in the bootstrap.conf file or the username admin@system and password admin if none were provided.
For example, assume your node named sql0 has an IP address of 10.10.0.1. Use the JDBC driver CLI to connect with this connection string.
Shell
connect to jdbc:ocient://10.10.0.1:4050/system user "myuser@system" using "mypassword";
To see the roles running on the single node, execute this query.
SQL
select name, operational_status, software_version, array_agg(service_role_type)
    from sys.node_status as ns
    left join sys.nodes as n on ns.node_id = n.id
    left join sys.service_roles as sr on sr.node_id = n.id
    group by name, operational_status, software_version;
The initial node should be listed as running the sql, admin, health, and operatorvm roles. If all of these roles are present and the node is Active, you can proceed to the next step to bootstrap the remaining nodes.
2. Bootstrap the Remaining Nodes

The bootstrapping process is identical on all remaining nodes, and you can bootstrap them in any order.
On each node, log in using SSH and use your text editor with sudo to create the file /var/opt/ocient/bootstrap.conf that contains this text, replacing <FIRST_NODE_IP_ADDRESS> with the IP address of the initial node you created in Step 1.
/var/opt/ocient/bootstrap.conf example
YAML
adminHost: <FIRST_NODE_IP_ADDRESS>
<FIRST_NODE_IP_ADDRESS> is the DNS name or IP address of the initial node.
You can obtain the IP Address of the initial node by executing ifconfig on that node.
If the password for the system administrator has changed, set the correct username adminUserName and password adminPassword in the bootstrap configuration file bootstrap.conf.
On each node, start the database.
Shell
sudo systemctl start rolehostd
When you replace Foundation Nodes, the Ocient System removes the prior node after the creation of the new node. Some queries of the system catalog tables might not return results until the prior node is removed.
At this point, none of the remaining nodes is configured with any roles. After all nodes have been started, you should see them with only the health role listed when you execute this query. This query uses the sys.node_status, sys.nodes, and sys.service_roles system catalog tables to retrieve the node name, operational status, software version, and all service role types. The query uses the ARRAY_AGG function to retrieve the service role type for all rows.
SQL
SELECT name, operational_status, software_version, array_agg(service_role_type)
    FROM sys.node_status AS ns
    LEFT JOIN sys.nodes AS n ON ns.node_id = n.id
    LEFT JOIN sys.service_roles AS sr ON sr.node_id = n.id
    GROUP BY name, operational_status, software_version;

Remove a Cluster in an Air-Gapped Environment

Use this information and workflow to remove a cluster by shutting down all Ocient processes and erasing the drives and data.
The system administrator must download the sedutil-cli utility used in this workflow.
You can classify the drives in an Ocient System in two categories based on their usage.
  • Operating System (OS) drives: These drives contain the installation of the operating system and software, including the . A system might have a single physical OS drive or an OS installed on a RAID disk created by using more than one drive. The OS drives on nodes with the administrator role (Metadata and possibly SQL Nodes) also store configuration information related to the Ocient System that can include:
    • Node names
    • Node IP addresses
    • User data mapping information for compressed columns
    • Encryption keys for the data drives (unless the keys are under the control of an external key management system)
  • Data drives: The data drives are present in all types of nodes except the node running only the administrator role. On the Foundation Node, the data drives store tables. On SQL Nodes, the data drives store transient query information. On Loader Nodes, the data drives store transient loading information.
The data drives in the Ocient System are exclusively NVMe drives. The OS drives can be NVMe or SSD. These drives might or might not support the Trusted Computing Group (TCG) Opal Specification. The type of drive (Opal-supported or not) determines how the system removes all data on the drive. To remove a cluster and its data for Opal-supported drives, follow these steps.
These steps irreversibly remove the data. Follow these steps after you ensure that you no longer need the applicable data from the system.
1. Stop the Ocient processes running on the nodes using these commands.
For Loader Nodes, use this command. The command combines two commands that stop all processes related to loading.
Shell
sudo systemctl disable lat && sudo systemctl stop lat
For all types of nodes, use this command. The command combines two commands where the first command stops processing on all nodes and the second command stops the main Ocient System process.
Shell
sudo systemctl disable rolehostd && sudo systemctl kill -s SIGKILL rolehostd
2. Bind the data drives to an NVMe driver so that the drives become visible to the OS.
Shell
sudo /opt/ocient/scripts/nvme-driver-util.sh bind-nvme
3. Run this command for each data drive. The impacted drives are the drives displayed as their association changes from uio drivers to nvme drivers. You can see the nvme drive association by running the /opt/ocient/scripts/nvme-driver-util.sh script. All data drives are erased.
You can move drives to another node with the sedutil-cli utility if the nodes are already powered off and you cannot power them on. Use the same command to erase the drive: sedutil-cli -n --revertTPer admin /dev/nvmeXn1.
Shell
sedutil-cli -n --revertTPer admin /dev/nvmeXn1
You cannot securely erase the OS drives while the OS is running. You can either use the secure erase facility from BIOS or move drives to an external host with a utility approved by your organization for the remove operation.
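A dry-run planner for step 3, added here as an example and not part of Ocient's scripts: it compares device listings saved before and after the bind-nvme step and prints the erase command only for drives that appeared after the bind, so a drive that was already visible to the OS is never listed. The listing files and the function names data_drives and erase_plan are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Ocient code): plan the step 3 erase from two listings.
# Assumption: each file holds one device path per line, saved for example with
#   ls /dev/nvme*n1 > before.txt   (before the bind-nvme step)
#   ls /dev/nvme*n1 > after.txt    (after the bind-nvme step)

# data_drives BEFORE AFTER: print namespaces in AFTER that are not in BEFORE.
# Exits 1 and prints nothing if a BEFORE device is missing from AFTER, because
# the two listings then do not describe the same node.
data_drives() {
  awk '
    NF == 0 { next }
    FILENAME == ARGV[1] { before[$1] = 1; next }
    { after[$1] = 1 }
    $1 ~ /^\/dev\/nvme[0-9]+n[0-9]+$/ && !($1 in before) { fresh[++n] = $1 }
    END {
      for (d in before) if (!(d in after)) exit 1
      for (i = 1; i <= n; i++) print fresh[i]
    }' "$1" "$2"
}

# erase_plan BEFORE AFTER: print (never run) the page's erase command for each
# data drive, plus a comment line for every drive that must be left alone.
erase_plan() {
  drives=$(data_drives "$1" "$2") || {
    echo "# listings are inconsistent, no plan produced"
    return 1
  }
  while read -r dev; do
    if [ -n "$dev" ]; then
      echo "# keep $dev (visible before bind-nvme, not a data drive)"
    fi
  done < "$1"
  for dev in $drives; do
    echo "sedutil-cli -n --revertTPer admin $dev"
  done
}

# Constructed sample: nvme0n1 is the OS drive; nvme1n1 and nvme2n1 appeared
# only after the data drives were bound to the nvme driver.
tmp=$(mktemp -d)
printf '%s\n' /dev/nvme0n1 > "$tmp/before.txt"
printf '%s\n' /dev/nvme0n1 /dev/nvme1n1 /dev/nvme2n1 > "$tmp/after.txt"
erase_plan "$tmp/before.txt" "$tmp/after.txt"
rm -rf "$tmp"
```

Review the printed plan against the node's hardware inventory before running any of the listed commands.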
Last modified on May 27, 2026