Uploading Model Repositories for an air-gapped environment

The Model artifacts must be manually transferred and uploaded to the object storage used by the Cloudera AI Registry and Cloudera AI Inference service.

  1. Configure AWS CLI with the appropriate Ozone credentials.
    • Generate the Ozone S3 secret key and Ozone access key.
      1. SSH to the Cloudera Manager host and run klist. You can find the hostname on Cloudera Manager > Environments under Cloudera Manager.
      2. Skip this step if you see Kerberos ticket information. Otherwise, run the following command with the configured keytab.

        # kinit -kt /cdep/keytabs/om.keytab om

      Run klist to check if the Kerberos ticket is granted.

        [root@cml-pvc-oldap-1 ~]# klist
        Ticket cache: FILE:/tmp/krb5cc_0
        Default principal: om@CDSW-INT.CLOUDERA.COM
        
        Valid starting   	Expires          	Service principal
        05/25/2022 14:32:13  05/26/2022 14:32:13  krbtgt/CDSW-INT.CLOUDERA.COM@CDSW-INT.CLOUDERA.COM
            renew until 06/02/2022 14:32:13
      3. Run this command to get the Ozone S3 secret key (awsSecret) and the Ozone access key (awsAccessKey).

        [root@cml-pvc-oldap-1 ~]# ozone s3 getsecret --om-service-id=ozone1
        
        awsAccessKey=om@CDSW-INT.CLOUDERA.COM
        awsSecret=40d5fc02fc882d53df3758a76184eb810ee97d9e1c45e5a7f2ef715bf31e5a0a
        
    • Copy awsAccessKey and awsSecret, then configure the AWS CLI by running the aws configure command:

      aws configure
      AWS Access Key ID [****************PAOF]: 
      AWS Secret Access Key [****************U4Fz]: 
      Default region name [None]: 
      Default output format [None]:
      
Run the import_to_arigap.py script.

  python3.9 import_to_arigap.py -i -e <endpoint> -c <cloud_type> -s <source_directory> -d <destination> -ri <repository_id>

The script uploads the downloaded Model artifacts to a secured location in Cloudera on premises. The destination format must be s3://bucket/secured-models. The administrator can change this bucket location to a different value, for example, s3://newBucket/not-secured.

You can use the following parameters for uploading the Models:

Table 1. Parameters for uploading the Models
| Parameter | Description | Example |
| -i | Run in insecure mode (skip SSL verification). This is valid only for on premises environments, but it is not recommended for production use cases. Fetch the CA certificate to be used for the on premises environment. | -i |
| -ca | Specify the certificate to be used for Ozone S3 gateway communication. | -ca /path/to/cert.pem |
| -e | Ozone S3 gateway endpoint URL | -e https://ccycloud-5.cml-cai.root.comops.site:9879 |
| -c | Cloud type (on premises) | -c pvc |
| -s | Must contain the previously downloaded Model artifacts as it is the source directory of the downloaded Model. | -s $PWD/models |
| -d | Must point to the Cloudera AI Registry bucket with the appropriate path. The destination format must be: s3://bucket/secured-models | -d s3://bucket/secured-models |
| -rt | Repository type (Hugging Face or NVIDIA NGC) | -rt hf |
| -ri | Repository ID of the Model downloaded to local filesystem | -ri nim/meta/llama-3_1-70b-instruct:0.11.1+14957bf8-h100x4-fp8-throughput.1.2.18099809 |
| --account | Azure storage account name (Azure only) | --account $AZURE_STORAGE_ACCOUNT_NAME |
| --container | Azure storage container name (Azure only) | --container data |

  1. Upload the Model artifacts to a secured location.

    The destination format must be s3://bucket/secured-models:

    python3.9 import_to_arigap.py -i -e https://ccycloud-5.cml-cai.root.comops.site:9879 -c pvc -s $PWD/models -d s3://bucket/secured-models -ri nim/meta/llama-3_1-70b-instruct:0.11.1+14957bf8-h100x4-fp8-throughput.1.2.18099809
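
The commands above pass -i, which skips SSL verification of the Ozone S3 gateway. The following pre-flight helper is an added example, not part of Cloudera's script or documentation: it checks the Table 1 parameters and builds the command with -ca unless insecure mode is explicitly allowed. The name build_upload_argv and its arguments are hypothetical, and it assumes -ca is passed in place of -i.

```python
import os
from urllib.parse import urlparse

SCRIPT = "import_to_arigap.py"  # script name as written on this page


def build_upload_argv(endpoint, source_dir, destination, repo_id,
                      ca_cert=None, allow_insecure=False):
    """Validate the upload parameters and return the argv list to run (hypothetical helper)."""
    ep = urlparse(endpoint)
    if ep.scheme != "https" or not ep.hostname:
        raise ValueError("endpoint must be an https:// URL of the Ozone S3 gateway")
    dst = urlparse(destination)
    if dst.scheme != "s3" or not dst.netloc or not dst.path.strip("/"):
        raise ValueError("destination must look like s3://bucket/secured-models")
    if not os.path.isdir(source_dir) or not os.listdir(source_dir):
        raise ValueError("source directory is missing or empty")
    if not repo_id.strip():
        raise ValueError("repository ID (-ri) is required")

    argv = ["python3.9", SCRIPT]
    if ca_cert:
        # Preferred: the gateway certificate is verified against this CA file.
        with open(ca_cert, "rb") as fh:
            if b"-----BEGIN CERTIFICATE-----" not in fh.read():
                raise ValueError("CA file is not a PEM certificate")
        argv += ["-ca", ca_cert]
    elif allow_insecure:
        # -i skips SSL verification, so the caller must opt in explicitly.
        argv.append("-i")
    else:
        raise ValueError("pass ca_cert, or set allow_insecure=True for a test setup")
    # "-c pvc" is the on premises cloud type from Table 1.
    argv += ["-e", endpoint, "-c", "pvc", "-s", source_dir,
             "-d", destination, "-ri", repo_id]
    return argv


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample input
        open(os.path.join(d, "model.bin"), "wb").close()
        print(build_upload_argv("https://s3g.example.internal:9879", d,
                                "s3://bucket/secured-models", "repo/id:tag",
                                allow_insecure=True))
```

Pass the returned list to subprocess.run without shell=True so the repository ID and paths are not reinterpreted by the shell.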