IBM / ibm-z-oss-hub

Open source software hub for IBM Z
Apache License 2.0

Use of images in an air-gapped environment #133

Open ccc13481 opened 6 months ago

ccc13481 commented 6 months ago

Hi

How do I use a container in an air-gapped environment?

Is there a way to clone the repository or to download a container?

BR Frank Allan Rasmussen

jbostian commented 6 months ago

Any OCI-compliant command line interface (CLI) like Docker or Podman will allow you to acquire images from a repository like the IBM Z and LinuxONE Container Registry using a pull command. Once you have them pulled into a given environment on any platform - Linux, zCX on z/OS or a cloud environment - you can save those container images through the save command. This will create a tar file archive that you can move to any platform you want within your enterprise. Once you have them on a target system for deployment, you can load them, and effectively accomplish the same thing as if you had pulled the image directly to the air-gapped system.

Collecting and managing container images like this from a different platform than the IBM Z system where they are deployed is a good isolation strategy that enhances security. By using a CLI like the ones provided by Podman or Docker to gather images from a secure server, you should have the tools you need for an air-gapped enterprise.

The Docker CLI documentation is pretty good at describing the kinds of operations available to manage container images: https://docs.docker.com/engine/reference/commandline/cli/
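
The pull, save and load sequence described in the comment above, as an added example that is not part of the original thread or IBM's own tooling. The checksum step, the `CLI` variable, the function names and the image reference are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example: carry an image across an air gap with pull / save / load.
# CLI, the function names and the bundle paths are assumptions; use your own.
set -eu

CLI="${CLI:-podman}"    # or docker; both accept pull, save -o and load -i

# Connected side: pull the image, write <bundle>.tar and <bundle>.tar.sha256.
export_image() {
    image="$1"; bundle="$2"
    "$CLI" pull "$image"
    "$CLI" save -o "$bundle.tar" "$image"
    # Record the checksum with a relative file name so it still verifies
    # after the two files are copied to a different directory.
    ( cd "$(dirname "$bundle")" &&
      sha256sum "$(basename "$bundle").tar" > "$(basename "$bundle").tar.sha256" )
}

# Air-gapped side: refuse to load an archive whose checksum does not match.
# A checksum that travels with the archive only detects corruption in
# transit; carry it on a separate channel (or sign it) to detect tampering.
import_image() {
    bundle="$1"
    if ! ( cd "$(dirname "$bundle")" &&
           sha256sum -c "$(basename "$bundle").tar.sha256" >/dev/null ); then
        echo "checksum mismatch for $bundle.tar, not loading" >&2
        return 1
    fi
    "$CLI" load -i "$bundle.tar"
}

# Usage (placeholder image reference and paths):
#   export_image registry.example/namespace/image:tag /media/transfer/image
#   ...move image.tar and image.tar.sha256 to the air-gapped host...
#   import_image /media/transfer/image
```
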

ccc13481 commented 6 months ago

I was hoping for something easy like SMP/E... ;-)

I will read the Docker CLI and see if I can figure out how to do it...

Thanks

BR Frank Allan Rasmussen

jbostian commented 6 months ago

The ease-of-use issue is one to handle carefully, because it all depends on the background of the user. Since this is open source, we want to provide the infrastructure people generally use to interact with the software. However, this infrastructure overlaps in purpose with existing z/OS software deployment components like SMP/E. We have tried to re-factor open source software to deploy through SMP/E in the past, and it hasn't gone well, for a number of reasons.

That said, we're trying to strike a balance so we don't make the z/OS system admin job miserable when managing open source on z/OS. Please feel free to comment in the discussion area if you have questions or suggestions. We're always looking for ways to make this deployment channel better.