Open 6547709 opened 5 days ago
I've made some progress on resolving the issue and can now run and build the image in an offline environment. Here’s a summary of my approach, though I’m not sure if it’s the best solution:
```yaml
image-factory:
  image: "ghcr.io/siderolabs/image-factory:v0.5.0"
  restart: unless-stopped
  container_name: image-factory
  privileged: true
  ports:
    - "8080:8080"
  environment:
    SIGSTORE_ROOT_FILE: /root.pem
    SIGSTORE_REKOR_PUBLIC_KEY: /cosign.pub
    SIGSTORE_CT_LOG_PUBLIC_KEY_FILE: /cosign.pub
  volumes:
    - /dev:/dev
    - /sys:/sys
    - ./cache-signing-key.key:/cache-signing-key.key
    - ./certs/import-cosign.key:/cosign.key
    - ./certs/import-cosign.pub:/cosign.pub
    - ./tmp:/tmp
    - ./certs/omni-ca.pem:/root.pem
    - ./10.root.json:/root.json
  command: >
    -http-port=0.0.0.0:8080
    -image-registry ${OMNI_IP}:5000
    -external-url http://${OMNI_IP}:8080
    -schematic-service-repository ${OMNI_IP}:5000/image-factory/schematic
    -installer-internal-repository ${OMNI_IP}:5000/siderolabs
    -installer-external-repository ${OMNI_IP}:5000/siderolabs
    -cache-repository ${OMNI_IP}:5000/cache
    -insecure-image-registry
    -insecure-cache-repository
    -insecure-schematic-service-repository
    -insecure-installer-internal-repository
    -cache-signing-key-path /cache-signing-key.key
    -container-signature-pubkey /cosign.pub
    -container-signature-issuer http://localhost
```
1. Handling Sigstore components offline: this can be achieved using three environment variables: `SIGSTORE_ROOT_FILE`, `SIGSTORE_REKOR_PUBLIC_KEY`, and `SIGSTORE_CT_LOG_PUBLIC_KEY_FILE`.

2. Image synchronization: I used the command below to download images to a local directory and then copied them to the offline registry. `--all` and `--preserve-digests` ensure that the digest of the image remains unchanged, which is very important because Image-Factory pulls extensions by digest:

   ```shell
   skopeo copy --retry-times 3 --all --preserve-digests "docker://${image}" "dir:dynamic_images/$(echo "$image" | tr '/:' '_')"
   ```

   - 2.1: Use the API from factory.talos.dev to obtain the corresponding versions of the `extensions` and `overlays` images.
   - 2.2: Download the corresponding versions of the following images:
     - `ghcr.io/siderolabs/extensions:${version}`
     - `ghcr.io/siderolabs/installer:${version}`
     - `ghcr.io/siderolabs/imager:${version}`

3. Image signing certificates: I used CFSSL to create an internal CA and issued the following certificates:
   - `omni`
   - `cosign`
   - `cache-signing-key.key`

4. Image signing: images were signed using the command:

   ```shell
   cosign sign --key "${COSIGN_KEY}" --cert "${COSIGN_CERT}" --cert-chain="${COSIGN_CERT_CHAIN}" --tlog-upload=false "${image}"
   ```
As a result, the setup can now run completely in an offline environment.
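The write-up above hinges on `--preserve-digests`: if a mirror re-encodes a layer or re-serializes a manifest, the digest changes and Image Factory can no longer resolve the extension it pinned. The script below is an added example (not code from this issue, from Image Factory, or from skopeo) that checks a `dir:` copy end to end before it is pushed into the air-gapped registry: the top-level `manifest.json` must hash to the digest the upstream reference resolved to, every platform manifest referenced by a manifest list must be present and hash correctly, and every config and layer blob must exist with content matching its digest and declared size. It assumes the file naming I understand skopeo's `dir:` transport to use (`manifest.json`, `<hex>.manifest.json` per platform when `--all` was given, blobs stored as bare `<hex>` files); the sample image it verifies is constructed in a temporary directory so the whole thing runs offline.

```python
"""Verify a skopeo `dir:` image copy by digest before pushing it offline.

Added example, not Image Factory or skopeo code. Layout assumed (my reading
of skopeo's dir transport): manifest.json, <hex>.manifest.json for platform
manifests of a list, and blobs stored as bare <hex> files.
"""
import hashlib
import json
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _read(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def _hex(digest: str) -> str:
    # "sha256:abc..." -> "abc..."; only sha256 is handled here.
    algo, hexpart = digest.split(":", 1)
    if algo != "sha256":
        raise ValueError(f"unsupported digest algorithm {algo}")
    return hexpart


def verify_manifest(image_dir: str, manifest_name: str, expected_hex: str) -> list:
    """Return a list of problems for one manifest and everything it references."""
    problems = []
    path = os.path.join(image_dir, manifest_name)
    if not os.path.exists(path):
        return [f"missing {manifest_name}"]
    raw = _read(path)
    actual = sha256_hex(raw)
    if actual != expected_hex:
        problems.append(f"{manifest_name}: digest {actual} != expected {expected_hex}")
    m = json.loads(raw)
    # Manifest list / OCI index: each platform manifest is its own file.
    if "manifests" in m:
        for entry in m["manifests"]:
            h = _hex(entry["digest"])
            problems += verify_manifest(image_dir, f"{h}.manifest.json", h)
        return problems
    # Single-platform manifest: config and layers are content-addressed blobs.
    for d in [m["config"]] + m.get("layers", []):
        h = _hex(d["digest"])
        blob = os.path.join(image_dir, h)
        if not os.path.exists(blob):
            problems.append(f"missing blob {h}")
            continue
        data = _read(blob)
        if sha256_hex(data) != h:
            problems.append(f"blob {h} content hash mismatch")
        elif "size" in d and len(data) != d["size"]:
            problems.append(f"blob {h} size {len(data)} != declared {d['size']}")
    return problems


def verify_image_dir(image_dir: str, pinned_digest: str) -> list:
    """pinned_digest is the 'sha256:...' the upstream tag resolved to when copied."""
    return verify_manifest(image_dir, "manifest.json", _hex(pinned_digest))


def build_sample_image(root: str = None):
    """Write a constructed single-platform image in dir layout; return (dir, digest)."""
    image_dir = root or tempfile.mkdtemp(prefix="img_")
    config = json.dumps({"architecture": "amd64", "os": "linux"}, sort_keys=True).encode()
    layer = b"constructed layer contents, not a real tar.gz"  # constructed sample
    hexes = {}
    for data in (config, layer):
        hexes[data] = sha256_hex(data)
        with open(os.path.join(image_dir, hexes[data]), "wb") as f:
            f.write(data)
    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
                   "digest": "sha256:" + hexes[config], "size": len(config)},
        "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                    "digest": "sha256:" + hexes[layer], "size": len(layer)}],
    }
    raw = json.dumps(manifest, sort_keys=True).encode()
    with open(os.path.join(image_dir, "manifest.json"), "wb") as f:
        f.write(raw)
    with open(os.path.join(image_dir, "version"), "w") as f:
        f.write("Directory Transport Version: 1.1\n")
    return image_dir, "sha256:" + sha256_hex(raw)


def tamper_first_layer(image_dir: str) -> None:
    """Simulate a mirror that altered a layer on the way through: append one byte."""
    m = json.loads(_read(os.path.join(image_dir, "manifest.json")))
    with open(os.path.join(image_dir, _hex(m["layers"][0]["digest"])), "ab") as f:
        f.write(b"x")


if __name__ == "__main__":
    d, digest = build_sample_image()
    print("clean copy:", verify_image_dir(d, digest) or "OK")
    tamper_first_layer(d)
    print("tampered copy:", verify_image_dir(d, digest))
```

Run it against a real copy with `verify_image_dir("dynamic_images/<name>", "<digest from the factory API>")`; an empty list means the directory can be pushed with the digest Image Factory expects, and any entry names the exact manifest or blob that drifted.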
Thank you, that's an awesome write up!

Btw, `crane cp` is way easier and works better than `skopeo`.
I plan to deploy the Omni environment locally (airgap), but when running Image-factory locally, I encountered a problem:
Image-Factory Docker-Compose.yml
Requesting help: does Image-Factory support local deployment? If so, is there any documentation or guidance for this?
I have also explored deploying sigstore locally, but I don't see those parameters/environment variables to use a local sigstore.