docs: Describe how to configure insecure registries #580

Merged
merged 1 commit into from
Jun 4, 2024

2 changes: 1 addition & 1 deletion docs/src/SUMMARY.md
Expand Up @@ -17,7 +17,7 @@
# Using bootc

- [Upgrade and rollback](upgrades.md)
- [Offline/disconnected updates](offline-updates.md)
- [Accessing registries and offline updates](registries-and-offline.md)
- [Booting local builds](booting-local-builds.md)
- [`man bootc`](man/bootc.md)
- [`man bootc-status`](man/bootc-status.md)
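
Review bot: The nav entry title on the changed line, "Accessing registries and offline updates", does not match the H1 of the page it links to, which reads "Accessing registries and disconnected updates"; pick one wording so the sidebar and the page heading agree. Since `offline-updates.md` is deleted in the same commit, also check for inbound links to the old page name and consider leaving a stub or redirect so they keep resolving.
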
35 changes: 0 additions & 35 deletions docs/src/offline-updates.md

This file was deleted.

57 changes: 57 additions & 0 deletions docs/src/registries-and-offline.md
@@ -0,0 +1,57 @@
# Accessing registries and disconnected updates

The `bootc` project uses the [containers/image](https://github.com/containers/image)
library to fetch container images (the same used by `podman`) which means it honors almost all
the same configuration options in `/etc/containers`.

## Insecure registries

Container clients such as `podman pull` and `docker pull` have a `--tls-verify=false`
flag which says to disable TLS verification when accessing the registry. `bootc`
has no such option. Instead, you can globally configure the option
to disable TLS verification when accessing a specific registry via the
`/etc/containers/registries.conf.d` configuration mechanism, for example:

```
# /etc/containers/registries.conf.d/local-registry.conf
[[registry]]
location="localhost:5000"
insecure=true
```

For more, see [containers-registries.conf](https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md).

## Disconnected and offline updates

It is common (a best practice even) to maintain systems which default
to being disconnected from the public Internet.

### Pulling updates from a local mirror

Everything in the section [remapping and mirroring images](https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#remapping-and-mirroring-registries)
applies to bootc as well.

### Performing offline updates via USB

In a usage scenario where the operating system update is in a fully
disconnected environment and you want to perform updates via e.g. inserting
a USB drive, one can do this by copying the desired OS container image to
e.g. an `oci` directory:

```bash
skopeo copy docker://quay.io/exampleos/myos:latest oci:/path/to/filesystem/myos.oci
```

Then once the USB device containing the `myos.oci` OCI directory is mounted
on the target, use

```bash
bootc switch --transport oci /var/mnt/usb/myos.oci
```

The above command is only necessary once, and thereafter will be idempotent.
Then, use `bootc upgrade --apply` to fetch and apply the update from the USB device.

This process can all be automated by creating systemd
units that look for a USB device with a specific label, mount (optionally with LUKS
for example), and then trigger the bootc upgrade.
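
Review bot: In the "Insecure registries" section, the `insecure=true` example is given without saying what it gives up. Per the containers-registries.conf page linked right after it, this setting allows unencrypted HTTP as well as TLS connections with untrusted certificates, so the OS image that bootc fetches from that registry arrives with no transport authentication. Suggest adding a sentence that limits this to local development or test registries such as the `localhost:5000` one shown, and that points to installing the registry's CA certificate under `/etc/containers/certs.d` as the preferred route for a registry with a private CA. Two smaller points: the first fence has no language tag while the later ones use `bash`, and the USB example copies `myos:latest` by tag, so a note on pinning by digest or verifying signatures before the image is carried offline would help.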