From 68bfea510c213493128e1fc2bcd3ee7280265f34 Mon Sep 17 00:00:00 2001 From: Ben Breard Date: Thu, 1 Feb 2024 15:15:07 -0600 Subject: [PATCH] Update usage.md for air-gapped & disconnected updates I added steps to move container image updates around with skopeo and apply them with bootc. Please double check that this is correc! It works really well on my side, but I'm unsure if bootc edit is a better option for changing where the update is pulled from. --- docs/usage.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/docs/usage.md b/docs/usage.md index 585526a..5e6fae4 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -57,6 +57,10 @@ First, one can disable the timer entirely as part of a container build: RUN systemctl mask bootc-fetch-apply-updates.timer ``` +This is useful for environments where manually updating the systems is +preferred, or having another tool perform schedule and execute the +updates, e.g. Ansible. + Alternatively, one can use systemd "drop-ins" to override the timer (for example, to schedule updates for once a week), create a file like this, named e.g. `50-weekly.conf`: 
@@ -74,6 +78,43 @@ RUN mkdir -p /usr/lib/systemd/system/bootc-fetch-apply-updates.timer.d COPY 50-weekly.conf /usr/lib/systemd/system/bootc-fetch-apply-updates.timer.d ``` +## Air-gapped and dissconnected updates + +For environments without a direct connection to a centralized container +registry, we encourage mirroring an on-premise registry if possible or manually +moving container images using `skopeo copy`. See [this blog](https://www.redhat.com/sysadmin/manage-container-registries) for example. + +For systems that require manual updates via USB drives, this procedure +describes how to use `skopeo` and `bootc switch`. + +Copy image to USB Drive: + +```skopeo copy docker://[registry]/[path to image] dir://run/media/$USER/$DRIVE/$DIR``` + +*note, Using the dir transport will create a number of files, +and it's recommended to place the image in it's own directory. +If the image is local the containers-storage transport will transfer +the image from a system directly to the drive: + +```skopeo copy containers-storage:[image]:[tag] dir://run/media/$USER/$DRIVE/$DIR``` + +From the client system, insert the USB drive and mount it: + +```mount /dev/$DRIVE /mnt``` + +`bootc switch` will direct the system to look at this mount point for future +updates, and is only necessary to run one time if you wish to continue +consuming updates from USB devices. note that if the mount point changes, +simply run this command to point to the alternate location. We recommend +using the same location each time to simplfy this. + +```bootc switch --transport dir /mnt/$DIR``` + +Finally `bootc upgrade` will 1) check for updates and 2) reboot the system +when --apply is used. + +```bootc upgrade --apply``` + ## Filesystem interaction and layout At "build" time, this image runs the same as any other OCI image where
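Review bot: In the first hunk (@@ -57,6 +57,10), the added sentence "or having another tool perform schedule and execute the updates, e.g. Ansible" does not parse; "perform schedule" looks like a leftover from an earlier wording. Suggest "or where another tool, e.g. Ansible, schedules and executes the updates". It would also help to state here that with the timer masked nothing applies updates automatically, so whatever process replaces it is responsible for keeping the hosts current.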
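Review bot: In the second hunk (@@ -74,6 +78,43), both `skopeo copy` destinations are written `dir://run/media/$USER/$DRIVE/$DIR`, but the dir transport takes the form `dir:path` with no `//`, so this reads like a URL whose host is `run`. Write `dir:/run/media/$USER/$DRIVE/$DIR` instead. `$DRIVE` is also used for two different things, the mounted volume name under `/run/media/$USER/` and the device node in `mount /dev/$DRIVE /mnt`; separate placeholders would avoid confusion. The procedure carries an OS image on removable media and applies it with `bootc upgrade --apply`, yet no step checks the copied image on the client before it is applied. Consider adding a step that compares the image digest with the value recorded at the source, or a sentence on how signature verification applies to the dir transport. Smaller points: the commands are wrapped in triple backticks on a single line, unlike the fenced blocks earlier in the file; "simply run this command" comes before the command it refers to; and there are typos to fix: "dissconnected", "it's own directory" (its), "simplfy", and a lowercase "note" at the start of a sentence.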