author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-25 12:08:19 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-03-25 12:08:19 +0000 |
commit | e6baeabaa9651d90b03bb64ffce75a2c3cb89aab (patch) | |
tree | 85f3cbd6e437b17be59505cf3ac4794c1838609e /doc/topics | |
parent | 5064bf8c5647d4c4430cbb4d097cf1592416de29 (diff) | |
download | gitlab-ce-e6baeabaa9651d90b03bb64ffce75a2c3cb89aab.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/topics')
-rw-r--r-- | doc/topics/airgap/index.md | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/doc/topics/airgap/index.md b/doc/topics/airgap/index.md index fc92dd5519d..77c01863d47 100644 --- a/doc/topics/airgap/index.md +++ b/doc/topics/airgap/index.md 
@@ -13,3 +13,61 @@ If you plan to deploy a GitLab instance on a physically-isolated and offline net Follow these best practices to use GitLab's features in an offline environment: - [Operating the GitLab Secure scanners in an offline environment](../../user/application_security/offline_deployments/index.md). + +## Loading Docker images onto your air-gapped host + +To use many GitLab features, including +[security scans](../../user/application_security/index.md#working-in-an-offline-environment) +and [Auto Devops](../autodevops/), the GitLab Runner must be able to fetch the +relevant Docker images. + +The process for making these images available without direct access to the public internet +involves downloading the images then packaging and transferring them to the air-gapped host. +Here's an example of such a transfer: + +1. Download Docker images from public internet. +1. Package Docker images as tar archives. +1. Transfer images to air-gapped environment. +1. Load transferred images into air-gapped Docker registry. + +### Example image packager script + +```sh +#!/bin/bash +set -ux + +# Specify needed analyzer images +analyzers=${SAST_ANALYZERS:-"bandit eslint gosec"} +gitlab=registry.gitlab.com/gitlab-org/security-products/analyzers/ + +for i in "${analyzers[@]}" +do + tarname="${i}_2.tar" + docker pull $gitlab$i:2 + docker save $gitlab$i:2 -o ./analyzers/${tarname} + chmod +r ./analyzers/${tarname} +done +``` + +### Example image loader script + +This example loads the images from a bastion host to an air-gapped host. 
In certain configurations, +physical media may be needed for such a transfer: + +```sh +#!/bin/bash +set -ux + +# Specify needed analyzer images +analyzers=${SAST_ANALYZERS:-"bandit eslint gosec"} +registry=$GITLAB_HOST:4567 + +for i in "${analyzers[@]}" +do + tarname="${i}_2.tar" + scp ./analyzers/${tarname} ${GITLAB_HOST}:~/${tarname} + ssh $GITLAB_HOST "sudo docker load -i ${tarname}" + ssh $GITLAB_HOST "sudo docker tag $(sudo docker images | grep $i | awk '{print $3}') ${registry}/analyzers/${i}:2" + ssh $GITLAB_HOST "sudo docker push ${registry}/analyzers/${i}:2" +done +``` |
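Review bot: In both the packager and the loader script, `analyzers` is assigned as a single string (`analyzers=${SAST_ANALYZERS:-"bandit eslint gosec"}`) but iterated as an array with `for i in "${analyzers[@]}"`, so the loop body runs once with `i` set to the whole string "bandit eslint gosec" and no valid image name or tar name is produced. Split the value into an array before the loop, for example `read -r -a analyzers <<< "${SAST_ANALYZERS:-bandit eslint gosec}"`. In the loader's `docker tag` line, the `$(sudo docker images | grep $i | awk '{print $3}')` substitution sits inside a double-quoted `ssh` argument, so it is expanded on the bastion host rather than on `$GITLAB_HOST`, and `grep $i` can match more than one image there; since `docker save` keeps the repository tag, tagging by the known source name (`registry.gitlab.com/gitlab-org/security-products/analyzers/${i}:2`) on the remote side avoids both problems. Both scripts use `set -ux` without `-e`, so a failed `docker pull`, `scp` or `docker load` does not stop the run and later steps can tag or push a stale image; `set -eux` would fail closed. The packager also writes to `./analyzers/` without creating it, and nothing records a checksum of each tar for the loader to verify after the transfer, which is worth adding for images that cross into an air-gapped registry.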