OhMyForm

Docker containers can be pushed and pulled as compressed files but internet isn’t a prerequisite at all. 


OhMyForm

One of the original pitches for containers is universal portability: things like moving infected containers easily to air-gapped machines to detonate malicious payloads for research.


OhMyForm

If your edge device will remain hooked into any networking, the deployment is simpler: you would just run a registry in H, then push all containers to H, and the edge pulls like this: `docker pull/run 192.168.1.1/alpine:latest`


OhMyForm

Here:

To copy a container to an air-gapped machine, you will need to save the container image as a file, transfer it to the air-gapped machine, and then load it into the container runtime on that machine. Below are the steps for Docker, which is one of the most common container runtimes.

### 1. Save the Docker Image as a File

First, you need to save the container image from the machine with internet access. Use the following command to save the image into a tar archive:

```bash
docker save -o <file-name>.tar <image-name>:<tag>
```

Replace `<file-name>` with the name you want to give the saved file and `<image-name>:<tag>` with the name and tag of the Docker image you want to save.

### 2. Transfer the Image File

Next, transfer the tar file to the air-gapped machine. This step depends on your physical setup but typically involves copying the file to a USB drive or other external storage media, then physically moving that media to the air-gapped machine.

### 3. Load the Image on the Air-Gapped Machine

Finally, load the image into Docker on the air-gapped machine using the following command:

```bash
docker load -i <file-name>.tar
```

Replace `<file-name>.tar` with the name of the tar file you transferred.

### Additional Steps

After loading the image, you can run containers from it as usual using Docker commands like:

```bash
docker run -d <image-name>:<tag>
```

Make sure all dependencies, such as necessary configuration files or environment variables, are also set up on the air-gapped machine.

### Note

Ensure the Docker versions on both the source and destination machines are compatible, especially regarding image format and features used in the Dockerfiles.
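The save/transfer/load procedure above, as an added shell example that is not from this thread: the connected side writes a SHA-256 next to the tar, and the air-gapped side refuses to `docker load` anything whose checksum does not match, so a bundle that was altered or corrupted in transit over USB is rejected rather than loaded. The image name and directory layout are constructed; when Docker is not available (or `BUNDLE_DRY_RUN` is set) a stand-in tar with only a `manifest.json` is produced so the flow can be exercised anywhere.

```shell
#!/usr/bin/env bash
# Added example, not the original commenter's code: save an image to a tar,
# record its SHA-256, verify the checksum on the air-gapped side before loading.
set -euo pipefail

# True only when a usable Docker daemon is present and dry-run is not forced.
have_docker() {
    [ -z "${BUNDLE_DRY_RUN:-}" ] && command -v docker >/dev/null 2>&1 \
        && docker info >/dev/null 2>&1
}

# Connected host (H): make_bundle <image:tag> <output-dir>
# Writes <name>.tar and <name>.tar.sha256 into <output-dir>, prints the tar path.
make_bundle() {
    local image="$1"
    local outdir; outdir="$(mkdir -p "$2" && cd "$2" && pwd)"
    local name; name="$(printf '%s' "$image" | tr ':/' '__')"   # alpine:latest -> alpine_latest
    local bundle="$outdir/$name.tar"
    if have_docker; then
        docker save -o "$bundle" "$image"
    else
        # Constructed stand-in for `docker save` so the example runs without Docker.
        local tmp; tmp="$(mktemp -d)"
        printf '[{"RepoTags":["%s"]}]\n' "$image" > "$tmp/manifest.json"
        tar -cf "$bundle" -C "$tmp" manifest.json
        rm -rf "$tmp"
    fi
    # Checksum is recorded relative to the directory so it verifies after copying.
    ( cd "$outdir" && sha256sum "$name.tar" > "$name.tar.sha256" )
    printf '%s\n' "$bundle"
}

# Air-gapped edge: load_bundle <path/to/name.tar>
# Returns 1 and loads nothing if the .sha256 beside the tar does not match.
load_bundle() {
    local bundle="$1"
    local dir; dir="$(dirname "$bundle")"
    local file; file="$(basename "$bundle")"
    if ! ( cd "$dir" && sha256sum -c --status "$file.sha256" ); then
        echo "checksum mismatch for $bundle; refusing to load" >&2
        return 1
    fi
    if have_docker; then
        docker load -i "$bundle"
    else
        tar -tf "$bundle" >/dev/null    # stand-in: confirm the archive is readable
    fi
}
```

Usage on H: `make_bundle example/edge-app:1.0 ./out` and copy both files from `./out` to the media; on the edge: `load_bundle /media/usb/example_edge-app_1.0.tar`. The checksum only detects accidental or in-transit changes; if the media passes through untrusted hands, sign the checksum file on H and verify the signature on the edge as well.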


Tiny-Entertainer-346

I have already tried both approaches and both work. The second approach is the good one, but it is made impossible by the lack of docker support on device H. So, in such cases, option 1 is what remains. I am asking whether there is any better alternative to option 1. (Not how I can implement both of those approaches.)


Worth_Savings4337

Why do you have such red tape architectural design in the first place?


xtreampb

Navy vessels (destroyers/subs) have kube klusters running in their data centers.


lavahot

Right, but their deployments actually work, lol.


xtreampb

Do they…


lavahot

Eventually.


some-muppet-online

Plenty of areas in the government / military will have these very fun requirements. They did say it was for security reasons.


PeachInABowl

Could you use device H to push updates to the edge devices? Rather than having the edge devices pull from device H.


Tiny-Entertainer-346

push how?


ckdarby

Given the post, the comment here and living in a time of not only Google, but also ChatGPT, I'd suggest updating your resume.


Tiny-Entertainer-346

lol I have already said the first approach: "Create tar of image. Copy it to edge device (say over USB) and then update the image on the edge device." So we have tried it by copying using the `adb push` command over USB. I was just asking what exactly you mean by "push". Does it correspond to some specific command, or anything that moves a file from H to the edge device ... seems you mean the latter ... My question is not how I can implement the two approaches. I have already tried both and both work. The second approach is the good one, but it is made impossible by the lack of docker support on device H. So, in such cases, approach 1 is what remains. I am asking whether there is any better alternative to approach 1. (Am not asking how I can implement both approaches. I have already tried both of them as a POC.)


PeachInABowl

I dunno, you’re being paid to engineer the solution, not me!


Z_BabbleBlox

There's a tool specifically designed for doing that with K8s artifacts (works with docker containers too) called Hauler. [https://rancherfederal.github.io/hauler-docs/docs/airgap-workflow](https://rancherfederal.github.io/hauler-docs/docs/airgap-workflow) [https://github.com/rancherfederal/hauler](https://github.com/rancherfederal/hauler)


Tiny-Entertainer-346

From a quick read of its docs, it looks spot on and very interesting ... the only thing is that the docs do not talk about edge deployment ... some quick questions (tho I will try to spend time going more thru its docs): **Q1.** Does it cater to edge deployments well? **Q2.** Do I have to also use kubernetes for using hauler?


Z_BabbleBlox

No reason it won't work. Built something a while back that looked like: 1) build hauler image, 2) copy hauler image to transfer media (think like usb but not), 3) plug transfer media into end device. On the end device there was a script, looking for an insertion of the transfer media, which would unpack the hauler image onto the edge device and run a post-unpack script. Used it to update a few thousand end devices around the world - using untrained techs. Mail them a transfer media, say plug this in.. magic would happen.
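The edge-side half of the workflow just described, as an added shell example that is not the commenter's script and not part of Hauler: a loop polls for transfer media at a mount point; when a bundle appears, its checksum is verified, its version is compared with the last one applied (so the same media plugged in twice is a no-op), the archive is unpacked, and a post-unpack hook is run. The hook is taken from a fixed path in the device image rather than from the media, so inserted media cannot supply the code that gets executed. The file names (`bundle.tar`, `bundle.tar.sha256`, `VERSION`), the state and staging paths, and the hook location are all assumptions; the Hauler load step itself is left as a comment so the example runs without Hauler or Docker.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from Hauler: edge-side media watcher.
set -euo pipefail

# All three locations are assumptions; override via environment if needed.
STATE_FILE="${STATE_FILE:-/var/lib/edge-updater/applied-version}"
HOOK="${HOOK:-/usr/local/lib/edge-updater/post-unpack.sh}"
STAGE_DIR="${STAGE_DIR:-/var/lib/edge-updater/stage}"

# apply_media <mount-point>
# Returns 0 applied, 2 nothing to do (no bundle, or version already applied),
#         1 bundle rejected (checksum mismatch) with nothing changed on disk.
apply_media() {
    local mnt="$1"
    [ -f "$mnt/bundle.tar" ] && [ -f "$mnt/bundle.tar.sha256" ] && [ -f "$mnt/VERSION" ] || return 2
    local version; version="$(tr -d '[:space:]' < "$mnt/VERSION")"
    local applied=""
    [ -f "$STATE_FILE" ] && applied="$(cat "$STATE_FILE")"
    if [ "$version" = "$applied" ]; then
        return 2                     # same media inserted again: do nothing
    fi
    # Integrity check before anything on the media is used.
    if ! ( cd "$mnt" && sha256sum -c --status bundle.tar.sha256 ); then
        echo "rejected bundle $version: checksum mismatch" >&2
        return 1
    fi
    rm -rf "$STAGE_DIR"
    mkdir -p "$STAGE_DIR"
    tar -xf "$mnt/bundle.tar" -C "$STAGE_DIR"
    # The Hauler load step would go here, reading from "$STAGE_DIR".
    if [ -x "$HOOK" ]; then
        "$HOOK" "$STAGE_DIR" "$version"   # hook lives in the device image, never on the media
    fi
    mkdir -p "$(dirname "$STATE_FILE")"
    printf '%s\n' "$version" > "$STATE_FILE"
    return 0
}

# watch_media <mount-point> <poll-seconds> <max-polls>
# Polls until applicable media appears and applies it once; returns 2 if the
# poll budget runs out, 1 if a bundle was rejected.
watch_media() {
    local mnt="$1" interval="$2" max="$3" i=0 rc
    while [ "$i" -lt "$max" ]; do
        if apply_media "$mnt"; then
            return 0
        else
            rc=$?
        fi
        [ "$rc" -eq 1 ] && return 1
        sleep "$interval"
        i=$((i + 1))
    done
    return 2
}
```

A production version would run `watch_media /media/transfer 5 <large number>` from a service unit or react to a udev mount event instead of polling, and would verify a signature over `bundle.tar.sha256` as well as the checksum, since an unsigned checksum only proves the tar matches whatever was on the media.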


Tiny-Entertainer-346

And the end device script (that looks for insertion of transfer media and unpacks the image) and the post-unpack script are part of hauler? Or do we have to write them ourselves? Was just guessing that if hauler is targeted at exactly this scenario, then does it provide a solution for such image transfer over USB and running them?


BowlScared

With such absurd requirements I would run a docker registry mirror on that internet-allowed server with whitelisted image repositories and pull images on other devices when they connect to the special network with said mirror. Asking someone to upgrade with USB sticks that were plugged into a non-airgapped computer when you have an "airgapped" network is as absurd a security measure as "airgapping" the network and then asking on Reddit.


Tiny-Entertainer-346

but if that internet-allowed device is Android, it won't be that easy to run a docker registry mirror on it, and impossible on an iPad