Getting the Docker image

There are two ways to obtain Airlock IAM Docker images:

  • By pulling the image directly from one of the private image repositories on quay.io or Docker Hub.
  • By downloading an image file from the Techzone download area, for air-gapped installations.

Note: In Spring 2024, all IAM Docker images were migrated from Docker Hub to quay.io. All customers that use Docker Hub for container image downloads must have migrated to quay.io by September 2024.

Pulling the IAM image from an image repository

IAM images can be pulled from a private image repository on either quay.io or Docker Hub.

To pull an IAM image from a private repository, you need to perform the following steps:

  • Gain access to the private repository.
  • Verify the signature of the image in the repository.
  • Retrieve the image from the repository.

The step details for quay.io differ from those for Docker Hub. Both options are described below.

Pulling from quay.io

Follow the instructions below:

Gaining access to quay.io

Proceed as follows:

  1. Register an account on https://quay.io (only necessary if you do not yet have a Red Hat account).
  2. Create a support case on Techzone - Airlock support process and ask for access to the https://quay.io/airlock/iam repository. Add your Red Hat account to your support ticket.
  3. You will receive a notification via your ticket as soon as Airlock Support has approved your authorization.
  4. You can now access the quay.io private repository. To log in, run the following command in your Docker CLI:

    # Pass the password on stdin so it does not appear in the process argument list
    printf '%s' "${QUAY_PASSWORD}" | docker login quay.io -u "${QUAY_USER}" --password-stdin

Verifying the image signature

All images of Airlock IAM are signed. We strongly recommend verifying these digital signatures. 

Proceed as follows:

  1. Run the following command to directly verify the digital signature of the IAM image in the quay.io repository. Note that the command uses the cosign tool. Be sure to set the correct IAM release version.

    cosign verify quay.io/airlock/iam:8.1 --key https://docs.airlock.com/iam.pub --private-infrastructure

  2. On successful verification, the output should look like this (the first line names the image reference that was verified):

    Verification for quay.io/airlock/iam:8.2 --
    The following checks were performed on each of these signatures:
      - The cosign claims were validated
      - The signatures were verified against the specified public key

    [{"critical":{"identity":{"docker-reference":"quay.io/airlock/iam"},"image":{"docker-manifest-digest":"sha256:0ae041...34ccfb"},"type":"cosign container image signature"},"optional":null}]

Retrieving the image

Once the image signature has been verified successfully, you can pull the image from the repository.

Proceed as follows:

  1. Run the following command in your Docker CLI. Be sure to set the correct IAM release version.

    docker pull quay.io/airlock/iam:8.1
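
The verify and pull commands above both reference the tag, which is mutable, so the image behind it can differ between the two steps. The following added example (not part of the Airlock documentation) pulls the exact manifest digest that cosign reported as signed; the function names and the sample JSON are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code: verify the signature, then pull by the
# digest that cosign verified instead of by the mutable tag.
KEY_URL="https://docs.airlock.com/iam.pub"   # public key URL from this page

# Constructed sample of cosign's JSON output (the digest is a made-up value).
SAMPLE_COSIGN_JSON='[{"critical":{"identity":{"docker-reference":"quay.io/airlock/iam"},"image":{"docker-manifest-digest":"sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},"type":"cosign container image signature"},"optional":null}]'

# Read cosign JSON on stdin and print the signed manifest digest.
# Fails unless exactly one distinct, well-formed sha256 digest is present.
digest_from_cosign_json() {
    digests=$(grep -o '"docker-manifest-digest":[[:space:]]*"sha256:[0-9a-f]\{64\}"' \
        | sed 's/.*"\(sha256:[0-9a-f]*\)"$/\1/' | sort -u)
    [ -n "$digests" ] || return 1
    count=$(printf '%s\n' "$digests" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$digests"
}

# Verify REPO:TAG with the vendor key, then pull REPO@DIGEST.
verify_and_pull() {
    repo=$1
    tag=$2
    json=$(cosign verify "$repo:$tag" --key "$KEY_URL" --private-infrastructure) || {
        echo "signature verification failed for $repo:$tag" >&2
        return 1
    }
    digest=$(printf '%s\n' "$json" | digest_from_cosign_json) || {
        echo "no single signed digest found in cosign output" >&2
        return 1
    }
    echo "verified $repo:$tag as $digest" >&2
    docker pull "$repo@$digest"
}

# Usage: sh verify-pull.sh quay.io/airlock/iam 8.1
if [ "$#" -eq 2 ]; then
    verify_and_pull "$1" "$2"
fi
```

Referencing the image by the printed digest in deployment manifests keeps later pulls bound to the image that was verified.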

Pulling from Docker Hub

Follow the instructions below:

Gaining access to Docker Hub

Proceed as follows:

  1. Create a support case on Techzone - Airlock support process and ask for access to the Airlock IAM repository on Docker Hub.
  2. Upon approval, you will receive an access token for the Docker ID airlockcustomer.
  3. You can now access the IAM image repository on Docker Hub: Airlock IAM on Docker Hub – airlock-iam.

Verifying the image signature

All images of Airlock IAM are signed. We strongly recommend configuring Docker to enforce digital signatures on all images, and verifying these digital signatures. 

Proceed as follows:

  1. In your Docker CLI, set the DOCKER_CONTENT_TRUST environment variable to the value 1 with the export command:

    export DOCKER_CONTENT_TRUST=1

    For more details on Docker content trust, see Content trust in Docker.

  2. To inspect the image signature, run the docker trust command in your Docker CLI:

    docker trust inspect --pretty docker.io/ergon/airlock-iam

Retrieving the image

Once the image signature has been verified successfully, you can pull the IAM image from the IAM repository page on Docker Hub.

Proceed as follows:

  1. Check the (Docker Hub) Airlock IAM Image repository page for all available images.
  2. Run the commands below in your Docker CLI. Be sure to set the correct IAM release version. For production, use the long release version (e.g., 8.x.0 or 8.x.1, etc.).

    docker login
    docker pull docker.io/ergon/airlock-iam:8.1

Downloading the Docker image from the Techzone

As an alternative to pulling an IAM Docker image from a repository, you can download the image as a Docker image file from the Airlock Techzone. This method allows for "air-gapped" installations, in case your server is not connected to the Docker repository directly.

Follow the instructions below to download an IAM Docker image as an image file from the Airlock Techzone.

Proceed as follows:

  1. Go to the IAM download area on the Airlock Techzone: https://techzone.ergon.ch/downloads/airlock-iam
  2. In the list of IAM release versions, click on the Details link next to the appropriate IAM release.
  3. Click on the image file with file name airlock-iam-docker-image-<8.x.x> and file extension tar.gz.
  4. The image file is downloaded.
  5. You can now load the image. For this, run the commands below in your Docker CLI:

    # Load the image
    docker load -i airlock-iam-docker-image-8.1.0.tar.gz

    # Should list the loaded image
    docker images | grep airlock

  6. Next, push the image to your local Docker registry (if you have one). For this, run the following commands:

    # Create an alias matching the Docker Hub repository name for the
    # examples in this document to work
    docker tag airlock-iam:8.1.0 ergon/airlock-iam:8.1.0

    # Show help to perform a quick check
    docker run --rm ergon/airlock-iam:8.1.0 --help

    # Replace "docker.example.com" with the URL to your local
    # Docker registry
    docker tag ergon/airlock-iam:8.1.0 docker.example.com/ergon/airlock-iam:8.1.0

    # Push the image to the local Docker registry
    docker push docker.example.com/ergon/airlock-iam:8.1.0