Getting the Docker image

IAM Docker images can be obtained from Docker Hub or quay.io. Note that the image repository is private.

There are two ways to obtain Airlock IAM Docker images:

  • Via pull, directly from the repository.
  • As a downloaded version for air-gapped installations.

In Spring 2024, all images will be migrated from Docker Hub to quay.io.

All customers who use Docker Hub for container image downloads must migrate by September 2024.

Step 1a - Gain access to the private repository on quay.io

The image repository on quay.io is private and requires an authorized user account to pull images.

To gain access, the following steps must be taken:

  1. Register an account on https://quay.io, if you do not yet have a Red Hat account.
  2. Create a support case on https://techzone.ergon.ch to communicate your Red Hat account to Ergon and ask to be added to https://quay.io.
  3. You will receive a notification through the ticket as soon as Airlock Support has approved your authorization.
  4. You can download the image from here as soon as you have access: https://quay.io/airlock/iam

All commands require an authenticated session with quay.io. Use this command to log in:

docker login quay.io -u "${QUAY_USER}" -p "${QUAY_PASSWORD}"

Step 2a - Verify the image signature on quay.io

All images of Airlock IAM are signed and it is strongly recommended to verify these digital signatures. 

The following command uses the cosign tool to directly verify the digital signature of the Airlock IAM image on quay.io:

cosign verify quay.io/airlock/iam:${TARGET_TAG} --key https://docs.airlock.com/iam.pub --private-infrastructure

A successful run of cosign verify on IAM 8.2 should produce output like this:

Verification for quay.io/airlock/iam:8.2 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"quay.io/airlock/iam"},"image":{"docker-manifest-digest":"sha256:0ae041...34ccfb"},"type":"cosign container image signature"},"optional":null}]

Step 3a - Retrieve the image from quay.io

To obtain a container image of an IAM release, use the following command:

docker pull quay.io/airlock/iam:${TARGET_TAG}
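Steps 2a and 3a combined, as an added example that is not part of the original documentation: the signature is verified for the tag, and the image is then pulled by the digest named in the signed payload, so the image pulled is the one that was verified even if the tag moves in between. The function names and the sample JSON are constructed for illustration, and the script assumes cosign writes the payload JSON to stdout in the compact form shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the Airlock documentation): verify a tag's signature,
# then pull the exact digest that the signature covers.
IMAGE_REPO="quay.io/airlock/iam"
COSIGN_KEY="https://docs.airlock.com/iam.pub"

# Constructed sample of the JSON payload printed by cosign verify (digest is made up).
SAMPLE_JSON='[{"critical":{"identity":{"docker-reference":"quay.io/airlock/iam"},"image":{"docker-manifest-digest":"sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},"type":"cosign container image signature"},"optional":null}]'

# Print the signed manifest digest if the payload names the expected repository
# and all signatures agree on one well-formed sha256 digest; fail otherwise.
signed_digest() {
  local json="$1" repo="$2" digests
  # The signature must be for this repository, not merely valid for some image.
  case "$json" in
    *"\"docker-reference\":\"${repo}\""*) ;;
    *) return 1 ;;
  esac
  digests=$(printf '%s' "$json" |
    grep -oE '"docker-manifest-digest":"sha256:[0-9a-f]{64}"' |
    grep -oE 'sha256:[0-9a-f]{64}' | sort -u)
  # Reject a missing, truncated or ambiguous digest.
  [ -n "$digests" ] && [ "$(printf '%s\n' "$digests" | wc -l)" -eq 1 ] || return 1
  printf '%s\n' "$digests"
}

# Verify the tag with the command from step 2a, then pull by digest instead of by tag.
verify_and_pull() {
  local tag="$1" json digest
  json=$(cosign verify "${IMAGE_REPO}:${tag}" --key "$COSIGN_KEY" \
    --private-infrastructure) || return 1
  digest=$(signed_digest "$json" "$IMAGE_REPO") || return 1
  docker pull "${IMAGE_REPO}@${digest}"
}

# Runs only when a tag is supplied, e.g. TARGET_TAG=8.2 bash verify-and-pull.sh
if [ -n "${TARGET_TAG:-}" ]; then
  verify_and_pull "$TARGET_TAG"
fi
```

Recording the pulled digest in deployment manifests keeps later rollouts pinned to the verified image.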

Step 1b - Pull from Docker Hub (hub.docker.com)

Note that our image repository is private and you need an access token to pull the images.

To gain access, the following steps must be taken:

  1. Create a support ticket for "access to Airlock IAM on Docker Hub" on https://techzone.ergon.ch.
  2. You will receive an access token for the Docker-ID airlockcustomer.

You can download the image from here as soon as you have the access token: Airlock IAM on Docker Hub – airlock-iam

Step 2b - Configure Docker to verify digital signatures

All images of Airlock IAM are signed and it is strongly recommended to configure Docker to verify these digital signatures. It is recommended to configure Docker to enforce digital signatures on all images.

This is achieved by setting the following environment variable:

Docker CLI

export DOCKER_CONTENT_TRUST=1

For more details on Docker content trust see Content trust in Docker.

You may inspect the signature using the docker trust command:

Docker CLI

docker trust inspect --pretty docker.io/ergon/airlock-iam

Step 3b - Retrieve Docker image

Check the (Docker Hub) Airlock IAM Image repository page to see all available Tags.

For example, to obtain the latest container image of an IAM release, use the following commands:

Docker CLI

docker login
docker pull docker.io/ergon/airlock-iam:8.2

For production, specific tags should be used, e.g. 8.x.0 or 8.x.1.

Alternatively: Download distribution of Docker image

This method allows for "air-gapped" installation, where the server doesn't connect to the Docker registry directly. A local/private Docker registry or other means of distributing the image as files to your machines are used instead.

The Docker image is published as an image file and has the file extension ".tar.gz".

The image file can be loaded and pushed to your local Docker registry:

Docker CLI

# Load image
docker load -i airlock-iam-docker-image-8.2.0.tar.gz

# Should list the loaded image
docker images | grep airlock

# Create alias matching the Docker Hub repository name for the
# examples on this page to work
docker tag airlock-iam:8.2.0 ergon/airlock-iam:8.2.0

# Show help to perform a quick check
docker run --rm ergon/airlock-iam:8.2.0 --help

# Replace "docker.example.com" with the URL to your local
# Docker registry
docker tag ergon/airlock-iam:8.2.0 docker.example.com/ergon/airlock-iam:8.2.0

# Push the image to the local Docker registry
docker push docker.example.com/ergon/airlock-iam:8.2.0

If you don't have a local Docker registry you may skip the tagging and pushing steps.