Getting the Docker image

There are two ways to obtain Airlock IAM Docker images:

  • By pulling the image directly from the private image repository quay.io.
    Note: In Spring 2024, all IAM Docker images were migrated from Docker Hub to quay.io. All customers that use Docker Hub for container image downloads must have migrated to quay.io by September 2024.
  • By downloading an image file from the Techzone download area, for air-gapped installations.

Pulling the IAM image from an image repository

IAM images can be pulled from the quay.io private image repository.

You need to perform the following steps:

  • Gaining access to the private repository.
  • Verifying the signature of the image in the repository.
  • Retrieving the image from the repository.

The sections below describe the details per step. Follow the instructions in each section:

Gaining access to quay.io

Proceed as follows:

  1. Register an account on https://quay.io (only necessary if you do not yet have a Red Hat account).
  2. Create a support case on Techzone - Airlock support process and ask for access to the https://quay.io/airlock/iam repository. Add your Red Hat account to your support ticket.
  3. You will receive a notification via your ticket as soon as Airlock Support has approved your authorization.
  4. You can now access the quay.io private repository. To log in, run the following command in your Docker CLI:

    docker login quay.io -u "${QUAY_USER}" -p "${QUAY_PASSWORD}"

Verifying the image signature

All images of Airlock IAM are signed. We strongly recommend verifying these digital signatures. 

Proceed as follows:

  1. Run the following command to directly verify the digital signature of the IAM image in the quay.io repository. Note that the command uses the cosign tool. Be sure to set the correct IAM release version.

    cosign verify quay.io/airlock/iam:8.3 --key https://docs.airlock.com/iam.pub --private-infrastructure

  2. On successful verification, the output should look like this:

    Verification for quay.io/airlock/iam:8.3 --
    The following checks were performed on each of these signatures:
      - The cosign claims were validated
      - The signatures were verified against the specified public key
    
    [{"critical":{"identity":{"docker-reference":"quay.io/airlock/iam"},"image":{"docker-manifest-digest":"sha256:0ae041...34ccfb"},"type":"cosign container image signature"},"optional":null}]
    

Retrieving the image

Once the image signature has been verified successfully, you can pull the image from the repository.

Proceed as follows:

  1. Run the following command in your Docker CLI. Be sure to set the correct IAM release version.

    docker pull quay.io/airlock/iam:8.3
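
The verify and pull commands above both reference the tag 8.3, and a tag can be re-pointed between the two commands. The script below is an added example, not part of the Airlock documentation: it runs the same cosign verify command, extracts the signed manifest digest from the JSON output, and pulls by that digest. The function names and the sample JSON (with a made-up digest) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: verify the signature, then pull by the signed digest
# instead of the mutable tag. Function names are hypothetical.

IMAGE_REPO="quay.io/airlock/iam"             # repository named on the page
KEY_URL="https://docs.airlock.com/iam.pub"   # public key URL from the page

# Constructed sample of cosign's JSON output (the digest is made up).
SAMPLE_COSIGN_JSON='[{"critical":{"identity":{"docker-reference":"quay.io/airlock/iam"},"image":{"docker-manifest-digest":"sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},"type":"cosign container image signature"},"optional":null}]'

# Read cosign verify output on stdin and print the signed manifest digest.
# Fails unless exactly one well-formed sha256 digest is present.
signed_digest() {
    digests=$(grep -o '"docker-manifest-digest":"[^"]*"' | cut -d'"' -f4 | sort -u)
    if [ "$(printf '%s\n' "$digests" | grep -c '')" != 1 ] ||
       [ "$(printf '%s\n' "$digests" | grep -Ecx 'sha256:[0-9a-f]{64}')" != 1 ]; then
        return 1
    fi
    printf '%s\n' "$digests"
}

# Verify the tag, then pull the exact manifest whose signature was checked.
verify_and_pull() {
    tag=$1
    out=$(cosign verify "${IMAGE_REPO}:${tag}" --key "${KEY_URL}" \
              --private-infrastructure) || {
        echo "signature verification failed for ${IMAGE_REPO}:${tag}" >&2
        return 1
    }
    digest=$(printf '%s\n' "$out" | signed_digest) || {
        echo "no single well-formed digest in cosign output" >&2
        return 1
    }
    docker pull "${IMAGE_REPO}@${digest}"
}

# Runs only when a release tag is given, e.g.: sh verify-pull.sh 8.3
if [ "$#" -gt 0 ]; then
    verify_and_pull "$1"
fi
```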

Downloading the Docker image from the Techzone

As an alternative to pulling an IAM Docker image from a repository, you can download the image as a Docker image file from the Airlock Techzone. This method allows for "air-gapped" installations, in case your server is not connected to the repository directly.

Follow the instructions below to download an IAM Docker image as an image file from the Airlock Techzone.

Proceed as follows:

  1. Go to the IAM download area on the Airlock Techzone: https://techzone.ergon.ch/downloads/airlock-iam
  2. In the list with IAM release versions, click on the Details link next to the appropriate IAM release version.
  3. Click on the image file with file name airlock-iam-docker-image-<8.x.x> and file extension tar.gz. The image file is downloaded.
  4. You can now load the image. For this, run the commands below in your Docker CLI:

    # Load image
    docker load -i airlock-iam-docker-image-8.3.0.tar.gz

    # Should list the loaded image
    docker images | grep airlock

  5. Next, push the image to your local Docker registry (if you have one). For this, run the following commands:

    # Create alias matching the Docker Hub repository name for the
    # examples in this document to work
    docker tag airlock-iam:8.3.0 ergon/airlock-iam:8.3.0

    # Show help to perform a quick check
    docker run --rm ergon/airlock-iam:8.3.0 --help

    # Replace "docker.example.com" with the URL to your local
    # Docker registry
    docker tag ergon/airlock-iam:8.3.0 docker.example.com/ergon/airlock-iam:8.3.0

    # Push the image to the local Docker registry
    docker push docker.example.com/ergon/airlock-iam:8.3.0