GitHub container registry (GHCR)

Todo

Remove following paragraph once the BSP is open-sourced.

You will first need to create a GitHub Personal Access Token (PAT).

More details about the process can be found here.

Note

Your token must have at least read:packages permission.

$ skopeo login -u <github login> ghcr.io # Password is the PAT created above

The container can be downloaded and installed using the following commands:

$ export machine=$CONTAINER_HELPER_ARCH
$ export package=<image name>           # E.g. simpleswitch-mosquitto
$ export tag=$RELEASE_VERSION           # Change to download a specific version

$ container-helper pull ghcr.io ghcr.io/avnet-embedded/simpleswitch/${machine}/${package}:${tag}
$ container-helper genimage ghcr.io/avnet-embedded/simpleswitch/${machine}/${package}:${tag}
$ simpleswitch-helper install ${package}.simpleswitchpackage
$ simpleswitch-helper start ${package}

Note

It is advised to start the procedure described above from a location with enough free disk space.

A safe choice would be:

$ mkdir /apps/_tmp && cd /apps/_tmp
$ ... # procedure described above
$ cd / && rm -rf /apps/_tmp

Otherwise you could encounter unexpected "No space on device" error messages.

Finally, one command to rule them all! registry-install is a wrapper around all the previous commands:

$ export machine=$CONTAINER_HELPER_ARCH
$ export package=<image name>           # E.g. simpleswitch-mosquitto
$ export tag=$RELEASE_VERSION           # Change to download a specific version

$ container-helper registry-install ghcr.io ghcr.io/avnet-embedded/simpleswitch/${machine}/${package}:${tag}
$ simpleswitch-helper start ${package}

It is possible to list the containers available on the Tria ghcr.io registry:

$ container-helper list-remote

Note

Bash autocompletion is provided for the container-helper and simpleswitch-helper subcommands. For a smooth experience, it is recommended to export the variable package, i.e. the name of the container; autocompletion will then fill in the other parameters.

Access GHCR from a private network with no direct access to the internet

If:

  • the board is only part of a private network with no direct access to the internet,

  • a computer with an SSH client is part of that private network,

  • that computer has access to the internet through another network,

[Figure: private_network.png]

It is possible to create SSH tunnels to reach GHCR from the board through the computer.

On the board, add the following mappings in /etc/hosts:

127.0.0.1   ghcr.io
127.0.1.1   pkg-containers.githubusercontent.com
127.0.2.1   api.github.com

This can be achieved through the following command:

$ cat >> /etc/hosts << EOL
127.0.0.1   ghcr.io
127.0.1.1   pkg-containers.githubusercontent.com
127.0.2.1   api.github.com
EOL

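Then modify the configuration of the OpenSSH server on the board. Open the file /etc/ssh/sshd_config and set the option GatewayPorts to clientspecified, which lets the SSH client choose the address each remote forward binds to (the tunnels use the three distinct loopback addresses mapped above). If the file still contains the default commented-out line #GatewayPorts no, the following command makes the change: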

$ sed -i "s/^#GatewayPorts no/GatewayPorts clientspecified/" /etc/ssh/sshd_config

Finally, on the computer, create the following script (named start-tunnel.sh in the commands below):

#! /usr/bin/bash
# SPDX-FileCopyrightText: (C) 2024 Avnet Embedded GmbH
# SPDX-License-Identifier: LicenseRef-Avnet-OSS-1.0

if [ -z "$1" ]; then
	echo "Need to pass the IP of the target as first argument"
	exit 1
fi

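REMOTE_IP=$1

# Hosts to tunnel; the order must match the /etc/hosts mappings on the board
URLS=(
   "ghcr.io"
   "pkg-containers.githubusercontent.com"
   "api.github.com"
)

# Host number i is bound to 127.0.<i>.1:443 on the board and forwarded
# through this computer to <host>:443
i=0
for url in "${URLS[@]}"; do
	ssh -Nf -R 127.0."${i}".1:443:"${url}":443 root@"${REMOTE_IP}"
	i=$((i + 1))
done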

Then make it executable and run it:

$ chmod +x start-tunnel.sh
$ ./start-tunnel.sh <IP of the board>

Now it should be possible to launch the skopeo and container-helper commands above.

If you are running on a sourced SimpleSwitch™ SDK, you can also run

$ simpleswitch-reverse-tunnel <IP of the board>

to have the procedure described above set up automatically.
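
The board-side half of the manual procedure (the /etc/hosts mappings and the GatewayPorts setting) can be checked before the tunnels are started. The script below is an added example, not part of container-helper or the SimpleSwitch™ SDK; the function names are hypothetical, and Match blocks and Include files in sshd_config are assumed to be absent.

```bash
#!/usr/bin/env bash
# Added example: preflight checks for the tunnel setup above.
# Not part of container-helper or the SimpleSwitch SDK.

# check_hosts FILE: succeed only if each registry host maps to the loopback
# address used by the tunnels. The first matching entry in FILE is the one
# that is checked.
check_hosts() {
    hosts_file=$1
    rc=0
    while read -r ip host; do
        found=$(awk -v h="$host" '
            { sub(/#.*/, "") }                       # drop comments
            { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
        ' "$hosts_file")
        if [ "$found" != "$ip" ]; then
            echo "hosts: $host -> ${found:-missing}, expected $ip" >&2
            rc=1
        fi
    done <<EOF
127.0.0.1 ghcr.io
127.0.1.1 pkg-containers.githubusercontent.com
127.0.2.1 api.github.com
EOF
    return "$rc"
}

# effective_gateway_ports FILE: print the GatewayPorts value sshd would use.
# sshd keeps the first value it reads for a keyword and defaults to "no".
# Assumption: Match blocks and Include files are not evaluated here.
effective_gateway_ports() {
    awk 'tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# check_sshd FILE: succeed only for "clientspecified". "no" limits remote
# forwards to the local host only; "yes" binds them to the wildcard address.
check_sshd() {
    value=$(effective_gateway_ports "$1")
    [ "$value" = "clientspecified" ] && return 0
    echo "sshd: GatewayPorts is '$value', expected 'clientspecified'" >&2
    return 1
}

# Run against the live files only when executed with the argument "run".
if [ "${1:-}" = "run" ]; then
    check_hosts /etc/hosts && check_sshd /etc/ssh/sshd_config
fi
```

A non-zero exit status from either check means the corresponding step has not taken effect; for sshd this includes the case where the sed command found no `#GatewayPorts no` line to replace.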