Github container registry (GHCR)#

Todo

Remove following paragraph once the BSP is open-sourced.

You will first need to create a Github Personal Access Token (PAT)

More details about the process can be found here.

Note

Your token must have at least read:packages permission.

$ skopeo login -u <github login> ghcr.io # Password is the PAT created above

Container can be downloaded and installed using following commands :

$ export machine=$CONTAINER_HELPER_ARCH
$ export package=<image name>           # E.g. simpleswitch-mosquitto
$ export tag=$RELEASE_VERSION           # Change to download a specific version

$ container-helper pull ghcr.io ghcr.io/avnet-embedded/simpleswitch/${machine}/${package}:${tag}
$ container-helper genimage ghcr.io/avnet-embedded/simpleswitch/${machine}/${package}:${tag}
$ simpleswitch-helper install ${package}.simpleswitchpackage
$ simpleswitch-helper start ${package}

Note

It is advised to start the procedure described above from a location with enough disk space left.

A safe choice would be

$ mkdir /apps/_tmp && cd /apps/_tmp
$ ... # procedure described above
$ cd / && rm -rf /apps/_tmp

otherwise you could encounter unexpected No space on device error messages

Finally, one command to rule them all ! registry-install is a wrapper around all the previous commands :

$ export machine=$CONTAINER_HELPER_ARCH
$ export package=<image name>           # E.g. simpleswitch-mosquitto
$ export tag=$RELEASE_VERSION           # Change to download a specific version

$ container-helper registry-install ghcr.io ghcr.io/avnet-embedded/simpleswitch/${machine}/${package}:${tag}
$ simpleswitch-helper start ${package}

It is possible to list available containers on Tria ghcr.io :

$ container-helper list-remote

Note

Bash autocomplete is provided for container-helper and simpleswitch-helper subcommands. Then, for a smooth experience it is recommended to export the variable package, ie the name of the container. The other parameters will be set thanks to the autocomplete.

Access GHCR from a private network with no direct access to internet#

If:

the board is only part of a private network with no direct access to internet.
a computer with an SSH client is part of that private network.
that computer has access to internet through another network.

../../../../../../_images/private_network.png

It is possible to create some SSH tunnels to reach GHCR from the board through the computer.

On the board, add the following mappings in /etc/hosts:

0.0.1   ghcr.io
0.1.1   pkg-containers.githubusercontent.com
0.2.1   api.github.com

This can be achieved through the following command:

$ cat >> /etc/hosts << EOL
127.0.0.1   ghcr.io
127.0.1.1   pkg-containers.githubusercontent.com
127.0.2.1   api.github.com
EOL

Then modify the configuration of the OpenSSH server. Open the file /etc/ssh/sshd_config and set the argument GatewayPorts to clientspecified. You should be able to do it thanks to the command:

$ sed -i "s/^#GatewayPorts no/GatewayPorts clientspecified/" /etc/ssh/sshd_config

Finally, on the computer create the following script

#! /usr/bin/bash
# SPDX-FileCopyrightText: (C) 2024 Avnet Embedded GmbH
# SPDX-License-Identifier: LicenseRef-Avnet-OSS-1.0

if [ -z "$1" ]; then
	echo "Need to pass the IP of the target as first argument"
	exit 1
fi

REMOTE_IP=$1

URLS=(
   "ghcr.io"
   "pkg-containers.githubusercontent.com"
   "api.github.com"
)

i=0
for url in "${URLS[@]}"; do
	ssh -Nf -R 127.0."${i}".1:443:"${url}":443 root@"${REMOTE_IP}"
	i=$((i + 1))
done

and run

$ chmod +x start-tunnel.sh
$ ./start-tunnel.sh <IP of the board>

Now it should be possible to launch the skopeo and container-helper commands above.

If you are running on a sourced SimpleSwitch™ SDK, you can also run

simpleswitch-reverse-tunnel <IP of the board>

to have the above described procedure setup automatically