stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
42d9d2d860f82a18b1ac989986857d6851ba6d93
git.stella-ops.org/docs/24_OUK_ADMIN_GUIDE.md

197 lines
7.6 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#24 · Offline UpdateKit (OUK) Administration Guide —StellaOps
# OfflineUpdateKit(OUK) — AdministratorGuide
StellaOps is designed for *offlinefirst* deployments—e.g. regulated datacentres that cant call out to GitHub or NVD.
The **OfflineUpdateKit (OUK)** bundles *all* mutable security data (Trivy DB, NVD JSON, OSV feeds, UI locales, policy bundles) into a signed, singlefile archive so you can refresh an isolated cluster in minutes.
---
## 0Quick Start (TL;DR)
1. **Download** the latest release asset
```bash
curl -L -O https://git.stella-ops.ru/stella/ops/-/releases/latest/download/ouk-20250715.tar.gz
curl -L -O https://git.stella-ops.ru/stella/ops/-/releases/latest/download/ouk-20250715.tar.gz.sig
```
2. **Verify** the Cosign signature
```bash
cosign verify-blob \
--key cosign.pub \
--signature ouk-20250715.tar.gz.sig \
ouk-20250715.tar.gz
```
3. **JWT Refresh** the tarball already contains a **`client.jwt`** file valid
for **30 days**. Importing the OUK automatically refreshes the token used for
quota accounting in offline mode.
4. **UI →Settings →OfflineUpdates →Upload** the tarball
5. Wait for the toast: **“Feeds updated · TrivyDB20250714 · NVD20250715”**
6. Sub5s scans now use the fresh data—done!
---
## 1What the OUK Contains
| Component | Typical size |
|----------------------------------------|--------------|
| Trivy vulnerability DB (`vuln.db.tgz`) | 50MB |
| NVD JSON feed (all years) | 1.4GB |
| OSV JSON snapshots | 500MB |
| BDU XML feed (🇷🇺 optional) | 25MB |
| UI locale bundles | 100kB |
| Policy pack snapshots | 5kB |
| SBOM of the kit (`manifest.spdx.json`) | <1MB |
| Cosign signature (`*.sig`) | 1kB |
| ClientJWT (`client.jwt`) 30d | 2kB |
All files are **contentaddressed**; the SBOM references each SHA256 so auditors can trace provenance.
---
## 2Security Model
* Every tarball is signed with the **StellaOps project key** (`cosign.pub`, fingerprint `AB1234CD56EF…`).
* The backend refuses any archive that fails signature or digest checks.
* The embedded SBOM gives auditors full transparency into exact feed versions.
---
## 3Obtaining anOUK Tarball
### 3.1OfficialBuilds
* Produced automatically on the **first Friday of every month** by the Release pipeline (see *13_RELEASE_ENGINEERING_PLAYBOOK.md*).
* Stored under **GitLab →Releases →Assets** with the filename pattern `ouk-YYYYMMDD.tar.gz`.
* Example download via curl:
```bash
curl -L -O https://git.stella-ops.ru/stella/ops/-/releases/v2.3/downloads/ouk-20250715.tar.gz
curl -L -O https://git.stella-ops.ru/stella/ops/-/releases/v2.3/downloads/ouk-20250715.tar.gz.sig
```
---
## 4Uploading ViaUI
1. Log in as **system:admin** (role = Owner).
2. Navigate **Settings →OfflineUpdates**.
3. Press **Upload** and pick `ouk-YYYYMMDD.tar.gz`.
4. Backend workflow
1. Streams the file to `/tmp`.
2. Runs `cosign verify-blob`.
3. Extracts content into `var/lib/stella/db/` (readonly).
4. Flushes Redis cache.
> After Cosign verification the backend copies **`client.jwt`** into
> `/var/lib/stella/tokens/`, replacing the previous offline token and resetting
> its expiry countdown.
5. Audit log emits `ouk_update` event (actor, datetime, SHA256).
The UI toast now shows
> “Feeds updated + OfflineToken refreshed (validtill *17Aug 2025*)”.
---
## 5UploadingViaCLI (REST API)
No custom tool is required`curl` does the job.
```bash
ACCESS_TOKEN=$(cat token.txt) # bearer from OpenIddict
SIGNATURE_B64=$(base64 -w0 ouk-20250715.tar.gz.sig)
curl -X POST https://stella.local/api/admin/ouk \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
-H "X-Signature: ${SIGNATURE_B64}" \
--data-binary @ouk-20250715.tar.gz
```
*HTTP 201* is success; any non2xx code means verification or extraction failed.
---
## 6Automated Sync (Advanced)
When outbound Internet is *allowed* but inbound isnt:
1. Deploy **StellaOps.Registry** (internal Docker registry) on a host that can reach the Internet.
2. Cron job pulls the latest OUK with curl, verifies it, stores in an internal S3 bucket.
3. Offline cluster fetches nightly via **MinIO Gateway** URL:
```bash
curl -L -O https://minio.infra/offline/ouk-latest.tar.gz
curl -L -O https://minio.infra/offline/ouk-latest.tar.gz.sig
# repeat verification and upload steps
```
Remember to propagate **`client.jwt`** together with the feeds if you split the
tarball into multiple artefacts; otherwise the offline cluster may hit
*“Token expired”* errors.
---
## 7RollbackStrategy
* The backend keeps the **last three OUK snapshots** in `/var/lib/stella/ouk-backup/`.
* UI OfflineUpdates **Restore** next to the desired date.
* Operation swaps a symlink—≈3s, no service restart.
---
## 8Troubleshooting
| Symptom | Likely cause | Fix |
|--------------------------------------|----------------------|----------------------------------------------|
| Signature verification failed | Wrong key/tampered | Redownload; compare key fingerprints |
| Feed age tile stays red | Redis cache stale | `stella admin redis flushall` |
| `io/fs: readonly file system` | Volume mounted RO | Remount RW or move OUK path |
| NVD import >10min | Slow disk | Move DB path to SSD/LVM cache |
| *“Token expired”* banner after OUK upload | `client.jwt` missing or outofdate | Rerun `ouk fetch`; ensure tarball contains fresh token. |
---
## 9NonCommercialUsage Rules (English)
1. **Free for internal assessments** by individuals or organisations.
2. **SaaS resale/rehosting is forbidden** without explicit written consent (AGPL§13).
3. If you redistribute a modified build you **must** publish complete source under the same licence and keep StellaOps attribution.
4. Thirdparty dependencies remain under their respective licences (MIT, Apache2.0, ISC, BSD).
5. Deployments in stateregulated or classified environments must follow **ФЗ187** and exportcontrol law.
---
## 10BestPracticesSnapshot
* Rotate OUK uploads at least **monthly**; weekly during high CVE activity.
* Store OUK assets in an **immutable bucket** (S3 WORM, Artifactoryrelease) to thwart tampering.
* Keep `cosign.pub` on an offline rootoftrust USB; rotate keys yearly.
* During audits, export `manifest.spdx.json` as evidence of feed provenance.
---
## 11FAQ
**Q:** *Does OUK update Docker base images?*
**A:** No—OUK is for **data** only. Refresh base images via internal registry or CI pipelines.
**Q:** *Why not bundle Grype DB too?*
**A:** Grype consumes Trivy DB format directly; duplication saved 500MB.
---
## 12Change Log
| Version | Date | Notes |
|---------|------|-------|
| v1.2 | 20250716 | Switched CLI to curl, removed DIY build, dropped “Location” column, clarified download example. |
| v1.1 | 20250715 | Added UI upload flow, MinIO sync, usage rules, Cosign commands. |
| v1.0 | 20250709 | Initial OUK admin guide |
*(End of Offline UpdateKit Administration Guide v1.0)*
Reference in New Issue View Git Blame Copy Permalink