Bootstrap Pack (Airgap 56-004)
Guidance to build and install the bootstrap pack that primes sealed environments.
Contents
- Core images/charts for platform services (Authority, Excititor, Concelier, Export Center, Scheduler) with digests.
- Offline NuGet/npm caches (if permitted) with checksum manifest.
- Configuration defaults: sealed-mode toggles, trust roots, time-anchor bundle, network policy presets.
- Verification scripts: hash check, DSSE verification (if available), and connectivity probes to local mirrors.
Build steps
- Gather image digests and charts from trusted registry/mirror.
- Create `bootstrap-manifest.json` with: `bundleId`, `createdAt` (UTC), `producer`, `mirrorGeneration`, `files[]` (`path`, `sha256`, `size`, `mediaType`), and an optional `dsseEnvelopeHash`.
- Package into a tarball with deterministic ordering (POSIX/pax tar, sorted paths, numeric owner 0:0, fixed mtime, no user/group names from the build host).
- Compute the sha256 of the tarball and record it in the manifest; the manifest therefore ships alongside the tarball, not inside it.
Install steps
- Transfer pack to sealed site (removable media).
- Verify the tarball hash against the manifest and the DSSE envelope (if present) against offline trust roots before loading anything.
- Load images/charts into the local registry; preload caches to `local-nugets/` etc.
- Apply network policies (deny-all) and sealed-mode config.
- Register bootstrap manifest and mirrorGeneration with Excititor/Export Center.
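The build and install steps above, worked through as one script. This is an added example, not code from the Airgap 56-004 docs or the project's own tooling. Assumptions: the extension-to-`mediaType` map, the manifest field `tarballSha256` (the doc only says the tarball hash is "recorded in the manifest"), the function names, and the two sample files, which are constructed in a temporary directory. DSSE verification is out of scope here; if an envelope is present it is checked against the offline trust roots before the manifest is trusted.

```python
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Media types by extension: an assumption for illustration, not the project's registry.
MEDIA_TYPES = {".tgz": "application/vnd.cncf.helm.chart.content.v1.tar+gzip",
               ".tar": "application/vnd.oci.image.layer.v1.tar",
               ".json": "application/json"}

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path, bundle_id: str, producer: str,
                   mirror_generation: int, created_at: str = "") -> dict:
    """bootstrap-manifest.json content; files[] is sorted by POSIX path."""
    files = []
    for p in sorted((x for x in root.rglob("*") if x.is_file()),
                    key=lambda x: x.relative_to(root).as_posix()):
        rel = p.relative_to(root).as_posix()
        files.append({"path": rel, "sha256": sha256_file(p), "size": p.stat().st_size,
                      "mediaType": MEDIA_TYPES.get(p.suffix, "application/octet-stream")})
    return {"bundleId": bundle_id,
            # ISO-8601 UTC; pass a fixed value when a build must be reproducible.
            "createdAt": created_at or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "producer": producer, "mirrorGeneration": mirror_generation, "files": files}

def pack_deterministic(root: Path, manifest: dict, out_tar: Path) -> str:
    """Write a pax (POSIX) tar in manifest order with no host metadata; return its sha256."""
    with tarfile.open(str(out_tar), "w", format=tarfile.PAX_FORMAT) as tf:
        for entry in manifest["files"]:
            info = tarfile.TarInfo(name=entry["path"])
            info.size = entry["size"]
            info.mode = 0o644
            info.uid = info.gid = 0          # numeric owner 0:0
            info.uname = info.gname = ""     # no user/group names from the build host
            info.mtime = 0                   # fixed timestamp, no build-time leakage
            with (root / entry["path"]).open("rb") as f:
                tf.addfile(info, f)
    digest = sha256_file(out_tar)
    manifest["tarballSha256"] = digest  # field name is an assumption (doc: "record in manifest")
    return digest

def verify_pack(tar_path: Path, manifest: dict) -> list:
    """Install-side check: whole-tarball hash first, then each member against files[].
    Returns a list of problems; an empty list means the pack may be loaded."""
    if sha256_file(tar_path) != manifest.get("tarballSha256"):
        return ["tarball sha256 mismatch"]
    expected = {f["path"]: f for f in manifest["files"]}
    problems, seen = [], set()
    with tarfile.open(str(tar_path), "r:") as tf:
        for m in tf:
            # Reject anything the manifest does not list, plus absolute or traversal names.
            if (not m.isfile() or m.name.startswith("/")
                    or ".." in m.name.split("/") or m.name not in expected):
                problems.append(f"unexpected member: {m.name}")
                continue
            data = tf.extractfile(m).read()
            want = expected[m.name]
            if len(data) != want["size"] or hashlib.sha256(data).hexdigest() != want["sha256"]:
                problems.append(f"content mismatch: {m.name}")
            seen.add(m.name)
    problems.extend(f"missing member: {p}" for p in sorted(set(expected) - seen))
    return problems

def demo() -> dict:
    """Build twice from a constructed tree, verify, then detect tampering at both layers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "pack")
        (root / "charts").mkdir(parents=True)
        (root / "config").mkdir()
        (root / "charts" / "authority.tgz").write_bytes(b"constructed chart bytes")  # constructed
        (root / "config" / "sealed-mode.json").write_bytes(b'{"sealed": true}\n')   # constructed
        args = ("bootstrap-0001", "mirror-ci", 7, "2025-01-01T00:00:00Z")
        m1 = build_manifest(root, *args)
        d1 = pack_deterministic(root, m1, Path(tmp, "a.tar"))
        m2 = build_manifest(root, *args)
        d2 = pack_deterministic(root, m2, Path(tmp, "b.tar"))
        # sort_keys gives a byte-stable manifest, which matters if it is later DSSE-signed.
        Path(tmp, "bootstrap-manifest.json").write_text(json.dumps(m1, indent=2, sort_keys=True))
        # Flip one payload byte: the tarball hash recorded in the manifest no longer matches.
        raw = bytearray(Path(tmp, "a.tar").read_bytes())
        raw[raw.find(b"constructed chart bytes")] ^= 0xFF
        tampered = Path(tmp, "c.tar")
        tampered.write_bytes(bytes(raw))
        # If the attacker also rewrote tarballSha256, the per-file hashes still catch it.
        forged = dict(m1, tarballSha256=sha256_file(tampered))
        return {"reproducible": d1 == d2 and m1 == m2,
                "clean": verify_pack(Path(tmp, "a.tar"), m1),
                "tampered_tarball": verify_pack(tampered, m1),
                "forged_manifest": verify_pack(tampered, forged)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two builds of the same tree yield byte-identical tarballs because every header field that would otherwise vary (owner, names, mtime, entry order) is pinned. On the sealed side, `verify_pack` refuses to load the pack on the first problem at the tarball level and only then looks at individual members, so a pack whose manifest has been swapped along with the tarball is still rejected as long as the manifest itself is authenticated (DSSE, when available) before it is trusted.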
Determinism & rollback
- Keep manifests in ISO-8601 UTC; no host-specific metadata in tar headers.
- For rollback, retain previous bootstrap tarball + manifest; restore registry contents and config snapshots.
Related
- `docs/airgap/mirror-bundles.md` — mirror pack format and validation.
- `docs/airgap/sealing-and-egress.md` — egress enforcement used during install.