git.stella-ops.org/docs/24_OFFLINE_KIT.md
2025-08-30 21:05:34 +00:00

Offline Update Kit (OUK) — Air-Gap Bundle

The Offline Update Kit packages everything StellaOps needs to run on a completely isolated network:

| Component | Contents |
|-----------|----------|
| Merged vulnerability feeds | OSV, GHSA plus optional NVD 2.0, CNNVD, CNVD, ENISA, JVN and BDU |
| Container images | stella-ops, Zastava sidecar (x86-64 & arm64) |
| Provenance | Cosign signature, SPDX 2.3 SBOM, in-toto SLSA attestation |
| Delta patches | Daily diff bundles keep size < 350 MB |

Scanner core: C# 12 on .NET{{ dotnet }}.
Imports are idempotent and atomic — no service downtime.


1·Download & verify

curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-<DATE>.tgz
curl -LO https://get.stella-ops.org/ouk/stella-ops-offline-kit-<DATE>.tgz.sig

cosign verify-blob \
  --key https://stella-ops.org/keys/cosign.pub \
  --signature stella-ops-offline-kit-<DATE>.tgz.sig \
  stella-ops-offline-kit-<DATE>.tgz

Verification prints OK and the SHA-256 digest; cross-check against the changelog.


2·Import on the air-gapped host

docker compose --env-file .env \
  -f docker-compose.stella-ops.yml \
  exec stella-ops \
  stella admin import-offline-usage-kit stella-ops-offline-kit-<DATE>.tgz

  • The CLI validates the Cosign signature before activation.
  • Old feeds are kept until the new bundle is fully verified.
  • Import time on a SATA SSD: ≈ 25 s for a 300 MB kit.

3·Delta patch workflow

  1. Connected site fetches stella-ouk-YYYYMMDD.delta.tgz.
  2. Transfer via any medium (USB, portable disk).
  3. stella admin import-offline-usage-kit <delta> applies only changed CVE rows & images.

Daily deltas are < 30 MB; a weekly rollup produces a fresh full kit.


4·Quota behaviour offline

The scanner enforces the same fair-use limits offline:

  • Anonymous: {{ quota_anon }} scans per UTC day
  • Free JWT: {{ quota_token }} scans per UTC day

Soft reminder at 200 scans; throttle above the ceiling but never block. See the detailed rules in 33_333_QUOTA_OVERVIEW.md.


5·Troubleshooting

| Symptom | Explanation | Fix |
|---------|-------------|-----|
| could not verify SBOM hash | Bundle corrupted in transit | Re-download / re-copy |
| Import hangs at Applying feeds… | Low disk space in /var/lib/stella | Free ≥ 2 GiB before retry |
| quota exceeded same day after import | Import resets counters at UTC 00:00 only | Wait until next UTC day or load a JWT |
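
The digest cross-check from section 1 and the free-space requirement from the table above can be combined into a preflight that runs on the air-gapped host before the import. This is an added example, not part of StellaOps: the function names are hypothetical, and the expected digest and data directory are supplied by the operator.

```shell
#!/bin/sh
# Preflight for an Offline Update Kit, run before the import command.
# Added example: all function names here are hypothetical.

# Print the lowercase SHA-256 hex digest of a file, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if the file's digest equals the one published in the changelog.
# Returns 2 for an unreadable file or a malformed digest, 1 for a mismatch.
digest_matches() {   # digest_matches <file> <expected-hex>
    [ -r "$1" ] || return 2
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject anything that is not exactly 64 hex characters.
    case "$want" in *[!0-9a-f]*) return 2 ;; esac
    [ "${#want}" -eq 64 ] || return 2
    [ "$(sha256_of "$1")" = "$want" ]
}

# Succeed only if <dir> has at least <min_kib> KiB free (default 2 GiB).
has_free_space() {   # has_free_space <dir> [min_kib]
    min=${2:-2097152}
    avail=$(df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}')
    [ -n "$avail" ] && [ "$avail" -ge "$min" ]
}

preflight() {        # preflight <kit.tgz> <expected-hex> <data-dir>
    digest_matches "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
    has_free_space "$3"      || { echo "less than 2 GiB free in $3" >&2; return 1; }
    echo "preflight passed: $1"
}

# Runs only when called with three arguments, e.g.:
#   sh preflight.sh stella-ops-offline-kit-<DATE>.tgz <digest-from-changelog> /var/lib/stella
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Copy the expected digest from the changelog over a channel separate from the one that carried the kit, so a tampered transfer medium cannot supply both values.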

  • Install guide: /install/#air-gapped
  • Sovereign mode rationale: /sovereign/
  • Security policy: /security/#reporting-a-vulnerability