Docs / strategy for an air-gapped faasd configuration

[alexellis]

Expected Behaviour

We should provide docs for how to use faasd in an air-gapped configuration.

Possible Solution

Ideas:

A) a mode for faasd and containers where containers are never pulled, and are assumed to be in the local library
B) instructions for mirroring to a local registry, and then updating the docker.io references to the local registry IP instead. This will probably have to have a self-signed CA, so we will need to find a way to add it to the trust bundle
C) export tar images from a live faasd instance, copy them to the "offline" machine, then insert them into the containerd library and configure faasd to read them - goes with option A)

Steps to Reproduce (for bugs)

Install faasd, then "unplug the Internet", reboot faasd and try to use it.

I.e. use Multipass and a VM on your workstation, then disconnect from WiFi, reboot the VM.

[alexellis]

Rancher have an approach outlined for k3s here: https://rancher.com/docs/k3s/latest/en/installation/airgap/

[Waterdrips]

Can docker-import be used to untar files on the host into images to avoid needing any registry https://docs.docker.com/engine/reference/commandline/import/#import-from-a-local-directory

then if pull policy is Never it should use the locally imported images

[alexellis]

I think ctr has its own commands for importing images, however we are not using docker but containerd.

[pingberlin]

@Waterdrips ctr uses ctr image import.

To use on an airgapped system:

1. Set pull-policy in /usr/lib/systemd/system/faasd-provider.service:

ExecStart=/usr/local/bin/faasd provider --pull-policy IfNotPresent

2. Build with docker, import with ctr (and don't forget to use the openfaas-fn namespace):

docker build -t my-service-faas:latest frontend -f faasd/my-service/Dockerfile
docker save my-service-faas:latest | ctr -n openfaas-fn image import -

3. "Up" your setup:

faas-cli up --skip-push

---

Troubleshooting:

• Check your images with: ctr -n openfaas-fn i ls
• Check your stack.yaml to include the correct image name listed above, e.g.: image: my-service-faas:latest

[alexellis]

@pingberlin would you be open to writing up a short step-by-step blog post on this?

What about the initial installation and deployment of faasd and its containers in docker-compose.yaml?

[amongil]

I am currently struggling with this as I have to install faasd in an air-gapped server (banking industry). @pingberlin, if you could give some more insight on how you managed to first do a complete installation and then keep it runinng, I'll try to mirror on my end and then I can offer my help on testing and writing the docs, @alexellis .

[alexellis]

@amongil we will probably get to this eventually, but can't make any guarantees. OpenFaaS Ltd does offer paid consulting if you need it sooner and I'm sure we could help through a small project. Feel free to email [email protected] if that's of interest to you.