-
Notifications
You must be signed in to change notification settings - Fork 13
Adding multirepos configuration doc included trusted feature #360
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
c704790
Adding multirepos configuration doc included trusted feature
yockgen 1754cde
Merge branch 'main' into pg-dev-doc
yockgen 32f84dd
Update docs/tutorial/configure-multiple-package-repositories.md
yockgen 09b4c86
Update docs/tutorial/configure-multiple-package-repositories.md
yockgen 659aaeb
Update docs/tutorial/configure-multiple-package-repositories.md
yockgen File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
315 changes: 315 additions & 0 deletions
315
docs/tutorial/configure-multiple-package-repositories.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,315 @@ | ||
| # Configuring Multiple Package Repositories | ||
|
|
||
| ## Overview | ||
|
|
||
| The OS Image Composer supports adding multiple custom package repositories to your image builds through the `packageRepositories` section in image template files. This feature allows you to include packages from additional repositories beyond the default OS repositories, enabling you to integrate specialized software, proprietary packages, or packages from specific vendors into your custom images. | ||
|
|
||
| ## How It Works | ||
|
|
||
| Package repositories are configured during the image build process and are added to the package manager configuration before any packages are installed. This ensures that packages from custom repositories are available during the package installation phase, allowing you to install packages from multiple sources in a single build. | ||
|
|
||
| ## Configuration Structure | ||
|
|
||
| The `packageRepositories` section should be placed at the root level of your image template YAML file, alongside other top-level configuration sections: | ||
|
|
||
| ```yaml | ||
| image: | ||
| name: your-image-name | ||
| version: "1.0" | ||
|
|
||
| target: | ||
| os: ubuntu | ||
| dist: ubuntu24 | ||
| arch: x86_64 | ||
| imageType: raw | ||
|
|
||
| # Package repositories are configured before any other operations | ||
| packageRepositories: | ||
| - codename: "EdgeAI" | ||
| url: "https://yum.repos.intel.com/edgeai/" | ||
| pkey: "https://yum.repos.intel.com/edgeai/GPG-PUB-KEY-INTEL-DLS.gpg" | ||
|
|
||
| disk: | ||
| name: .... | ||
| # .... other disk configuration | ||
|
|
||
| systemConfig: | ||
| name: .... | ||
| packages: | ||
| - ubuntu-minimal | ||
| - edge-ai-package # This package comes from the EdgeAI repository | ||
| # .... other packages | ||
| ``` | ||
|
|
||
| ## Repository Configuration Properties | ||
|
|
||
| Each repository entry supports the following properties: | ||
|
|
||
| - **codename** (required): A unique identifier for the repository | ||
| - **url** (required): The base URL of the package repository | ||
| - **pkey** (strongly recommended): URL to the GPG public key for repository authentication. Technically this field is optional, but omitting it (or using `[trusted=yes]` to bypass GPG verification) should be limited to explicitly trusted internal repositories, as it disables signature verification and reduces security. | ||
|
|
||
| ## Complete Template Structure | ||
|
|
||
| Here's how the packageRepositories section fits within a complete image template: | ||
|
|
||
| ```yaml | ||
| image: | ||
| name: multi-repo-image | ||
| version: "1.0" | ||
|
|
||
| target: | ||
| os: ubuntu | ||
| dist: ubuntu24 | ||
| arch: x86_64 | ||
| imageType: raw | ||
|
|
||
| # Multiple package repositories configuration | ||
| packageRepositories: | ||
| - codename: "EdgeAI" | ||
| url: "https://yum.repos.intel.com/edgeai/" | ||
| pkey: "https://yum.repos.intel.com/edgeai/GPG-PUB-KEY-INTEL-DLS.gpg" | ||
|
|
||
| - codename: "edge-base" | ||
| url: "https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor/rpms/3.0/base" | ||
| pkey: "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY" | ||
|
|
||
| disk: | ||
| name: .... | ||
| # .... disk configuration | ||
|
|
||
| systemConfig: | ||
| name: .... | ||
| description: .... | ||
|
|
||
| packages: | ||
| - ubuntu-minimal | ||
| - openvino-toolkit # From OpenVINO repository | ||
| - edge-ai-runtime # From EdgeAI repository | ||
| - microvisor-base # From edge-base repository | ||
| # .... other packages from various repositories | ||
|
|
||
| kernel: | ||
| version: .... | ||
| # .... kernel configuration | ||
|
|
||
| configurations: | ||
| # .... custom configurations | ||
| ``` | ||
|
|
||
| ## Real-World Example | ||
|
|
||
| A comprehensive multi-repository configuration for edge computing and AI workloads: | ||
|
|
||
| ```yaml | ||
| packageRepositories: | ||
| - codename: "EdgeAI" | ||
| url: "https://yum.repos.intel.com/edgeai/" | ||
| pkey: "https://yum.repos.intel.com/edgeai/GPG-PUB-KEY-INTEL-DLS.gpg" | ||
|
|
||
| - codename: "edge-base" | ||
| url: "https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor/rpms/3.0/base" | ||
| pkey: "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY" | ||
|
|
||
| - codename: "OpenVINO" | ||
| url: "https://yum.repos.intel.com/openvino/" | ||
| pkey: "https://yum.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB" | ||
|
|
||
| - codename: "mariner" | ||
| url: "https://packages.microsoft.com/yumrepos/cbl-mariner-2.0-prod-extended-x86_64/" | ||
| pkey: "https://packages.microsoft.com/azurelinux/3.0/prod/base/x86_64/repodata/repomd.xml.key" | ||
| ``` | ||
|
|
||
| ## Repository Configuration Examples | ||
|
|
||
| ### Intel Edge AI Stack | ||
|
|
||
| ```yaml | ||
| packageRepositories: | ||
| - codename: "EdgeAI" | ||
| url: "https://yum.repos.intel.com/edgeai/" | ||
| pkey: "https://yum.repos.intel.com/edgeai/GPG-PUB-KEY-INTEL-DLS.gpg" | ||
|
|
||
| - codename: "OpenVINO" | ||
| url: "https://yum.repos.intel.com/openvino/" | ||
| pkey: "https://yum.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB" | ||
|
|
||
| systemConfig: | ||
| packages: | ||
| - openvino-toolkit | ||
| - edge-ai-runtime | ||
| - intel-media-driver | ||
| # .... | ||
| ``` | ||
|
|
||
| ### Microsoft and Intel Integration | ||
|
|
||
| ```yaml | ||
| packageRepositories: | ||
| - codename: "mariner" | ||
| url: "https://packages.microsoft.com/yumrepos/cbl-mariner-2.0-prod-extended-x86_64/" | ||
| pkey: "https://packages.microsoft.com/azurelinux/3.0/prod/base/x86_64/repodata/repomd.xml.key" | ||
|
|
||
| - codename: "edge-base" | ||
| url: "https://files-rs.edgeorchestration.intel.com/files-edge-orch/microvisor/rpms/3.0/base" | ||
| pkey: "https://raw.githubusercontent.com/open-edge-platform/edge-microvisor-toolkit/refs/heads/3.0/SPECS/edge-repos/INTEL-RPM-GPG-KEY" | ||
|
|
||
| systemConfig: | ||
| packages: | ||
| - mariner-base-packages | ||
| - microvisor-runtime | ||
| - edge-orchestration-tools | ||
| # .... | ||
| ``` | ||
|
|
||
| ### Development Environment | ||
|
|
||
| ```yaml | ||
| packageRepositories: | ||
| - codename: "docker-ce" | ||
| url: "https://download.docker.com/linux/ubuntu" | ||
| pkey: "https://download.docker.com/linux/ubuntu/gpg" | ||
|
|
||
| - codename: "nodejs" | ||
| url: "https://deb.nodesource.com/node_18.x" | ||
| pkey: "https://deb.nodesource.com/gpgkey/nodesource.gpg.key" | ||
|
|
||
| systemConfig: | ||
| packages: | ||
| - docker-ce | ||
| - docker-ce-cli | ||
| - nodejs | ||
| - npm | ||
| # .... | ||
| ``` | ||
|
|
||
| ### Trusted Repository (No GPG Verification) | ||
|
|
||
| ```yaml | ||
| # WARNING: "[trusted=yes]" disables signature verification. | ||
| # Only use this for repositories fully controlled by your organization, | ||
| # typically in development or testing, and never for public or third-party repos. | ||
| packageRepositories: | ||
| - codename: "internal-repo" | ||
| url: "https://internal.company.com/packages" | ||
| pkey: "[trusted=yes]" # Bypasses GPG verification; ONLY for internal, organization-controlled repos. | ||
|
|
||
| - codename: "test-repo" | ||
| url: "https://test.example.com/packages" | ||
| pkey: "[trusted=yes]" # No signature verification; for internal dev/test only, not public/third-party repos. | ||
|
|
||
| systemConfig: | ||
| packages: | ||
| - internal-package | ||
| - test-package | ||
| # .... | ||
| ``` | ||
|
|
||
| ## Execution Process | ||
|
|
||
| ### Repository Setup Phase | ||
|
|
||
| The build process follows this sequence when multiple repositories are configured: | ||
|
|
||
| 1. **Repository Configuration**: All repositories in `packageRepositories` are added to the package manager | ||
| 2. **GPG Key Import**: Public keys are downloaded and imported for repository authentication (skipped for `[trusted=yes]` repositories) | ||
| 3. **Repository Refresh**: Package lists are updated from all configured repositories | ||
| 4. **Package Installation**: Packages from all repositories become available for installation | ||
|
|
||
| ### Package Resolution | ||
|
|
||
| When packages are installed: | ||
|
|
||
| - The package manager searches all configured repositories | ||
| - Dependencies can be resolved across multiple repositories | ||
| - Repository priority may affect package selection when conflicts exist | ||
|
|
||
| ## Best Practices | ||
|
|
||
| ### 1. Always Include GPG Keys | ||
|
|
||
| Include GPG keys for repository authentication and security: | ||
|
|
||
| ```yaml | ||
| packageRepositories: | ||
| # Good - includes GPG key for security | ||
| - codename: "secure-repo" | ||
| url: "https://example.com/packages" | ||
| pkey: "https://example.com/gpg-key.pub" | ||
|
|
||
| # Use trusted=yes only for internal/trusted repositories | ||
| - codename: "internal-repo" | ||
| url: "https://internal.company.com/packages" | ||
| pkey: "[trusted=yes]" | ||
|
|
||
| # Avoid - missing pkey entirely reduces security | ||
| - codename: "insecure-repo" | ||
| url: "https://example.com/packages" | ||
| ``` | ||
|
|
||
| ### 2. Use Descriptive Codenames | ||
|
|
||
| Choose clear, descriptive codenames that indicate the repository purpose: | ||
|
|
||
| ```yaml | ||
| packageRepositories: | ||
| # Good - descriptive codenames | ||
| - codename: "EdgeAI" | ||
| - codename: "OpenVINO" | ||
| - codename: "docker-ce" | ||
|
|
||
| # Avoid - unclear codenames | ||
| - codename: "repo1" | ||
| - codename: "custom" | ||
| ``` | ||
|
|
||
| ### 3. Verify Repository URLs | ||
|
|
||
| Ensure repository URLs are correct and accessible: | ||
|
|
||
| ```yaml | ||
| packageRepositories: | ||
| # Verify these URLs are accessible during build | ||
| - codename: "EdgeAI" | ||
| url: "https://yum.repos.intel.com/edgeai/" | ||
| pkey: "https://yum.repos.intel.com/edgeai/GPG-PUB-KEY-INTEL-DLS.gpg" | ||
| ``` | ||
|
|
||
| ### 4. Document Repository Sources | ||
|
|
||
| Add comments to document repository purposes: | ||
|
|
||
| ```yaml | ||
| packageRepositories: | ||
| # Intel Edge AI packages for computer vision and inference | ||
| - codename: "EdgeAI" | ||
| url: "https://yum.repos.intel.com/edgeai/" | ||
| pkey: "https://yum.repos.intel.com/edgeai/GPG-PUB-KEY-INTEL-DLS.gpg" | ||
|
|
||
| # Microsoft CBL-Mariner extended packages | ||
| - codename: "mariner" | ||
| url: "https://packages.microsoft.com/yumrepos/cbl-mariner-2.0-prod-extended-x86_64/" | ||
| pkey: "https://packages.microsoft.com/azurelinux/3.0/prod/base/x86_64/repodata/repomd.xml.key" | ||
| ``` | ||
|
|
||
| ## Security Considerations | ||
|
|
||
| ### Repository Trust | ||
|
|
||
| - Only add repositories from trusted sources | ||
| - Always include GPG keys for repository authentication when available | ||
| - Use `pkey: "[trusted=yes]"` only when GPG keys are unavailable and the repository is under your organization's direct control | ||
| - Regularly review and update repository configurations | ||
| - Be cautious with repositories that don't provide GPG keys | ||
|
|
||
| ### Network Security | ||
|
|
||
| - Use HTTPS URLs when available | ||
| - Consider using local repository mirrors for improved security and performance | ||
| - Validate GPG key fingerprints when possible | ||
|
|
||
| ## Related Documentation | ||
|
|
||
| - [Image Template Format](../architecture/image-template-format.md) | ||
| - [Understanding the OS Image Build Process](../architecture/os-image-composer-build-process.md) | ||
| - [Configuring Custom Commands During Image Build](configure-additional-actions-for-build.md) | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.