Understanding Omni's dependencies on remote services

[bauerjs1]

Dear Talosians,

To my understanding, Omni uses the image factory (factory.talos.dev or self-hosted) to create Talos installation media. Looking at the (very nice) Tutorial for air-gapped Omni, however, there is no factory deployed. Instead, Omni is pointed to installer and imager container images hosted somewhere accessible. Is that enough for Omni to provide the image creation feature?
If I do not provide these arguments, does Omni instead use factory.talos.dev?

I'm trying to understand which services Omni is dependent on, so I can decide about which connections to allow. I want it (the Omni machine) pretty well-isolated but probably don't need it to be 100% air-gapped.

Thanks very much!

[smira]

If you want to, you can build a registry mirror for factory.talos.dev as a container registry (please note that actual image layers might be served from the CDN (different hostname)).

That's the only thing Talos pulls itself on its own.

[bauerjs1]

Wow, that was quick, thanks!

That's the only thing Talos pulls itself on its own.

Do you mean Omni or the actual provisioned Talos nodes? My question is only about the Omni machine(s), I should make that clear.

In the tutorial, there is no registry mirror for the image factory, right? How does Omni create installation media there?

[smira]

It depends on what you want to be air-gapped exactly - Omni itself, or Talos machines.

Omni doesn't download images itself (you download them), Omni uses https://factory.talos.dev/ API to create schematics, inspect available versions, etc.

Also Omni lists version on the ghcr.io/siderolabs/kubelet image to know available Kubernetes versions.

The installation media is downloaded technically by your browser, not Omni.

Talos will only pull installer images from factory.talos.dev as a container registry, so you can potentially configure Talos to use it via a registry mirror of your own. Talos will still be pulling other images - e.g. kubelet, Kubernetes, etcd, etc.

But you can still redirect all of that via registry mirror configuration to the registry of your choice.

[bauerjs1]

Ah, I think I'm starting to get it sorted out in my head. So Omni actually just gets a tag index from ghcr.io/siderolabs/kubelet (or --kubernetes-registry), and queries https://factory.talos.dev/ API (but not its registry) or alternatively --talos-installer-registry.

Only Talos machines themselves download actual images from factory.talos.dev (installer), ghcr.io/siderolabs, Kubernetes registry, etc., probably via CDNs or some local mirror.

Installation media is downloaded by the user directly from the factory, Omni only provides the URL.

Is that correct or did I still miss something?

[smira]

Yes, this sounds accurate.

[bauerjs1]

Alright, thanks again for the detailed explanation!