►
Description
In this video Mo Khan a Senior Backend Engineer demos GitLab Security features in a Limited Connectivity Environment. The walkthrough also provides information on how to configure Secure tools in Offline/Limited Connectivity environments.
A
B
Okay,
so
we're
in
the
google
cloud
console
and
we
are
connected
to
the
group
secure.
I
think
it's
called
an
organization
or
group
okay
project
there.
We
go
so
we're
in
the
group
secure
project,
so
we
can
see
all
the
instances
that
are
run
by
our
this
project.
The
ones
that
are
all
related
to
offline
are
more
or
less
prefixed
with
get
lab
dash
air
gap.
B
Originally,
the
offline
project
was
called
air
gap,
and
so
there's
been
some
naming
changes,
but
we
haven't
updated
the
naming
of
the
instances
I'll
just
provide
a
little
overview
of
what
each
instance
is
starting
from
the
top
is
get
lab
dash
air
gap
dash
bastion.
So
this
was
meant
to
be
a
bastion
host
that
we
can
use
for
side
loading,
docker
images
that
are
in
development
from
gitlab.com
into
the
offline
environment.
B
We
set
up
the
offline
environment
so
that
the
actual
host
that's
running,
git
lab
is
unable
to
reach
out
to
the
public
internet
and
it
has
restricted
access
to
outbound
network
connections
within
the
environment.
The
network
that
we
created
for
each
of
these
hosts,
so
each
of
these
hosts
can
see
each
other,
but
they
can't
reach
out,
except
for
the
bastion,
so
the
bastion
can
reach
out
to
the
public
internet,
and
this
is
how
we
sideload
things.
B
A
So,
and,
and
not
not
for
this
particular
demo
that
I'm
creating,
but
for
the
next
one
I'm
going
to
show
how
to
actually
configure
like
add
images
or
update
the
update,
the
the
container
images
for
sas
stand
for
das
and
all
that.
So
for
that
I
will
need
to
use
bastion
correct,
because
that's
what
has
access
to
the
internet
so
bastion
will
go
ahead
and
download
the
newest
images
and
then
from
that,
for
example,
on
this
airgap
jvm
I'll
be
able
to
load
the
images
from.
B
B
You
can
almost
copy
and
paste
those
scripts,
but
they
will
pull
the
analyzers
from
the
gitlab.com
container
registry,
where
we
host
all
the
analyzers
and
then
push
them
to
your
offline
environment,
gitlab.com
container
registry
instance
or
you
can
push
it
to
your
own
container
registry
within
the
environment,
but
that's
sort
of
the
setup
we've
been
using
so
far.
So
the
git
lab
air
gap,
jvm
npm,
pi
pi.
All
three
of
these
instances
were
used
as
package
repositories,
so
jvm,
I
believe,
has
actually
an
instance
of
artifactory.
B
So
we
were
hosting
gradle
packages,
maven
packages
and
possibly
other
ones
that
I
just
don't
remember
off
the
top
of
my
head.
Npm
is
well,
I
can't
remember
which
tooling
we
use
for
that.
But
it
is
a
npm
package
repository.
So
it's
not
a
full
mirror,
but
we've
just
signed
or
we've
uploaded
a
certain
number
of
packages
that
are
hosted
on
that
and
what
that
emulates
is
like
during
the
scan.
B
Our
analyzers
in
some
cases
aren't
able
to
determine
all
the
information
they
need
without
the
packages
actually
being
installed
first,
so
they
will
pull
down
and
install
any
necessary
dependencies
that
your
project
may
have
so,
for
example,
if
you
have
an
npm
project
within
a
package.json
and
a
packagelock.json,
we
will
attempt
to
download
and
install
those
packages
so
that
we
can
do
whatever
analysis
we
need
to.
So
in
this
case,
in
a
lot
of
the
offline
environment
documentation,
we
describe
sourcing
your
project
dependencies
from
an
internal
npm
registry.
B
So
this
is
an
example
of
the
different
registries
within
where
we
can.
We
try
to
take
use
or
make
use
of
the
git
labs
package
registry
as
the
host
as
well.
In
some
cases,
we
set
up
separate
ones
before
they're,
ready
or
available,
so
jvm
npm
and
pi
pi
all
act
as
internal
package
registries
for
the
different
project
types
pi
pi
for
python,
npm
from
js
and
jvm
for
java.
B
Okay,
so
next
up
is
the
git
lab
air
gap
runner.
So
this
is
actually
just
a
dedicated
host
that
runs
all
the
ci
jobs.
We
have
we're
running
the
get
lab
docker
runner
on
there,
so
it
connects
to
our
internal
gitlab
instance
fetches
jobs
and
runs
them.
I
don't
remember
if
we
specified
any
specific
tags
in
total.
I
believe
there's
like
four
workers
or
four
runners
working
from
that
instance,
but
all
it
does
is
download
docker
images
and
executes
the
ci
jobs
and
then
push
those
results
back
up
to
the
gitlab
instance
gitlab
airgap-test.
B
A
B
B
If
I
said
this
on,
oh
go
ahead:
oh
no,
I'm
saying:
okay
yeah!
We
can
do
that
yeah.
So
a
few
several
months
ago
we
talked
about
cutting
costs
and
the
need
to
turn
off
instances
that
aren't
in
use.
So
we've
been
practicing
turning
these
into
on
and
off
as
we
need
them,
which
is
why
they're
currently
all
stopped
at
the
moment.
So
if
we
go
ahead
and
start
this
up,
we'll
show
you
the
steps
necessary
to
actually
connect
to
this
instance.
B
So,
let's
start
with
the
gitlab
air
gap
test,
we'll
just
bring
these
online
one
at
a
time
and
depending
on
what
we
do,
we
may
not
need
to
bring
them
all
on
and
we'll
just
start
it
back
up
now:
they're,
not
they
have
dynamically
assigned
ip
addresses,
so
they're
not
pinned
to
specific
external
ip,
which
makes
this
somewhat
tricky,
because
we
also
don't
have
or
control
public
dns
that
we
can
point
to
these
instances.
So
you'll
see
that
instance
just
came
online
with
an
external
ip
of
35.227.155.72.
B
So
in
order
for
us,
this
is
where
it
gets
a
little
bit
hairy.
It's
like,
in
order
for
us
to
be
able
to
connect
to
the
instances
what
we've
been
doing
is
we've
been
taking
the
internally
assigned
dns
names
which
are
suffix
with
the
dot
internal
domain
and
adding
entries
to
our
etsy
host
file
so
that
we
could
actually
connect
to
these
in
the
browser.
B
B
It
I
know
just
out
of
here
yeah
courtesy,
I'll,
look
away
all
right,
so,
let's
add
an
entry
for
that
particular
ip
address
which
I've
lost
it
now
yep.
So
if
you
copy
that
and
then
we'll
also
need
the
host
name,
so
the
fully
qualified
internal
dns
name,
I
think
you
can
find
when
you
click
on
the
instance
yeah
and
take
us
into
the
details.
B
B
B
I
wish
I
could
tell
you
that
off
the
top
of
my
head,
I
don't
know
so
I'll-
have
to
look
it
up,
but
it
looks
like
it's
a
conventional
path
based
on
the
project
name
and
the
region
or
zone
that
it,
the
instance,
is
hosted
in.
So
in
that
case,
it's
hosted
in
us
west
1b
and,
if
you
so,
the
path
is
the
instance
name
which
was
named
gitlab
dash
air
gap
test,
followed
by
the
region
that
the
host
is
hosted
in,
which
is
us-west
one
dash
b
and
then
followed
by.
B
A
B
So,
as
you
can
see
like
actually,
if
you
undo
that,
that's
that's
a
really
good
thing
to
point
out,
it's
like
each
time
that
we
start
and
stop
the
instance
the
ip
subject
to
change.
So,
even
if
you
had
it
working
once,
you'll
have
to
remember
that
the
ip
may
have
changed
if
we
restart
it
we're
not
pinning
to
or
like
a
specific
ip.
At
this
point,
I'm
pretty
sure
that
you
could.
I
know
I've
done
this
with
aws.
B
I'm
not
sure
what
the
procedure
is
for
doing
with
google
cloud,
but
at
the
moment
just
be
mindful
of
that
double
check
the
ips
of
the
actual
instances
when
they
come
back.
So
we
can
delete
that
now,
all
right.
So
if
you
save
that
at
the
moment,
what
we
should
have
is
a
git
lab
instance
running.
There
won't
be
any
ci
runners
connected
or
running
against
it,
but
you
should
be
able
to
connect
to
that
login
page
or
to
that
endpoint.
B
So
if
we
take
that
same
post
or
path
that
I
provided
and
go
to,
https
get
lab
dash
air
gap
and
that
full
name
that
we
entered
in
the
it's.
Yes,
you
got
it
okay,
so
you'll
get
the
scary
prompt,
and
what
this
is
saying
is
that
hey
you're,
attempting
to
connect
to
an
endpoint
the
x
509
certificate,
that's
being
served,
doesn't
actually
match
the
name
of
the
domain
that
we're
serving
or
connecting
to.
A
B
Go
and
if
we
look
at
the
certificate
detail,
oh
yeah,
we
could
see
the
mismatch
and
why
it
was
yeah.
It
wasn't
a
trusted
search
because
it
doesn't.
It
wasn't
signed
by
any
root
certificates
that
that
are
in
our
trust,
store
because
it's
self-signed
all
right.
So
at
this
point,
you're
now
connected
to
our
gitlab
instance,
that's
hosted
in
the
offline
network.
If
you've
already
got
an
account,
you
should
be
able
to
log
in.
A
B
So
then,
in
that
case,
what
I
can
do
is
I
can,
I
can
jump
into
the
admin
section
and
just
generate
an
account
for
you
and
I'll.
Send
you
a
talk
or
an
email,
so
you
can
change
the
credentials
if
you
don't
already
have
an
account.
Is
that
the
case
yeah?
That's
the
case.
Okay,
give
me
a
sec
to
get
that
ip
address
and
add
it
to
my
own
seos
file.
B
A
B
B
A
B
I'm
going
to
assign
a
password
for
this
account
and
are
you
familiar
with
the
default
password?
I'm
not
okay
for
the
development
account
and
what
I'll
do
is
I'll.
Just
generate
a
uuid,
that's
the
password
for
now
and
fire
that
to
by
which
I
could
say
signal
can't
say
signal,
though,
because
I
don't
have
you
on
signal,
so
we'll
do
slack
for
now.
That's
okay.
B
B
B
B
B
B
B
A
A
B
B
B
Okay,
so
at
this
point
you
can
see
these
are
all
the
runners
that
we
have
registered.
Currently,
none
of
them
are
online
and
the
reason
is
because
we
don't
have
the
runner
instance
up
so
the
next
step.
I
guess
if
we
go
back
to
the
google
cloud
console
and
we
can
turn
on
the
runner
instance
now.
This
has
had
some
problems
as
well,
because
in
some
cases,
when
it's
reconnecting,
it
had
been
attempted
attempted
to
connect
to
like
a
cached
version
of
the
dns
entry.
B
Yep
so
we'll
start
the
instance:
if
we're
lucky,
the
runners
will
come
online
and
we'll
be
able
to
start
picking
up
jobs
immediately
without
any
intervention,
and
we
should
be
able
to
see
that
from
the
admin
runners
at
app
or
yep
now
last
contact.
We
can
see
that
sort
of
the
thing
that
tells
us
when
it
last
connected
to
us.
So
if
we
keep
refreshing
this
page,
ideally
we'll
see
last
contact
like
several
seconds.
Oh
there
we
go
just
now,
okay,
so
they
seem
to
be
up
and
running
now.
B
B
So
if
you
go
to
project
explorer
project,
I
believe
they're
public
projects,
so
everyone
should
be
able
to
see
them.
Well,
you
can
see
all
the
different
integration
tests
and
then
scrolling
down
that
c,
where
it
says,
template,
slash,
c,
nuget.net
core,
it's
the
fifth
from
the
bottom
yeah.
So
there's
an
example
of
one
of
the
template
projects
that
we've
been
using
for
demoing
some
of
the
offline
capabilities,
and
this
is
just
one
project.
B
But
if
you
scroll
up
and
click
on
the
namespace,
us
templates,
yeah
you'll
be
able
to
see
all
the
other
different
types
of
template
projects
that
we
can
attempt
to
run
and
yeah.
Let's
pick
one
and
we
can
just
trigger
a
run.
In
some
cases
the
master
or
the
default
branch
doesn't
include
the
dependency
scanning
or
license
scanning
template
by
default.
So
you
may
have
to
open
up
an
mr
just
to
trigger
that
with
the
templates
included.
B
And
then,
if
we
go
to
pipelines,
we
can
actually
see
the
last
time
the
pipeline
for
this
project
was
run
and
if
we
just
trigger
one
now,
I'm
hoping
it'll
fail,
but
at
least
we'll
see
that
the
gitlab
runner
is
able
to
pull
the
project
and
run
it.
Oh
sorry,
so
this
is
an
example
of
one
of
the
projects
that
doesn't
actually
have
anything
in
the
master
branch.
So
we
can
start
a
new
web
or
a
new
merge
request
or
pick
a
different
project.
B
Okay,
so
it
doesn't
have
a
ci
configuration.
It
looks
like
there
is
a
merge
request
in
that
repo,
where
someone
was
testing.
So
if
you
click
on
the
left
hand
side,
it
says
merge
request,
let's
just
take
a
peek
get
what's
in
there,
okay,
so
this
is
example
of
someone
adding
the
gitlab
ci
yaml
and
trying
to
test
out
a
specific
feature.
If
you
click
on
the
changes
tab,
we
can
see.
Okay,
so
get
labs.
Yaml
was
added,
auto
devops
isn't
on
by
default.
B
A
B
And
you
can
see
it's
being
hosted
at
get
lab
dash
air
gap
test
us
west
one.
So
this
is
the
actual
instance
itself
that
it's
hosting
from
so
I
don't
know
we
could
try
re-uh
just
check
re-triggering.
This
particular
pipeline
click
on
the
pipelines,
tab,
oh
yeah,
or
go
this
way
and
let's
just
rerun
it,
and
I
just
want
to
make
sure
that
the
ci
jobs
are
getting
picked
up.
So
if
we
click
on
the
pipelines
tab,
we
can
see
the
most
recent
pipeline.
B
So
we'll
be
back
in
that
yet
and
11
seconds
ago.
Okay,
so
we
have
a
warning
and
if
you
drill
down,
let's
just
click
on
the
actual
pipeline
and
the
job
itself,
let's
see
what
happens.
Okay,
so
this
is.
This
is
what
I'm
talking
about
authenticating
with
credentials
from
job
payload
gitlab
registry
pulling
docker
image.
B
So
when
we
brought
the
docker
image
back
up,
it
said
that
it's
trying
to
pull
down
this
image,
gymnasium
2,
but
it
doesn't
appear
to
exist
anymore,
oh
so
that
analyzer
project
may
not
even
be
there
anymore.
So
again,
not
a
great
example,
but
it
looks
like
the
ci
runner
is
running.
Let's
try
another
one.
Let's
get
a
successful
one!
Let's
go
back
to
the
template
projects.
B
A
A
B
We
can
run
okay,
here's
an
example,
so
we
can
rerun
this
scan
job
and
I
think
in
this
case
the
license
scanning
job
is
in
the
default
branch,
so
we
can
just
rerun
it
from
here
or
in
the
default
branch,
and
if
you
click
on
the
job
details,
I
just
want
to
see
the
actual
job
running
so
click
on
okay.
That
was
really
quick,
but
click
on
the
past
yep
and,
let's
see
what
it
did.
B
Okay,
so
let's
go
just
try
a
new
pipeline:
oh
there,
we
go
all
right,
so
this
is
okay.
So
all
the
pieces
are
connected,
it
looks
like
the
gitlab
runner
was
able
to
connect
to
this
instance.
It
was
able
to
pull
down
an
image
which
was
likely
already
in
the
cache.
We
didn't
make
any
changes,
and
now
it's
actually
doing
a
fresh
scan
in
the
offline
environment
and
for
the
most
part,
this
is
like
the
offline
environment.
B
In
a
nutshell,
as
I
mentioned,
there
were
some
other
instances
that
we
didn't
bring
up
like
the
pie,
pie,
npm
and
jvm
instances,
and
those
are
specifically
for
testing
projects
that
need
to
source
packages
from
those
instances.
So
unless
you
need
them,
you
can
leave
them
off.
Otherwise,
you
should
be
able
to
test
a
lot
of
the
functionality
just
using
the
gitlab
offline
instance
and
its
own
gitlab
container
registry,
plus
its
own
gitlab
package,
registrates
for
npm,
pi,
pi,
nuget
and
conan,
I
think,
are
the
four
so.
B
They'll
be
needed
for
both
dependency
scanning
and
license
scanning
and
dependency
scanning
may
not
need
them
as
much
because
in
dependency
scanning.
If
the
project
contains
a
log
file,
the
log
file
usually
includes
enough
information
to
be
able
to
determine
the
dependencies,
but
for
the
licenses
we
do
need
the
actual
software
downloaded.
So
we
can
read
the
license
files.
A
B
And
that's
that's
it
yeah.
We
can
double
check
the
ingress
and
egress
rules
on
each
of
those
instances.
But
as
long
as
you
remember
what
you
just
said,
where
this
instance
can't
reach
out
to
the
internet,
that
that's
that's
the
biggest
constraint
and
also
the
biggest
requirement
that
we're
trying
to
adhere
to.
A
B
Yeah,
so
we
can
try
to
pick
on
this
one
again
if
we
want
we
can
go
just
use.
The
web
editor
make
a
change,
try
to
add
a
new
dependency
to
that.
I
think
it
was
in
the
cs:
proj
files
there's
actually
a
dot-net
cli
for
adding.
But
if
you
click
on
that
yeah
click
on
the
web,
api,
sorry
and
again
this
configuration
you
can
see
it's
also
adding
the
additional
ca,
cert
bundle
which
is
necessary
for
the
offline
environment.
B
So
if
you're
sourcing
your
packages
from
an
instance
hosted
within
the
network
and
it's
using
a
self-signed
certificate
or
a
certificate,
that's
signed
by
an
internal
authority,
we
do
need
the
bundle
for
the
authority,
so
we
can
verify
the
tls
certificate.
Excuse
me
so
yeah,
that's
so
there's
an
example
there.
But
let's,
let's
see
if
we
can
get
your
let's,
let's
actually
make
that
work.
If
you
click
on
source,
I
want
to
add
a
dependency,
create
a
merge
request
and
actually
see
the
dependencies
show
up.
So
what
are?
B
What
do
you
want
to
click
on
click
on
src,
on
the
left
hand,
side,
there's
a
tree
of
file,
yeah
click
on
web
api
click
on
cs,
proj,
the
web,
api
dot,
cs
project,
two
files
down
yep,
so
in
here
you
can
see
there's
one
package.
Reference
include
jive
jives.
The
name
of
package
also
happens
to
be
the
name
of
my
lovely
dog,
so
we
can
add
a
new
package
reference.
Let's
use
a
a
package
reference
of
your
favorite
nuget
package
and
let
me
just
find
a
popular
actual.
B
Let's
use
mvc
mailer
shout
out
to
the
author
of
mvc,
mailer
and
you'll
have
to
include
that
in
the
same
item
group
I
think
I'm
gonna
say
item
I
believe
so
yeah.
If
I
remember
correctly.
Typically,
you
do
this
through
like
the
dotnet
cli
and
then
it
will
do
the
addition
and
modification
of
this
file,
and
it,
I
believe
case,
is
important
here.
So
let
me
get
that
info
for
you.
B
All
right,
so
the
other
thing
to
take
into
account
here
is
if
we
just
crack
open
that
nuget.config
on
the
left-hand
side
in
that
tree,
yeah
you'll
see
that
we
added
a
key
to
source
so
line.
Five
is
where
we
added,
we
said
clear,
all
the
package
sources
so
clear,
all
the
default
package
sources,
which
is
typically
nuget.org,
we
say
clear
and
just
use
git
lab
as
our
own
package
source.
B
So
in
that
case,
it's
going
to
try
to
download
that
package
from
gitlab's
own
package
registry
using
the
credentials
that
are
provided
in
in
here,
which
is
stored
in
the
protected
variables,
so
it'll
attempt
to
download
and
install
nvc
mailer,
but
it
should
fail
because
in
this
case
mvc
mailer
won't
be
hosted
here.
So
let's
commit
this
to
a
branch
and
open
up
a
new
merge
request
and
a
new
branch
yeah
new
merch
request.
B
And
yep
you
can
just
submit
that
and
pipeline
should
be
going.
So
if
we
actually
want
to
follow
the
output,
we
can
click
on
the
running
icon,
yep,
and
here
we
can
see
it
running
again
this
time.
If
we
edited
that
file
properly-
and
that
means,
like
I
told
you
to
insert
the
node
in
the
right
place,
then
it
will
attempt
to
install
and
download
that
package
which
won't
exist
because
we
don't
have
it
in
our
package
registry.
On
the
left
hand,
side,
there's
a
packages
tab
if
you
click
on
that.
B
A
B
For
this
particular
case,
no,
it
will
detect
that
the
mvc
mailer
is
a
dependency,
but
we
won't
know
the
license
of
it
and
we
can
actually
publish
it
to
an
end
point
that
it
can
reach.
It
will,
however,
detect
the
license
of
jive,
because
jive
is
a
dependency
that's
available
at
that
end
point
so
this.
Let's
just
highlight
that,
although
we've
added
a
new
dependency,
we
may
not
be
able
to
detect
it
unless
it's
reachable
from
the
source
that
we've
asked
to
fetch
the
dependencies
from
so
you
can
see
we
try
to.
B
If
you
scroll
up
a
little
bit,
it
should
say
something
to
the
effect
about
mvc
mailer
that
it
couldn't
actually
down.
Okay,
so
installing
jive
that
worked
fine,
I've
got
log
levels
of
the
debugs.
You
can
see
way
more
info,
but
then
it
couldn't
find
mvc
mailer.index
it.
It
wasn't
found
because
it
wasn't
available
at
that
package
registry.
So
this
is
typically
where
most
of
the
issues
are
going
to
be
found
is
either
in
the
offline
environment,
we're
trying
to
reach
out
to
nuget.org
and
fetch
a
dependency.
B
But
we
can't,
because
we
can't
we
don't-
have
outbound
access
or
we've
configured
in
such
a
way
that
we're
trying
to
fetch
the
dependencies
from
our
internal
package
registry,
but
that
package
isn't
available.
But
if
we
go
to
the
merge
request,
if
everything
went
well,
we
should
still
be
able
to
detect
some
of
the
licenses.
B
A
B
A
B
Yep
totally
and
in
some
cases
like
that,
the
way
that
we
set
this
up
might
be
slightly
overkill
in
the
sense
that
we're
manually
copying
over
packages
from
the
internet.
I
imagine
in
some
other
setups
that
aren't
as
aggressive.
They
may
just
use
a
package
proxy
where
they
will
allow
outbound
connections
to
the
network
to
go
download.
The
actual
packages
do
some
sort
of
auditing
of
it,
whether
automated
or
not,
to
verify
that
those
packages
are
safe
and
then
serve
them
from
their
internal
package
registry.
B
B
B
You
may
see
some
odd
behavior
and
we
didn't
see
that
in
this
case,
but
you
may
have
to
go
in
and
actually
just
restart
the
runners
from
ssh
into
that
instance,
and
for
development
or
for
additional,
like
demos,
there's
a
side
loading
process
for
the
bastion,
and
I
can
explain
that
now
or
in
a
separate
call
either
yeah.
I
think
I
think
we
might
have.
A
B
Yep,
that's
one
ways
you
can
ssh
in
and
like
and
map
the
internet.
Another
way
is,
we
can
actually
look
at
the
firewall
rules.
So
if
you
click
on
that
instance,
there's
yeah
on
the
left,
just
click
on
the
name.
There
should
be
some
information
on
the
ingress
and
egress
rules.
For
that
instance,
and
I
believe
there
we
go
network
interfaces
scroll
down
a
little
bit
more
details.
B
View
details
so
the
way
that
the
routes
work.
I
I
can't
remember
off
the
top
of
my
head,
but
you
have
to
apply
different
tags
and
based
on
the
tags,
they
have
a
different
meaning.
So
in
this
case
you
can
see
perfect,
you
can
see
all
the
different
routes
that
are
applied,
so
the
first
route
default
allow
internal,
so
it
says
egress
apply
to
all
for
all
protocols.
All
ip
ranges
allow
and
then
disable
egress
number
two
is
egress
to
any
of
the
air
gap.
Instances
hang
on.
What
did
does
that
say?
B
Should
we
deny
everything
by
default
and
we
allow
ingress?
Ingress
is
fine.
Yeah
ingress
is
good
because
that's
how
we
were
able
to
connect
to
it
from
the
browser,
but
egress
I'm
a
little
bit
surprised
to
see,
allow
there
and
default
allow
internal.
Let's
take
a
look
at
each
of
them
and
see
yeah,
okay,
so
the
ip.
A
B
B
A
A
A
B
It
looked
like
to
me
from
within
the
network.
Google
was
actually
running
its
own
dns
server,
so
some
of
the
external
ips
are
resolvable,
but
you
can't
connect
to
them.
So
if
you're
confused
by
that,
just
you
know
help
me
out
help
me
understand
what's
going
on
there,
but
you
can
resolve
the
ips,
doesn't
necessarily
mean
you
can
actually
connect
to
them.
A
A
B
So
what
we
do
is
you
we'll
go
through
this
together
right
now,
okay,
but-
and
I
hope
that
makes
it
a
little
bit
more
clear
and
I'm
going
to
share
an
example
of
a
script
that
I've
been
using
for
license
scanning
and
I'm
trying
to
think
of
the
best
way
to
share
this.
Let
me
put
this
into
it.
Just
snippets
pardon
me.
B
B
It's
typically
so
this
is
generated
by
we
don't
actually
like
manage
ssh
directly.
It's
managed
by
google
cloud.
So
there's
like
the
g
cloud
cli
and
you
can
use
gcloud
to
connect
or
like
what.
Typically,
what
happens
is
when
you
install
gcloud
it'll,
set
up
a
rsa
key
pair
and
register
that
as
your
ssh
key
pair
for
your
account,
and
then
it
drops
it
into
something
like
dollar
sign,
home,
slash,
dot,
ssh
or
yeah.
Just
do
this
view
g
cloud
command.
B
A
A
B
Oh
yeah,
yeah,
that's
not
a
big
deal.
The
signature
is
fine.
The
shot
256
is
fine,
we're
not
going
to
cap
your
private
key
there
and
we
can
rotate
after
the
call
as
well,
okay,
so
you're
on
in
the
instance
before
we
do
anything.
If
you
don't
mind,
let's
just
go
back
to
that
script
and
I'll
just
sort
of
walk
you
through
the
script
and
what's
happening
there.
B
So
let
me
here
in
the
gist
yeah,
so
unless
this
is
the
script
that
I
just
run,
whenever
I
have
like,
I
we've
published
a
new
version
of
the
license
management
image
and
the
license
management
image
is
the
image
that's
used
for
license
scanning.
So
if
there's
a
new
image
available,
let's
say
on
gitlab.com,
I
need
to
be
able
to
transport
that
image
from
gitlab.com
into
the
offline
environment
and
the
way
you
do
that
is
well
line.
B
10
is
we're
pulling
the
actual
new
ins
new
tag
or
the
new
docker
image
in
line
10,
so
we
pull
it
into
the
bastion's
local
registry.
We
re-tag
it
so
that
the
new
destination
is
going
to
be
like
line
8.
The
git
lab
instance
in
the
offline
environment
and
we're
going
to
push
it
to
that
new
container
registry,
so
you
can
think
of
this
as
like
we're
pulling
from
gitlab.com
and
we're
pushing
to
get
lab
dash
air
gap
and
at
the
end
of
that
line
line
eight.
B
Now
you
can
actually
host
that
image
wherever
you
want
we're
just
using
that
particular
project
as
the
place
to
host
the
image.
So
in
order
for
the
scans
to
work,
we
need
the
container
registry
to
host
the
images
somewhere
and
to
get
those
images
into
that
container
registry,
we're
using
the
bastion
host
to
sideload
to
pull
from
gitlab.com
and
push
to
that
registry.
B
I'm
trying
to
read
your
face
fernando,
and
I
can't
I
can't
quite
read
you
so
I'm
not
sure
if
I'm
making
sense
or
if
oh,
no,
no,
it
makes
perfect
sense.
It
makes
for
okay
yeah,
because
even
it
doesn't
make
perfect
sense
to
me,
because
I
say
hello
yeah
I
get
it
okay,
and
so
that's
that
is,
that
is
a
side
load
and
so
for
the
most
part
you
have
to
do
this
for
each
of
the
analyzers
in
the
documentation,
there's
a
a
few
other
scripts
that
will
do
this
for
all
the
analyzers.
B
A
B
B
B
B
A
B
B
Yeah,
but
there
should
be
another
page.
I'm
sorry,
I
don't
remember
where
it
is
a
page
that
describes
like
how
to
actually
get
the
latest
tags.
But
the
short
answer
is
it's.
It
depends
on
the
analyzer.
Each
analyzer
has
a
different
major
version
that
it's
currently
pinned
on
and
all
the
analyzers
have
been
scoped
to
a
single
namespace,
so
they're
all
under
the
security
products,
slash
analyzer
namespace.
B
So
this
is
actually
actually
we'll
update
that
in
the
documentation.
So
it
is
still
at
the
old
location
here.
But
it's
all.
The
analyzers
have
been
moved
to
register.gitlab.com
gitlab,
org
security,
product,
slash,
analyzers
and
then
from
there.
Each
of
the
analyzer
projects
has
a
it's
hosting
its
own
version
of
the
container.
Now
one
improvement
we
could
make
is
we
could
actually
host
all
the
images
in
one
container
registry
rather
than
one
container
registry
per
project
or
per
analyzer.
B
B
B
Pardon
me
I
will
find
out
where
the
latest
version
is
here.
It
is
topics
offline,
so
offline
gitlab.
Let
me
pass
to
you,
okay,
so
loading
docker
images
onto
your
offline
host.
I
should
have
linked
directly
to
that
and
then,
if
you
scroll
down,
there's
some
instructions
on
how
to
port
them
over.
So
it
looks
like
we've
actually
improved
this
since
I
last
looked
at
it.
B
B
B
Then
yeah,
it's
not
gonna.
Love
me,
it
won't
be
rich,
get
rid
of
the
registry.gitlab
or
registry
dot
part
and
then
the
rest
can
stay
the
same
yeah
there
we
go,
so
these
will
be
all
the
different
analyzers,
so
you
can
see
license
finders
in
there
gymnasium
and
inside
of
each
of
those
projects.
There's
a
container
registry.
On
the
left
hand,
side
there
will
be
packages
and
registries
container
registry,
and
this
is
where
the
latest
version
of
that
analyzer.
B
A
B
A
B
A
B
Yeah,
so
if
you
go
all
the
way,
probably
I'm
going
to
guess
7
which
take
us
to
the
3.1s
and
then
in
there
we
should
start
to
see
the
teens.
So
that's
a
little
bit
confusing,
but
there
should
be
a
major
version
3,
which
should
be
the
latest
version
always
of
of
the
three
series,
which
is
why
you
can
see
on
line
six,
which
is
saying
tag
three,
because
that's
pulling
the
latest
major.
A
A
A
Yeah
so
I
have
yeah,
so
I
have
pretty
much
everything
nailed
down,
so
I
can.
I
cannot
shut
down
these
instances
and
then
I
can
I'll
start
you
going
through
this
same
process
tomorrow
and
I'm
what
I'm
going
to
do
is
I'm
going
to
post
this
recording
to
gitlab
unfiltered,
as
in
as
as
a
recording
that
not
everyone
can
access
that'll
be
internal.
Only
is
that
okay
yeah,
that's
absolutely
absolutely
yeah
posted
in
the
secure
channel.
That
way,
everyone
can
take
a
look
wow
thanks.
So
much.
B
A
Everyone
yeah,
thank
you.
I
mean
this.
This
is
great
and
and
what
I'm
gonna
do
with
with
this
information,
is
I'm
I'm
making
two
videos
I'm
giving
you
the
preface
before
at
the
end
of
the
day,
so
so
what
I'm
gonna
do
is
I'm
doing
two
demos
right,
one,
I'm
just
showcasing
that
gitlab
actually
has
support
for
limited
connectivity,
slash
offline
environments,
kind
of
talk
a
little
bit
about
how
it
works
and
show
that
the
environment
doesn't
allow
any
connections
and
just
kind
of
go
through
there
and
then
from
there.
A
What
I'm
going
to
do
is
I'm
going
to
give
like
a
brief
example
of
what
a
how
I
could
still
detect
licenses
with
that
project
and
kind
of
just
talk
a
little
bit
about
how
it
works,
and
then,
after
that,
I'm
going
to
work
on
a
second
video
that
goes
over
pretty
much
what
you
just
showed,
how
to
load
the
images
and
how
how
to
sweet,
how
to
configure
that.
So
it
shouldn't
be
anything
too
crazy.