Air-Gapped Image Mirroring
Air-Gapped Image Mirroring
AI Cluster RuntimeAir-Gapped Image Mirroring
Discover every container image and Helm chart a recipe needs, then mirror them into a private registry for air-gapped deployment. For the per-flag reference, see CLI reference: aicr mirror list. For the static image inventory across all registered components, see Container Image Inventory.
aicr mirror list renders each component’s Helm chart with recipe-resolved
values, scans embedded manifests, and produces a deduplicated list of container
images and chart references. The output is available in four formats — two
general-purpose (YAML, JSON) and two tool-specific (Hauler, Zarf).
Trust boundary: Discovery shells out to
helm template, which executes the full Go template engine (tpl,include,lookup). AICR recipes reference trusted, pinned charts from known repositories. Do not runmirror listagainst untrusted or unvetted recipe files — doing so executes arbitrary template code from those charts.
How this relates to chart vendoring: aicr bundle --vendor-charts embeds
Helm chart tarballs into a bundle so helm install needs no registry egress.
aicr mirror list discovers the container images those charts reference plus
the chart coordinates themselves. For a fully air-gapped deployment, use both:
mirror images and charts into your private registry, then deploy the vendored
bundle.
aicr CLI installed (see Installation)aicr recipe --output recipe.yaml) or query parametershelm v3+ on $PATH (required for chart rendering during discovery)hauler CLIzarf CLIFrom an existing recipe file:
Or resolve a recipe from query parameters:
Hauler syncs container images and Helm charts into a local store, then copies them to a target registry.
The output is a multi-document YAML with an Images document (and optionally a
Charts document):
To pull only a single platform (reduces download size):
For registries using plain HTTP (e.g., local test registries):
Zarf packages container images into a single distributable tarball that can be carried to an air-gapped environment and mirrored into a registry.
The output is a ZarfPackageConfig:
Place zarf.yaml in its own directory and create the package:
This pulls every listed image and produces a zarf-package-*.tar.zst file.
Transfer the tarball to the air-gapped environment, then mirror:
For registries using plain HTTP:
The --set flag overrides Helm values at discovery time, changing which images
appear in the output. This is useful when you know certain sub-components will
be disabled in your deployment and want to exclude their images from the mirror
list.
The override key format is component:path.to.field=value, where the component
name matches either the component name in the recipe or its valueOverrideKeys
alias from the registry (e.g., gpuoperator for gpu-operator).
The Container Image Inventory is a static reference
generated from recipes/registry.yaml with default values. It lists every
image across all registered components regardless of recipe.
aicr mirror list is recipe-specific: it renders charts with the actual
resolved values for your target configuration (service, accelerator, intent,
OS). The resulting image list is typically a subset of the full inventory,
limited to the components and sub-components your recipe enables.
Use the inventory for security audit and compliance. Use mirror list to
generate the exact manifest for a specific deployment.