@@ -3,6 +3,7 @@ title: Run OBI as a standalone process
33linkTitle : Standalone
44description : Learn how to setup and run OBI as a standalone Linux process.
55weight : 5
6+ cSpell:ignore : cyclonedx
67---
78
89OBI can run as a standalone Linux OS process with elevated privileges that can
@@ -17,7 +18,20 @@ Each release includes:
1718
1819- ` obi-v<version>-linux-amd64.tar.gz ` - Linux AMD64/x86_64 archive
1920- ` obi-v<version>-linux-arm64.tar.gz ` - Linux ARM64 archive
20- - ` SHA256SUMS ` - Checksums for verification
21+ - ` obi-v<version>-linux-amd64.cyclonedx.json ` - CycloneDX SBOM for the AMD64
22+ archive
23+ - ` obi-v<version>-linux-arm64.cyclonedx.json ` - CycloneDX SBOM for the ARM64
24+ archive
25+ - ` obi-v<version>-source-generated.cyclonedx.json ` - CycloneDX SBOM for the
26+ source-generated archive
27+ - ` obi-java-agent-v<version>.cyclonedx.json ` - CycloneDX SBOM for the embedded
28+ Java agent and its Java dependencies
29+ - ` SHA256SUMS ` - Checksums for verification of the release archives and SBOM
30+ assets
31+
32+ Container images for the same release are also published. For image pull and
33+ signature verification instructions, see
34+ [ Run OBI as a Docker container] ( ../docker/ ) .
2135
2236Set your desired version and architecture:
2337
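Review bot: The `SHA256SUMS` bullet now promises "verification of the release archives and SBOM assets" without saying what is being verified, while the paragraph added right after it points to signature verification only for container images. A checksum file published alongside the assets it covers detects corrupted or truncated downloads; it does not establish who produced them. Suggest wording the bullet as an integrity check and, if the tarballs and SBOMs have a signature or attestation of their own, linking to it here the same way the image instructions are linked.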
@@ -44,6 +58,18 @@ sha256sum -c SHA256SUMS --ignore-missing
4458tar -xzf obi-v${VERSION} -linux-${ARCH} .tar.gz
4559```
4660
61+ Successful verification prints an ` OK ` result for each downloaded file:
62+
63+ ``` text
64+ obi-v${VERSION}-linux-${ARCH}.tar.gz: OK
65+ ```
66+
67+ If verification fails, ` sha256sum ` reports ` FAILED ` . When that happens:
68+
69+ - confirm that ` VERSION ` matches the archive and ` SHA256SUMS ` you downloaded
70+ - remove any partially downloaded files and fetch them again
71+ - verify only the files you actually downloaded from that release
72+
4773The archive contains:
4874
4975- ` obi ` - Main OBI binary
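Review bot: The "If verification fails" list never tells the reader to stop, yet the unchanged `tar -xzf` line directly above it follows the `sha256sum -c SHABLOCK` step, so a pasted block still extracts the archive after a `FAILED` result. Suggest a first bullet such as "do not extract or run the archive", or chaining the check and the extraction with `&&`. Because the check runs with `--ignore-missing`, entries in `SHA256SUMS` with no matching local file are skipped, so the text should also say that the archive's own name must appear on an `OK` line. The third bullet ("verify only the files you actually downloaded from that release") reads as general advice rather than a recovery step and could be reworded to say what the reader should check.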
@@ -66,6 +92,42 @@ The archive contains:
6692> (for example ` XDG_CACHE_HOME=/var/cache/obi sudo -E obi ... ` ) or configure an
6793> explicit cache path according to your environment.
6894
95+ ## SBOMs
96+
97+ CycloneDX SBOM files are optional metadata for supply-chain review and
98+ automation. They are not required to install or run OBI.
99+
100+ The published SBOMs describe the contents of the binary archives and embedded
101+ components in [ CycloneDX JSON format] ( https://cyclonedx.org/ ) . They can be used
102+ with standard SBOM tooling to inspect dependencies, licenses, and components
103+ without executing the binaries.
104+
105+ Download the SBOMs you want to inspect:
106+
107+ ``` sh
108+ # SBOM for the binary archive you downloaded
109+ wget https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/download/v${VERSION} /obi-v${VERSION} -linux-${ARCH} .cyclonedx.json
110+
111+ # SBOM for the embedded Java agent and its Java dependencies
112+ wget https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/download/v${VERSION} /obi-java-agent-v${VERSION} .cyclonedx.json
113+
114+ # Optional: verify the downloaded SBOM files against SHA256SUMS too
115+ sha256sum -c SHA256SUMS --ignore-missing
116+ ```
117+
118+ Example inspection commands:
119+
120+ ``` sh
121+ # List component names and versions from the archive SBOM
122+ jq ' .components[] | {name, version}' obi-v${VERSION} -linux-${ARCH} .cyclonedx.json
123+
124+ # Scan the SBOM with Grype
125+ grype sbom:obi-v${VERSION} -linux-${ARCH} .cyclonedx.json
126+
127+ # Inspect the Java agent dependency graph
128+ jq ' .components[] | {name, version}' obi-java-agent-v${VERSION} .cyclonedx.json
129+ ```
130+
69131## Install to system
70132
71133After extracting the archive, you can install the binaries to a location in your
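Review bot: In the inspection block, the comment "Inspect the Java agent dependency graph" sits above `jq ' .components[] | {name, version}'`, which is the same flat component listing as the first command, only run on the Java agent file. CycloneDX records relationships in the top-level `dependencies` array, so either relabel the comment as listing the Java agent's components or change the query to read `.dependencies[]`. Separately, the download block labels the `SHA256SUMS` check "Optional" even though the section presents the SBOMs for supply-chain review and passes them to Grype; suggest making the check the default step before inspection and noting that it depends on the `SHA256SUMS` file fetched in the earlier download step.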