Skip to content

Air-Gapped Implementation 1 — Network Connectivity Requirements (v2.0.0)

This document defines the required LAN connectivity between VM1 (Nexus), VM2 (Gerrit+Zuul), and VM3 (Runner host) to support the current deployment.

1) Nodes

  • VM1: Nexus (Artifacts Nexus + Images Nexus)
  • VM2: Gerrit + Zuul stack (scheduler/web/executor/merger/nodepool-launcher + ZooKeeper + PostgreSQL)
  • VM3: Static nodepool node implemented as an Ubuntu Jammy runner container on an Ubuntu Jammy host (SSH target), with Docker socket access

2) External (LAN) ports exposed by each VM

VM1 (Nexus)

  • TCP/8081: Nexus UI/API
  • TCP/8082: Nexus Proxy Docker repo endpoint
  • TCP/8083: Nexus Hosted Docker repo endpoint

VM2 (Gerrit + Zuul)

Gerrit

  • TCP/8080: Gerrit HTTP UI/REST
  • TCP/29418: Gerrit SSH (git + stream-events)

Zuul

  • TCP/9000: Zuul Web UI/API

ZooKeeper and PostgreSQL are expected to be internal to VM2 (Docker network).

VM3 (Runner access)

  • TCP/22: SSH endpoint to reach the runner VM
  • TCP/23389: SSH endpoint to reach the runner container

3) Required VM-to-VM connections (allowlist)

3.1 VM2 → VM1 (Control plane to Nexus)

Allow:

  • TCP/8081 (Nexus API/UI) — for validations and repository access during jobs (if used)
  • TCP/8082/8083 (Docker repo ports) — pull/push container images during build/publish (if jobs interact with the registry endpoint)

Purpose:

  • Zuul jobs (via executor/runner) and/or tooling on VM2 access artifacts and publish/pull images from Nexus.

3.2 VM3 → VM1 (Runner to Nexus)

Allow:

  • TCP/8081 — fetch artifacts (raw repos, pypi, etc.) as required by jobs
  • TCP/8082/8083 — pull base images and push built images (if using Nexus as registry)

Purpose:

  • The actual build runtime must retrieve dependencies and publish images to Nexus.

3.3 VM2 → VM3 (Zuul executor to runner)

Allow:

  • TCP/23389 — SSH for Ansible job execution

Purpose:

  • Zuul executor runs playbooks/tasks on the runner container (nodepool static node).

3.4 VM3 → VM2 (Runner to Gerrit)

Allow:

  • TCP/29418 — git operations over SSH
  • TCP/8080 — Gerrit REST/HTTP (rarely required for builds)

Purpose:

  • Jobs perform git fetch/clone directly from Gerrit during execution.

4) Connectivity diagram (logical)

  • VM2 (Zuul executor) --SSH--> VM3 (Runner)
  • VM3 (Runner) --HTTP/HTTPS--> VM1 (Nexus API/repos)
  • VM3 (Runner) --Docker registry--> VM1 (Nexus Docker repos)
  • VM2 (optional) --HTTP/registry--> VM1 (Nexus)
  • VM3 (Runner) --SSH/HTTP--> VM2 (Gerrit)
graph TD
  VM2["VM2: Gerrit + Zuul"] -- "SSH 23389" --> VM3["VM3: Runner"]
  VM3 -- "HTTP/HTTPS 8081" --> VM1["VM1: Nexus"]
  VM3 -- "Docker registry 8082/8083" --> VM1
  VM2 -- "HTTP 8081 / Registry 8082/8083" --> VM1
  VM3 -- "SSH 29418 / HTTP 8080" --> VM2

5) Notes / assumptions (explicit)

  • Internal communications between Zuul components (scheduler/merger/executor) and ZooKeeper/PostgreSQL occur inside VM2 (Docker network). They are not considered VM-to-VM requirements.

6) Minimal connectivity test commands

From VM2:

  • nc -vz <VM3_IP> 23389
  • nc -vz <VM1_IP> 8081
  • nc -vz <VM1_IP> 8082
  • nc -vz <VM1_IP> 8083

From VM3 (runner host or inside runner container, depending on your model):

  • nc -vz <VM1_IP> 8081
  • nc -vz <VM1_IP> 8082
  • nc -vz <VM1_IP> 8083
  • nc -vz <VM2_IP> 29418