Scope and terms
Status: to be expanded — additional scope clarifications and terminology will be added in future revisions.
This document defines the audience, scope, and prerequisites for the air-gapped OpenStack image factory.
Audience and goals
- Operators who need reproducible, offline OpenStack builds that can be validated and promoted via Zuul pipelines.
- Teams with control over DNS, certificates, and firewall rules for internal registries and mirrors.
Platform requirements
- Core infrastructure:
  - Hosts or VMs for Zuul scheduler, executors, web, mergers, logserver, and at least one Nodepool launcher.
  - Highly available Zookeeper and SQL backends for Zuul state.
  - Object storage (Swift, S3, or NFS-backed web) for logs and build artifacts.
- Security and networking:
  - TLS certificates for web endpoints and container registries (public CA or internal PKI).
  - Firewall policies that restrict egress while allowing access to internal mirrors and registries.
  - Distribution of your trusted CA bundle to all build images.
- Tooling:
  - Docker or Podman available on builder images with enough disk (>= 80 GB) for multi-service Kolla builds.
  - skopeo, buildah, qemu-img, and jq installed on build nodes for copying images and manipulating manifests.
External dependencies during bootstrap
- Access to upstream source control (Gerrit/GitHub) long enough to replicate repositories into your mirrored control plane.
- Temporary egress to seed base container images and populate package mirrors; plan to close these paths after validation.
Readiness checklist
- DNS entries created for Zuul web, logs, registry, and mirror endpoints.
- Certificates issued and stored for ingress/registry.
- Storage allocated for mirrors (estimate at least 2x the total size of your desired images and packages).
- Nodepool image baked with container tooling and CA certificates.
- Firewall rules tested to ensure only mirrored endpoints are reachable from build nodes.
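One way to test the firewall and CA-bundle items of the checklist from a build node, as an added example that is not part of the original document. The hostnames, the allow/deny list format, and the function names are assumptions for illustration; curl is assumed to be installed on the node.

```shell
#!/bin/sh
# Egress readiness check for a build node (added example; hostnames are
# hypothetical placeholders for your mirrors and for upstream sites).
ENDPOINTS='
registry.internal.example allow
mirror.internal.example allow
zuul.internal.example allow
github.com deny
opendev.org deny
'

# probe HOST: attempt HTTPS with the system CA bundle; returns curl's exit code.
probe() {
    curl -sS -o /dev/null --connect-timeout 5 --max-time 10 \
        "https://$1/" </dev/null 2>/dev/null
}

# classify EXPECT RC: print a verdict, return 0 when the result matches policy.
# curl codes: 0 success, 6 DNS failure, 7 connect failed, 28 timeout,
# 60 certificate not trusted. Any other code on a "deny" host is treated as
# a failure to investigate, since the connection may have left the network.
classify() {
    case "$1:$2" in
        allow:0)  echo "ok"; return 0 ;;
        allow:60) echo "FAIL: CA bundle does not trust this endpoint"; return 1 ;;
        allow:*)  echo "FAIL: internal endpoint unreachable (curl rc=$2)"; return 1 ;;
        deny:6|deny:7|deny:28) echo "ok (blocked)"; return 0 ;;
        deny:*)   echo "FAIL: egress not blocked (curl rc=$2)"; return 1 ;;
    esac
}

# run_checks: probe every endpoint; return non-zero if any result violates policy.
run_checks() {
    failures=0
    while read -r host expect; do
        [ -n "$host" ] || continue
        rc=0
        probe "$host" || rc=$?
        verdict=$(classify "$expect" "$rc") || failures=$((failures + 1))
        printf '%-32s %-5s %s\n' "$host" "$expect" "$verdict"
    done <<EOF
$ENDPOINTS
EOF
    [ "$failures" -eq 0 ]
}

if [ "${1:-}" = "--run" ]; then run_checks; exit $?; fi
```

Run it with `--run` on a freshly booted Nodepool node; a non-zero exit status means either an internal endpoint failed (unreachable or untrusted certificate) or an upstream host was still reachable.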