
Mirror factory workflow

Status: draft — sequencing and validation steps will be elaborated in upcoming versions.

This LLD describes how the connected environment prepares and validates all mirrors required for the disconnected build site.

Container registry

  • Deploy an HA registry (Harbor, Quay, or Docker Distribution) reachable from the builders; enable TLS, and enable content trust (image signing) where the build pipeline can verify the signatures.
  • Pre-seed distro base images. The copy is addressed by tag, but the digest reported by skopeo inspect must be recorded, because an upstream tag is mutable and only the digest identifies the bytes that were validated:
    skopeo copy docker://ubuntu:22.04 docker://registry.internal:5000/base/ubuntu:22.04 \
      --dest-creds "$REG_USER:$REG_PASS"
    
  • Make the tags that Kolla base images consume immutable in the registry (Harbor and Quay support tag immutability rules) and move a tag to a new digest only after that image has passed validation.
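As an added example (not part of this LLD or of Kolla's tooling), the script below does what the bullet above calls "digest pins": it resolves the upstream tag to a digest with skopeo, copies by that digest rather than by the mutable tag, and checks that the internal registry serves the same digest behind the destination tag. It assumes skopeo is installed, REG_USER and REG_PASS are set as in the command above, and registry.internal:5000 is the page's placeholder registry; pinned-images.txt is a file name chosen here for the record of pins.

```shell
#!/bin/sh
# Added example, not from the LLD: seed a base image into the internal
# registry pinned by digest, then verify that the copy matches.
# Assumptions: skopeo is installed; REG_USER/REG_PASS are set as in the LLD;
# registry.internal:5000 is the page's placeholder registry.
set -eu

# True if $1 is a well-formed "sha256:<64 hex>" digest.
is_sha256_digest() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Strip a trailing :tag or @digest from an image reference, keeping a
# registry port (registry.internal:5000/base/ubuntu:22.04 -> .../base/ubuntu).
repo_of() {
  ref=${1%%@*}
  case ${ref##*/} in
    *:*) ref=${ref%:*} ;;   # only the last path component can carry a tag
  esac
  printf '%s\n' "$ref"
}

# Build the immutable form "<repo>@<digest>" of a reference.
pinned_ref() {
  is_sha256_digest "$2" || { echo "bad digest: $2" >&2; return 1; }
  printf '%s@%s\n' "$(repo_of "$1")" "$2"
}

# Resolve a tag upstream, copy by digest, verify, and record the pin.
# Needs network access and skopeo; the pure helpers above do not.
pin_image() {
  src=$1 dst=$2
  digest=$(skopeo inspect --format '{{.Digest}}' "docker://$src")
  is_sha256_digest "$digest" || { echo "cannot resolve $src" >&2; return 1; }
  src_pinned=$(pinned_ref "$src" "$digest")
  # --all copies the whole manifest list, so the destination keeps the
  # digest we resolved; without it a single-platform manifest is written
  # and its digest differs from the list digest.
  skopeo copy --all --dest-creds "$REG_USER:$REG_PASS" \
    "docker://$src_pinned" "docker://$dst"
  got=$(skopeo inspect --creds "$REG_USER:$REG_PASS" --format '{{.Digest}}' "docker://$dst")
  [ "$got" = "$digest" ] || { echo "digest mismatch for $dst: $got" >&2; return 1; }
  # pinned-images.txt (name chosen here) is the frozen record a later drift check reads.
  printf '%s %s\n' "$(pinned_ref "$dst" "$digest")" "$src" >>pinned-images.txt
}

# Example invocation (same image as the LLD's skopeo copy line):
# pin_image ubuntu:22.04 registry.internal:5000/base/ubuntu:22.04
```

The verification step matters because a registry may rewrite a manifest on upload (for example when only one platform of a multi-arch list is copied); comparing the destination digest with the resolved one catches that before the pin is recorded.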

OS package mirrors

  • Debian/Ubuntu: use aptly or debmirror with a curated set of suites and components (for example jammy, jammy-updates and jammy-security, main only). Snapshot a repository before promoting it, so that builders always see a fixed package set.
  • RHEL/Rocky/CentOS: use reposync or Pulp to mirror only the required repositories. Export packages and repodata to plain HTTP or object storage for the builders, and mirror the repository GPG keys alongside so dnf can still verify package signatures without upstream access.

Python wheels

  • Mirror wheels with bandersnatch (a full or allow-listed PyPI mirror in PEP 503 layout) or, for a fixed set, pip download --dest /srv/wheels -r requirements.txt --constraint upper-constraints.txt.
  • Serve them over HTTP (e.g., python3 -m http.server behind NGINX). A bandersnatch tree is a PEP 503 simple index and can be set as PIP_INDEX_URL; a flat pip download directory is not, so either lay it out as /simple/<project>/ or point PIP_FIND_LINKS at its directory listing and add --no-index so pip never falls back to PyPI.

Proxying and egress controls

  • During bootstrap, allow egress only through a caching proxy restricted to the upstream mirror hosts, so that everything fetched is logged and cached while the mirrors are populated.
  • Freeze the manifests (image digests, package lists, upper-constraints), snapshot the mirrors, then disable external access. Record the digest of every mirrored artefact and re-hash periodically, so that drift is detected rather than silently consumed by builds.

Validation

  • From a Nodepool node, run apt/dnf installs, pip install --no-index, and docker pull against the mirror endpoints only; confirm the firewall logs show no egress except to the mirrors themselves.
  • Include a Zuul job that periodically verifies mirror freshness and reports differences against the frozen manifest: package counts, changed digests, and security updates (CVE fixes) published upstream but not yet mirrored.
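The drift tracking in the egress section and the periodic Zuul freshness check above both need the same thing: a frozen digest manifest of each mirror tree and a later comparison against it. The script below is an added example (not part of this LLD or of the mirror tools it names); it assumes only coreutils and paths without whitespace, and the mirror paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the LLD: freeze a digest manifest of a mirror
# tree (apt pool, yum repo, wheel directory) and later re-hash it to detect
# drift.  Only coreutils are assumed; paths are assumed to contain no
# whitespace, as sha256sum's two-column output is parsed by field.
set -eu

# One line per file, "<sha256>  ./relative/path", sorted in the C locale so
# that comm(1) can compare two manifests line by line.
freeze_manifest() {
  (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort)
}

# True if manifest $1 lists path $2 (with any digest).
lists_path() {
  grep -q -- "  $2\$" "$1"
}

# Re-hash directory $1 and compare with the frozen manifest $2.  Prints one
# line per drifted artefact (CHANGED/REMOVED/ADDED) plus a count summary,
# and returns 1 if anything drifted so a periodic job can fail on it.
check_drift() {
  dir=$1 manifest=$2
  cur=$(mktemp)
  freeze_manifest "$dir" >"$cur"
  # Lines only in the frozen manifest: the path vanished or its digest changed.
  LC_ALL=C comm -23 "$manifest" "$cur" | while read -r _digest path; do
    if lists_path "$cur" "$path"; then echo "CHANGED $path"; else echo "REMOVED $path"; fi
  done
  # Lines only in the current listing whose path is new: added artefacts.
  LC_ALL=C comm -13 "$manifest" "$cur" | while read -r _digest path; do
    lists_path "$manifest" "$path" || echo "ADDED $path"
  done
  echo "summary: $(wc -l <"$manifest") frozen, $(wc -l <"$cur") current"
  if cmp -s "$manifest" "$cur"; then rm -f "$cur"; return 0; fi
  rm -f "$cur"
  return 1
}

# Typical use (paths are placeholders): freeze once when the mirror is
# promoted, then run the check from a periodic job and alert on exit 1.
#   freeze_manifest /srv/mirror/ubuntu >ubuntu.manifest
#   check_drift /srv/mirror/ubuntu ubuntu.manifest
```

A CHANGED line for a file that the upstream never republishes (a .deb, an .rpm, or a wheel is immutable once released) is the signal to investigate, because it means the bytes on the mirror are no longer what was validated; ADDED and REMOVED lines are expected after a deliberate re-sync and should match the snapshot diff.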