Kolla offline enforcement

Status: to be elaborated — enforcement scenarios and reference configs will be filled in future updates.

This LLD documents how Kolla builds are configured to respect offline requirements.

Core configuration files

  • globals.yml: set openstack_release, base_distro, docker_registry, and push_images: true. Include registry credentials and CA paths.
  • kolla-build.conf: pin base images, registry endpoints, namespace, and tags. Use rpm_setup_config/deb_repo to point to internal mirrors.
  • Overrides in docker/ or kolla/docker/ to apply local patches to services.
  • Constraints and requirements files aligned with the target OpenStack release.

Sample kolla-build.conf

[DEFAULT]
base=ubuntu
base_tag=22.04
registry=registry.internal:5000
namespace=airgap/openstack
tag=2024.1
push=True
rpm_setup_config=/etc/yum.repos.d/airgap.repo
# [trusted=yes] makes APT accept this source without verifying repository signatures.
deb_repo=deb [trusted=yes] https://mirror.internal/ubuntu jammy main
squash=True
threads=8
profile=control

Build strategies

  • Split builds by profile (compute, control, infra) to reduce per-node disk pressure.
  • Use a persistent builder volume or registry-backed cache if security policy allows; otherwise rely on digest-pinned base layers.
  • Run kolla-build --profile <profile> from a Zuul job with DOCKER_CONFIG pointing to registry credentials.

Dependency control

  • Mirror pip wheels and set PIP_INDEX_URL/PIP_TRUSTED_HOST in the job environment.
  • Embed CA bundles into builder images and export REQUESTS_CA_BUNDLE/SSL_CERT_FILE for Python tooling.
  • Pin base image digests in configuration and track them in your BOM to detect unintended updates.
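
A pre-flight check that a Zuul job could run before kolla-build, covering the registry and mirror settings in kolla-build.conf and the environment variables listed under Build strategies and Dependency control. This is an added example, not part of Kolla or of the original page; the ".internal" host suffix rule, the function names, and the sample paths are assumptions.

```python
import configparser
from urllib.parse import urlparse

# Assumption: every approved host shares this DNS suffix, as in the sample config.
INTERNAL_SUFFIX = ".internal"
REQUIRED_ENV = ("DOCKER_CONFIG", "PIP_INDEX_URL", "PIP_TRUSTED_HOST",
                "REQUESTS_CA_BUNDLE", "SSL_CERT_FILE")


def is_internal(host):
    return bool(host) and host.lower().endswith(INTERNAL_SUFFIX)


def check_offline(conf_text, env):
    """Return findings for kolla-build.conf text and a job environment mapping."""
    findings = []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    opts = cfg.defaults()
    # registry is host[:port]; prefix "//" so urlparse treats it as a netloc.
    registry = opts.get("registry", "")
    if not is_internal(urlparse("//" + registry).hostname):
        findings.append(f"registry is not internal: {registry!r}")
    # deb_repo is an APT source line; check every URL token it contains.
    for tok in opts.get("deb_repo", "").split():
        if "://" in tok and not is_internal(urlparse(tok).hostname):
            findings.append(f"deb_repo points outside the mirror: {tok}")
    # Credentials, pip index and CA bundle variables must all be present.
    for name in REQUIRED_ENV:
        if not env.get(name):
            findings.append(f"{name} is not set")
    index = env.get("PIP_INDEX_URL", "")
    if index and not is_internal(urlparse(index).hostname):
        findings.append(f"PIP_INDEX_URL is not internal: {index}")
    for host in env.get("PIP_TRUSTED_HOST", "").split():
        if not is_internal(urlparse("//" + host).hostname):
            findings.append(f"PIP_TRUSTED_HOST is not internal: {host}")
    return findings


# Constructed sample input: the page's endpoints plus made-up file paths.
SAMPLE_CONF = ("[DEFAULT]\nregistry=registry.internal:5000\n"
               "deb_repo=deb [trusted=yes] https://mirror.internal/ubuntu jammy main\n")
SAMPLE_ENV = {"DOCKER_CONFIG": "/etc/zuul/docker",
              "PIP_INDEX_URL": "https://mirror.internal/pypi/simple",
              "PIP_TRUSTED_HOST": "mirror.internal",
              "REQUESTS_CA_BUNDLE": "/etc/ssl/airgap-ca.pem",
              "SSL_CERT_FILE": "/etc/ssl/airgap-ca.pem"}

if __name__ == "__main__":
    print(check_offline(SAMPLE_CONF, SAMPLE_ENV) or "offline checks passed")
```

Fail the job when the returned list is non-empty, so a build never starts with an external endpoint or a missing CA bundle.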