Air-Gap System Requirements
Purpose: For operators, provides OS, CPU, memory, disk, and network requirements for air-gap deployments.
Build Host (Zone A)
The build host downloads all dependencies and creates the Zarf artifact.
| Resource | Minimum | Recommended | Notes |
|---|---|---|---|
| OS | Ubuntu 22.04 or 24.04 | Ubuntu 24.04 | Other Debian-based distributions may work |
| CPU | 4 cores | 8 cores | Compression is CPU-intensive |
| Memory | 8 GB | 16 GB | Image pulls and Zarf packaging |
| Disk | 100 GB free | 200 GB free | Images + packages + final artifact |
| Network | Outbound HTTPS | Outbound HTTPS | See Firewall Whitelist |
| Python | 3.10+ | 3.12 | For opencenter-airgap CLI |
| Git | 2.30+ | Latest | Repository cloning |
Required software
```bash
# Verify prerequisites
python3 --version   # 3.10+
git --version       # 2.30+

# Optional (for final package creation):
zarf version        # Zarf CLI
cosign version      # Cosign for signing
```
Disk layout
| Directory | Estimated size | Contents |
|---|---|---|
| build/ | 10–20 GB | Cloned repositories |
| assets/images/ | 30–60 GB | Container image tarballs |
| assets/repos/ | 5–10 GB | OS packages |
| assets/python-wheels/ | 1–2 GB | Python dependencies |
| assets/k8s-binaries/ | 500 MB | kubectl, kubelet, kubeadm |
| assets/terraform-mirror/ | 200 MB | Terraform providers |
| dist/ | 20–40 GB | Final compressed artifact |
Total: 70–130 GB typical. Allocate 200 GB to be safe.
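A preflight script for the build host that checks the required minimums above (Python 3.10+, Git 2.30+, 100 GB free) and warns about the optional tools. This is an added example, not part of opencenter-airgap; the function names, the `check` argument and the script name are assumptions.

```sh
#!/bin/sh
# Added example: build-host (Zone A) preflight against the minimums in the table above.
# Function names and the "check" argument are illustrative, not opencenter-airgap's.

# first_version TEXT: print the first dotted version number found in TEXT.
first_version() { printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1; }

# version_ge HAVE WANT: succeed if HAVE >= WANT, comparing fields numerically
# (a plain string compare would wrongly rank 3.9 above 3.10).
version_ge() {
    local have="$1" want="$2" h w
    while [ -n "$want" ]; do
        h=${have%%.*}; h=${h%%[!0-9]*}; h=${h:-0}; w=${want%%.*}
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $want in *.*) want=${want#*.} ;; *) want= ;; esac
    done
    return 0
}

# free_gb DIR: whole GB available on the filesystem holding DIR.
free_gb() { df -Pk "$1" | awk 'NR==2 {print int($4 / 1048576)}'; }

# check_tool NAME MIN CMD...: run CMD and compare the version it reports to MIN.
check_tool() {
    local name="$1" min="$2" out ver
    shift 2
    if ! out=$("$@" 2>&1); then echo "FAIL $name: not runnable"; return 1; fi
    ver=$(first_version "$out")
    if version_ge "$ver" "$min"; then echo "ok   $name $ver (>= $min)"
    else echo "FAIL $name ${ver:-unknown} (< $min)"; return 1; fi
}

# preflight_build_host DIR: returns the number of failed required checks.
preflight_build_host() {
    local dir="${1:-.}" fails=0 gb t
    check_tool python3 3.10 python3 --version || fails=$((fails + 1))
    check_tool git 2.30 git --version || fails=$((fails + 1))
    gb=$(free_gb "$dir")
    if [ "${gb:-0}" -ge 100 ]; then echo "ok   disk: ${gb} GB free under $dir"
    else echo "FAIL disk: ${gb:-0} GB free under $dir (< 100 GB)"; fails=$((fails + 1)); fi
    for t in zarf cosign; do   # optional, only needed for final package creation
        command -v "$t" >/dev/null 2>&1 || echo "warn $t not installed (optional)"
    done
    return "$fails"
}

# Run as: sh preflight.sh check /path/to/workdir   (script name is hypothetical)
if [ "${1:-}" = "check" ]; then preflight_build_host "${2:-.}"; fi
```

The exit status is the number of failed required checks, so a wrapper can stop the build before any downloads start.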
Bastion Host (Zone C)
The bastion receives the Zarf artifact and serves dependencies to cluster nodes.
| Resource | Minimum | Recommended | Notes |
|---|---|---|---|
| OS | Ubuntu 24.04 | Ubuntu 24.04 | Must match target node OS family |
| CPU | 4 cores | 8 cores | Registry and nginx serving |
| Memory | 8 GB | 16 GB | Registry + concurrent pulls |
| Disk | 100 GB free | 200 GB free | Extracted artifact + registry storage |
| Network | Local subnet only | Local subnet only | No internet access |
| Podman | 4.0+ | Latest | Runs the OCI registry container |
Required ports
| Port | Service | Direction | Consumers |
|---|---|---|---|
| 35000 | Container registry | Inbound | Target nodes (containerd pulls) |
| 80 | Nginx file server | Inbound | Target nodes (apt, pip, binaries) |
| 22 | SSH | Outbound | Bastion → target nodes (Ansible) |
Disk layout
| Directory | Estimated size | Contents |
|---|---|---|
| /opt/opencenter/ | 40–80 GB | Extracted Zarf components |
| /var/lib/registry/ | 30–60 GB | OCI registry blob storage |
Target Cluster Nodes (Zone C)
| Resource | Minimum (worker) | Minimum (control plane) | Notes |
|---|---|---|---|
| OS | Ubuntu 24.04 | Ubuntu 24.04 | |
| CPU | 4 cores | 4 cores | |
| Memory | 8 GB | 8 GB | 16 GB recommended for control plane |
| Disk | 50 GB | 100 GB | etcd on control plane needs fast disk |
| Network | Access to bastion | Access to bastion | Ports 35000 and 80 |
Node count
| Role | Minimum | Recommended | Notes |
|---|---|---|---|
| Control plane | 1 | 3 | 3 for HA; must be an odd number |
| Worker | 1 | 3+ | Scale based on workload |
| Bastion | 1 | 1 | Single bastion per site |
Network requirements between nodes
| Source | Destination | Ports | Purpose |
|---|---|---|---|
| All nodes | Bastion | 35000, 80 | Image pulls, package installs |
| Bastion | All nodes | 22 | Ansible/Kubespray provisioning |
| Control plane | Control plane | 2379-2380 | etcd peer communication |
| Control plane | All nodes | 6443 | Kubernetes API server |
| All nodes | All nodes | 10250 | kubelet API |
| All nodes | All nodes | 179 | Calico BGP (if using BGP mode) |
| All nodes | All nodes | VXLAN (4789) | Calico VXLAN overlay |
Transfer Media (Zone B)
| Media type | Minimum capacity | Notes |
|---|---|---|
| USB 3.0 drive | 64 GB | Sufficient for most builds |
| External SSD | 128 GB | Faster transfer, recommended |
| DVD/Blu-ray | Multiple discs | Write-once for tamper evidence |