System requirements
This page covers requirements for both deployment models. Read the section that matches your target environment.
Model A — On-premises standalone
Windows Server management host
The management host is the Windows Server 2025 machine that runs the CloudSmith control plane. It is not a node in the managed cluster — it is a dedicated or shared management machine that has network access to the clusters you want to manage.
Operating system:
- Windows Server 2025 (Standard or Datacenter edition)
- Hyper-V role installed and running (
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools) - PowerShell 7.4 or later
Hardware minimums:
| Resource | Minimum (lab / eval) | Recommended (production, 1–5 clusters) |
|---|---|---|
| CPU | 4 vCPU | 8 vCPU |
| RAM | 10 GB total | 20 GB total |
| OS disk | 60 GB | 60 GB |
| Data disk | 100 GB | 500 GB (dedicated, RAID 1 recommended) |
| Network | 1 Gbps NIC | 1 Gbps NIC (dedicated management VLAN recommended) |
The 10 GB RAM minimum accounts for 8 GB allocated to CloudSmith services inside the Linux VM plus approximately 2 GB of Linux guest OS overhead. The installer enforces this minimum and will not proceed if less than 10 GB is available.
Nested virtualization (VM-hosted management servers):
If the management host is itself a Hyper-V VM — for example, a management VM running on the same cluster you are about to manage — nested virtualization must be enabled on the parent host before running the installer:
# Run on the Hyper-V parent host (not inside the management VM)
Set-VMProcessor -VMName '<management-vm-name>' -ExposeVirtualizationExtensions $true
The installer detects the absence of nested virtualization and stops with an error. Do not bypass this check in production.
Linux guest VM (provisioned by the installer)
The installer creates a Hyper-V Generation 2 VM named cloudsmith-docker running Ubuntu 24.04 LTS. You do not provision this VM manually — these specs are provided for capacity planning.
| Setting | Value |
|---|---|
| VM name | cloudsmith-docker |
| Generation | 2 (UEFI) |
| RAM | 4 GB (dynamic memory; max 8 GB) |
| vCPU | 2 minimum |
| Hyper-V switch | cloudsmith-internal (internal switch, created by installer) |
| Static IP | 192.168.100.10 (default; configurable with --vm-ip) |
| VHDX default path | C:\ProgramData\CloudSmith\cloudsmith-docker.vhdx |
If C:\ProgramData is on a small OS disk, pass --vhdx-path to specify an alternate location.
Network and firewall
Inbound (to management host):
| Port | Protocol | Source | Purpose |
|---|---|---|---|
| 443 | HTTPS | Operator workstations | Portal and API access |
Only port 443 needs an inbound firewall rule. The installer creates this rule automatically. All other communication is outbound from the runner or internal to the Docker Compose network.
Outbound (from management host / runner):
| Destination | Port | Protocol | Purpose |
|---|---|---|---|
| Hyper-V hosts | 5986 | HTTPS | WinRM (PowerShell remoting — recommended) |
| Hyper-V hosts | 5985 | HTTP | WinRM (development / trusted LAN only) |
| BMC interfaces (iDRAC, XCC, iLO) | 443 | HTTPS | Redfish API — firmware and hardware inventory |
| Active Directory / LDAP | 636 | LDAPS | Keycloak user federation |
| ghcr.io | 443 | HTTPS | Container image pull (Online mode only) |
Outbound (from Linux VM — Online mode only):
| Destination | Port | Purpose |
|---|---|---|
| cloud-images.ubuntu.com | 443 | Ubuntu 24.04 cloud image download |
| ghcr.io | 443 | CloudSmith container image pull |
Bundled and Appliance modes do not require outbound internet access for the initial install. Post-install update checks require ghcr.io access unless you mirror images internally.
Model B — Azure PaaS
Azure subscription
| Requirement | Detail |
|---|---|
| Subscription role | Contributor + Role Based Access Control Administrator (or Owner) on the target subscription. Contributor alone is not sufficient because the Bicep template creates a role assignment for the Managed Identity. |
| Region | Must support both Azure Container Apps and Azure Database for PostgreSQL Flexible Server; verify before deploying: az provider show --namespace Microsoft.App and az provider show --namespace Microsoft.DBforPostgreSQL |
No Entra ID / Azure AD roles are required for the initial deployment. Entra ID SSO is optional and configured post-install. See Prerequisites for the full RBAC breakdown.
Local tooling
Install the following on the workstation from which you run azd up. Windows, macOS, and Linux are all supported.
| Tool | Minimum version | Install |
|---|---|---|
| Azure CLI | 2.60 | winget install Microsoft.AzureCLI |
| Azure Developer CLI (azd) | 1.9 | winget install Microsoft.Azd |
| PowerShell | 7.4 | Required only for optional post-deploy verification scripts |
# Verify versions before proceeding
az version
azd version
$PSVersionTable.PSVersion
Azure service availability
The Phase IV Bicep pack provisions the following Azure resources. Confirm each is available in your chosen region before running azd up:
| Resource | Tier / SKU (dev) | Tier / SKU (prod) |
|---|---|---|
| Azure Container Apps Environment | Consumption plan | Workload Profiles |
| Azure Container App — API | 0.5 vCPU / 1 GB | D4 (4 vCPU / 8 GB), min 1 replica |
| Azure Container App — Portal | 0.25 vCPU / 0.5 GB | D2 (2 vCPU / 4 GB), min 1 replica |
| Azure Database for PostgreSQL Flexible Server | Burstable B1ms, no HA | Standard_D2ds_v4, zone-redundant HA |
| Azure Key Vault | Standard, public endpoint | Standard, private endpoint |
| Log Analytics Workspace | Pay-per-GB | Pay-per-GB |
| Application Insights | Workspace-based | Workspace-based |
| User-assigned Managed Identity | — | — |
Note: Azure SignalR Service, Azure Service Bus, Azure Front Door, VNet integration, and private endpoints are not provisioned by the current Bicep pack — they are part of the production-hardening roadmap.
Heads-up: The resource set above is the current MVP. SKU defaults and the exact parameter surface may evolve; pin to a specific
cloudsmith-installerrelease tag when automating.
Entra ID SSO (optional — post-install)
Entra ID app registrations are not required to deploy CloudSmith. The platform starts with a first-run setup wizard that creates a local administrator account. You can add Entra ID (or another identity provider) after the platform is running, under Platform Management → Identity Providers.
If you plan to configure Entra SSO post-install, the person creating the app registration needs Application Administrator or Cloud Application Administrator in Entra ID. See Identity configuration for setup steps.