
Introduction:
For years, DevOps teams have been locked into a duopoly: Sonatype Nexus with its EULA-enforced quotas and JFrog Artifactory with its proprietary, feature-restricted free tier. But what if you could host RPMs, Python packages, container images, Ansible collections, and more without accepting a single commercial license or hitting an artificial limit? Pulp is a GPL-2.0 licensed artifact manager that does not just compete; it offers a fundamentally different model: immutable versioning, a plugin-based architecture, and complete software freedom. This article breaks down how to deploy Pulp in production-ready scenarios, from air-gapped environments to Kubernetes clusters, and how to build a DevSecOps-grade artifact pipeline with Trivy scanning, Cosign signing, and full backup/restore capabilities.
Learning Objectives:
- Objective 1: Deploy Pulp using Podman, Kubernetes Operator, and air-gapped configurations with internal TLS certificates.
- Objective 2: Configure OCI registry functionality, integrate Trivy vulnerability scanning, and implement Cosign/GPG signing for artifact integrity.
- Objective 3: Master Pulp’s RBAC model, content-guards, and end-to-end backup/restore procedures for disaster recovery.
You Should Know:
1. What Is Pulp and Why It Matters
Pulp is a platform for managing repositories of software packages and making them available to a large number of consumers. Unlike Nexus (a Community Edition under EULA with quotas) and Artifactory (proprietary, with a feature-restricted free version), Pulp is published under GPL-2.0 for its core and plugins and Apache-2.0 for its web interface. No EULA, no component limits, no request quotas: it is free software in the strictest sense, governed by an open community.
Pulp’s architecture revolves around a core, pulpcore, and specialized plugins for each format. You don’t install a monolithic repository—you activate the plugins you need: pulp_rpm, pulp_deb, pulp_python, pulp_container, pulp_ansible, pulp_npm, pulp_maven, and more. This multi-format coverage in a single tool positions Pulp as a serious competitor to Nexus and Artifactory, without their licensing constraints.
Pulp’s content model uses four distinct objects, Remote, Repository, Publication, and Distribution, which together provide immutable versioning and instant rollbacks. A Remote describes a source to synchronize from (URL, filters, download policy). A Repository holds content; every change creates a new, immutable repository version rather than modifying the previous one. A Publication freezes a repository version into the metadata format a client expects (yum metadata, a PyPI simple index, and so on). A Distribution exposes a publication or repository version at a stable URL. Because versions are immutable, a rollback is a metadata change only: re-point the distribution at the previous publication and clients see the old content at the same URL, with no files copied. The same separation lets you publish several views of one repository without duplicating the underlying artifacts.
2. Deploying Pulp: From Podman to Kubernetes
The recommended method for a quick start is the all-in-one `pulp/pulp` container with Podman:
podman run --detach --publish 8080:80 --name pulp \
    --volume "$(pwd)/settings":/etc/pulp \
    --device /dev/fuse \
    docker.io/pulp/pulp:3.114
This single container embeds the API, workers, PostgreSQL, Redis, and nginx. Set the admin password:
podman exec pulp pulpcore-manager reset-admin-password --password "YourStrongPassword"
Then interact with Pulp using the CLI:
pulp admin user list
For Kubernetes deployments, the Pulp Operator is the recommended approach. The Operator is in beta and under active development, with the goal of providing a scalable and robust cluster for Pulp 3. To deploy:
kubectl create ns pulp-deployment
kubectl config set-context --current --namespace pulp-deployment
git clone https://github.com/pulp/pulp-operator.git
cd pulp-operator
The Operator manages Deployments for pulp-api, pulp-content, pulp-worker, and optionally `pulp-web` and pulp-redis. The `minimal.yaml` sample deploys a single replica of pulpcore pods with a random password for the admin user.
For air-gapped environments, Pulp supports offline installation with internally issued TLS certificates. The Pulp installer can configure TLS with a user-provided certificate and key, serving HTTPS on port 443. If none are provided, TLS is enabled with self-signed certificates and HTTP is redirected to HTTPS. In either case, distribute the internal CA certificate to the consumers (pip, dnf, podman, pulp-cli) so that they verify the server instead of disabling TLS verification; an artifact mirror that clients fetch from without verification is an easy place to substitute packages.
3. OCI Registry, Trivy Scanning, and Cosign Signing
The `pulp_container` plugin transforms Pulp into an OCI-compliant container registry. It supports OCI artifacts beyond images, including Helm charts, Flatpak images, and Cosign signatures. Pulp can act as a pull-through cache for Docker Hub, reducing external dependencies and speeding up builds.
Vulnerability scanning is not built into Pulp natively. Instead, you integrate an external scanner like Trivy into your CI pipeline:
trivy image --exit-code 1 --severity CRITICAL \
    localhost:8080/dockerhub/library/alpine:3.14
Pulp stores and distributes; Trivy decides what gets promoted. The scan job exits non-zero on a CRITICAL finding, so the pipeline never copies that image from the pull-through cache into the curated repository. Note that `--severity CRITICAL` alone lets HIGH findings through; `--severity HIGH,CRITICAL --ignore-unfixed` is the more common gate, blocking on anything a rebuild could fix. These two free components replace a paid curation function.
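As an added example (not from the original article, nor from the Pulp or Trivy projects), the gate below turns that decision into code: it reads Trivy's `--format json` output, applies a policy stricter than `--severity CRITICAL` alone (CRITICAL always blocks, HIGH blocks when a fix exists), and promotes only by digest, never by tag. The repository names `localhost:8080/dockerhub/library/alpine` and `localhost:8080/curated/alpine`, the `skopeo copy` step, and the sample report with placeholder CVE IDs are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Promotion gate: Pulp stores, Trivy decides (added example, not project code).

Usage:
    trivy image --format json -o report.json localhost:8080/dockerhub/library/alpine:3.14
    python3 gate.py report.json localhost:8080/dockerhub/library/alpine \
        localhost:8080/curated/alpine 3.14
Exits 1 when the policy blocks; otherwise copies the scanned digest into the
curated repository with skopeo (assumed tooling; the destination repository
name is an assumption as well).
"""
import json
import subprocess
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of a Trivy JSON report. The CVE IDs and
# package names are placeholders, not real advisories.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "localhost:8080/dockerhub/library/alpine:3.14",
    "Metadata": {"RepoDigests": [
        "localhost:8080/dockerhub/library/alpine@sha256:" + "ab" * 32]},
    "Results": [{
        "Target": "alpine:3.14 (alpine 3.14.0)", "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "Severity": "HIGH", "FixedVersion": "1.2.3-r1"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "Severity": "HIGH"},                       # no fix available yet
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libthird",
             "Severity": "MEDIUM", "FixedVersion": "2.0"},
        ],
    }],
}


def evaluate(report, block_at="CRITICAL", block_fixable_at="HIGH"):
    """Return (passed, blocking_findings) for a parsed Trivy report.

    Anything at or above `block_at` blocks unconditionally. Anything at or
    above `block_fixable_at` blocks only when Trivy reports a FixedVersion,
    i.e. a rebuild would remove it (the same idea as --ignore-unfixed).
    Unfixed HIGH findings are surfaced but do not stop promotion.
    """
    blocking = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:   # key absent when clean
            rank = SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0)
            fixable = bool(vuln.get("FixedVersion"))
            if rank >= SEVERITY_RANK[block_at] or (
                    fixable and rank >= SEVERITY_RANK[block_fixable_at]):
                blocking.append((vuln["VulnerabilityID"], vuln.get("PkgName"),
                                 vuln.get("Severity"), fixable))
    return (not blocking, blocking)


def image_digest(report):
    """Digest Trivy actually scanned, taken from Metadata.RepoDigests.

    Promote by digest, never by tag: a tag can be re-pointed between the scan
    and the copy, so a tag-based copy may ship an image that was never scanned.
    """
    for ref in report.get("Metadata", {}).get("RepoDigests", []):
        if "@sha256:" in ref:
            return ref.split("@", 1)[1]
    return None


def promote_command(report, src_repo, dst_repo, tag):
    """Build the digest-pinned copy into the curated repository."""
    digest = image_digest(report)
    if digest is None:
        raise ValueError("report has no RepoDigest; refusing to promote by tag")
    # --*-tls-verify=false only because the quick-start instance is plain HTTP
    return ["skopeo", "copy", "--src-tls-verify=false", "--dest-tls-verify=false",
            f"docker://{src_repo}@{digest}", f"docker://{dst_repo}:{tag}"]


def main(argv):
    if len(argv) != 4:
        print(__doc__, file=sys.stderr)
        return 2
    with open(argv[0], encoding="utf-8") as fh:
        report = json.load(fh)
    passed, blocking = evaluate(report)
    for vid, pkg, sev, fixable in blocking:
        print(f"BLOCK {vid} {pkg} {sev} fix_available={fixable}", file=sys.stderr)
    if not passed:
        return 1
    cmd = promote_command(report, argv[1], argv[2], argv[3])
    print("PROMOTE:", " ".join(cmd))
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Against the constructed report, the default policy blocks on the fixable HIGH finding while the unfixed HIGH is only reported; relaxing `block_fixable_at` to CRITICAL reproduces the behaviour of the `--severity CRITICAL` command above and lets the image through. The destination is a separate Pulp container repository so that consumers pull only from what passed the gate, not from the pull-through cache.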
For artifact signing, Pulp natively hosts Cosign signatures, which are stored as OCI artifacts next to the image they sign; you can push them with the Cosign or Podman clients. GPG signing is also supported for RPM packages and Ansible collections. This allows a full software supply chain security model: sign images at build time (Cosign), verify signatures at admission (Sigstore policy controllers), track what is in each image with SBOMs (CycloneDX, SPDX), and scan the registry continuously. Keep in mind that a signature proves who published an artifact, not that it is free of vulnerabilities; the scan and the signature are separate controls and both belong in the pipeline.
4. RBAC, Content-Guards, and Security Hardening
Pulp provides fine-grained Role-Based Access Control (RBAC) with over 160 roles, and content-guards for protecting content. A content-guard is an object attached to a distribution that restricts who may download from it. Pulp supports several types:
- RBAC content-guard: uses RBAC to protect content, with add and remove actions for granting and revoking the download permission for users and groups.
- Composite content-guard: queries a list of content-guards and grants access only when they agree.
- Header and x509 guards: authentication via a request header or mutual TLS (client certificates).
To associate a content-guard with a distribution, set the distribution’s `content_guard` field to the guard’s href through the Pulp API or CLI. Because the guard hangs off the distribution rather than the repository, the same repository can be exposed publicly through one distribution and restricted through another; only authenticated and authorized users can reach the guarded one.
For synchronization security, Pulp remotes support `--includes` and `--excludes` filters (for example on pulp_python remotes) to create allowlists and blocklists of packages to sync. This keeps unwanted packages from ever entering your repository, but it is a name filter, not a vulnerability check: an allowlisted package with a known CVE still syncs, which is why the scanner above stays in the pipeline.
5. Backup and Restore: The Real Disaster Recovery Test
The most important test is not whether Pulp starts, but whether it can recover from a complete failure. A Pulp backup has three parts: the PostgreSQL database (repositories, versions, users, permissions), the artifact storage (the files themselves, which the database references by checksum), and the configuration and keys that make the two usable together.
For container-based deployments, backup involves:
1. Dumping the PostgreSQL database; with the all-in-one container the server lives inside it, so run the dump through the container: `podman exec pulp pg_dump -U pulp pulp > pulp_db.sql`
2. Backing up the artifact storage directory (typically a mounted volume)
3. Backing up configuration files and encryption keys: `/etc/pulp/settings.py` and the database field encryption key (`DB_ENCRYPTION_KEY`, by default `/etc/pulp/certs/database_fields.symmetric.key`). Without that key, encrypted fields such as remote credentials cannot be decrypted after a restore even though the dump itself loads cleanly.
For Kubernetes deployments, the Pulp Operator provides a `PulpBackup` custom resource that automates the backup of the database, artifacts, and keys, and a `PulpRestore` resource that replays one into a new instance. Done by hand, a restore is:
1. Deploy a new Pulp instance
2. Restore the PostgreSQL database from the backup
3. Restore the artifact storage
4. Restart the Pulp services
This end-to-end scenario, deleting the whole instance and rebuilding it from backup, is the test that counts: it proves that the database, the artifact tree, and the keys were all captured and that clients can pull the same content at the same URLs afterwards. Run it on a schedule, not once, and Pulp can be a reliable component in a serious DevSecOps chain.
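Added example (not Pulp’s own tooling, and not from the original article) covering the three backup pieces listed above and the restore check this section calls for. It relies on pulpcore’s default filesystem storage layout, where every artifact is stored at `artifact/<first 2 hex chars>/<remaining 62 hex chars>` of its SHA-256 under MEDIA_ROOT, so a restored tree carries its own expected digests and can be verified without the database. The database host and user, the output layout, and the sample storage tree are assumptions.

```python
#!/usr/bin/env python3
"""Pulp backup and post-restore integrity check (added example, not Pulp code).

backup() takes the three pieces listed above: PostgreSQL dump, artifact tree,
settings and keys. verify_artifacts() relies on pulpcore's default filesystem
layout, where every artifact lives at
    <MEDIA_ROOT>/artifact/<first 2 hex of sha256>/<remaining 62 hex>
so the path is the expected digest: re-hash each restored file and compare.
"""
import hashlib
import subprocess
import sys
import tarfile
import tempfile
from pathlib import Path

CHUNK = 1 << 20


def sha256_file(path):
    """Streamed SHA-256 so multi-GB artifacts are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup(media_root, settings_dir, out_dir, db="pulp", db_user="pulp", db_host="localhost"):
    """Write pulp_db.sql, artifacts.tar and settings.tar into out_dir.

    db, db_user and db_host are assumptions; inside the all-in-one container
    run pg_dump through `podman exec pulp ...` instead. settings_dir must
    include the DB_ENCRYPTION_KEY file (default
    /etc/pulp/certs/database_fields.symmetric.key); without it, encrypted
    fields such as remote credentials are unreadable after a restore.
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    with open(out / "pulp_db.sql", "w", encoding="utf-8") as fh:
        subprocess.run(["pg_dump", "-h", db_host, "-U", db_user, db], stdout=fh, check=True)
    with tarfile.open(out / "artifacts.tar", "w") as tar:
        tar.add(Path(media_root) / "artifact", arcname="artifact")
    with tarfile.open(out / "settings.tar", "w") as tar:
        tar.add(settings_dir, arcname="settings")
    return out


def verify_artifacts(media_root):
    """Return (checked, mismatches); each mismatch is (path, expected, actual).

    Raises FileNotFoundError when artifact/ is absent, which after a restore
    means the storage volume was not restored at all.
    """
    art = Path(media_root) / "artifact"
    if not art.is_dir():
        raise FileNotFoundError(f"{art} missing: artifact volume not restored")
    checked, mismatches = 0, []
    for path in art.rglob("*"):
        if not path.is_file():
            continue
        expected = path.parent.name + path.name   # <2 hex dir> + <62 hex file>
        actual = sha256_file(path)
        checked += 1
        if actual != expected:
            mismatches.append((str(path), expected, actual))
    return checked, mismatches


def build_sample_storage():
    """Constructed MEDIA_ROOT: one intact artifact and one whose bytes changed."""
    root = Path(tempfile.mkdtemp(prefix="pulp-restore-"))

    def place(content, corrupt=False):
        digest = hashlib.sha256(content).hexdigest()
        d = root / "artifact" / digest[:2]
        d.mkdir(parents=True, exist_ok=True)
        (d / digest[2:]).write_bytes(b"tampered" if corrupt else content)

    place(b"intact package bytes\n")
    place(b"package whose bytes changed in the backup\n", corrupt=True)
    return str(root)


if __name__ == "__main__":
    # python3 restore_check.py /var/lib/pulp   (no argument: run on the sample)
    media = sys.argv[1] if len(sys.argv) > 1 else build_sample_storage()
    count, bad = verify_artifacts(media)
    for p, exp, act in bad:
        print(f"MISMATCH {p}\n  expected {exp}\n  actual   {act}")
    print(f"checked={count} corrupted={len(bad)}")
    sys.exit(1 if bad or count == 0 else 0)
```

Run the check against the restored MEDIA_ROOT before re-enabling the distributions: a non-zero exit, or a count of zero on an instance that previously held content, means the restore is incomplete and the dumped database is pointing at files that are not there. The database dump has no equivalent self-check, so the second half of the drill is a client-side pull (the `pip install` from section 6) against the restored instance.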
6. Linux and Windows Commands for Pulp Management
Linux (Podman/CLI):
# Start Pulp container
podman run --detach --publish 8080:80 --name pulp \
    --volume "$(pwd)/settings":/etc/pulp \
    --device /dev/fuse \
    docker.io/pulp/pulp:3.114

# Reset admin password
podman exec pulp pulpcore-manager reset-admin-password --password "NewPass"

# Create a Python repository (assumes a remote named pypi was created first)
pulp python repository create --name my-pypi --remote pypi

# Synchronize a remote
pulp python repository sync --name my-pypi

# Create a publication (the command prints the publication href used below)
pulp python publication create --repository my-pypi

# Create a distribution
pulp python distribution create --name my-pypi-dist --publication <publication-href>

# Install a package from your Pulp instance
pip install --index-url http://localhost:8080/pypi/my-pypi-dist/simple/ requests
Windows (PowerShell with Podman Desktop or WSL2):
# Using Podman on Windows (requires WSL2)
podman run --detach --publish 8080:80 --name pulp `
    --volume "$pwd/settings":/etc/pulp `
    --device /dev/fuse `
    docker.io/pulp/pulp:3.114

# Access the Pulp API (curl.exe, not the PowerShell curl alias for Invoke-WebRequest;
# the API root is /pulp/api/v3/)
curl.exe -u admin:password http://localhost:8080/pulp/api/v3/status/

# Install pulp-cli via pip
pip install pulp-cli

# Configure pulp-cli
pulp config create --base-url http://localhost:8080 --username admin --password password
Kubernetes (kubectl):
# Deploy Pulp Operator
kubectl apply -f https://raw.githubusercontent.com/pulp/pulp-operator/main/deploy/operator.yaml

# Create a Pulp custom resource
kubectl apply -f - <<EOF
apiVersion: repo-manager.pulpproject.org/v1beta2
kind: Pulp
metadata:
  name: pulp
spec:
  api:
    replicas: 1
  content:
    replicas: 1
  worker:
    replicas: 1
  database:
    postgres:
      storage_class: standard
      storage_size: 10Gi
  file_storage:
    storage_class: standard
    storage_size: 50Gi
EOF

# Check status
kubectl get pulp pulp -o yaml
7. What Undercode Says:
- Key Takeaway 1: Pulp is the only truly free and open-source artifact manager that can replace both Nexus and Artifactory without commercial licensing or artificial quotas. Its GPL-2.0 license ensures complete software freedom.
- Key Takeaway 2: Pulp’s immutable versioning model, Remote → Repository → Publication → Distribution, provides instant rollbacks and multi-view publishing without duplicating files, a feature that commercial alternatives often charge premium prices for.
Analysis:
The artifact manager landscape has been dominated by two commercial players for over a decade. Sonatype Nexus offers a Community Edition, but with EULA-enforced quotas that limit components and requests. JFrog Artifactory provides a free tier, but it is feature-restricted and proprietary. Pulp breaks this duopoly by offering a GPL-2.0 licensed alternative that does not compromise on features. It supports RPM, DEB, Python, npm, Ansible collections, OCI images, Maven, gems, and more, all in a single instance.
The trade-offs are clear: Pulp’s UI is younger, its content model requires adaptation, and it doesn’t have native CVE quarantine like Nexus Firewall or Artifactory Xray. However, these “missing” features can be built with other open-source tools—Trivy for scanning, Cosign for signing, and RBAC for access control. This composable approach aligns perfectly with the DevSecOps philosophy of using best-of-breed tools rather than being locked into a single vendor’s ecosystem.
The real test, as Stephane Robert demonstrated, is not whether Pulp can start—it’s whether it can survive a full disaster recovery scenario. Deleting an entire instance and restoring it from backup validates that Pulp is ready for production. For teams that value software freedom, sovereignty, and budget control, Pulp is not just an alternative—it’s the future.
Prediction:
- +1 Pulp will see significant adoption in public sector and sovereign cloud initiatives over the next 18–24 months, driven by its GPL-2.0 license and absence of commercial vendor lock-in.
- +1 The Pulp Operator will reach general availability (GA) status by late 2026, making Kubernetes deployments the primary consumption model for enterprise users.
- -1 Pulp’s UI will remain a friction point for teams accustomed to Nexus or Artifactory’s mature interfaces, potentially slowing adoption in non-DevOps-centric organizations.
- +1 The integration of Trivy, Cosign, and Sigstore into Pulp workflows will create a fully open-source software supply chain security stack that rivals commercial offerings.
- -1 Without native CVE quarantine or a built-in policy engine, Pulp will require additional CI/CD pipeline engineering, which may deter teams with limited security automation resources.
Reported By: Stephanerobert1 Artefacts – Hackers Feeds


