LAA Overview for IT Departments
This document provides IT departments with a concise overview of the Linaro Automation Appliance (LAA), covering network requirements, physical setup, and security considerations.
What is the LAA?
The Linaro Automation Appliance (LAA) is an embedded device testing appliance that enables automated testing of hardware and firmware on target devices (called Devices Under Test, or DUTs). The LAA is cloud-managed via LMS (LAVA Managed Service) and requires minimal on-site configuration.
PSA Certified
The LAA has been certified to PSA Level 1. Certification evidence is available at PSA Certified Products.
Key LAA Features
Pre-registered at factory - Ships ready to connect with no local software installation or configuration required
Network isolation - Private network between LAA and DUT keeps test devices isolated from your lab network
Automatic OTA updates - Software updates to the Yocto-based Linux OS are managed and deployed by Linaro with no IT intervention required
Loaner-based model - Provided via subscription; Linaro handles hardware lifecycle management
Network Requirements
The LAA requires only outbound HTTPS connectivity. No inbound firewall rules are needed.
| Requirement | Details |
|---|---|
| Protocol | HTTPS (port 443) outbound only |
| IP Assignment | DHCP preferred; static IP supported |
| Required Destinations | |
| Inbound Ports | None - LAA initiates all connections |
| Proxy Support | Standard HTTPS proxy compatible |
Firewall Configuration
The LAA initiates all connections outbound over HTTPS. No ports need to be opened for inbound traffic on your firewall. There is no access from the public internet to the LAA.
The LAA polls Linaro servers approximately every 20 seconds to check for tasks and updates.
Additional external connections may be required depending on test job requirements:
Debian APT repositories (when tests require additional packages)
Docker Hub (when tests use container images)
External repositories as specified in individual test job definitions
Note: These connections are test-dependent and not required for basic LAA operation.
Wstunnel (Optional DUT Internet Access)
By default, DUTs connected to the LAA are isolated on a private network with no internet access. For test scenarios that require cloud service access, the LAA supports wstunnel - a WebSocket-based tunnel that provides controlled internet access for the DUT. When wstunnel is enabled, DUT traffic does not access the local network where the LAA is connected; instead, all traffic is tunneled to a cloud-based server.
| Aspect | Details |
|---|---|
| Protocol | WebSocket over HTTPS (port 443) |
| Destination | |
| Direction | Outbound only - no additional firewall rules required |
| Activation | Optional; configuration depends on project requirements |
Security Note
Wstunnel access is optional and may be enabled or disabled depending on project requirements. When enabled, DUT traffic is proxied through the LAA to Linaro's managed wstunnel server using an authenticated, encrypted connection.
Physical Setup
The LAA requires minimal physical infrastructure:
| Component | Requirement |
|---|---|
| Network | Single Ethernet cable to lab network (public port) |
| Power | DC power supply (2.1x5.5mm barrel connector); PSU included |
| Space | Compact form factor (approx. 21 x 21 x 6 cm) |
Ethernet ports:
Public port - Connects to your lab network for cloud communication
Private port - Dedicated LAA-to-DUT connection; isolated from lab network
Private Network
The LAA creates an isolated private network (198.18.0.0/24) between itself and
the DUT. This network is completely separate from your lab network.
| Component | IP Address |
|---|---|
| LAA (gateway) | |
| DUT | |
The LAA provides the following services to the DUT on this private network:
DHCP - Assigns a single IP (198.18.0.2) to the DUT
DNS - Local DNS server for name resolution
NTP - Time synchronization
TFTP/NFS - For PXE boot and network filesystem access during testing
Complete Isolation
The DUT has no direct access to your lab network or the internet. All DUT network traffic stays within the private network unless wstunnel is enabled.
Automatic Registration
On first boot, the LAA automatically registers with the Linaro cloud infrastructure. No manual registration or configuration is required if DHCP is available.
Security Highlights
The LAA is designed with enterprise security requirements in mind:
Outbound-only connections - All communication uses HTTPS (port 443) initiated by the LAA; no inbound connections required
Network isolation - DUTs are connected via a private network and cannot access your lab network or the internet directly
Role-based access control - Access to test results and device management is restricted to authenticated users with appropriate permissions
No local data storage - Test results are stored in the cloud infrastructure, not on the LAA itself
Detailed Security Information
For comprehensive security documentation including network topology diagrams and LMS system architecture, see LAA & Security.
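The network claims above (outbound HTTPS only, no inbound connections, 198.18.0.0/24 never visible on the lab network) can be checked against lab-side flow records. The following Python script is an added example, not part of Linaro's documentation; the flow-record layout, the lab subnet 192.0.2.0/24, the LAA's lab address and the DHCP/DNS allowance are assumptions chosen for illustration.

```python
import ipaddress
from collections import namedtuple

# From the page: private LAA-to-DUT range; the LAA only initiates HTTPS (443).
DUT_PRIVATE_NET = ipaddress.ip_network("198.18.0.0/24")
# Assumptions for this example (documentation address ranges, not real ones):
LAB_NET = ipaddress.ip_network("192.0.2.0/24")     # hypothetical lab subnet
LAA_LAB_IP = ipaddress.ip_address("192.0.2.10")    # hypothetical LAA lab address
# Assumed local infrastructure the LAA may use inside the lab: DHCP and DNS.
LOCAL_INFRA = {("udp", 67), ("udp", 53), ("tcp", 53)}

# One record per connection, as seen on the lab side of the LAA's public port.
Flow = namedtuple("Flow", "initiator responder proto dport")

def audit(flows):
    """Return (finding, flow) pairs for flows that contradict the documented policy."""
    findings = []
    for f in flows:
        src = ipaddress.ip_address(f.initiator)
        dst = ipaddress.ip_address(f.responder)
        if src in DUT_PRIVATE_NET or dst in DUT_PRIVATE_NET:
            # 198.18.0.0/24 should never be visible on the lab network.
            findings.append(("private-net-leak", f))
        elif dst == LAA_LAB_IP:
            # The LAA initiates all connections; nothing should connect to it.
            findings.append(("inbound-to-laa", f))
        elif src == LAA_LAB_IP:
            https = (f.proto, f.dport) == ("tcp", 443)
            infra = (f.proto, f.dport) in LOCAL_INFRA and dst in LAB_NET
            if not (https or infra):
                # May be a test job's own dependency; check the job definition.
                findings.append(("non-https-egress", f))
    return findings

# Constructed sample records (not captured from a real LAA).
SAMPLE = [
    Flow("192.0.2.10", "203.0.113.5", "tcp", 443),   # poll to cloud: expected
    Flow("192.0.2.10", "192.0.2.1", "udp", 53),      # local DNS: expected
    Flow("192.0.2.77", "192.0.2.10", "tcp", 22),     # lab host connecting to the LAA
    Flow("198.18.0.2", "192.0.2.50", "tcp", 80),     # DUT address on lab network
    Flow("192.0.2.10", "203.0.113.9", "tcp", 80),    # plain HTTP egress
    Flow("192.0.2.20", "203.0.113.1", "tcp", 443),   # unrelated host: ignored
]

if __name__ == "__main__":
    for kind, flow in audit(SAMPLE):
        print(kind, flow)
```

A `non-https-egress` finding is a prompt for review rather than a violation, since test jobs may pull from APT repositories or other sources named in their definitions.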
Quick Reference
| Topic | Details |
|---|---|
| Network | Outbound HTTPS (443) only; DHCP or static IP |
| Physical | 1x Ethernet, DC power supply, compact form factor |
| Updates | Automatic OTA via Linaro |
| Support | Via Linaro subscription |
| Certification | PSA Level 1 |