Air-Gap Deployment (Coming Soon)
Air-gap tarball deployment is planned for a future release. Currently, self-managed deployment uses Docker Compose on your own infrastructure. See the Architecture Overview for setup instructions.
This guide covers installing Control Zero Self-Managed in an air-gapped environment with no outbound internet connectivity.
Prerequisites
Before you begin, verify the target host meets these requirements:
| Requirement | Minimum |
|---|---|
| Docker | 24.0 or later |
| Docker Compose | 2.20 or later |
| Disk space | 10 GB available |
| RAM | 4 GB available |
| CPU | 2 cores |
| Operating system | Linux (x86_64 or arm64) |
| License key | Provided by your Control Zero account team |
The host does not need outbound internet access. All dependencies are bundled in the installation package.
Package Contents
The Control Zero Self-Managed package is a compressed tarball containing:
- Pre-built container images for all services (loaded via `docker load`)
- Docker Compose configuration files
- Installation script (`install.sh`)
- Preflight and postflight check scripts
- Default configuration templates
- This documentation (offline copy)
Installation Steps
1. Transfer the package
Copy the tarball to your air-gapped host using your approved transfer mechanism (USB, secure file transfer, or internal artifact repository).
```bash
# Example: copy via scp from a bastion host
scp controlzero-enterprise-<version>.tar.gz user@target-host:/opt/controlzero/
```
2. Extract the package
```bash
cd /opt/controlzero
tar xzf controlzero-enterprise-<version>.tar.gz
cd controlzero-enterprise-<version>
```
3. Run preflight checks
The preflight script verifies that Docker, disk space, memory, and CPU meet requirements before installation begins.
```bash
./scripts/preflight.sh
```
Review the output. All checks must pass before proceeding. See Preflight and Postflight Checks for details on each check.
4. Install with your license key
```bash
./install.sh --license-key <YOUR_LICENSE_KEY>
```
The installer will:
- Load container images into the local Docker daemon
- Validate the license key (offline validation, no network call)
- Generate service configuration from templates
- Start all services via Docker Compose
- Run postflight checks automatically
5. Verify the installation
After installation completes, run postflight checks manually to confirm all services are healthy:
```bash
./scripts/postflight.sh
```
Expected output for a healthy installation:
```text
[pass] Gateway service is running
[pass] Policy engine is responding
[pass] Audit log database is accepting writes
[pass] Dashboard is accessible on configured port
[pass] License is valid (expires: YYYY-MM-DD)
[pass] All health endpoints returning 200
```
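As an added example (not the bundled `scripts/preflight.sh`), the following POSIX shell script checks a host against the Prerequisites table above, the same requirements step 3 verifies. The thresholds are the page's minimums; the probing commands (`docker version`, `docker compose version --short`, `df`, `/proc/meminfo`, `nproc`, `uname -m`) are standard Docker and Linux tooling, and the `--live` flag and default path are this example's own conventions.

```shell
# Added example, not the bundled scripts/preflight.sh: checks a host against the
# Prerequisites table on this page using standard Linux and Docker CLI commands.
MIN_DOCKER=24.0; MIN_COMPOSE=2.20; MIN_CPUS=2
MIN_DISK_KB=$((10 * 1024 * 1024))   # 10 GB
MIN_MEM_KB=$((4 * 1024 * 1024))     # 4 GB

# version_ge A B: true when major.minor of A >= major.minor of B.
# Accepts "24.0.7", "v2.20.3" or a bare major such as "25".
version_ge() {
  a=${1#v}; b=${2#v}
  a_maj=${a%%.*}; a_min=${a#*.}; a_min=${a_min%%.*}; [ "$a" = "$a_maj" ] && a_min=0
  b_maj=${b%%.*}; b_min=${b#*.}; b_min=${b_min%%.*}; [ "$b" = "$b_maj" ] && b_min=0
  [ "$a_maj" -gt "$b_maj" ] || { [ "$a_maj" -eq "$b_maj" ] && [ "$a_min" -ge "$b_min" ]; }
}

# arch_supported ARCH: the page lists x86_64 and arm64 (uname -m reports aarch64).
arch_supported() { case "$1" in x86_64|aarch64|arm64) return 0 ;; *) return 1 ;; esac; }

# check DESC CMD...: report in the [pass]/[fail] style of the postflight output
# and count failures so evaluate can refuse to continue.
check() {
  desc=$1; shift
  if "$@"; then echo "[pass] $desc"; else echo "[fail] $desc"; FAILURES=$((FAILURES + 1)); fi
}

# evaluate DOCKER_VER COMPOSE_VER DISK_KB MEM_KB CPUS ARCH: pure check over values
# collected beforehand, so it can be exercised on a host without Docker installed.
evaluate() {
  FAILURES=0
  check "Docker $1 >= $MIN_DOCKER"          version_ge "$1" "$MIN_DOCKER"
  check "Docker Compose $2 >= $MIN_COMPOSE" version_ge "$2" "$MIN_COMPOSE"
  check "Disk $(($3 / 1024)) MB >= 10 GB"   [ "$3" -ge "$MIN_DISK_KB" ]
  check "RAM $(($4 / 1024)) MB >= 4 GB"     [ "$4" -ge "$MIN_MEM_KB" ]
  check "CPUs $5 >= $MIN_CPUS"              [ "$5" -ge "$MIN_CPUS" ]
  check "Architecture $6 supported"         arch_supported "$6"
  [ "$FAILURES" -eq 0 ]
}

# Live run (example convention): sh preflight-example.sh --live /opt/controlzero
if [ "${1:-}" = "--live" ]; then
  evaluate "$(docker version --format '{{.Server.Version}}' 2>/dev/null || echo 0)" \
           "$(docker compose version --short 2>/dev/null || echo 0)" \
           "$(df -Pk "${2:-/opt/controlzero}" 2>/dev/null | awk 'NR==2 {print $4}' || echo 0)" \
           "$(awk '/MemAvailable/ {print $2}' /proc/meminfo 2>/dev/null || echo 0)" \
           "$(nproc 2>/dev/null || echo 0)" "$(uname -m)"
fi
```

A non-zero exit from `evaluate` is the signal to stop before `install.sh`, mirroring the rule that all preflight checks must pass.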
Network Configuration
No outbound internet required
All services communicate over the internal Docker network. No service makes outbound internet requests. DNS resolution is not required beyond the local host.
Internal ports
| Service | Default Port | Purpose |
|---|---|---|
| Dashboard | 443 | Web UI (HTTPS) |
| Gateway | 8443 | LLM proxy endpoint |
| API | 8080 | Management API |
| Audit DB | 9000 | Audit Database (internal only) |
Ports are configurable in the Docker Compose configuration file before or after installation.
Firewall rules
Only inbound traffic to the Dashboard and Gateway ports is required from your internal network. All inter-service communication stays on the Docker bridge network.
Certificate Setup
Using your organization's CA certificate
If your environment routes traffic through an SSL-inspecting proxy or requires trusted certificates from a custom CA:
- Place your CA certificate in PEM format at `config/certs/ca.pem`
- Update `config/gateway.yml` to reference the certificate:

  ```yaml
  tls:
    ca_cert: /etc/controlzero/certs/ca.pem
  ```

- Restart the gateway service:

  ```bash
  docker compose restart gateway
  ```
Generating a self-signed certificate
For environments without an existing CA, the installer can generate a self-signed certificate:
```bash
./install.sh --license-key <KEY> --generate-cert
```
This is suitable for testing. For production, use certificates issued by your organization's CA.
Post-Installation
- Configure policies in the dashboard at `https://<host>:443`
- Point your LLM clients at the gateway endpoint: `https://<host>:8443`
- Review Logging for log file locations and debug options
- Review Security Hardening for production readiness recommendations