Install Veirox Connect on an airgapped host
Target: Customer hosts that have no outbound access to the
Veirox backend during binary download but do need a one-time
connection at enrollment time. If your network has zero outbound at
any time, the reverse-tunnel architecture of Veirox Connect is
incompatible — use the MCP-server connector model instead.
The airgap installer pulls everything from a local tar.gz bundle you
ship to the customer ahead of time. The only network call made by
install-offline.sh is the final veirox-connector enroll --token ...
which hits /api/connectors/enroll on the Veirox backend.
Build the bundle (on a release host)
# Requires a cosign keypair at $HOME/.veirox/cosign.key make agent-offline-bundle # → agent/dist/bin/veirox-connector-0.2.0-x86_64.tar.gz
The Makefile target:
- Runs
make agent-manifestto regeneratemanifest.sha256. - Runs
make cosign-sign-manifestto write
manifest.sha256.sigsigned with$COSIGN_KEY. - Packages
veirox-connector,veirox-connector.service,
manifest.sha256,manifest.sha256.sig, and
install-offline.shinto a single tar.gz.
The resulting tar.gz is ~5 MB for -minimal builds and is
self-verifying.
Ship to the customer
Any out-of-band channel: encrypted USB, signed S3 URL, etc. The tar
contents are all verified against a pinned cosign key baked into
install-offline.sh — tampering during transit is caught at install
time.
Install (on the airgapped host)
# assume the bundle arrived at /tmp/veirox-connector-0.2.0-x86_64.tar.gz
sudo env \
VEIROX_BACKEND_URL=https://veirox.customer.com \
VEIROX_ENROLLMENT_TOKEN=veirox_enr_REPLACE_ME \
bash <(tar -xzOf /tmp/veirox-connector-0.2.0-x86_64.tar.gz \
veirox-connector-0.2.0-x86_64/install-offline.sh) \
/tmp/veirox-connector-0.2.0-x86_64.tar.gz
Or unpack first:
tar -xzf /tmp/veirox-connector-0.2.0-x86_64.tar.gz -C /tmp/ sudo env \ VEIROX_BACKEND_URL=https://veirox.customer.com \ VEIROX_ENROLLMENT_TOKEN=veirox_enr_REPLACE_ME \ /tmp/veirox-connector-0.2.0-x86_64/install-offline.sh \ /tmp/veirox-connector-0.2.0-x86_64
What the installer does
- Verifies
manifest.sha256.sigagainst the pinned cosign public
key usingcosign verify-blob(oropenssl dgst -verifyas a
fallback for hosts without cosign). - Verifies
veirox-connectorandveirox-connector.serviceagainst
the digests inmanifest.sha256. - Creates the
veirox-connectorsystem user. - Installs the binary + unit + drop-in with the backend URL.
- Runs
veirox-connector enroll --token ...— the ONLY network call. - Enables and starts the service.
Corporate TLS proxy
sudo env \ VEIROX_BACKEND_URL=https://veirox.customer.com \ VEIROX_ENROLLMENT_TOKEN=veirox_enr_xxx \ VEIROX_CONNECTOR_EXTRA_CA_BUNDLE=/etc/ssl/corp-ca.pem \ /tmp/veirox-connector-0.2.0-x86_64/install-offline.sh \ /tmp/veirox-connector-0.2.0-x86_64
The installer propagates VEIROX_CONNECTOR_EXTRA_CA_BUNDLE into the
systemd unit drop-in so the agent picks it up on every restart.
Verify
Run the verification checklist.
Upgrade
Build a new bundle on the release host, ship it, re-run
install-offline.sh. The existing cert triple is preserved; only
the binary and unit are replaced.
Uninstall
Same as the systemd guide:
sudo systemctl disable --now veirox-connector sudo rm -f /etc/systemd/system/veirox-connector.service sudo rm -rf /etc/systemd/system/veirox-connector.service.d sudo rm -rf /etc/veirox-connector /var/lib/veirox-connector sudo rm -f /usr/local/bin/veirox-connector sudo userdel veirox-connector sudo systemctl daemon-reload
Troubleshooting
| Symptom | Fix |
|---|---|
manifest signature verification FAILED |
The bundle was tampered, or the cosign public key in install-offline.sh doesn't match the release's signing key. Re-fetch from a trusted channel. |
neither cosign nor openssl is installed |
Install cosign (or openssl as a fallback) on the host before running the installer. |
enrollment failed: connection refused |
The host has no path to the backend. Airgapped and no enrollment access means you cannot use reverse-tunnel connectors — switch to the MCP-server connector model. |