
Installation of the Edge Gateway Docker

Importing the Docker image

Before you can create a Docker Edge Gateway container, you must import the Docker image. To do this, open a shell in which the Docker commands are available and from which the cleanroom-gateway-4.6.1-33-v2.tgz file is accessible. From the shell, run the following command, adjusting the path to the TGZ file if it is not in the current directory:

docker load --input cleanroom-gateway-4.6.1-33-v2.tgz

Then check that the import was successful with the following command:

docker inspect --type=image cleanroom-gateway:4.6.1-33-v2

The expected output is shown below. If the output differs, the import has failed:

[
    {
        "Id": "sha256:f95237b30c2407a652e5cf9ab84abc0446e04373a30cd83d39c878284c98950b",
        "RepoTags": [
            "cleanroom-gateway:4.6.1-33-v2"
        ],
        "RepoDigests": [],
        "Parent": "",
        "Comment": "buildkit.dockerfile.v0",
        "Created": "2025-08-27T11:32:41.903547412+02:00",
        "DockerVersion": "",
        "Author": "",
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 1260102017,
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/b5779f969b41eff36cd25115a1884d4c1d0d7839bf22a728ed652c3e5ff7879b/diff:/var/lib/docker/overlay2/b7e2aa5de759fea2d2de49d36d20b77bcbdb6a83416c35aa5a6144624efa5ceb/diff:/var/lib/docker/overlay2/146ef698ff97270b28fbc5aa4baca1336ce6a01130336f61dfc4941de7a66eb9/diff:/var/lib/docker/overlay2/9c15ed99cfce6b7e14406da98cca769845ee0a20a0030b7352c8010bd0ed2584/diff:/var/lib/docker/overlay2/44a3abed0a932259b79c9e5e273749cc06bd8aca7d3adbfd1753a7b053dcae2f/diff:/var/lib/docker/overlay2/e3dfd4c7c4fe568ef731bd91314e69cc5c807ce717d5f4ea94f0d02cc11e70c5/diff:/var/lib/docker/overlay2/5acf2b56871d2537d95b9981c0498e16723a9eca20827f550366b48d8acf508f/diff:/var/lib/docker/overlay2/c732cd17c6501229b3a12c488d7f4c26f8634329211cac54ff1cf0d53055421f/diff:/var/lib/docker/overlay2/fd61cbda2a5e9a578c5a8eea67b63df3d31642588be3b6f2f7ebe6e10964f745/diff",
                "MergedDir": "/var/lib/docker/overlay2/5d797d8e6dcb91e62dc4aa23921ce0e46f6330338da2df57825b288392397b8f/merged",
                "UpperDir": "/var/lib/docker/overlay2/5d797d8e6dcb91e62dc4aa23921ce0e46f6330338da2df57825b288392397b8f/diff",
                "WorkDir": "/var/lib/docker/overlay2/5d797d8e6dcb91e62dc4aa23921ce0e46f6330338da2df57825b288392397b8f/work"
            },
            "Name": "overlay2"
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:4668f0f488e5ad4494fadff56ad585c514794b3a293e5e8d006410de9da08155",
                "sha256:782f6c5256575fbef0e518a1a1ce9188c457f1a0e9b88b733ed672f6e1be482d",
                "sha256:e09fd3e10e878ef6c812ccde0fa55b66cf4b9b593cf182c2760fec73649968c2",
                "sha256:e51c952c7bd89e0a3188c683d689eed81444d5513c14251f4b21cb9fd056d27d",
                "sha256:233ff67db52988898e3c1b4c2573b86c1c0c50d23f1f4b2365e3fc51abedbf9f",
                "sha256:0bf4e86419208151dcd5dc222ec43b4b655ecc6de2ab244b8320b069efc6d74e",
                "sha256:4e126ccbbb913bc105eac9d4ff68041fb460054c1756b46fff29654dcbffa480",
                "sha256:1077b827c22c9d088771d97eba65b28e397d3d1c3f2ca0208565fbccb80f80fb",
                "sha256:38554727254b2df680e419fd974eb50a518b48eea93071c5ac7fa9534931a90b",
                "sha256:937d5ffe755bf72c969e1ec525421c576d097ee984d1feca41e1feb859d95640"
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        },
        "Config": {
            "Cmd": null,
            "Entrypoint": [
                "/entrypoint.sh"
            ],
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "DEBIAN_FRONTEND=noninteractive",
                "IMAGE_BUILD_DATE=20250827T112940",
                "IMAGE_BUILD_VERSION=4.6.1-33-v2",
                "IMAGE_IPDIPC=IPC-53702"
            ],
            "ExposedPorts": {
                "9080/tcp": {}
            },
            "Healthcheck": {
                "Interval": 300000000000,
                "Retries": 3,
                "Test": [
                    "CMD-SHELL",
                    "/usr/lib/nagios/plugins/IPdivaSensorGateway -a isConnected -g 127.0.0.1:9080"
                ],
                "Timeout": 10000000000
            },
            "Labels": {
                "maintainer": "contact@systancia.com",
                "org.label-schema.build-date": "20250827T112940",
                "org.label-schema.description": "Systancia Cleanroom Gateway",
                "org.label-schema.name": "Systancia Cleanroom 4.6.1-33-v2 Gateway",
                "org.label-schema.url": "http://systancia.com/",
                "org.label-schema.vendor": "Systancia",
                "version": "4.6.1-33-v2"
            },
            "OnBuild": null,
            "User": "root",
            "Volumes": {
                "/etc/ipdiva/": {},
                "/var/log/": {}
            },
            "WorkingDir": ""
        }
    }
]

Container configuration

Environment variables

Variables for deployment by pairing

| Name | Mandatory | Default value | Comment |
|---|---|---|---|
| ENV_MEDIATION | YES | | Used for pairing connection. Indication of cyberelements.io tenant or DNS name or IP address for connection to the web interface of a cyberelements Cleanroom platform. |
| ENV_TOKEN | YES | | Used for pairing connection. Indication of the pairing token to be used for connection to the Mediation Controller. |
| ENV_NO_CHECK_CERT | NO | false | Used for pairing connections. Whether or not to disable Mediation Controller web certificate checking, useful with cyberelements Cleanroom when accessing via IP address or when the web certificate is not a certificate recognized by the default public certification authorities. Accepted values: true or false. |

Variables for manual deployment

| Name | Mandatory | Default value | Comment |
|---|---|---|---|
| ENV_GW_CERT_NAME | YES | | Used for connection with manual configuration. Name of the certificate file for connecting to the SSL Router. |
| ENV_GW_CERT_PASSWORD | YES | | Used for connection with manual configuration. Certificate file password for connection to the SSL Router. |
| ENV_CARE_CERT_NAME | NO | Value of ENV_GW_CERT_NAME | Used for connection with manual configuration. Name of the certificate file for the recording service. |
| ENV_CARE_CERT_PASSWORD | NO | Value of ENV_GW_CERT_PASSWORD | Used for connection with manual configuration. Password for the recording service certificate file. |
| ENV_SSL_ROUTER_IP | YES | | Used for connection with manual configuration. IP address or DNS name of the SSL router to which the Edge Gateway will connect. |
| ENV_SSL_ROUTER_PORT | NO | 443 | Used for connection with manual configuration. Port on the SSL Router to which the Edge Gateway will connect. |

Various variables

| Name | Mandatory | Default value | Comment |
|---|---|---|---|
| ENV_DISABLE_RSYSLOG | NO | false | Deactivation of the rsyslog service. Accepted values: true or false. |
| ENV_KERBEROS_CONFIG_ENABLE | NO | false | Enable Kerberos settings to allow RDP applications to authenticate in agentless mode using Kerberos. Accepted values: true or false. If false, the other Kerberos variables will be ignored. |
| ENV_KERBEROS_DEFAULT_REALM | YES (if Kerberos configuration is enabled) | | Kerberos realm name. |
| ENV_KERBEROS_DEFAULT_DOMAIN | YES (if Kerberos configuration is enabled) | | Kerberos domain name. |
| ENV_KERBEROS_CONTROLLER_ADDRESS | YES (if Kerberos configuration is enabled) | | Connection address to the Kerberos controller. |

Volumes

| Volume | Comment |
|---|---|
| /etc/ipdiva/ | Edge Gateway configuration volume. We recommend mounting it on a named volume or on the host machine's file system. |
| /opt/certificates/ | Volume containing the Edge Gateway certificate(s) in a configuration without pairing. |
| /var/lib/ipdiva/carerecord/archives/ | Volume containing the graphic archives. We recommend mounting it on a named volume or on the host machine's file system. |
| /var/ipdiva/care/sshrecord/ | Volume containing the SSH archives. We recommend mounting it on a named volume or on the host machine's file system. |
| /var/log/ | Volume containing the Edge Gateway logs. |

Ports

| Port | Comment |
|---|---|
| 2222 (or any other available port chosen by the administrator) | Listening port for the SSH/SFTP direct access service. |
| 3389 | Listening port for the RDP direct access service. |
| 8443 | Listening port for the recording service, to be exposed when using the Windows recording agent. |

Deployment of the Edge Gateway Docker

Deployment with pairing

Prerequisites

Before deploying the Edge Gateway Docker, you must obtain a pairing token.

The deployment described below uses all available volumes (except /opt/certificates/, which is not needed in this context) and exposes all ports.
The volumes are mounted from the host machine's file system under the location EDGE_GATEWAY_REP, which contains the following subdirectories:

  • config
  • graphical_archives
  • ssh_archives
  • log

You can customize the variables for the following commands:

| Variable | Comment |
|---|---|
| DOCKER_NAME | Name of the Docker container. |
| EDGE_GATEWAY_REP | Location on the file system to mount the volumes. |
| ENV_MEDIATION_VALUE | Value of the ENV_MEDIATION environment variable. |
| ENV_TOKEN_VALUE | Value of the ENV_TOKEN environment variable. |
| ENV_NO_CHECK_CERT_VALUE | Value of the ENV_NO_CHECK_CERT environment variable. |
| ENV_KERBEROS_CONFIG_ENABLE_VALUE | Value of the ENV_KERBEROS_CONFIG_ENABLE environment variable. |
| ENV_KERBEROS_DEFAULT_REALM_VALUE | Value of the ENV_KERBEROS_DEFAULT_REALM environment variable. |
| ENV_KERBEROS_DEFAULT_DOMAIN_VALUE | Value of the ENV_KERBEROS_DEFAULT_DOMAIN environment variable. |
| ENV_KERBEROS_CONTROLLER_ADDRESS_VALUE | Value of the ENV_KERBEROS_CONTROLLER_ADDRESS environment variable. |

Create the directory tree required for mounting volumes on the file system:

mkdir -p EDGE_GATEWAY_REP/config
mkdir EDGE_GATEWAY_REP/graphical_archives
mkdir EDGE_GATEWAY_REP/ssh_archives
mkdir EDGE_GATEWAY_REP/log

And finally, start a new container:

docker run -d --restart unless-stopped --name "DOCKER_NAME" \
-e ENV_MEDIATION="ENV_MEDIATION_VALUE" \
-e ENV_TOKEN="ENV_TOKEN_VALUE" \
-e ENV_NO_CHECK_CERT="ENV_NO_CHECK_CERT_VALUE" \
-e ENV_KERBEROS_CONFIG_ENABLE="ENV_KERBEROS_CONFIG_ENABLE_VALUE" \
-e ENV_KERBEROS_DEFAULT_REALM="ENV_KERBEROS_DEFAULT_REALM_VALUE" \
-e ENV_KERBEROS_DEFAULT_DOMAIN="ENV_KERBEROS_DEFAULT_DOMAIN_VALUE" \
-e ENV_KERBEROS_CONTROLLER_ADDRESS="ENV_KERBEROS_CONTROLLER_ADDRESS_VALUE" \
-v "EDGE_GATEWAY_REP/config/:/etc/ipdiva/:rw" \
-v "EDGE_GATEWAY_REP/graphical_archives/:/var/lib/ipdiva/carerecord/archives/:rw" \
-v "EDGE_GATEWAY_REP/ssh_archives/:/var/ipdiva/care/sshrecord/:rw" \
-v "EDGE_GATEWAY_REP/log/:/var/log/:rw" \
-p 2222:2222 \
-p 3389:3389 \
-p 8443:8443 \
cleanroom-gateway:4.6.1-33-v2

The container logs can be viewed using the following command:

docker logs -f DOCKER_NAME

Manual deployment

Prerequisites

Before deploying the Edge Gateway Docker, you must have the required certificates for the Edge Gateway and the recording service.

The deployment described below uses all available volumes and exposes all ports.
The volumes are mounted from the host machine's file system under the location MANUAL_REP, which contains the following subdirectories:

  • config
  • graphical_archives
  • ssh_archives
  • log
  • certificates

You can customize the variables for the following commands:

| Variable | Comment |
|---|---|
| MANUAL_NAME | Name of the Docker container. |
| MANUAL_REP | Location on the file system to mount the volumes. |
| ENV_GW_CERT_NAME_VALUE | Value of the ENV_GW_CERT_NAME environment variable. |
| ENV_GW_CERT_PASSWORD_VALUE | Value of the ENV_GW_CERT_PASSWORD environment variable. |
| ENV_CARE_CERT_NAME_VALUE | Value of the ENV_CARE_CERT_NAME environment variable. |
| ENV_CARE_CERT_PASSWORD_VALUE | Value of the ENV_CARE_CERT_PASSWORD environment variable. |
| ENV_SSL_ROUTER_IP_VALUE | Value of the ENV_SSL_ROUTER_IP environment variable. |
| ENV_SSL_ROUTER_PORT_VALUE | Value of the ENV_SSL_ROUTER_PORT environment variable. |
| ENV_KERBEROS_CONFIG_ENABLE_MANUAL_VALUE | Value of the ENV_KERBEROS_CONFIG_ENABLE environment variable. |
| ENV_KERBEROS_DEFAULT_REALM_MANUAL_VALUE | Value of the ENV_KERBEROS_DEFAULT_REALM environment variable. |
| ENV_KERBEROS_DEFAULT_DOMAIN_MANUAL_VALUE | Value of the ENV_KERBEROS_DEFAULT_DOMAIN environment variable. |
| ENV_KERBEROS_CONTROLLER_ADDRESS_MANUAL_VALUE | Value of the ENV_KERBEROS_CONTROLLER_ADDRESS environment variable. |

Create the directory tree required for mounting volumes on the file system:

mkdir -p MANUAL_REP/config
mkdir MANUAL_REP/graphical_archives
mkdir MANUAL_REP/ssh_archives
mkdir MANUAL_REP/log
mkdir MANUAL_REP/certificates

Then place the certificates for the Edge Gateway and the recording service in MANUAL_REP/certificates.

Finally, start a new container:

docker run -d --restart unless-stopped --name "MANUAL_NAME" \
-e ENV_GW_CERT_NAME="ENV_GW_CERT_NAME_VALUE" \
-e ENV_GW_CERT_PASSWORD="ENV_GW_CERT_PASSWORD_VALUE" \
-e ENV_CARE_CERT_NAME="ENV_CARE_CERT_NAME_VALUE" \
-e ENV_CARE_CERT_PASSWORD="ENV_CARE_CERT_PASSWORD_VALUE" \
-e ENV_SSL_ROUTER_IP="ENV_SSL_ROUTER_IP_VALUE" \
-e ENV_SSL_ROUTER_PORT="ENV_SSL_ROUTER_PORT_VALUE" \
-e ENV_KERBEROS_CONFIG_ENABLE="ENV_KERBEROS_CONFIG_ENABLE_MANUAL_VALUE" \
-e ENV_KERBEROS_DEFAULT_REALM="ENV_KERBEROS_DEFAULT_REALM_MANUAL_VALUE" \
-e ENV_KERBEROS_DEFAULT_DOMAIN="ENV_KERBEROS_DEFAULT_DOMAIN_MANUAL_VALUE" \
-e ENV_KERBEROS_CONTROLLER_ADDRESS="ENV_KERBEROS_CONTROLLER_ADDRESS_MANUAL_VALUE" \
-v "MANUAL_REP/config/:/etc/ipdiva/:rw" \
-v "MANUAL_REP/graphical_archives/:/var/lib/ipdiva/carerecord/archives/:rw" \
-v "MANUAL_REP/ssh_archives/:/var/ipdiva/care/sshrecord/:rw" \
-v "MANUAL_REP/log/:/var/log/:rw" \
-v "MANUAL_REP/certificates/:/opt/certificates/:ro" \
-p 2222:2222 \
-p 3389:3389 \
-p 8443:8443 \
cleanroom-gateway:4.6.1-33-v2

The container logs can be viewed using the following command:

docker logs -f MANUAL_NAME
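
The rules in the environment variable tables above (mandatory variables per deployment mode, Kerberos variables required only when ENV_KERBEROS_CONFIG_ENABLE is true, flags limited to true or false) can be checked before either container is started. The following is an added example, not part of the vendor documentation: it assumes the variables are kept in a file (hypothetical name gateway.env) that is passed to docker run with --env-file in place of the individual -e options, which keeps ENV_TOKEN and the certificate passwords out of the shell history; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: preflight check of an env file for `docker run --env-file`.
# gateway.env and the function names are hypothetical; the variable names
# and rules come from the tables on this page. Assumes GNU stat (Linux host).

# Print the value of KEY in FILE (plain KEY=value lines; the last one wins).
# docker --env-file takes values literally, so they must not be quoted.
env_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_gateway_env FILE MODE   (MODE: pairing | manual)
# Prints findings; returns 0 only when no ERROR was found.
check_gateway_env() {
  local file=$1 mode=$2 errors=0 key required
  case $mode in
    pairing) required="ENV_MEDIATION ENV_TOKEN" ;;
    manual)  required="ENV_GW_CERT_NAME ENV_GW_CERT_PASSWORD ENV_SSL_ROUTER_IP" ;;
    *) echo "ERROR: mode must be pairing or manual"; return 2 ;;
  esac
  # Kerberos variables become mandatory only when the feature is enabled.
  if [ "$(env_get "$file" ENV_KERBEROS_CONFIG_ENABLE)" = "true" ]; then
    required="$required ENV_KERBEROS_DEFAULT_REALM ENV_KERBEROS_DEFAULT_DOMAIN"
    required="$required ENV_KERBEROS_CONTROLLER_ADDRESS"
  fi
  for key in $required; do
    if [ -z "$(env_get "$file" "$key")" ]; then
      echo "ERROR: $key is mandatory for this deployment"; errors=$((errors + 1))
    fi
  done
  # Flags documented as "Accepted values: true or false".
  for key in ENV_NO_CHECK_CERT ENV_DISABLE_RSYSLOG ENV_KERBEROS_CONFIG_ENABLE; do
    case $(env_get "$file" "$key") in
      ""|true|false) ;;
      *) echo "ERROR: $key must be true or false"; errors=$((errors + 1)) ;;
    esac
  done
  if [ "$(env_get "$file" ENV_NO_CHECK_CERT)" = "true" ]; then
    echo "WARN: ENV_NO_CHECK_CERT=true disables Mediation Controller certificate checking"
  fi
  # The file holds the pairing token or certificate passwords: owner-only access.
  case $(stat -c %a "$file") in
    ?00) ;;
    *) echo "WARN: $file is readable by group/others, run: chmod 600 $file" ;;
  esac
  [ "$errors" -eq 0 ]
}
```

Run `check_gateway_env gateway.env pairing` (or `manual`) and start the container only when it returns 0, replacing the `-e` lines of the `docker run` command with `--env-file gateway.env`.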