Puppet Remediate connects to security providers to discover
hosts with vulnerabilities. To take action and fix the vulnerabilities, the system must
connect directly to the hosts. If the hosts you want to fix are deployed in network
segments that are not directly accessible from where you installed Remediate, you can set up a multi-network
deployment.
In a multi-network deployment, an edge service is deployed inside each network
segment. Remediate uses Docker swarm to deploy an edge service on each swarm
worker, and instructs the edge to connect to the hosts when executing tasks.
Workers must have direct connectivity to the manager, the main node where
you installed Remediate (at minimum the swarm management port, TCP 2377, plus the
node-communication and overlay ports Docker swarm requires). For more information on
workers and managers, see the Docker documentation.
Note: The following procedure assumes that you have already run docker swarm init
on the main Remediate
node as part of the installation process to designate it as swarm manager.
- On a node with internet connectivity:
  - Download the offline Remediate image bundle
    (https://storage.googleapis.com/remediate/stable/latest/offline/images.tar.gz).
    Note: Skip this step if you are using your own custom Docker registry.
  - Optionally, verify the image bundle file signature. With each Puppet Remediate
    release, a digital signature is created using the private key portion of an
    asymmetric key pair. You can manually validate the signature using the public
    key portion of the same key pair. The check is only as trustworthy as your copy
    of the public key: if you fetch the key from the same location as the bundle,
    confirm it against a copy obtained through a trusted channel before relying
    on the result.
    - Download the image bundle signature, along with the public key, into the same
      directory as your license file. The command below expects the bundle, the
      signature and the public key to all be in the current working directory.
    - Run the following command:
      openssl dgst -sha256 -verify puppet-remediate-signing-key.pub -signature images_signature images.tar.gz
      If the signature is valid, openssl exits with status 0 and prints:
      Verified OK
      Any other result (for example, Verification Failure, or an error loading the
      key) means the bundle must not be used.
- Copy the Remediate image bundle to the offline node where you want to install
  Remediate.
- On the manager node, run docker swarm join-token worker. It prints the join
  command for this swarm, including the worker token and the manager's address.
  Run that command on each worker node:
  docker swarm join --token <TOKEN> <MANAGER-ADDRESS>:2377
  This adds one worker in each network segment. Treat the token as a credential:
  anyone who holds it and can reach the manager can join a node to the swarm, and
  you can rotate it with docker swarm join-token --rotate worker.
- On the manager node, follow the normal installation instructions for Remediate.
  The swarm automatically deploys the edge on the workers.
- After the installation is complete, verify that the expected number of edges is
  running with the following command:
  docker service ps remediate_remote-edge
  Each worker should show one remediate_remote-edge task whose current state is
  Running.
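As an added example (not part of Puppet Remediate or its installer), the script below wraps two of the checks in this procedure so they fail closed: the signature verification, with an optional operator-pinned SHA-256 of the signing public key, and the post-install edge count, which compares the Running tasks of remediate_remote-edge against the number of Ready swarm workers. The file names are the ones used on this page; the REMEDIATE_PUBKEY_SHA256 variable, the --verify and --check-edges flags, and the script name remediate-checks.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of Puppet Remediate or its installer: fail-closed
# checks around the multi-network procedure. Assumptions: the file names from
# the page (images.tar.gz, images_signature, puppet-remediate-signing-key.pub)
# and an operator-pinned SHA-256 of the signing public key, supplied as
# REMEDIATE_PUBKEY_SHA256 and obtained out of band, not from the download site.
set -eu

# True only when openssl's verdict is exactly "Verified OK". openssl already
# exits non-zero on a bad signature; matching the text as well rejects partial
# or unexpected output instead of treating it as success.
check_verify_output() {
  [ "$1" = "Verified OK" ]
}

# verify_bundle PUBKEY SIGNATURE BUNDLE [PINNED_SHA256]
# If a pinned digest is given, the public key must match it before it is used.
# Without the pin, a valid signature only proves the bundle was signed by
# whoever published the key next to it.
verify_bundle() {
  pubkey=$1; sig=$2; bundle=$3; pinned=${4:-}
  if [ -n "$pinned" ]; then
    actual=$(openssl dgst -sha256 "$pubkey" | awk '{print $NF}')
    if [ "$actual" != "$pinned" ]; then
      echo "public key digest mismatch: $actual" >&2
      return 1
    fi
  fi
  out=$(openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$bundle" 2>/dev/null) || return 1
  check_verify_output "$out"
}

# Count edge tasks in the Running state. Reads the output of
#   docker service ps remediate_remote-edge --format '{{.Node}} {{.CurrentState}}'
# from stdin; CurrentState looks like "Running 5 minutes ago".
count_running_edges() {
  n=0
  while read -r node state rest; do
    if [ "$state" = "Running" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Count workers that can host an edge. Reads the output of
#   docker node ls --format '{{.Hostname}} {{.Status}} {{.ManagerStatus}}'
# from stdin; managers show Leader or Reachable in the third column, workers
# show nothing, and a node that is Down will not be scheduled.
count_workers() {
  n=0
  while read -r host status mgr; do
    if [ "$status" = "Ready" ] && [ -z "$mgr" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# check_edges RUNNING EXPECTED: fail when fewer edges run than there are workers.
check_edges() {
  if [ "$1" -lt "$2" ]; then
    echo "only $1 of $2 edges running" >&2
    return 1
  fi
  echo "all $2 edges running"
}

# Live check, run on the manager node after installation.
check_edges_live() {
  running=$(docker service ps remediate_remote-edge --filter desired-state=running \
              --format '{{.Node}} {{.CurrentState}}' | count_running_edges)
  expected=$(docker node ls --format '{{.Hostname}} {{.Status}} {{.ManagerStatus}}' | count_workers)
  check_edges "$running" "$expected"
}

# Usage: ./remediate-checks.sh --verify       (on the download node)
#        ./remediate-checks.sh --check-edges  (on the swarm manager)
case "${1:-}" in
  --verify) verify_bundle puppet-remediate-signing-key.pub images_signature images.tar.gz "${REMEDIATE_PUBKEY_SHA256:-}" ;;
  --check-edges) check_edges_live ;;
esac
```

Run it with --verify in the directory holding the bundle, signature and key on the download node, and with --check-edges on the swarm manager once installation has finished. The parsing functions read the docker output from stdin, so they can be checked against captured listings without a swarm.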