Linux Offline Installation

AI Tools

This guide provides step-by-step instructions for installing MetaDefender Software Supply Chain and its dependencies on machines with limited or no internet connectivity.

A machine with internet access is required to download the dependencies manually and transfer them to the offline machine.

Installing Binary Packages

You will need to download and install the binary packages(found in Installation details) for your respective operating system:

Debian/Ubuntu

curl, openssl, sudo, apt-utils, ca-certificates, jq, gnupg-agent, iproute2, apt-transport-https, software-properties-common

RedHat/CentOS

curl, openssl, sudo, apt-utils, ca-certificates, jq, gnupg-agent, iproute2, apt-transport-https, software-properties-common
Info

Note: For detailed instructions, refer to the guide for Debian/Ubuntu or CentOS/RHEL

Installing Docker and Docker Compose

To be able to install the dependencies offline, you need a machine connected to the internet to download the required packages. Later, the packages will be copied to the offline machine.

To download the dependencies, follow the official guide for Docker Engine and Docker Compose

The compose plugin for docker can be installed only manually when in an offline environment using the following commands (also available in the official instructions in the link above):

mkdir -p /usr/local/lib/docker/cli-plugins/ curl -SL https://github.com/docker/compose/releases/download/v2.28.0/docker-compose-linux-x86_64 -o /usr/local/lib/docker/cli-plugins/docker-compose sudo chmod +x /usr/local/lib/docker/cli-plugins/docker-compose
Warning

For RedHat based operating systems:

Since RedHat officially supports Podman as a container engine, skip Docker installation and follow our guide on Podman Configuration.

Installing MetaDefender Software Supply Chain package

After the prerequisites above have been set up, you can run the MetaDefender Software Supply Chain installer to setup the compose files and the mdssc command line.

Debian/Ubuntu

sudo dpkg -i <name of the file>.deb || sudo apt-get install -f

RedHat/CentOS

sudo yum install -y <name of the file>.rpm

Pulling the Docker Images

In offline environments, all required Docker images must be pulled on an internet-connected machine and transferred to the target system.

Required Images

MetaDefender Software Supply Chain requires:

  • MDSSC service images

  • OPSWAT platform services

  • Third-party infrastructure images (database, cache, messaging)

All images are versioned per release.

Use the following placeholders:

  • <MDSSC_VERSION> — e.g. 3.1.1

  • <PLATFORM_VERSION> — e.g. platform-2.x

Step 1: Pull Images (Online Machine)

docker pull docker.io/opswat/mdssc_api:3.3.1 docker pull docker.io/opswat/mdssc_frontend:3.3.1 docker pull docker.io/opswat/mdssc_binaries:3.3.1 docker pull docker.io/opswat/mdssc_sourcecode:3.3.1 docker pull docker.io/opswat/mdssc_containers:3.3.1 docker pull docker.io/opswat/mdssc_notifications:3.3.1 docker pull docker.io/opswat/mdssc_pgmigrations:3.3.1 docker pull docker.io/library/postgres:17 docker pull docker.io/library/rabbitmq:4.2.2-alpine docker pull docker.io/library/redis:8.4.0-alpine docker pull docker.io/opswat/mdcloudservices_commonservices:platform-2.3 docker pull docker.io/opswat/mdcloudservices_licensing:platform-2.3 docker pull docker.io/opswat/mdcloudservices_identityservice:platform-2.3
Info

Can be tried on the offline machine also with the Docker whitelist: Allowlist | Docker Docs

Step 2: Export Images

docker save \ opswat/mdssc_api:<MDSSC_VERSION> \ opswat/mdssc_frontend:<MDSSC_VERSION> \ opswat/mdssc_binaries:<MDSSC_VERSION> \ opswat/mdssc_sourcecode:<MDSSC_VERSION> \ opswat/mdssc_containers:<MDSSC_VERSION> \ opswat/mdssc_notifications:<MDSSC_VERSION> \ opswat/mdssc_mongomigrations:<MDSSC_VERSION> \ opswat/mdssc_pgmigrations:<MDSSC_VERSION> \ opswat/mdcloudservices_commonservices:<PLATFORM_VERSION> \ opswat/mdcloudservices_licensing:<PLATFORM_VERSION> \ mongo:<MONGO_VERSION> \ postgres:<POSTGRES_VERSION> \ redis:<REDIS_VERSION> \ rabbitmq:<RABBITMQ_VERSION> \ -o mdssc.tar

Step 3: Load Images (Offline Machine)

docker load -i mdssc.tar # Check result docker image ls

Alternative (Testing): Load images using the offline toolkit

Warning

This method is currently in testing. Use it only if instructed by OPSWAT support or if the manual pull/export flow is not feasible.

Download the offline toolkit on an internet-connected machine and transfer it to the offline machine:

Download it using the following command:

curl -O https://s3.eu-central-1.amazonaws.com/mdssc-toolkit-3.3.1.zip/mdssc-toolkit-3.3.1.zip

Then extract it and load the images:

Prerequisite

This alternative requires unzip to be installed on the machine where you extract the toolkit.

unzip mdssc-toolkit-3.3.1.zip cd mdssc-toolkit-3.3.1 tar -xzf mdssc-offline-3.3.1.tar.gz cd mdssc-offline-3.3.1 sudo ./mdssc.sh -u load_images

Podman Configuration

MDSSC can also run using the Podman container engine instead of the default Docker one on RHEL operating systems. Podman, podman-docker and docker-compose need to be installed and running before installing MDSSC.

After the installation is complete, MDSSC needs to be configured to skip the checks for the default Docker engine. This is done by setting SKIP_DOCKER_CHECKS=yes in the /etc/mdssc/customer.env file. The following commands can be used to install Podman and MDSSC on RHEL.

# install podman, podman-docker and docker-compose sudo yum install podman sudo yum install podman-docker sudo curl -SL https://github.com/docker/compose/releases/download/v2.15.1/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose sudo chmod +x /usr/local/bin/docker-compose sudo systemctl enable podman.socket sudo systemctl start podman.socket # disable SELinux temporarily setenforce 0 # to disable selinux permanetly 'SELINUX=disabled' needs to be set in the following config file sudo vim /etc/selinux/config # install additional MDSSC dependencies sudo subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm sudo yum install lvm2 sudo yum install wget # install MDSSC sudo rpm -i mdssc-x.x.x.noarch.rpm # edit customer.env and add SKIP_DOCKER_CHECKS=yes sudo vim /etc/mdssc/customer.env # start MDSSC sudo mdssc -c start

Starting MetaDefender Software Supply Chain

Finally, MDSSC can be started using the regular startup command:

sudo mdssc -c start

Next Steps

Once the MetaDefender Software Supply Chain services are running, a few additional steps are required before the system is fully operational:

  1. Activate your license You must upload and apply a valid license to enable functionality. For details, see offline license activation section from License Page.

  2. Configure a Scan Pool At least one scan instance is required to analyze source code, containers or artifacts. For details, see Scan Pools.