Skip to content

Playbooks On-premises

To ensure enhanced security measures, our clients may find it necessary to execute Playbook actions within a local network that remains isolated from external internet access or rejects inbound connections. To answer this particular need, we offer a solution that allows users to select actions they want to perform on their local network directly from the Playbooks' user interface.

To harness the full potential of this security-enhancing feature, clients are required to undertake a short installation process. This process involves the installation of our dedicated agent and Docker onto a Linux machine positioned within their local network. This meticulous setup ensures that Playbook actions can be executed with the utmost reliability and security, maintaining the integrity of your local network environment.

Below, we provide detailed instructions on how to accomplish this installation process effectively.


This feature is currently in public beta. If you would like to try it, please contact us.


Host requirements

  • 16G RAM
  • 150G HD
  • 2 CPU minimum (4 CPU recommended)

Supported OS versions

Playbooks On-prem are designed to support Linux distributions based on a kernel version of 3.10 or later. Here's a non-exhaustive list of supported distributions:

  • Ubuntu 14.04 and newer
  • Debian 8 and newer
  • CentOS 7 and newer
  • Redhat 7 and newer


Playbooks On-prem rely on docker to execute actions. To ensure a seamless installation, please refer to the official installation instructions.


In certain Linux distributions, such as RHEL and CentOS, podman may come pre-installed, potentially preventing dockerfrom working correctly.

Plus, podman can also inadvertently intercept and execute docker commands if the podman-docker package is installed.

Because of this, it's important to note that the playbook runner agent requires not only the presence of the Docker client but also the Docker engine.

To uninstall podman and resolve any compatibility issues, you can follow the instructions below:

  1. Remove packages

    sudo yum remove buildah skopeo podman containers-common atomic-registries docker container-tools

  2. Remove any left-over artifacts and files

    sudo rm -rf /etc/containers/* /var/lib/containers/* /etc/docker /etc/subuid* /etc/subgid*

  3. Delete any associated container storage

    cd ~ && rm -rf /.local/share/containers/

Allowed domains

To ensure a bug-free installation, the Sekoia Endpoint Agent must be able to communicate with several external domains:

  • To pull module images:

  • To send execution results and store files:

    • ...

Testing the prerequisites

We have prepared a Docker image to facilitate the validation process, ensuring that the environment is properly configured for agent installation.

To initiate this validation, open a terminal and execute the following command:

docker run

This command will initiate the download of the image, effectively verifying whether the host system can successfully access the Docker registry and establish connectivity with

Here's an example of the expected output for your reference:

Checking container runs in Docker ... OK
Checking connectivity with APIs ...
  - Checking ... OK
  - Checking ... OK
Checking connectivity with the object storage ... OK


Proxy information can be passed to the docker command with the -e option: -e https_proxy={proxy_url}

Playbook runners

A playbook runner is a local relay that allows playbook actions to be launched on a local network. It can be used with any action in playbooks.

Create a playbook runner

To create a playbook runner, follow these steps:

  1. On the playbooks listing page, click on the Playbook runners button in the top right of the screen create playbook runner
  2. In the playbook runners page, click on + Set up a playbook runner or + Playbook runner
  3. Give a name to your playbook runner
  4. Follow the instructions displayed to install the playbook runner on your machine. playbook runner instructions
  5. Once the playbook runner has been installed, you can leave the instructions by clicking on "Back to playbook runners".

Your newly created playbook runner should now appear in the list. It will also show when configuring any playbook action.

Use a runner in a playbook action

playbook runner instructions

Playbook runners can be used in any action in the playbook catalog. They can be added in the configuration panel that shows when clicking on an action in the playbook.

To use a playbook runner for a specific action, you can follow these steps:

  1. Go to a playbook and click on the action that should be executed on-premises
  2. Open the configuration sidebar for this action and change "How to execute this action" to "On-premises"
  3. In the "Which playbook runner" section, select the runner you want to use to execute this action
  4. Once you've chosen the playbook runner and are satisfied with the configuration, save the playbook

Proxy support

If needed, the playbook runner can use a proxy server when executing actions.

If you want to enable this feature, edit the configuration file at /etc/endpoint-agent/config.yaml and add the following line:


The proxy URL should follow the format http://user:pass@host:port.

It is also possible to specify a list of domains that should not use the proxy:

  - localhost

Once the configuration has been changed, restart the agent by running the following command:

sudo systemctl restart SEKOIAEndpointAgent.service

Alternatively, if those variables are not set, the agent will check for the env variables http_proxy, https_proxy, all_proxy and no_proxy on the host and forward them to the running actions.

Custom CA bundle

In some cases, the service we contact will have a TLS certificate signed by a custom Certification Authority.

To avoid having errors during the TLS certificate validation step, it is possible to specify the path to a CA bundle containing a list of trusted certificates.

To enable this feature, follow these steps:

  1. Edit the configuration file at /etc/endpoint-agent/config.yaml and add the following line:

    CABundlePath: "path/to/bundle/cacert.pem"


    The bundle must contains the CA certificates allowing to communicate with

    Bundle format example

    The bundle usually contains a list of PEM encoded certificate to trust with optional comment lines starting with #. Here's an example of the content of such bundle:

    # Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA
    # Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA
    # Label: "GlobalSign Root CA"
    # Serial: 4835703278459707669005204
    # MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a
    # SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c
    # SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99
    -----END CERTIFICATE-----
    # Issuer: Certification Authority (2048) incorp. by ref. (limits liab.)/(c) 1999 Limited
    # Subject: Certification Authority (2048) incorp. by ref. (limits liab.)/(c) 1999 Limited
    # Label: " Premium 2048 Secure Server CA"
    # Serial: 946069240
    # MD5 Fingerprint: ee:29:31:bc:32:7e:9a:e6:e8:b5:f7:51:b4:34:71:90
    # SHA1 Fingerprint: 50:30:06:09:1d:97:d4:f5:ae:39:f7:cb:e7:92:7d:7d:65:2d:34:31
    # SHA256 Fingerprint: 6d:c4:71:72:e0:1c:bc:b0:bf:62:58:0d:89:5f:e2:b8:ac:9a:d4:f8:73:80:1e:0c:10:b9:c8:37:d2:1e:b1:77
    -----END CERTIFICATE-----
  2. Once the configuration has been changed, restart the agent by running the following command:

    sudo systemctl restart SEKOIAEndpointAgent.service