Installation

Prepare the host

Bring a Linux host to the known-good state the C21 Live Control and C21 Live Encoder installers expect.

The installers expect the host to be in a known starting state. This page describes the prerequisites and provides copy-pasteable commands that satisfy them on a stock Ubuntu 22.04 / 24.04 LTS host.

Run every step on every host before the installer. Both products share most of the prerequisites; the differences are called out where they apply.

1. Platform

ControlEncoder
Operating systemUbuntu 22.04 LTS or 24.04 LTSUbuntu 24.04 LTS
Kernelany≥ 6.8
Architecturex86_64x86_64
CPU2 cores minimum, 4+ recommended4 cores minimum, 8+ recommended
RAM4 GiB minimum, 8+ GiB recommended8 GiB minimum, 16+ GiB recommended
Disk free on /20 GiB50 GiB (more if recordings stay local)
Swaprecommend ≥ 4 GiB on hosts with < 8 GiB RAMrecommend ≥ 4 GiB on hosts with < 16 GiB RAM

Both products run on Ubuntu Pro without changes if your security policy requires it.

2. Outbound network

The installer downloads from CloudFront and Docker Hub. The host needs HTTPS egress to:

  • https://get.cires21.com/*
  • https://hub.docker.com/*, https://registry-1.docker.io/*, https://auth.docker.io/*, https://production.cloudflare.docker.com/*

If you operate behind a corporate proxy, allow-list the above and set https_proxy / http_proxy for your interactive shell and the sudo -E environment.

3. DNS — public resolver

Add a public resolver so the host can reach the Docker registry and the bootstrap CDN.

sudo mkdir -p /etc/systemd/resolved.conf.d
sudo tee /etc/systemd/resolved.conf.d/google.conf >/dev/null <<EOF
[Resolve]
DNS=8.8.8.8 8.8.4.4
FallbackDNS=
DNSStubListener=yes
EOF
sudo systemctl restart systemd-resolved
getent hosts get.cires21.com
getent hosts hub.docker.com

Substitute your own resolvers if your network has a stricter policy. Cloud VMs usually need this drop-in because they ship with the VPC resolver only.

4. NTP — accurate time

Docker registry TLS handshakes fail on clock skew. Set NTP before the installer.

Ubuntu Server cloud images ship with chrony active by default. Add the Cires21 NTP pool to the existing chrony configuration:

sudo timedatectl set-timezone Europe/Madrid
sudo tee /etc/chrony/sources.d/cires21.sources >/dev/null <<EOF
pool hora.cires21.com iburst maxsources 4
EOF
sudo systemctl restart chrony
chronyc sources -v

On hosts that ship with systemd-timesyncd instead of chrony, the equivalent drop-in is /etc/systemd/timesyncd.conf.d/cires21.conf with NTP=hora.cires21.com. The host needs to be within a few seconds of real time before the installer runs.

5. Firewall — ufw

Apply rules in this order to avoid locking yourself out of SSH:

sudo apt-get update -qq
sudo apt-get install -y ufw

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp comment 'SSH'

# Control host only — the operator UI + the API + the WebSocket relay + the MCP server
sudo ufw allow 9080/tcp comment 'Control HTTP (redirects to HTTPS)'
sudo ufw allow 9443/tcp comment 'Control HTTPS UI'
sudo ufw allow 3000/tcp comment 'Control NOC WebSocket relay'
sudo ufw allow 3100/tcp comment 'Control MCP server'

# Encoder host only — restrict to the Control host or its VPC subnet
sudo ufw allow from <control-ip-or-subnet> to any port 80 proto tcp comment 'Encoder HTTP from Control'
sudo ufw allow from <control-ip-or-subnet> to any port 443 proto tcp comment 'Encoder HTTPS from Control'
sudo ufw allow from <control-ip-or-subnet> to any port 8484 proto tcp comment 'Encoder c21publisher from Control'

sudo ufw --force enable
sudo ufw status verbose

For deployments where you want a public reverse-proxy in front of Control, terminate TLS on the proxy and forward to 127.0.0.1:9443. The ufw rules above cover the host-level fallback path.

6. Swap

If the host has less than the recommended RAM, add swap:

sudo fallocate -l 4G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
free -h

The installer pulls multiple GB of Docker images. Without swap on small hosts, apt install and Docker image pulls together can run out of memory.

7. Next step

With the host prepared, follow the product-specific installer page:

Copyright © 2026