Skip to content

Deploy & Operate

Stand up the lab host plus a network enclosure around it. Three install guides plus a vendor-image walkthrough; pick the path that matches your scale.

Three bring-up guides cover a fresh Remote Lab host end-to-end: install and configure rootless Netlab + Containerlab, enclose the host in a network boundary so clients and CI can reach lab subnets without exposing the server, and decide which router/switch images to ship.

The VPN guides walk one opinionated path — self-hosted Headscale + Headplane — because that’s what the project’s reference deployment uses. Any equivalent enclosure works (managed Tailscale, WireGuard, IP allowlists, mTLS at a reverse proxy); see Other approaches on the quick-setup page for when each fits.

Follow the install guides in order — the Netlab side boots the actual labs; the network side gives you the private reachability the Remote Lab Manager’s X-Session-ID-only access boundary relies on for safety. The vendor page is reference material you can hop into any time you need to add a new device kind.

In this section

  •   Pick a deployment

    Decision tree for the four deployment shapes — local laptop, single shared VM, multi-tenant lab, CI runner pool. Routes you to the right starting point.

  •   Netlab host

    Install networklab on Ubuntu 24.04+, configure rootless Containerlab with clab_admins + setuid, stop netlab from wrapping Containerlab in sudo, validate with netlab test clab.

  •   Headscale: quick

    Five-command happy path through the project’s recommended enclosure — Headscale + Headplane via Docker Compose, the lab host as a subnet router, one client peer reaching the lab subnet. Alternatives in the page’s Other approaches section.

  •   Headscale reference

    Configuration surface for a deployed Headscale tailnet — ACL configuration, user and pre-auth key management, system settings, troubleshooting, and the full command summary.

  •   Vendor setup

    Per-vendor install walkthroughs — FRR auto-pull, Nokia SR Linux image pin, Cisco IOL vrnetlab build. Decision tree lives in Topology format.

  • Operator runbook — install the neops-remote-lab service itself once the host is ready, including the recommended systemd unit and the stale-lock recovery runbook.
  • Configuration — server CLI flags (--host, --port, --debug) and client environment variables.
  • REST API — the HTTP surface now protected by the tailnet.