Server requirements

For stable operation, the server must meet the following requirements:

• Linux operating system with Docker support: Ubuntu Server 20.04 (recommended) and newer, Astra Linux 1.7 (server), RedOS 7.3.1, Alt Server 10;

• 16 GB of RAM or more;

• CPU with virtualization support with at least 4 cores;
• free hard disk space from 200 GB;
• 1 Gbps network interface availability.

Obtaining sudo privileges without additional password input (optional)

As an unprivileged user, run the command:

echo "$(whoami)    ALL=(ALL) NOPASSWD: ALL" | sudo EDITOR='tee -a' visudo

Next, enter the password. After that, additional password entry is not required for executing sudo commands or switching to the superuser mode.

ECCM installation

Installation archive

The files needed to run the project are distributed as a tar archive. They can be obtained from the public cloud. Download the archive to the server and unpack it. It is recommended to unpack the archive into the pre-created separate directory.

Commands example:

wget "https://cloud.eltex-co.ru/index.php/s/P8xDfmyo3XyEs0g/download?path=%2F&files=eccm-2.6.tar.gz" -O eccm-2.6.tar.gz
mkdir eccm
tar -zxvf eccm-2.6.tar.gz -C eccm/

Docker and docker-compose installation

The easiest and fastest way to install is to switch to the directory where the installation archive was unpacked and use the compose-tools.sh script using the --install flag:

cd eccm/2.6
sudo ./compose-tools.sh --install

To check the installed docker, the following commands can be run:

docker --version

To check the installed docker-compose in Ubuntu, the following commands can be run:

docker compose version

When installing on Astra Linux, RedOS or Alt Server operating systems, the command to check the version of the installed docker-compose is:

docker-compose version

Running ECCM 

The ECCM project is distributed as a set of files that allows to run all necessary services using docker-compose. The project is divided into two docker-stacks:

• database (PostgreSQL 14.10);
• ECCM service stack. 

This separation is caused by the need to ensure horizontal scaling of the project and the possibility of integration with other projects of the company, such as Eltex.EDM.

Script for running ECCM

Due to the abundance of the system running parameters, a script was prepared that runs the project on one or more hosts with performance parameters that allow servicing about 100 devices. Actual performance depends on many factors, including hardware performance and the complexity of the network devices being serviced. To invoke the help information, navigate to the directory with the script and run the following command:

sudo ./compose-tools.sh -h

Running ECCM on a single host

To start the project, switch to the directory with the files of the installation archive and run the following command:

sudo ./compose-tools.sh --start <ECCM ADDRESS>

where **ECCM ADDRESS** is the IP address that is used for connection to the server. For example, if the server address is 100.110.2.2, the command will look as follows:

sudo ./compose-tools.sh --start 100.110.2.2

To stop the project, run the command:

sudo ./compose-tools.sh --stop

Running ECCM on a single host with Peeper integration

To monitor ECCM operating system parameters and application performance, it is recommended to deploy Peeper.

The files required to run the project are also distributed as a tar archive. You should extract the archive into a directory created in advance within the ECCM project.

Examples of commands:

cd eccm/2.6
wget "https://cloud.eltex-co.ru/index.php/s/n4RRd4rgx9pgxUO/download?path=%2F&files=peeper-client.tar" -O peeper-client.tar
tar -xvf peeper-client.tar -C peeper

Generate a token in the Grafana web interface (https://<Peeper Server address>:443). Go to the "Administration" menu → "Users and access" → "Service accounts" → "Add service account" → "Add service account token" → "Generate token".

In the peeper/.env file specify the following:

1. The IP address or domain name for connecting to the Peeper server in the PEEPER_HOST variable.
2. Set the PEEPER_EXTERNAL_MODE variable to true to avoid conflicts when creating an external network in Docker.
3. In the PEEPER_TOKEN variable, specify the token:

PEEPER_HOST="peeper.eltex.loc" # Domain name or IP address of the Peeper server
PEEPER_EXTERNAL_MODE="true" # false, if there is no external network in Docker on the server
PEEPER_TOKEN="" # Service account token created on the Peeper server

To collect information from the ECCM database, configure the peeper/.env.postgres file. An example of configuration is shown below:

POSTGRES_EXPORTER_ENABLED=true # Enable metrics collection from the PostgreSQL database
POSTGRES_HOST="100.110.2.2" # PostgreSQL database address for connecting and collecting metrics
POSTGRES_PORT="5432" # PostgreSQL database port for connecting and collecting metrics
POSTGRES_DB="" # Name of the PostgreSQL database to monitor
POSTGRES_USER="tester" # PostgreSQL database account for connecting and collecting metrics
POSTGRES_PASSWORD="tester" # Password for the $POSTGRES_USER account, required for collecting metrics

To run the ECCM project integrated with Peeper, add the --peeper command switch to the standard startup command:

sudo ./compose-tools.sh --start 100.110.2.2 --peeper

Running ECCM with a database on a separate server

• ECCM Application Server  – server on which an application is deployed that ensures the operation of the system and interaction with devices, as well as a web user interface;
• Database Server  – server with PostgreSQL 14 databases. It is possible to use one that already exists in the cluster infrastructure;
• Device Management Network  – IP network for managing equipment, through which ECCM has access via L3;
• Operator/Administrator  – system operator engaged in monitoring and configuration of the controlled equipment/system administrator of the company or Eltex technical support specialist, if remote access has been agreed upon.

If it is necessary to run ECCM on multiple servers (one server for the PostgreSQL database, the second server for the rest of the ECCM service stack), it is possible to use the multi-host installation option. To do this it is neccessary to:

1. Install Docker and Docker Compose on both servers.
2. Configure the server with databases:

2.1. To change login/password/temporary zone/RAM limits for working with the database, edit the postgres/.env file. To change parameters that affect database performance, edit the postgres/data/postgresql.conf file (the default settings are sufficient for a test run and support for about 100 devices).

2.2. Run the PostgreSQL database on the server with the database. To run the database, switch to the eccm/postgres directory and execute the command to run the container:

cd eccm/postgres
docker compose up -d

      3. Configure the server with applications:

3.1. To redefine the variables responsible for user authorization in the ECCM system and project behavior (web interface address, time zone, database address, login/password for database access, etc.), edit the “eccm/.env” file;

3.2. Run ECCM on the server with ECCM using the following command:

sudo ./compose-tools.sh --start <ECCM ADDRESS> --database-host <DB ADDRESS> --database-port <DB PORT>

where <DB ADDRESS> and <DB PORT> are the IP address and port to connect to the database server. For example, if the ECCM server address is 100.110.2.2, the database server address is 100.110.2.4, and the database server port is 5432, the command is as follows:

sudo ./compose-tools.sh --start 100.110.2.2 --database-host 100.110.2.4 --database-port 5432

Environment variables

The files required to run ECCM, containing environment and configuration variables, are located in the directory where the installation archive was extracted:

postgres/.env
postgres/data/postgresql.conf​
​eccm/.env

postgres/.env

The postgres/.env file contains variables that determine the behavior of the PostgreSQL database stack when it is launched in a container. The table below provides a description of these variables:

postgres/data/postgresql.conf

The file contains parameters that affect database performance. The default settings are sufficient for a test run and support for approximately 100 devices.

eccm/.env

The eccm/.env file contains variables that determine the behavior of the project. The table below provides a description of these variables:

./cert/server.crt

./cert/server.key

443

.env.cluster

The .env.cluster file contains variables that define the cluster's behavior when starting ECCM in a fault-tolerant system. The table below provides a description of these variables:

Web interface access

To connect to the ECCM web interface, open a browser and enter the following in the address bar:

http://<IP address of your server (ECCM_WEB_ADDRESS)>/

Options used by compose-tools.sh

Examples of use

To install Docker and Docker-compose on the host, run the command:

sudo ./compose-tools.sh --install

To update the images of all ECCM containers, run the command:

sudo ./compose-tools.sh --pull

To run the project, enter the directory containing the installation archive files and run the command:

sudo ./compose-tools.sh --start <ECCM ADDRESS>

To run and connect the project to a database installed on another host, run the command:

sudo ./compose-tools.sh --start <ECCM ADDRESS> --database-host <DB ADDRESS> --database-port <DB PORT>

To stop the project, run the command:

sudo ./compose-tools.sh --stop

To clean all containers, volumes, and ECCM networks, run the command:

sudo ./compose-tools.sh --clean

To run the project with the required logging level, add the --logging key to the launch line:

sudo ./compose-tools.sh --start <ECCM ADDRESS> --logging DEBUG

Since version 1.5, the project has a DHCP server with support for Zero Touch Provisioning (ZTP) functionality, which automatically adds devices to the system. The server is disabled by default. To activate, add the --dhcp key to the launch line.:

sudo ./compose-tools.sh --start <ECCM ADDRESS> --dhcp

To save all container images to archives .tar.gz run the command:

sudo ./compose-tools.sh --save

To convert archives with images (.tar.gz ) in docker images, run the command:

sudo ./compose-tools.sh --load

To convert a container with the new parameters, run the command (the container will be recreated according to the file.env of the corresponding compose project):

sudo ./compose-tools.sh --recreate-service monitoring-service

Known issues and solution methods

Possible errors during project installation

Error:

E: Cannot find the conntrack package

Possible reason: the system is configured with irrelevant package manager repositories.

Solution: add the actual repository to the /etc/apt/sources.list file and run the project installation:

echo "deb https://download.astralinux.ru/astra/stable/1.7_x86-64/repository-extended/ 1.7_x86-64 main contrib non-free" | sudo tee -a /etc/apt/sources.list
sudo ./compose-tools.sh --install

Possible errors during project launching

Error:

ERROR: Couldn't connect to Docker daemon at http+[docker://localhost](docker://localhost) - is it running?

Possible reason: docker daemon is not running. To check this, run the command:

sudo systemctl status docker

If the status in the Active line is different from Active (running), the cause is correctly determined.

Solution: run docker with the command:

sudo systemctl start docker

Error:

Got permission denied while trying to connect to the Docker daemon socket at [unix:///var/run/docker.sock]
(unix://intdocs.eltex.loc/var/run/docker.sock): Get http://%2Fvar%2Frun%2Fdocker.sock/v1.40/containers/json: 
dial unix /var/run/docker.sock: connect: permission denied

Possible reason: the launch was performed as an unprivileged user who was not added to the docker group.

Solution 1 (recommended): add the user to the docker group by the following command:

sudo usermod -aG docker $(whoami)

Solution 2: perform all operations with root privileges.

Error:

Services starting...
Creating network "eccm_eltex-internal" with the default driver
ERROR: Pool overlaps with other one on this address space

Possible reason: the subnet specified in ECCM_INTERNAL_SUBNETWORK, is already in use by docker.

Solution: select a different subnet in the .env file. It is possible to view subnets already created by docker using the command:

sudo docker network inspect $(docker network ls --filter "DRIVER=bridge" --format '{{ .Name }}')  -f '{{ .Name  }} {{ (index .IPAM.Config 0).Subnet }}'

Possible errors during the work of the project

Error: monitoring is not working correctly, device metrics are not collected.

Possible reason: the monitoring service does not have enough memory to work correctly. The monitoring-service logs contain entries like:

WARN  [b1a52920966f70af] [item-poll-executor  ] o.e.e.m.service.BackpressureController   : Batch size adjusted for job 'item polling': 100000 → 0 (adjustment factor: 0.000, memory usage: 97%)

Solution: increase the memory limit for the monitoring-service. To do this, increase the value of the ECCM_MONITORING_SERVICE_XMX variable in the eccm/.env file:

-ECCM_MONITORING_SERVICE_XMX=1G  <--- old value
+ECCM_MONITORING_SERVICE_XMX=2G  <--- new value

Possible errors when stopping a project

Error:

ERROR: error while removing network: network eccm_eltex-internal id 324bd72dd9c107cf2ea48effb75d9e7ad2dfbc8f5f7317b89cd7f318d61d5c4b has active endpoints

Possible cause: docker did not completely clear the cache.

Solution: restart docker using the command:

sudo systemctl restart docker 

Possible authentication errors

Error: Unable to authenticate with an LDAP account.

Possible cause: incorrect LDAP server connection configuration.

Solution: set the AUTH_ECCM_AUTHENTICATION_ENABLED=true variable in the eccm/.env file and restart the identity-provider service:

sudo ./compose-tools.sh --recreate-service identity-provider

Local account authentication will then be available.

Recommendations for ECCM technical support requests

Contact the company's Service Center for advice on system operation. Refer to the last page of this manual for contact methods.

For faster and more convenient interaction with ECCM technical support specialists, please provide the following information when contacting:

1. The installed version of ECCM and the license used;
2. Whether there is access to the Internet from the server where the firmware is deployed (no access, direct access, via NAT, via Proxy, etc.);
3. The time the issue occurred (preferably as accurate as possible);
4. Screenshot or video file if the issue occurred in the browser GUI;
5. Device information (this could be device IP address, device model) if the problem was related to some device.

Defining the ECCM version and license

It is possible to determine the installed version of ECCM using one of the following methods:

1. When downloading a release archive, look for version information in its name, eccm-2.6.tar.gz.
2. If the original tar.gz archive has been deleted, the version information can be found in the configuration file $ECCM_ROOT/eccm/.env (in a line like: ECCM_TAG=2.6).
3. Check the version information in the lower left corner of the web interface screen of the running ECCM:

1 – ECCM version;
2 – validity period of the issued license.

The license can be attached from the source file or uploaded from the ECCM web interface.

Information collection script

The script automates the collection of metrics from the ECCM system, and then packages them into a compressed archive for more convenient transportation. Designed to run on Linux/Ubuntu OS.

Running the script:

1. Enter the ~/eccm/<ECCM version> directory/:

cd ~/eccm/<ECCM version>/

2. Run the following command:

sudo ./technical_support.sh

3. Wait for the script to collect the information;
4. The <date_time>-technical_support.tar.gz archive will be loaded into the directory.

This archive can be sent to the technical support specialists to familiarize them with all the necessary information.