
General description

The NAICE system is distributed as container images intended for deployment using the Docker containerization and application management platform. All system components are managed using the Docker Compose plugin, which is designed for orchestrating multi-container applications.

Ansible playbooks are used to automate the installation process.

Installation

Below is the procedure for performing a single-host installation.

Both online and offline installation are available.

Online installation is supported on all of the listed operating systems and is described below.

Preparing the VM for running Ansible playbooks

Requirements for the host OS running Ansible playbooks

To run Ansible playbooks, use a VM running Ubuntu 24, RedOS 8.0.2, or Astra Linux 1.8.6.

Installing Ansible

Official Ansible installation documentation is available online.

Install the Ansible package along with all dependencies and other required software, using the command that matches the OS of the Ansible host:

sudo apt install ansible-core=2.16.3-0ubuntu2 sshpass -y
sudo apt install ansible-core=2.15.10-1 sshpass -y
sudo yum install ansible python3-netaddr sshpass

If Astra Linux 1.7.X is used as the target OS for NAICE deployment, ensure that the Ansible version is not higher than 2.17:

$ ansible --version

Installation is not supported on newer Ansible versions, because Astra Linux 1.7.X uses Python 3.7, which those versions do not support.

If necessary, reinstall Ansible and downgrade to the required version.

Install version 4.7.0 of the community.docker Ansible collection. To do this, download the file community-docker-4.7.0.tar.gz and place it on the Ansible host.

Example download using wget:
wget https://cloud.eltex-co.ru/index.php/s/9Hv6p4yz611fDXb/download -O community-docker-4.7.0.tar.gz

Install the collection using the following command (without sudo):

ansible-galaxy collection install community-docker-4.7.0.tar.gz

Verify the installed collection version:

ansible-galaxy collection list | grep community.docker
community.docker                         4.7.0  
community.docker                         X.X.X 

Obtaining files for running the playbook 

NAICE is a licensed product; activating its functionality requires a valid license. See v1.1_2. Licensing for details.

A license is not required at installation time; the product can be installed without activation.

Until a license is activated, NAICE operates in demo mode, in which the maximum number of network devices, active endpoints, and active guest endpoints is limited to 15 each.

To deploy the system in online mode, download the latest version archive from the v1.1_1.5 Stable versions page and place it on the host from which the playbook will be executed.

wget https://cloud.eltex-co.ru/index.php/s/YzNqFaudVREka44/download -O ansibleNaice-v1.1.1-27-03-2026.tar.gz

Extract the archive:

tar xzvf ansibleNaice-v1.1.1-27-03-2026.tar.gz

Go to the playbook directory:

cd ansibleNaice-v1.1.1-27-03-2026

Configuring access to target hosts for installation

Using login/password authentication

To configure the host on which NAICE will be deployed, edit the file: inventory/hosts.yml. In the variable ansible_host, specify the IP address or domain name of the target host, as well as the username, password, and sudo password:

---
common:
  hosts:
    # Host for performing a stand-alone NAICE installation
    common_host:
      ansible_host: <IP address or domain name of the NAICE host> 
      ansible_user: <username>
      ansible_ssh_pass: <user password>
      ansible_become_pass: <sudo password>

The specified IP address or domain name will be added to the Subject Alternative Name (SAN) field when generating a self-signed certificate during NAICE service installation.


Using SSH key authentication

By default, login/password authentication is assumed. If SSH key authentication is used (the key must be generated and placed on the target host beforehand), update ansible.cfg:

[defaults]
inventory = hosts.yml
host_key_checking = True
private_key_file = <path to the SSH key file>
deprecation_warnings = False

Then specify access parameters in hosts.yml:

---
common:
  hosts:
    common_host:
      ansible_host: <IP address or domain name of the NAICE host>
      ansible_user: <username>
      ansible_become_pass: <sudo password>

Verifying access configuration

To verify the correctness of the configured access parameters and check connectivity to the remote host, run:

ansible all --list-hosts  # check the list of hosts
ansible all -m ping       # check access to hosts

Example output when access is configured correctly:

common_host | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}

Configuring variables in the file group_vars/all.yml

Variable settings are defined in the file group_vars/all.yml and are used for configuring system services. The system will operate correctly when using the default variable values. Below are the most commonly used configuration variables.

Configuring the time zone (TZ)

To ensure correct time display in NAICE, the following parameter must be set in the group_vars/all.yml configuration file.

Variable format:

time_zone: "Region/City"

Examples:
time_zone: "Europe/Moscow"

or:
time_zone: "Asia/Novosibirsk"

Replacing default certificates for EAP-PEAP operation

  1. To use the EAP-PEAP authentication method (username/password), NAICE must have a valid RADIUS server certificate. A default public certificate is included in the naice-radius container and is ready for use. If required, it can be replaced. For correct installation, you will need:
    1. Root CA certificate; 

    2. NAICE server certificate;

    3. Private key of the NAICE server certificate.

  2. Certificates must be placed in: roles/docker/files/tls.

  3. In the group_vars/all.yml playbook variable section responsible for EAP-PEAP certificate installation, enable integration by setting:

# certificate parameters
# required ONLY if a third-party server certificate is planned for use in RADIUS
# before running the playbook, you must create a certificate directory on the target host and place all required certificates into it
# to enable installation of certificates for the EAP protocol, place the server certificate files in the ansible/roles/docker/files/tls directory
radius_cert_dir_copy: false   # enable copying certificates from ansible/roles/docker/files/tls
radius_certs_ca_cert_file: trusted_server.crt   # CA certificate filename
radius_certs_private_key_file: trusted_server.k   # server certificate private key file name 
radius_certs_private_key_password:   # server certificate private key file password (leave empty if key is not encrypted)
radius_certs_certificate_file: trusted_server_chain.crt   # server certificate filename

Description of parameters for EAP-PEAP operation:

radius_cert_dir_copy
    Controls whether certificates are copied from the directory to the target host and used by the naice-radius service.

radius_certs_ca_cert_file
    The filename of the root CA certificate.

radius_certs_private_key_file
    The filename of the server certificate's private key.

radius_certs_private_key_password
    The password for the server private key file. If not specified, no password is assumed. The password must not contain the following characters: $, ', ", `, parentheses, or spaces.

radius_certs_certificate_file
    The filename of the certificate that will be used by naice-radius when a user connects using the EAP-PEAP protocol.


Adding certificates for EAP-TLS operation  

  1. To use EAP-TLS authentication, a certificate intended for NAICE must be issued and placed on the host where the Ansible playbook will be executed. For correct installation, the following are required:

    1. Root CA certificate;

    2. NAICE server certificate;

    3. Private key of the NAICE server certificate.

  2. Certificates must be placed in: roles/docker/files/eap-tls.

  3. In the group_vars/all.yml variable section responsible for EAP-TLS certificate installation, enable integration by setting:

# parameters for EAP-TLS authentication
# certificate parameters
# to enable installation of certificates for the EAP-TLS protocol, place the server certificate files in ansible/roles/docker/files/eap-tls
radius_eap_tls_cert_dir_copy: false # enable (true) or disable (false) copying certificates from ansible/roles/docker/files/eap-tls
radius_eap_tls_certs_ca_cert_file: trusted_server.crt # filename of the root CA certificate
radius_eap_tls_certs_private_key_file: trusted_server.k # filename of the server certificate’s private key
radius_eap_tls_certs_private_key_password:  # password for the server private key file (leave empty if the key is not encrypted)
radius_eap_tls_certs_certificate_file: trusted_server_chain.crt # filename of the server certificate
# OCSP certificate revocation checking settings
radius_eap_tls_ocsp_enable: 'true' # enable certificate revocation status checking via OCSP
radius_eap_tls_ocsp_override_url: 'true' # use the OCSP service URL from the certificate
radius_eap_tls_ocsp_url: 'http://100.110.2.12/ocsp' # URL of the OCSP service
radius_eap_tls_ocsp_softfail: 'true' # soft-fail mode: if OCSP is unavailable, authentication continues
radius_eap_tls_ocsp_timeout: 0 # timeout for OCSP requests
radius_eap_tls_ocsp_use_nonce: 'true' # include a nonce in OCSP requests (may also appear in the response)

Description of parameters for EAP-TLS operation

radius_eap_tls_cert_dir_copy
    Controls whether certificates are copied from the directory to the target host and used by the naice-radius service.

radius_eap_tls_certs_ca_cert_file
    The filename of the root CA certificate.

radius_eap_tls_certs_private_key_file
    The filename of the server certificate's private key.

radius_eap_tls_certs_private_key_password
    The password for the server private key file. If not specified, no password is assumed. The password must not contain the following characters: $, ', ", `, parentheses, or spaces.

radius_eap_tls_certs_certificate_file
    The filename of the certificate that will be used by naice-radius when a user connects using the EAP-TLS protocol.

radius_eap_tls_ocsp_enable
    Enables certificate revocation status checking via the OCSP protocol (false | true). Default: false (checking disabled).

radius_eap_tls_ocsp_override_url
    Source of the OCSP server URL: false, use the URL from the client certificate; true, use the URL specified in radius_eap_tls_ocsp_url. Default: false.

radius_eap_tls_ocsp_url
    The URL of the OCSP responder (HTTP only).

radius_eap_tls_ocsp_softfail
    Behavior when the OCSP server is unavailable (false | true): false, terminate authentication if the OCSP server cannot be reached; true, continue authentication without revocation checking.

radius_eap_tls_ocsp_timeout
    Timeout for contacting the OCSP server (in seconds). Default: 0.

radius_eap_tls_ocsp_use_nonce
    Enables including a nonce value in OCSP requests to prevent replay attacks (false | true). Default: true.
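The time zone, EAP-PEAP and EAP-TLS sections above all depend on values in group_vars/all.yml and on files placed under roles/docker/files before the playbook runs, and a mismatched key, a missing file or a password with a forbidden character only surfaces once naice-radius starts. The script below is an added example, not part of the NAICE playbook or of Eltex's distribution: it reads the variables named on this page from all.yml and checks them on the Ansible host before install-naice.yml is run. The variable names and the tls/ and eap-tls/ directories are taken from the page; the check logic, the ZONEINFO_DIR override and the use of openssl for the key/certificate and chain checks are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the NAICE playbook: pre-flight checks for the
# group_vars/all.yml values described above (time_zone, EAP-PEAP and EAP-TLS
# certificate settings, OCSP URL), run on the Ansible host before
# ansible-playbook install-naice.yml. Variable names and directory layout follow
# the page; the check logic is this example's own. ZONEINFO_DIR may point at a
# directory other than /usr/share/zoneinfo.
set -u

# Read one scalar from a flat YAML file: strip the trailing "# comment" and
# surrounding quotes. Prints nothing if the key is absent or has no value.
yaml_value() {  # yaml_value FILE KEY
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 \
        | sed -e 's/[[:space:]]*#.*$//' -e "s/^['\"]//" -e "s/['\"][[:space:]]*$//"
}

# The page forbids $ ' " ` ( ) and spaces in the private-key password.
FORBIDDEN_PW_CHARS="\$'\"\`() "
password_ok() {  # password_ok PASSWORD (empty means an unencrypted key)
    [ "$(printf '%s' "$1" | tr -d "$FORBIDDEN_PW_CHARS")" = "$1" ]
}

# A valid zone is a Region/City file under the zoneinfo directory.
tz_ok() {  # tz_ok ZONE
    case "$1" in
        ""|/*|*..*) return 1 ;;
        */*) [ -f "${ZONEINFO_DIR:-/usr/share/zoneinfo}/$1" ] ;;
        *) return 1 ;;
    esac
}

# Every listed file must exist and be non-empty in DIR.
certs_present() {  # certs_present DIR FILE...
    dir=$1; shift; rc=0
    for f in "$@"; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; rc=1; }
    done
    return $rc
}

# The public key inside the private key must equal the one in the certificate
# (needs openssl; PASSWORD is passed as "" for an unencrypted key).
key_matches_cert() {  # key_matches_cert KEY_FILE CERT_FILE PASSWORD
    if [ -n "$3" ]; then
        k=$(openssl pkey -in "$1" -passin "pass:$3" -pubout 2>/dev/null)
    else
        k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    fi
    [ -n "$k" ] && [ "$k" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# The server certificate (first in the chain file) must verify against the CA;
# the remaining certificates in the chain file are offered as untrusted intermediates.
chain_ok() {  # chain_ok CA_FILE CHAIN_FILE
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# The page states that the OCSP responder URL is HTTP only.
ocsp_url_ok() { case "$1" in http://?*) return 0 ;; *) return 1 ;; esac; }

preflight() {  # preflight PATH/TO/group_vars/all.yml [roles/docker/files]
    vars=$1; files=${2:-roles/docker/files}; rc=0

    tz=$(yaml_value "$vars" time_zone)
    tz_ok "$tz" || { echo "time_zone '$tz' is not a Region/City zone" >&2; rc=1; }

    # EAP-PEAP files live in tls/, EAP-TLS files in eap-tls/: same three files, same checks.
    for pair in radius_certs:tls radius_eap_tls_certs:eap-tls; do
        p=${pair%%:*}; dir=$files/${pair##*:}
        # With *_cert_dir_copy left at false the defaults in the image are used; nothing to check.
        [ "$(yaml_value "$vars" "${p%_certs}_cert_dir_copy")" = "true" ] || continue
        ca=$(yaml_value "$vars" "${p}_ca_cert_file")
        key=$(yaml_value "$vars" "${p}_private_key_file")
        crt=$(yaml_value "$vars" "${p}_certificate_file")
        pw=$(yaml_value "$vars" "${p}_private_key_password")
        certs_present "$dir" "$ca" "$key" "$crt" || { rc=1; continue; }
        password_ok "$pw" || { echo "$p: password has a forbidden character" >&2; rc=1; }
        key_matches_cert "$dir/$key" "$dir/$crt" "$pw" || { echo "$p: key does not match certificate" >&2; rc=1; }
        chain_ok "$dir/$ca" "$dir/$crt" || { echo "$p: certificate does not chain to the CA" >&2; rc=1; }
    done

    # Only relevant when OCSP is on and the URL comes from all.yml rather than the client certificate.
    if [ "$(yaml_value "$vars" radius_eap_tls_ocsp_enable)" = "true" ] &&
       [ "$(yaml_value "$vars" radius_eap_tls_ocsp_override_url)" = "true" ]; then
        url=$(yaml_value "$vars" radius_eap_tls_ocsp_url)
        ocsp_url_ok "$url" || { echo "radius_eap_tls_ocsp_url '$url' is not an http:// URL" >&2; rc=1; }
    fi
    return $rc
}

# Usage: bash preflight.sh group_vars/all.yml [roles/docker/files]
if [ $# -gt 0 ]; then
    preflight "$@" && echo "pre-flight checks passed"
fi
```

Run it from the extracted playbook directory; a non-zero exit with the reason on stderr means the playbook would copy a set of certificates that naice-radius cannot use. The key/certificate and chain checks rely on openssl being installed on the Ansible host.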

Other variables (optional)

If necessary, modify additional environment variables in group_vars/all.yml. For example, you can change the NAICE service installation directory or specify an external NAICE address different from the management address.

NAICE installation 

For deploying NAICE services in a single-host installation, use the playbook install-naice.yml.

Run the install-naice.yml playbook to install the Docker containerization service, the Docker Compose plugin, and to start NAICE services via this plugin:

ansible-playbook install-naice.yml

During the installation of NAICE services, a self-signed certificate is automatically generated for the user interfaces lemmus, gavia, and larus. If you have your own trusted certificate, it can be installed after the services are deployed, replacing the default self-signed certificate. Detailed information on using security certificates can be found in the section v1.1_3.7 Using security certificates.

Because NAICE uses healthcheck mechanisms to verify successful startup, initializing the containers may take several minutes. Wait until the playbook execution is fully completed.

Checking service status after installation

To check whether the containers have started successfully, navigate to the NAICE installation directory (default: /etc/docker-naice/) and run the following command to view the list and status of containers: docker compose ps -a.

The example is shown for Ubuntu 24.04 LTS and may differ for other OSes, depending on the docker compose version:

$ sudo docker compose ps -a
NAME             IMAGE                                                           COMMAND                  SERVICE         CREATED         STATUS                   PORTS
epg-service      naice-build-hosted.registry.eltex.loc/naice/epg-service:1.1-3   "/bin/sh -e /usr/loc…"   epg-service     5 minutes ago   Up 5 minutes (healthy)   0.0.0.0:8100->8100/tcp, [::]:8100->8100/tcp
naice-aquila     naice-release.registry.eltex.loc/naice-aquila:1.1               "java -cp @/app/jib-…"   naice-aquila    5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8091->8091/tcp, [::]:8091->8091/tcp, 0.0.0.0:49->1049/tcp, [::]:49->1049/tcp
naice-bubo       naice-release.registry.eltex.loc/naice-bubo:1.1                 "java -cp @/app/jib-…"   naice-bubo      5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8093->8093/tcp, [::]:8093->8093/tcp
naice-castor     naice-release.registry.eltex.loc/naice-castor:1.1               "java -Djava.awt.hea…"   naice-castor    5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8095->8095/tcp, [::]:8095->8095/tcp
naice-cetus      naice-release.registry.eltex.loc/naice-cetus:1.1                "java -cp @/app/jib-…"   naice-cetus     5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8099->8099/tcp, [::]:8099->8099/tcp
naice-gavia      naice-release.registry.eltex.loc/naice-gavia:1.1                "java -cp @/app/jib-…"   naice-gavia     5 minutes ago   Up 3 minutes (healthy)   0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp
naice-gulo       naice-release.registry.eltex.loc/naice-gulo:1.1                 "java -cp @/app/jib-…"   naice-gulo      5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8089->8089/tcp, [::]:8089->8089/tcp
naice-lemmus     naice-release.registry.eltex.loc/naice-lemmus:1.1               "java -cp @/app/jib-…"   naice-lemmus    5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8083->8083/tcp, [::]:8083->8083/tcp
naice-lepus      naice-release.registry.eltex.loc/naice-lepus:1.1                "java -cp @/app/jib-…"   naice-lepus     5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8087->8087/tcp, [::]:8087->8087/tcp, 0.0.0.0:67->1024/udp, [::]:67->1024/udp
naice-mustela    naice-release.registry.eltex.loc/naice-mustela:1.1              "java -cp @/app/jib-…"   naice-mustela   5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8070->8070/tcp, [::]:8070->8070/tcp
naice-nats       naice-build-hosted.registry.eltex.loc/naice/nats:1.1.7          "docker-entrypoint.s…"   nats            5 minutes ago   Up 5 minutes (healthy)   4222/tcp, 6222/tcp, 7777/tcp, 0.0.0.0:8222->8222/tcp, [::]:8222->8222/tcp
naice-ovis       naice-release.registry.eltex.loc/naice-ovis:1.1                 "java -cp @/app/jib-…"   naice-ovis      5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8084->8084/tcp, [::]:8084->8084/tcp
naice-phoca      naice-release.registry.eltex.loc/naice-phoca:1.1                "java -cp @/app/jib-…"   naice-phoca     5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8097->8097/tcp, [::]:8097->8097/tcp
naice-postgres   naice-build-hosted.registry.eltex.loc/naice/postgres:1.1.6      "docker-entrypoint.s…"   postgres        6 minutes ago   Up 5 minutes (healthy)   5432/tcp
naice-radius     naice-release.registry.eltex.loc/naice-radius:1.1               "/docker-entrypoint.…"   naice-radius    5 minutes ago   Up 5 minutes (healthy)   0.0.0.0:1812-1813->1812-1813/udp, [::]:1812-1813->1812-1813/udp, 0.0.0.0:9812->9812/tcp, [::]:9812->9812/tcp
naice-sterna     naice-release.registry.eltex.loc/naice-sterna:1.1               "/docker-entrypoint.…"   naice-sterna    5 minutes ago   Up 3 minutes (healthy)   80/tcp, 0.0.0.0:8443->444/tcp, [::]:8443->444/tcp
naice-ursus      naice-release.registry.eltex.loc/naice-ursus:1.1                "java -cp @/app/jib-…"   naice-ursus     5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8081->8081/tcp, [::]:8081->8081/tcp
naice-vulpus     naice-release.registry.eltex.loc/naice-vulpus:1.1               "java -cp @/app/jib-…"   naice-vulpus    5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8086->8086/tcp, [::]:8086->8086/tcp
naice-web        naice-release.registry.eltex.loc/naice-web:1.1                  "/docker-entrypoint.…"   naice-web       5 minutes ago   Up 2 minutes (healthy)   80/tcp, 0.0.0.0:443->443/tcp, [::]:443->443/tcp, 0.0.0.0:80->4200/tcp, [::]:80->4200/tcp
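Because the healthchecks can keep containers in a starting state for several minutes, an operator usually wants to poll the status rather than read the table once, and the PORTS column shows which services are published on all interfaces (0.0.0.0) and therefore need to be covered by the host firewall. The script below is an added example, not part of the NAICE distribution: it parses the table layout shown above, lists containers that do not report (healthy), waits until all of them do, and prints the published host ports. The column layout, the installation directory and the "(healthy)" marker come from the page; the wait loop, its default 600-second timeout and the port inventory are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the NAICE distribution: checks over the output of
# "docker compose ps -a", run from the NAICE installation directory (by default
# /etc/docker-naice/). The table layout assumed is the one shown above; the wait
# loop and the port inventory are this example's own.
set -u

# Names of containers whose STATUS column does not report "(healthy)".
# Reads the compose table on stdin and skips the header line.
not_healthy() {
    awk 'NR > 1 && $0 !~ /\(healthy\)/ { print $1 }'
}

# Host ports published on all interfaces (0.0.0.0:HOST->CONTAINER/PROTO), printed
# as "HOST->CONTAINER/PROTO", one per line, for comparison with the firewall policy.
# The [::]:... entries repeat the same publications for IPv6 and are skipped.
exposed_ports() {
    grep -o '0\.0\.0\.0:[0-9-]*->[0-9-]*/[a-z]*' | sed 's/^0\.0\.0\.0://' | sort -u
}

# Poll docker compose until every container is healthy, or fail after TIMEOUT seconds.
wait_healthy() {  # wait_healthy [TIMEOUT_SECONDS]
    deadline=$(( $(date +%s) + ${1:-600} ))
    while :; do
        pending=$(docker compose ps -a | not_healthy)
        [ -z "$pending" ] && return 0
        if [ "$(date +%s)" -ge "$deadline" ]; then
            echo "still not healthy:" $pending >&2
            return 1
        fi
        sleep 10
    done
}

# Usage: sudo bash compose-check.sh [TIMEOUT]
# Waits for the services, then prints the host ports published on 0.0.0.0.
if [ $# -gt 0 ]; then
    wait_healthy "$1" && docker compose ps -a | exposed_ports
fi
```

The wait loop exits non-zero with the names of the containers still not healthy, which is the point to inspect with docker compose logs for that service; the port list is what to reconcile with the firewall rules on the NAICE host.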