General description

The NAICE system is distributed as container images intended for deployment using the Docker containerization and application management platform. All system components are managed using the Docker Compose plugin, which is designed for orchestrating multi-container applications.

Ansible playbooks are used to automate the installation process.

Installation

Below is the procedure for performing a single-host installation.

Instructions for deploying NAICE in a high-availability configuration are provided in v1.0_3.3 High-availability installation.

The online installation procedure described below applies to all supported operating systems.


Installing Ansible

To run the playbooks, Ansible must be installed on a host that has SSH access to the target host.

The recommended operating system for running the playbooks is Ubuntu 24.04.

The minimum Ansible version required for correct installation is 2.16.3.

For Astra Linux 1.7.5 / 1.7.6, the Ansible version must not exceed 2.17.12.

Official Ansible installation documentation is available online.

In addition to the methods described in the documentation, Ansible can be installed on a Linux host via the apt utility (including the required sshpass utility):

sudo apt install ansible sshpass -y

Packages are available in the default repositories of most Linux distributions.

On Ubuntu 22.04 the ansible package from apt is older than the required 2.16.3, so after installing it Ansible must be updated using pip3, the Python 3 package manager.

Install the python3-pip package manager:

sudo apt install python3-pip -y

Install Ansible using pip3 (run without sudo, as the playbooks will be executed under this user; pip places the new ansible binary in ~/.local/bin, which must come before /usr/bin in PATH so that ansible --version reports the updated release rather than the apt one):

pip3 install ansible==9.0.1



For correct installation on RedOS 7/8, the community.docker Ansible collection must be updated manually to version 4.7.0.

Download the community-docker-4.7.0.tar.gz archive to the host where Ansible is installed (the one from which the playbooks will be run, since ansible-galaxy installs collections for that host's Ansible):

wget https://cloud.eltex-co.ru/index.php/s/9Hv6p4yz611fDXb/download -O community-docker-4.7.0.tar.gz

Install the collection for the current user (without sudo, under the same user that will run the playbooks):

$ ansible-galaxy collection install community-docker-4.7.0.tar.gz

Check the installed collection versions. Two entries are expected: the copy bundled with the ansible package (2.7.3 on RedOS 7.3.4/7.3.5, 3.7.0 on RedOS 8.0) and the user-installed 4.7.0, which is listed first because it sits earlier in the collections path and is therefore the one used:

For RedOS 7.3.4/7.3.5
$ ansible-galaxy collection list | grep community.docker
community.docker                         4.7.0
community.docker              2.7.3

For RedOS 8.0
$ ansible-galaxy collection list | grep community.docker
community.docker                         4.7.0
community.docker                         3.7.0

Obtaining files for running the playbook

NAICE is a licensed product; activating its functionality requires a valid license. See v1.0_2. Licensing for details.

A license is not required at installation time; the product can be installed without activation.

Until a license is activated, NAICE operates in demo mode, in which the maximum number of network devices, active endpoints, and active guest endpoints is limited to 15 each.

To deploy the system in online mode, download the archive ansibleNaice-v1.0.2-16-01-2026.tar.gz to the host from which the playbook will be executed:

wget https://cloud.eltex-co.ru/index.php/s/Stk6sfQV4JeITQR/download -O ansibleNaice-v1.0.2-16-01-2026.tar.gz

Extract the archive:

tar xzvf ansibleNaice-v1.0.2-16-01-2026.tar.gz

Go to the playbook directory:

cd ansibleNaice-v1.0.2-16-01-2026

Configuring access to target hosts for installation 

Using login/password authentication

To configure the host on which NAICE will be deployed, edit the file inventory/hosts.yml. Set ansible_host to the IP address or domain name of the target host, and ansible_user, ansible_ssh_pass and ansible_become_pass to the username, the user's password and the sudo password. These passwords are stored in plain text, so restrict the file to the user running the playbooks (chmod 600) or keep the password values encrypted with ansible-vault:

---
common:
  hosts:
    # Host for performing a stand-alone NAICE installation
    common_host:
      ansible_host: <IP address or domain name of the NAICE host> 
      ansible_user: <username>
      ansible_ssh_pass: <user password>
      ansible_become_pass: <sudo password>


The specified IP address or domain name will be added to the Subject Alternative Name (SAN) field of the self-signed certificate generated for the NAICE web services during installation. A certificate only matches the names it carries, so enter the address through which users will actually open the web interface; if they will reach NAICE by a different name or external address, set the external address variable in group_vars/all.yml (see Other variables) or replace the self-signed certificate after installation.


Using SSH key authentication

By default, login/password authentication is assumed. To use SSH key authentication instead (the key pair must be generated beforehand and the public key placed in the target user's authorized_keys), update ansible.cfg. With host_key_checking = True, Ansible refuses to connect to a host whose SSH host key is not already in the control host's known_hosts, so connect to the target once with ssh and verify its fingerprint before running the playbook rather than disabling the check:

[defaults]
inventory = hosts.yml
host_key_checking = True
private_key_file = <path to the SSH key file>
deprecation_warnings = False

Then specify access parameters in hosts.yml:

---
common:
  hosts:
    common_host:
      ansible_host: <IP address or domain name of the NAICE host>
      ansible_user: <username>
      ansible_become_pass: <sudo password>

Verifying access configuration

To verify the correctness of the configured access parameters and check connectivity to the remote host, run:

ansible all --list-hosts  # check the list of hosts
ansible all -m ping       # check access to hosts

Example output when access is configured correctly:

common_host | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}

Configuring variables in the file group_vars/all.yml

Variable settings are defined in the file group_vars/all.yml and are used for configuring system services. The system will operate correctly when using the default variable values. Below are the most commonly used configuration variables.

Configuring the time zone (TZ)

To ensure correct time display in NAICE, the following parameter must be set in the group_vars/all.yml configuration file.

Variable format:

time_zone: "Region/City"

Examples:
time_zone: "Europe/Moscow"

or:
time_zone: "Asia/Novosibirsk"

Checking connectivity to the central Eltex licensing server (Online ELM)

Network connectivity must be ensured between NAICE and the ELM server. To check accessibility, run the following command on the host where NAICE is deployed (the -k option disables TLS certificate verification, so this confirms reachability only, not the identity of the server):

curl -k https://elm.eltex-co.ru:8099/elm/Hello

If the ELM server is available, the output will look like this:

{"status":2,"result":"OK","server-info":{"version":"1.5","build":"10","root":true,"serverType":"elm","daemonMode":"server","serverMode":"root","protocolSupported":2,"protocolActual":4,"server-type":"elm","protocol-supported":2,"protocol-actual":4}}

Configuring connection to the Online ELM licensing server via HTTP proxy

NAICE supports connecting to the Online ELM licensing server through an HTTP proxy server.

Supported connection modes: through a proxy that requires no authentication, and through a proxy that requires username/password authentication.

To configure access through an HTTP proxy server, specify the following parameters in the group_vars/all.yml configuration file:

gulo_proxy_host: "<IP address of the HTTP proxy server>"
gulo_proxy_port: "<HTTP proxy server port>"
gulo_proxy_login: "<username for authentication on the HTTP proxy server>"
gulo_proxy_password: "<password for authentication on the HTTP proxy server>"

By default, all parameters are empty, which means the system will attempt a direct connection to the Online ELM server.

If authentication on the HTTP proxy is not required, leave gulo_proxy_login and gulo_proxy_password empty.

Stable network connectivity between NAICE and the HTTP proxy server that relays traffic to the Online ELM server must be ensured. To check accessibility of the Online ELM server through the HTTP proxy, run one of the following commands on the NAICE host (the first for a proxy without authentication, the second for a proxy with username/password; credentials placed in the URL end up in the shell history and are visible in the process list while curl runs):

curl -k -x http://<IP address of the HTTP proxy server>:<HTTP proxy server port> https://elm.eltex-co.ru:8099/elm/Hello
curl -k -x http://user:password@<IP address of the HTTP proxy server>:<HTTP proxy server port> https://elm.eltex-co.ru:8099/elm/Hello

If the Online ELM server is available, the output will look like this:

{"status":2,"result":"OK","server-info":{"version":"1.5","build":"10","root":true,"serverType":"elm","daemonMode":"server","serverMode":"root","protocolSupported":2,"protocolActual":4,"server-type":"elm","protocol-supported":2,"protocol-actual":4}}

Specifying the licensing server address (for Offline ELM licensing)

If the Offline ELM licensing model is used, specify the server address in the playbook variable file group_vars/all.yml:

gulo_elm_server_url: https://<Offline ELM IP address>:<Offline ELM port>

By default, Offline ELM runs on port 8099.

If licensing is performed through the central Eltex Online ELM server, this variable does not need to be changed.

Network connectivity between NAICE and the ELM server must be ensured. To check accessibility:

curl -k https://<ELM IP address>:<ELM port>/elm/Hello

If the ELM server is available, the output will look like this:

{"server-info":{"version":"1.4","build":"14","root":false,"serverType":"elm","daemonMode":"server","serverMode":"offline","protocolSupported":3,"protocolActual":3,"server-type":"elm","protocol-supported":3,"protocol-actual":3},"status":2,"result":"OK"}

Replacing default certificates for EAP-PEAP operation

To use the EAP-PEAP authentication method (username/password), NAICE must have a valid RADIUS server certificate. A default public certificate is included in the naice-radius container and is ready for use. Because supplicants rely on this certificate to verify that they are talking to the legitimate RADIUS server, a default certificate shared by every installation should be replaced in production with one issued by a CA your clients trust. To replace it you will need:

  1. the root CA certificate;

  2. the NAICE server certificate;

  3. the private key of the NAICE server certificate.

Procedure:

  1. Place the files in roles/docker/files/tls on the host from which the playbook will be executed.

  2. In the section of group_vars/all.yml responsible for EAP-PEAP certificate installation, set radius_cert_dir_copy to true and enter the file names:

    # certificate parameters
    # required ONLY if a third-party server certificate is planned for use in RADIUS
    # place the certificate files in ansible/roles/docker/files/tls before running the playbook;
    # with radius_cert_dir_copy: true the playbook copies them to the target host for use by naice-radius
    radius_cert_dir_copy: false   # enable (true) copying certificates from ansible/roles/docker/files/tls
    radius_certs_ca_cert_file: trusted_server.crt   # CA certificate filename
    radius_certs_private_key_file: trusted_server.k   # server certificate private key filename
    radius_certs_private_key_password:   # server certificate private key password (leave empty if the key is not encrypted)
    radius_certs_certificate_file: trusted_server_chain.crt   # server certificate filename

Description of parameters for EAP-PEAP operation:

    radius_cert_dir_copy
        Controls copying the certificates from the directory to the target host and using them in the naice-radius service.

    radius_certs_ca_cert_file
        Filename of the root CA certificate.

    radius_certs_private_key_file
        Filename of the server certificate's private key.

    radius_certs_private_key_password
        Password for the server private key file. If not specified, the key is assumed to be unencrypted. The password must not contain the following characters: $, ', ", `, parentheses, or spaces.

    radius_certs_certificate_file
        Filename of the certificate that naice-radius presents when a user connects using the EAP-PEAP protocol.


Adding certificates for EAP-TLS operation

To use EAP-TLS authentication (client certificates), a certificate intended for NAICE must be issued and placed on the host where the Ansible playbook will be executed. You will need:

  1. the root CA certificate;

  2. the NAICE server certificate;

  3. the private key of the NAICE server certificate.

Procedure:

  1. Place the files in roles/docker/files/eap-tls.

  2. In the section of group_vars/all.yml responsible for EAP-TLS certificate installation, set radius_eap_tls_cert_dir_copy to true, enter the file names and choose the OCSP revocation-checking settings:

    # parameters for EAP-TLS authentication
    # certificate parameters
    # to enable installation of certificates for the EAP-TLS protocol, place the server certificate files in ansible/roles/docker/files/eap-tls
    radius_eap_tls_cert_dir_copy: false # enable (true) or disable (false) copying certificates from ansible/roles/docker/files/eap-tls
    radius_eap_tls_certs_ca_cert_file: trusted_server.crt # filename of the root CA certificate
    radius_eap_tls_certs_private_key_file: trusted_server.k # filename of the server certificate's private key
    radius_eap_tls_certs_private_key_password:  # password for the server private key file (leave empty if the key is not encrypted)
    radius_eap_tls_certs_certificate_file: trusted_server_chain.crt # filename of the server certificate
    # OCSP certificate revocation checking settings
    radius_eap_tls_ocsp_enable: 'true' # enable certificate revocation status checking via OCSP
    radius_eap_tls_ocsp_override_url: 'true' # 'true': use radius_eap_tls_ocsp_url instead of the OCSP URL from the client certificate
    radius_eap_tls_ocsp_url: 'http://100.110.2.12/ocsp' # URL of the OCSP service
    radius_eap_tls_ocsp_softfail: 'true' # soft-fail mode: if OCSP is unavailable, authentication continues
    radius_eap_tls_ocsp_timeout: 0 # timeout for OCSP requests (seconds)
    radius_eap_tls_ocsp_use_nonce: 'true' # include a nonce in OCSP requests (replay protection)

Description of parameters for EAP-TLS operation:

    radius_eap_tls_cert_dir_copy
        Controls copying the certificates from the directory to the target host and using them in the naice-radius service.

    radius_eap_tls_certs_ca_cert_file
        Filename of the root CA certificate.

    radius_eap_tls_certs_private_key_file
        Filename of the server certificate's private key.

    radius_eap_tls_certs_private_key_password
        Password for the server private key file. If not specified, the key is assumed to be unencrypted. The password must not contain the following characters: $, ', ", `, parentheses, or spaces.

    radius_eap_tls_certs_certificate_file
        Filename of the certificate that naice-radius presents when a user connects using the EAP-TLS protocol.

    radius_eap_tls_ocsp_enable
        Enables certificate revocation status checking via the OCSP protocol (false | true). Default: false (checking disabled).

    radius_eap_tls_ocsp_override_url
        Source of the OCSP responder URL: false uses the URL from the client certificate; true uses the URL specified in radius_eap_tls_ocsp_url. Default: false.

    radius_eap_tls_ocsp_url
        URL of the OCSP responder (HTTP only).

    radius_eap_tls_ocsp_softfail
        Behaviour when the OCSP responder is unavailable (false | true): false terminates authentication if the responder cannot be reached; true continues authentication without a revocation check. With true, a client whose responder is unreachable (or blocked) is accepted even if its certificate has been revoked, so prefer false wherever the responder is reliably reachable from NAICE.

    radius_eap_tls_ocsp_timeout
        Timeout for contacting the OCSP responder (in seconds). Default: 0.

    radius_eap_tls_ocsp_use_nonce
        Includes a nonce in OCSP requests to prevent replayed responses (false | true). Default: true.
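Before setting radius_cert_dir_copy or radius_eap_tls_cert_dir_copy to true it pays to verify the material on the playbook host, because a mismatched key or a password that breaks quoting only shows up as naice-radius failing its healthcheck later. The following Python script is an added example and not part of the NAICE playbooks; it checks the password against the forbidden characters listed above, confirms the three files exist and are PEM, uses the openssl command-line tool (assumed to be installed on the playbook host) to confirm that the private key belongs to the server certificate and that the chain verifies against the CA, and reviews the radius_eap_tls_ocsp_* values for the bypass discussed under softfail. The default file names are the ones from the fragments above; the function names and the check_ocsp_settings rules are the example's own.

```python
"""Pre-flight checks for the RADIUS certificate files (EAP-PEAP: roles/docker/files/tls,
EAP-TLS: roles/docker/files/eap-tls) and the OCSP variables. Added example; not part of
the NAICE playbooks. Requires the openssl CLI for the two cryptographic checks."""
import subprocess
from pathlib import Path
from typing import List

# Characters the guide forbids in radius_certs_private_key_password and
# radius_eap_tls_certs_private_key_password.
FORBIDDEN_PASSWORD_CHARS = set("$'\"`() ")


def check_key_password(password: str) -> List[str]:
    """Return the forbidden characters present in the password (empty list = acceptable)."""
    return sorted(c for c in set(password) if c in FORBIDDEN_PASSWORD_CHARS)


def check_cert_dir(cert_dir: str, ca_file: str = "trusted_server.crt",
                   key_file: str = "trusted_server.k",
                   cert_file: str = "trusted_server_chain.crt") -> List[str]:
    """List what is wrong with the directory the playbook copies from: missing files,
    or a CA/server file that is not a PEM certificate. Empty list = ready to copy."""
    problems = []
    base = Path(cert_dir)
    for name in (ca_file, key_file, cert_file):
        path = base / name
        if not path.is_file():
            problems.append(f"missing {path}")
        elif name != key_file and b"-----BEGIN CERTIFICATE-----" not in path.read_bytes():
            problems.append(f"{path} is not a PEM certificate")
    return problems


def key_matches_cert(key_path: str, cert_path: str, password: str = "") -> bool:
    """True when the public key inside the server certificate equals the one derived
    from the private key. The password is fed to openssl on stdin (-passin stdin), so it
    never appears in the process list or in a shell command line."""
    cert_pub = subprocess.run(["openssl", "x509", "-noout", "-pubkey", "-in", cert_path],
                              capture_output=True, text=True, check=True).stdout
    cmd = ["openssl", "pkey", "-pubout", "-in", key_path]
    stdin = None
    if password:
        cmd += ["-passin", "stdin"]
        stdin = password + "\n"
    key_pub = subprocess.run(cmd, input=stdin, capture_output=True, text=True,
                             check=True).stdout
    return cert_pub.strip() == key_pub.strip()


def chain_verifies(ca_path: str, chain_path: str) -> bool:
    """openssl verify of the first certificate in the chain file against the CA, with
    the same file offered as untrusted intermediates so a leaf+intermediate chain passes."""
    result = subprocess.run(["openssl", "verify", "-CAfile", ca_path,
                             "-untrusted", chain_path, chain_path],
                            capture_output=True, text=True)
    return result.returncode == 0


def check_ocsp_settings(enable: str, override_url: str, url: str, softfail: str) -> List[str]:
    """Review the radius_eap_tls_ocsp_* values (YAML strings 'true'/'false' as in the
    guide). Returns findings; an empty list means nothing to flag."""
    if enable != "true":
        return ["revocation checking is disabled (radius_eap_tls_ocsp_enable != 'true')"]
    notes = []
    if override_url == "true":
        if not url:
            notes.append("radius_eap_tls_ocsp_override_url is 'true' but radius_eap_tls_ocsp_url is empty")
        elif not url.startswith("http://"):
            notes.append("radius_eap_tls_ocsp_url must be an http:// URL (the responder is HTTP only)")
    if softfail == "true":
        notes.append("softfail 'true': a client whose OCSP responder is unreachable is still "
                     "authenticated, so revocation can be bypassed by blocking the responder")
    return notes


if __name__ == "__main__":
    import sys
    # Usage: python3 radius_cert_check.py <cert dir> [key password]
    cert_dir = sys.argv[1] if len(sys.argv) > 1 else "roles/docker/files/tls"
    password = sys.argv[2] if len(sys.argv) > 2 else ""
    findings = [f"password contains forbidden character {c!r}" for c in check_key_password(password)]
    findings += check_cert_dir(cert_dir)
    if not findings:
        key = f"{cert_dir}/trusted_server.k"
        chain = f"{cert_dir}/trusted_server_chain.crt"
        if not key_matches_cert(key, chain, password):
            findings.append("private key does not match the server certificate")
        if not chain_verifies(f"{cert_dir}/trusted_server.crt", chain):
            findings.append("server certificate does not verify against the CA certificate")
    print("\n".join(findings) or "OK")
    sys.exit(1 if findings else 0)
```

Run it against roles/docker/files/tls for EAP-PEAP and roles/docker/files/eap-tls for EAP-TLS before the playbook; a non-zero exit means the playbook would copy material that naice-radius cannot use.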


Other variables (optional)

If necessary, modify additional environment variables in group_vars/all.yml. For example, you can change the NAICE service installation directory or specify an external NAICE address different from the management address.

NAICE installation 

For deploying NAICE services in a single-host installation, use the playbook install-naice.yml.

Run the install-naice.yml playbook to install the Docker containerization service, the Docker Compose plugin, and to start NAICE services via this plugin:

ansible-playbook install-naice.yml


During the installation of NAICE services, a self-signed certificate is automatically generated for the user interfaces lemmus, gavia, and larus. If you have your own trusted certificate, it can be installed after the services are deployed, replacing the default self-signed certificate. Detailed information on using security certificates can be found in the corresponding section.


Because NAICE uses healthcheck mechanisms to verify successful startup, initializing the containers may take several minutes. Wait until the playbook execution is fully completed.

Checking service status after installation

To check whether the containers have started successfully, navigate to the NAICE installation directory (default: /etc/docker-naice/) and run docker compose ps -a to view the list and status of containers. Every container should show (healthy) in the STATUS column; the output should look similar to the following (minor differences are possible depending on the operating system). Note that every published port is bound to 0.0.0.0 and :::, i.e. to all interfaces of the host, so access to them (49/tcp, 67/udp, 1812-1813/udp, 80/tcp, 443/tcp, 8443/tcp and the 80xx/9812/8222 service ports) should be restricted with a host firewall to the networks that need them; ports listed without a host mapping (for example 5432/tcp of postgres and 4222/tcp of nats) are reachable only on the Docker network.

$ cd /etc/docker-naice/
/etc/docker-naice$ sudo docker compose ps -a
NAME                IMAGE                                                           COMMAND                  SERVICE             CREATED             STATUS                        PORTS
epg-service         naice-build-hosted.registry.eltex.loc/naice/epg-service:1.1-2   "/bin/sh -e /usr/loc…"   epg-service         3 minutes ago       Up 3 minutes (healthy)        0.0.0.0:8100->8100/tcp, :::8100->8100/tcp
naice-aquila        naice-release.registry.eltex.loc/naice-aquila:1.0               "java -cp @/app/jib-…"   naice-aquila        3 minutes ago       Up 2 minutes (healthy)        0.0.0.0:49->49/tcp, :::49->49/tcp, 0.0.0.0:8091->8091/tcp, :::8091->8091/tcp
naice-bubo          naice-release.registry.eltex.loc/naice-bubo:1.0                 "java -cp @/app/jib-…"   naice-bubo          3 minutes ago       Up 2 minutes (healthy)        0.0.0.0:8093->8093/tcp, :::8093->8093/tcp
naice-castor        naice-release.registry.eltex.loc/naice-castor:1.0               "java -Djava.awt.hea…"   naice-castor        3 minutes ago       Up 2 minutes (healthy)        0.0.0.0:8095->8095/tcp, :::8095->8095/tcp
naice-gavia         naice-release.registry.eltex.loc/naice-gavia:1.0                "java -cp @/app/jib-…"   naice-gavia         3 minutes ago       Up About a minute (healthy)   0.0.0.0:8080->8080/tcp, :::8080->8080/tcp
naice-gulo          naice-release.registry.eltex.loc/naice-gulo:1.0                 "java -cp @/app/jib-…"   naice-gulo          3 minutes ago       Up 2 minutes (healthy)        0.0.0.0:8089->8089/tcp, :::8089->8089/tcp
naice-lemmus        naice-release.registry.eltex.loc/naice-lemmus:1.0               "java -cp @/app/jib-…"   naice-lemmus        3 minutes ago       Up 2 minutes (healthy)        0.0.0.0:8083->8083/tcp, :::8083->8083/tcp
naice-lepus         naice-release.registry.eltex.loc/naice-lepus:1.0                "java -cp @/app/jib-…"   naice-lepus         3 minutes ago       Up 3 minutes (healthy)        0.0.0.0:8087->8087/tcp, :::8087->8087/tcp, 0.0.0.0:67->1024/udp, :::67->1024/udp
naice-mustela       naice-release.registry.eltex.loc/naice-mustela:1.0              "java -cp @/app/jib-…"   naice-mustela       3 minutes ago       Up 2 minutes (healthy)        0.0.0.0:8070->8070/tcp, :::8070->8070/tcp
naice-nats          naice-build-hosted.registry.eltex.loc/naice/nats:0.7.1          "docker-entrypoint.s…"   nats                3 minutes ago       Up 3 minutes (healthy)        4222/tcp, 6222/tcp, 7777/tcp, 0.0.0.0:8222->8222/tcp, :::8222->8222/tcp
naice-ovis          naice-release.registry.eltex.loc/naice-ovis:1.0                 "java -cp @/app/jib-…"   naice-ovis          3 minutes ago       Up 2 minutes (healthy)        0.0.0.0:8084->8084/tcp, :::8084->8084/tcp
naice-postgres      naice-build-hosted.registry.eltex.loc/naice/postgres:1.0.6      "docker-entrypoint.s…"   postgres            3 minutes ago       Up 3 minutes (healthy)        5432/tcp
naice-radius        naice-release.registry.eltex.loc/naice-radius:1.0               "/docker-entrypoint.…"   naice-radius        3 minutes ago       Up 3 minutes (healthy)        0.0.0.0:1812-1813->1812-1813/udp, :::1812-1813->1812-1813/udp, 0.0.0.0:9812->9812/tcp, :::9812->9812/tcp
naice-sterna        naice-release.registry.eltex.loc/naice-sterna:1.0               "/docker-entrypoint.…"   naice-sterna        3 minutes ago       Up About a minute (healthy)   80/tcp, 0.0.0.0:8443->444/tcp, :::8443->444/tcp
naice-ursus         naice-release.registry.eltex.loc/naice-ursus:1.0                "java -cp @/app/jib-…"   naice-ursus         3 minutes ago       Up 3 minutes (healthy)        0.0.0.0:8081->8081/tcp, :::8081->8081/tcp
naice-vulpus        naice-release.registry.eltex.loc/naice-vulpus:1.0               "java -cp @/app/jib-…"   naice-vulpus        3 minutes ago       Up 2 minutes (healthy)        0.0.0.0:8086->8086/tcp, :::8086->8086/tcp
naice-web           naice-release.registry.eltex.loc/naice-web:1.0                  "/docker-entrypoint.…"   naice-web           3 minutes ago       Up About a minute (healthy)   80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 0.0.0.0:80->4200/tcp, :::80->4200/tcp
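To turn the listing above into a repeatable post-installation check, the following Python example (added here, not part of NAICE) parses docker compose ps -a output, reports containers whose STATUS is not (healthy) and enumerates the ports published on the host so the exposure can be compared against the firewall rules. The sample input is constructed from a subset of the rows above plus one invented container, naice-demo-broken, so that the unhealthy path is exercised offline.

```python
"""Parse `docker compose ps -a` output: list non-healthy containers and the ports
published on the host. Added example, not part of NAICE."""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: a subset of the listing in this guide plus one made-up row
# ("naice-demo-broken") that reports (unhealthy).
SAMPLE_PS = """\
NAME                IMAGE                                                           COMMAND                  SERVICE             CREATED             STATUS                        PORTS
naice-nats          naice-build-hosted.registry.eltex.loc/naice/nats:0.7.1          "docker-entrypoint.s…"   nats                3 minutes ago       Up 3 minutes (healthy)        4222/tcp, 6222/tcp, 7777/tcp, 0.0.0.0:8222->8222/tcp, :::8222->8222/tcp
naice-postgres      naice-build-hosted.registry.eltex.loc/naice/postgres:1.0.6      "docker-entrypoint.s…"   postgres            3 minutes ago       Up 3 minutes (healthy)        5432/tcp
naice-radius        naice-release.registry.eltex.loc/naice-radius:1.0               "/docker-entrypoint.…"   naice-radius        3 minutes ago       Up 3 minutes (healthy)        0.0.0.0:1812-1813->1812-1813/udp, :::1812-1813->1812-1813/udp, 0.0.0.0:9812->9812/tcp, :::9812->9812/tcp
naice-web           naice-release.registry.eltex.loc/naice-web:1.0                  "/docker-entrypoint.…"   naice-web           3 minutes ago       Up About a minute (healthy)   80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 0.0.0.0:80->4200/tcp, :::80->4200/tcp
naice-demo-broken   naice-release.registry.eltex.loc/naice-demo:1.0                 "java -cp @/app/jib-…"   naice-demo          3 minutes ago       Up 3 minutes (unhealthy)      0.0.0.0:8099->8099/tcp, :::8099->8099/tcp
"""

COLUMNS = ("name", "image", "command", "service", "created", "status", "ports")
# "0.0.0.0:80->4200/tcp", ":::1812-1813->1812-1813/udp"; the greedy bind group leaves
# "0.0.0.0" or "::" once the host-port group takes the digits.
PUBLISHED = re.compile(r"^(?P<bind>.+):(?P<host>\d+(?:-\d+)?)->(?P<target>\d+(?:-\d+)?)/(?P<proto>tcp|udp)$")
Port = Tuple[str, str, str, str, str]  # container, bind address, host port, container port, proto


def parse_compose_ps(text: str) -> List[Dict[str, str]]:
    """Split the aligned table on runs of 2+ spaces; docker pads columns with at least
    three, while values inside a column ("Up 3 minutes (healthy)") use single spaces."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = tuple(h.lower() for h in re.split(r"\s{2,}", lines[0].strip()))
    if header != COLUMNS:
        raise ValueError(f"unexpected header: {header}")
    rows = []
    for ln in lines[1:]:
        fields = re.split(r"\s{2,}", ln.strip())
        if len(fields) == len(COLUMNS) - 1:      # container with an empty PORTS column
            fields.append("")
        if len(fields) != len(COLUMNS):
            raise ValueError(f"cannot parse row: {ln!r}")
        row = dict(zip(COLUMNS, fields))
        m = re.search(r"\((healthy|unhealthy|starting)\)", row["status"])
        if m:
            row["health"] = m.group(1)
        else:                                     # no healthcheck, or Exited/Restarting
            row["health"] = "none" if row["status"].startswith("Up") else "down"
        rows.append(row)
    return rows


def not_healthy(rows: List[Dict[str, str]]) -> List[str]:
    """Names of containers that do not report (healthy)."""
    return [r["name"] for r in rows if r["health"] != "healthy"]


def published_ports(rows: List[Dict[str, str]]) -> List[Port]:
    """Every port mapped onto the host. Entries without '->' (e.g. 5432/tcp) are only
    reachable on the Docker network and are deliberately left out."""
    out: List[Port] = []
    for r in rows:
        for item in (p.strip() for p in r["ports"].split(",")):
            m = PUBLISHED.match(item)
            if m:
                out.append((r["name"], m["bind"], m["host"], m["target"], m["proto"]))
    return out


def all_interfaces(ports: List[Port]) -> List[Port]:
    """Published ports bound to 0.0.0.0 or ::, i.e. reachable from any interface of the
    host unless a host firewall restricts them."""
    return [p for p in ports if p[1] in ("0.0.0.0", "::")]


if __name__ == "__main__":
    # Usage: sudo docker compose ps -a | python3 check_ps.py   (or no stdin: use the sample)
    table = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PS
    parsed = parse_compose_ps(table)
    bad = not_healthy(parsed)
    for name, bind, host, target, proto in all_interfaces(published_ports(parsed)):
        print(f"{name:20} {bind}:{host}/{proto} -> container port {target}")
    print("not healthy:", ", ".join(bad) if bad else "none")
    sys.exit(1 if bad else 0)
```

Run with the real listing piped in; a non-zero exit means at least one container has not reached (healthy), and the port summary is the list to reconcile with the host firewall.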