The NAICE system is distributed as container images intended for deployment using the Docker containerization and application management platform. All system components are managed using the Docker Compose plugin, which is designed for orchestrating multi-container applications.
Ansible playbooks are used to automate the installation process.
Below is the procedure for performing a single-host installation.
Instructions for deploying NAICE in a high-availability configuration are provided in v1.1_3.4 High-availability installation (using VRRP) and v1.1_3.5 High-availability installation (without VRRP).
Both online and offline installation are available.
Online installation is supported on all supported operating systems and is described below.
Offline installation (isolated network) is described in section v1.1_3.3.1 Installation in an isolated network (stand-alone).
To run Ansible playbooks, use a VM running Ubuntu 24, RedOS 8.0.2, or Astra Linux 1.8.6.
Official Ansible installation documentation is available online.
Install the Ansible package along with all dependencies and other required software.
If Astra Linux 1.7.X is used as the target OS for NAICE deployment, ensure that the Ansible version is not higher than 2.17.
Installation is not supported on newer Ansible versions, because Astra Linux 1.7.X ships Python 3.7, which they no longer support. If necessary, reinstall Ansible and downgrade to the required version.
Install the community.docker Ansible collection, version 4.7.0. To do this, download the file community-docker-4.7.0.tar.gz:

```sh
wget https://cloud.eltex-co.ru/index.php/s/9Hv6p4yz611fDXb/download -O community-docker-4.7.0.tar.gz
```

Install the collection using the following command (without sudo):

```sh
ansible-galaxy collection install community-docker-4.7.0.tar.gz
```

Verify the installed collection version:

```sh
ansible-galaxy collection list | grep community.docker
community.docker 4.7.0
community.docker X.X.X
```
NAICE is a licensed product; activating its functionality requires a valid license. See v1.1_2. Licensing for details. A license is not required at installation time: the product can be installed without activation. Until a license is activated, NAICE operates in demo mode, in which the maximum number of network devices, active endpoints, and active guest endpoints is limited to 15 each.
To deploy the system in online mode, download the latest version archive from the v1.1_1.5 Stable versions page and place it on the host from which the playbook will be executed:

```sh
wget https://cloud.eltex-co.ru/index.php/s/YzNqFaudVREka44/download -O ansibleNaice-v1.1.1-27-03-2026.tar.gz
```

Extract the archive:

```sh
tar xzvf ansibleNaice-v1.1.1-27-03-2026.tar.gz
```

Go to the playbook directory:

```sh
cd ansibleNaice-v1.1.1-27-03-2026
```
To configure the host on which NAICE will be deployed, edit the file inventory/hosts.yml. In the variable ansible_host, specify the IP address or domain name of the target host, as well as the username, password, and sudo password:

```yaml
---
common:
  hosts:
    # Host for performing a stand-alone NAICE installation
    common_host:
      ansible_host: <IP address or domain name of the NAICE host>
      ansible_user: <username>
      ansible_ssh_pass: <user password>
      ansible_become_pass: <sudo password>
```

The specified IP address or domain name will be added to the Subject Alternative Name (SAN) field when generating a self-signed certificate during NAICE service installation.
By default, login/password authentication is assumed. If SSH key authentication is used (the key must be generated and placed on the target host beforehand), update ansible.cfg:

```ini
[defaults]
inventory = hosts.yml
host_key_checking = True
private_key_file = <path to the SSH key file>
deprecation_warnings = False
```

Then specify the access parameters in hosts.yml:

```yaml
---
common:
  hosts:
    common_host:
      ansible_host: <IP address or domain name of the NAICE host>
      ansible_user: <username>
      ansible_become_pass: <sudo password>
```
To verify the correctness of the configured access parameters and check connectivity to the remote host, run:

```sh
ansible all --list-hosts   # check the list of hosts
ansible all -m ping        # check access to hosts
```

Example output when access is configured correctly:

```json
common_host | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "ping": "pong"
}
```
Variable settings are defined in the file group_vars/all.yml and are used for configuring system services. The system will operate correctly when using the default variable values. Below are the most commonly used configuration variables.
To ensure correct time display in NAICE, the following parameter must be set in the group_vars/all.yml configuration file.
Variable format:

```yaml
time_zone: "Region/City"
```

Examples: `time_zone: "Europe/Moscow"` or `time_zone: "Asia/Novosibirsk"`.
To use a third-party server certificate for RADIUS (EAP-PEAP), the following files are required:
- Root CA certificate;
- NAICE server certificate;
- Private key of the NAICE server certificate.

Certificates must be placed in: roles/docker/files/tls.
In the group_vars/all.yml variable section responsible for EAP-PEAP certificate installation, enable copying of the certificates (radius_cert_dir_copy: true) and specify the file names. The variables with their default values are:

```yaml
# certificate parameters
# required ONLY if a third-party server certificate is planned for use in RADIUS
# before running the playbook, you must create a certificate directory on the target host and place all required certificates into it
# to enable installation of certificates for the EAP protocol, place the server certificate files in the ansible/roles/docker/files/tls directory
radius_cert_dir_copy: false                              # enable copying certificates from ansible/roles/docker/files/tls
radius_certs_ca_cert_file: trusted_server.crt            # CA certificate filename
radius_certs_private_key_file: trusted_server.k          # server certificate private key file name
radius_certs_private_key_password:                       # server certificate private key file password (leave empty if key is not encrypted)
radius_certs_certificate_file: trusted_server_chain.crt  # server certificate filename
```
Description of parameters for EAP-PEAP operation:
| Parameter | Description |
|---|---|
| radius_cert_dir_copy | A variable that controls copying certificates from the directory to the target host and using them in the naice-radius service. |
| radius_certs_ca_cert_file | The filename of the root CA certificate. |
| radius_certs_private_key_file | The filename of the server certificate’s private key. |
| radius_certs_private_key_password | The password for the server private key file. If not specified, no password is assumed. The password must not contain the following characters: $, ', ", `, parentheses, or spaces. |
| radius_certs_certificate_file | The filename of the certificate that will be used by naice-radius when a user connects using the EAP-PEAP protocol. |
To use EAP-TLS authentication, a certificate intended for NAICE must be issued and placed on the host where the Ansible playbook will be executed. For correct installation, the following files are required:
- Root CA certificate;
- NAICE server certificate;
- Private key of the NAICE server certificate.

Certificates must be placed in: roles/docker/files/eap-tls.
In the group_vars/all.yml variable section responsible for EAP-TLS certificate installation, enable copying of the certificates (radius_eap_tls_cert_dir_copy: true) and specify the file names. The variables are:

```yaml
# parameters for EAP-TLS authentication
# certificate parameters
# to enable installation of certificates for the EAP-TLS protocol, place the server certificate files in ansible/roles/docker/files/eap-tls
radius_eap_tls_cert_dir_copy: false                              # enable (true) or disable (false) copying certificates from ansible/roles/docker/files/eap-tls
radius_eap_tls_certs_ca_cert_file: trusted_server.crt            # filename of the root CA certificate
radius_eap_tls_certs_private_key_file: trusted_server.k          # filename of the server certificate's private key
radius_eap_tls_certs_private_key_password:                       # password for the server private key file (leave empty if the key is not encrypted)
radius_eap_tls_certs_certificate_file: trusted_server_chain.crt  # filename of the server certificate
# OCSP certificate revocation checking settings
radius_eap_tls_ocsp_enable: 'true'                    # enable certificate revocation status checking via OCSP
radius_eap_tls_ocsp_override_url: 'true'              # use the URL from radius_eap_tls_ocsp_url instead of the one in the client certificate
radius_eap_tls_ocsp_url: 'http://100.110.2.12/ocsp'   # URL of the OCSP service (HTTP only)
radius_eap_tls_ocsp_softfail: 'true'                  # soft-fail mode: if OCSP is unavailable, authentication continues
radius_eap_tls_ocsp_timeout: 0                        # timeout for OCSP requests, in seconds
radius_eap_tls_ocsp_use_nonce: 'true'                 # include a nonce in OCSP requests (may also appear in the response)
```
Description of parameters for EAP-TLS operation:
| Parameter | Description |
|---|---|
| radius_eap_tls_cert_dir_copy | A variable that controls copying certificates from the directory to the target host and using them in the naice-radius service. |
| radius_eap_tls_certs_ca_cert_file | The filename of the root CA certificate. |
| radius_eap_tls_certs_private_key_file | The filename of the server certificate’s private key. |
| radius_eap_tls_certs_private_key_password | The password for the server private key file. If not specified, no password is assumed. The password must not contain the following characters: $, ', ", `, parentheses, or spaces. |
| radius_eap_tls_certs_certificate_file | The filename of the certificate that will be used by naice-radius when a user connects using the EAP-TLS protocol. |
| radius_eap_tls_ocsp_enable | Enables certificate revocation status checking via the OCSP protocol (false \| true). Default: false (checking disabled). |
| radius_eap_tls_ocsp_override_url | Source of the OCSP server URL: false — use the URL from the client certificate; true — use the URL specified in radius_eap_tls_ocsp_url. Default: false. |
| radius_eap_tls_ocsp_url | The URL of the OCSP responder (HTTP only). |
| radius_eap_tls_ocsp_softfail | Behavior when the OCSP server is unavailable (false \| true): false — terminate authentication if the OCSP server cannot be reached; true — continue authentication without revocation checking. |
| radius_eap_tls_ocsp_timeout | Timeout for contacting the OCSP server (in seconds). Default: 0. |
| radius_eap_tls_ocsp_use_nonce | Enables including a nonce value in OCSP requests to prevent replay attacks (false \| true). Default: true. |
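The EAP-PEAP and EAP-TLS sections above both depend on a consistent certificate set (root CA, server certificate chain, matching private key) and on a key password without the characters the playbook rejects. The following pre-flight script is an added example, not part of the NAICE playbooks: run it on the Ansible host against roles/docker/files/eap-tls (or roles/docker/files/tls) before install-naice.yml copies the files. It assumes the default file names from group_vars/all.yml, that openssl is installed on the Ansible host, and that the key password (if any) is exported as PEM_PASS.

```shell
#!/bin/sh
# Pre-flight check for the NAICE RADIUS certificate set (added example).
# Assumed file names match the group_vars/all.yml defaults shown above.
CA_FILE="${CA_FILE:-trusted_server.crt}"
KEY_FILE="${KEY_FILE:-trusted_server.k}"
CERT_FILE="${CERT_FILE:-trusted_server_chain.crt}"

# The playbook does not accept key passwords containing $ ' " ` ( ) or spaces;
# catch that before the deployment instead of half-way through it.
check_key_password() {
  case "$1" in
    *'$'*|*"'"*|*'"'*|*'`'*|*'('*|*')'*|*' '*) return 1 ;;
  esac
  return 0
}

# The OCSP responder must be reachable over plain HTTP (HTTPS is not supported).
check_ocsp_url() {
  case "$1" in
    http://*) return 0 ;;
    *)        return 1 ;;
  esac
}

# The private key and the server certificate must belong together:
# compare the public key derived from each (works for RSA and EC keys).
check_key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1/$CERT_FILE" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$1/$KEY_FILE" -pubout -passin "pass:${PEM_PASS:-}") || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# The server chain must verify against the root CA shipped with it.
check_chain() {
  openssl verify -CAfile "$1/$CA_FILE" -untrusted "$1/$CERT_FILE" "$1/$CERT_FILE" >/dev/null
}

preflight() {
  dir="${1:-roles/docker/files/eap-tls}"
  for f in "$CA_FILE" "$KEY_FILE" "$CERT_FILE"; do
    [ -r "$dir/$f" ] || { echo "missing: $dir/$f"; return 1; }
  done
  check_key_password "${PEM_PASS:-}" || { echo "key password contains a forbidden character"; return 1; }
  check_key_matches_cert "$dir" || { echo "private key does not match $CERT_FILE"; return 1; }
  check_chain "$dir" || { echo "$CERT_FILE does not verify against $CA_FILE"; return 1; }
  echo "certificate set in $dir is consistent"
}
```

Usage: `PEM_PASS='...' sh -c '. ./naice-cert-preflight.sh && preflight roles/docker/files/eap-tls'`.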
If necessary, modify additional environment variables in group_vars/all.yml. For example, you can change the NAICE service installation directory or specify an external NAICE address different from the management address.
For deploying NAICE services in a single-host installation, use the playbook install-naice.yml.
Run the install-naice.yml playbook to install the Docker containerization service, the Docker Compose plugin, and to start NAICE services via this plugin:
```sh
ansible-playbook install-naice.yml
```

During the installation of NAICE services, a self-signed certificate is automatically generated for the user interfaces lemmus, gavia, and larus. If you have your own trusted certificate, it can be installed after the services are deployed, replacing the default self-signed certificate. Detailed information on using security certificates can be found in section v1.1_3.7 Using security certificates.
Because NAICE uses healthcheck mechanisms to verify successful startup, initializing the containers may take several minutes. Wait until the playbook execution is fully completed.
To check whether the containers have started successfully, navigate to the NAICE installation directory (default: /etc/docker-naice/) and run the following command to view the list and status of containers:

```sh
docker compose ps -a
```

The example is shown for Ubuntu 24.04 LTS and may differ for other OSes, depending on the docker compose version:

```text
$ sudo docker compose ps -a
NAME             IMAGE                                                          COMMAND                  SERVICE        CREATED         STATUS                   PORTS
epg-service      naice-build-hosted.registry.eltex.loc/naice/epg-service:1.1-3  "/bin/sh -e /usr/loc…"   epg-service    5 minutes ago   Up 5 minutes (healthy)   0.0.0.0:8100->8100/tcp, [::]:8100->8100/tcp
naice-aquila     naice-release.registry.eltex.loc/naice-aquila:1.1              "java -cp @/app/jib-…"   naice-aquila   5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8091->8091/tcp, [::]:8091->8091/tcp, 0.0.0.0:49->1049/tcp, [::]:49->1049/tcp
naice-bubo       naice-release.registry.eltex.loc/naice-bubo:1.1                "java -cp @/app/jib-…"   naice-bubo     5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8093->8093/tcp, [::]:8093->8093/tcp
naice-castor     naice-release.registry.eltex.loc/naice-castor:1.1              "java -Djava.awt.hea…"   naice-castor   5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8095->8095/tcp, [::]:8095->8095/tcp
naice-cetus      naice-release.registry.eltex.loc/naice-cetus:1.1               "java -cp @/app/jib-…"   naice-cetus    5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8099->8099/tcp, [::]:8099->8099/tcp
naice-gavia      naice-release.registry.eltex.loc/naice-gavia:1.1               "java -cp @/app/jib-…"   naice-gavia    5 minutes ago   Up 3 minutes (healthy)   0.0.0.0:8080->8080/tcp, [::]:8080->8080/tcp
naice-gulo       naice-release.registry.eltex.loc/naice-gulo:1.1                "java -cp @/app/jib-…"   naice-gulo     5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8089->8089/tcp, [::]:8089->8089/tcp
naice-lemmus     naice-release.registry.eltex.loc/naice-lemmus:1.1              "java -cp @/app/jib-…"   naice-lemmus   5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8083->8083/tcp, [::]:8083->8083/tcp
naice-lepus      naice-release.registry.eltex.loc/naice-lepus:1.1               "java -cp @/app/jib-…"   naice-lepus    5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8087->8087/tcp, [::]:8087->8087/tcp, 0.0.0.0:67->1024/udp, [::]:67->1024/udp
naice-mustela    naice-release.registry.eltex.loc/naice-mustela:1.1             "java -cp @/app/jib-…"   naice-mustela  5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8070->8070/tcp, [::]:8070->8070/tcp
naice-nats       naice-build-hosted.registry.eltex.loc/naice/nats:1.1.7         "docker-entrypoint.s…"   nats           5 minutes ago   Up 5 minutes (healthy)   4222/tcp, 6222/tcp, 7777/tcp, 0.0.0.0:8222->8222/tcp, [::]:8222->8222/tcp
naice-ovis       naice-release.registry.eltex.loc/naice-ovis:1.1                "java -cp @/app/jib-…"   naice-ovis     5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8084->8084/tcp, [::]:8084->8084/tcp
naice-phoca      naice-release.registry.eltex.loc/naice-phoca:1.1               "java -cp @/app/jib-…"   naice-phoca    5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8097->8097/tcp, [::]:8097->8097/tcp
naice-postgres   naice-build-hosted.registry.eltex.loc/naice/postgres:1.1.6     "docker-entrypoint.s…"   postgres       6 minutes ago   Up 5 minutes (healthy)   5432/tcp
naice-radius     naice-release.registry.eltex.loc/naice-radius:1.1              "/docker-entrypoint.…"   naice-radius   5 minutes ago   Up 5 minutes (healthy)   0.0.0.0:1812-1813->1812-1813/udp, [::]:1812-1813->1812-1813/udp, 0.0.0.0:9812->9812/tcp, [::]:9812->9812/tcp
naice-sterna     naice-release.registry.eltex.loc/naice-sterna:1.1              "/docker-entrypoint.…"   naice-sterna   5 minutes ago   Up 3 minutes (healthy)   80/tcp, 0.0.0.0:8443->444/tcp, [::]:8443->444/tcp
naice-ursus      naice-release.registry.eltex.loc/naice-ursus:1.1               "java -cp @/app/jib-…"   naice-ursus    5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8081->8081/tcp, [::]:8081->8081/tcp
naice-vulpus     naice-release.registry.eltex.loc/naice-vulpus:1.1              "java -cp @/app/jib-…"   naice-vulpus   5 minutes ago   Up 4 minutes (healthy)   0.0.0.0:8086->8086/tcp, [::]:8086->8086/tcp
naice-web        naice-release.registry.eltex.loc/naice-web:1.1                 "/docker-entrypoint.…"   naice-web      5 minutes ago   Up 2 minutes (healthy)   80/tcp, 0.0.0.0:443->443/tcp, [::]:443->443/tcp, 0.0.0.0:80->4200/tcp, [::]:80->4200/tcp
```