Deploying GreenRADIUS on Red Hat Enterprise Linux Using Podman

Prerequisites

  • A target machine running RHEL 8 or 9
  • SELinux adjusted so that GreenRADIUS can function smoothly
  • A GreenRADIUS update package (v5.2.9.9 or later)

Deployment Instructions

  1. Log in with a user that has sudo access.
  2. Run sudo yum update
  3. Run sudo yum install -y yum-utils
  4. Run sudo yum update
  5. Run sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E '%{rhel}').noarch.rpm
  6. Run sudo yum -y install container-selinux
  7. Run sudo yum makecache --refresh
  8. Run sudo yum -y install fuse-overlayfs
  9. Run sudo yum -y install slirp4netns
  10. Run sudo dnf update
  11. Run sudo dnf install epel-release
  12. Run sudo dnf install --enablerepo="epel" ufw
  13. Run sudo yum remove docker-ce docker-ce-cli containerd.io
  14. Run sudo dnf install podman
  15. Run sudo dnf install podman-plugins
  16. Run sudo yum install python3
  17. Run sudo yum install python3-pip
  18. Run sudo pip3 install podman-compose
  19. Check where podman-compose has been installed by running sudo find / -name "podman-compose"
  20. Create a symlink to this path with sudo ln -s <path/where/podman-compose/is/installed> /usr/bin/podman-compose
  21. Run sudo yum install incron
  22. Run sudo yum install unzip
  23. Run sudo yum install net-tools
  24. Run sudo useradd -d /home/gradmin -m -G wheel -s /bin/bash gradmin
  25. Run sudo passwd gradmin and set the password for gradmin appropriately
  26. Run sudo chmod -R 750 /home/gradmin
  27. Run sudo chown -R gradmin:gradmin /home/gradmin
  28. Run sudo mkdir /home/gradmin/grs-podman-compose
  29. Run sudo service firewalld stop
  30. Run sudo systemctl disable firewalld
  31. Reboot and log in as gradmin
  32. Copy the GreenRADIUS update package to the /tmp/ directory
  33. Run sudo unzip /tmp/GreenRADIUS_xxxx_Update.zip -d /tmp/ (Note: For this step and subsequent steps with "GreenRADIUS_xxxx_Update.zip", replace "xxxx" with the appropriate version number of the GreenRADIUS update package.)
  34. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/images.tgz -C /tmp/
  35. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/others.tgz -C /tmp/
  36. Run sudo cp /tmp/others/docker-compose.yml /home/gradmin/grs-podman-compose/
  37. Run sudo cp /tmp/others/podman-compose.override.yml /home/gradmin/grs-podman-compose/
  38. Run sudo mkdir -p /opt/grs/scripts
  39. Run sudo ls -lart /tmp/others/vm_incron_scripts_podman/
  40. Copy each file listed by the previous command to /opt/grs/scripts/ using the following command: sudo cp /tmp/others/vm_incron_scripts_podman/<filename> /opt/grs/scripts
  41. Run cd /opt/grs/scripts && sudo chown root:root *.sh && sudo chmod 511 freeradius_restart.sh get_host_info.sh incron_script.sh openldap_cmd_template_3.sh openldap_restart.sh openldap_update_ca_certificates.sh rsyslog_restart.sh && cd -
  42. Run sudo bash -c "echo 'gradmin ALL=(root) NOPASSWD:/opt/grs/scripts/get_host_info.sh , /opt/grs/scripts/incron_script.sh , /opt/grs/scripts/rsyslog_restart.sh , /opt/grs/scripts/freeradius_restart.sh , /opt/grs/scripts/openldap_restart.sh , /opt/grs/scripts/openldap_update_ca_certificates.sh , /opt/grs/scripts/openldap_cmd_template_3.sh' > /etc/sudoers.d/grs"
  43. Run sudo mkdir -p /opt/grs/host-comm/request
  44. Run sudo mkdir -p /opt/grs/host-comm/response
  45. Run sudo chown -R gradmin:gradmin /opt/grs/host-comm
  46. Run sudo bash -c "echo 'gradmin' > /etc/incron.allow"
  47. Run sudo bash -c "echo '/opt/grs/host-comm/request IN_CLOSE_WRITE sudo /opt/grs/scripts/incron_script.sh \$#' > /var/spool/incron/gradmin"
  48. Run sudo systemctl enable incrond
  49. Run sudo service incrond restart
  50. Run sudo podman load -i /tmp/images/greenradius_xxxx_init_image
  51. Run sudo podman load -i /tmp/images/greenradius_xxxx_main_image
  52. Run sudo podman load -i /tmp/images/greenradius_xxxx_openldap_image
  53. Run sudo podman load -i /tmp/images/greenradius_xxxx_postgres_image
  54. Run sudo podman load -i /tmp/images/greenradius_xxxx_rsyslog_image
  55. Run sudo podman load -i /tmp/images/greenradius_xxxx_freeradius_image
  56. Run sudo podman load -i /tmp/images/greenradius_xxxx_grs_auth_app_image
  57. Run sudo chmod -R 750 /home/gradmin
  58. Run sudo chown -R gradmin:gradmin /home/gradmin
  59. Run sudo timedatectl set-timezone UTC
  60. Run sudo cp /tmp/others/scripts/get_system_timezone.sh /opt/grs/scripts/
  61. Run sudo sh +x /opt/grs/scripts/get_system_timezone.sh
  62. Run sudo sh +x /tmp/others/scripts/prerequisite_for_getting_system_timezone.sh
  63. Run cd /home/gradmin/grs-podman-compose
  64. Run sudo podman-compose -f docker-compose.yml -f podman-compose.override.yml up -d
  65. Run sudo podman exec -it GRS-POSTGRES bash -c "chown -R root:postgres /opt/grs/greenradius/certificates/postgres/server"
  66. Run sudo podman-compose stop. Wait or run the command multiple times to ensure that all containers have actually stopped.
  67. Run sudo podman-compose start
  68. Verify that the GreenRADIUS instance is accessible via the web. You should be able to visit https://<IP_address_of_GreenRADIUS>/admin in your browser to access the GreenRADIUS web admin interface.

Note: Whenever the timezone on the server is changed, the server must be rebooted for the new timezone to be reflected in the containers.
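
Steps 41, 42 and 47 let gradmin (and the incron watch on /opt/grs/host-comm/request) run the scripts in /opt/grs/scripts as root without a password, so those scripts and their directory need to stay root-owned and unwritable by anyone else. The check below is an added example, not part of the GreenRADIUS package; it assumes the single-line rule written in step 42, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example, not GreenRADIUS code: audit the files a sudoers drop-in lets
# a user run as root without a password (the layout from steps 41-42).

# List the command paths after NOPASSWD:, one per line. Assumes one tag per
# rule and no backslash line continuations, as in the rule from step 42.
nopasswd_targets() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD:' |
        sed 's/.*NOPASSWD://' | tr ',' '\n' | awk 'NF { print $1 }'
}

# True if FILE is owned by OWNER and has no group/other write bit.
# A symlink is judged on its own mode bits, so it is always reported.
owned_and_locked() {    # usage: owned_and_locked FILE OWNER
    [ -n "$(find "$1" -prune -user "$2" ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Print one line per finding for every NOPASSWD target in SUDOERS_FILE.
audit_sudoers_targets() {    # usage: audit_sudoers_targets SUDOERS_FILE [OWNER]
    owner=${2:-root}
    nopasswd_targets "$1" | while IFS= read -r target; do
        if [ ! -f "$target" ]; then
            echo "MISSING   $target"      # rule points at a file that is absent
        elif ! owned_and_locked "$target" "$owner"; then
            echo "WRITABLE  $target"      # wrong owner or group/other-writable
        elif ! owned_and_locked "$(dirname "$target")" "$owner"; then
            echo "DIR       $target"      # parent directory allows replacement
        fi
    done
}

# Number of findings; 0 means every target and its directory is locked down.
count_findings() {
    audit_sudoers_targets "$@" | wc -l | tr -d ' '
}

# Run against the drop-in from step 42 when it is readable.
if [ -r /etc/sudoers.d/grs ]; then
    audit_sudoers_targets /etc/sudoers.d/grs
fi
```

Run it with sudo after step 42 and again after each update; the syntax of the drop-in itself can be checked with sudo visudo -cf /etc/sudoers.d/grs.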

Enabling auto-start of GreenRADIUS containers on boot

  1. Run sudo touch /tmp/grs-podman-compose-app.service
  2. Edit the /tmp/grs-podman-compose-app.service file in your editor of choice.
  3. Paste in the following:
# /etc/systemd/system/grs-podman-compose-app.service
[Unit]
Description=Podman Compose Application Service
Requires=podman.service
After=podman.service
[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/home/gradmin/grs-podman-compose
ExecStart=/usr/bin/podman-compose up -d
ExecStop=/usr/bin/podman-compose down
TimeoutStartSec=0
[Install]
WantedBy=multi-user.target
  4. Run sudo cp /tmp/grs-podman-compose-app.service /etc/systemd/system/
  5. Run sudo systemctl enable grs-podman-compose-app

Applying Updates to Your GreenRADIUS Instance

  1. Run cd /home/gradmin/grs-podman-compose
  2. Run sudo podman-compose down
  3. Copy the latest update package for GreenRADIUS into the /tmp/ directory
  4. Run sudo unzip /tmp/GreenRADIUS_xxxx_Update.zip -d /tmp/ (where "xxxx" is the version number of the GreenRADIUS update package)
  5. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/images.tgz -C /tmp/
  6. Run sudo tar -xvzf /tmp/GreenRADIUS_xxxx_Update/others.tgz -C /tmp/
  7. Run sudo podman load -i /tmp/images/greenradius_xxxx_init_image
  8. Run sudo podman load -i /tmp/images/greenradius_xxxx_main_image
  9. Run sudo podman load -i /tmp/images/greenradius_xxxx_openldap_image
  10. Run sudo podman load -i /tmp/images/greenradius_xxxx_postgres_image
  11. Run sudo podman load -i /tmp/images/greenradius_xxxx_rsyslog_image
  12. Run sudo podman load -i /tmp/images/greenradius_xxxx_freeradius_image
  13. Run sudo podman load -i /tmp/images/greenradius_xxxx_grs_auth_app_image
  14. Edit /home/gradmin/grs-podman-compose/docker-compose.yml and replace every occurrence of the current version number with the version number of the GreenRADIUS release you are updating to (e.g. 5122 for v5.1.2.2)
  15. Run cd /home/gradmin/grs-podman-compose
  16. Run sudo podman-compose -f docker-compose.yml -f podman-compose.override.yml up -d
  17. Confirm that the latest GreenRADIUS version is accessible via your browser at the same URL as before. On future startups, you will need to run sudo podman-compose -f docker-compose.yml -f podman-compose.override.yml up -d from the grs-podman-compose directory, as shown above, to launch the containers.
Updated 2024-07-31
© 2024 Green Rocket Security Inc. All rights reserved.