Version: Axidian Privilege 2.10

Enabling Restart of Proxy Service Containers

The SSH Proxy and RDP Proxy Docker containers require periodic restarting (rotation) to eliminate the effects of memory, thread and handle leaks. In Axidian PAM, this is implemented by a special script that runs automatically according to a schedule. PAM does not stop working during a restart (user sessions are not interrupted).

By default, restart is disabled. To enable it, you need to change the parameter value in the configuration file and restart the access server.

Enabling Restart in the Configuration File

  1. Open the ./scripts/ansible/vars.yml file.
  2. In the proxy_recycling section, change the value of the enabled parameter from false to true.
  3. Go to the next step — restarting the access server.

Caution

When SELinux is in Enforcing mode on the access server, you need to add a context for the script manually. You will see a message about this:

TASK [Warn about SELinux mode] *************************

msg:

'Warning: SELinux is in enforcing mode. Add script context manually:'
semanage fcontext -a -t bin_t /etc/axidian/axidian-privilege/scripts/recycle-proxy.sh && restorecon -Fv /etc/axidian/axidian-privilege/scripts/recycle-proxy.sh

Run the following command:

semanage fcontext -a -t bin_t /etc/axidian/axidian-privilege/scripts/recycle-proxy.sh && restorecon -Fv /etc/axidian/axidian-privilege/scripts/recycle-proxy.sh
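
To confirm that the label was applied and will survive a later relabel, the following check can be run on the access server. It is an added example, not part of the Axidian documentation; the function names and the `--check` argument are assumptions made for this example, and it relies on GNU `stat` and, where installed, `matchpathcon`.

```shell
#!/bin/sh
# Added example (not Axidian's own code): verify the SELinux type of the
# proxy recycling script after running semanage fcontext / restorecon.
SCRIPT=/etc/axidian/axidian-privilege/scripts/recycle-proxy.sh
EXPECTED_TYPE=bin_t

# Print the type field of a context written as user:role:type:level.
# Prints nothing when the input is not a context (e.g. "?" without SELinux).
selinux_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Return 0 when the given context carries the expected type.
context_ok() {
    [ "$(selinux_type "$1")" = "$EXPECTED_TYPE" ]
}

# Check the label on disk and the label the loaded policy would assign.
# Returns 0 = correct, 1 = wrong label, 2 = script not found.
check_script() {
    path=${1:-$SCRIPT}
    [ -e "$path" ] || { echo "missing: $path" >&2; return 2; }
    actual=$(stat -c %C "$path" 2>/dev/null)
    if ! context_ok "$actual"; then
        echo "FAIL: $path is labelled '$actual', expected type $EXPECTED_TYPE" >&2
        return 1
    fi
    # matchpathcon reports what restorecon would set. A mismatch here means
    # the fcontext rule is missing and the next relabel would undo the fix.
    if command -v matchpathcon >/dev/null 2>&1; then
        policy=$(matchpathcon -n "$path")
        if ! context_ok "$policy"; then
            echo "FAIL: policy default for $path is '$policy'" >&2
            return 1
        fi
    fi
    echo "OK: $path -> $actual"
}

# Run the check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_script "${2:-$SCRIPT}"
fi
```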

Additional Settings

In the ./scripts/ansible/vars.yml file, in the proxy_recycling section there are several more parameters. Specify their values (optional) or use the default values.

  • replicas — the number of Master replicas (active replicas that accept connections). Default is 1.
  • proxies — types of proxies for which the restart will be performed. It is an array of values. Default is [rdp,ssh].
  • rotation_hours — replica rotation time in hours. Default is 168.
  • session_hours — maximum session duration in hours for a replica in the DRAIN state (when the server does not accept new connections, but processes existing ones). Default is 24.

Restarting the Access Server

Caution

Run all the commands from the /etc/axidian/axidian-privilege folder.

To restart the Axidian Privilege Access Server components, use the following commands:

sudo docker compose -f docker-compose.access-server.yml down
sudo docker compose -f docker-compose.access-server.yml up -d

or

sudo docker-compose -f docker-compose.access-server.yml down
sudo docker-compose -f docker-compose.access-server.yml up -d

Example of Restarting the RDP Proxy Component

sudo docker compose -f docker-compose.access-server.yml up -d Pam.RdpProxy.Service --force-recreate

or

sudo docker-compose -f docker-compose.access-server.yml up -d Pam.RdpProxy.Service --force-recreate

Example of Restarting the SSH Proxy Component

sudo docker compose -f docker-compose.access-server.yml up -d Pam.SshProxy.Service --force-recreate

or

sudo docker-compose -f docker-compose.access-server.yml up -d Pam.SshProxy.Service --force-recreate