Version: Axidian Privilege 3.2

Enabling Restart of Proxy Service Containers

The RDP Proxy, SSH Proxy and SQL Proxy Docker containers require periodic restarting (rotation) to eliminate the effects of memory, thread and handle leaks. In Axidian PAM, this is implemented by a special script that runs automatically according to a schedule. PAM does not stop working during a restart (user sessions are not interrupted).

By default, restart is disabled. To enable it, complete the following steps:

  1. Change the parameter value in the configuration file.
  2. Reinstall the Access Server components.
  3. Restart the Access Server.

Enabling Restart in the Configuration File

  1. Open the ./scripts/ansible/vars.yml file.
  2. In the proxy_recycling section, change the value of the enabled parameter from false to true.
  3. Go to the next step: reinstalling the Access Server components.
caution

When SELinux is in Enforcing mode on the access server, you will need to add a file context for the script manually. The deployment script prints a message about this:

TASK [Warn about SELinux mode] *************************

msg:

'Warning: SELinux is in enforcing mode. Add script context manually:'
semanage fcontext -a -t bin_t /etc/axidian/axidian-privilege/scripts/recycle-proxy.sh && restorecon -Fv /etc/axidian/axidian-privilege/scripts/recycle-proxy.sh

So run the following command:

semanage fcontext -a -t bin_t /etc/axidian/axidian-privilege/scripts/recycle-proxy.sh && restorecon -Fv /etc/axidian/axidian-privilege/scripts/recycle-proxy.sh

Additional Settings

In the proxy_recycling section of the ./scripts/ansible/vars.yml file there are several more parameters. Specify their values if needed, or keep the default values.

  • replicas — the number of Master replicas (active replicas that accept connections). Default is 1.
  • proxies — types of proxies for which the restart will be performed. It is an array of values. Default is [rdp,ssh].
  • rotation_hours — replica rotation time in hours. Default is 168.
  • session_hours — maximum session duration in hours for a replica in the DRAIN state (the replica no longer accepts new connections but continues to serve existing ones). Default is 24.
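
As an added check that is not part of the Axidian documentation, the following script verifies the two things this page asks you to look after: that recycle-proxy.sh carries the bin_t label when SELinux is in Enforcing mode, and how far each proxy replica is past rotation_hours. It assumes it is run from /etc/axidian/axidian-privilege (so docker compose finds docker-compose.access-server.yml), that the compose service names are rdp-proxy, ssh-proxy and sql-proxy as used on this page, and that getenforce, ls -Z and GNU date are available; the function names are my own.

```shell
#!/bin/sh
# Added verification helper (not Axidian code). Run from /etc/axidian/axidian-privilege.

RECYCLE_SCRIPT=/etc/axidian/axidian-privilege/scripts/recycle-proxy.sh
COMPOSE_FILE=docker-compose.access-server.yml

# needs_fcontext MODE LABEL -> succeeds when SELinux is Enforcing and LABEL lacks the bin_t type
needs_fcontext() {
  [ "$1" = "Enforcing" ] || return 1
  case "$2" in *:bin_t:*) return 1 ;; *) return 0 ;; esac
}

# overdue_hours STARTED_EPOCH NOW_EPOCH ROTATION_HOURS -> prints whole hours past the
# rotation window, or 0 while the replica is still within it
overdue_hours() {
  age_h=$(( ($2 - $1) / 3600 ))
  over=$(( age_h - $3 ))
  [ "$over" -gt 0 ] && echo "$over" || echo 0
}

# Report whether the manual semanage/restorecon step from the caution above is still needed
check_selinux() {
  mode=$(getenforce 2>/dev/null || echo Disabled)
  label=$(ls -Z "$RECYCLE_SCRIPT" 2>/dev/null | awk '{print $1}')
  if needs_fcontext "$mode" "$label"; then
    echo "FIX: $RECYCLE_SCRIPT is labelled '${label:-?}' under Enforcing; run:"
    echo "  semanage fcontext -a -t bin_t $RECYCLE_SCRIPT && restorecon -Fv $RECYCLE_SCRIPT"
    return 1
  fi
  echo "SELinux ok (mode=$mode, label=${label:-n/a})"
}

# Compare each proxy container's StartedAt against rotation_hours from vars.yml (default 168)
check_replicas() {
  rotation=${1:-168}; now=$(date +%s)
  for svc in rdp-proxy ssh-proxy sql-proxy; do
    for id in $(docker compose -f "$COMPOSE_FILE" ps -q "$svc" 2>/dev/null); do
      started=$(docker inspect -f '{{.State.StartedAt}}' "$id") || continue
      over=$(overdue_hours "$(date -d "$started" +%s)" "$now" "$rotation")
      [ "$over" -gt 0 ] && echo "WARN: $svc ($id) is ${over}h past rotation_hours=$rotation" \
                        || echo "ok: $svc ($id) within rotation window"
    done
  done
}

# Usage: verify_recycling [rotation_hours]
verify_recycling() { check_selinux; check_replicas "$1"; }
```

A replica reported as past rotation_hours after recycling has been enabled usually means the scheduled script did not run, which is the first thing to check with technical support.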

Reinstalling the Access Server Components

caution

While the Access Server components are being reinstalled, PAM will be unavailable. All current sessions will be terminated.

  1. If CIS Benchmark Docker security settings are applied, then run the installation script with the command:

    sudo bash run-deploy.sh

    If CIS Benchmark Docker security settings are not applied, then run the installation script with the command:

    sudo bash run-deploy.sh --bench-skip
  2. At the Enter target IP step, press ENTER.

  3. When prompted, enter your local sudo user name (for example, root) and password.

  4. Wait until the installation is complete.

    info

    If the script aborted with an error, send the log file to technical support.

  5. Go to the next step: restarting the Access Server.

Restarting the Access Server

caution

Run all the commands from the /etc/axidian/axidian-privilege folder.

To restart the Axidian Privilege Access Server components, use the following commands:

sudo docker compose -f docker-compose.access-server.yml down
sudo docker compose -f docker-compose.access-server.yml up -d

or

sudo docker-compose -f docker-compose.access-server.yml down
sudo docker-compose -f docker-compose.access-server.yml up -d

Example of Restarting the RDP Proxy Component

sudo docker compose -f docker-compose.access-server.yml up -d rdp-proxy --force-recreate

or

sudo docker-compose -f docker-compose.access-server.yml up -d rdp-proxy --force-recreate

Example of Restarting the SSH Proxy Component

sudo docker compose -f docker-compose.access-server.yml up -d ssh-proxy --force-recreate

or

sudo docker-compose -f docker-compose.access-server.yml up -d ssh-proxy --force-recreate

Example of Restarting the SQL Proxy Component

sudo docker compose -f docker-compose.access-server.yml up -d sql-proxy --force-recreate

or

sudo docker-compose -f docker-compose.access-server.yml up -d sql-proxy --force-recreate