
Deploy Mideye Server 5 with Rootless Podman

Deploy Mideye Server 5 using Podman for rootless container security. This guide covers the critical networking configuration needed for RADIUS authentication (slirp4netns), persistent volume management, and container lifecycle commands.

What this guide covers:

  • Rootless Podman networking with slirp4netns
  • Solving RADIUS source IP forwarding issues
  • Container creation and management
  • Backup and restore procedures
  • Firewall port configuration

The Mideye Server container image runs on both Docker and Podman. For the latest release, check Docker Hub.

RADIUS requires the source IP to be matched against a shared secret for encrypting traffic between the RADIUS client and the RADIUS server. When running Podman in rootless mode, the source IP will always be 10.0.2.100, because Podman runs with port_handler=rootlesskit by default.

The following workarounds are available for this issue:

  • Run the container in rootful mode, which allows forwarding of the source IP.
  • Run the container in rootful mode with --net=host.
  • Add 10.0.2.100 to the RADIUS Shared Secrets. Every RADIUS client then arrives from the same address and is matched to this one shared secret.
  • Add a default 0.0.0.0 to the RADIUS Shared Secrets.
  • RECOMMENDED: Run rootless Podman v2.1.0 or later with the slirp4netns port handler instead of the default rootlesskit. This forwards the source IP to MideyeServer correctly: --net=slirp4netns:port_handler=slirp4netns

Issue: It is possible to add the network mode port_handler to the docker-compose file. When doing this, Podman stops listening on the ports specified. This seems to be a bug in the current version, Podman 3.2.0-rc3.

docker-compose.yml:

    version: '3'
    services:
      mideyeserver:
        image: docker.io/mideye/mideyeserver:5.6.1-final
        environment:
          SPRING_PROFILES_ACTIVE: prod
          SPRING_DATASOURCE_URL: jdbc:mariadb://MARIADB_SERVER:3306/mideyeserver
          SERVER_SSL_ENABLED: "true"
          SERVER_PORT: 8443
        healthcheck:
          test: ["CMD", "curl", "--insecure", "-sS", "https://localhost:8443/management/health"]
          interval: 30s
          timeout: 10s
          retries: 3
          start_period: 40s
        ports:
          - "8443:8443/tcp"
          - "1812:1812/udp"
          - "1813:1813/udp"
          - "3799:3799/udp"
        volumes:
          - mideye_config:/home/mideye/config
        network_mode: "slirp4netns:port_handler=slirp4netns"
    volumes:
      mideye_config:

Currently there is only one way to run MideyeServer 5 in Podman.

  1. Start a database on another server with a username, password and database dedicated to Mideye.
  2. Create an env.file with the following content:
    SPRING_PROFILES_ACTIVE=prod
    SPRING_DATASOURCE_URL=jdbc:mariadb://192.168.0.10:3306/mideyeserver
    SPRING_DATASOURCE_USERNAME=mideyeuser
    SPRING_DATASOURCE_PASSWORD=mideyeuserpassword
    SERVER_SSL_ENABLED=true
    SERVER_PORT=8443
  3. Open the firewall ports.
    firewall-cmd --get-active-zones
    firewall-cmd --zone=public --permanent --add-port=8443/tcp
    firewall-cmd --zone=public --permanent --add-port=1812/udp
    firewall-cmd --reload
  4. Start MideyeServer. Check Docker Hub for the latest version.
  • Create a persistent volume: podman volume create mideye_volume

  • Create MideyeServer:

    podman run -d --name=mideyeserver \
    --net=slirp4netns:port_handler=slirp4netns \
    --env-file=env.file \
    -p 8443:8443 \
    -p 1812:1812/udp \
    -v mideye_volume:/home/mideye/config \
    docker.io/mideye/mideyeserver:5.6.1-final
  • Stop MideyeServer: podman stop mideyeserver

  • Start MideyeServer: podman start mideyeserver

  • Restart MideyeServer: podman restart mideyeserver

  • MideyeServer Logs: podman logs mideyeserver

  • Follow logs: podman logs -f mideyeserver

  • Verify MideyeServer is running: podman ps -a

  • Verify Podman is forwarding ports: podman port -l
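
The checks below cover what the deployment steps above depend on: Podman 2.1.0 or later, the slirp4netns port handler in the run arguments, RADIUS published as UDP, and an env.file that is complete and not readable by other users. This is an added example, not part of the Mideye documentation; the function names, the env.file permission check and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Mideye code): preflight checks for the rootless deployment.
MIN_PODMAN="2.1.0"   # from the guide: slirp4netns port handler needs 2.1.0+

# version_ge A B: succeed when dotted version A >= B; "-rc3" style suffixes ignored.
version_ge() {
    a="${1%%-*}.0.0"; b="${2%%-*}.0.0"
    for i in 1 2 3; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# podman_ok "<output of podman --version>"
podman_ok() { version_ge "${1##* }" "$MIN_PODMAN"; }

# run_args_ok "<podman run arguments>": port handler set and RADIUS published
# as UDP in the single-port form used in this guide (a bare -p 1812:1812
# publishes TCP only).
run_args_ok() {
    case "$1" in
        *port_handler=slirp4netns*) ;;
        *) echo "rootlesskit default: all RADIUS clients appear as 10.0.2.100" >&2; return 1 ;;
    esac
    case "$1" in
        *:1812/udp*) ;;
        *) echo "1812 is not published as UDP" >&2; return 1 ;;
    esac
}

# env_file_ok FILE: datasource keys present, no group/other permission bits
# (the file holds SPRING_DATASOURCE_PASSWORD in clear text).
env_file_ok() {
    for key in SPRING_DATASOURCE_URL SPRING_DATASOURCE_USERNAME SPRING_DATASOURCE_PASSWORD; do
        grep -q "^${key}=." "$1" || { echo "missing $key in $1" >&2; return 1; }
    done
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || { echo "run: chmod 600 $1" >&2; return 1; }
}

# Constructed sample inputs; on a real host pass "$(podman --version)" instead.
podman_ok "podman version 3.2.0-rc3" && echo "podman version: ok"
run_args_ok "-d --name=mideyeserver -p 8443:8443 -p 1812:1812/udp" \
    || echo "run arguments: add --net=slirp4netns:port_handler=slirp4netns"
```

On the deployment host, call env_file_ok env.file before podman run and stop if any of the three checks fails.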


  • Backup MideyeServer Config: podman cp mideyeserver:/home/mideye/config .
  • Backup MideyeServer Database: mysqldump --all-databases > mideyeserver-databases.sql

  • Restore MideyeServer Config:
    podman cp config/application-prod.yml mideyeserver:/home/mideye/config/application-prod.yml
    podman cp config/keystore.p12 mideyeserver:/home/mideye/config/keystore.p12
  • Restore MideyeServer Database: mysql < mideyeserver-databases.sql
  • Restart MideyeServer After Restore: podman restart mideyeserver

Check the MideyeServer logs to get the SETUP CHALLENGE.

podman logs mideyeserver | grep 'SETUP CHALLENGE' | tail -1 | awk 'NF>1{print $NF}'

Connect to the web GUI through a browser with the URL: https://server_ip:8443

If a new RADIUS Server is added in MideyeServer, restart the application and add a new port to docker-compose.yml.

  • 8443 is used for the web GUI.
  • 1812/UDP is used for RADIUS traffic.
  • To set up a range of ports: -p 1812-1818:1812-1818/udp

To keep configuration persistent between updates, the following persistent volumes are configured.

  • mideye_config: contains certificates and application config

Before updating MideyeServer, make sure the config folder is backed up and MideyeServer is running with a persistent volume.

  1. Stop MideyeServer: podman stop mideyeserver

  2. Remove MideyeServer: podman rm mideyeserver

  3. Start MideyeServer with the updated version:

    podman run -d --name=mideyeserver \
    --net=slirp4netns:port_handler=slirp4netns \
    --env-file=env.file \
    -p 8443:8443 \
    -p 1812:1812/udp \
    -v mideye_volume:/home/mideye/config \
    docker.io/mideye/mideyeserver:5.6.1-final