Best way to install openwisp2 with freeradius module.

Racamier Stéphane

Dec 2, 2020, 10:13:20 AM
to OpenWISP

Hi,

For 2 weeks I have been working to set up a server with openwisp2 and freeradius3. I saw several tutorials (ansible and python venv); I would like to install a stable version using ansible and move the DB to a MariaDB server.

I found this in the mailing list:

- hosts: ra******5.*******.org
  roles:
    - openwisp.openwisp2

  vars:
    openwisp2_default_from_email: "advertise@ra******5.********.org"
    openwisp2_time_zone: Europe/Paris
    openwisp2_allowed_hosts:
        - ra*******5.********.org

    openwisp2_utils_pip: https://github.com/openwisp/openwisp-utils/tarball/master
    openwisp2_users_pip: https://github.com/openwisp/openwisp-users/tarball/master
    openwisp2_extra_python_packages:
      # monitoring
      - https://github.com/openwisp/openwisp-radius/tarball/master
      - django-cors-headers
    openwisp2_extra_django_settings_instructions:
      # monitoring settings
      - |
        # openwisp-radius, registration, CORS
        INSTALLED_APPS += [
          'corsheaders',
          'django_filters',
          'rest_framework.authtoken',
          'rest_auth',
          'rest_auth.registration',
          'openwisp_radius',
        ]
        OPENWISP_RADIUS_FREERADIUS_ALLOWED_HOSTS = ['ra*****5.******.org']

        # CORS
        MIDDLEWARE.insert(
            MIDDLEWARE.index('django.middleware.common.CommonMiddleware'),
            'corsheaders.middleware.CorsMiddleware'
        )
        CORS_ORIGIN_WHITELIST = ('comlight.org',)  # trailing comma: a tuple, not a bare string
        CORS_ALLOW_METHODS = ('POST',)

        # REST API
        INSTALLED_APPS += [
            'drf_yasg',
        ]
        OPENWISP_USERS_AUTH_API = True
    openwisp2_extra_urls:
      - "url(r'^', include('openwisp_radius.urls'))"
      - "url(r'^api/v1/', include('openwisp_utils.api.urls'))"
      - "url(r'^api/v1/', include('openwisp_users.api.urls'))"
    freeradius_dir: /etc/freeradius/3.0
    freeradius_mods_available_dir: "{{ freeradius_dir }}/mods-available"
    freeradius_mods_enabled_dir: "{{ freeradius_dir }}/mods-enabled"
    freeradius_sites_available_dir: "{{ freeradius_dir }}/sites-available"
    freeradius_sites_enabled_dir: "{{ freeradius_dir }}/sites-enabled"
    freeradius_certs_dir: "{{ freeradius_dir }}/certs"
    freeradius_sql:
      driver: rlm_sql_mysql
      dialect: mysql
      host: ***.***.***.***
      port: 3306
      name: "******"
      user: "******"
      password: "*******"
    freeradius_rest:
      url: https://radius05.comlight.org/api/v1/freeradius
  pre_tasks:
    # openwisp-radius
    - name: Install cairo
      apt:
        name:
          - libcairo2
          - libpango-1.0-0
          - libpangocairo-1.0-0
          - libgdk-pixbuf2.0-0
          - shared-mime-info
        update_cache: yes
      tags: [openwisp2, radius]

    - name: Freeradius system packages
      apt:
        name:
          - freeradius
          - freeradius-mysql
          - freeradius-rest
        state: latest
      notify: restart freeradius
    - name: SQL Configuration
      template:
        src: freeradius/sql.j2
        dest: "{{ freeradius_mods_available_dir }}/sql"
        mode: 0640
        owner: freerad
        group: freerad
      notify: restart freeradius
    - name: Enable SQL module
      file:
        src: "{{ freeradius_mods_available_dir }}/sql"
        dest: "{{ freeradius_mods_enabled_dir }}/sql"
        state: link
        mode: 0640
        owner: freerad
        group: freerad
    - name: SQL Counter module
      template:
        src: freeradius/sqlcounter.j2
        dest: "{{ freeradius_mods_available_dir }}/sqlcounter"
        mode: 0640
        owner: freerad
        group: freerad
      notify: restart freeradius
    - name: Enable SQL Counter module
      file:
        src: "{{ freeradius_mods_available_dir }}/sqlcounter"
        dest: "{{ freeradius_mods_enabled_dir }}/sqlcounter"
        state: link
        mode: 0640
        owner: freerad
        group: freerad
    - name: Fix dailycounter.conf
      copy:
        src: freeradius/dailycounter.conf
        dest: "{{ freeradius_dir }}/mods-config/sql/counter/postgresql/dailycounter.conf"
        mode: 0640
        owner: freerad
        group: freerad
      notify: restart freeradius
    - name: REST Configuration
      template:
        src: freeradius/rest.j2
        dest: "{{ freeradius_mods_available_dir }}/rest"
        mode: 0640
        owner: freerad
        group: freerad
      notify: restart freeradius
    - name: Enable REST module
      file:
        src: "{{ freeradius_mods_available_dir }}/rest"
        dest: "{{ freeradius_mods_enabled_dir }}/rest"
        state: link
        mode: 0640
        owner: freerad
        group: freerad
    - name: Remove default site
      file:
        dest: "{{ freeradius_sites_enabled_dir }}/default"
        state: absent
    - name: Ensure inner-tunnel site is present
      file:
        src: "{{ freeradius_sites_available_dir }}/inner-tunnel"
        dest: "{{ freeradius_sites_enabled_dir }}/inner-tunnel"
        state: link
        mode: 0640
        owner: freerad
        group: freerad
    - name: Captive portal configuration
      template:
        src: freeradius/captiveportal.j2
        dest: "{{ freeradius_sites_available_dir }}/captiveportal"
        mode: 0640
        owner: freerad
        group: freerad
      notify: restart freeradius
      tags: [radius]
    - file:
        src: "{{ freeradius_sites_available_dir }}/captiveportal"
        dest: "{{ freeradius_sites_enabled_dir }}/captiveportal"
        state: link
        mode: 0640
        owner: freerad
        group: freerad
      tags: [radius]
    # openwisp-radius cron jobs
    - name: delete_old_radacct
      cron:
        name: delete_old_radacct
        day: "*"
        hour: 05
        minute: 30
        job: "/opt/openwisp2/env/bin/python /opt/openwisp2/manage.py delete_old_radacct 730"
      tags: [openwisp2, radius]
    - name: delete_old_postauth
      cron:
        name: delete_old_postauth
        day: "*"
        hour: 05
        minute: 0
        job: "/opt/openwisp2/env/bin/python /opt/openwisp2/manage.py delete_old_postauth 365"
      tags: [openwisp2, radius]
    - name: cleanup_stale_radacct
      cron:
        name: cleanup_stale_radacct
        day: "*"
        hour: 04
        minute: 0
        job: "/opt/openwisp2/env/bin/python /opt/openwisp2/manage.py cleanup_stale_radacct 1"
      tags: [openwisp2, radius]
    - name: deactivate_expired_users
      cron:
        name: deactivate_expired_users
        day: "*"
        hour: "*"
        minute: "*/5"
        job: "/opt/openwisp2/env/bin/python /opt/openwisp2/manage.py deactivate_expired_users"
      tags: [openwisp2, radius]
    - name: delete_old_users
      cron:
        name: delete_old_users
        day: "*"
        hour: "03"
        minute: "30"
        job: "/opt/openwisp2/env/bin/python /opt/openwisp2/manage.py delete_old_users"
      tags: [openwisp2, radius]

And I have this error:


root@ra******5:~/openwisp2-ansible-playbook# ansible-playbook -i hosts playbook.yml -k
SSH password:

PLAY [ra*****5.******.org] *************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************
ok: [ra******5.*****.org]

TASK [Install cairo] *********************************************************************************************************
ok: [ra********5.*******.org]

TASK [Freeradius system packages] ********************************************************************************************
ok: [ra******5.******.org]

TASK [SQL Configuration] *****************************************************************************************************
fatal: [ra******5.********.org]: FAILED! => {"changed": false, "msg": "Could not find or access 'freeradius/sql.j2'\nSearched in:\n\t/root/openwisp2-ansible-playbook/templates/freeradius/sql.j2\n\t/root/openwisp2-ansible-playbook/freeradius/sql.j2\n\t/root/openwisp2-ansible-playbook/templates/freeradius/sql.j2\n\t/root/openwisp2-ansible-playbook/freeradius/sql.j2 on the Ansible Controller.\nIf you are using a module and expect the file to exist on the remote, see the remote_src option"}

PLAY RECAP *******************************************************************************************************************
ra*****5.********.org      : ok=3    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0


Federico Capoano

Dec 2, 2020, 10:20:01 AM
to OpenWISP

Welcome!

You need to add a template in templates/freeradius/sql.j2 and use a configuration that suits you.

Adding support for openwisp-radius to ansible-openwisp2 is in the works: https://github.com/openwisp/ansible-openwisp2/pull/223.

The example I shared on this ML is a base which can be used to build a configuration that works, but it's not a fully working configuration.
The playbooks I have contain sensitive information of my customers and I can't share those, so I shared only the parts I was allowed to share.

I hope this helps!
Best regards
Federico
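
Added example (not part of the original thread, and not the OpenWISP project's own template): one possible templates/freeradius/sql.j2 that the "SQL Configuration" task above could render, driven by the freeradius_sql variables from the playbook. The table names are assumed to be the stock FreeRADIUS ones, and freeradius_sql.ca_file is a hypothetical extra key that does not appear in the playbook.

```jinja
{# templates/freeradius/sql.j2: added example, adjust to your setup. #}
{# Rendered into mods-available/sql by the "SQL Configuration" task. #}
sql {
    # Driver and dialect come from the freeradius_sql dictionary in vars.
    driver = "{{ freeradius_sql.driver }}"
    dialect = "{{ freeradius_sql.dialect }}"

    # Connection to the external MariaDB server.
    server = "{{ freeradius_sql.host }}"
    port = {{ freeradius_sql.port }}
    login = "{{ freeradius_sql.user }}"
    password = "{{ freeradius_sql.password }}"
    radius_db = "{{ freeradius_sql.name }}"

{% if freeradius_sql.ca_file is defined %}
    # Assumption: ca_file is a hypothetical key added to freeradius_sql.
    # Setting a CA file enables TLS for the connection to the remote database.
    mysql {
        tls {
            ca_file = "{{ freeradius_sql.ca_file }}"
        }
    }

{% endif %}
    # Assumption: stock FreeRADIUS table names.
    acct_table1 = "radacct"
    acct_table2 = "radacct"
    postauth_table = "radpostauth"
    authcheck_table = "radcheck"
    groupcheck_table = "radgroupcheck"
    authreply_table = "radreply"
    groupreply_table = "radgroupreply"
    usergroup_table = "radusergroup"

    # Load NAS clients from the database instead of clients.conf.
    read_clients = yes
    client_table = "nas"

    # FreeRADIUS (not Jinja) expansion: pulls in the queries for the dialect.
    $INCLUDE ${modconfdir}/${.:name}/main/${dialect}/queries.conf
}
```

The rendered file holds the database password in clear text, so the 0640 mode and freerad ownership set by the task matter; the password variable itself can be kept in Ansible Vault rather than in the playbook.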


Racamier Stéphane

Dec 7, 2020, 10:19:18 AM
to OpenWISP

I changed my script to do my tests:

- hosts: ra*****.********.org
  roles:
    - openwisp.openwisp2

  vars:
    openwisp2_default_from_email: "advertise@ra*****.********.org"
    openwisp2_time_zone: Europe/Paris
    openwisp2_allowed_hosts:
        - ra*****.********.org


    openwisp2_utils_pip: https://github.com/openwisp/openwisp-utils/tarball/master
    openwisp2_users_pip: https://github.com/openwisp/openwisp-users/tarball/master
    openwisp2_extra_python_packages:
      # monitoring
      - https://github.com/openwisp/openwisp-radius/tarball/master
      - django-cors-headers
    openwisp2_extra_django_settings_instructions:
      # monitoring settings
      - |
        # openwisp-radius, registration, CORS
        INSTALLED_APPS += [
          'corsheaders',
          'django_filters',
          'rest_framework.authtoken',
          'rest_auth',
          'rest_auth.registration',
          'openwisp_radius',
        ]
        OPENWISP_RADIUS_FREERADIUS_ALLOWED_HOSTS = ['ra*****.********.org']
      name: "*******"

      user: "******"
      password: "*******"
    freeradius_rest:
      url: https://ra*****.********.org/api/v1/freeradius

  pre_tasks:
    # openwisp-radius
    - name: Install cairo
      apt:
        name:
          - libcairo2
          - libpango-1.0-0
          - libpangocairo-1.0-0
          - libgdk-pixbuf2.0-0
          - shared-mime-info
        update_cache: yes
      tags: [openwisp2, radius]

    - name: Freeradius system packages
      apt:
        name:
          - freeradius
          - freeradius-mysql
          - freeradius-rest
        state: latest
      notify: stop freeradius

Now my installation is running without ending, the last message is:

TASK [openwisp.openwisp2 : Install openwisp2 controller and its dependencies] **************************************************************

The full log:


PLAY [ra*****.********.org] *********************************************************************************************************************************************************************************

TASK [Gathering Facts] ***************************************************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [Install cairo] *****************************************************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [Freeradius system packages] ****************************************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [Stouts.postfix : include_tasks] ************************************************************************************************************************************************************************
included: /root/.ansible/roles/Stouts.postfix/tasks/postfix.yml for ra*****.********.org

TASK [Stouts.postfix : Install requirements (Debian)] ********************************************************************************************************************************************************
[DEPRECATION WARNING]: Invoking "apt" only once while using a loop via squash_actions is deprecated. Instead of using a loop to supply multiple items and specifying `name: "{{item}}"`, please use `name:
['postfix', 'ca-certificates', 'mailutils', 'libsasl2-modules']` and remove the loop. This feature will be removed in version 2.11. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
ok: [ra*****.********.org] => (item=['postfix', 'ca-certificates', 'mailutils', 'libsasl2-modules'])

TASK [Stouts.postfix : Install DKIM requirements (Debian)] ***************************************************************************************************************************************************
[DEPRECATION WARNING]: Invoking "apt" only once while using a loop via squash_actions is deprecated. Instead of using a loop to supply multiple items and specifying `name: "{{item}}"`, please use `name:
['opendkim', 'opendkim-tools']` and remove the loop. This feature will be removed in version 2.11. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
skipping: [ra*****.********.org] => (item=[])

TASK [Stouts.postfix : Install postfix-pcre] *****************************************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : Install requirements (RedHat)] ********************************************************************************************************************************************************
skipping: [ra*****.********.org] => (item=postfix)
skipping: [ra*****.********.org] => (item=ca-certificates)
skipping: [ra*****.********.org] => (item=mailx)
skipping: [ra*****.********.org] => (item=libselinux-python)

TASK [Stouts.postfix : Install DKIM requirements (RedHat)] ***************************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : create self-signed SSL cert] **********************************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : set permissions for self-signed SSL cert] *********************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : set permissions for self-signed SSL key] **********************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : Create DKIM directories] **************************************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : Create DKIM directories] **************************************************************************************************************************************************************
skipping: [ra*****.********.org] => (item=ra*****.********.org)

TASK [Stouts.postfix : Generate DKIM key] ********************************************************************************************************************************************************************
skipping: [ra*****.********.org] => (item=ra*****.********.org)

TASK [Stouts.postfix : Change DKIM key permissions] **********************************************************************************************************************************************************
skipping: [ra*****.********.org] => (item=ra*****.********.org)

TASK [Stouts.postfix : Configure opendkim pt. 1] *************************************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : Configure opendkim pt. 2] *************************************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : Configure opendkim pt. 3] *************************************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : Configure opendkim pt. 4] *************************************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : Configure opendkim pt. 5] *************************************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : Ensure /etc/postfix directory is owned by root user] **********************************************************************************************************************************
ok: [ra*****.********.org]

TASK [Stouts.postfix : Configure postfix pt. 1] **************************************************************************************************************************************************************
ok: [ra*****.********.org] => (item=main.cf)
ok: [ra*****.********.org] => (item=master.cf)

TASK [Stouts.postfix : Configure postfix pt. 2] **************************************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : Configure postfix pt. 3] **************************************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : Configure postfix pt. 4] **************************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [Stouts.postfix : Configure postfix pt. 5] **************************************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : Configure postfix pt. 6] **************************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [Stouts.postfix : Configure postfix local user relay] ***************************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : Configure postfix sender canonical maps] **********************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : Configure SystemD] ********************************************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : Ensure Postfix service is enabled (systemd)] ******************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [Stouts.postfix : Ensure Postfix is started] ************************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Set supervisor path (Debian)] *****************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Set www user (Debian)] ************************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Set spatialite_path (Ubuntu >= 18.04 or Debian >= 10)] ****************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Update APT package cache] *********************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Install system packages] **********************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Install redis 5 if available] *****************************************************************************************************************************************************
fatal: [ra*****.********.org]: FAILED! => {"cache_update_time": 1607350510, "cache_updated": false, "changed": false, "msg": "'/usr/bin/apt-get -y -o \"Dpkg::Options::=--force-confdef\" -o \"Dpkg::Options::=--force-confold\"      install 'redis-server=5:5*'' failed: E: Version '5:5*' for 'redis-server' was not found\n", "rc": 100, "stderr": "E: Version '5:5*' for 'redis-server' was not found\n", "stderr_lines": ["E: Version '5:5*' for 'redis-server' was not found"], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information..."]}
...ignoring

TASK [openwisp.openwisp2 : Install redis 4 (fallback)] *******************************************************************************************************************************************************
fatal: [ra*****.********.org]: FAILED! => {"cache_update_time": 1607350510, "cache_updated": false, "changed": false, "msg": "'/usr/bin/apt-get -y -o \"Dpkg::Options::=--force-confdef\" -o \"Dpkg::Options::=--force-confold\"      install 'redis-server=5:4*'' failed: E: Version '5:4*' for 'redis-server' was not found\n", "rc": 100, "stderr": "E: Version '5:4*' for 'redis-server' was not found\n", "stderr_lines": ["E: Version '5:4*' for 'redis-server' was not found"], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\n", "stdout_lines": ["Reading package lists...", "Building dependency tree...", "Reading state information..."]}
...ignoring         ------> Installed manually with apt-get install redis* -y

TASK [openwisp.openwisp2 : set redis to listen on ipv4] ******************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Install spatialite] ***************************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Install mod-spatialite (may fail on older linux distros)] *************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Install acl if acting as non-root user] *******************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : ensure supervisor is started] *****************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Install python2 packages] *********************************************************************************************************************************************************
skipping: [ra*****.********.org]

TASK [openwisp.openwisp2 : Install python3 packages] *********************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Install ntp] **********************************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Update pip & related tools] *******************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Remove jsonfield2] ****************************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Set openwisp2_python_packages] ****************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Set custom package list] **********************************************************************************************************************************************************
skipping: [ra*****.********.org] => (item=False)
ok: [ra*****.********.org] => (item=https://github.com/openwisp/openwisp-users/tarball/master)
ok: [ra*****.********.org] => (item=https://github.com/openwisp/openwisp-utils/tarball/master)
skipping: [ra*****.********.org] => (item=False)
skipping: [ra*****.********.org] => (item=False)
skipping: [ra*****.********.org] => (item=False)
skipping: [ra*****.********.org] => (item=False)

TASK [openwisp.openwisp2 : Add network_topology to custom package list if set and enabled] *******************************************************************************************************************
skipping: [ra*****.********.org] => (item=False)

TASK [openwisp.openwisp2 : Install cryptography from pip] ****************************************************************************************************************************************************
ok: [ra*****.********.org]

TASK [openwisp.openwisp2 : Install openwisp2 controller and its dependencies] *******************************************************

Federico Capoano

Dec 7, 2020, 1:03:47 PM
to OpenWISP

We noticed this bug recently and fixed it in the development branch of ansible-openwisp2:

We're about to release it but there are 2 blockers pending right now, so for the time being I can only suggest using the latest master.

Federico Capoano

Apr 23, 2021, 8:44:17 PM
to OpenWISP

To anyone interested in the RADIUS module of OpenWISP, the PR which adds official support to ansible-openwisp2 is ready to be tested!
Please see https://github.com/openwisp/ansible-openwisp2/pull/223.

f.capoano

Sep 29, 2021, 9:11:42 PM
to OpenWISP

Hi,

We prepared instructions that should help in setting up the upcoming version of OpenWISP, including the Monitoring and RADIUS modules.

I hope this helps.

Federico Capoano

Oct 6, 2021, 3:26:16 PM
to OpenWISP