Ubuntu 22 Runtime installation and configuration

Runtime in Ubuntu 22 runs as an unprivileged user to enhance cybersecurity by reducing the cyberattack surface. Once you are sure that all the requirements are met, proceed with the Runtime installation and configuration.
NOTE: See Runtime configuration for an overview of the available settings.

Requirements

For the installation of Runtime on Ubuntu 22, proceed as follows:
  • Confirm that the kernel version running on your device or the linux-headers of the current kernel version is up to date.
  • Confirm that .NET Runtime 8 is installed. If it is not installed yet and the device connects to the Internet, it will automatically be downloaded and installed during the Runtime installation.
  • Install the X11 Window System to enable the
    Remote Desktop
     feature. Instead, if Wayland is installed and enabled, disable it by editing the file: 
    /etc/gdm3/custom.conf
    or
    /etc/gdm3/daemon.conf
    uncomment the following line by removing the #:
    #WaylandEnable=false
  • Confirm that the system does not have
    remoteaccess_runtime
     as a username with
    uid=9879
     as a user ID, and
    gid=9879
     as a group ID for the standard unprivileged user that will run the Runtime.
  • Install the following packages to run the installer and both the SetupHost and Runtime services:
    • useradd
       and
      groupadd
      : Install by typing
      sudo apt-get install passwd
    • xdpyinfo
      : Install by typing
      sudo apt-get install x11-utils
    • xhost
      : Install by typing
      sudo apt-get install x11-xserver-utils
    • mknod
      ,
      readlink
      ,
      tr
      ,
      who
      : Install by typing
      sudo apt-get install coreutils
    • iptables
      : Install by typing
      sudo apt-get install iptables
    • brctl
      : Install by typing
      sudo apt-get install bridge-utils
    • dhclient
      : Install by typing
      sudo apt-get install isc-dhcp-client
    • setcap
      : Install by typing
      sudo apt-get install libcap2-bin
    • setfacl
      : Install by typing
      sudo apt-get install acl
    • awk
      : Install by typing
      sudo apt-get install gawk
    • systemd-run
      ,
      systemctl
      ,
      resolvectl
      ,
      loginctl
      : Install by typing
      sudo apt-get install systemd
    NOTE: Some scripts run by the
    FactoryTalkRemoteAccessSetupHost.service
     during the host initialization phase require these commands to work with the host system. If any of these commands are missing, the script might stop running.
  • Confirm that the default session user consists of a root folder user or a sudoers group user, and has
    sbin
     folders in their
    PATH
     environment variable. To add a user to the sudoers group, use the following commands: 
    su -l
    usermod -aG sudo <UserToAdd>

Runtime installation and configuration

  1. Download the
    FactoryTalk® Remote Access
     Runtime package related to the Ubuntu 22 distribution on the remote device and run the installation command: 
    sudo apt install ./FactoryTalkRemoteAccessRuntime_Ubuntu22_<version>.deb
    and replace the
    <version>
     with the actual version.
    NOTE: See Tools to download Runtime.
    IMPORTANT: If you are updating an older Runtime version, you might be prompted to activate specific security settings:
    File transfers security restriction
     and
    Processes security restriction
    . These settings are located in the
    Settings
     section of the Runtime user interface.
  2. The system performs several checks and creates
    FactoryTalkRemoteAccessRuntimeService.service
     and
    FactoryTalkRemoteAccessSetupHost.service
    .
  3. Confirm that the created services stored in the
    /etc/systemd/system
     appear as follows: 
    [Unit]
Description=FactoryTalkRemoteAccess Setup Host Service
After=network-online.target
Onsuccess=FactoryTalkRemoteAccessRuntimeService.service
[Service]
ExecStart=/opt/Rockwell_Automation/FactoryTalk_Remote_Access/Runtime/bin/setuphost.sh -v [OPTIONS]

[Install]
WantedBy=multi-user.target
    [Unit]
Description=FactoryTalkRemoteAccess Runtime Service
OnFailure=FactoryTalkRemoteAccessSetupHost.service

[Service]
ExecStart=/opt/Rockwell_Automation/FactoryTalk_Remote_Access/Runtime/bin/FactoryTalkRemoteAccessRuntimeService
User=remoteaccess_runtime
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW

[Install]
WantedBy=multi-user.target
  4. In
    FactoryTalkRemoteAccessSetupHost.service
    , replace the
    [OPTIONS]
     as needed: 
    
--enable-vpn <adapter-list>    Configure the host to enable VPN on the Runtime ad running time. The adapter-list is a single parameter that contains a list of adapter names separated by a comma (,). 
                               A conventional network bridge interface will be created on each of them to perform VPN. Example: --enable-vpn eth0,eth1
--enable-p2p-vpn               Configure the host to enable Point-to-Point VPN on the Runtime at running time.

-v, --verbose                  Print detailed logs for troubleshooting.
    Separate the interfaces mentioned in the
    <adapter-list>
     by using a comma. For example:
    eth0,eth1,eth2
    . The script establishes a standard network bridge interface for each specified interface.
    NOTE: During the establishment of a standard network bridge, the script appends both
    -tap
     and
    -bridge
     to any interface listed in the
    <adapter-list>
     wherever tap and bridge are not already in place. The script abides by the 15-character limit imposed by Linux.
    • Example without interface truncation:
      • Adapter name (characters length 4):
        eth0
      • Tap name (characters length 8):
        eth0-tap
      • Bridge name (characters length 8):
        eth0-bridge
    • Example with interface truncation:
      • Adapter name (characters length 9):
        enp0s31f6
      • Tap name (characters length 13):
        enp0s31f6-tap
      • Bridge name (characters length15):
        enp0s31f-bridge
        . Considering the characters length limit, the adapter name truncation here consists of the elimination of the
        6
         digit.
        The maximum characters length limitation affects any bridge and tap interfaces with names that are equal to or longer than the name in the preceding example.
NOTE:
The Runtime binaries will be installed in the folder:
/opt/Rockwell_Automation/FactoryTalk_Remote_Access/Runtime/bin
And Runtime logs will be available in the folder:
/opt/Rockwell_Automation/FactoryTalk_Remote_Access/Runtime/log

Runtime Startup

  1. To start the Runtime, run the
    sudo systemctl start FactoryTalkRemoteAccessSetupHost.service
     command in the
    /etc/systemd/system
     folder.
  2. Confirm that the
    FactoryTalkRemoteAccessRuntimeService.service
     service is up and running by typing
    sudo systemctl status FactoryTalkRemoteAccessRuntimeService.service
    .

Connecting the Runtime to the FactoryTalk Remote Access network infrastructure

NOTE: See the
Settings
 section in Runtime configuration to learn how to connect the Runtime with the
FactoryTalk® Remote Access
 network infrastructure.

Runtime Configuration

NOTE: See Runtime configuration for information on this subject.

Serial passthrough configuration

NOTE: This feature is not supported on Ubuntu 22.
To enable the remote use of a serial port, add a symlink to the interface in the path
/dev/serial<interface number>
.
Example:
In a system equipped with a serial interface
/dev/ttyS0
, execute the following command:
ln -s /dev/ttyS0 /dev/serial0

Password setup

To help prevent any unauthorized users from accessing the Runtime, set up a password. Once you have set up a password, a browser authentication page opens when you start the Runtime.
To access the Runtime configuration, enter
https://localhost:5161
 in your browsing bar.
NOTE: To set up a password, you must have
sudo
 privileges.
NOTE: If you do not set up a password to access the Runtime, every user can access it and land directly onto the
Home
 page.
  1. Enter
    sudo FactoryTalkRemoteAccessRuntimeCli --setRuntimePassword --password <runtime password>
    .
  2. Replace
    <runtime password>
     with a password.
    NOTE:
    Create a strong password to reduce cybersecurity risk.
    Your password must:
    • Be at least eight characters long
    • Include at least three of the following requirements:
      • at least one uppercase character
      • at least one lowercase character
      • at least one numeric character
      • at least one symbolic character
    Use passphrases longer than eight characters to enhance password strength. Strong passwords increase the time needed to guess them.
NOTE: To change the password, repeat the process.

Runtime update

Provide Feedback
Have questions or feedback about this documentation? Please submit your feedback here.
Normal