- Software components setup and installation
Ubuntu 22 Runtime installation and configuration
Runtime in Ubuntu 22 runs as an unprivileged user to enhance cybersecurity by reducing the
cyberattack surface. Once you are sure that all the requirements are met, proceed with the
Runtime installation and configuration.
NOTE:
See Runtime configuration for
an overview of the available settings.
Requirements
For the installation of Runtime on Ubuntu 22, proceed as follows:
- Confirm that the kernel version running on your device or the linux-headers of the current kernel version is up to date.
- Confirm that .NET Runtime 8 is installed. If it is not installed yet and the device connects to the Internet, it will automatically be downloaded and installed during the Runtime installation.
- Install the X11 Window System to enable theRemote Desktopfeature. Instead, if Wayland is installed and enabled, disable it by editing the file:/etc/gdm3/custom.confor/etc/gdm3/daemon.confuncomment the following line by removing the #:#WaylandEnable=false
- Confirm that the system does not haveremoteaccess_runtimeas a username withuid=9879as a user ID, andgid=9879as a group ID for the standard unprivileged user that will run the Runtime.
- Install the following packages to run the installer and both the SetupHost and Runtime services:
- useraddandgroupadd: Install by typingsudo apt-get install passwd
- xdpyinfo: Install by typingsudo apt-get install x11-utils
- xhost: Install by typingsudo apt-get install x11-xserver-utils
- mknod,readlink,tr,who: Install by typingsudo apt-get install coreutils
- iptables: Install by typingsudo apt-get install iptables
- brctl: Install by typingsudo apt-get install bridge-utils
- dhclient: Install by typingsudo apt-get install isc-dhcp-client
- setcap: Install by typingsudo apt-get install libcap2-bin
- setfacl: Install by typingsudo apt-get install acl
- awk: Install by typingsudo apt-get install gawk
- systemd-run,systemctl,resolvectl,loginctl: Install by typingsudo apt-get install systemd
NOTE: Some scripts run by theFactoryTalkRemoteAccessSetupHost.serviceduring the host initialization phase require these commands to work with the host system. If any of these commands are missing, the script might stop running.
- Confirm that the default session user consists of a root folder user or a sudoers group user, and hassbinfolders in theirPATHenvironment variable. To add a user to the sudoers group, use the following commands:su -lusermod -aG sudo <UserToAdd>
Runtime installation and configuration
- Download theRuntime package related to the Ubuntu 22 distribution on the remote device and run the installation command:FactoryTalk® Remote Access™sudo apt install ./FactoryTalkRemoteAccessRuntime_Ubuntu22_<version>.deband replace the<version>with the actual version.NOTE: See Tools to download Runtime.IMPORTANT: If you are updating an older Runtime version, you might be prompted to activate specific security settings:File transfers security restrictionandProcesses security restriction. These settings are located in theSettingssection of the Runtime user interface.
- The system performs several checks and createsFactoryTalkRemoteAccessRuntimeService.serviceandFactoryTalkRemoteAccessSetupHost.service.
- Confirm that the created services stored in the/etc/systemd/systemappear as follows:[Unit] Description=FactoryTalkRemoteAccess Setup Host Service After=network-online.target Onsuccess=FactoryTalkRemoteAccessRuntimeService.service [Service] ExecStart=/opt/Rockwell_Automation/FactoryTalk_Remote_Access/Runtime/bin/setuphost.sh -v [OPTIONS] [Install] WantedBy=multi-user.target[Unit] Description=FactoryTalkRemoteAccess Runtime Service OnFailure=FactoryTalkRemoteAccessSetupHost.service [Service] ExecStart=/opt/Rockwell_Automation/FactoryTalk_Remote_Access/Runtime/bin/FactoryTalkRemoteAccessRuntimeService User=remoteaccess_runtime AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW [Install] WantedBy=multi-user.target
- InFactoryTalkRemoteAccessSetupHost.service, replace the[OPTIONS]as needed:--enable-vpn <adapter-list> Configure the host to enable VPN on the Runtime ad running time. The adapter-list is a single parameter that contains a list of adapter names separated by a comma (,). A conventional network bridge interface will be created on each of them to perform VPN. Example: --enable-vpn eth0,eth1 --enable-p2p-vpn Configure the host to enable Point-to-Point VPN on the Runtime at running time. -v, --verbose Print detailed logs for troubleshooting.Separate the interfaces mentioned in the<adapter-list>by using a comma. For example:eth0,eth1,eth2. The script establishes a standard network bridge interface for each specified interface.NOTE: During the establishment of a standard network bridge, the script appends both-tapand-bridgeto any interface listed in the<adapter-list>wherever tap and bridge are not already in place. The script abides by the 15-character limit imposed by Linux.
- Example without interface truncation:
- Adapter name (characters length 4):eth0
- Tap name (characters length 8):eth0-tap
- Bridge name (characters length 8):eth0-bridge
- Example with interface truncation:
- Adapter name (characters length 9):enp0s31f6
- Tap name (characters length 13):enp0s31f6-tap
- Bridge name (characters length15):enp0s31f-bridge. Considering the characters length limit, the adapter name truncation here consists of the elimination of the6digit.The maximum characters length limitation affects any bridge and tap interfaces with names that are equal to or longer than the name in the preceding example.
NOTE:
The Runtime binaries will be installed in the folder:
/opt/Rockwell_Automation/FactoryTalk_Remote_Access/Runtime/bin
And Runtime logs will be available in the folder:
/opt/Rockwell_Automation/FactoryTalk_Remote_Access/Runtime/log
Runtime Startup
- To start the Runtime, run thesudo systemctl start FactoryTalkRemoteAccessSetupHost.servicecommand in the/etc/systemd/systemfolder.
- Confirm that theFactoryTalkRemoteAccessRuntimeService.serviceservice is up and running by typingsudo systemctl status FactoryTalkRemoteAccessRuntimeService.service.
Connecting the Runtime to the FactoryTalk Remote Access network infrastructure
NOTE:
See the network infrastructure.
Settings
section in Runtime configuration to learn how to connect the Runtime
with the FactoryTalk®
Remote Access™
Runtime Configuration
NOTE:
See Runtime configuration
for information on this subject.
Serial passthrough configuration
NOTE:
This feature is not supported on Ubuntu 22.
To enable the remote use of a serial port, add a symlink to the interface in the path
/dev/serial<interface number>
.Example:
In a system equipped with a serial interface
/dev/ttyS0
, execute the
following command:ln -s /dev/ttyS0 /dev/serial0
Password setup
To help prevent any unauthorized users from accessing the Runtime, set up a password. Once
you have set up a password, a browser authentication page opens when you start the
Runtime.
To access the Runtime configuration, enter
https://localhost:5161
in your
browsing bar.
NOTE:
To set up a password, you must have
sudo
privileges.
NOTE:
If you do not set up a password to access the Runtime, every user
can access it and land directly onto the
Home
page.- Entersudo FactoryTalkRemoteAccessRuntimeCli --setRuntimePassword --password <runtime password>.
- Replace<runtime password>with a password.NOTE:Create a strong password to reduce cybersecurity risk.Your password must:
- Be at least eight characters long
- Include at least three of the following requirements:
- at least one uppercase character
- at least one lowercase character
- at least one numeric character
- at least one symbolic character
Use passphrases longer than eight characters to enhance password strength. Strong passwords increase the time needed to guess them.
NOTE:
To change the password, repeat the process.
Runtime update
Provide Feedback