Radiator Server Documentation — latest

Containers

Operate Radiator container images

Radiator publishes minimal container images in the radiatorsoftware/radiator-server Docker Hub repository. These images include the radiator binary and the package-style default payload under /var/lib/radiator. They are designed to run with a read-only root filesystem and do not include a shell. Mount writable storage for logs under /var/log/radiator and optionally for configuration under /var/lib/radiator. If the configuration is not mounted, an existing configuration zip can be imported via the GUI.

When mounting configuration, ensure that it is complete. It must contain all required .radconf files, any needed .json5 or .sqlite files, template files, any needed TLS certificates, management GUI files, and a license file. You can obtain a complete configuration, for example, from an existing Radiator GUI by selecting full export.

Using the containerized Radiator

By default, the minimal container does not include a ready-to-use service configuration for tasks such as authenticating users, and it does not contain a license. To obtain a license, send an email to sales@radiatorsoftware.com. Upload the license file from the Licenses page in the GUI. You can also deploy your configuration at the same time: in the GUI, select Files and then import. Deploy your license and configuration as usual.

If you mount configuration from external storage, provide a complete configuration that also includes the management side. Otherwise, the GUI will not start.

Export works normally with the Radiator container regardless of whether a mounted /var/lib/radiator is used.

Running with Compose

You can use the following Compose file as a starting point.

services:
  radiator:
    image: radiator-server:latest
    container_name: radiator-server
    volumes:
      - radiator-lib:/var/lib/radiator:rw
      - radiator-log:/var/log/radiator:rw
    environment:
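      # Management UI admin password (required)
      # Example PBKDF2-SHA512 hash for the default password ChangeThisPassword!
      # Each literal $ in the hash is written as $$ so that Compose does not
      # treat $name as variable interpolation and blank out parts of the hash
      - MANAGEMENT_PASSWORD={pbkdf2-sha512}$$pbkdf2-sha512$$i=210000,l=64$$OeYgC7RQgReLVYabjau9uQ$$jqjyU0kmL8xacR90/tODj3d9OLyZIpHuAQOc2YwlHDd/ceKovdbnPr1hPvY26VnxCYvDnbVRZ9dSgYd5QyTjRQ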
      # Export operations require writable temporary storage
      - TMPDIR=/var/lib/radiator/tmp
      # Additional environment variable options:
      # Override the default working directory (defaults to /var/lib/radiator)
      # - RADIATOR_SERVER_WORKING_DIR=/var/lib/radiator
      # Override the default configuration directory (defaults to /var/lib/radiator)
      # - RADIATOR_SERVER_CONFIG=/var/lib/radiator
    ports:
      # HTTP management API
      - "8443:8443/tcp"
      # Standard RADIUS authentication
      - "1812:1812/udp"
      # Standard RADIUS accounting
      - "1813:1813/udp"
      # RADIUS over TLS (RADSEC)
      - "2083:2083/tcp"
      # CoA and Disconnect Messages
      - "3799:3799/udp"
      # TACACS+
      - "49:49/tcp"
      # TACACS+ with TLS
      - "300:300/tcp"
      # Optional: Legacy RADIUS authentication port (RFC 2865)
      # - "1645:1645/udp"
      # Optional: Legacy RADIUS accounting port (RFC 2866)
      # - "1646:1646/udp"
    # Security capabilities needed for network functions
    cap_add:
      - NET_ADMIN # Required for network interface operations
      - NET_RAW # Required for raw socket access (for packet capture)
      - NET_BIND_SERVICE # Required to bind to privileged ports (<1024)
    # Drop all other capabilities for security hardening
    cap_drop:
      - ALL
    # Prevent container from gaining additional privileges
    security_opt:
      - no-new-privileges=true
    # Set container filesystem as read-only for additional security
    read_only: true
    deploy:
      resources:
        limits:
          memory: 1g
    restart: unless-stopped
    networks:
      - radiator-net

volumes:
  radiator-lib:
    name: radiator-lib
  radiator-log:
    name: radiator-log

networks:
  radiator-net:
    driver: bridge

Replace MANAGEMENT_PASSWORD before deployment. Hash the password, for example with PBKDF2-SHA512, instead of using plain text.

Running manually

You can also run the container manually:

docker run --rm \
  --volume radiator-lib:/var/lib/radiator:rw \
  --volume radiator-log:/var/log/radiator:rw \
  --name radiator-server \
  --read-only \
  --publish 8443:8443/tcp \
  --publish 1812:1812/udp \
  --publish 1813:1813/udp \
  --publish 2083:2083/tcp \
  --publish 3799:3799/udp \
  --publish 49:49/tcp \
  --publish 300:300/tcp \
  --memory 1g \
  --cap-add NET_ADMIN \
  --cap-add NET_RAW \
  --cap-add NET_BIND_SERVICE \
  --cap-drop ALL \
  --security-opt no-new-privileges=true \
  radiator-server:latest

Instead of radiator-server:latest, which always uses the latest release, you can choose to run a specific release such as radiator-server:10.33.3.

Use --platform linux/amd64 or --platform linux/arm64 if you need to run a container for a different architecture on a system that supports multiple architectures.

At minimum, expose 8443/tcp for the management GUI and 1812/udp for standard RADIUS authentication.
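
To confirm that a running container actually has the hardening shown in the Compose file and the docker run command, the following added example (not part of the Radiator documentation) audits the JSON printed by docker inspect radiator-server. The function names, the capability allow-list and the hash pattern are illustrative assumptions, the sample JSON is constructed, and the `{scheme}` prefix test assumes hashed values look like the sample hash on this page.

```python
import json
import re

# Example hash printed in the Compose file on this page; it must not reach production.
DOC_EXAMPLE_HASH = ("{pbkdf2-sha512}$pbkdf2-sha512$i=210000,l=64$OeYgC7RQgReLVYabjau9uQ$jqjyU0kmL8xacR90"
                    "/tODj3d9OLyZIpHuAQOc2YwlHDd/ceKovdbnPr1hPvY26VnxCYvDnbVRZ9dSgYd5QyTjRQ")
# Layout of that sample (assumption: other pbkdf2-sha512 values follow the same layout).
HASH_RE = re.compile(r"\{pbkdf2-sha512\}\$pbkdf2-sha512\$i=\d+,l=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+")
ALLOWED_CAPS = {"NET_ADMIN", "NET_RAW", "NET_BIND_SERVICE"}  # the three the page adds

def caps(host, key):
    """Capability names from HostConfig, normalised to the form without CAP_."""
    return {x.upper().removeprefix("CAP_") for x in host.get(key) or []}

def audit(inspect_json):
    """Return a list of findings for the first container in `docker inspect` output."""
    c = json.loads(inspect_json)[0]
    host, cfg, out = c["HostConfig"], c["Config"], []
    extra = caps(host, "CapAdd") - ALLOWED_CAPS
    if not host.get("ReadonlyRootfs"):
        out.append("root filesystem is writable")
    if "ALL" not in caps(host, "CapDrop"):
        out.append("capabilities are not dropped with ALL")
    if extra:
        out.append("unexpected capabilities: " + ",".join(sorted(extra)))
    opts = {o.replace(":", "=") for o in host.get("SecurityOpt") or []}
    if not opts & {"no-new-privileges", "no-new-privileges=true"}:
        out.append("no-new-privileges is not set")
    env = dict(e.split("=", 1) for e in cfg.get("Env") or [] if "=" in e)
    pw = env.get("MANAGEMENT_PASSWORD", "")
    if pw == DOC_EXAMPLE_HASH:
        out.append("MANAGEMENT_PASSWORD is the documentation example hash")
    elif not pw.startswith("{"):
        out.append("MANAGEMENT_PASSWORD is unset or plain text")
    elif pw.startswith("{pbkdf2-sha512}") and not HASH_RE.fullmatch(pw):
        out.append("MANAGEMENT_PASSWORD hash is malformed (unescaped $ in Compose?)")
    tag = cfg.get("Image", "").rsplit("/", 1)[-1]
    if ":" not in tag or tag.endswith(":latest"):
        out.append("image is not pinned to a release")
    return out

# Constructed sample: a hash written with single $ in a Compose file, so Compose blanked $pbkdf2, $i, ...
SAMPLE = json.dumps([{
    "Config": {"Image": "radiator-server:latest", "Env": ["TMPDIR=/var/lib/radiator/tmp",
        "MANAGEMENT_PASSWORD={pbkdf2-sha512}-sha512=210000,l=64/tODj3d9OLyZIpHuAQOc2YwlHDd/ceKovdbnPr1hPvY26VnxCYvDnbVRZ9dSgYd5QyTjRQ"]},
    "HostConfig": {"ReadonlyRootfs": True, "Memory": 1 << 30, "CapDrop": ["ALL"],
                   "CapAdd": ["NET_ADMIN", "NET_RAW", "NET_BIND_SERVICE"],
                   "SecurityOpt": ["no-new-privileges=true"]}}])

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a real deployment, pass the output of docker inspect radiator-server to audit() in place of SAMPLE.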
