This document contains commands to deploy and manage PAC Reader using dux CLI.
Dux can be installed on Linux, Mac OS and Windows.
Dux for Linux (RHEL) can be installed using the package managers - yum or dnf.
Note: If you had installed the Beta version 2.0.0.3 earlier, please perform the following steps to cleanup before proceeding with installation:
# Remove dux.repo
sudo rm /etc/yum.repos.d/dux.repo
#Clean the package manager cache
sudo yum clean all
or
sudo dnf clean all
Create dux.repo and install
$ cat << EOF | sudo tee /etc/yum.repos.d/dux.repo
[dux]
name=Omnissa CLI - dux
baseurl=https://packages.omnissa.com/ws1-tunnel/dux
enabled=1
gpgcheck=0
EOF
#If using yum:
$ sudo yum install -y dux
# If using dnf
$ sudo dnf install -y dux
After installation the following directory structures will be created:
/opt/omnissa/dux/
/opt/omnissa/dux/images/
/opt/omnissa/dux/logs/
$ cd /opt/omnissa/
$ ls -ltr
drwxr-xr-x. 4 root root 32 Feb 16 17:59 dux
$ cd dux/
$ ls -ltr
total 0
drwxr-xr-x. 2 root root 6 Feb 16 13:27 logs
drwxr-xr-x. 2 root root 6 Feb 16 13:27 images
$ which dux
/usr/bin/dux
Download the dux rpm as per the architecture of the host from where dux would be executed (x86_64 for AMD/Intel or aarch64 for ARM/Apple M1).
For example, if OS is Linux and Arch is amd64, the rpm dux-
The url to download the rpms for Dux 3.0 is as follows:
For AMD64/Intel: https://packages.omnissa.com/ws1-tunnel/dux/3.0.0.641/dux-3.0.0.641-1.x86_64.rpm
For ARM64/Apple Silicon: https://packages.omnissa.com/ws1-tunnel/dux/3.0.0.641/dux-3.0.0.641-1.aarch64.rpm
# download and install manually
$ wget <url to download> Or download manually
$ sudo rpm -i dux-3.0.0.641-1.x86_64.rpm
installed
$ cd /opt/omnissa/
$ ls -ltr
drwxr-xr-x. 4 root root 32 Feb 16 17:59 dux
$ cd dux/
$ ls -ltr
total 0
drwxr-xr-x. 2 root root 6 Feb 16 13:27 logs
drwxr-xr-x. 2 root root 6 Feb 16 13:27 images
$ which dux
/usr/bin/dux
$ dux version
Omnissa CLI - dux
3.0.0.641
Note: If you had an older version of Dux package installed by rpm, please ensure to delete the package before installing
sudo rpm -e <package_name>
Dux can be installed on Mac OS using the package manager - brew.
$ brew tap wsonetunnel/tunnel
$ brew install dux
After installation the following directory structures will be created based on if you are using Mac on Intel (AMD64) or Mac on Apple Silicon (ARM):
For Mac OS on Intel/AMD64:
/usr/local/var/opt/omnissa/dux/
/usr/local/var/opt/omnissa/dux/images
/usr/local/var/opt/omnissa/dux/logs
For Mac OS on Apple Silicon/ARM64:
/opt/homebrew/var/opt/omnissa/dux/
/opt/homebrew/var/opt/omnissa/dux/images/
/opt/homebrew/var/opt/omnissa/dux/logs/`
# For example
$ cd /usr/local/var/opt/omnissa/dux/
$ ls -ltr
total 0
drwxr-xr-x. 2 root root 6 Feb 16 13:27 logs
drwxr-xr-x. 2 root root 6 Feb 16 13:27 images
$ which dux
/usr/local/bin/dux
The default path where dux looks for PAC Reader images is the directory images based on the platform as mentioned above.
The logs of execution of dux (dux.log, pacreader logs) are stored under the directory logs based on the platform as mentioned above.
To update the dux version for Mac OS if you had installed an older version earlier:
brew update
brew upgrade dux
To install Dux for Windows, download the msi installer from the url based on the architecture: to be updated
For AMD64/Intel: https://packages.omnissa.com/ws1-tunnel/dux/3.0.0.641/dux-windows-amd64.msi
For ARM64/Apple Silicon: https://packages.omnissa.com/ws1-tunnel/dux/3.0.0.641/dux-windows-arm64.msi
C:\Program Files\Omnissa\DuxAfter installation, the following directory structures will be created under the selected installation directory:
<INSTALL_DIR>\images
<INSTALL_DIR>\logs
If Dux is installed in a protected directory (e.g., C:\Program Files), you must run PowerShell or Command Prompt as an administrator to execute Dux commands.
Get the version of Dux cli deployed
$ dux version
Omnissa CLI - dux
3.0.0.641
$ dux help
CLI to deploy and manage containers based on the manifest file
Usage:
dux [command]
Available Commands:
eic CLI to deploy and manage EIC containers
pacreader CLI to deploy and manage PAC Reader container
seg CLI to deploy and manage SEG containers
tunnel CLI to deploy and manage Tunnel containers
version Get the version of dux
Flags:
-h, --help Print help information
Use "dux [command] --help" for more information about a command.
In the host/VM from where dux is to be installed and run:
a. AlmaLinux, CentOS/RHEL, macOS or Windows
b. SSH (Secure Shell) should be installed and running on your local Mac/Linux/Windows machine. You can verify this by opening a terminal and typing ssh followed by pressing Enter. If SSH is installed, you will see a list of available options. If not, please install SSH using the appropriate package manager for your system.
c. SSH keys need to be set up for users to log in to the remote VMs (where PAC Reader is to be deployed) securely without passwords. If you haven't set up SSH keys before, follow these steps:
i. Generate SSH keys using the command: For example: ssh-keygen -t rsa.
ii. Follow the prompts to create the SSH keys. By default in Linux and Mac OS, they will be saved in ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key) if RSA is chosen. In Windows, the default path for the keys will be in C:\Users<user_name>.ssh
iii. Copy the contents of the public key (id_rsa.pub) to the remote VM's ~/.ssh/authorized_keys file.
You can use the ssh-copy-id command for this purpose: ssh-copy-id username@remote_host.
Note that on Windows, PowerShell and Command Prompt do not include ssh-copy-id. Users must manually copy the public key using scp, sftp, or append/paste it manually to authorized_keys.
Please note that if using Git Bash or WSL on Windows, ssh-copy-id might be available.
d. If you wish to enable ssh_host_key_check in the ts_manifest.yml, ensure that the known_hosts file exists on your local machine.
This file is used to store information about host keys for SSH connections. If it doesn't exist, it will be created automatically when you connect to a remote host for the first time/when running dux commands.
If the known_hosts file does not exist, follow these steps to create it:
ssh username@remote_host.yes and press Enter to continue.known_hosts file on your local machine.e. PAC Reader docker image bundle (tar.gz) has to be downloaded and should be available in the host from where the cli will be run.
f. Ensure the image is available in the default path - This step is applicable only after dux is installed and the folder structure is created.
For dux on Linux:
Use /opt/omnissa/dux/images/
For dux on macOS
Use /usr/local/var/opt/omnissa/dux/images for macOS on Intel/AMD64
Use /opt/homebrew/var/opt/omnissa/dux/images/ for macOS on Apple Silicon/ARM64
For dux on Windows
Use <INSTALL_DIR>\images - where INSTALL_DIR is the directory chosen by user during installation of dux
The dux tool will use the container image from the above folder path by default. A custom folder may be used. Ensure the complete full directory path is provided in the manifest file if using a custom folder.
In the Linux VMs/hosts where PAC Reader container needs to be deployed:
a. SSH has to be enabled in the remote host/VM and SSH server daemon sshd has to be running in the remote host.
For example, in AlmaLinux check if sshd is running with the command: systemctl status sshd.
b. Docker/Podman/Podman-docker has to be installed and running in the Linux host/VM. Currently Snap docker (if ubuntu) is not supported.
Please ensure to install Docker CE/Podman/Podman-docker.
i. Dux commands perform docker operations using the 'docker' command. If Podman is installed on the VM, a symbolic link from podman to /usr/bin/docker is required to ensure compatibility.
The dry-run command (dux deploy -d) automatically creates this symlink if needed. Alternatively, the user can manually create it using the following command: `sudo ln -sf $(which podman) /usr/bin/docker`
c. Ensure that the user can do sudo without password in the remote VM/host where PAC Reader container needs to be deployed
i.e In the sudoers file in the remote host, add an entry to grant passwordless access to your desired user.
To allow users to execute commands with sudo privileges without entering a password on the remote VM, follow these steps:
i. SSH to the remote VM as a user with administrative privileges.
ii. Edit the sudoers file using the command: sudo visudo.
iii. Add the following line to the end of the file to grant sudo privileges without password prompt: Replace username with the actual username of the user.
username ALL=(ALL) NOPASSWD: ALL
iv. Save and exit the sudoers file.
d. Connectivity to UEM Console API.
e. Connectivity to AWCM.
f. If running cascade mode, Front-end to Back-end connection (direct or load-balanced) is required.
The dux CLI tool supports deploying and managing multiple types of containers, including PAC Reader, PAC (Proxy Auto Configuration) Reader, SEG (Secure Email Gateway), and EIC (Endpoint Integrity Check) policy engine.
This section explains how to use dux to deploy and manage different containers based on the container type.
The dux init command prompts the user to select the container type they want to initialize. Based on the selection, the CLI generates a manifest file template specific to the selected container type. This manifest file contains the necessary configuration parameters for deploying the container.
Example:
$ dux init
Select a container type to initialize:
1. Tunnel
2. EIC
3. PAC Reader
4. SEG
Enter the number of the container type: 3
PAC Reader manifest file successfully created at: /opt/omnissa/dux/pr_manifest.yml
The generated manifest file is stored in the default directory based on the platform as outlined in the Installation section.
** Behavior Based on Manifest Files **
If only one manifest file is present in the default directory, dux commands automatically use that manifest file.
If multiple manifest files are present, the user must select a container type or explicitly specify it in the command.
This flexibility allows users to manage multiple container types efficiently using the dux CLI tool.
If only one type of container is deployed (i.e., only one manifest file is present in the default directory), all dux commands work as usual without requiring the user to specify the container type.
Example (if only ts_manifest.yml was present in the default directory):
$ dux status
Status of PAC Reader container deployed
1. Host: 10.87.132.166 Status: Not Deployed
If multiple containers are deployed or multiple manifest files are present in the default directory, dux commands prompt the user to select a container type before executing the command.
Example:
Multiple manifests found. Please select a container type:
1. Tunnel (/opt/omnissa/dux/ts_manifest.yml)
2. PAC Reader (/opt/omnissa/dux/pr_manifest.yml)
3. EIC (/opt/omnissa/dux/eic_manifest.yml)
4. SEG (/opt/omnissa/dux/seg_manifest.yml)
Enter the number of the container: 2
Status of PAC Reader container deployed
1. Host: 10.87.132.166
Health check: 200 OK Version: 1.5
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
31bcf862040f pacreader 0.04% 53.14MiB / 7.503GiB 0.69% 0B / 0B 0B / 3.13MB 6
PAC Service Status: UP | PAC Last Upload: 2025-07-08T09:01:43Z | PAC Next Upload: 2025-07-08T09:08:23Z
To avoid prompts, you can explicitly specify the container type in the command using the format:
Example:
$ dux pacreader status
Status of PAC Reader container deployed
1. Host: 10.87.132.166
Health check: 200 OK Version: 1.5
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
31bcf862040f pacreader 0.04% 53.14MiB / 7.503GiB 0.69% 0B / 0B 0B / 3.13MB 6
PAC Service Status: UP | PAC Last Upload: 2025-07-08T09:01:43Z | PAC Next Upload: 2025-07-08T09:08:23Z
For PAC reader container commands, dux commands can be specified as dux pacreader <dux_command> <args>
This command creates a sample manifest file for configuring PAC Reader for deployment.
Note that the init command should be run the first time a container type is deployed, as it generates the manifest template file necessary for deployment.
This command creates a sample manifest (pr_manifest.yml) under the directory dux based on the platform (by default). If you wish to use a different path where the files need to be created the command "dux init <some_path>" can be given. Please ensure to specify the path of manifest with -m option in the other commands.
For example, in Linux VM where dux is installed:
$ dux init --help
Select a container type to initialize:
1. Tunnel
2. EIC
3. PAC Reader
4. SEG
Enter the number of the container type: 3
Create a manifest file for configuring PAC Reader details for deployment and management
Usage:
dux pacreader init [path] [flags]
Examples:
dux pacreader init # initialize manifest under default path (/opt/omnissa/dux/)
dux pacreader init /some/path # initialize manifest under the specified path
Global Flags:
-h, --help Print help information
-v, --verbose Show verbose logs
$ dux init
Select a container type to initialize:
1. Tunnel
2. EIC
3. PAC Reader
4. SEG
Enter the number of the container type: 3
Deployment manifest initialized successfully in /opt/omnissa/dux/
$cd /opt/omnissa/dux
abc@abc dux $ ls -ltr
total 16
drwxr-xr-x 3 abc xyz 96 Feb 16 18:12 images
-rw-r--r-- 1 abc xyz 2335 Feb 19 11:11 example.pfx
-rw-r--r-- 1 abc xyz 2335 Feb 19 11:11 example.pac
-rw-r--r-- 1 abc xyz 2335 Feb 19 11:11 pr_manifest.yml
drwxr-xr-x 9 abc xyz 288 Feb 19 11:11 logs
Edit pr_manifest.yml generated in an editor of your choice.
Please refer to the section "Points to be noted while editing pr_manifest.yml" under Troubleshooting section.
Here are a few parameters:
# Enter the filename of the image or the repo path to deploy below.
# File: This must match against the PAC Reader image filename from the default directory (refer to the note below) or the absolute path.
# example: 29-2023.06.14-22e04910.tar.gz or /home/admin/29-2023.06.14-22e04910.tar.gz
# Note: The default directory where the images are recommended to be present is:
# - for linux: /opt/omnissa/dux/images
# - for Mac OS on Intel/AMD64: /usr/local/var/opt/omnissa/dux/images/
# - for Mac OS on Apple Silicon/ARM64: /opt/homebrew/var/opt/omnissa/dux/images/
# Repository: Repository path of the image with the tag can be given as well:
# For example: your-local-repo.com/<path>/pac-reader:<tag>
#Copy the bundle to the working directory
# eg. in Linux: cp ~/Downloads/23.12.14-2023.12.12-95068395.tar.gz /opt/omnissa/dux/images/
$ ls -ltr /opt/omnissa/dux/images
total 735112
-rw-r--r--@ 1 abc xyz 376374902 Feb 16 18:12 23.12.14-2023.12.12-95068395.tar.gz
#image_name in manifest
image_name: 23.12.14-2023.12.12-95068395.tar.gz
Enter desired log level for PAC Reader container
# Default value - Info
## 0 - Off
## 1 - Error
## 2 - Warning
## 3 - Info
## 4 - Debug
log_level: 4
Enter desired pac file refresh interval for PAC Reader container
# Refresh interval in secs for server traffic rule
## Optional: Input the interval. Default value - 300 secs
refresh_interval: 200
Input the local path of PAC file location or URL where PAC file will be downloaded from.
# - Linux: /opt/omnissa/dux/proxy.pac
# - Mac OS on Intel/AMD64: /usr/local/var/opt/omnissa/dux/proxy.pac
# - Mac OS on Apple Silicon/ARM64: /opt/homebrew/var/opt/omnissa/dux/proxy.pac
pac_file: /opt/homebrew/var/opt/omnissa/dux/example.pac
If URL configured for pac file path, then enter desired port number for the PAC URL.
# 0 ( Default) Use pac_location HTTP (80) or HTTPS (443) to determine
# 1-65535 - Enter user defined port number for the PAC URL
# Leave as is for Default value
port: 5545
Input the path of PFX/P12 file for UEM console authentication.
# - Linux: /opt/omnissa/dux/pac.p12
# - Mac OS on Intel/AMD64: /usr/local/var/opt/omnissa/dux/pac.p12
# - Mac OS on Apple Silicon/ARM64: /opt/homebrew/var/opt/omnissa/dux/pac.p12
pfx_file: /opt/homebrew/var/opt/omnissa/dux/example.pfx
Configure authentication type used for proxy during pacreader deployment.
# Note: Set 1 to configure proxy authentication during deployment.
# Set 0 to disable configuration of proxy authentication.
# This will start an interactive shell using dux to set the required auth types
capture_proxy_auth: 0
Configure 3rd party pac service monitor address and port
# PAC Monitoring Service Alert Target (Optional)
# PAC reader sends PAC service alerts in CEE-enhanced syslog format (RFC5424) with JSON payload.
# Example format:
# <15> @cee: {"event": "pac_service_status", "status": "running/stopped", ... }
#
# Supported protocol is UDP.
# Example:
# pac_service_monitor_address: 192.168.10.100
# pac_service_monitor_port: 9191
pac_service_monitor_address:
pac_service_monitor_port:
# Input the API Token for authenticating with the API server.
# Example:
# - api_token: 35nm0Ie5kIhWCuOyxvdLTymlTOP9bhgqIUwkKz
api_token:
If all hosts have common authentication credentials, you may want to use the parameter - ssh_login_credentials.
However if you want to use different set of credentials for a host, the parameter host_info can be used. Refer to the sub-section which talks about hosts below.
For authentication, provide the ssh user name and ssh key path below
Please ensure to create a ssh key and copy the key to the remote VMs. Refer to https://linuxhint.com/generate-ssh-keys-on-linux/
For example:
ssh_login_credentials:
ssh_user: root
# Input the path of ssh key - e.g /home/admin/id_rsa
ssh_key_path: /home/admin/id_rsa
## Optional: Input the ssh port. Default value - 22
#ssh_port:
SSH (Secure Shell) host key checking is a crucial security measure that helps verify the authenticity of a remote server before establishing a connection. When a client connects to a server for the first time, SSH presents the server's host key to the client. The client then checks this key against its list of known host keys to ensure it matches.
If the host key presented by the server matches an entry in the client's known_hosts file, the connection proceeds without interruption. However, if there's no match, SSH prompts the user to confirm the authenticity of the server by displaying the key fingerprint. This fingerprint serves as a unique identifier for the server's key.
The purpose of SSH host key checking is to prevent man-in-the-middle attacks, where an attacker intercepts communication between the client and server, posing as the legitimate server. By verifying the host key, SSH ensures that the client is connecting to the intended server and not a malicious entity.
By default the option to check host keys of remote VMs is enabled and the user will be prompted. If you do not wish to receive the prompts, ssh_host_key_check can be set to 0 to disable the check.
# SSH Host key check - verify the identity of the remote host
# By default this is enabled and the user will be prompted to confirm the fingerprint of the public key of the remote host.
# If disabled, dux will connect similar to the ssh option StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null
# 1 - enable host key checking
# 0 - disable host key checking
ssh_host_key_check: 1
Fill in the IP address of a host where PAC Reader container needs to be deployed.
For example:
hosts:
# Enter IP address of the host below
- address: 1.2.3.4
If both ssh_key_path and ssh_password are provided, ssh_key_path is preferred. Note that for security reasons, giving password information in manifest is not recommended. But it is still provided as an option.
The values can be passed as environment variables.
If all hosts have common ssh credential info, you may use the global parameter: ssh_login_credentials mentioned in the section above.
If both host_info and ssh_login_credentials are given, the credentials under host_info are preferred.
For example:
host_info:
ssh_user: admin
## Input the path of ssh key - e.g /home/admin/id_rsa
ssh_key_path: /home/admin/id_rsa
## For security reasons, the ssh_password is not recommended.
#ssh_password:
## Input the ssh port. Default value - 22
#ssh_port:
If host entries need to be specified (e.g if outbound proxy is not in DNS in remote network ) in the remote host, specify the host names and ip addresses in this section.
# Add entries to the container hosts file to manually link FQDN to IP address
# Format:
## - host_name:
## ip_address:
host_entries:
- host_name: example.com
ip_address: 1.2.3.4
The details of UEM profile such as UEM url, Group Id/ tunnel configuration id of the OG needs to be input in this section.
If tunnel_config_id is left blank, the organization Group ID is used to fetch the configuration.
Note that the tunnel_config_id parameter is supported only if UEM console supports multi-tunnel configuration feature which is from UEM Console version-23.06 onwards. If you are using an older UEM console version, please user group_id field.
For example:
uem:
# The Workspace ONE UEM API server URL. The destination URL must contain the protocol and hostname or IP address
# Example: load-balancer.example.com
url: example.ssdevrd.com
# Input the API Token for authenticating with the API server.
# Example:
# - api_token: 35nm0Ie5kIhWCuOyxvdLTymlTOP9bhgqIUwkKz
api_token:
# Omnissa Tunnel Configuration ID configured in the Workspace ONE UEM Console.
# This field is supported only if the UEM console supports multi-tunnel configuration feature (from UEM Console version 23.06 onwards).
# If left blank, default configuration from the specified organization group will be fetched.
tunnel_config_id:
# The organization group ID in Workspace ONE UEM Console where Tunnel is configured.
group_id:
# - Linux: /opt/omnissa/dux/pac.p12
# - Mac OS on Intel/AMD64: /usr/local/var/opt/omnissa/dux/pac.p12
# - Mac OS on Apple Silicon/ARM64: /opt/homebrew/var/opt/omnissa/dux/pac.p12
pfx_file: /opt/homebrew/var/opt/omnissa/dux/example.pfx
Once the manifest is updated, deploy command can be run to deploy the PAC Reader container in the host specified.
$ dux pacreader deploy -h
Deploy PAC Reader container
Usage:
dux pacreader deploy [flags]
Flags:
-d, --dry-run Check if manifest is good to deploy
-p, --ip stringArray Hostname or IP as specified in the manifest to deploy on a single host
-m, --manifest-file string The manifest file used to deploy (default "/opt/omnissa/dux/pr_manifest.yml")
-u, --pfx-password string The password to authenticate with the Workspace ONE UEM API server.
-q, --quiet Quiet mode: interactive ssh password prompts are disabled
-y, --yes Auto accept all prompts
Global Flags:
-h, --help Print help information
-v, --verbose Show verbose logs
To catch if the manifest is syntactically correct, run "deploy --dry-run or -d ".
Following checks are done when dux pacreader deploy --dry-run command is run:
$ dux pacreader deploy -d
Manifest file syntax validation is successful
Verifying deployment prerequisites on 192.168.99.185
Verifying docker is installed and running on 192.168.99.185
Host 192.168.99.185 is good to deploy
Manifest file and host are good to deploy!
#In case of error in the manifest, for example, if tunnel_config_id was not filled up, you may get an error like below:
$ dux pacreader deploy -d
Manifest verification failed error="Incorrect data in manifest: the group_id field is required if tunnel_config_id is not populated"
For security requirements, when dux commands are executed, host key verification is done during the SSH handshake at the first time. If the host is unknown, a prompt is displayed to check the fingerprint of the host's key. If the user confirms the host key is correct, the host is added to known hosts.
If the fingerprint of the host changes, the user is prompted again to ensure there is no intruder attack.
The authenticity of host '192.168.99.185:22' can't be established.
Fingerprint of the host's key:SHA256:AOy8f1sChEM7xLJyYP190vjjVxDLYI9ORDaKZCNKzzE
Do you want to continue connecting? (yes/no):
This command deploys the pacreader container in the host as listed in manifest, and as per the UEM configuration defined. The image is copied to remote host which will take few minutes depending on the network connectivity.
Note:
#Sample run
$ dux pacreader deploy
Enter PFX file Password:
Enter API Token:
Preparing for PAC Reader container deployment on 10.87.132.186
Copying PAC Reader container image to remote. Please wait..
Progress 100% |██████████████████████████████████████████████████████████████████████████████████████| (376/376 MB, 7.5 MB/s)
Deploying new PAC Reader container on 10.87.132.186
PAC Reader container ID: 5a3cfd0f45741379e0a61e8c4847eebeb75043e94d2b74d5c1cf97015cfa0fdf
Deploy command has completed on 10.87.132.186
——
#### To use a different manifest
To use a manifest from a different path -m flag can be used. If not specified, pr_manifest.yml from the directory where dux is run from is used by default.
#For eg.
$ dux pacreader deploy -m ~/Downloads/pr_manifest_xyz.yml
#### To deploy PAC Reader container in specific remote host
To deploy PAC Reader container in a remote host specified by ip in manifest.
#For eg.
$ dux pacreader deploy -p 1.2.3.4
# To give PFX file password as command line option:
$ dux pacreader deploy -u <pfx_password>
Once the deployment of container is successful, other commands can be used to check status of deployment, fetch logs, stop, restart, and even destroy the deployments.
$ dux pacreader status -h
Get the status of the PAC Reader container deployed
Usage:
dux pacreader status [flags]
Flags:
-p, --ip stringArray Hostname or IP as specified in the manifest for filtering
-j, --json Get status of PAC Reader container in json format
-m, --manifest-file string Custom manifest file path (default "/opt/omnissa/dux/pr_manifest.yml")
-q, --quiet Quiet mode: interactive ssh password prompts are disabled
Global Flags:
-h, --help Print help information
-v, --verbose Show verbose logs
#To get status of all deployments - sample run. In this case, one of the deployments is not in Running state, hence shows Down as status
$ dux pacreader status
Status of PAC Reader container deployed
Host: 10.62.82.52 Version: n.feature_PPAT_2159_PAC_utility_Co.el9.90
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
88bc5a408286 pacreader 0.05% 29.18MiB / 7.503GiB 0.38% 0B / 0B 0B / 647kB 6
PAC Service Status: UP | PAC Last Upload: 2025-06-26T14:15:53Z | PAC Next Upload: 2025-06-26T14:20:53Z
#Get status of a host by IP
#Multiple ips can be specified too. eg. dux status -p 1.2.3.4 -p 1.2.3.5
$ dux pacreader status -p 10.87.132.110
Fetch logs from the deployed container. If the container deployment is down, the docker logs of the container are fetched.
Note that the logs are stored in the logs directory based on the platform.
For linux: /opt/omnissa/dux/logs/
For Mac OS on Intel (AMD64): /opt/omnissa/dux/logs
For Mac OS on Apple Silicon (ARM64): /opt/homebrew/var/opt/omnissa/dux/logs
For Windows: <INSTALL_DIR>\logs
The option -f can be used to continously view the docker logs output of a PAC Reader container deployed till Ctrl-C is given.
# logs help
$ dux pacreader logs -h
Get logs from the PAC Reader container deployed
Usage:
dux pacreader logs [flags]
Flags:
-f, --follow Follow/View logs of a PAC Reader container specified by ip (-p) option
-p, --ip stringArray Hostname or IP as specified in the manifest for filtering
-m, --manifest-file string Custom manifest file path (default "/opt/omnissa/dux/pr_manifest.yml")
-q, --quiet Quiet mode: interactive ssh password prompts are disabled
Global Flags:
-h, --help Print help information
-v, --verbose Show verbose logs
#Get logs of a container deployed as per manifest
#Sample run - Note if the deployment is not up, the container logs are fetched.
$ dux pacreader logs
Retrieve PAC Reader container logs from 10.87.132.186
Copy log bundle from Remote to Local machine..
Logs from 10.87.132.186 downloaded at: /opt/omnissa/dux/logs/pacreader.10.87.132.186_20240219184004.tar.gz
#Logs from a deployment can be obtained by specifying IP as per the manifest
#eg.
# dux pacreader logs -p 1.2.3.4
#To continuously view/follow the run logs of container , give -f option for the specific node/host ip
# dux pacreader logs -f
#Press Ctrl-C to stop viewing
In case a PAC Reader container needs to be stopped for some reason, dux pacreader stop command can be given.
# stop help
$ dux pacreader stop -h
Stop PAC Reader container on a given host from the manifest file. To restart the container again, you may use dux pacreader restart command.
Usage:
dux pacreader stop [flags]
Flags:
-p, --ip stringArray Hostname or IP as specified in the manifest for filtering
-m, --manifest-file string Custom manifest file path (default "/opt/omnissa/dux/pr_manifest.yml")
-q, --quiet Quiet mode: interactive ssh password prompts are disabled
-y, --yes Auto accept all prompts
Global Flags:
-h, --help Print help information
-v, --verbose Show verbose logs
# Stop all deployments
$ dux pacreader stop
Are you sure you want to stop the PAC Reader container deployed in host given in the manifest?
ip : 10.62.82.52
Please confirm (y/n):
PAC Reader container was successfully stopped on 10.87.132.186
#Deployment of PAC Reader container can be stopped by specifying IP as per the manifest
#eg.
# dux pacreader stop -p 1.2.3.4
#To auto accept all prompts for y/n , -y option can be given
#eg.
# dux pacreader stop -y
Stopped container can be restarted by "dux pacreader restart" command
#restart help
$ dux pacreader restart -h
Restart the PAC Reader container on a given host
Usage:
dux pacreader restart [flags]
Flags:
-p, --ip stringArray Hostname or IP as specified in the manifest for filtering
-m, --manifest-file string Custom manifest file path (default "/opt/omnissa/dux/pr_manifest.yml")
-q, --quiet Quiet mode: interactive ssh password prompts are disabled
-y, --yes Auto accept all prompts
Global Flags:
-h, --help Print help information
-v, --verbose Show verbose logs
#Restart all deployments
#Sample run
$ dux pacreader restart
Are you sure you want to restart PAC Reader deployment on 10.87.132.186 (y/n)?: n
Are you sure you want to restart PAC Reader deployment on 192.168.99.185 (y/n)?: y
PAC Reader container was successfully restarted on 192.168.99.185
#Deployment of PAC Reader container can be restarted by specifying IP as per the manifest
#eg.
# dux pacreader restart -p 1.2.3.4
#To auto accept all prompts for y/n , -y option can be given
#eg.
# dux pacreader restart -y
If you wish to start a shell with PAC Reader container you can use the command 'exec-shell'
$ dux pacreader exec-shell -h
Open interactive shell with PAC Reader container
Usage:
dux pacreader exec-shell [flags]
Flags:
-p, --ip stringArray Hostname or IP as specified in the manifest for filtering
-m, --manifest-file string Custom manifest file path (default "/opt/omnissa/dux/pr_manifest.yml")
-q, --quiet Quiet mode: interactive ssh password prompts are disabled
Global Flags:
-h, --help Print help information
-v, --verbose Show verbose logs
$ dux pacreader exec-shell
Starting the interactive shell with PAC Reader container in host: 10.62.82.52
[root@alma vpnd]# pwd
/opt/omnissa/tunnel/pacreader
To stop and remove the deployed container from the remote host, dux pacreader destroy command can be used.
#destroy command help
$ dux pacreader destroy -h
Destroy the PAC Reader container on a given host
Usage:
dux pacreader destroy [flags]
Flags:
-p, --ip stringArray Hostname or IP as specified in the manifest for filtering
-m, --manifest-file string Custom manifest file path (default "/opt/omnissa/dux/pr_manifest.yml")
-q, --quiet Quiet mode: interactive ssh password prompts are disabled
-y, --yes Auto accept all prompts
Global Flags:
-h, --help Print help information
-v, --verbose Show verbose logs
#Destroy all deployments
#Sample run
$ dux pacreader destroy
Are you sure you want to destroy the PAC Reader container deployed on a host given in the manifest?
ip : 10.62.82.52
Please confirm (y/n):
PAC Reader container was successfully destroyed on 10.87.132.186
#Deployment of PAC Reader can be destroyed by specifying IPs as per the manifest
#eg.
# dux pacreader destroy -p 1.2.3.4
#To auto accept all prompts for y/n , -y option can be given
#eg.
# dux pacreader destroy -y
Update deployed container from the remote PAC Reader host, dux pacreader update command can be used.
#update command help
$ dux pacreader update -h
Update the PAC Reader container on given host with new runtime values.
⚠️ NOTE: This command overrides the current container settings without modifying pr_manifest.yml.
To avoid rollback on the next deploy, update the manifest file manually after using this command.
Usage:
dux pacreader update [flags]
Flags:
-p, --ip stringArray Hostname or IP as specified in the manifest for filtering
-l, --log-level string Update log level for PAC Reader container (e.g., --log-level 4 [debug=4, info=3, warn=2, error=2, off=0])
-m, --manifest-file string Custom manifest file path (default "/opt/omnissa/dux/pr_manifest.yml")
-a, --proxy-auth Update proxy auth for PAC Reader container
-q, --quiet Quiet mode: interactive ssh password prompts are disabled
-r, --refresh int Update pac refresh interval in seconds for PAC Reader container
-y, --yes Auto accept all prompts
Global Flags:
-h, --help Print help information
-v, --verbose Show verbose logs
#Destroy all deployments
#Sample run
# Update the log level on PAC Reader container
$ dux pacreader update -l 4
Updating log level for PAC Reader container on 10.62.82.52 to level 5
PAC Reader container was successfully restarted on 10.62.82.52
# Update the refresh interval on PAC Reader container
$ dux pacreader update -r 300
Updating pac refresh interval for PAC Reader container on 10.62.82.52 to 300 seconds
PAC Reader container was successfully restarted on 10.62.82.52
# Update the proxy auth on PAC Reader container
$ dux pacreader update -a
If you wish to get verbose logs for any command, use the -v or --verbose option.
For example:
$ dux pacreader deploy -v
For any installation issues please refer to the package manager instructions (yum/dnf/brew) for the specific error.
For example, if you are using dnf and encounter issues with installing dux, check if the cache is updated. Try "dnf makecache" to update metadata cache.
Ensure "dux pacreader init" command is run the first time.
Do a dry-run before deploying to ensure there are no issues with the manifest, and to ensure that the deployment pre-requisites are met.
dux pacreader deploy -d
For any issues, please check the file dux.log under logs directory as per the platform - for e.g /opt/omnissa/dux/logs/dux.log in Linux.
If docker is installed with snap in the Linux system, you may encounter permission issues during deployment of PAC Reader container.
Ubuntu commonly uses snap to install packages.
If snap docker is used it is recommended to uninstall snap docker, and install docker as mentioned in https://docs.docker.com/engine/install/ubuntu/ .
sudo snap remove docker --purge
sudo reboot
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin
Note: Please check if there are other containers running in your VM with snap docker. While technically possible, running both Snap Docker and Docker CE on the same Ubuntu system is generally not recommended due to the potential for conflicts and complexity - wrt port usage, networking, system resources usage etc.
Please ensure the conditions in the Prerequisites section are met.
To avoid errors while editing the pr_manifest.yml, please refer to the following guide:
Open the YAML File
Understand YAML Syntax
: and then the corresponding value.image_name: PacReaderContainer_23.12.1.7.tar.gzMake Changes
#) in the YAML file as they provide context or explanations about specific entries.Save Changes
Ctrl + S (Linux) or Cmd + S (Mac)..yml extension to maintain its YAML format.Validate Changes (Optional)
Backup (Optional but Recommended)
Sample pr_manifest.yml file for reference
# Version number for the PAC Reader deployment manifest. This is auto generated and should not be altered.
version: "3.0.0.641"
pac_reader:
# Enter the filename of the image or the repo path to deploy below.
# File: This must match against the PAC Reader image filename from the default directory (refer to the note below) or the absolute path.
# example: 29-2023.06.14-22e04910.tar.gz or /home/admin/29-2023.06.14-22e04910.tar.gz
# Note: The default directory where the images are recommended to be present is:
# - for linux: /opt/omnissa/dux/images
# - for Mac OS on Intel/AMD64: /usr/local/var/opt/omnissa/dux/images/
# - for Mac OS on Apple Silicon/ARM64: /opt/homebrew/var/opt/omnissa/dux/images/
# Repository: Repository path of the image with the tag can be given as well:
# For example: your-local-repo.com/<path>/pac-reader:<tag>
image_name:
# Enter the desired log level while deploying the PAC Reader container
# Default value - Info
## 0 - Off
## 1 - Error
## 2 - Warning
## 3 - Info
## 4 - Debug
log_level:
# Refresh interval in secs for server traffic rule
## Optional: Input the interval. Default value - 300
#refresh_interval: 300
# Input the local path of PAC file location or URL where PAC file will be downloaded from
# Example:
# - Linux: /opt/omnissa/dux/proxy.pac
# - Mac OS on Intel/AMD64: /usr/local/var/opt/omnissa/dux/proxy.pac
# - Mac OS on Apple Silicon/ARM64: /opt/homebrew/var/opt/omnissa/dux/proxy.pac
pac_file:
# Enter the desired PAC file download port number
# 0 ( Default) Use pac_location HTTP (80) or HTTPS (443) to determine
# 1-65535 - Enter user defined port number for the PAC URL
# Leave as is for Default value
port:
# Capture Proxy Auth
# Note: Set 1 to configure proxy authentication during deployment.
# Set 0 to disable configuration of proxy authentication.
# This will start an interactive shell using dux to set the required auth types
capture_proxy_auth: 0
# PAC Monitoring Service Alert Target (Optional)
# PAC reader sends PAC service alerts in CEE-enhanced syslog format (RFC5424) with JSON payload.
# Example format:
# <15> @cee: {"event": "pac_service_status", "status": "running/stopped", ... }
#
# Supported protocol is UDP.
# Example:
# pac_service_monitor_address: 192.168.10.100
# pac_service_monitor_port: 9191
pac_service_monitor_address:
pac_service_monitor_port:
# If all hosts have common authentication credentials, you may want to use the parameter - ssh_login_credentials
# For authentication, provide the ssh user name and ssh key path below
# If all hosts use a different SSH port other than 22, uncomment the `ssh_port` parameter and enter the port number.
# If not provided, default value of 22 will be used.
ssh_login_credentials:
ssh_user:
# Input the path of ssh key - e.g /home/admin/id_rsa
ssh_key_path:
## Optional: Input the ssh port. Default value - 22
#ssh_port:
# SSH Host key check - verify the identity of the remote host
# By default this is enabled and the user will be prompted to confirm the fingerprint of the public key of the remote host.
# If disabled, dux will connect similar to the ssh option StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null
# 1 - enable host key checking
# 0 - disable host key checking
ssh_host_key_check: 1
# Input docker host information for PAC Reader container deployment. Add an entry for each host.
hosts:
# Enter IP address of the host below
- address:
## For information specific to this host, uncomment 'host_info' and the parameters under it as needed.
## For authentication info specific to this host, uncomment the 'ssh_user' and 'ssh_key_path/ssh_password' as needed.
## If both 'ssh_key_path' and 'ssh_password' are provided, 'ssh_key_path' is preferred.
## The values can also be passed as environment variables.
## If all hosts have common ssh credential info/ssh port info, you may use the global parameter: 'ssh_login_credentials'
## If both 'host_info' and 'ssh_login_credentials' are given, the credentials under 'host_info' are preferred.
## SSH Port information
## If the host uses a different SSH port other than 22, uncomment the `ssh_port` parameter and enter the port number.
## If not provided, default value of 22 will be used.
#host_info:
#ssh_user:
## Input the path of ssh key - e.g /home/admin/id_rsa
#ssh_key_path:
## For security reasons, the ssh_password is not recommended.
#ssh_password:
## Input the ssh port. Default value - 22
#ssh_port:
# Add entries to the container hosts file to manually link FQDN to IP address
# Format:
## - host_name:
## - ip_address:
host_entries:
uem:
# The Workspace ONE UEM API Host server. The destination must contain the hostname or IP address
# Example: load-balancer.example.com
api_host: example.com
# Input the API Token for authenticating with the API server.
# Example:
# - api_token: 35nm0Ie5kIhWCuOyxvdLTymlTOP9bhgqIUwkKz
api_token:
# Omnissa Tunnel Configuration ID configured in the Workspace ONE UEM Console.
# This field is supported only if the UEM console supports multi-tunnel configuration feature (from UEM Console version 23.06 onwards).
# If left blank, default configuration from the specified organization group will be fetched.
tunnel_config_id:
# The organization group ID in Workspace ONE UEM Console where Tunnel is configured.
group_id:
# Input the path of PFX/P12 file for UEM console authentication
# Example:
# - Linux: /opt/omnissa/dux/pac.p12
# - Mac OS on Intel/AMD64: /usr/local/var/opt/omnissa/dux/pac.p12
# - Mac OS on Apple Silicon/ARM64: /opt/homebrew/var/opt/omnissa/dux/pac.p12
pfx_file: