wazuh-docker
Persistent files that should not be kept
Because configuration changes made to files inside the /var/ossec directory must be preserved, and because configuration files added after the Wazuh manager has started must also persist, the deployment mounts volumes on several directories so that every added or modified file is kept:
- wazuh_api_configuration:/var/ossec/api/configuration
- wazuh_etc:/var/ossec/etc
- wazuh_logs:/var/ossec/logs
- wazuh_queue:/var/ossec/queue
- wazuh_var_multigroups:/var/ossec/var/multigroups
- wazuh_integrations:/var/ossec/integrations
- wazuh_active_response:/var/ossec/active-response/bin
- wazuh_agentless:/var/ossec/agentless
- wazuh_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
Because Docker mounts volumes on top of directories, the files that are part of the container image are not accessible: the files belonging to the mounted volume appear in that directory instead. Between minor version changes this does not cause problems, but in the case of a major update, as is the case with 4.4.0, we have encountered some inconveniences:
- Files that already existed appear in the directory, but changes made to them in the new image are not reflected, because the older files from the mounted volume are shown instead.
- New files do not appear in the corresponding directories, since they do not exist on the previously mounted volume.
We proceeded to verify the best way to correct this inconvenience, taking into account the actions performed by the package-based upgrade.
The solution that I followed was to overwrite all the configuration files of the Wazuh manager within the volumes (which should be those of the version 4.3 that was installed) with the files that Wazuh manager 4.4.0 brings, while leaving within the volumes any custom file that exists. This is the method followed by the DEB installation, and it leaves the Wazuh manager files at their defaults.
The following guide is described for a single-node deployment, and the commands are to be run inside the wazuh-docker repository directory.
To perform this action, it is first necessary to bring down the complete Wazuh stack:
# cd single-node
# docker-compose down
Keeping the volumes, change the tag to the new version of Wazuh manager:
# cd ..
# git checkout v4.4.0
# cd single-node
Inside the directory, modify the volumes mounted on the wazuh.manager service; this can be done with vi, nano or any other editor:
# vi docker-compose.yml
Within the file, comment out every line where a Docker volume is mounted in the wazuh.manager service container. If the deployment keeps the default directories and names, these are the lines to comment out:
# - wazuh_api_configuration:/var/ossec/api/configuration
# - wazuh_etc:/var/ossec/etc
# - wazuh_logs:/var/ossec/logs
# - wazuh_queue:/var/ossec/queue
# - wazuh_var_multigroups:/var/ossec/var/multigroups
# - wazuh_integrations:/var/ossec/integrations
# - wazuh_active_response:/var/ossec/active-response/bin
# - wazuh_agentless:/var/ossec/agentless
# - wazuh_wodles:/var/ossec/wodles
# - filebeat_etc:/etc/filebeat
# - filebeat_var:/var/lib/filebeat
With these lines commented out, start the stack again:
# docker-compose up -d
Once it is up and running, copy the container files to the corresponding Docker volumes. The commands below assume the default container name and the default path of the Docker volumes on the host; if either has been modified, reflect this in the commands before running them:
sudo docker cp single-node_wazuh.manager_1:/var/ossec/api/configuration/. - | sudo tar xf /dev/stdin -C /var/lib/docker/volumes/single-node_wazuh_api_configuration/_data/
sudo docker cp single-node_wazuh.manager_1:/var/ossec/etc/. - | sudo tar xf /dev/stdin -C /var/lib/docker/volumes/single-node_wazuh_etc/_data/
sudo docker cp single-node_wazuh.manager_1:/var/ossec/logs/. - | sudo tar xf /dev/stdin -C /var/lib/docker/volumes/single-node_wazuh_logs/_data/
sudo docker cp single-node_wazuh.manager_1:/var/ossec/queue/. - | sudo tar xf /dev/stdin -C /var/lib/docker/volumes/single-node_wazuh_queue/_data/
sudo docker cp single-node_wazuh.manager_1:/var/ossec/var/multigroups/. - | sudo tar xf /dev/stdin -C /var/lib/docker/volumes/single-node_wazuh_var_multigroups/_data/
sudo docker cp single-node_wazuh.manager_1:/var/ossec/integrations/. - | sudo tar xf /dev/stdin -C /var/lib/docker/volumes/single-node_wazuh_integrations/_data/
sudo docker cp single-node_wazuh.manager_1:/var/ossec/active-response/bin/. - | sudo tar xf /dev/stdin -C /var/lib/docker/volumes/single-node_wazuh_active_response/_data/
sudo docker cp single-node_wazuh.manager_1:/var/ossec/agentless/. - | sudo tar xf /dev/stdin -C /var/lib/docker/volumes/single-node_wazuh_agentless/_data/
sudo docker cp single-node_wazuh.manager_1:/var/ossec/wodles/. - | sudo tar xf /dev/stdin -C /var/lib/docker/volumes/single-node_wazuh_wodles/_data/
sudo docker cp single-node_wazuh.manager_1:/etc/filebeat/. - | sudo tar xf /dev/stdin -C /var/lib/docker/volumes/single-node_filebeat_etc/_data/
sudo docker cp single-node_wazuh.manager_1:/var/lib/filebeat/. - | sudo tar xf /dev/stdin -C /var/lib/docker/volumes/single-node_filebeat_var/_data/
These commands copy all the 4.4.0 configuration files from the container into the corresponding volumes, keeping the permissions and groups of the files and leaving any custom files in place.
Once all the files have been copied, uncomment the volume lines and start the stack again.
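The copy step above, driven from a table instead of eleven hand-written commands, as an added example script that is not part of the wazuh-docker repository. It assumes the compose project is called single-node and that the manager container follows the docker-compose v1 naming scheme (single-node_wazuh.manager_1), both overridable through the environment. Rather than hard-coding /var/lib/docker/volumes/<name>/_data, it asks Docker for each volume's mountpoint, and it refuses to touch the volumes unless the container is actually running, since docker cp needs it:

```shell
#!/bin/sh
# Added example, not part of the wazuh-docker repository: re-populate the
# persisted Wazuh manager volumes with the files shipped in the new image.
set -eu

# Assumptions: compose project "single-node", docker-compose v1 container
# naming. Override via the environment if your deployment differs.
PROJECT="${PROJECT:-single-node}"
CONTAINER="${CONTAINER:-${PROJECT}_wazuh.manager_1}"

# Container path -> compose volume name, the mapping used by the deployment.
VOLUME_MAP='
/var/ossec/api/configuration wazuh_api_configuration
/var/ossec/etc wazuh_etc
/var/ossec/logs wazuh_logs
/var/ossec/queue wazuh_queue
/var/ossec/var/multigroups wazuh_var_multigroups
/var/ossec/integrations wazuh_integrations
/var/ossec/active-response/bin wazuh_active_response
/var/ossec/agentless wazuh_agentless
/var/ossec/wodles wazuh_wodles
/etc/filebeat filebeat_etc
/var/lib/filebeat filebeat_var
'

# Print the short volume name persisted at a container path; fail if unknown.
volume_for_path() {
  while read -r cpath vol; do
    [ -n "$cpath" ] || continue
    if [ "$cpath" = "$1" ]; then
      printf '%s\n' "$vol"
      return 0
    fi
  done <<EOF
$VOLUME_MAP
EOF
  return 1
}

# docker-compose prefixes volume names with the project name.
compose_volume_name() {
  printf '%s_%s\n' "$PROJECT" "$1"
}

# Ask Docker where the volume lives instead of assuming /var/lib/docker/volumes.
volume_mountpoint() {
  docker volume inspect --format '{{ .Mountpoint }}' "$1"
}

# docker cp needs a running container; check before touching anything.
check_container() {
  [ "$(docker inspect --format '{{ .State.Running }}' "$CONTAINER")" = "true" ]
}

# Stream one directory out of the container and unpack it into its volume.
# Run as root, tar restores the owner, group and mode recorded by docker cp;
# files that exist only in the volume (custom additions) are left untouched.
sync_path() {
  cpath="$1"
  short="$(volume_for_path "$cpath")"
  vol="$(compose_volume_name "$short")"
  dest="$(volume_mountpoint "$vol")"
  echo "syncing ${CONTAINER}:${cpath}/. -> ${dest}"
  docker cp "${CONTAINER}:${cpath}/." - | tar xf - -C "$dest"
}

sync_all() {
  check_container || { echo "container $CONTAINER is not running" >&2; return 1; }
  while read -r cpath _; do
    [ -n "$cpath" ] || continue
    sync_path "$cpath"
  done <<EOF
$VOLUME_MAP
EOF
}

# Only touch Docker when explicitly asked, so the helpers can also be sourced:
#   sudo ./sync-volumes.sh --apply
if [ "${1:-}" = "--apply" ]; then
  sync_all
fi
```

Run it with the stack up and the volume lines still commented out, then uncomment them and restart the stack as described above. Because the mapping is a single table, adding or renaming a persisted directory means editing one line rather than keeping a separate docker cp command in sync.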
Upgrade tests were carried out with the described method.
When carrying out the tests, it was noticed that when deploying the stack with the volumes unmounted, unnecessary new alerts were created from that start, so we proceeded to comment out the volume mount of the Wazuh indexer indices so that that data does not persist, and this worked fine.
- wazuh-indexer-data:/var/lib/wazuh-indexer
This will be handled as part of the 5.0.0 release changes.