-
Notifications
You must be signed in to change notification settings - Fork 332
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docker-compose.yml
doesn't contain important directives and definitions
#1106
Comments
do you have any sample of your full compose file with best practice setup? from that we can discuss either it suitable to use in production or not. |
Sure, here is my compose, based on the proposals and assumptions, listed above: version: '3.9'
services:
wazuh.manager:
image: wazuh/wazuh-manager:4.6.0
hostname: wazuh.manager
restart: unless-stopped
stop_grace_period: 30s
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 655360
hard: 655360
networks:
- wazuh_net
ports:
- "1514:1514"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
security_opt:
- seccomp:unconfined
- apparmor:unconfined
environment:
- INDEXER_URL=https://wazuh.indexer:9200
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=<password>
- FILEBEAT_SSL_VERIFICATION_MODE=full
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
- SSL_KEY=/etc/ssl/filebeat.key
- API_USERNAME=wazuh-wui
- API_PASSWORD=<password>
devices:
- "/dev/dri:/dev/dri"
volumes:
- "/etc/localtime:/etc/localtime:ro" ## use timezone from host
- "/etc/timezone:/etc/timezone:ro" ## use timezone from host
- wazuh_api_configuration:/var/ossec/api/configuration
- wazuh_etc:/var/ossec/etc
- wazuh_logs:/var/ossec/logs
- wazuh_queue:/var/ossec/queue
- wazuh_var_multigroups:/var/ossec/var/multigroups
- wazuh_integrations:/var/ossec/integrations
- wazuh_active_response:/var/ossec/active-response/bin
- wazuh_agentless:/var/ossec/agentless
- wazuh_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
- ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
- ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
wazuh.indexer:
image: wazuh/wazuh-indexer:4.6.0
hostname: wazuh.indexer
restart: unless-stopped
stop_grace_period: 30s
networks:
- wazuh_net
ports:
- "9200:9200"
security_opt:
- seccomp:unconfined
- apparmor:unconfined
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
devices:
- "/dev/dri:/dev/dri"
volumes:
- "/etc/localtime:/etc/localtime:ro" ## use timezone from host
- "/etc/timezone:/etc/timezone:ro" ## use timezone from host
- wazuh-indexer-data:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
- ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
- ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
- ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
- ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
wazuh.dashboard:
image: wazuh/wazuh-dashboard:4.6.0
hostname: wazuh.dashboard
restart: unless-stopped
stop_grace_period: 10s
networks:
- wazuh_net
ports:
- "8443:5601"
security_opt:
- seccomp:unconfined
- apparmor:unconfined
environment:
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=<password>
- WAZUH_API_URL=https://wazuh.manager
- DASHBOARD_USERNAME=kibanaserver
- DASHBOARD_PASSWORD=<password>
- API_USERNAME=wazuh-wui
- API_PASSWORD=<password>
devices:
- "/dev/dri:/dev/dri"
volumes:
- "/etc/localtime:/etc/localtime:ro" ## use timezone from host
- "/etc/timezone:/etc/timezone:ro" ## use timezone from host
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
- ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
- ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
- wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
- wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
depends_on:
- wazuh.indexer
# condition: service_healthy
links:
- wazuh.indexer:wazuh.indexer
- wazuh.manager:wazuh.manager
networks:
wazuh_net:
enable_ipv6: true
ipam:
config:
- subnet: 172.20.0.0/16
- subnet: 2001:0DB8::/64
volumes:
wazuh_api_configuration:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: './volumes/wazuh_api_configuration'
wazuh_etc:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: './volumes/wazuh_etc'
wazuh_logs:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: './volumes/wazuh_logs'
wazuh_queue:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: './volumes/wazuh_queue'
wazuh_var_multigroups:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: './volumes/wazuh_var_multigroups'
wazuh_integrations:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: './volumes/wazuh_integrations'
wazuh_active_response:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: './volumes/wazuh_active_response'
wazuh_agentless:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: './volumes/wazuh_agentless'
wazuh_wodles:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: './volumes/wazuh_wodles'
filebeat_etc:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: './volumes/filebeat_etc'
filebeat_var:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: './volumes/filebeat_var'
wazuh-indexer-data:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: './volumes/wazuh-indexer-data'
wazuh-dashboard-config:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: './volumes/wazuh-dashboard-config'
wazuh-dashboard-custom:
driver: local
driver_opts:
type: 'none'
o: 'bind'
device: './volumes/wazuh-dashboard-custom' |
This YAML needs the next improvements (which require contribution of product experts):
|
I've just added 1 more useful proposal to the original issue and to the compose file:
|
Any updates regarding healthchecks? |
Hi Team,
I've recently deployed the product (4.6.0) using the docker-compose approach and had to make noticeable changes in the compose file, as it doesn't provide the best possible setup out of the box. Of course, we could negotiate in the comments about my next proposals, but I think that they are valuable enough to be mentioned here:
stable
tag for the latest LTS version, arelease
tag for the latest released one, and alatest
for the latest published one in your docker hub repo - this will allow those users, who want to always stay on some of the mentioned branches, follow corresponding tag in their setup configs and reduce the amount of human factor and manual work.restart: unless-stopped
would be much better thanalways
, as it works the same, except for the case when the service was stopped intentionally and shouldn't be restarted again.stop_grace_period: 30s
or some better value lets application components gracefully finish the execution before the container is stoppeddevices:
section might be useful to map some physical resources of the host (CPU, GPU, etc) and speed up the service. Of course, the application components need to utilize such hardware and work with the/dev/
directly - only in this case it would be usefulhealthcheck
defined in the compose file, not in theDockerfile
for images, so users couldn't use built-in functionality to monitor the health of the containers, and, more importantly, the dependency from the dashboard to indexer unable to ensure the application is ready, so, instead it checks only that the container is up and running.condition: service_healthy
under thewazuh.indexer
in thedepends_on:
section of the dashboard service ensures the app is ready by parsing the healthcheck results of the dependency containerOf course, the docker engine has to be configured to allow IPv6 communication by adding the next lines into the
/etc/docker/daemon.json
:Also, each service in the compose needs to have the same network connected by adding the next lines to the service definition:
volumes
section could be enhanced by specifying the path on the host, where the data is stored. It is much better than the default docker system location of all volumes because it is not hidden from the user and the user can manage where to store that files and how to backup them. The example:Of course, all mentioned paths have to exist before the 1st start of the solution.
Makefile
can be created with scripts for all typical use-cases, like volume paths creation, backup, and moreI could create a PR with such changes, but I'd like to know your point of view 1st to not do extra work, so, waiting for your replies)
The text was updated successfully, but these errors were encountered: