fix group permission on database in crowdsec docker image
parent
18ff3a3a30
commit
9250d7caa2
|
@ -16,6 +16,15 @@ if [ "$DISABLE_ONLINE_API" == "" ] && [ "$CONFIG_FILE" == "" ] ; then
|
|||
fi
|
||||
fi
|
||||
|
||||
# crowdsec sqlite database permissions
|
||||
if [ "$GID" != "" ]; then
|
||||
IS_SQLITE=$(yq eval '.db_config.type == "sqlite"' /etc/crowdsec/config.yaml)
|
||||
DB_PATH=$(yq eval '.db_config.db_path' /etc/crowdsec/config.yaml)
|
||||
if [ "$IS_SQLITE" == "true" ]; then
|
||||
chown :$GID $DB_PATH
|
||||
fi
|
||||
fi
|
||||
|
||||
## Install collections, parsers & scenarios
|
||||
cscli hub update
|
||||
cscli collections upgrade crowdsecurity/linux
|
||||
|
|
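Review bot: The added `chown :$GID $DB_PATH` expands both variables unquoted and unvalidated, so a `GID` with whitespace or glob characters, or a `db_path` containing spaces, changes what chown is applied to. If `.db_config.db_path` is absent from the config, yq presumably prints `null`, which would then be used as the path. Validate and quote before use, for example `case "$GID" in ''|*[!0-9]*) echo "GID must be numeric" >&2; exit 1;; esac` followed by `chown ":$GID" "$DB_PATH"`. The hunk changes only the group owner; whether the file's group mode bits allow the dashboard to read it is not visible here, so a comment stating the expected mode would help. The script continues outside the hunk on both sides.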
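--- a/examples/docker-compose/README.md
+++ b/examples/docker-compose/README.md
@@ -0,0 +1,37 @@
+# Docker Compose
+
+This example explains how to integrate Crowdsec in environment deployed with docker-compose. It set up multiple containers :
+
+![Schema](schema.png)
+
+This example contains multiple containers :
+* app : apache server serving index.html containing an `hello world`
+* reverse-proxy : nginx that serving this app from the host
+* crowdsec : it will read reverse-proxy logs from the shared volume
+* dashboard : we use [metabase](https://hub.docker.com/r/metabase/metabase) to display crowdsec database data.
+
+We have chosen the simplest way to collect logs (by sharing volumes between containers), if you are in production, you are probably using logging-driver to centralize logs with rsyslog or another driver, so don't forget to adapt the crowdsec docker-compose configuration to read the logs properly.
+
+**Prerequisites:** [Docker](https://docs.docker.com/engine/install/) / [Docker Compose](https://docs.docker.com/compose/install/)
+
+## Step 1: Run all services in docker-compose.yml
+
+[docker compose file](docker-compose.yml) contains the yaml configuration to deploy all the containers together by on command.
+
+Deploy the stack using : `docker-compose up -d`
+
+Then to see the status : `docker-compose ps`
+
+## Step 2: Install & Configure bouncer on host
+
+
+## Step 3: Configure dashboard
+
+The dashboard is deployed using static metabase.db ([explained here](https://docs.crowdsec.net/faq/#how-to-have-a-dashboard-without-docker)), so you have to use the defaults credentials to connect to the database, then update immediatly those credentials.
+
+Then you need to update the crowdsec database path :
+* Go to `http://localhost:3003/` and connect with defaults credentials
+* Go to `http://localhost:3003/admin/databases/2` and modify the file path `/var/lib/crowdsec/data/crowdsec.db`
+* Save changes and go back to the home, you'll see the active decisions pulled from the online API.
+
+## Step 4: Simulate an attack and check detection + prevention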
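--- a/examples/docker-compose/app/index.html
+++ b/examples/docker-compose/app/index.html
@@ -0,0 +1 @@
+Hello world !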
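--- a/examples/docker-compose/crowdsec/acquis.yaml
+++ b/examples/docker-compose/crowdsec/acquis.yaml
@@ -0,0 +1,4 @@
+filenames:
+- /var/log/nginx/example.*.log
+labels:
+type: nginx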
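--- a/examples/docker-compose/crowdsec/dashboard/Dockerfile
+++ b/examples/docker-compose/crowdsec/dashboard/Dockerfile
@@ -0,0 +1,3 @@
+FROM metabase/metabase
+
+RUN mkdir /data/ && wget https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip && unzip metabase_sqlite.zip -d /data/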
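Review bot: Both inputs of this image are unpinned and unverified. `FROM metabase/metabase` resolves to whatever `latest` is at build time, and the `RUN` line unpacks `metabase_sqlite.zip` from an S3 URL with no integrity check, so a changed or replaced archive silently becomes the dashboard's application database. Pin the base with `FROM metabase/metabase:<PINNED_TAG>` and verify the archive before unzipping with `echo "<EXPECTED_SHA256>  metabase_sqlite.zip" | sha256sum -c -`; both values are placeholders for the maintainers to fill in. Deleting the zip in the same `RUN` would also keep it out of the layer. A comment above the `RUN` should say that the unpacked database ships with default credentials that must be rotated after first login, as the README in this commit states.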
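--- a/examples/docker-compose/docker-compose.yml
+++ b/examples/docker-compose/docker-compose.yml
@@ -0,0 +1,53 @@
+version: '3'
+
+services:
+app:
+image: httpd:alpine
+restart: always
+volumes:
+- ./app/:/usr/local/apache2/htdocs/
+
+reverse-proxy:
+image: nginx:alpine
+restart: always
+ports:
+- 8000:80
+depends_on:
+- 'app'
+volumes:
+- ./reverse-proxy/nginx.conf:/etc/nginx/nginx.conf
+- logs:/var/log/nginx
+
+crowdsec:
+image: crowdsecurity/crowdsec:v1.0.7
+#build: ../..
+environment:
+COLLECTIONS: "crowdsecurity/nginx"
+GID: "${GID-1000}"
+depends_on:
+- 'reverse-proxy'
+volumes:
+- /home/hess/cs/crowdsec/docker/docker_start.sh:/docker_start.sh
+- ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
+- logs:/var/log/nginx
+- crowdsec-db:/var/lib/crowdsec/data/
+- crowdsec-config:/etc/crowdsec/
+
+dashboard:
+build: ./crowdsec/dashboard
+ports:
+- 3003:3000
+environment:
+MB_DB_FILE: /data/metabase.db
+MGID: "${GID-1000}"
+depends_on:
+- 'crowdsec'
+volumes:
+- crowdsec-db:/metabase-data/
+links:
+- crowdsec
+
+volumes:
+logs:
+crowdsec-db:
+crowdsec-config: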
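Review bot: The crowdsec service bind-mounts `/home/hess/cs/crowdsec/docker/docker_start.sh` over `/docker_start.sh`, which is an absolute path from one developer's machine. On any other host the source will be missing, and where it does exist the container's start script is replaced by whatever that host file contains. Drop that volume line and rely on the commented `build: ../..` or an image release that already contains the permission fix. Separately, `3003:3000` publishes the dashboard on every host interface while it still uses the default credentials the README mentions; `127.0.0.1:3003:3000` keeps it local until they are changed. Since crowdsec only reads the nginx logs according to `acquis.yaml`, its mount could also be `logs:/var/log/nginx:ro`.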
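--- a/examples/docker-compose/reverse-proxy/nginx.conf
+++ b/examples/docker-compose/reverse-proxy/nginx.conf
@@ -0,0 +1,24 @@
+worker_processes 1;
+
+events { worker_connections 1024; }
+
+http {
+
+sendfile on;
+
+upstream docker-app {
+server app:80;
+}
+
+access_log /var/log/nginx/example.access.log;
+error_log /var/log/nginx/example.error.log;
+
+server {
+listen 80;
+
+location / {
+proxy_pass http://docker-app;
+proxy_redirect off;
+}
+}
+}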
BIN
examples/docker-compose/schema.png
Normal file
BIN
examples/docker-compose/schema.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 46 KiB |