fix group permission on database in crowdsec docker image

2021-02-23 12:55:36 +01:00 · 2021-02-23 12:55:36 +01:00 · 9250d7caa2
parent 18ff3a3a30
commit 9250d7caa2
8 changed files with 131 additions and 0 deletions
--- a/docker/docker_start.sh
+++ b/docker/docker_start.sh
@ -16,6 +16,15 @@ if [ "$DISABLE_ONLINE_API" == "" ] && [ "$CONFIG_FILE" == "" ] ; then
    fi
 fi

+# crowdsec sqlite database permissions
+if [ "$GID" != "" ]; then
+    IS_SQLITE=$(yq eval '.db_config.type == "sqlite"' /etc/crowdsec/config.yaml)
+    DB_PATH=$(yq eval '.db_config.db_path' /etc/crowdsec/config.yaml)
+    if [ "$IS_SQLITE" == "true" ]; then
+        chown :$GID $DB_PATH
+    fi
+fi
+
 ## Install collections, parsers & scenarios
 cscli hub update
 cscli collections upgrade crowdsecurity/linux
--- a/examples/docker-compose/README.md
+++ b/examples/docker-compose/README.md
@ -0,0 +1,37 @@
+# Docker Compose
+
+This example explains how to integrate Crowdsec in environment deployed with docker-compose. It set up multiple containers :
+
+![Schema](schema.png)
+
+This example contains multiple containers :
+* app : apache server serving index.html containing an `hello world`
+* reverse-proxy : nginx that serving this app from the host
+* crowdsec : it will read reverse-proxy logs from the shared volume
+* dashboard : we use [metabase](https://hub.docker.com/r/metabase/metabase) to display crowdsec database data.
+
+We have chosen the simplest way to collect logs (by sharing volumes between containers), if you are in production, you are probably using logging-driver to centralize logs with rsyslog or another driver, so don't forget to adapt the crowdsec docker-compose configuration to read the logs properly.
+
+**Prerequisites:** [Docker](https://docs.docker.com/engine/install/) / [Docker Compose](https://docs.docker.com/compose/install/)
+
+## Step 1: Run all services in docker-compose.yml
+
+[docker compose file](docker-compose.yml) contains the yaml configuration to deploy all the containers together by on command.
+
+Deploy the stack using : `docker-compose up -d`
+
+Then to see the status : `docker-compose ps`
+
+## Step 2: Install & Configure bouncer on host
+
+
+## Step 3: Configure dashboard
+
+The dashboard is deployed using static metabase.db ([explained here](https://docs.crowdsec.net/faq/#how-to-have-a-dashboard-without-docker)), so you have to use the defaults credentials to connect to the database, then update immediatly those credentials.
+
+Then you need to update the crowdsec database path :
+* Go to `http://localhost:3003/` and connect with defaults credentials
+* Go to `http://localhost:3003/admin/databases/2` and modify the file path `/var/lib/crowdsec/data/crowdsec.db`
+* Save changes and go back to the home, you'll see the active decisions pulled from the online API.
+
+## Step 4: Simulate an attack and check detection + prevention
--- a/examples/docker-compose/app/index.html
+++ b/examples/docker-compose/app/index.html
@ -0,0 +1 @@
+Hello world !
--- a/examples/docker-compose/crowdsec/acquis.yaml
+++ b/examples/docker-compose/crowdsec/acquis.yaml
@ -0,0 +1,4 @@
+filenames:
+ - /var/log/nginx/example.*.log
+labels:
+  type: nginx
--- a/examples/docker-compose/crowdsec/dashboard/Dockerfile
+++ b/examples/docker-compose/crowdsec/dashboard/Dockerfile
@ -0,0 +1,3 @@
+FROM metabase/metabase
+
+RUN mkdir /data/ && wget https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip && unzip metabase_sqlite.zip -d /data/
--- a/examples/docker-compose/docker-compose.yml
+++ b/examples/docker-compose/docker-compose.yml
@ -0,0 +1,53 @@
+version: '3'
+
+services:
+  app:
+    image: httpd:alpine
+    restart: always
+    volumes:
+      - ./app/:/usr/local/apache2/htdocs/
+
+  reverse-proxy:
+    image: nginx:alpine
+    restart: always
+    ports:
+      - 8000:80
+    depends_on:
+      - 'app'
+    volumes:
+      - ./reverse-proxy/nginx.conf:/etc/nginx/nginx.conf
+      - logs:/var/log/nginx
+  
+  crowdsec:
+    image: crowdsecurity/crowdsec:v1.0.7
+    #build: ../..
+    environment:
+      COLLECTIONS: "crowdsecurity/nginx"
+      GID: "${GID-1000}"
+    depends_on:
+      - 'reverse-proxy'
+    volumes:
+      - /home/hess/cs/crowdsec/docker/docker_start.sh:/docker_start.sh
+      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
+      - logs:/var/log/nginx
+      - crowdsec-db:/var/lib/crowdsec/data/
+      - crowdsec-config:/etc/crowdsec/
+  
+  dashboard:
+    build: ./crowdsec/dashboard
+    ports:
+      - 3003:3000
+    environment:
+      MB_DB_FILE: /data/metabase.db
+      MGID: "${GID-1000}"
+    depends_on:
+      - 'crowdsec'
+    volumes:
+      - crowdsec-db:/metabase-data/
+    links:
+      - crowdsec
+
+volumes:
+  logs:
+  crowdsec-db:
+  crowdsec-config:
--- a/examples/docker-compose/reverse-proxy/nginx.conf
+++ b/examples/docker-compose/reverse-proxy/nginx.conf
@ -0,0 +1,24 @@
+worker_processes 1;
+  
+events { worker_connections 1024; }
+
+http {
+
+    sendfile on;
+
+    upstream docker-app {
+        server app:80;
+    }
+
+    access_log /var/log/nginx/example.access.log;
+    error_log /var/log/nginx/example.error.log;
+    
+    server {
+        listen 80;
+ 
+        location / {
+            proxy_pass         http://docker-app;
+            proxy_redirect     off;
+        }
+    }
+}
--- a/examples/docker-compose/schema.png
+++ b/examples/docker-compose/schema.png