fix group permission on database in crowdsec docker image
parent
18ff3a3a30
commit
9250d7caa2
|
@ -16,6 +16,15 @@ if [ "$DISABLE_ONLINE_API" == "" ] && [ "$CONFIG_FILE" == "" ] ; then
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# crowdsec sqlite database permissions
|
||||||
|
if [ "$GID" != "" ]; then
|
||||||
|
IS_SQLITE=$(yq eval '.db_config.type == "sqlite"' /etc/crowdsec/config.yaml)
|
||||||
|
DB_PATH=$(yq eval '.db_config.db_path' /etc/crowdsec/config.yaml)
|
||||||
|
if [ "$IS_SQLITE" == "true" ]; then
|
||||||
|
chown :$GID $DB_PATH
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
## Install collections, parsers & scenarios
|
## Install collections, parsers & scenarios
|
||||||
cscli hub update
|
cscli hub update
|
||||||
cscli collections upgrade crowdsecurity/linux
|
cscli collections upgrade crowdsecurity/linux
|
||||||
|
|
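Review bot: `chown :$GID $DB_PATH` expands both variables unquoted, and `GID` comes straight from the container environment, so a value containing whitespace or glob characters is word-split into extra `chown` arguments. Quote both and reject a non-numeric group before use: `case "$GID" in *[!0-9]*) echo "GID must be numeric" >&2; exit 1;; esac` followed by `chown ":$GID" "$DB_PATH"`. The block changes group ownership only, so whether that group can actually read the database still depends on the file mode, which nothing in this hunk sets. If SQLite runs in WAL mode, the `-wal`/`-shm` sidecar files would presumably need the same group; worth confirming. `DB_PATH` is also read when the backend is not sqlite, so the second `yq` call could move inside the inner `if`.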
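--- a/examples/docker-compose/README.md
+++ b/examples/docker-compose/README.md
@@ -0,0 +1,37 @@
+# Docker Compose
+
+This example explains how to integrate Crowdsec in environment deployed with docker-compose. It set up multiple containers :
+
+![Schema](schema.png)
+
+This example contains multiple containers :
+* app : apache server serving index.html containing an `hello world`
+* reverse-proxy : nginx that serving this app from the host
+* crowdsec : it will read reverse-proxy logs from the shared volume
+* dashboard : we use [metabase](https://hub.docker.com/r/metabase/metabase) to display crowdsec database data.
+
+We have chosen the simplest way to collect logs (by sharing volumes between containers), if you are in production, you are probably using logging-driver to centralize logs with rsyslog or another driver, so don't forget to adapt the crowdsec docker-compose configuration to read the logs properly.
+
+**Prerequisites:** [Docker](https://docs.docker.com/engine/install/) / [Docker Compose](https://docs.docker.com/compose/install/)
+
+## Step 1: Run all services in docker-compose.yml
+
+[docker compose file](docker-compose.yml) contains the yaml configuration to deploy all the containers together by on command.
+
+Deploy the stack using : `docker-compose up -d`
+
+Then to see the status : `docker-compose ps`
+
+## Step 2: Install & Configure bouncer on host
+
+
+## Step 3: Configure dashboard
+
+The dashboard is deployed using static metabase.db ([explained here](https://docs.crowdsec.net/faq/#how-to-have-a-dashboard-without-docker)), so you have to use the defaults credentials to connect to the database, then update immediatly those credentials.
+
+Then you need to update the crowdsec database path :
+* Go to `http://localhost:3003/` and connect with defaults credentials
+* Go to `http://localhost:3003/admin/databases/2` and modify the file path `/var/lib/crowdsec/data/crowdsec.db`
+* Save changes and go back to the home, you'll see the active decisions pulled from the online API.
+
+## Step 4: Simulate an attack and check detection + prevention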
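--- a/examples/docker-compose/app/index.html
+++ b/examples/docker-compose/app/index.html
@@ -0,0 +1 @@
+Hello world !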
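--- a/examples/docker-compose/crowdsec/acquis.yaml
+++ b/examples/docker-compose/crowdsec/acquis.yaml
@@ -0,0 +1,4 @@
+filenames:
+- /var/log/nginx/example.*.log
+labels:
+type: nginx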
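--- a/examples/docker-compose/crowdsec/dashboard/Dockerfile
+++ b/examples/docker-compose/crowdsec/dashboard/Dockerfile
@@ -0,0 +1,3 @@
+FROM metabase/metabase
+
+RUN mkdir /data/ && wget https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip && unzip metabase_sqlite.zip -d /data/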
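Review bot: The `RUN` line downloads `metabase_sqlite.zip` and unpacks it into `/data/` without verifying it, and per the README that archive is the pre-built Metabase database carrying the default login, so whoever can change the S3 object controls the dashboard's accounts and settings. Pin the expected digest and fail the build on mismatch by adding `echo "<SHA256_OF_ARCHIVE>  metabase_sqlite.zip" | sha256sum -c -` between the `wget` and the `unzip` (the digest is a placeholder to fill in). `FROM metabase/metabase` is also untagged, so the build follows `latest`; pin a release tag or an image digest. The zip stays in the layer after extraction, so append `&& rm metabase_sqlite.zip` to the same `RUN`.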
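--- a/examples/docker-compose/docker-compose.yml
+++ b/examples/docker-compose/docker-compose.yml
@@ -0,0 +1,53 @@
+version: '3'
+
+services:
+app:
+image: httpd:alpine
+restart: always
+volumes:
+- ./app/:/usr/local/apache2/htdocs/
+
+reverse-proxy:
+image: nginx:alpine
+restart: always
+ports:
+- 8000:80
+depends_on:
+- 'app'
+volumes:
+- ./reverse-proxy/nginx.conf:/etc/nginx/nginx.conf
+- logs:/var/log/nginx
+
+crowdsec:
+image: crowdsecurity/crowdsec:v1.0.7
+#build: ../..
+environment:
+COLLECTIONS: "crowdsecurity/nginx"
+GID: "${GID-1000}"
+depends_on:
+- 'reverse-proxy'
+volumes:
+- /home/hess/cs/crowdsec/docker/docker_start.sh:/docker_start.sh
+- ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
+- logs:/var/log/nginx
+- crowdsec-db:/var/lib/crowdsec/data/
+- crowdsec-config:/etc/crowdsec/
+
+dashboard:
+build: ./crowdsec/dashboard
+ports:
+- 3003:3000
+environment:
+MB_DB_FILE: /data/metabase.db
+MGID: "${GID-1000}"
+depends_on:
+- 'crowdsec'
+volumes:
+- crowdsec-db:/metabase-data/
+links:
+- crowdsec
+
+volumes:
+logs:
+crowdsec-db:
+crowdsec-config: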
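Review bot: The first `crowdsec` volume, `/home/hess/cs/crowdsec/docker/docker_start.sh:/docker_start.sh`, is an absolute path on the author's machine. On any other host it will not exist, and where it does exist it replaces the image's startup script with a writable host file. If the override is still needed for `v1.0.7`, use a repo-relative, read-only mount such as `../../docker/docker_start.sh:/docker_start.sh:ro` (path inferred from the commented `#build: ../..`, to be confirmed); otherwise drop the line. The dashboard is published as `3003:3000` on every host interface while the README has users log in with default credentials, so `"127.0.0.1:3003:3000"` would keep it local until those are changed. The `logs` volume is only read by crowdsec according to the README, so `logs:/var/log/nginx:ro` on that service would limit what a compromised parser container can do to the proxy logs.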
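--- a/examples/docker-compose/reverse-proxy/nginx.conf
+++ b/examples/docker-compose/reverse-proxy/nginx.conf
@@ -0,0 +1,24 @@
+worker_processes 1;
+
+events { worker_connections 1024; }
+
+http {
+
+sendfile on;
+
+upstream docker-app {
+server app:80;
+}
+
+access_log /var/log/nginx/example.access.log;
+error_log /var/log/nginx/example.error.log;
+
+server {
+listen 80;
+
+location / {
+proxy_pass http://docker-app;
+proxy_redirect off;
+}
+}
+}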
BIN
examples/docker-compose/schema.png
Normal file
BIN
examples/docker-compose/schema.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 46 KiB |