Management > Configuration (changes not persisting between Docker host reboots)


Charles Havilland

Jun 10, 2024, 3:47:39 AM
to Wazuh | Mailing List
Hi

-- Forgive me if this is a stupid newbie question, but I have googled and searched github for help and tried the guide at https://documentation.wazuh.com/current/deployment-options/docker/container-usage.html#wazuh-service-data-volumes.

So I created a yaml file:
Screenshot from 2024-06-06 18-40-24.png

Then tried running it:
Screenshot from 2024-06-06 18-39-50.png
(Wazuh guides assume I have a good grounding in Wazuh or Docker compose already)

Problem:
Changes I make to Wazuh configuration (via GUI) are not persisting after Docker host reboot.

Example:
Screenshot from 2024-06-06 18-15-02.png

I have Wazuh (single-node) installed in Docker (using the Wazuh Docker install guide: https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html#wazuh-docker-deployment) and have the following persistent volumes:

Screenshot from 2024-06-06 18-27-31.png

All Wazuh logs and login details persist fine, but never the numerous edits I make to the configuration via the GUI. I would like vulnerability scanning enabled and I also add things like Slack alerting.

Any advice greatly appreciated! Thanks

Antonio David Gutiérrez

Jun 10, 2024, 7:37:44 AM
to Wazuh | Mailing List
Assuming you are using the latest version available at the moment (`v4.7.5`) deployed through the `wazuh-docker` repository: https://github.com/wazuh/wazuh-docker, the configuration of the vulnerability scanning and the Slack integration is done in the Wazuh server (`wazuh.manager` Docker service defined in the `docker-compose.yml`) in the `/var/ossec/etc/ossec.conf` file. This file is persisted through the `wazuh_etc` named volume https://github.com/wazuh/wazuh-docker/blob/v4.7.5/single-node/docker-compose.yml#L33, which affects the `/var/ossec/etc` directory. Changing the configuration of the Wazuh server through the Wazuh dashboard causes the `/var/ossec/etc/ossec.conf` file to be modified.

I tested with `v4.7.5` tag of `wazuh-docker` repository and I could replicate the problem https://github.com/wazuh/wazuh-docker/tree/v4.7.5/single-node

When the container of the `wazuh.manager` is started, there is a mechanism to copy the files on `/wazuh-config-mount` of the container to the installation directory of the Wazuh server `/var/ossec`. In the `docker-compose.yml` of the single-node deployment, there is a volume that mounts a host file into the container: https://github.com/wazuh/wazuh-docker/blob/v4.7.5/single-node/docker-compose.yml#L46. Because of this mount, when the container starts, the `/wazuh-config-mount/etc/ossec.conf` in the container is copied to the installation path `/var/ossec/etc/ossec.conf`, replacing the previous content and losing any previous modification.

If the docker-compose.yml file has a file mounted on `/wazuh-config-mount/etc/ossec.conf`, then with this configuration the edits to the Wazuh server configuration made through the Wazuh dashboard will be lost if the container is restarted, because it copies a file that does not have the changes applied from the UI.

So, if you want to persist the configuration of `/var/ossec/etc/ossec.conf` when restarting the Wazuh server container, you have these options:

- If you want to use the container feature to copy the files located on `/wazuh-config-mount` to the installation directory:
volumes:
  - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf

then you should apply the edits to the file located at `config/wazuh_cluster/wazuh_manager.conf` on the host. After the changes, you should restart the Wazuh server container for them to take effect.

- If you do not want to use the container feature to copy files located on `/wazuh-config-mount` to the installation directory, then you could remove this volume from the wazuh.manager service:
  - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
Then restart the Wazuh server container and ensure the volume is not mounted. Removing this volume, and taking into account that the wazuh_etc named volume is mounted into `/var/ossec/etc`, should persist the data of the `/var/ossec/etc/ossec.conf` file.

Antonio David Gutiérrez

Jun 10, 2024, 8:00:15 AM
to Wazuh | Mailing List
If you remove the volume
  - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
you may need to destroy the container of the Wazuh server at least.

You can destroy all the containers with:
docker-compose down

And create them with:
docker-compose up -d
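Added example (not part of the thread and not code from the wazuh-docker project): a Python check that reads one service's volume entries from a compose file and reports each bind mount under `/wazuh-config-mount`, the `/var/ossec` file it replaces at container start, and the named volume whose persisted copy is lost. The function names and the inline compose sample are constructed for illustration, and the reader assumes short-form `source:target` volume entries.

```python
import posixpath
CONFIG_MOUNT = "/wazuh-config-mount"  # staging directory copied at container start
INSTALL_DIR = "/var/ossec"            # Wazuh server installation directory

# Constructed sample modelled on the single-node compose file discussed above.
SAMPLE_COMPOSE = """\
services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.7.5
    volumes:
      - wazuh_etc:/var/ossec/etc
      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
volumes:
  wazuh_etc:
"""

def parse_short_volumes(compose_text, service):
    """Return (source, target) pairs for one service's `- src:dst[:mode]` entries."""
    pairs, svc_indent, in_volumes = [], None, False
    for raw in compose_text.splitlines():
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if svc_indent is None:               # still looking for the service key
            svc_indent = indent if text == f"{service}:" else None
        elif indent <= svc_indent:           # left the service block
            break
        elif in_volumes and text.startswith("- "):
            if len(parts := text[2:].strip("'\" ").split(":")) >= 2:
                pairs.append((parts[0], parts[1]))
        else:
            in_volumes = text == "volumes:"
    return pairs

def find_overwrites(pairs):
    """List files under INSTALL_DIR that a CONFIG_MOUNT bind mount replaces at start."""
    # A source that is not a host path (".", "/", "~") is treated as a named volume.
    named = {d.rstrip("/"): s for s, d in pairs if not s.startswith((".", "/", "~"))}
    findings = []
    for src, dst in pairs:
        if dst.startswith(CONFIG_MOUNT + "/"):
            target = parent = INSTALL_DIR + dst[len(CONFIG_MOUNT):]
            while parent != "/" and parent not in named:   # walk up to a named volume
                parent = posixpath.dirname(parent)
            findings.append({"host_file": src, "overwrites": target, "volume": named.get(parent)})
    return findings

if __name__ == "__main__":
    print(find_overwrites(parse_short_volumes(SAMPLE_COMPOSE, "wazuh.manager")))
```

An empty result for the `wazuh.manager` service corresponds to the second option in the reply, where only the `wazuh_etc` volume holds `ossec.conf`.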