using read_only_root_filesystem

[Paul Charran]

I have set the read_only_root_filesystem: True. This, of course, is causing havoc with logs and other files that Wazuh needs to write to. I have found help on the internet recommending mounting rw (Read/Write) directories for Wazuh to use. The problem is if I use the actual directory names as volumes in my properties.yaml, the directory is empty. It can be written to but the other files that were there have been deleted. 

I am proposing creating volumes with alternate names. My question is how to I re-route files like logs and conf files to these volumes? Do I need to hard code in the new rw volumes or is there some other method I am missing?

[Jorge Ardila]

Hi Paul.

I'm currently consulting with our internal team to ensure we provide you with the most accurate and appropriate solution for your scenario. I will get back to you as soon as I have an update.  

Thanks

[Jorge Ardila]

Hi Paul.

Regarding to your question and after investigate about it, using alternate directory names to move Wazuh files is not recommended. Wazuh paths are used internally, and changing them could break functionality or upgrades. 

Mounting a volume over an existing directory (like /var/ossec/logs) hides the original files. They are not deleted, just masked, so the directory looks empty but is writable. 

The best approach is to keep the default structure and mount only the subdirectories that need write access.   

Best regards.

[Paul Charran]

Jorge,

   Thank you for looking into this. I didn't know that Mounting a new volume only hid the original. Is there a way to preserve the original files / directory structure. Maybe copy/paste with a service? If I can find the original that is.

Sincerely,

  Paul

[Jorge Ardila]

Hi Paul.

Could you share the pod configuration you are using to replicate the scenario you are trying to deploy, either here or privately?

Thanks!