Change folder for persisting data leads to folder permission errors

Dear community,

I have a container with a behaviour that I don’t understand. I am trying to run Wazuh 4.8.0 in a Docker container. (Wazuh is a security tool that I want to test)

If I take the official documentation with the official compose.yml, everything works as expected.
This yml defines some folders for persisting data, but I want to change the paths. I need all persisting data in a certain folder tree, which makes my backup strategy easier.

If I change the location of the folders, the folder permissions get changed and the tool does not work. I would like to understand why this is so and how I can correct this.

Some details
In the original docker-compose.yml, there is this: (-> relative paths)

    ...
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
    ...

volumes:
  ...
  wazuh-indexer-data:
  ...

complete official wazuh yml
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.7'

services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.8.0
    hostname: wazuh.manager
    restart: always
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 655360
        hard: 655360
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - INDEXER_URL=https://wazuh.indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - wazuh_api_configuration:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
      - wazuh_var_multigroups:/var/ossec/var/multigroups
      - wazuh_integrations:/var/ossec/integrations
      - wazuh_active_response:/var/ossec/active-response/bin
      - wazuh_agentless:/var/ossec/agentless
      - wazuh_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf

  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.8.0
    hostname: wazuh.indexer
    restart: always
    ports:
      - "9200:9200"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
      - ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
      - ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml

  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.8.0
    hostname: wazuh.dashboard
    restart: always
    ports:
      - 443:5601
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - WAZUH_API_URL=https://wazuh.manager
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=kibanaserver
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
      - wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
      - wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
    depends_on:
      - wazuh.indexer
    links:
      - wazuh.indexer:wazuh.indexer
      - wazuh.manager:wazuh.manager

volumes:
  wazuh_api_configuration:
  wazuh_etc:
  wazuh_logs:
  wazuh_queue:
  wazuh_var_multigroups:
  wazuh_integrations:
  wazuh_active_response:
  wazuh_agentless:
  wazuh_wodles:
  filebeat_etc:
  filebeat_var:
  wazuh-indexer-data:
  wazuh-dashboard-config:
  wazuh-dashboard-custom:

The only thing I have changed: I made the paths explicit.

    ...
    volumes:
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/indexer/wazuh-indexer-data:/var/lib/wazuh-indexer
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
    ...

volumes:
  [removed this part of the yml - is it necessary?]

my adapted complete version of the yml
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
version: '3.8'
name: Wazuh

services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.8.0
    container_name: manager
    hostname: wazuh.manager
    user: "1000:1000"
    restart: always
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 655360
        hard: 655360
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - INDEXER_URL=https://wazuh.indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/manager/wazuh_api_configuration:/var/ossec/api/configuration
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/manager/wazuh_etc:/var/ossec/etc
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/manager/wazuh_logs:/var/ossec/logs
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/manager/wazuh_queue:/var/ossec/queue
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/manager/wazuh_var_multigroups:/var/ossec/var/multigroups
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/manager/wazuh_integrations:/var/ossec/integrations
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/manager/wazuh_active_response:/var/ossec/active-response/bin
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/manager/wazuh_agentless:/var/ossec/agentless
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/manager/wazuh_wodles:/var/ossec/wodles
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/manager/filebeat_etc:/etc/filebeat
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/manager/filebeat_var:/var/lib/filebeat
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf



  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.8.0
    container_name: indexer
    hostname: wazuh.indexer
    user: "1000:1000"
    restart: always
    ports:
      - "9200:9200"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/indexer/wazuh-indexer-data:/var/lib/wazuh-indexer
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml



  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.8.0
    container_name: dashboard
    hostname: wazuh.dashboard
    user: "1000:1000"
    restart: always
    ports:
      - 443:5601
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - WAZUH_API_URL=https://wazuh.manager
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=kibanaserver
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
    volumes:
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/dashboard/wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/dashboard/wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
    depends_on:
      - wazuh.indexer
    links:
      - wazuh.indexer:wazuh.indexer
      - wazuh.manager:wazuh.manager

I stopped the containers, changed the folder permissions and then rebooted the containers, but that did not help. It seems that the initial start of the containers does some copying of data, which is only done once.

Any insights are very welcome.

Chris

When you learn about something new, the best thing you can do is search for keywords in the documentation

You replaced a volume with a bind mount

It was until you replaced the volume with the bind mount. If you did what you did for easier backups, you can restore the original volume definition and extend the top-level volume definition (the one you removed) with additional parameters to have a custom source path for the volume. I wrote about that here:

https://dev.to/rimelek/everything-about-docker-volumes-1ib0#avoid-accidental-data-loss-on-volumes

I recommend reading the previous sections as well to understand why that works.
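The point of the answer above is that a named volume pinned to a host directory keeps the behaviour of a volume (Docker copies the image's files into it, with their ownership, the first time a container mounts it while it is empty), whereas a plain bind mount is never populated and any missing host path is simply created as an empty root-owned directory. The following helper is an added example, not code from the thread or from the linked article: it classifies service-level mount entries the way Compose does, renders the `driver: local` / `o: bind` definitions for a list of volumes, and pre-checks that every device directory exists, because the local driver, unlike a bind mount, refuses to mount a path that is not there. The volume names are the ones from the thread; the `/srv/wazuh` host directory and all function names are assumptions for illustration only.

```python
"""Render and pre-check Compose volume definitions that pin a named volume
to a host directory via the local driver's bind option (added example)."""
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class VolumeSpec:
    """A named volume whose storage lives at a host directory of our choosing."""
    name: str
    host_dir: str  # must be an absolute path that already exists on the host


def classify_mount(entry: str) -> str:
    """Classify a service-level short-syntax `volumes:` entry.

    Compose treats a source starting with '/', './', '../' or '~' as a bind
    mount; any other source is a reference to a top-level named volume. An
    entry with only a container path is an anonymous volume."""
    source, sep, _container_path = entry.partition(":")
    if not sep:
        return "anonymous"
    if source.startswith(("/", "./", "../", "~")):
        return "bind"
    return "named"


def render_volumes_section(specs: Iterable[VolumeSpec]) -> str:
    """Emit the top-level `volumes:` block, one driver_opts entry per volume."""
    lines = ["volumes:"]
    for spec in specs:
        if not os.path.isabs(spec.host_dir):
            raise ValueError(f"{spec.name}: device must be absolute, got {spec.host_dir!r}")
        lines += [
            f"  {spec.name}:",
            "    driver: local",
            "    driver_opts:",
            "      type: none",  # no filesystem type: we bind an existing directory
            f"      device: {spec.host_dir}",
            "      o: bind",
        ]
    return "\n".join(lines) + "\n"


def preflight(specs: Iterable[VolumeSpec],
              is_dir: Callable[[str], bool] = os.path.isdir) -> list[str]:
    """Return one message per volume whose host directory is missing.

    A plain bind mount makes Docker create a missing host path; the local
    driver's `o: bind` does not, and the container fails to start with a
    mount error. Create the directories before `docker compose up`."""
    return [f"{s.name}: host directory {s.host_dir} does not exist"
            for s in specs if not is_dir(s.host_dir)]


# Constructed input mirroring two of the thread's volumes; /srv/wazuh is assumed.
WAZUH_SPECS = [
    VolumeSpec("wazuh-indexer-data", "/srv/wazuh/indexer/wazuh-indexer-data"),
    VolumeSpec("wazuh-dashboard-config", "/srv/wazuh/dashboard/wazuh-dashboard-config"),
]

if __name__ == "__main__":
    for problem in preflight(WAZUH_SPECS):
        print("preflight:", problem)
    print(render_volumes_section(WAZUH_SPECS), end="")
```

Running the script with the directories absent prints one preflight line per volume and then the `volumes:` block ready to paste under the service definitions; once the directories exist the preflight is silent. Backups can then tar the host directories directly, which is what the thread's final compose relies on.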

Dear @rimelek,

as always, thank you very much for your quick response. I have already seen those pages, but obviously have not (yet) understood it. I will do my homework and come back, in case I need some more help.

Chris

Dear @rimelek,

I did a quick read through the documentation. I now have a better understanding, but I am still far away from understanding the technical details and bits and pieces of it. (I wonder if I really need to? :slight_smile: )

In the past, I used bind mounts, because I wanted to see the persistent data and to be able to write a little script that shuts down a container, creates a tar-file of everything, moves it to a different folder and restarts the stack. After doing this to all the containers/stacks, the script copies all tar-files to my NAS. Restoring the containers is very easy, as I only need to copy the content into a specific folder and start the container again, and everything is up and running in no time.

So, in the volume documentation, I found a little section about backup and restore. I will probably be able to write a little script that shuts down a stack, creates the tar of the volume in a different location and starts the stack again, then does the same to the next stack.
What I am struggling with is the restore process. I am not that good with the CLI for Docker, as I usually use yml and Portainer to manage my containers.
----------------------------------
What are my takeaways?

  • Don’t touch content of volumes.
  • I don’t want to change the default location of volumes or even mount them from somewhere else.
  • I understand that volumes are easier, because the file permissions will be handled automatically. (-> what I obviously need for my Wazuh stack)
  • All the other points from the list of advantages seem not to apply to my case.
  • I need to familiarize with backup and restore of Volumes. (Have you any links to get me going?)
  • Is there a migration path to change from my existing bind mounts to volumes?

Chris

Why not? I don’t think I understand your goals. It seems to me you don’t want to choose a working solution or your goal is not what I thought.

What do you mean by migration path? If you define a volume with a custom path as I recommended, you are done. Or you can copy all files into a container with an existing volume and set all permissions manually. Of course, if you want to make an already existing system work again instead of creating a new container with new data, that is the only option, but a custom path could still work. Otherwise you need to find out what user IDs and group IDs the container requires for the data.

Is there a way to mount a volume from a defined location using a compose.yaml?

That is exactly what I shared.

Dear @rimelek,

please take my apologies. It was way after midnight, when I have read your blog page.

This is my finally working compose.yaml
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
name: wazuh

services:
  wazuh.manager:
    image: wazuh/wazuh-manager:4.8.0
    container_name: manager
    hostname: wazuh.manager
    restart: unless-stopped
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 655360
        hard: 655360
    ports:
      - "1514:1514"
      - "1515:1515"
      - "514:514/udp"
      - "55000:55000"
    environment:
      - INDEXER_URL=https://wazuh.indexer:9200
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - FILEBEAT_SSL_VERIFICATION_MODE=full
      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
      - TZ=Europe/Zurich
    volumes:
      - wazuh_api_configuration:/var/ossec/api/configuration
      - wazuh_etc:/var/ossec/etc
      - wazuh_logs:/var/ossec/logs
      - wazuh_queue:/var/ossec/queue
      - wazuh_var_multigroups:/var/ossec/var/multigroups
      - wazuh_integrations:/var/ossec/integrations
      - wazuh_active_response:/var/ossec/active-response/bin
      - wazuh_agentless:/var/ossec/agentless
      - wazuh_wodles:/var/ossec/wodles
      - filebeat_etc:/etc/filebeat
      - filebeat_var:/var/lib/filebeat
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
    networks:
      # macvlan60:
      #  ipv4_address: 192.168.60.8
      backend:
        ipv4_address: 10.10.14.2



  wazuh.indexer:
    image: wazuh/wazuh-indexer:4.8.0
    container_name: indexer
    hostname: wazuh.indexer
    restart: unless-stopped
    ports:
      - "9200:9200"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - TZ=Europe/Zurich
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
    networks:
      backend:
        ipv4_address: 10.10.14.3



  wazuh.dashboard:
    image: wazuh/wazuh-dashboard:4.8.0
    container_name: dashboard
    hostname: wazuh.dashboard
    restart: unless-stopped
    ports:
      - 443:5601
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - WAZUH_API_URL=https://wazuh.manager
      - DASHBOARD_USERNAME=kibanaserver
      - DASHBOARD_PASSWORD=kibanaserver
      - API_USERNAME=wazuh-wui
      - API_PASSWORD=MyS3cr37P450r.*-
      - TZ=Europe/Zurich
    volumes:
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
      - /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
      - wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
      - wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
    depends_on:
      wazuh.indexer:
        condition: service_started
    links:
      - wazuh.indexer:wazuh.indexer
      - wazuh.manager:wazuh.manager
    networks:
      macvlan60:
        ipv4_address: 192.168.60.9
      backend:
        ipv4_address: 10.10.14.4



# Volumes for persisting data (https://dev.to/rimelek/everything-about-docker-volumes-1ib0#custom-volume-path-overview)
volumes:
  wazuh_api_configuration:
    driver: local
    driver_opts:
      type: none
      device: /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/manager/wazuh_api_configuration
      o: bind
  wazuh_etc:
    driver: local
    driver_opts:
      type: none
      device: /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/manager/wazuh_etc
      o: bind
  wazuh_logs:
    driver: local
    driver_opts:
      type: none
      device: /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/manager/wazuh_logs
      o: bind
  wazuh_queue:
    driver: local
    driver_opts:
      type: none
      device: /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/manager/wazuh_queue
      o: bind
  wazuh_var_multigroups:
    driver: local
    driver_opts:
      type: none
      device: /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/manager/wazuh_var_multigroups
      o: bind
  wazuh_integrations:
    driver: local
    driver_opts:
      type: none
      device: /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/manager/wazuh_integrations
      o: bind
  wazuh_active_response:
    driver: local
    driver_opts:
      type: none
      device: /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/manager/wazuh_active_response
      o: bind
  wazuh_agentless:
    driver: local
    driver_opts:
      type: none
      device: /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/manager/wazuh_agentless
      o: bind
  wazuh_wodles:
    driver: local
    driver_opts:
      type: none
      device: /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/manager/wazuh_wodles
      o: bind
  filebeat_etc:
    driver: local
    driver_opts:
      type: none
      device: /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/manager/filebeat_etc
      o: bind
  filebeat_var:
    driver: local
    driver_opts:
      type: none
      device: /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/manager/filebeat_var
      o: bind
  wazuh-indexer-data:
    driver: local
    driver_opts:
      type: none
      device: /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/indexer/wazuh-indexer-data
      o: bind
  wazuh-dashboard-config:
    driver: local
    driver_opts:
      type: none
      device: /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/dashboard/wazuh-dashboard-config
      o: bind
  wazuh-dashboard-custom:
    driver: local
    driver_opts:
      type: none
      device: /home/uadmin/Docker/Wazuh/wazuh-docker/single-node/config/dashboard/wazuh-dashboard-custom
      o: bind


# Network specifications
networks:
  macvlan60:
    external: true
  backend:
    internal: true
    ipam:
      driver: default
      config:
        - subnet: "10.10.14.0/24"

  • It utilises the Docker volume, combined with the mount option, so that I don’t have to change my backup strategy.
  • I was able to define my own network settings.
    – the containers talk to each other via an internal docker network
    – the dashboard container is accessible via its own IP-address
  • I added a name, so that the Docker stack is not named after the folder, the compose.yaml is sitting in.

Please allow me a follow up question:
For the dashboard-container, there is a port mapping 443:5601. I expect to reach that container via https://192.168.60.9/. But that leads to a timeout. If I try https://192.168.60.9:5601/ I can reach the web interface. Isn’t 443 the public-facing port?

Chris

It is, but the IP address has to be the IP of the host. If port 5601 worked, that means you used the container IP. On macvlan, the IP is still the IP of the container and you don’t need port mapping.