Charon/docs/plans/current_spec.md

Fix CrowdSec Persistence & Offline Status

Goal Description

The CrowdSec Security Engine is reported as "Offline" on the dashboard. This is caused by the lack of data persistence in the Docker container. The docker-entrypoint.sh and Dockerfile currently configure CrowdSec to use ephemeral paths (/etc/crowdsec and /var/lib/crowdsec/data) which are not linked to the persistent volume /app/data/crowdsec. Consequently, every container restart generates a new Machine ID and loses enrollment credentials, causing the dashboard to see the old instance as offline.

User Review Required

Important

  • Re-Enrollment Required: After this fix is applied, the user will need to re-enroll their instance once. The new identity will persist across future restarts.
  • Mode Configuration: The user must ensure CERBERUS_SECURITY_CROWDSEC_MODE is set to local in their environment or docker-compose.yml.

Proposed Changes

Docker & Scripts

[MODIFY] docker-entrypoint.sh

  • Update CrowdSec initialization logic to map runtime directories to persistence:
    • Check for /app/data/crowdsec/config and /app/data/crowdsec/data.
    • If missing, populate from /etc/crowdsec (defaults).
    • Use symbolic links or environment variables (DATA) to point to /app/data/crowdsec/....
    • Ensure cscli commands operate on the persistent configuration.
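As an added example (not Charon's docker-entrypoint.sh), a POSIX sh sketch of the mapping described above: seed /app/data/crowdsec from the image defaults on first start, then replace the ephemeral /etc/crowdsec and /var/lib/crowdsec/data with symlinks into the volume. The function names and the CROWDSEC_* override variables are hypothetical; the paths are the ones this plan names.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the project's entrypoint): make the
# CrowdSec Machine ID and enrollment credentials survive container restarts by
# keeping the runtime directories as symlinks into the persistent volume.
set -eu

# persist_dir <runtime_dir> <persistent_dir>
persist_dir() {
    runtime="$1"
    persistent="$2"
    if [ -L "$runtime" ]; then
        # Already linked by an earlier start: a correct link is left alone.
        if [ "$(readlink "$runtime")" = "$persistent" ]; then
            return 0
        fi
        rm -f "$runtime"
    fi
    if [ ! -d "$persistent" ]; then
        # First start: populate the volume from the defaults shipped in the image.
        mkdir -p "$persistent"
        if [ -d "$runtime" ]; then
            cp -a "$runtime/." "$persistent/"
        fi
    fi
    # Drop the ephemeral copy so the link can take its place.
    if [ -d "$runtime" ]; then
        rm -rf "$runtime"
    fi
    mkdir -p "$(dirname "$runtime")"
    ln -s "$persistent" "$runtime"
}

# init_crowdsec_persistence <volume_root> <config_dir> <data_dir>
# Maps both CrowdSec runtime locations into the volume, so cscli and the
# engine operate on the persistent config and data without extra flags.
init_crowdsec_persistence() {
    persist_dir "$2" "$1/config"
    persist_dir "$3" "$1/data"
}

# Entrypoint wiring: only runs when the volume mount is present, so the
# functions above can also be sourced and exercised outside the container.
if [ -d "${CROWDSEC_PERSIST_ROOT:-/app/data/crowdsec}" ]; then
    init_crowdsec_persistence "${CROWDSEC_PERSIST_ROOT:-/app/data/crowdsec}" \
        "${CROWDSEC_CONFIG_DIR:-/etc/crowdsec}" \
        "${CROWDSEC_DATA_DIR:-/var/lib/crowdsec/data}"
fi
```

Because the links are re-established on every start, a recreated container (fresh image layer) and a plain restart (links already in place) both end up with the same persistent config and data.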

[MODIFY] docker-compose.yml

  • Update comments to explicitly recommend setting CERBERUS_SECURITY_CROWDSEC_MODE=local to avoid confusion.

Verification Plan

Manual Verification

  1. Persistence Test:

    • Deploy the updated container.
    • Enter container: docker exec -it charon sh.
    • Run cscli machines list and note the Machine ID.
    • Modify a file in /etc/crowdsec (e.g., touch /etc/crowdsec/test_persist).
    • Restart container: docker restart charon.
    • Enter container again.
    • Verify cscli machines list shows the SAME Machine ID.
    • Verify /etc/crowdsec/test_persist still exists.
  2. Online Enrollment Test:

    • Enroll the instance: cscli console enroll <enroll-key>.
    • Restart container.
    • Check cscli console status (if available) or verify on Dashboard that it remains "Online".

Automated Tests

  • None (requires Docker runtime test, which is manual in this context).