akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 14 Packages Projects Releases Wiki Activity
Files
e65dfa3979df9500c0d1617513a89efc8a966182
Charon/docs/plans/current_spec.md

46 lines
2.4 KiB
Markdown
Raw Blame History

# Fix CrowdSec Persistence & Offline Status
## Goal Description
The CrowdSec Security Engine is reported as "Offline" on the dashboard. This is caused by the lack of data persistence in the Docker container.
The `docker-entrypoint.sh` and `Dockerfile` currently configure CrowdSec to use ephemeral paths (`/etc/crowdsec` and `/var/lib/crowdsec/data`) which are not linked to the persistent volume `/app/data/crowdsec`.
Consequently, every container restart generates a new Machine ID and loses enrollment credentials, causing the dashboard to see the old instance as offline.
## User Review Required
> [!IMPORTANT]
> **Re-Enrollment Required**: After this fix is applied, the user will need to re-enroll their instance once. The new identity will persist across future restarts.
> **Mode Configuration**: The user must ensure `CERBERUS_SECURITY_CROWDSEC_MODE` is set to `local` in their environment or `docker-compose.yml`.
## Proposed Changes
### Docker & Scripts
#### [MODIFY] [docker-entrypoint.sh](file:///projects/Charon/docker-entrypoint.sh)
- Update CrowdSec initialization logic to map runtime directories to persistence:
- Check for `/app/data/crowdsec/config` and `/app/data/crowdsec/data`.
- If missing, populate from `/etc/crowdsec` (defaults).
- Use symbolic links or environment variables (`DATA`) to point to `/app/data/crowdsec/...`.
- Ensure `cscli` commands operate on the persistent configuration.
#### [MODIFY] [docker-compose.yml](file:///projects/Charon/docker-compose.yml)
- Update comments to explicitly recommend setting `CERBERUS_SECURITY_CROWDSEC_MODE=local` to avoid confusion.
## Verification Plan
### Manual Verification
1. **Persistence Test**:
- Deploy the updated container.
- Enter container: `docker exec -it charon sh`.
- Run `cscli machines list` and note the Machine ID.
- Modify a file in `/etc/crowdsec` (e.g., `touch /etc/crowdsec/test_persist`).
- Restart container: `docker restart charon`.
- Enter container again.
- Verify `cscli machines list` shows the **SAME** Machine ID.
- Verify `/etc/crowdsec/test_persist` still exists.
2. **Online Enrollment Test**:
- Enroll the instance: `cscli console enroll <enroll-key>`.
- Restart container.
- Check `cscli console status` (if available) or verify on Dashboard that it remains "Online".
### Automated Tests
- None (requires Docker runtime test, which is manual in this context).
Reference in New Issue View Git Blame Copy Permalink