mirror of
https://github.com/michivonah/docker.git
synced 2025-12-22 12:26:29 +01:00
add fleetdm
This commit is contained in:
parent
545e6a8418
commit
f6b66d9b3a
2 changed files with 221 additions and 0 deletions
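--- a/fleetdm/docker-compose-traefik.yml
+++ b/fleetdm/docker-compose-traefik.yml
@@ -0,0 +1,122 @@
+services:
+  mysql:
+    image: mysql
+    platform: linux/x86_64
+    environment:
+      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
+      - MYSQL_DATABASE=${MYSQL_DATABASE}
+      - MYSQL_USER=${MYSQL_USER}
+      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
+    volumes:
+      - ./mysql:/var/lib/mysql
+    cap_add:
+      - SYS_NICE
+    healthcheck:
+      test: ["CMD-SHELL", "mysqladmin ping -h 127.0.0.1 -u$$MYSQL_USER -p$$MYSQL_PASSWORD --silent || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 12
+    restart: unless-stopped
+    networks:
+      - fleet
+
+  redis:
+    image: redis
+    command: ["redis-server", "--appendonly", "yes"]
+    volumes:
+      - ./redis:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 12
+    restart: unless-stopped
+    networks:
+      - fleet
+
+  fleet-init:
+    image: alpine:latest
+    volumes:
+      - ./logs:/logs
+      - ./data:/data
+      - ./vulndb:/vulndb
+    command: sh -c "chown -R 100:101 /logs /data /vulndb"
+    networks:
+      - fleet
+
+  fleet:
+    image: fleetdm/fleet
+    platform: linux/x86_64
+    depends_on:
+      mysql:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+      fleet-init:
+        condition: service_completed_successfully
+    command: sh -c "/usr/bin/fleet prepare db --no-prompt && /usr/bin/fleet serve"
+    environment:
+      # In-cluster service addresses (no hostnames/ports on the host)
+      - FLEET_REDIS_ADDRESS=redis:6379
+      - FLEET_MYSQL_ADDRESS=mysql:3306
+      - FLEET_MYSQL_DATABASE=${MYSQL_DATABASE}
+      - FLEET_MYSQL_USERNAME=${MYSQL_USER}
+      - FLEET_MYSQL_PASSWORD=${MYSQL_PASSWORD}
+      # Fleet HTTP listener
+      - FLEET_SERVER_ADDRESS=${FLEET_SERVER_ADDRESS}:${FLEET_SERVER_PORT}
+      - FLEET_SERVER_TLS=${FLEET_SERVER_TLS}
+      # Secrets
+      - FLEET_SERVER_PRIVATE_KEY=${FLEET_SERVER_PRIVATE_KEY} # Run 'openssl rand -base64 32' to generate
+      - FLEET_LICENSE_KEY=${FLEET_LICENSE_KEY}
+      # System tuning & other options
+      - FLEET_SESSION_DURATION=${FLEET_SESSION_DURATION}
+      - FLEET_LOGGING_JSON=${FLEET_LOGGING_JSON}
+      - FLEET_OSQUERY_STATUS_LOG_PLUGIN=${FLEET_OSQUERY_STATUS_LOG_PLUGIN}
+      - FLEET_FILESYSTEM_STATUS_LOG_FILE=${FLEET_FILESYSTEM_STATUS_LOG_FILE}
+      - FLEET_FILESYSTEM_RESULT_LOG_FILE=${FLEET_FILESYSTEM_RESULT_LOG_FILE}
+      - FLEET_OSQUERY_LABEL_UPDATE_INTERVAL=${FLEET_OSQUERY_LABEL_UPDATE_INTERVAL}
+      - FLEET_VULNERABILITIES_CURRENT_INSTANCE_CHECKS=${FLEET_VULNERABILITIES_CURRENT_INSTANCE_CHECKS}
+      - FLEET_VULNERABILITIES_DATABASES_PATH=${FLEET_VULNERABILITIES_DATABASES_PATH}
+      - FLEET_VULNERABILITIES_PERIODICITY=${FLEET_VULNERABILITIES_PERIODICITY}
+      # Optional S3 info
+      - FLEET_S3_SOFTWARE_INSTALLERS_BUCKET=${FLEET_S3_SOFTWARE_INSTALLERS_BUCKET}
+      - FLEET_S3_SOFTWARE_INSTALLERS_ACCESS_KEY_ID=${FLEET_S3_SOFTWARE_INSTALLERS_ACCESS_KEY_ID}
+      - FLEET_S3_SOFTWARE_INSTALLERS_SECRET_ACCESS_KEY=${FLEET_S3_SOFTWARE_INSTALLERS_SECRET_ACCESS_KEY}
+      - FLEET_S3_SOFTWARE_INSTALLERS_FORCE_S3_PATH_STYLE=${FLEET_S3_SOFTWARE_INSTALLERS_FORCE_S3_PATH_STYLE}
+      # Override FLEET_S3_SOFTWARE_INSTALLERS_ENDPOINT_URL when using a different S3 compatible
+      # object storage backend (such as Minio) or running S3 locally with localstack.
+      # Leave this blank to use the default S3 service endpoint.
+      - FLEET_S3_SOFTWARE_INSTALLERS_ENDPOINT_URL=${FLEET_S3_SOFTWARE_INSTALLERS_ENDPOINT_URL}
+      # Minio users must set FLEET_S3_SOFTWARE_INSTALLERS_REGION to any nonempty value (eg. minio),
+      # as Minio does not support region discovery.
+      - FLEET_S3_SOFTWARE_INSTALLERS_REGION=${FLEET_S3_SOFTWARE_INSTALLERS_REGION}
+    ports:
+      - "${FLEET_SERVER_PORT}:${FLEET_SERVER_PORT}" # UI/API
+      - "8220:8220" # osquery enroll/TLS endpoint
+    volumes:
+      - ./data:/fleet
+      - ./logs:/logs
+      - ./vulndb:${FLEET_VULNERABILITIES_DATABASES_PATH}
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:${FLEET_SERVER_PORT}/healthz"]
+      interval: 10s
+      timeout: 5s
+      retries: 12
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.fleet.entrypoints=web, websecure"
+      - "traefik.http.routers.fleet.rule=Host(`example.com`)"
+      - "traefik.http.routers.fleet.tls=true"
+      - "traefik.http.routers.fleet.tls.certresolver=production"
+      - "traefik.docker.network=traefik_default"
+    networks:
+      - traefik
+      - fleet
+
+networks:
+  fleet:
+    external: false
+  traefik:
+    name: traefik_default
+    external: true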
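Review bot: The `ports:` block of the fleet service publishes `${FLEET_SERVER_PORT}` and `8220` on every host interface, so Fleet stays reachable directly next to the Traefik route that is meant to terminate TLS via `certresolver=production`; a direct connection skips Traefik and any middleware entirely, and is plaintext whenever `FLEET_SERVER_TLS` is false. Behind Traefik the `ports:` block should be dropped, or at least bound to loopback, `- "127.0.0.1:${FLEET_SERVER_PORT}:${FLEET_SERVER_PORT}"`. Nothing in this file makes Fleet listen on 8220 — `FLEET_SERVER_ADDRESS` binds only `${FLEET_SERVER_PORT}`, and Fleet serves its osquery TLS endpoints on that same listener — so `"8220:8220"` appears to publish a port with no listener behind it; the same mapping is in docker-compose.yml. If `FLEET_SERVER_TLS` is left enabled, Traefik will forward plain HTTP to a TLS listener unless the backend scheme is declared, e.g. `- "traefik.http.services.fleet.loadbalancer.server.scheme=https"`; whichever choice is made should be pinned in this file rather than left to the `.env`. The `Host(...)` rule still carries `example.com`, presumably a placeholder to be replaced before deployment.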
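--- a/fleetdm/docker-compose.yml
+++ b/fleetdm/docker-compose.yml
@@ -0,0 +1,99 @@
+services:
+  mysql:
+    image: mysql
+    platform: linux/x86_64
+    environment:
+      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
+      - MYSQL_DATABASE=${MYSQL_DATABASE}
+      - MYSQL_USER=${MYSQL_USER}
+      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
+    volumes:
+      - ./mysql:/var/lib/mysql
+    cap_add:
+      - SYS_NICE
+    healthcheck:
+      test: ["CMD-SHELL", "mysqladmin ping -h 127.0.0.1 -u$$MYSQL_USER -p$$MYSQL_PASSWORD --silent || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 12
+    restart: unless-stopped
+
+  redis:
+    image: redis
+    command: ["redis-server", "--appendonly", "yes"]
+    volumes:
+      - ./redis:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 12
+    restart: unless-stopped
+
+  fleet-init:
+    image: alpine:latest
+    volumes:
+      - ./logs:/logs
+      - ./data:/data
+      - ./vulndb:/vulndb
+    command: sh -c "chown -R 100:101 /logs /data /vulndb"
+
+  fleet:
+    image: fleetdm/fleet
+    platform: linux/x86_64
+    depends_on:
+      mysql:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+      fleet-init:
+        condition: service_completed_successfully
+    command: sh -c "/usr/bin/fleet prepare db --no-prompt && /usr/bin/fleet serve"
+    environment:
+      # In-cluster service addresses (no hostnames/ports on the host)
+      - FLEET_REDIS_ADDRESS=redis:6379
+      - FLEET_MYSQL_ADDRESS=mysql:3306
+      - FLEET_MYSQL_DATABASE=${MYSQL_DATABASE}
+      - FLEET_MYSQL_USERNAME=${MYSQL_USER}
+      - FLEET_MYSQL_PASSWORD=${MYSQL_PASSWORD}
+      # Fleet HTTP listener
+      - FLEET_SERVER_ADDRESS=${FLEET_SERVER_ADDRESS}:${FLEET_SERVER_PORT}
+      - FLEET_SERVER_TLS=${FLEET_SERVER_TLS}
+      # Secrets
+      - FLEET_SERVER_PRIVATE_KEY=${FLEET_SERVER_PRIVATE_KEY} # Run 'openssl rand -base64 32' to generate
+      - FLEET_LICENSE_KEY=${FLEET_LICENSE_KEY}
+      # System tuning & other options
+      - FLEET_SESSION_DURATION=${FLEET_SESSION_DURATION}
+      - FLEET_LOGGING_JSON=${FLEET_LOGGING_JSON}
+      - FLEET_OSQUERY_STATUS_LOG_PLUGIN=${FLEET_OSQUERY_STATUS_LOG_PLUGIN}
+      - FLEET_FILESYSTEM_STATUS_LOG_FILE=${FLEET_FILESYSTEM_STATUS_LOG_FILE}
+      - FLEET_FILESYSTEM_RESULT_LOG_FILE=${FLEET_FILESYSTEM_RESULT_LOG_FILE}
+      - FLEET_OSQUERY_LABEL_UPDATE_INTERVAL=${FLEET_OSQUERY_LABEL_UPDATE_INTERVAL}
+      - FLEET_VULNERABILITIES_CURRENT_INSTANCE_CHECKS=${FLEET_VULNERABILITIES_CURRENT_INSTANCE_CHECKS}
+      - FLEET_VULNERABILITIES_DATABASES_PATH=${FLEET_VULNERABILITIES_DATABASES_PATH}
+      - FLEET_VULNERABILITIES_PERIODICITY=${FLEET_VULNERABILITIES_PERIODICITY}
+      # Optional S3 info
+      - FLEET_S3_SOFTWARE_INSTALLERS_BUCKET=${FLEET_S3_SOFTWARE_INSTALLERS_BUCKET}
+      - FLEET_S3_SOFTWARE_INSTALLERS_ACCESS_KEY_ID=${FLEET_S3_SOFTWARE_INSTALLERS_ACCESS_KEY_ID}
+      - FLEET_S3_SOFTWARE_INSTALLERS_SECRET_ACCESS_KEY=${FLEET_S3_SOFTWARE_INSTALLERS_SECRET_ACCESS_KEY}
+      - FLEET_S3_SOFTWARE_INSTALLERS_FORCE_S3_PATH_STYLE=${FLEET_S3_SOFTWARE_INSTALLERS_FORCE_S3_PATH_STYLE}
+      # Override FLEET_S3_SOFTWARE_INSTALLERS_ENDPOINT_URL when using a different S3 compatible
+      # object storage backend (such as Minio) or running S3 locally with localstack.
+      # Leave this blank to use the default S3 service endpoint.
+      - FLEET_S3_SOFTWARE_INSTALLERS_ENDPOINT_URL=${FLEET_S3_SOFTWARE_INSTALLERS_ENDPOINT_URL}
+      # Minio users must set FLEET_S3_SOFTWARE_INSTALLERS_REGION to any nonempty value (eg. minio),
+      # as Minio does not support region discovery.
+      - FLEET_S3_SOFTWARE_INSTALLERS_REGION=${FLEET_S3_SOFTWARE_INSTALLERS_REGION}
+    ports:
+      - "${FLEET_SERVER_PORT}:${FLEET_SERVER_PORT}" # UI/API
+      - "8220:8220" # osquery enroll/TLS endpoint
+    volumes:
+      - ./data:/fleet
+      - ./logs:/logs
+      - ./vulndb:${FLEET_VULNERABILITIES_DATABASES_PATH}
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:${FLEET_SERVER_PORT}/healthz"]
+      interval: 10s
+      timeout: 5s
+      retries: 12
+    restart: unless-stopped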
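Review bot: The fleet healthcheck hardcodes `http://127.0.0.1:${FLEET_SERVER_PORT}/healthz` while the listener's protocol is left to `FLEET_SERVER_TLS`; with TLS enabled the probe gets a handshake instead of a response, the container sits unhealthy indefinitely, and `restart: unless-stopped` does not help because the Docker restart policy acts on exit, not on health. Pin the decision in this file so the two agree — either `- FLEET_SERVER_TLS=false` when a TLS terminator sits in front, or keep TLS and probe it, `test: ["CMD-SHELL", "wget -qO- --no-check-certificate https://127.0.0.1:${FLEET_SERVER_PORT}/healthz"]`; the same healthcheck is in docker-compose-traefik.yml. The images `mysql`, `redis`, `fleetdm/fleet` and `alpine:latest` are all unpinned, so a routine `compose pull` can silently move the MySQL major version underneath the persistent `./mysql` volume or change Fleet's schema ahead of `fleet prepare db`; pin tags (ideally digests) in both files. With no proxy in this variant, publishing `${FLEET_SERVER_PORT}` on all interfaces is presumably intended, but `"8220:8220"` still has no listener configured anywhere in the file, since `FLEET_SERVER_ADDRESS` binds only `${FLEET_SERVER_PORT}`.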