Docker-Compose → Kubernetes System Migration¶
This guide assumes you're moving from a vanilla Docker-based deployment to a Kubernetes deployment.
No processing on either system should be occurring during this migration process
Docker System¶
Create a Docker service for backups¶
Create a backup container that has access to the datastore's API and the filestore volume.
You can modify the docker-compose.yaml of your deployment type like the following:
# Add a new service called 'backup' to facilitate backing up Assemblyline
backup:
build:
context: privilege-core-image
args:
version: ${AL_VERSION}
registry: ${REGISTRY}
cache_from:
- cccs/assemblyline-core:${AL_VERSION}
image: ${COMPOSE_PROJECT_NAME}_scaler:${AL_VERSION}
privileged: true
env_file: [".env"]
volumes:
- ${COMPOSE_ROOT}/config/config.yml:/etc/assemblyline/config.yml:ro
- backup:/mount/backup:rw # Mount backup volume
- filestore:/data # Mount filestore volume
networks: [core]
command: "sleep 9999999999d" # Start up and keep running so we can shell into the container later
volumes:
...
backup: # Add a backup volume
Backup Datastore indices¶
Shell into your backup container, open the AL CLI tool, and backup the datastore data to the mount.
Info
The following indices will be backed up:
heuristic, service, service_delta, signature, user, user_avatar, user_favorites, user_settings, workflow
python -m assemblyline.run.cli
backup /mount/backup/al_system
ls /mount/backup/
All indices will be backed up
python -c "from assemblyline.run.cli import ALCommandLineInterface
cli = ALCommandLineInterface()
for index in cli.datastore.ds.get_models().keys():
# This will backup each index as a separate directory within the mounted backup folder
cli.do_backup(f'/mount/backup/al_{index} {index} force *:*')
"
Backup Filestore directories¶
Copy al-cache and al-storage to the backup volume
cp -r /data/ /mount/backup/filestore/
Kubernetes System¶
Restoring the Datastore¶
Mount your backup using coreVolumes and coreMounts¶
Edit your values.yaml as follows and then perform a helm upgrade:
coreVolumes:
- name: assemblyline-backup
hostPath:
path: /var/lib/docker/volumes/al_backup/_data
type: Directory
coreMounts:
- name: assemblyline-backup
mountPath: /mount/backup
Restore Datastore by using the Assemblyline CLI¶
Shell into one of the core containers (ie. scaler) and perform the following:
python -m assemblyline.run.cli
restore /mount/backup/al_system
Not all systems are equal
You will only need to restore with a subset of the folders listed below as your deployment isn't guaranteed to have data in every index (ie. alerts).
Performing an ls /mount/backup will confirm what you have backed up.
python -c "from assemblyline.run.cli import ALCommandLineInterface
import os
cli = ALCommandLineInterface()
dir = '/mount/backup'
for index in os.listdir(dir):
if os.path.isdir(f'{dir}/{index}'):
cli.do_restore(f'{dir}/{index}')
"
Migrating the Filestore¶
Edit Filestore Deployment in Kubernetes¶
Edit deployment and add the following hostpath mount:
spec:
...
template:
...
spec:
containers:
- name: filestore
...
volumeMounts:
...
- mountPath: /mount/backup
name: backup
...
volumes:
...
- hostPath:
path: /var/lib/docker/volumes/al_backup/_data
type: Directory
name: backup
Merge Filestore data with existing volume¶
Shell into the filestore pod and copy the files from backup:
cp -r /mount/backup/filestore/* /export/
Once transfer is complete, you can remove the volumeMount and volume relating to the backup from the deployment.
Migrate System Configuration¶
You can copy the contents of config.yml and place them in the configuration key of your values.yaml
Some configuration values are oriented towards the Docker-Compose appliance, so change values where applicable.
Extra Configurations!¶
If you want to use custom configurations to control tag safelisting or classification, you'll need to create a ConfigMap and modify your helm deployment to make use of them.
Let's say I want to add the following custom configurations to Kubernetes:
enforce: true
match:
network.dynamic.domain:
- localhost
You'll need to create a new file, say objects.yaml, with the following:
apiVersion: v1
kind: ConfigMap
metadata:
name: assemblyline-extra-config
data:
tag_safelist: |
match:
network.dynamic.domain:
- localhost
classification: |
enforce: true
kubectl apply -f objects.yaml -n <al_namespace>
Once the new ConfigMap has been created in your Kubernetes namespace, you can modify your values.yaml as follows:
coreEnv:
- name: CLASSIFICATION_CONFIGMAP
value: assemblyline-extra-config
- name: CLASSIFICATION_CONFIGMAP_KEY
value: classification
coreMounts:
- name: al-extra-config
mountPath: /etc/assemblyline/tag_whitelist.yml
subPath: tag_safelist
readOnly: true
- name: al-extra-config
mountPath: /etc/assemblyline/classification.yml
subPath: classification
readOnly: true
coreVolumes:
- name: al-extra-config
configMap:
name: assemblyline-extra-config
helm upgrade to apply the configurations.