FIX: Prevent repeated creation of unused Docker volumes #9941
Comments
It looks like so-zeek has been updated in 2.3.230, but the problem still exists in other docker images.

The problem: Between kratos, soc, and (all 3) redis containers, there are five unused docker volumes created at every call to highstate. That's 20/hour, 480/day, or 14,400/month!

The solution: If you're using the generic redis:6-alpine docker image as I believe you are, you'll need to bind-mount a directory from the host to override the volume-mount for each of the images that use it as a base, including so-redis, so-strelka-gatekeeper and so-strelka-coordinator. That or build a custom redis image without it or actually use a persistent named docker volume in each.

How to debug:
How to verify:
Dev Tip:

mentioned in #11072
Thank you, @jertel, for fixing the soc and kratos images. I think a couple more file edits are needed. The stock redis:6-alpine image used by so-redis also has a VOLUME specified at https://github.com/docker-library/redis/blob/f2da8752a05b783eb805b67ad7a56a997a0fe91f/6.2/alpine/Dockerfile#L95, so this container:
securityonion/salt/strelka/init.sls, line 199 in 3e5f354
this container:
securityonion/salt/strelka/init.sls, line 212 in 3e5f354
and this container:
securityonion/salt/redis/init.sls, line 57 in 3e5f354
will also need a bind entry to mount /data to some directory on the host in order to keep these containers from creating a docker volume on each instantiation.
Running 'docker volume ls' on a node that has been running for some time shows many abandoned volumes, such as those created by the so-zeek container. I believe this is due to the Dockerfile VOLUME directive at https://github.com/Security-Onion-Solutions/securityonion-image/blob/70e29245f8b923fd03164ae3b0b80efa4eaff8fd/so-zeek/Dockerfile#L84. Run 'docker inspect so-zeek | grep -C2 _data' to see so-zeek's active volumes.
Of the local volumes listed there, "/nsm/zeek/logs" and "/nsm/zeek/spool" are bind-mounted from the host so their entry here has no effect, "/opt/zeek/share/bro" is not used (files are bound into /opt/zeek/share/zeek instead), and "/opt/zeek/etc/" contains some bound files but they can be bound into the ephemeral container instead of a local volume. If I understand it, you wouldn't need a volume directive in that dockerfile at all.
The so-strelka-gatekeeper, so-strelka-coordinator, and so-sensoroni containers also appear to create unused docker volumes on each run. so-redis stores its dumpfile in a local volume, but doesn't appear to reuse it on its next run. so-kratos (/kratos-conf volume) binds some host files into the volume, but doesn't use it otherwise.
These abandoned docker volumes are not removed and accumulate over time, cluttering the volume list and taking up hundreds of MB on the root volume after a few months. Run 'sudo du -hs /var/lib/docker/volumes' to see how much space is used.
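The check the report describes ('docker inspect ... | grep _data' to spot volume mounts, then deciding which of them need a host bind so that Docker stops minting a fresh anonymous volume on every highstate) can be scripted. The following is an added example, not Security Onion code and not something from this thread: it parses `docker inspect` JSON, reports only anonymous volumes (the 64-hex-id kind that an image's VOLUME directive creates when nothing is mounted over that path), ignores bind mounts and named volumes because those never leave orphans behind, and derives a `host:container:rw` bind spec for each one. The inspect output embedded below is constructed to mirror the so-redis and so-zeek cases above (volume ids, image tags and the `/opt/so/conf` host root are made up); on a real node you would feed it `docker inspect so-redis so-zeek` instead.

```python
"""Added example: find anonymous Docker volumes behind a container's mounts
and suggest host bind mounts that would stop them being recreated.
Not Security Onion code; container names, ids and paths are constructed."""
import json
import re

# Docker names anonymous volumes with a bare 64-character hex id; named
# volumes (e.g. "so-example-data") and bind mounts never match this.
ANON_VOLUME_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed stand-in for `docker inspect so-redis so-zeek so-example-named`
# output, trimmed to the fields this check reads. Volume ids are made up.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/so-redis",
        "Config": {"Image": "redis:6-alpine"},
        "Mounts": [
            # Nothing bound over /data, so the image's VOLUME directive
            # produces a new anonymous volume on every run.
            {"Type": "volume", "Name": "3f1c" + "0" * 60,
             "Source": "/var/lib/docker/volumes/3f1c" + "0" * 60 + "/_data",
             "Destination": "/data", "RW": True},
            {"Type": "bind", "Source": "/opt/so/conf/redis/etc/redis.conf",
             "Destination": "/usr/local/etc/redis/redis.conf", "RW": False},
        ],
    },
    {
        "Name": "/so-zeek",
        "Config": {"Image": "so-zeek:example"},
        "Mounts": [
            # Bind-mounted from the host: the VOLUME entry for this path is moot.
            {"Type": "bind", "Source": "/nsm/zeek/logs",
             "Destination": "/nsm/zeek/logs", "RW": True},
            # Not bound and not used by the container, yet recreated each run.
            {"Type": "volume", "Name": "9a8b" + "1" * 60,
             "Source": "/var/lib/docker/volumes/9a8b" + "1" * 60 + "/_data",
             "Destination": "/opt/zeek/share/bro", "RW": True},
        ],
    },
    {
        "Name": "/so-example-named",
        "Config": {"Image": "example:latest"},
        "Mounts": [
            # A named volume is reused across runs, so it is not reported.
            {"Type": "volume", "Name": "so-example-data",
             "Source": "/var/lib/docker/volumes/so-example-data/_data",
             "Destination": "/data", "RW": True},
        ],
    },
])


def anonymous_volumes(inspect_json):
    """Return (container, destination, volume_id) for every mount that is an
    anonymous volume. Bind mounts, tmpfs and named volumes are skipped."""
    found = []
    for container in json.loads(inspect_json):
        cname = container["Name"].lstrip("/")  # inspect prefixes names with "/"
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "volume":
                continue
            if ANON_VOLUME_RE.match(mount.get("Name", "")):
                found.append((cname, mount["Destination"], mount["Name"]))
    return found


def suggested_binds(inspect_json, host_root="/opt/so/conf"):
    """For each anonymous volume, build the bind spec (host:dest:mode) that
    would override the image's VOLUME directive. host_root is a hypothetical
    base directory, not a Security Onion path; choose one for the deployment."""
    binds = {}
    for cname, dest, _vol in anonymous_volumes(inspect_json):
        host_dir = f"{host_root}/{cname}{dest}"  # dest already starts with "/"
        binds.setdefault(cname, []).append(f"{host_dir}:{dest}:rw")
    return binds


if __name__ == "__main__":
    for cname, dest, vol in anonymous_volumes(SAMPLE_INSPECT):
        print(f"{cname}: anonymous volume {vol[:12]}... mounted at {dest}")
    for cname, specs in suggested_binds(SAMPLE_INSPECT).items():
        print(f"{cname} needs binds: {specs}")
```

The bind specs it emits are the shape a Docker `-v` argument or a Salt `docker_container.running` `binds:` entry takes; the point of the script is the classification, which is also why it reports nothing for a named volume: a named volume is the other acceptable fix mentioned in the thread, since Docker reuses it instead of creating a new one. To see what has already piled up on a node, `docker volume ls -f dangling=true` lists volumes no container references.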