
Configuration files could be segregated better to reduce the number of changes between versions and to separate out OpenCTI configuration from the data storage configuration #376

Open
Roland-Rosier opened this issue Mar 10, 2025 · 1 comment

Comments

@Roland-Rosier

As per the description:

  • There is no separation between the configuration for the data storage and the OpenCTI configuration.
  • The version numbers of the OpenCTI images have to be edited in multiple places; in the image definition for each image.
  • With all the image definitions changing anyway, it is more difficult to see if non-version-related changes to the docker-compose file have happened.
  • The version number can't currently be interpolated because it needs to be in a globally-included .env file for it to be interpolated in the image definition lines.
  • The version number can't be put into the current .env file because that file can't be committed because it contains secrets.
  • The version number can't be put into another global .env file because that would mean changing the command used to call docker compose.
  • If the docker compose file is edited to add multiple additional connector descriptions, this lack of separation, encapsulation and interpolation makes the docker compose file rapidly become hard to manage.

A solution would be to "include" a top-level include block, which puts all the opencti configuration into another file and also includes a second environment file, e.g.:

include:
  - path: docker-compose-opencti.yml
    env_file:
      - ./.env
      - ./.global.env
services:
  redis:
    image: redis:7.4.2
    ...
  (OpenCTI service definitions removed)
   ...
volumes:
  esdata:
  s3data:
  redisdata:
  amqpdata:

with a .global.env containing

OPENCTI_VER=6.5.5

and docker-compose-opencti.yml containing

services:
  opencti:
    image: opencti/platform:${OPENCTI_VER:?error}
    ...
  worker:
    image: opencti/worker:${OPENCTI_VER:?error}
    ...
  connector-export-file-stix:
    image: opencti/connector-export-file-stix:${OPENCTI_VER:?error}
    ...
  connector-export-file-csv:
    image: opencti/connector-export-file-csv:${OPENCTI_VER:?error}
    ...
  connector-export-file-txt:
    image: opencti/connector-export-file-txt:${OPENCTI_VER:?error}
    ...
  connector-import-file-stix:
    image: opencti/connector-import-file-stix:${OPENCTI_VER:?error}
    ...
  connector-import-document:
    image: opencti/connector-import-document:${OPENCTI_VER:?error}
    ...
  connector-analysis:
    # fixed: the original listed the import-document image here by mistake
    image: opencti/connector-analysis:${OPENCTI_VER:?error}
    ...

In this way, OPENCTI_VER is interpolated and, when OpenCTI is updated to a new version, the only edit needed is to the value in .global.env.
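The include/env_file layout above relies on two Compose behaviours: the files listed under `env_file` are loaded in order, and `${OPENCTI_VER:?error}` aborts the render when the variable is unset instead of silently producing an image reference with an empty tag. The following Python script is an added example, not part of the original issue or of the OpenCTI project; it re-implements just enough of that interpolation to check a split layout offline and lints for `opencti/*` images whose tag was left hard-coded after a bump. The sample file contents (`GLOBAL_ENV`, `SECRET_ENV`, `COMPOSE_OPENCTI`) are constructed for the example, and the env-file precedence (later file wins) is an assumption to confirm with `docker compose config`.

```python
"""Offline check for the split-compose layout proposed in this issue.

Constructed example, not OpenCTI's own tooling. It mimics two pieces of
Compose behaviour the proposal relies on: loading env_file entries (assumed:
later files override earlier ones) and ${VAR} interpolation, including the
${VAR:?error} form that must abort when the version is unset. It also lints
for opencti/* images that still carry a hard-coded tag.
"""
import re


class MissingVariable(Exception):
    """Raised for ${VAR?msg} / ${VAR:?msg} when VAR is unset (or empty, for :?)."""


# $$ escape, $NAME, or ${NAME[op arg]} where op is one of  ?  :?  -  :-
_VAR_RE = re.compile(
    r"\$(?:\$|(?P<name>[A-Za-z_]\w*)|"
    r"\{(?P<bname>[A-Za-z_]\w*)(?:(?P<op>:?[?-])(?P<arg>[^}]*))?\})"
)
_IMAGE_RE = re.compile(r"^\s*image:\s*(?P<image>\S+)\s*$", re.MULTILINE)


def load_env_files(env_texts):
    """Parse KEY=VALUE lines from each file's text; a later file wins on conflicts."""
    env = {}
    for text in env_texts:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if sep:
                env[key.strip()] = value.strip().strip("'\"")  # quotes handled naively
    return env


def interpolate(text, env):
    """Substitute Compose-style variable references in `text` using `env`."""
    def sub(m):
        if m.group(0) == "$$":
            return "$"
        name = m.group("name") or m.group("bname")
        op, arg = m.group("op"), m.group("arg")
        value = env.get(name)
        # ':?' and ':-' also treat an empty value as unset; '?' and '-' do not.
        unset = value is None or (op is not None and op.startswith(":") and value == "")
        if not unset:
            return value
        if op in ("?", ":?"):
            raise MissingVariable(f"{name}: {arg or 'required variable is not set'}")
        if op in ("-", ":-"):
            return arg
        return ""  # a plain unset reference becomes empty (Compose only warns here)
    return _VAR_RE.sub(sub, text)


def required_but_unset(text, env):
    """Names of ${VAR?..}/${VAR:?..} references that would make interpolation fail."""
    missing = set()
    for m in _VAR_RE.finditer(text):
        name, op = m.group("bname"), m.group("op")
        if op in ("?", ":?"):
            value = env.get(name)
            if value is None or (op == ":?" and value == ""):
                missing.add(name)
    return sorted(missing)


def lint_opencti_images(compose_text, var="OPENCTI_VER"):
    """Return opencti/* image references whose tag is not pinned via ${var...}."""
    stale = []
    for m in _IMAGE_RE.finditer(compose_text):
        image = m.group("image").strip("'\"")
        repo, _, tag = image.partition(":")
        if repo.startswith("opencti/") and not tag.startswith("${" + var):
            stale.append(image)
    return stale


# Constructed sample files mirroring the proposal (not the real OpenCTI files).
GLOBAL_ENV = "OPENCTI_VER=6.5.5\n"            # committable: no secrets
SECRET_ENV = "# never committed\nOPENCTI_ADMIN_PASSWORD=changeme\n"
COMPOSE_OPENCTI = """\
services:
  opencti:
    image: opencti/platform:${OPENCTI_VER:?error}
  worker:
    image: opencti/worker:${OPENCTI_VER:?error}
  connector-export-file-stix:
    # constructed mistake: a tag left hard-coded after a version bump
    image: opencti/connector-export-file-stix:6.5.4
"""


def main():
    env = load_env_files([GLOBAL_ENV, SECRET_ENV])
    print("stale pins:", lint_opencti_images(COMPOSE_OPENCTI))
    print(interpolate(COMPOSE_OPENCTI, env))
    # Same file rendered without .global.env: the :?error guard stops the render.
    secrets_only = load_env_files([SECRET_ENV])
    print("required but unset:", required_but_unset(COMPOSE_OPENCTI, secrets_only))
    try:
        interpolate(COMPOSE_OPENCTI, secrets_only)
    except MissingVariable as exc:
        print("render aborted:", exc)


if __name__ == "__main__":
    main()
```

The authoritative check is still `docker compose config` against the real files, which performs Compose's own interpolation; this script is the cheap pre-commit guard for the problem the issue describes. Once versions are interpolated, a stray literal tag is exactly the kind of change that is hard to spot in a diff, and `${OPENCTI_VER:?error}` turns a missing `.global.env` into an immediate failure rather than a service that quietly references an image with no tag.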

@Roland-Rosier
Author

I can currently create a pull request against the 6.5.5 release of the OpenCTI compose files to implement this, if desired.
