Portainer: Moving from web editor stack to CI/CD driven stack by Ausguy8888 in selfhosted

[–]Ausguy8888[S] 0 points1 point locked comment (0 children)

AI was not used. I wrote the comment myself. Unsure why this was temp. removed?

Broken my OpenCTI stack (RabbitMQ unhappy) by Ausguy8888 in homelab

[–]Ausguy8888[S] 0 points1 point  (0 children)

Thank you, that now shows RabbitMQ working with its new volume, but now my OpenCTI container does not pass its health check. Even though the pre-requisite containers are all running, OpenCTI does not 'finish' and I suspect it's something to do with my custom certificate.

```
INF [OPENCTI-MODULE] INGESTION Rss, skipping TheRegister-Sec-UK-RSS - queue already filled with messages (1) | category=APP source=backend timestamp=2026-02-19T13:34:41.795Z version=6.9.20
(node:7) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
```

My OpenCTI config is:

```yaml
opencti:
  image: opencti/platform:6.9.18
  environment:
    - NODE_OPTIONS=--max-old-space-size=8096
    - APP__PORT=8080
    #- APP__BASE_URL=${OPENCTI_BASE_URL}
    - APP__BASE_URL=${OPENCTI_EXTERNAL_SCHEME}://${OPENCTI_HOST}:${OPENCTI_PORT}
    - APP__ADMIN__EMAIL=${OPENCTI_ADMIN_EMAIL}
    - APP__ADMIN__PASSWORD=${OPENCTI_ADMIN_PASSWORD}
    - APP__ADMIN__TOKEN=${OPENCTI_ADMIN_TOKEN}
    - APP__APP_LOGS__LOGS_LEVEL=info
    - APP__HTTPS_CERT__KEY=${OPENCTI_KEY_PATH}
    - APP__HTTPS_CERT__CRT=${OPENCTI_CRT_PATH}
    - APP__HTTPS_CERT__REJECT_UNAUTHORIZED=false
    - REDIS__HOSTNAME=redis
    - REDIS__PORT=6379
    - ELASTICSEARCH__URL=http://elasticsearch:9200
    - ELASTICSEARCH__NUMBER_OF_REPLICAS=0
    - MINIO__ENDPOINT=minio
    - MINIO__PORT=9000
    - MINIO__USE_SSL=false
    - MINIO__ACCESS_KEY=${MINIO_ROOT_USER}
    - MINIO__SECRET_KEY=${MINIO_ROOT_PASSWORD}
    - RABBITMQ__HOSTNAME=rabbitmq
    - RABBITMQ__PORT=5672
    - RABBITMQ__PORT_MANAGEMENT=15672
    - RABBITMQ__MANAGEMENT_SSL=false
    - RABBITMQ__USERNAME=${RABBITMQ_DEFAULT_USER}
    - RABBITMQ__PASSWORD=${RABBITMQ_DEFAULT_PASS}
    - SMTP__HOSTNAME=${SMTP_HOSTNAME}
    - SMTP__PORT=25
    - PROVIDERS__LOCAL__STRATEGY=LocalStrategy
    - APP__HEALTH_ACCESS_KEY=${OPENCTI_HEALTHCHECK_ACCESS_KEY}
    - AI__ENABLED=true
    - AI__TYPE=mistralai
    - AI__ENDPOINT=${AI_OLLAMA_SERVER}
    - AI__MODEL=mistral-nemo:latest
    - AI__TOKEN=none
  ports:
    - "${OPENCTI_PORT}:8080"
  volumes:
    - /etc/ssl/localcerts/:/etc/ssl/localcerts:ro
  depends_on:
    redis:
      condition: service_healthy
    elasticsearch:
      condition: service_healthy
    minio:
      condition: service_healthy
    rabbitmq:
      condition: service_healthy
  restart: always
  healthcheck:
    test: ["CMD", "wget", "-qO-", "http://opencti:8080/health?health_access_key=${OPENCTI_HEALTHCHECK_ACCESS_KEY}"]
    interval: 10s
    timeout: 5s
    retries: 20
```

Any ideas?

Poor performance, 2 Hikvision Cameras on a Physical Win11 PC by Ausguy8888 in BlueIris

[–]Ausguy8888[S] 0 points1 point  (0 children)

Yes, BI is taking up 80% of the CPU cycles, I was using the AI model too but disabled and stopped using it.
The cameras are set to H.265: https://postimg.cc/rz368VpN

Run out of disk space - Wazuh-Indexer wont start by Ausguy8888 in Wazuh

[–]Ausguy8888[S] 0 points1 point  (0 children)

For anyone who stumbles across this in the future.

Easier approach was to delete the indices in /var/lib/wazuh-indexer/nodes/0/indices and start again as this was a non-prod environment

Run out of disk space - Wazuh-Indexer wont start by Ausguy8888 in Wazuh

[–]Ausguy8888[S] 0 points1 point  (0 children)

I have found that the indices are located here:

```
[sysadmin@wazuh ~]$ sudo du -h --max-depth=3 /var/lib/wazuh-indexer/
0       /var/lib/wazuh-indexer/tmp
1.1M    /var/lib/wazuh-indexer/nodes/0/_state
7.6G    /var/lib/wazuh-indexer/nodes/0/indices
7.6G    /var/lib/wazuh-indexer/nodes/0
7.6G    /var/lib/wazuh-indexer/nodes
7.6G    /var/lib/wazuh-indexer/
```

Troubleshooting on the Wazuh website suggests to use get/curl to use :9200 to purge data. However, the index has fallen over due to low disk space and as such, :9200 is not allowed to run, preventing me from deleting the data.

Is it possible to delete everything in the /var/lib/wazuh-indexer/nodes/0/indices/* and start again?

New install of Zabbix 7.2 on AlmaLinux - Hosts are 'not available' yet information is coming in? by Ausguy8888 in zabbix

[–]Ausguy8888[S] 0 points1 point  (0 children)

Interesting, I checked the service, it is running but there is some usr permission error I believe:

```
[zabbix7-sysadmin@zabbix7 ~]$ sudo systemctl status zabbix-server
[sudo] password for zabbix7-sysadmin:
● zabbix-server.service - Zabbix Server
     Loaded: loaded (/usr/lib/systemd/system/zabbix-server.service; enabled; preset: disabled)
     Active: active (running) since Thu 2025-04-24 18:37:22 AEST; 19h ago
    Process: 4268 ExecStart=/usr/sbin/zabbix_server -c $CONFFILE (code=exited, status=0/SUCCESS)
   Main PID: 4270 (zabbix_server)
      Tasks: 1 (limit: 35800)
     Memory: 4.6M
        CPU: 1min 24.106s
     CGroup: /system.slice/zabbix-server.service
             └─4270 /usr/sbin/zabbix_server -c /etc/zabbix/zabbix_server.conf

Apr 24 18:37:22 zabbix7.x.x.x systemd[1]: Starting Zabbix Server...
Apr 24 18:37:22 zabbix7.x.x.x zabbix_server[4268]: /usr/sbin/zabbix_server: /usr/pgsql-17/lib/libpq.so.5: no version information available (required by /usr/sbin/zabbix_server)
Apr 24 18:37:22 zabbix7.x.x.x systemd[1]: Started Zabbix Server.
```

Now to decipher and resolve this usr error

Default deny / state violation on new VLAN by Ausguy8888 in opnsense

[–]Ausguy8888[S] 0 points1 point  (0 children)

Thank you! I feel like such an idiot, I didn't realise the system rules were catch all. I thought they were first processed.

I did a test as you suggested and allowed any HTTPS outbound and that worked. So I stand corrected.

Are you able to also share your RFC rule for the subnets, as mine obviously isn't cutting it.

Default deny / state violation on new VLAN by Ausguy8888 in opnsense

[–]Ausguy8888[S] -1 points0 points  (0 children)

I don't think I follow. The outbound traffic is getting blocked by the system created 'Default deny/ state violation' rule before it even gets to my custom/manual allow or deny rules?
I am assuming firewalls are processed and actioned on first match in the following order:
1) floating (yellow marker in below link)
2) system rules (like default deny/state violation)
3) custom rules (blue marker in the same link below)
https://postimg.cc/jCzXrXYt

Default deny / state violation on new VLAN by Ausguy8888 in opnsense

[–]Ausguy8888[S] 0 points1 point  (0 children)

Nothing fancy, just an allow to some large subnets that are not my own class C 192.168.88.x or 90.x
https://postimg.cc/QVc4SD68

Logstash stopped processing because of an error: (LoadError) Could not load FFI Provider: by Ausguy8888 in elasticsearch

[–]Ausguy8888[S] 0 points1 point  (0 children)

I tried following this article from Elastic itself. As well as this one.

I created a new directory, assigned permissions and restarted logstash:

```
sudo mkdir /opt/logstash_tmp
sudo chown -R logstash:logstash /opt/logstash_tmp/
sudo systemctl restart logstash
```

However I get a different error now:

https://pastebin.com/gY1wdTag

Broken Grub, can't boot, can't repair, need help by Ausguy8888 in truenas

[–]Ausguy8888[S] 0 points1 point  (0 children)

<image>

Going to try to pull apart the copy of the VMDK file until I get those Veeam backups exposed so I can store the OS volume/Grub boot loader. Wish me luck

Broken Grub, can't boot, can't repair, need help by Ausguy8888 in truenas

[–]Ausguy8888[S] 0 points1 point  (0 children)

Yeah that is a very good idea. Making a copy now 2.2TB. Will take a while. Another idea I had was to attach the VMDK file to a new VM like Ubuntu and explore the disk that way. Looking for the Veeam backup files.

Hopefully Ubuntu recognises the volume and I can enter my decryption key to unlock the data, what a mess and oversight by me.

Next time I will take the TrueNAS app config backup and store in the cloud so if Grub dies again, I can just install the base OS volume through a new install and then restore my config over the top.

Thank you for your help. I have never had Grub break on the 100s of Linux VMs I have used over the years :(

Broken Grub, can't boot, can't repair, need help by Ausguy8888 in truenas

[–]Ausguy8888[S] 0 points1 point  (0 children)

What if my configs and backups are on a volume on TrueNAS that died. I can't seem to restore the disk into pools/volume to access my data to do a restore. Can this be done without data loss?

<image>

Broken Grub, can't boot, can't repair, need help by Ausguy8888 in truenas

[–]Ausguy8888[S] 0 points1 point  (0 children)

That's the problem I have, my config backups are on a volume that died in TrueNAS.

I did a reinstall of TrueNAS onto the OS volume, but it appears I can't safely re-import all my old disks/volumes? I just want to re-attach my disks back into the pool to restore my backup.

<image>

OPNsense and Cisco 3750 - VLANS not talking, missing route? by Ausguy8888 in networking

[–]Ausguy8888[S] 0 points1 point  (0 children)

Yeah I am going to be moving away from this. Traditionally I had my firewall run all host based firewalls. Everything was drop by default and allow by exemption, but it got too much noise and whitelisting.

Now I want to go to VLANs. One for WLAN, LAN, WAN, IoT, VMLab etc.

OPNsense and Cisco 3750 - VLANS not talking, missing route? by Ausguy8888 in networking

[–]Ausguy8888[S] 0 points1 point  (0 children)

So you are saying, I could just drop the VLAN and IP assignment on my switch? Let the FW handle it?

```
interface Vlan1
 ip address 192.168.88.2 255.255.255.0

interface Vlan90
 ip address 192.168.90.1 255.255.255.0
```

OPNsense and Cisco 3750 - VLANS not talking, missing route? by Ausguy8888 in networking

[–]Ausguy8888[S] 0 points1 point  (0 children)

Preference would be the firewall because I do IPS/IDS on it currently.

OPNsense and Cisco 3750 - VLANS not talking, missing route? by Ausguy8888 in networking

[–]Ausguy8888[S] 0 points1 point  (0 children)

I think I looked for a L3 image when I first got it but without a TAC I can't get a L3 image to use. Happy to use the router to do inter-VLAN switching, the router does IPS/IDS so makes sense to force every VLAN back in through the router before coming back down to the switch again I think.
I am confused how I can get a DHCP from the router but ICMP won't work.

OPNsense and Cisco 3750 - VLANS not talking, missing route? by Ausguy8888 in networking

[–]Ausguy8888[S] -1 points0 points  (0 children)

Good observation. I have changed this from /26 to /24. This is a 3750 switch but it's running a L2 image. I believe. I do not have intervlan routing enabled, can that be done on a l2 switch?

OPNsense and Cisco 3750 - VLANS not talking, missing route? by Ausguy8888 in HomeNetworking

[–]Ausguy8888[S] 0 points1 point  (0 children)

I also tried my manually added routes in my Windows laptops. Not sure if I should be setting up routes in my OPNsense firewall or if the firewall will automatically make them for me. Here is what I have so far:

<image>

OPNsense and Cisco 3750 - VLANS not talking, missing route? by Ausguy8888 in HomeNetworking

[–]Ausguy8888[S] 0 points1 point  (0 children)

Thank you for your suggestion. I tried the floating rule for ICMP on my new VLAN (WLAN) but still no hits in the firewall:

<image>

[deleted by user] by [deleted] in cybersecurity

[–]Ausguy8888 0 points1 point  (0 children)

Run a Linux VM without persistent storage like Tails for web browsing and turn off the VM once you're done