mmguero
commented
2 months ago in mmguero-dev/Malcolm@97ebeef, I did the following:
- remove ZEEK_CRON variable
- moved ZEEK_INTEL_REFRESH_CRON_EXPRESSION variable to zeek-offline.env for zeek-offline container only
- added ZEEK_INTEL_REFRESH_ON_ENTRYPOINT=false and ZEEK_INTEL_REFRESH_ON_DEPLOY=false
- ZEEK_INTEL_REFRESH_ON_ENTRYPOINT is set to true for the zeek-offline container only
- ZEEK_INTEL_REFRESH_ON_DEPLOY is only set to true on Hedgehog Linux installations (where we're not using Docker), in control_vars.conf
- zeek_intel_setup.sh now only sets up the crontab file for the container if ZEEK_INTEL_REFRESH_CRON_EXPRESSION is set
- zeek_deploy.sh checks ZEEK_INTEL_REFRESH_ON_DEPLOY before running zeek_intel_setup.sh
- zeek/scripts/docker_entrypoint.sh checks ZEEK_INTEL_REFRESH_ON_ENTRYPOINT before running zeek_intel_setup.sh
- supercronic runs in both containers, but only actually gets set up for Zeek intel pull when ZEEK_INTEL_REFRESH_CRON_EXPRESSION is set
- this is because there may be other things we want cron to do here in the future, for now with an empty crontab the zeek-live one will just sleep
The issue is right now all of the Zeek containers attempt to generate the intel file, although it's shared amongst all of them.
This is exacerbated in a Kubernetes deployment where you scale up the number of zeek-live containers.
Here are the changes we need to make: