Arkime Docker image/container
This repository contains the files to build a Docker image of the Arkime software.

Ready-to-use Docker images can be pulled from https://hub.docker.com/r/mammo0/docker-arkime

To run this image a working OpenSearch environment is required. Please follow their documentation for setting this up (e.g. for Docker: https://opensearch.org/docs/latest/opensearch/install/docker).
Please note: This Docker image does currently NOT support
- SSL connections and
- user authentication
to OpenSearch nodes. Please ensure that the following environment variables are set for the OpenSearch nodes:

```
DISABLE_SECURITY_PLUGIN=true
DISABLE_INSTALL_DEMO_CONFIG=true
```
This image can be run with

```
docker run \
  -e OS_HOST=opensearch \
  -e OS_PORT=9200 \
  -v <config_volume>:/data/config \
  -v <pcap_volume>:/data/pcap \
  -v <log_volume>:/data/logs \
  mammo0/docker-arkime:<tag>
```
These parameters are available:

ENV VARIABLE | DEFAULT VALUE | NOTES |
---|---|---|
OS_HOST | opensearch | The hostname or IP address where OpenSearch is running. |
OS_PORT | 9200 | The port where OpenSearch is reachable. |
OS_USER | | The user name for authentication to the OpenSearch instance. This feature is not tested yet! |
OS_PASSWORD | | The password for the OpenSearch user. This feature is not tested yet! |
ARKIME_ADMIN_PASSWORD | admin | The password for the Arkime admin user, needed for the first login. It can be changed afterwards. |
ARKIME_INTERFACE | eth0 | The network interface the capture process listens on. This feature is not tested yet! |
ARKIME_HOSTNAME | localhost | Arkime authenticates to OpenSearch with this hostname, so if you change it you will lose your OpenSearch configuration. |
CAPTURE | off | Set to "on" to activate the capture process. This feature is not tested yet! |
VIEWER | on | Set to "off" to deactivate the Arkime viewer. |
VOLUME | CONTAINER PATH | NOTES |
---|---|---|
config_volume | /data/config | The Arkime configuration is saved in this directory. |
pcap_volume | /data/pcap | The pcap files generated by the capture process are saved in this directory. |
log_volume | /data/logs | The Arkime log files are saved in this directory. |
You can use docker-compose if you want to set up OpenSearch together with Arkime in one step.

- Copy the file env/docker-compose.env to .env before running docker-compose up:

  ```
  cp env/docker-compose.env .env
  ```

  You may want to change some of the variables inside. Each variable is documented there.
- Check the settings in the env/arkime-compose.env file. These are used for the Arkime container. The available settings and values are documented in the ENV VARIABLE table above.
- Ensure you have done this step (otherwise OpenSearch won't start): https://opensearch.org/docs/latest/opensearch/install/docker/#important-host-settings

  To apply the setting on a live system, run:

  ```
  sysctl -w vm.max_map_count=262144
  ```
- Simply run

  ```
  docker-compose up -d
  ```

  It can take some time until the OpenSearch instance(s) is/are fully started.

The Arkime viewer instance can then be accessed on the viewer port, assuming you have not changed the default port in the .env file.
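As an added example (not part of this repository or of the Arkime project), the following POSIX shell pre-flight script checks the three things the compose steps above depend on before you run docker-compose up: the vm.max_map_count host setting, the two OpenSearch security variables in the .env file, and whether ARKIME_ADMIN_PASSWORD still carries the image default. The variable names are the ones documented in this README; the function names, the summary output and the assumption that the .env file consists of plain KEY=VALUE lines are mine.

```shell
#!/bin/sh
# Pre-flight checks for the Arkime + OpenSearch compose setup.
# Added example, not one of this repository's scripts. It assumes the
# variable names from this README (DISABLE_SECURITY_PLUGIN,
# DISABLE_INSTALL_DEMO_CONFIG, ARKIME_ADMIN_PASSWORD) and a .env file made of
# plain KEY=VALUE lines; the function names and summary output are my own.

MIN_MAP_COUNT=262144   # minimum vm.max_map_count from the OpenSearch host settings

# Succeeds when vm.max_map_count (or the value given as $1, for testing)
# meets the OpenSearch minimum.
check_vm_max_map_count() {
    current="${1:-$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0)}"
    [ "$current" -ge "$MIN_MAP_COUNT" ]
}

# Prints the value of KEY ($2) from env file ($1); the last definition wins,
# matching how docker-compose reads .env. Prints nothing if the key is absent.
env_value() {
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# Succeeds when the env file disables the OpenSearch security plugin and the
# demo config, which this image currently needs (no SSL / no auth support).
check_opensearch_security_settings() {
    [ "$(env_value "$1" DISABLE_SECURITY_PLUGIN)" = "true" ] &&
        [ "$(env_value "$1" DISABLE_INSTALL_DEMO_CONFIG)" = "true" ]
}

# Succeeds when ARKIME_ADMIN_PASSWORD is set and differs from the image
# default "admin", so the first login does not use a well-known password.
check_admin_password() {
    pw="$(env_value "$1" ARKIME_ADMIN_PASSWORD)"
    [ -n "$pw" ] && [ "$pw" != "admin" ]
}

# Runs every check against env file $1 ($2 optionally overrides the
# vm.max_map_count reading) and returns the number of failed checks.
preflight() {
    failed=0
    if check_vm_max_map_count "$2"; then
        echo "ok   vm.max_map_count >= $MIN_MAP_COUNT"
    else
        echo "FAIL vm.max_map_count too low; run: sysctl -w vm.max_map_count=$MIN_MAP_COUNT"
        failed=$((failed + 1))
    fi
    if check_opensearch_security_settings "$1"; then
        echo "ok   OpenSearch security plugin and demo config disabled in $1"
    else
        echo "FAIL set DISABLE_SECURITY_PLUGIN=true and DISABLE_INSTALL_DEMO_CONFIG=true in $1"
        failed=$((failed + 1))
    fi
    if check_admin_password "$1"; then
        echo "ok   ARKIME_ADMIN_PASSWORD changed from the default"
    else
        echo "FAIL ARKIME_ADMIN_PASSWORD is unset or still the default 'admin' in $1"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# With a file argument, check that file; otherwise run against a constructed
# sample .env that still carries the default admin password.
if [ -n "$1" ]; then
    preflight "$1" || echo "$? check(s) failed"
else
    sample="$(mktemp)"
    printf '%s\n' 'DISABLE_SECURITY_PLUGIN=true' \
        'DISABLE_INSTALL_DEMO_CONFIG=true' \
        'ARKIME_ADMIN_PASSWORD=admin' > "$sample"
    preflight "$sample" || echo "$? check(s) failed"
    rm -f "$sample"
fi
```

Run it as sh preflight.sh .env from the repository root; a non-zero count means at least one of the conditions the compose steps rely on is not met yet. The vm.max_map_count check reads /proc, so it only reflects the host the script runs on, not a remote Docker host.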
To import existing pcap files, have a look at the scripts/arkime-parse-pcap-folder.sh script. It can be run within the running container:

```
docker exec -it <container_name> \
  /data/arkime-parse-pcap-folder.sh -d <directory_with_pcap_files> -t <tag>
```

If the parameter -d is omitted, the script asks whether you want to import the default directory /data/pcap.