- Pre-Requisites
- Clone the Repository
- Configure the environment
- Memory Management Settings
- Run OpenCTI - Full-stack, including UI
- Run OpenCTI infrastructure with UI/GraphQL in development mode
Appendices:
- Appendix A: How to update your docker instances
- Appendix B: How to deploy behind a reverse proxy
- Appendix C: How to persist data
- Appendix D: Memory configuration: additional information
OpenCTI can be deployed using the docker-compose
command.
For production deployment, we advise you to deploy ElasticSearch manually in a dedicated environment and then to start the other components using Docker.
docker-compose
:
$ sudo apt-get install docker-compose
Download: https://www.docker.com/products/docker-desktop
$ mkdir -p /path/to/your/app && cd /path/to/your/app
$ git clone https://github.com/OpenCTI-Platform/docker.git
$ cd docker
Before running the docker-compose
command, the docker-compose.yml
file must be configured.
There are two ways to do that:
- Use environment variables as it is proposed and you have an exemple in the
.env.sample
file (ie.APP__ADMIN__EMAIL=${OPENCTI_ADMIN_EMAIL}
). - Directly set the parameters in the
docker-compose.yml
.
If setting within the environment, you can reference the methodology in the Environment setup on OpenCTI's Notion page - located below for ease:
sudo apt install -y jq
cd ~/docker
(cat <<EOF
OPENCTI_ADMIN_EMAIL=admin@opencti.io
OPENCTI_ADMIN_PASSWORD=CHANGEMEPLEASE
OPENCTI_ADMIN_TOKEN=$(cat /proc/sys/kernel/random/uuid)
MINIO_ROOT_USER=$(cat /proc/sys/kernel/random/uuid)
MINIO_ROOT_PASSWORD=$(cat /proc/sys/kernel/random/uuid)
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=guest
CONNECTOR_HISTORY_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_CSV_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_EXPORT_FILE_TXT_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_IMPORT_FILE_STIX_ID=$(cat /proc/sys/kernel/random/uuid)
CONNECTOR_IMPORT_DOCUMENT_ID=$(cat /proc/sys/kernel/random/uuid)
SMTP_HOSTNAME=localhost
EOF
) > .env
brew install jq
cd ~/docker
(cat <<EOF
OPENCTI_ADMIN_EMAIL=admin@opencti.io
OPENCTI_ADMIN_PASSWORD=CHANGEMEPLEASE
OPENCTI_ADMIN_TOKEN=$(uuidgen)
MINIO_ROOT_USER=$(uuidgen)
MINIO_ROOT_PASSWORD=$(uuidgen)
RABBITMQ_DEFAULT_USER=guest
RABBITMQ_DEFAULT_PASS=guest
CONNECTOR_HISTORY_ID=$(uuidgen)
CONNECTOR_EXPORT_FILE_STIX_ID=$(uuidgen)
CONNECTOR_EXPORT_FILE_CSV_ID=$(uuidgen)
CONNECTOR_EXPORT_FILE_TXT_ID=$(uuidgen)
CONNECTOR_IMPORT_FILE_STIX_ID=$(uuidgen)
CONNECTOR_IMPORT_DOCUMENT_ID=$(uuidgen)
SMTP_HOSTNAME=localhost
EOF
) > .env
cd ~/docker
# trick to export the .env
export $(cat .env | grep -v "#" | xargs)
For additional memory management information see the Memory configuration notes section
As OpenCTI has a dependency on ElasticSearch, you have to set the vm.max_map_count
before running the containers, as mentioned in the ElasticSearch documentation.
$ sudo sysctl -w vm.max_map_count=1048575
To make this parameter persistent, add the following to the end of your /etc/sysctl.conf
:
$ vm.max_map_count=1048575
After changing your .env
file run docker-compose
in detached (-d
) mode:
$ sudo docker-compose up -d
In order to have the best experience with Docker, we recommend using the Docker stack feature. In this mode you will have the capacity to easily scale your deployment.
If your virtual machine is not already part of a Swarm cluster, initialize a swarm:
$ sudo docker swarm init
Put your environment variables in the /etc/environment
:
# If you already exported your variables to .env from above:
$ sudo cat .env >> /etc/environment
$ sudo source /etc/environment
$ sudo docker stack deploy --compose-file docker-compose.yml opencti
You can now go to http://localhost:8080 and log in with the credentials configured in your environment variables.
In order to develop OpenCTI UI/GraphQL in the most efficient manner we have provided a docker-compose.dev.yml
which stands up the back-end/infrastructure of OpenCTI, with the expectation that you will run the OpenCTI front-end (React/GraphQL) separately.
This docker-compose exposes all necessary ports for the UI/GraphQL to attach to in order to support local development.
To run the services required for local development run:
$ sudo docker-compose up -f docker-compose.dev.yml -d
To configure/run the UI/GraphQL we would direct you to the Notion documentation
$ sudo docker-compose stop
$ sudo docker-compose pull
$ sudo docker-compose up -d
For each of services, you have to run the following command:
$ sudo docker service update --force service_name
If you want to use OpenCTI behind a reverse proxy with a context path, like https://myproxy.com/opencti
, please change the base_path configuration.
- APP__BASE_PATH=/opencti
By default OpenCTI use websockets so don't forget to configure your proxy for this usage, an example with Nginx
:
location / {
proxy_cache off;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
chunked_transfer_encoding off;
proxy_pass http:/YOUR_UPSTREA_BACKEND;
}
The default for OpenCTI data is to be persistent.
If you do not wish the data to persist:
$ mv docker-compose.override.no-persist.yml docker-compose.override.yml
OpenCTI default docker-compose.yml
file does not provide any specific memory configuration. But if you want to adapt some dependencies configuration, you can find some links below.
OpenCTI platform is based on a NodeJS runtime, with a memory limit of 512MB by default. We do not provide any option to change this limit today. If you encounter any OutOfMemory
exception, please open a Github issue.
OpenCTI workers and connectors are Python processes. If you want to limit the memory of the process, we recommend to directly use Docker to do that. You can find more information in the official Docker documentation.
If you do not use Docker stack, think about --compatibility option.
ElasticSearch is also a JAVA process. In order to setup the JAVA memory allocation, you can use the environment variable ES_JAVA_OPTS
.
The minimal recommended option today is -Xms8G -Xmx8G.
You can find more information in the official ElasticSearch documentation.
Redis has a very small footprint and only provides an option to limit the maximum amount of memory that can be used by the process. You can use the option --maxmemory
to limit the usage.
You can find more information in the Redis docker hub.
MinIO is a small process and does not require a high amount of memory. More information are available for Linux here on the Kernel tuning guide.
The RabbitMQ memory configuration can be find in the RabbitMQ official documentation. RabbitMQ will consumed memory until a specific threshold, therefore it should be configure along with the Docker memory limitation.