Suricata container

Hello,

I’m trying to get a suricata container running using the directions here: Vyos firewall artificial intelligence support - Talks - VyOS Forums

It's failing to start. I cannot remove the external container storage overlay now. I get a “container not empty” when trying to force-remove it, using the command “sudo podman container rm <container_id> -f”.

Below is the container config I’m using:

set container name suricata allow-host-networks
set container name suricata arguments '-q 1'
set container name suricata cap-add 'net-admin'
set container name suricata cap-add 'sys-admin'
set container name suricata image 'jasonish/suricata:6.0.18'
set container name suricata memory '8192'
set container name suricata volume ETC destination '/etc/suricata'
set container name suricata volume ETC source '/config/suricata/etc'
set container name suricata volume LOGS destination '/var/log/suricata'
set container name suricata volume LOGS source '/config/suricata/logs'
set container name suricata volume RULES destination '/var/lib/suricata'
set container name suricata volume RULES source '/config/suricata/rules'

I’ve created the directories under /config and have made the listed /config/suricata/etc/suricata.yaml config changes. Suricata fails to start and I’m not finding any specific logs as to why yet.

I am using zones in my FW config; not sure if that breaks the ACL entries in the linked help above.

Thanks for any help.
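Added example, not from the thread or from VyOS: a pre-flight check that reads the "set container name ... volume ... source" lines above from stdin and reports bind-mount sources that are missing or empty on the host before the config is committed. The scratch-tree helper and the optional root prefix are assumptions so it runs offline.

```shell
# Pre-flight check for a VyOS container definition (added example). Reads
# "set container name <name> volume <TAG> source <path>" commands on stdin
# and reports host source directories that are missing or empty. The root
# prefix and scratch tree are assumptions so the check can run offline.

# Print each volume source path declared for container $1, quotes stripped
# (paths are assumed not to contain spaces, as in the thread's config).
volume_sources() {
    awk -v name="$1" -v q="'" '
        $1 == "set" && $2 == "container" && $3 == "name" && $4 == name &&
        $5 == "volume" && $7 == "source" { gsub(q, "", $8); print $8 }'
}

# Classify every source path, optionally prefixed with $2 (empty = real paths).
# Prints one line per volume: "ok|missing|empty <path>".
check_volumes() {
    cv_name=$1; cv_root=${2:-}
    volume_sources "$cv_name" | while IFS= read -r src; do
        if [ ! -d "$cv_root$src" ]; then
            echo "missing $src"
        elif [ -z "$(ls -A "$cv_root$src")" ]; then
            echo "empty $src"
        else
            echo "ok $src"
        fi
    done
}

# Number of volumes that are not "ok"; 0 means every bind source is ready.
count_problems() {
    check_volumes "$1" "$2" | awk '!/^ok / { n++ } END { print n + 0 }'
}

# Constructed sample: the volume lines from the thread, one left unquoted.
SAMPLE_CONFIG="set container name suricata volume ETC destination '/etc/suricata'
set container name suricata volume ETC source '/config/suricata/etc'
set container name suricata volume LOGS source '/config/suricata/logs'
set container name suricata volume RULES source /config/suricata/rules"

# Constructed scratch tree: etc populated with a suricata.yaml, logs present
# but empty, rules absent. Prints the temporary root so callers can reuse it.
make_scratch_tree() {
    st_root=$(mktemp -d)
    mkdir -p "$st_root/config/suricata/etc" "$st_root/config/suricata/logs"
    : > "$st_root/config/suricata/etc/suricata.yaml"
    echo "$st_root"
}

DEMO_ROOT=$(make_scratch_tree)
printf '%s\n' "$SAMPLE_CONFIG" | check_volumes suricata "$DEMO_ROOT"
rm -rf "$DEMO_ROOT"
```

Run it against the live box with an empty root prefix (`show configuration commands | grep 'container name suricata' | check_volumes suricata`) to see which of the three bind sources would fail before committing.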

I manually deleted all the subdirs of the external storage, then removed the external container, and that fixed my issue.

Using podman to stop/restart the container caused the problem every time. Need to use the restart command. Probably not understanding the VyOS way to work with containers, though.

Suricata is working now.

4 Likes