Docker Compose is used to coordinate running the Docker containers. To start Malcolm, navigate to the directory containing docker-compose.yml and run:
This will create the containers’ virtual network and instantiate them, then leave them running in the background. The Malcolm containers may take several minutes to start up completely. To follow the debug output for an already-running Malcolm instance, run:
You can also use docker stats to monitor the resource utilization of running containers.
You can run ./scripts/stop to stop the Docker containers and remove their virtual network. Alternatively, ./scripts/restart will restart an instance of Malcolm. Because the data on disk is stored on the host in Docker volumes, performing these operations will not result in loss of data.
Malcolm can be configured to automatically restart when the Docker system daemon restarts (for example, on system reboot). This behavior depends on the value of the restart: setting for each service in the docker-compose.yml file. This value can be set by running ./scripts/configure and answering “yes” to “Restart Malcolm upon system or Docker daemon restart?”
To temporarily set the Malcolm user interfaces into read-only configuration, run the following commands from the Malcolm installation directory.
First, to configure Nginx to disable access to the upload and other interfaces for changing Malcolm settings, and to deny HTTP methods other than
docker compose exec nginx-proxy bash -c "cp /etc/nginx/nginx_readonly.conf /etc/nginx/nginx.conf && nginx -s reload"
Second, to set the existing OpenSearch data store to read-only:
docker compose exec dashboards-helper /data/opensearch_read_only.py -i _cluster
These commands must be re-run every time Malcolm is restarted.
Note: after running these commands there may be an increase of error messages in the Malcolm containers’ output as various background processes will fail due to the read-only nature of the indices. Additionally, some features such as Arkime’s Hunt and building your own visualizations and dashboards in OpenSearch Dashboards will not function correctly in read-only mode.
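Because read-only mode is lost on every restart and the containers may need several minutes before they accept commands, the two steps above can be wrapped in a retry loop. The following is an added example, not part of Malcolm; the function names and the DOCKER, RETRIES and DELAY variables are assumptions made for this sketch, and it is meant to be run from the Malcolm installation directory.

```shell
# Added example (not Malcolm's own code). DOCKER, RETRIES and DELAY are
# names chosen for this sketch; the two exec commands are the ones above.
DOCKER="${DOCKER:-docker}"
RETRIES="${RETRIES:-30}"   # attempts before giving up
DELAY="${DELAY:-10}"       # seconds to wait between attempts

# Apply both read-only steps once, in the documented order.
# Returns 1 if the Nginx step fails, 2 if the OpenSearch step fails.
malcolm_read_only() {
    if ! $DOCKER compose exec nginx-proxy bash -c \
        "cp /etc/nginx/nginx_readonly.conf /etc/nginx/nginx.conf && nginx -s reload"; then
        echo "read-only: nginx-proxy step failed, interfaces are still writable" >&2
        return 1
    fi
    if ! $DOCKER compose exec dashboards-helper /data/opensearch_read_only.py -i _cluster; then
        echo "read-only: OpenSearch step failed, data store is still writable" >&2
        return 2
    fi
    return 0
}

# Retry until both steps succeed. Re-running the Nginx step is harmless,
# so a partial failure simply starts the sequence again.
malcolm_read_only_wait() {
    attempt=1
    while :; do
        if malcolm_read_only; then
            echo "read-only mode applied on attempt $attempt"
            return 0
        fi
        if [ "$attempt" -ge "$RETRIES" ]; then
            break
        fi
        attempt=$((attempt + 1))
        sleep "$DELAY"
    done
    echo "read-only mode NOT applied after $RETRIES attempts" >&2
    return 1
}

# Only act when asked to, e.g.: ./scripts/restart && sh read_only.sh apply
if [ "${1:-}" = "apply" ]; then
    malcolm_read_only_wait
fi
```

A non-zero exit from the wrapper means at least one interface is still writable, so treat it as a failed lockdown rather than a warning.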