Skip to content

Upgrading Wallarm Native Node with Docker Image

These instructions describe the steps to upgrade the Native Node deployed from the Docker image.

View Docker image releases

Requirements

  • Docker installed on your host system

  • Inbound access to your containerized environment from your API management platform

  • Outbound access from your containerized environment to:

    • https://hub.docker.com/r/wallarm to download the Docker images required for the deployment
    • https://us1.api.wallarm.com or https://api.wallarm.com for US/EU Wallarm Cloud
    • IP addresses below for downloading updates to attack detection rules and API specifications, as well as retrieving precise IPs for your allowlisted, denylisted, or graylisted countries, regions, or data centers

      34.96.64.17
      34.110.183.149
      35.235.66.155
      34.102.90.100
      34.94.156.115
      35.235.115.105
      
      34.160.38.183
      34.144.227.90
      34.90.110.226
      
  • In addition to the above, you should have the Administrator role assigned in Wallarm Console

1. Download the new Docker image version

docker pull wallarm/node-native-aio:0.12.0

2. Stop the running container

docker stop <RUNNING_CONTAINER_NAME>

3. Run the container using the new image

docker run -d -e WALLARM_API_TOKEN='XXXXXXX' -e WALLARM_LABELS='group=<GROUP>' -e WALLARM_API_HOST='us1.api.wallarm.com' -v ./wallarm-node-conf.yaml:/opt/wallarm/etc/wallarm/go-node.yaml -p 80:5050 wallarm/node-native-aio:0.12.0
docker run -d -e WALLARM_API_TOKEN='XXXXXXX' -e WALLARM_LABELS='group=<GROUP>' -v ./wallarm-node-conf.yaml:/opt/wallarm/etc/wallarm/go-node.yaml -p 80:5050 wallarm/node-native-aio:0.12.0
Environment variable Description Required
WALLARM_API_TOKEN API token with the Deploy role. Yes
WALLARM_LABELS Sets the group label for node instance grouping, for example:
WALLARM_LABELS="group=<GROUP>" will place node instance into the <GROUP> instance group (existing, or, if does not exist, it will be created).
Yes
WALLARM_API_HOST Wallarm API server:
  • us1.api.wallarm.com for the US Cloud
  • api.wallarm.com for the EU Cloud
By default: api.wallarm.com.
No
  • The -p option maps host and container ports:

    • The first value (80) is the host's port, exposed to external traffic.
    • The second value (5050) is the container's port, which should match the connector.address setting in the wallarm-node-conf.yaml file.
  • The configuration file must be mounted as /opt/wallarm/etc/wallarm/go-node.yaml inside the container.

    For the configuration file, you can reuse the one used during the initial installation. Only add new parameters or modify existing ones if necessary - see the supported configuration options.

4. Verify the upgrade

To verify that the node is functioning correctly:

  1. Check the logs for any errors:

    • Logs are written to /opt/wallarm/var/log/wallarm/go-node.log by default, with additional output available in stdout.
    • Standard logs of the filtering node such as whether the data is sent to the Wallarm Cloud, detected attacks, etc. are located in the directory /opt/wallarm/var/log/wallarm inside the container.
  2. Send the request with test Path Traversal attack to a protected resource address:

    curl http://localhost/etc/passwd
    

    If traffic is configured to be proxied to example.com, include the -H "Host: example.com" header in the request.

  3. Verify that the upgraded node operates as expected compared to the previous version.