Upgrading Wallarm Native Node with Docker Image
These instructions describe the steps to upgrade the Native Node deployed from the Docker image.
Requirements
- Docker installed on your host system
- Inbound access to your containerized environment from your API management platform
- Outbound access from your containerized environment to:
  - https://hub.docker.com/r/wallarm to download the Docker images required for the deployment
  - https://us1.api.wallarm.com or https://api.wallarm.com for US/EU Wallarm Cloud
  - IP addresses below for downloading updates to attack detection rules and API specifications, as well as retrieving precise IPs for your allowlisted, denylisted, or graylisted countries, regions, or data centers
- In addition to the above, you should have the Administrator role assigned in Wallarm Console
1. Download the new Docker image version
2. Stop the running container
3. Run the container using the new image
Environment variable | Description | Required |
---|---|---|
WALLARM_API_TOKEN | API token with the Deploy role. | Yes |
WALLARM_LABELS | Sets the group label for node instance grouping, for example: WALLARM_LABELS="group=<GROUP>" will place the node instance into the <GROUP> instance group (an existing one or, if it does not exist, a newly created one). | Yes |
WALLARM_API_HOST | Wallarm API server: api.wallarm.com. | No |
- The -p option maps host and container ports:
  - The first value (80) is the host's port, exposed to external traffic.
  - The second value (5050) is the container's port, which should match the connector.address setting in the wallarm-node-conf.yaml file.
- The configuration file must be mounted as /opt/wallarm/etc/wallarm/go-node.yaml inside the container.

  For the configuration file, you can reuse the one used during the initial installation. Only add new parameters or modify existing ones if necessary - see the supported configuration options.
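The variable and port requirements above can be checked before the container is started. The script below is an added example, not part of Wallarm's documentation or tooling. It assumes connector.address is written as address: ":5050" under a top-level connector: key; the function names, the container name wallarm-node and the image argument are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not Wallarm's own tooling: pre-flight checks for step 3.
# Assumption: the config holds connector.address as
#   connector:
#     address: ":5050"

# Print the port of the "address" key inside the top-level "connector" block.
connector_port() {
  awk '
    /^connector:/ { in_c = 1; next }
    /^[^ \t#]/    { in_c = 0 }                 # another top-level key ends the block
    in_c && /^[ \t]+address:/ {
      sub(/#.*/, "")                           # drop a trailing comment
      gsub(/[^A-Za-z0-9.:]/, "")               # drop quotes, spaces, brackets
      n = split($0, parts, ":")                # address:host:port -> last field
      print parts[n]; exit
    }' "$1"
}

# preflight CONFIG HOST_PORT:CONTAINER_PORT
# Prints each problem found; returns non-zero if there is any.
preflight() {
  local config="$1" mapping="$2" rc=0 cport
  [ -n "${WALLARM_API_TOKEN:-}" ] || { echo "WALLARM_API_TOKEN is not set"; rc=1; }
  case "${WALLARM_LABELS:-}" in
    group=?*) ;;
    *) echo "WALLARM_LABELS must look like group=<GROUP>"; rc=1 ;;
  esac
  [ -r "$config" ] || { echo "cannot read $config"; return 1; }
  cport=$(connector_port "$config")
  if [ "${mapping##*:}" != "$cport" ]; then
    echo "container port ${mapping##*:} does not match connector.address port ${cport:-<none>}"
    rc=1
  fi
  return "$rc"
}

# run_upgraded_node CONFIG MAPPING IMAGE
# CONFIG must be an absolute path. IMAGE is whatever you pulled in step 1.
# The container name is hypothetical. "-e NAME" with no value copies the
# variable from the calling environment, so the token is not on the command line.
run_upgraded_node() {
  preflight "$1" "$2" || return 1
  docker run -d --name wallarm-node \
    -e WALLARM_API_TOKEN -e WALLARM_LABELS \
    -p "$2" -v "$1:/opt/wallarm/etc/wallarm/go-node.yaml" "$3"
}
```

Export WALLARM_API_TOKEN and WALLARM_LABELS in the calling shell, then call run_upgraded_node with the absolute config path, the port mapping (for example 80:5050) and the new image reference.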
4. Verify the upgrade
To verify that the node is functioning correctly:
- Check the logs for any errors:
  - Logs are written to /opt/wallarm/var/log/wallarm/go-node.log by default, with additional output available in stdout.
  - Standard logs of the filtering node, such as whether the data is sent to the Wallarm Cloud, detected attacks, etc., are located in the directory /opt/wallarm/var/log/wallarm inside the container.
- Send a request with a test Path Traversal attack to a protected resource address:

  If traffic is configured to be proxied to example.com, include the -H "Host: example.com" header in the request.
- Verify that the upgraded node operates as expected compared to the previous version.