Preflight setup automation

Hello, we recently installed Graylog as a container in a Debian 12 Linux VM. I can see that three containers, i.e. Graylog, datanode and mongodb, are running without any issues, but to start with datanode, I need to complete the preflight setup manually.

Is there any way to automate the preflight configuration to assign the certificate to the datanode?

Hi @Super-Boy,
Yes, there is. If you configure selfsigned_startup=true in your graylog server configuration, the server will automatically create a selfsigned CA and configure automatic certificate renewal.

Datanodes connecting to a server with this configuration will then automatically obtain their certificates and fully start.

This should bypass the preflight configuration.

Another option is to manage all certificates externally, but this is a much more complex task and makes sense only if you already have a trusted CA and want to use it for your setup.

Hello,

Thanks for your reply. Could you please share the path of this configuration? What exactly needs to be done? I am using containers.

BTW I have gone through this post and didn’t understand where to do those changes.

Unattended installation - standalone - Graylog Central (peer support) - Graylog Community

If you are using containers, the easiest solution is to configure the server with environment properties. In this case, you’d set GRAYLOG_SELFSIGNED_STARTUP=true in the place where you configure your containers and their environment.

Otherwise you’d need to mount the graylog.conf file from outside and provide it to your container.

I am using a docker compose file. I added GRAYLOG_SELFSIGNED_STARTUP in the environment section. Is this correct?

graylog:
  hostname: "server"
  image: "${GRAYLOG_IMAGE:-graylog/graylog:6.1}"
  depends_on:
    mongodb:
      condition: "service_started"
    datanode:
      condition: "service_started"
  entrypoint: "/usr/bin/tini -- /docker-entrypoint.sh"
  environment:
    GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/data/node-id"
    # GRAYLOG_DATANODE_PASSWORD_SECRET and GRAYLOG_PASSWORD_SECRET MUST be the same value
    GRAYLOG_PASSWORD_SECRET: "${GRAYLOG_PASSWORD_SECRET:?Please configure GRAYLOG_PASSWORD_SECRET in the .env file}"
    GRAYLOG_ROOT_PASSWORD_SHA2: "${GRAYLOG_ROOT_PASSWORD_SHA2:?Please configure GRAYLOG_ROOT_PASSWORD_SHA2 in the .env file}"
    GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
    GRAYLOG_HTTP_EXTERNAL_URI: "http://localhost:9000/"
    GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
    GRAYLOG_SELFSIGNED_STARTUP: "true"
  ports:
    - "5044:5044/tcp" # Beats
    - "5140:5140/udp" # Syslog
    - "5140:5140/tcp" # Syslog

The configuration looks good. But the selfsigned startup has been introduced only in Graylog 6.2. You seem to be running an older version. I’d recommend jumping straight to the current 6.3 if you are starting now.
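
The two conditions this thread arrives at (the flag set to true, and a server image of 6.2 or later) can be checked against a compose file before deploying. The following is an added example, not code from the thread or from Graylog; the function names are hypothetical, the sample compose text is constructed, and the check is a line-based scan rather than a full YAML parser.

```python
import re

MIN_VERSION = (6, 2)  # per the thread: selfsigned startup was introduced in Graylog 6.2
IMAGE_RE = re.compile(r'^\s*image:\s*["\']?(?P<ref>[^"\'\s#]+)', re.M)
VAR_RE = re.compile(r'^\$\{(?P<name>\w+)(?::?-(?P<default>[^}]*))?\}$')
FLAG_RE = re.compile(
    r'^\s*(?:-\s*)?["\']?GRAYLOG_SELFSIGNED_STARTUP\s*[:=]\s*["\']?(?P<val>[^"\'\s#]*)', re.M)

# Constructed sample, modelled on the compose snippet posted in the thread.
SAMPLE = '''\
services:
  datanode:
    image: "${DATANODE_IMAGE:-graylog/graylog-datanode:6.1}"
  graylog:
    image: "${GRAYLOG_IMAGE:-graylog/graylog:6.1}"
    environment:
      GRAYLOG_SELFSIGNED_STARTUP: "true"
'''

def resolve(ref, env):
    """Expand a whole-value ${VAR}, ${VAR-default} or ${VAR:-default} reference."""
    m = VAR_RE.match(ref)
    if not m:
        return ref
    # Simplification: an empty variable falls back to the default in both forms.
    return env.get(m['name']) or m['default'] or ''

def server_version(compose_text, env):
    """Return (major, minor) of the Graylog server image, or None if not found."""
    for m in IMAGE_RE.finditer(compose_text):
        repo, _, tag = resolve(m['ref'], env).rpartition(':')
        ver = re.match(r'(\d+)\.(\d+)', tag)
        # Skip mongodb and graylog-datanode images; only the server reads the flag.
        if repo.split('/')[-1] in ('graylog', 'graylog-enterprise') and ver:
            return int(ver[1]), int(ver[2])
    return None

def check(compose_text, env=None):
    """Return the reasons this compose file will not get selfsigned startup."""
    env = env or {}
    problems = []
    flag = FLAG_RE.search(compose_text)
    if not flag or flag['val'].lower() != 'true':
        problems.append('GRAYLOG_SELFSIGNED_STARTUP is not set to true')
    version = server_version(compose_text, env)
    if version is None:
        problems.append('no graylog server image with a major.minor tag found')
    elif version < MIN_VERSION:
        problems.append('server image is %d.%d, selfsigned startup needs 6.2 or later' % version)
    return problems
```

Pass the contents of the compose file as `compose_text` and the values from `.env` as the `env` dict; an empty list means both conditions hold.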