Splunk User Behavior Analytics

Why is there UBA docker problem after changing IP?

philwong
Explorer

I had to change my UBA instance IP because of an infra change.
After the IP change was done, part of UBA couldn't be brought up again.

I did a health check and found it's jammed by the docker sock.

Does anyone have experience with how to fix it? I saw some solutions like adding the user to the `/var/run/docker.sock` permission group. But I'm curious, since user "caspida" is already permitted to sudo ALL commands. So is that the problem?

In addition, all the configuration I can see is per hostname. Not sure why an IP change would cause a problem.

I'm running the single-instance version 5.2.

```
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
```


philwong
Explorer

Thanks @sherma for such a comprehensive guide!

I still couldn't bring up my UBA again, so I finally restored from a VM snapshot and installed UBA again.
I wonder if my new network address clashed with the docker network interface, but I'm not 100% sure.

Anyone who hits the same problem may refer to this guide as well:
https://docs.splunk.com/Documentation/UBA/5.2.0/Admin/ChangeDockerIP


sherma
Splunk Employee

Hello @philwong,

I understand that you're facing issues after changing the IP of your UBA (User and Entity Behavior Analytics) instance due to infrastructure changes. It seems that a part of the UBA is not coming up properly, and you've identified that this might be due to a jammed state related to the Docker socket (`docker.sock`). While you've come across solutions suggesting adding the user to the `/var/run/docker.sock` permission group, you've also mentioned that the user "caspida" already has permission to execute all commands using `sudo`. This raises questions about whether this could be the root cause of the issue.

Additionally, you've noted that all configurations seem to be tied to the hostname rather than the IP, which makes you uncertain about why changing the IP would lead to these problems.

Considering your situation, here are some steps you might want to explore:

1. Follow Official Documentation: First and foremost, I recommend referring to the official documentation for changing IP in UBA, which can be found here: https://docs.splunk.com/Documentation/UBA/5.2.0/Admin/ChangeIP. This document should provide comprehensive guidance on handling IP changes.

2. Stop UBA Components: Before proceeding with any changes, ensure that you stop all UBA components by executing the following command:

```shell
/opt/caspida/bin/Caspida stop-all
```

3. Change IP: Use the provided utility script to change the IP:

```shell
/opt/caspida/bin/utils/change-uba-network-address.sh -s <old-ip> <new-ip>
```

If your UBA instance was running the UI on the old IP, consider recreating SSL certificates for the web server after the IP change using:

```shell
/opt/caspida/bin/CaspidaCert.sh
```

4. Containerization Setup: It seems you've identified the use of containerization in your UBA setup. To address the Docker socket issue, try the following steps:

```shell
/opt/caspida/bin/Caspida remove-containerization
/opt/caspida/bin/Caspida setup-containerization
/opt/caspida/bin/Caspida start-containers
```

5. Restart UBA Components: Finally, restart the UBA components:

```shell
/opt/caspida/bin/Caspida start-all
```

These steps should help in resolving the issue you're facing after changing the IP of your UBA instance. However, if the problem persists, it might be worth considering reaching out to UBA support for more personalized assistance based on your specific setup and configuration.
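The thread leaves two things to check before re-running the containerization steps: whether the `docker.sock` error is really a permission problem (the caspida user having sudo does not help a process that opens the socket without sudo), and whether the new host address range collides with Docker's bridge subnet, which is the clash the original poster suspected. The script below is an added, read-only diagnostic written for this thread; it is not part of UBA, the Splunk docs, or either poster's steps. It assumes a Linux host with GNU `stat`, the default socket path `/var/run/docker.sock`, and the standard `docker network inspect bridge` command; the CIDR values used in the example call at the bottom are constructed.

```shell
#!/bin/sh
# Added diagnostic example for the docker.sock / IP-change symptoms discussed above.
# Not UBA code and not from the Splunk documentation; all checks are read-only.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network address (as an integer) of a CIDR such as 172.17.0.0/16.
cidr_network() {
  local ip="${1%/*}" bits="${1#*/}"
  local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  echo $(( $(ip_to_int "$ip") & mask ))
}

# Return 0 when two CIDRs overlap, 1 otherwise.
# Two prefixes overlap exactly when they agree on the shorter prefix length.
cidr_overlap() {
  local a="$1" b="$2"
  local abits="${a#*/}" bbits="${b#*/}"
  local bits=$(( abits < bbits ? abits : bbits ))
  local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "${a%/*}") & mask )) -eq $(( $(ip_to_int "${b%/*}") & mask )) ]
}

# Distinguish "daemon not running" from "socket present but not writable by me".
# Exit codes: 0 usable, 1 no socket, 2 socket exists but the caller lacks access.
docker_socket_check() {
  local sock="${1:-/var/run/docker.sock}"
  if [ ! -S "$sock" ]; then
    echo "no socket at $sock: the docker daemon is not running (or uses another path)"
    return 1
  fi
  if [ ! -w "$sock" ]; then
    echo "socket $sock exists but $(id -un) cannot write to it (owner:group $(stat -c '%U:%G' "$sock"))"
    return 2
  fi
  echo "socket $sock is present and writable by $(id -un)"
  return 0
}

# Compare the host's new address range with Docker's bridge subnet.
# Uses a real docker CLI template; only meaningful on a host where docker runs.
docker_bridge_clash_check() {
  local host_cidr="$1" bridge
  command -v docker >/dev/null 2>&1 || { echo "docker CLI not found, skipping bridge check"; return 0; }
  bridge=$(docker network inspect bridge --format '{{range .IPAM.Config}}{{.Subnet}}{{end}}' 2>/dev/null) || {
    echo "could not query the bridge network (daemon down or no access)"; return 0; }
  if cidr_overlap "$host_cidr" "$bridge"; then
    echo "CLASH: host range $host_cidr overlaps docker bridge $bridge"
    return 1
  fi
  echo "host range $host_cidr does not overlap docker bridge $bridge"
  return 0
}

# Example run (constructed CIDR): only executed when the script is run directly.
if [ "${0##*/}" = "uba-docker-diag.sh" ]; then
  docker_socket_check
  docker_bridge_clash_check "172.17.20.0/24"
fi
```

Run it as the caspida user, not via sudo, so the socket check reflects the identity that actually opens the socket. A result of `2` points at the group-membership fix mentioned in the question; a result of `1` means the daemon itself is down and the `setup-containerization` / `start-containers` sequence is the relevant step. A reported clash is the case covered by the ChangeDockerIP page linked above.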
