Configuring KESL container
KESL container settings are initialized in several ways:
- By default (unless otherwise specified).
- From the configuration file. In this case, the values from the configuration file have a higher priority than the default values.
- From environment variables passed to the KESL container upon startup. Environment variables have a higher priority than the settings from the configuration file.
- In the scan request body. The settings in the request body have the highest priority, but they are valid only within a single request.
KESL container settings
KESL container settings and their default values are described in the following table.
KESL container settings
Setting description | Available values | Default value |
---|---|---|
Port for listening to REST API | | 8085 |
Event severity level | | noset |
Authorization key | If the | |
Activation code or key file | To activate a KESL container using an activation code, when running the KESL container specify the activation code in the configuration file or pass the activation code in an environment variable: To activate a KESL container using a key file, when running the KESL container specify the key file in the configuration file or pass the key file in an environment variable: To activate a KESL container using a key file, the /root/kesl-service/keys mount point is required. | |
Additional scan settings | The optional where | |
Additional update settings | The optional where | |
Update the application databases when KESL container starts | By default, the application databases are downloaded to the /var/opt/kaspersky/kesl/private/updates directory when the KESL container is started. To implement the joint operation of several KESL containers with one instance of the application databases and to speed up the launch of the KESL container, it is recommended to move this directory to the device where the KESL container is installed by means of mounting: | True |
Do not process the image if it already exists in the target repository. | | False |
Maximum time to wait for application commands to run, in seconds | | 600 |
Maximum time to wait for application database update tasks to run, in seconds | | 600 |
Name of the settings configuration file. | | kesl-service.config |
Environment variables
The following environment variables can be used to configure a KESL container:
- KRAS4D_PORT – port for listening to REST API.
- KRAS4D_LOGLEVEL – event severity level.
- KRAS4D_XAPIKEY – request authorization key.
- KRAS4D_ACTIVATION – activation code or key file name.
- KRAS4D_SCANOPTIONS – additional scan settings.
- KRAS4D_UPDATEOPTIONS – additional update settings.
- KRAS4D_FORCEUPDATE – update the application databases when KESL container starts.
- KRAS4D_SKIPIMAGEIFEXISTS – do not process the image if it already exists in the target repository.
- KRAS4D_GENERALTIMEOUT – maximum time to wait for application commands to run.
- KRAS4D_UPDTASKTIMEOUT – maximum time to wait for application database update tasks to run.
- KRAS4D_CFGNAME – name of the KESL container configuration file.
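The precedence rules from the top of this page (default, configuration file, environment variable, request body), worked through as an added Python example; it is not Kaspersky's code. The `resolve` and `audit` helpers, the string coercion rules and the reuse of configuration-file key names in the request body are assumptions made for illustration.

```python
# Added example: models the four-layer settings precedence described on this page.
# Defaults and KRAS4D_* names come from the page's tables; the string coercion
# rules and the request-body key names are assumptions.
DEFAULTS = {  # defaults from the settings table
    "port": 8085, "loglevel": "noset", "xapikey": None,
    "forceupdate": True, "generaltimeout": 600, "updtasktimeout": 600,
}

def _coerce(key, raw):
    """Cast an environment string to the type of the setting's default."""
    default = DEFAULTS[key]
    if isinstance(default, bool):  # test bool before int: bool is an int subclass
        return raw.strip().lower() == "true"
    if isinstance(default, int):
        return int(raw)
    return raw

def resolve(config_file=None, environ=None, request_body=None):
    """Return {setting: (value, source)}; later layers override earlier ones."""
    effective = {key: (value, "default") for key, value in DEFAULTS.items()}
    for key, value in (config_file or {}).items():
        if key in DEFAULTS:
            effective[key] = (value, "config file")
    for key in DEFAULTS:
        name = "KRAS4D_" + key.upper()
        if name in (environ or {}):
            effective[key] = (_coerce(key, environ[name]), "environment")
    for key, value in (request_body or {}).items():
        if key in DEFAULTS:
            effective[key] = (value, "request body")
    return effective

def audit(effective):
    """Flag authorization-key conditions worth reviewing before deployment."""
    value, source = effective["xapikey"]
    if value is None:
        return ["xapikey is not set"]
    if source == "environment":
        return ["xapikey comes from the environment; it is readable via container inspect"]
    return []

if __name__ == "__main__":
    # Constructed sample layers, not taken from a real deployment.
    cfg = {"port": 9000, "loglevel": "info", "xapikey": "example-key"}
    env = {"KRAS4D_PORT": "9443", "KRAS4D_FORCEUPDATE": "False"}
    for key, (value, source) in resolve(cfg, env, {"generaltimeout": 120}).items():
        print(f"{key:15} {value!r:15} {source}")
```

Because `resolve` keeps no state, the request-body override of `generaltimeout` applies to that one call only, which mirrors the single-request scope described above.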
Configuration file
The KESL container configuration file uses the YAML format. To read the settings from the file, mount the /root/kesl-service/config/ path on the device where the KESL container is installed, and specify the name of the configuration file if it differs from the default one. This lets you specify an individual configuration file for each set of KESL containers.
Example: starting a KESL container
The table below shows the configuration file settings and the corresponding environment variables.
Correspondence between the settings and the environment variables
Configuration file setting | Environment variable |
---|---|
Common section | |
port: <port for listening> | # KRAS4D_PORT=8085 |
sqlpath: <full path to the database file that contains scan results> | # KRAS4D_SQLPATH |
certdir: <path to the directory with registry certificates> | # KRAS4D_CERTDIR |
keypath: <path to the directory with license keys> | # KRAS4D_KEYPATH |
tmppath: <full path to the temporary directory> | # KRAS4D_TMPPATH |
logpath: <full path to the event log> | # KRAS4D_LOGPATH |
loglevel: [noset|debug|info|warning|error|critical] | # KRAS4D_LOGLEVEL |
Control section | |
xapikey: <request authorization key> | # KRAS4D_XAPIKEY=None |
forceupdate: <forced database update at container start [True|False]> | # KRAS4D_FORCEUPDATE |
activation: <activation code or key file name from /root/kesl-service/config/> | # KRAS4D_ACTIVATION |
detectaction: [delete|skip] | # KRAS4D_DETECTACTION |
scanoptions: <scan settings [ScanArchived=yes ScanSfxArchived=yes ...]> | # KRAS4D_SCANOPTIONS |
skipimageifexist: <do not scan the image if it already exists on the server to which the scanned image is to be copied> | # KRAS4D_SKIPIMAGEIFEXIST |
generaltimeout: <maximum time to wait for application commands to run> | # KRAS4D_GENERALTIMEOUT |
updtasktimeout: <maximum time to wait for application database update tasks to run> | # KRAS4D_UPDTASKTIMEOUT |
Repositories section | |
<server>:<port>: address and port of the image registry that requires authorization when requesting for verification. | |
Credentials subsection | |
user: user name for authorization in the image registry | |
pass: password for authorization in the image registry | |
Example of a configuration file
Available mount points
The following mount points are available for working with the KESL container:
- /root/kesl-service/data/scans.sqlite – path to the database file that contains scan results.
- /var/opt/kaspersky/kesl/private/updates – path to the application databases.
- /root/kesl-service/certificates – path to the directory that contains repository certificates.
- /root/kesl-service/keys – path to the directory that contains license keys.
- /var/log/kaspersky/ – path to the directory that contains event logs.
- /root/kesl-service/config/ – path to the configuration files.
- /var/lib/containers/vfs-storage – required mount point for the Podman utility to work correctly.