Orchestrator Maintenance

should I be running docker prune commands regularly on my Orchestrator? If so, how frequent and what prunes? image, container, volume, network?
What other maintenance should be run to keep it running smooth.

Hi @brandon_mcclure,

The main use case for running a prune would be to clean up action containers for plugins that are no longer in use by active workflows. While trigger containers are actively managed by the orchestrator, action containers are not so if a workflow had plugins that were updated the containers for the prior version of the plugin (actions) would not be removed. To clean these up, you could do the following:

  1. Stop the orchestrator service: sudo systemctl stop rapid7-orchestrator
  2. Stop the docker service: sudo systemctl stop docker
  3. Start the orchestrator service: sudo systemctl start rapid7-orchestrator
  4. Once the orchestrator service is started, prune containers/images: sudo docker system prune --all

The --all flag here will also prune images that aren’t associated with containers. If there were any containers that had not started yet (perhaps the action hadn’t been needed by an active workflow yet), they will be cleaned up but will be downloaded and started by the orchestrator the next time that they’re needed.

The frequency with which this should be done is pretty subjective. If you are plugins that are frequently updated, then perhaps once a month or ever other month would be fine. The determining factor there would be storage space and resource availability on the orchestrator. Doing the above steps without the docker prune would solve for CPU/Memory utilization by containers that are no longer in use. The docker prune would mostly be to free some storage space.

Other than that, the orchestrator will do its thing without much maintenance (even the above steps would be optional for many users). Logs for the orchestrator are rotated by the system so that is also taken care of for you. On OVA installations, updates to the orchestrator package and security updates are checked for nightly (via cron), so the system should stay up to date. If you’re running on a script install, I would recommend periodically checking for updates via whatever mechanism your organization has in place for management of Linux systems. :slight_smile:

Hope that helps!

1 Like