wazuh / wazuh-indexer

Wazuh indexer, the Wazuh search engine
https://opensearch.org/docs/latest/opensearch/index/
Apache License 2.0

[BUG] Wazuh indexer error when used with service on rhel-based systems #340

Closed fcaffieri closed 1 month ago

fcaffieri commented 1 month ago

Describe the bug

After analyzing the following issue https://github.com/wazuh/wazuh-jenkins/issues/6821, a problem was detected with the sysv service in the wazuh indexer packages for 4.9.0.

Evidence:

OS: RedHat9
Wazuh Version: 4.9.0

[root@stack-redhat9 vagrant]# uname -a
Linux stack-redhat9 5.14.0-362.8.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Oct 3 11:12:36 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux
[root@stack-redhat9 vagrant]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.9.0"
WAZUH_REVISION="40903"
WAZUH_TYPE="server"
[root@stack-redhat9 vagrant]#

Testing with systemctl:

[root@stack-redhat9 vagrant]# systemctl status wazuh-indexer
● wazuh-indexer.service - wazuh-indexer
 Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: disabled)
 Active: active (running) since Wed 2024-07-31 20:43:55 UTC; 30min ago

Tests with service:

[root@stack-redhat9 vagrant]# service wazuh-indexer status
The wazuh-indexer startup script does not exist or it is not executable, tried: /usr/share/wazuh-indexer/bin/wazuh-indexer
[root@stack-redhat9 vagrant]#

Then if we perform the same test but with a 4.8.1 package we obtain the following:

OS: RedHat9
Wazuh Version: 4.8.1

[root@stack-redhat9-2 vagrant]# uname -a
Linux stack-redhat9-2 5.14.0-362.8.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Oct 3 11:12:36 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux
[root@stack-redhat9-2 vagrant]# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.1"
WAZUH_REVISION="40817"
WAZUH_TYPE="server"
[root@stack-redhat9-2 vagrant]#

Testing with systemctl:

[root@stack-redhat9-2 vagrant]# systemctl status wazuh-indexer
● wazuh-indexer.service – Wazuh-indexer
 Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: disabled)
 Active: active (running) since Wed 2024-07-31 21:22:40 UTC; 4min 14s ago

Tests with service:

[root@stack-redhat9-2 vagrant]# service wazuh-indexer status
Redirecting to /bin/systemctl status wazuh-indexer.service
● wazuh-indexer.service – Wazuh-indexer
 Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: disabled)
 Active: active (running) since Wed 2024-07-31 21:22:40 UTC; 4min 25s ago

To Reproduce

Steps to reproduce the behavior:

  1. Install Wazuh components version 4.9.0 on RedHat9 OS.
  2. Execute the command service wazuh-indexer status
  3. It will be displayed that the command does not work.

Expected behavior

It is possible to execute the start, stop and status actions with both systemd and sysv.

Screenshots

See description

Host/Environment (please complete the following information):

f-galland commented 1 month ago

It seems we are including a /etc/init.d/wazuh-indexer file in rpm packages for 4.9.0 that wasn't previously present. If we remove the file, the issue goes away:

[root@rhel9 ~]# service wazuh-indexer status
The wazuh-indexer startup script does not exists or it is not executable, tried: 

[root@rhel9 ~]# rm /etc/init.d/wazuh-indexer
rm: remove regular file '/etc/init.d/wazuh-indexer'? y

[root@rhel9 ~]# service wazuh-indexer status
Redirecting to /bin/systemctl status wazuh-indexer.service
● wazuh-indexer.service - wazuh-indexer
     Loaded: loaded (/usr/lib/systemd/system/wazuh-indexer.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-08-01 15:36:17 -03; 19min ago
       Docs: https://documentation.wazuh.com
   Main PID: 9323 (java)
      Tasks: 80 (limit: 50497)
     Memory: 1.4G
        CPU: 35.304s
     CGroup: /system.slice/wazuh-indexer.service
             └─9323 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch>

Aug 01 15:36:11 rhel9 systemd-entrypoint[9323]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensea>
Aug 01 15:36:11 rhel9 systemd-entrypoint[9323]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
Aug 01 15:36:11 rhel9 systemd-entrypoint[9323]: WARNING: System::setSecurityManager will be removed in a future release
Aug 01 15:36:11 rhel9 systemd-entrypoint[9323]: Aug 01, 2024 3:36:11 PM sun.util.locale.provider.LocaleProviderAdapter <clinit>
Aug 01 15:36:11 rhel9 systemd-entrypoint[9323]: WARNING: COMPAT locale provider will be removed in a future release
Aug 01 15:36:11 rhel9 systemd-entrypoint[9323]: WARNING: A terminally deprecated method in java.lang.System has been called
Aug 01 15:36:11 rhel9 systemd-entrypoint[9323]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearc>
Aug 01 15:36:11 rhel9 systemd-entrypoint[9323]: WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
Aug 01 15:36:11 rhel9 systemd-entrypoint[9323]: WARNING: System::setSecurityManager will be removed in a future release
Aug 01 15:36:17 rhel9 systemd[1]: Started wazuh-indexer.

I'm working on removing the file from rpm packages.
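The packaging state described in the comment above can be checked with a small script. This is an added example, not part of the thread or of the Wazuh packages; the function names and state labels are hypothetical, and the launch target is the path quoted in the error message in the issue description.

```shell
#!/bin/sh
# Added example. ROOT is a tree prefix so the check can run against a
# constructed directory; pass "" to inspect the live system.

# check_sysv_shadow ROOT SERVICE TARGET
# TARGET: executable the init script launches (the "tried:" path above).
check_sysv_shadow() {
    css_root=$1; css_svc=$2; css_target=$3
    css_unit=no
    for css_dir in usr/lib/systemd/system etc/systemd/system; do
        if [ -f "$css_root/$css_dir/$css_svc.service" ]; then css_unit=yes; fi
    done
    if [ ! -f "$css_root/etc/init.d/$css_svc" ]; then
        # No init script: `service` redirects to systemctl, as with 4.8.1.
        if [ "$css_unit" = yes ]; then echo systemd-only; else echo absent; fi
        return 0
    fi
    # An init script exists, so `service` runs it instead of redirecting.
    if [ -f "$css_root$css_target" ] && [ -x "$css_root$css_target" ]; then
        css_state=ok
    else
        css_state=broken
    fi
    if [ "$css_unit" = yes ]; then
        if [ "$css_state" = ok ]; then echo shadowed; else echo shadowed-broken; fi
    else
        if [ "$css_state" = ok ]; then echo sysv-only; else echo sysv-broken; fi
    fi
}

# Build a constructed tree: $1 = root, $2 = "with-init" adds the init script.
make_sample_tree() {
    mkdir -p "$1/usr/lib/systemd/system" "$1/etc/init.d"
    : > "$1/usr/lib/systemd/system/wazuh-indexer.service"
    if [ "$2" = with-init ]; then : > "$1/etc/init.d/wazuh-indexer"; fi
}

# Constructed sample layouts: "a" as reported for 4.9.0, "b" for 4.8.1.
demo_tmp=$(mktemp -d)
make_sample_tree "$demo_tmp/a" with-init
make_sample_tree "$demo_tmp/b" no-init
for demo_t in a b; do
    printf '%s: %s\n' "$demo_t" "$(check_sysv_shadow "$demo_tmp/$demo_t" \
        wazuh-indexer /usr/share/wazuh-indexer/bin/wazuh-indexer)"
done
rm -rf "$demo_tmp"
```

On a live host, pass an empty string as ROOT; `rpm -qf /etc/init.d/wazuh-indexer` then shows which package owns the init script.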

AlexRuiz7 commented 1 month ago

Removing a service file that OpenSearch uses looks like a risky move to me. We need to better understand this problem. I'm blocking the issue.