wazuh / wazuh-packages

Wazuh - Tools for packages creation
https://wazuh.com
GNU General Public License v2.0

ISM policy error in WIA AIO deployment #2781

Closed rauldpm closed 6 months ago

rauldpm commented 6 months ago

Description

Source issue: https://github.com/wazuh/wazuh/issues/21339

A problem was encountered when performing a 4.8.0 AIO deployment on Debian 12: an ISM policy could not be created.

WIA install output

```
oot@debian12agent:/home/vagrant# curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i
18/01/2024 14:29:02 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
18/01/2024 14:29:02 INFO: Verbose logging redirected to /var/log/wazuh-install.log
18/01/2024 14:29:04 INFO: --- Dependencies ----
18/01/2024 14:29:04 INFO: Installing gawk.
18/01/2024 14:29:06 WARNING: Hardware and system checks ignored.
18/01/2024 14:29:06 INFO: Wazuh web interface port will be 443.
18/01/2024 14:29:07 INFO: --- Dependencies ----
18/01/2024 14:29:07 INFO: Installing apt-transport-https.
18/01/2024 14:29:08 INFO: Installing software-properties-common.
18/01/2024 14:29:13 INFO: Installing gnupg.
18/01/2024 14:29:17 INFO: Wazuh development repository added.
18/01/2024 14:29:17 INFO: --- Configuration files ---
18/01/2024 14:29:17 INFO: Generating configuration files.
18/01/2024 14:29:18 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
18/01/2024 14:29:18 INFO: --- Wazuh indexer ---
18/01/2024 14:29:18 INFO: Starting Wazuh indexer installation.
18/01/2024 14:30:22 INFO: Wazuh indexer installation finished.
18/01/2024 14:30:22 INFO: Wazuh indexer post-install configuration finished.
18/01/2024 14:30:22 INFO: Starting service wazuh-indexer.
18/01/2024 14:30:30 INFO: wazuh-indexer service started.
18/01/2024 14:30:30 INFO: Initializing Wazuh indexer cluster security settings.
18/01/2024 14:33:05 WARNING: The Wazuh indexer cluster ISM policy could not be created.
18/01/2024 14:33:05 INFO: Wazuh indexer cluster initialized.
18/01/2024 14:33:05 INFO: --- Wazuh server ---
18/01/2024 14:33:05 INFO: Starting the Wazuh manager installation.
18/01/2024 14:34:04 INFO: Wazuh manager installation finished.
18/01/2024 14:34:04 INFO: Starting service wazuh-manager.
18/01/2024 14:34:19 INFO: wazuh-manager service started.
18/01/2024 14:34:19 INFO: Starting Filebeat installation.
18/01/2024 14:34:24 INFO: Filebeat installation finished.
18/01/2024 14:34:25 INFO: Filebeat post-install configuration finished.
18/01/2024 14:34:25 INFO: Starting service filebeat.
18/01/2024 14:34:25 INFO: filebeat service started.
18/01/2024 14:34:25 INFO: --- Wazuh dashboard ---
18/01/2024 14:34:25 INFO: Starting Wazuh dashboard installation.
18/01/2024 14:34:51 INFO: Wazuh dashboard installation finished.
18/01/2024 14:34:51 INFO: Wazuh dashboard post-install configuration finished.
18/01/2024 14:34:51 INFO: Starting service wazuh-dashboard.
18/01/2024 14:34:51 INFO: wazuh-dashboard service started.
18/01/2024 14:34:52 INFO: Updating the internal users.
18/01/2024 14:34:52 ERROR: The backup could not be created
```

Wazuh indexer cluster error

```
1-18T14:30:30,871][ERROR][o.o.p.c.o.OSGlobals ] [node-1] Error in static initialization of OSGlobals with exception: java.security.AccessControlException: access denied ("java.io.FilePermission" "/p>
java.security.AccessControlException: access denied ("java.io.FilePermission" "/proc/self/task" "read")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:485) ~[?:?]
    at java.security.AccessController.checkPermission(AccessController.java:1068) ~[?:?]
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:416) ~[?:?]
    at java.lang.SecurityManager.checkRead(SecurityManager.java:756) ~[?:?]
    at java.io.File.normalizedList(File.java:1171) ~[?:?]
    at java.io.File.listFiles(File.java:1269) ~[?:?]
    at org.opensearch.performanceanalyzer.commons.os.OSGlobals.enumTids(OSGlobals.java:75) ~[performance-analyzer-commons-1.1.0.jar:?]
    at org.opensearch.performanceanalyzer.commons.os.OSGlobals.(OSGlobals.java:34) [performance-analyzer-commons-1.1.0.jar:?]
    at org.opensearch.performanceanalyzer.commons.metrics_generator.linux.LinuxOSMetricsGenerator.getPid(LinuxOSMetricsGenerator.java:36) [performance-analyzer-commons-1.1.0.jar:?]
    at org.opensearch.performanceanalyzer.commons.jvm.ThreadList.(ThreadList.java:44) [performance-analyzer-commons-1.1.0.jar:?]
    at org.opensearch.performanceanalyzer.commons.util.ThreadIDUtil.getNativeThreadId(ThreadIDUtil.java:22) [performance-analyzer-commons-1.1.0.jar:?]
    at org.opensearch.performanceanalyzer.commons.util.ThreadIDUtil.getNativeCurrentThreadId(ThreadIDUtil.java:18) [performance-analyzer-commons-1.1.0.jar:?]
    at org.opensearch.performanceanalyzer.listener.PerformanceAnalyzerSearchListener.preQueryPhase(PerformanceAnalyzerSearchListener.java:112) [opensearch-performance-analyzer-2.10.0.0.jar:2.10.0.0]
    at org.opensearch.performanceanalyzer.listener.PerformanceAnalyzerSearchListener.onPreQueryPhase(PerformanceAnalyzerSearchListener.java:46) [opensearch-performance-analyzer-2.10.0.0.jar:2.10.0.0]
    at org.opensearch.index.shard.SearchOperationListener$CompositeListener.onPreQueryPhase(SearchOperationListener.java:162) [opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.search.SearchService$SearchOperationListenerExecutor.(SearchService.java:1746) [opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.search.SearchService$SearchOperationListenerExecutor.(SearchService.java:1735) [opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.search.SearchService.executeQueryPhase(SearchService.java:596) [opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.search.SearchService$2.lambda$onResponse$0(SearchService.java:566) [opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.action.ActionRunnable.lambda$supply$0(ActionRunnable.java:74) [opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.action.ActionRunnable$2.doRun(ActionRunnable.java:89) [opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52) [opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.threadpool.TaskAwareRunnable.doRun(TaskAwareRunnable.java:78) [opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52) [opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.common.util.concurrent.TimedRunnable.doRun(TimedRunnable.java:59) [opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:908) [opensearch-2.10.0.jar:2.10.0]
    at org.opensearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:52) [opensearch-2.10.0.jar:2.10.0]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
    at java.lang.Thread.run(Thread.java:833) [?:?]
```

WIA log error

```
18/01/2024 14:30:30 INFO: wazuh-indexer service started.
18/01/2024 14:30:30 INFO: Initializing Wazuh indexer cluster security settings.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
ERR: An unexpected ConnectException occured: Connection refused
Trace:
java.net.ConnectException: Connection refused
    at org.opensearch.client.RestClient.extractAndWrapCause(RestClient.java:954)
    at org.opensearch.client.RestClient.performRequest(RestClient.java:333)
    at org.opensearch.client.RestClient.performRequest(RestClient.java:321)
    at org.opensearch.security.tools.SecurityAdmin.execute(SecurityAdmin.java:573)
    at org.opensearch.security.tools.SecurityAdmin.main(SecurityAdmin.java:163)
Caused by: java.net.ConnectException: Connection refused
    at java.base/sun.nio.ch.Net.pollConnect(Native Method)
    at java.base/sun.nio.ch.Net.pollConnectNow(Net.java:672)
    at java.base/sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:946)
    at org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor.processEvent(DefaultConnectingIOReactor.java:174)
    at org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor.processEvents(DefaultConnectingIOReactor.java:148)
    at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor.execute(AbstractMultiworkerIOReactor.java:351)
    at org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager.execute(PoolingNHttpClientConnectionManager.java:221)
    at org.apache.http.impl.nio.client.CloseableHttpAsyncClientBase$1.run(CloseableHttpAsyncClientBase.java:64)
    at java.base/java.lang.Thread.run(Thread.java:833)
Will create 'wazuh' index template
ERROR: 'wazuh' template creation failed
Will create 'ism_history_indices' index template
ERROR: 'ism_history_indices' template creation failed
Will disable replicas for 'plugins.index_state_management.history' indices
ERROR: cluster's settings update failed
Will create index templates to configure the alias
ERROR: 'wazuh-alerts' template creation failed
ERROR: 'wazuh-archives' template creation failed
ERROR: Indexer ISM initialization failed. Check /tmp/wazuh-indexer/ism-init.log for more information.
```

Resource

System info

- Vagrant box: `debian/bookworm64`

```
root@debian12agent:/home/vagrant# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
```

Task

teddytpc1 commented 6 months ago

Update

I have tested it with a Debian 12 instance in AWS and with the same Vagrant box and was unable to reproduce the error:

AWS:

WIA install output

```LOG
curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i
18/01/2024 15:24:25 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
18/01/2024 15:24:25 INFO: Verbose logging redirected to /var/log/wazuh-install.log
18/01/2024 15:24:33 INFO: --- Dependencies ----
18/01/2024 15:24:33 INFO: Installing gawk.
18/01/2024 15:24:37 INFO: Installing lsof.
18/01/2024 15:24:39 WARNING: Hardware and system checks ignored.
18/01/2024 15:24:39 INFO: Wazuh web interface port will be 443.
18/01/2024 15:24:44 INFO: --- Dependencies ----
18/01/2024 15:24:44 INFO: Installing apt-transport-https.
18/01/2024 15:24:45 INFO: Installing software-properties-common.
18/01/2024 15:24:58 INFO: Installing gnupg.
18/01/2024 15:25:05 INFO: Wazuh development repository added.
18/01/2024 15:25:05 INFO: --- Configuration files ---
18/01/2024 15:25:05 INFO: Generating configuration files.
18/01/2024 15:25:08 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
18/01/2024 15:25:09 INFO: --- Wazuh indexer ---
18/01/2024 15:25:09 INFO: Starting Wazuh indexer installation.
18/01/2024 15:26:46 INFO: Wazuh indexer installation finished.
18/01/2024 15:26:46 INFO: Wazuh indexer post-install configuration finished.
18/01/2024 15:26:46 INFO: Starting service wazuh-indexer.
18/01/2024 15:27:11 INFO: wazuh-indexer service started.
18/01/2024 15:27:11 INFO: Initializing Wazuh indexer cluster security settings.
18/01/2024 15:27:25 INFO: The Wazuh indexer cluster ISM initialized.
18/01/2024 15:27:25 INFO: Wazuh indexer cluster initialized.
18/01/2024 15:27:25 INFO: --- Wazuh server ---
18/01/2024 15:27:25 INFO: Starting the Wazuh manager installation.
...
```

Vagrant:

WIA install output

```LOG
curl -sO https://packages-dev.wazuh.com/4.8/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i
18/01/2024 15:43:49 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
18/01/2024 15:43:49 INFO: Verbose logging redirected to /var/log/wazuh-install.log
18/01/2024 15:43:53 INFO: --- Dependencies ----
18/01/2024 15:43:53 INFO: Installing gawk.
18/01/2024 15:43:55 WARNING: Hardware and system checks ignored.
18/01/2024 15:43:55 INFO: Wazuh web interface port will be 443.
18/01/2024 15:43:58 INFO: --- Dependencies ----
18/01/2024 15:43:58 INFO: Installing apt-transport-https.
18/01/2024 15:43:59 INFO: Installing software-properties-common.
18/01/2024 15:44:08 INFO: Installing gnupg.
18/01/2024 15:44:16 INFO: Wazuh development repository added.
18/01/2024 15:44:16 INFO: --- Configuration files ---
18/01/2024 15:44:16 INFO: Generating configuration files.
18/01/2024 15:44:18 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
18/01/2024 15:44:18 INFO: --- Wazuh indexer ---
18/01/2024 15:44:18 INFO: Starting Wazuh indexer installation.
18/01/2024 15:46:40 INFO: Wazuh indexer installation finished.
18/01/2024 15:46:40 INFO: Wazuh indexer post-install configuration finished.
18/01/2024 15:46:40 INFO: Starting service wazuh-indexer.
18/01/2024 15:47:07 INFO: wazuh-indexer service started.
18/01/2024 15:47:07 INFO: Initializing Wazuh indexer cluster security settings.
18/01/2024 15:47:20 INFO: The Wazuh indexer cluster ISM initialized.
18/01/2024 15:47:20 INFO: Wazuh indexer cluster initialized.
18/01/2024 15:47:20 INFO: --- Wazuh server ---
18/01/2024 15:47:20 INFO: Starting the Wazuh manager installation.
...
```

Wazuh indexer service status

```LOG
systemctl status wazuh-indexer
● wazuh-indexer.service - Wazuh-indexer
     Loaded: loaded (/lib/systemd/system/wazuh-indexer.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-01-18 15:47:07 UTC; 1h 39min ago
       Docs: https://documentation.wazuh.com
   Main PID: 4759 (java)
      Tasks: 73 (limit: 2308)
     Memory: 1.3G
        CPU: 4min 27.297s
     CGroup: /system.slice/wazuh-indexer.service
             └─4759 /usr/share/wazuh-indexer/jdk/bin/java -Xshare:auto -Dopensearch.networkaddress.cache.ttl=60 -Dopensearch.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.h
```
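
The step timings in the installation logs quoted in this thread can be compared mechanically. The following is an added example, not part of the issue or of Wazuh's tooling: it parses WIA log lines, reports how many seconds passed between each line and the next, and lists the WARNING/ERROR entries. The log excerpts are copied from the failing run and the AWS run above; the names `parse` and `triage` are hypothetical.

```python
import re
from datetime import datetime

# Excerpts copied from the failing run and the AWS run quoted in this issue.
FAILING = """\
18/01/2024 14:30:22 INFO: Starting service wazuh-indexer.
18/01/2024 14:30:30 INFO: wazuh-indexer service started.
18/01/2024 14:30:30 INFO: Initializing Wazuh indexer cluster security settings.
18/01/2024 14:33:05 WARNING: The Wazuh indexer cluster ISM policy could not be created.
18/01/2024 14:33:05 INFO: Wazuh indexer cluster initialized.
"""
PASSING = """\
18/01/2024 15:26:46 INFO: Starting service wazuh-indexer.
18/01/2024 15:27:11 INFO: wazuh-indexer service started.
18/01/2024 15:27:11 INFO: Initializing Wazuh indexer cluster security settings.
18/01/2024 15:27:25 INFO: The Wazuh indexer cluster ISM initialized.
18/01/2024 15:27:25 INFO: Wazuh indexer cluster initialized.
"""

LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (INFO|WARNING|ERROR): (.*)$")

def parse(log):
    """Return (timestamp, level, message) for every well-formed WIA line."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:  # continuation lines such as Java stack frames are skipped
            ts = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def triage(log):
    """Seconds from each line to the next one, plus all non-INFO lines."""
    events = parse(log)
    durations = {}  # keyed by message; a repeated message keeps its last gap
    for (ts, _, msg), (nxt, _, _) in zip(events, events[1:]):
        durations[msg] = int((nxt - ts).total_seconds())
    problems = [(lvl, msg) for _, lvl, msg in events if lvl != "INFO"]
    return durations, problems

if __name__ == "__main__":
    for name, log in (("failing", FAILING), ("passing", PASSING)):
        durations, problems = triage(log)
        print(name, problems)
        for step, secs in durations.items():
            print(f"  {secs:4d}s  {step}")
```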