SPIKE - Wazuh Docker #1624
Description

I've been looking into separating the Dockerfiles from the Docker images of each of the components of the Wazuh stack. By making a few changes it is possible to generate them. The deployment has been tested and works without problems:

Wazuh manager

$ docker build -t wazuh/wazuh-manager:4.9.2 .
[+] Building 145.1s (24/24) FINISHED
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 2.42kB 0.0s
=> [internal] load metadata for docker.io/library/amazonlinux:2023 3.1s
=> [auth] library/amazonlinux:pull token for registry-1.docker.io 0.0s
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> [14/17] ADD https://raw.githubusercontent.com/wazuh/wazuh/v4.9.2/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat 0.0s
=> [ 1/17] FROM docker.io/library/amazonlinux:2023@sha256:6c2c3bb2ce484e8496c83bd672a62528406b96c74594b195f70dc3d7b420c296 14.3s
=> => resolve docker.io/library/amazonlinux:2023@sha256:6c2c3bb2ce484e8496c83bd672a62528406b96c74594b195f70dc3d7b420c296 0.1s
=> => sha256:6c2c3bb2ce484e8496c83bd672a62528406b96c74594b195f70dc3d7b420c296 2.38kB / 2.38kB 0.0s
=> => sha256:896212a6eb4bac05279a901518ced7b04623652be4aed944e5a3f63fed0ec981 1.02kB / 1.02kB 0.0s
=> => sha256:77424cbe957ca5d9b174abd840881380567113c8e42acebdb0bd698b5dcdf166 575B / 575B 0.0s
=> => sha256:46453255c2f610c1cb9c8197635e6d542bbd326425a9898df0de76e5bb566461 52.38MB / 52.38MB 3.3s
=> => extracting sha256:46453255c2f610c1cb9c8197635e6d542bbd326425a9898df0de76e5bb566461 10.7s
=> [internal] load build context 0.1s
=> => transferring context: 27.79kB 0.0s
=> [ 2/17] RUN rm /bin/sh && ln -s /bin/bash /bin/sh 1.6s
=> [ 3/17] RUN yum install curl-minimal xz gnupg tar gzip openssl findutils procps -y && yum clean all 17.3s
=> [ 4/17] COPY config/check_repository.sh / 0.2s
=> [ 5/17] COPY config/filebeat_module.sh / 0.1s
=> [ 6/17] COPY config/permanent_data.env config/permanent_data.sh / 0.1s
=> [ 7/17] RUN chmod 775 /check_repository.sh 0.4s
=> [ 8/17] RUN source /check_repository.sh 1.4s
=> [ 9/17] RUN yum install wazuh-manager-4.9.2-1 -y && yum clean all && chmod 775 /filebeat_module.sh && source /filebeat_module.sh && rm /filebeat_module.sh & 96.3s
=> [10/17] COPY config/etc/ /etc/ 0.1s
=> [11/17] COPY --chown=root:wazuh config/create_user.py /var/ossec/framework/scripts/create_user.py 0.2s
=> [12/17] COPY config/filebeat.yml /etc/filebeat/ 0.1s
=> [13/17] RUN chmod go-w /etc/filebeat/filebeat.yml 0.5s
=> [14/17] ADD https://raw.githubusercontent.com/wazuh/wazuh/v4.9.2/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat 0.1s
=> [15/17] RUN chmod go-w /etc/filebeat/wazuh-template.json 0.4s
=> [16/17] RUN mkdir -p /var/ossec/var/multigroups && chown root:wazuh /var/ossec/var/multigroups && chmod 770 /var/ossec/var/multigroups && mkdir -p /var/ossec/age 1.5s
=> [17/17] RUN rm /etc/yum.repos.d/wazuh.repo 0.5s
=> exporting to image 6.3s
=> => exporting layers 6.2s
=> => writing image sha256:2e96d7e9c374afcb8b3b07d3aa0b9ba76a62d860dfe93569eda2bb2ae2d1b96e 0.0s
=> => naming to docker.io/wazuh/wazuh-manager:4.9.2

Wazuh indexer

$ docker build -t wazuh/wazuh-indexer:4.9.2 .
[+] Building 118.6s (33/33) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 2.77kB 0.0s
=> [internal] load metadata for docker.io/library/amazonlinux:2023 0.8s
=> [internal] load .dockerignore 0.1s
=> => transferring context: 2B 0.0s
=> CACHED [builder 1/13] FROM docker.io/library/amazonlinux:2023@sha256:6c2c3bb2ce484e8496c83bd672a62528406b96c74594b195f70dc3d7b420c296 0.0s
=> [internal] load build context 0.1s
=> => transferring context: 19.34kB 0.0s
=> [stage-1 2/16] RUN yum install curl-minimal shadow-utils findutils hostname -y 22.6s
=> [builder 2/13] RUN yum install curl-minimal openssl xz tar findutils shadow-utils -y 13.3s
=> [builder 3/13] COPY config/check_repository.sh / 0.2s
=> [builder 4/13] RUN chmod 775 /check_repository.sh && source /check_repository.sh 1.1s
=> [builder 5/13] RUN yum install wazuh-indexer-4.9.2-1 -y && yum clean all 77.1s
=> [stage-1 3/16] RUN getent group wazuh-indexer || groupadd -r -g 1000 wazuh-indexer 0.6s
=> [stage-1 4/16] RUN useradd --system --uid 1000 --no-create-home --home-dir /usr/share/wazuh-indexer --gid wazuh-indexer 1.9s
=> [stage-1 5/16] WORKDIR /usr/share/wazuh-indexer 0.4s
=> [stage-1 6/16] COPY config/entrypoint.sh / 0.3s
=> [stage-1 7/16] COPY config/securityadmin.sh / 0.3s
=> [stage-1 8/16] RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh 1.1s
=> [stage-1 9/16] RUN chown 1000:1000 /*.sh 1.1s
=> [builder 6/13] COPY config/opensearch.yml / 0.1s
=> [builder 7/13] COPY config/config.sh . 0.1s
=> [builder 8/13] COPY config/config.yml / 0.1s
=> [builder 9/13] COPY config/action_groups.yml / 0.1s
=> [builder 10/13] COPY config/internal_users.yml / 0.1s
=> [builder 11/13] COPY config/roles_mapping.yml / 0.1s
=> [builder 12/13] COPY config/roles.yml / 0.1s
=> [builder 13/13] RUN bash config.sh 4.2s
=> [stage-1 10/16] COPY --from=builder --chown=1000:1000 /usr/share/wazuh-indexer /usr/share/wazuh-indexer 2.5s
=> [stage-1 11/16] COPY --from=builder --chown=1000:1000 /etc/wazuh-indexer /usr/share/wazuh-indexer 0.1s
=> [stage-1 12/16] COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd 0.1s
=> [stage-1 13/16] COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d 0.2s
=> [stage-1 14/16] COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d 0.2s
=> [stage-1 15/16] RUN chown -R 1000:1000 /usr/share/wazuh-indexer 7.7s
=> [stage-1 16/16] RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/waz 0.6s
=> exporting to image 5.0s
=> => exporting layers 5.0s
=> => writing image sha256:a110f44fbd70f5af2ba38be179269803a65f378cb7b44625fc8e3f4b6b4c91c6 0.0s
=> => naming to docker.io/wazuh/wazuh-indexer:4.9.2

Wazuh dashboard

$ docker build -t wazuh/wazuh-dashboard:4.9.2 .
[+] Building 147.4s (30/30) FINISHED
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 3.23kB 0.0s
=> [internal] load metadata for docker.io/library/amazonlinux:2023 1.7s
=> [auth] library/amazonlinux:pull token for registry-1.docker.io 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build context 0.1s
=> => transferring context: 10.19kB 0.0s
=> CACHED [builder 1/12] FROM docker.io/library/amazonlinux:2023@sha256:6c2c3bb2ce484e8496c83bd672a62528406b96c74594b195f70dc3d7b420c296 0.0s
=> [stage-1 2/13] RUN yum install shadow-utils -y 21.8s
=> [builder 2/12] RUN yum install curl-minimal libcap openssl -y 10.5s
=> [builder 3/12] COPY config/check_repository.sh / 0.2s
=> [builder 4/12] RUN chmod 775 /check_repository.sh && source /check_repository.sh 1.1s
=> [builder 5/12] RUN yum install wazuh-dashboard-4.9.2-1 -y && yum clean all 66.5s
=> [stage-1 3/13] RUN getent group wazuh-dashboard || groupadd -r -g 1000 wazuh-dashboard 0.7s
=> [stage-1 4/13] RUN useradd --system --uid 1000 --no-create-home --home-dir /usr/share/wazuh-dashboard --gid wazuh-dashboard 0.5s
=> [stage-1 5/13] COPY config/entrypoint.sh / 0.1s
=> [stage-1 6/13] COPY config/wazuh_app_config.sh / 0.1s
=> [stage-1 7/13] RUN chmod 700 /entrypoint.sh 0.7s
=> [stage-1 8/13] RUN chmod 700 /wazuh_app_config.sh 0.8s
=> [stage-1 9/13] RUN chown 1000:1000 /*.sh 0.8s
=> [builder 6/12] RUN mkdir -p /usr/share/wazuh-dashboard/data/wazuh && chmod -R 775 /usr/share/wazuh-dashboard/data/wazuh 0.4s
=> [builder 7/12] RUN mkdir -p /usr/share/wazuh-dashboard/data/wazuh/config && chmod -R 775 /usr/share/wazuh-dashboard/data/wazuh/config 0.4s
=> [builder 8/12] RUN mkdir -p /usr/share/wazuh-dashboard/data/wazuh/logs && chmod -R 775 /usr/share/wazuh-dashboard/data/wazuh/logs 0.4s
=> [builder 9/12] COPY config/wazuh.yml /usr/share/wazuh-dashboard/data/wazuh/config/ 0.1s
=> [builder 10/12] COPY config/config.sh . 0.1s
=> [builder 11/12] COPY config/config.yml / 0.1s
=> [builder 12/12] RUN bash config.sh 2.8s
=> [stage-1 10/13] COPY --from=builder --chown=1000:1000 /usr/share/wazuh-dashboard /usr/share/wazuh-dashboard 42.4s
=> [stage-1 11/13] RUN mkdir -p /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom 0.4s
=> [stage-1 12/13] RUN chown 1000:1000 /usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom 0.4s
=> [stage-1 13/13] WORKDIR /usr/share/wazuh-dashboard 0.1s
=> exporting to image 8.7s
=> => exporting layers 8.7s
=> => writing image sha256:f1ef95f13668c0f7a7bb4a102d46f3682277b1f6114e9dfbadc87013af4f611b 0.0s
=> => naming to docker.io/wazuh/wazuh-dashboard:4.9.2

Regarding the details of the spike, I have doubts regarding the modification of the build of the images, which requires several changes and, in many cases, adding functionalities that are not currently contemplated and that are necessary to be able to deploy the integrations that Wazuh currently has developed.

I've been looking at the options we have with AWS ECR, both with a public and a private repository: what permissions are required for their use and for pushing images. I'm also looking at which options are best for Kubernetes tests, since a private repository can be accessed from EKS.
By performing several tests, it is possible to use private ECR registries in AWS. To use a private ECR repository in any VM where we are performing a test, it is necessary to have the AWS CLI installed (which we have in the VMs where we execute the GHA workflows), configure the keys of a user or assume a role with the necessary permissions, and then we can run the docker login command to obtain the login credentials of the private ECR registry. After obtaining the login credentials, we can do without the AWS CLI login.

Login to ECR:

$ aws ecr get-login-password --region us-west-1 | docker login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com
WARNING! Your password will be stored unencrypted in /home/vcerenu/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credential-stores
Login Succeeded

docker-compose.yml and deployment with images hosted in the ECR private registry:

$ cat docker-compose.yml
# Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
services:
wazuh.manager:
image: <account-id>.dkr.ecr.<region>.amazonaws.com/wazuh/wazuh-manager:4.9.2
hostname: wazuh.manager
restart: always
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 655360
hard: 655360
ports:
- "1514:1514"
- "1515:1515"
- "514:514/udp"
- "55000:55000"
environment:
- INDEXER_URL=https://wazuh.indexer:9200
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=SecretPassword
- FILEBEAT_SSL_VERIFICATION_MODE=full
- SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
- SSL_CERTIFICATE=/etc/ssl/filebeat.pem
- SSL_KEY=/etc/ssl/filebeat.key
- API_USERNAME=wazuh-wui
- API_PASSWORD=MyS3cr37P450r.*-
volumes:
- wazuh_api_configuration:/var/ossec/api/configuration
- wazuh_etc:/var/ossec/etc
- wazuh_logs:/var/ossec/logs
- wazuh_queue:/var/ossec/queue
- wazuh_var_multigroups:/var/ossec/var/multigroups
- wazuh_integrations:/var/ossec/integrations
- wazuh_active_response:/var/ossec/active-response/bin
- wazuh_agentless:/var/ossec/agentless
- wazuh_wodles:/var/ossec/wodles
- filebeat_etc:/etc/filebeat
- filebeat_var:/var/lib/filebeat
- ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.manager.pem:/etc/ssl/filebeat.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.manager-key.pem:/etc/ssl/filebeat.key
- ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
wazuh.indexer:
image: <account-id>.dkr.ecr.<region>.amazonaws.com/wazuh/wazuh-indexer:4.9.2
hostname: wazuh.indexer
restart: always
ports:
- "9200:9200"
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
volumes:
- wazuh-indexer-data:/var/lib/wazuh-indexer
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.key
- ./config/wazuh_indexer_ssl_certs/wazuh.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh.indexer.pem
- ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
- ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
- ./config/wazuh_indexer/wazuh.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
- ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
wazuh.dashboard:
image: <account-id>.dkr.ecr.<region>.amazonaws.com/wazuh/wazuh-dashboard:4.9.2
hostname: wazuh.dashboard
restart: always
ports:
- 443:5601
environment:
- INDEXER_USERNAME=admin
- INDEXER_PASSWORD=SecretPassword
- WAZUH_API_URL=https://wazuh.manager
- DASHBOARD_USERNAME=kibanaserver
- DASHBOARD_PASSWORD=kibanaserver
- API_USERNAME=wazuh-wui
- API_PASSWORD=MyS3cr37P450r.*-
volumes:
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
- ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
- ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
- ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
- ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
- wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
- wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
depends_on:
- wazuh.indexer
links:
- wazuh.indexer:wazuh.indexer
- wazuh.manager:wazuh.manager
volumes:
wazuh_api_configuration:
wazuh_etc:
wazuh_logs:
wazuh_queue:
wazuh_var_multigroups:
wazuh_integrations:
wazuh_active_response:
wazuh_agentless:
wazuh_wodles:
filebeat_etc:
filebeat_var:
wazuh-indexer-data:
wazuh-dashboard-config:
wazuh-dashboard-custom:
$ docker compose up -d
[+] Running 47/35
✔ wazuh.manager Pulled 193.9s
✔ wazuh.indexer Pulled 254.2s
✔ wazuh.dashboard Pulled 306.6s
[+] Running 18/18
✔ Network single-node_default Created 0.3s
✔ Volume "single-node_filebeat_var" Created 0.0s
✔ Volume "single-node_wazuh_var_multigroups" Created 0.0s
✔ Volume "single-node_filebeat_etc" Created 0.0s
✔ Volume "single-node_wazuh_wodles" Created 0.0s
✔ Volume "single-node_wazuh-dashboard-config" Created 0.0s
✔ Volume "single-node_wazuh_active_response" Created 0.0s
✔ Volume "single-node_wazuh_logs" Created 0.0s
✔ Volume "single-node_wazuh-indexer-data" Created 0.0s
✔ Volume "single-node_wazuh_api_configuration" Created 0.0s
✔ Volume "single-node_wazuh_queue" Created 0.0s
✔ Volume "single-node_wazuh_integrations" Created 0.0s
✔ Volume "single-node_wazuh_agentless" Created 0.0s
✔ Volume "single-node_wazuh-dashboard-custom" Created 0.0s
✔ Volume "single-node_wazuh_etc" Created 0.0s
✔ Container single-node-wazuh.manager-1 Started 3.3s
✔ Container single-node-wazuh.indexer-1 Started 3.0s
✔ Container single-node-wazuh.dashboard-1 Started 1.9s
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
c1a8543bd2fa <account-id>.dkr.ecr.<region>.amazonaws.com/wazuh/wazuh-dashboard:4.9.2 "/entrypoint.sh" 8 seconds ago Up 5 seconds 443/tcp, 0.0.0.0:443->5601/tcp, [::]:443->5601/tcp single-node-wazuh.dashboard-1
f58aa0cdee35 <account-id>.dkr.ecr.<region>.amazonaws.com/wazuh/wazuh-indexer:4.9.2 "/entrypoint.sh open…" 10 seconds ago Up 6 seconds 0.0.0.0:9200->9200/tcp, :::9200->9200/tcp single-node-wazuh.indexer-1
2ab0d8ec5dd3 <account-id>.dkr.ecr.<region>.amazonaws.com/wazuh/wazuh-manager:4.9.2 "/init" 10 seconds ago Up 6 seconds 0.0.0.0:1514-1515->1514-1515/tcp, :::1514-1515->1514-1515/tcp, 0.0.0.0:514->514/udp, :::514->514/udp, 0.0.0.0:55000->55000/tcp, :::55000->55000/tcp, 1516/tcp single-node-wazuh.manager-1
$

I also performed tests on EKS with the private ECR repository and, without needing to add permissions after creating the cluster with eksctl, I was able to deploy without problems.
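Two details in the session above deserve a check before this layout moves into CI: the `docker login` warning that the ECR token is cached unencrypted in `~/.docker/config.json`, and the `*_PASSWORD` values written inline in the compose file next to images referenced only by tag. The following Python script is an added example written for this page; it is not code from the issue or from the wazuh-docker project. It reports how each ECR registry's credential is stored in a Docker `config.json`, rewrites that file so the registry is delegated to a credential helper (`ecr-login` is the name Amazon's `amazon-ecr-credential-helper` registers as `docker-credential-ecr-login`, so Docker requests a fresh token at pull time instead of caching the 12-hour token), and scans a compose file for images that are not pinned by digest and for secrets passed inline. The account id, token, digest and compose fragment are constructed samples; the compose scan is line-based, not a full YAML parse.

```python
"""Audit the two artifacts of an ECR-backed Compose deployment (added example, not project code):
  * ~/.docker/config.json -- is the ECR token cached in plaintext or delegated to a credential helper?
  * docker-compose.yml    -- are images pinned by digest, and are secrets passed inline?
"""
import base64
import json
import re

# Constructed sample: what `docker login` writes when no credential helper is configured.
# Account id and token are placeholders, not real values.
SAMPLE_DOCKER_CONFIG = json.dumps({
    "auths": {
        "123456789012.dkr.ecr.us-west-1.amazonaws.com": {
            "auth": base64.b64encode(b"AWS:placeholder-ecr-token").decode()
        }
    }
})

# Constructed compose fragment; the indexer digest is a placeholder. A real one comes from
# `docker inspect --format '{{index .RepoDigests 0}}' <image>` after the image has been pushed.
SAMPLE_COMPOSE = """\
services:
  wazuh.manager:
    image: 123456789012.dkr.ecr.us-west-1.amazonaws.com/wazuh/wazuh-manager:4.9.2
    environment:
      - INDEXER_USERNAME=admin
      - INDEXER_PASSWORD=SecretPassword
      - SSL_KEY=/etc/ssl/filebeat.key
      - API_PASSWORD_FILE=/run/secrets/api_password
  wazuh.indexer:
    image: 123456789012.dkr.ecr.us-west-1.amazonaws.com/wazuh/wazuh-indexer:4.9.2@sha256:%s
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
""" % ("0" * 64)

ECR_HOST = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com$")
IMAGE_LINE = re.compile(r"^\s*image:\s*[\"']?([^\"'\s]+)")
ENV_ITEM = re.compile(r"^\s*-\s*[\"']?([A-Za-z_][A-Za-z0-9_]*)=(.*?)[\"']?\s*$")
SECRET_KEY = re.compile(r"(PASSWORD|SECRET|TOKEN|KEY)$", re.IGNORECASE)


def ecr_credential_status(config_text):
    """Map each ECR registry in config.json to how its credential is stored:
    'helper:<name>' when credHelpers delegates it, 'plaintext' when a base64 user:token sits under auths."""
    cfg = json.loads(config_text)
    status = {}
    for registry, helper in cfg.get("credHelpers", {}).items():
        if ECR_HOST.match(registry):
            status[registry] = "helper:" + helper
    for registry, entry in cfg.get("auths", {}).items():
        if ECR_HOST.match(registry) and entry.get("auth"):
            # 'auth' is only base64("AWS:<token>"): recoverable by anyone who can read the file
            status[registry] = "plaintext" if registry not in status else status[registry] + "+plaintext"
    return status


def with_ecr_credhelper(config_text, registry, helper="ecr-login"):
    """Return config.json rewritten so `registry` uses docker-credential-<helper> and its cached token is dropped."""
    cfg = json.loads(config_text)
    cfg.setdefault("credHelpers", {})[registry] = helper
    cfg.get("auths", {}).pop(registry, None)
    return json.dumps(cfg, indent=2)


def lint_compose(compose_text):
    """Line-based scan (not a full YAML parser). Returns (line, finding, subject) tuples for images
    without an @sha256 digest and for *PASSWORD/SECRET/TOKEN/KEY variables carrying an inline value.
    Path-valued keys (SSL_KEY=/etc/...) and *_FILE indirections are left alone."""
    findings = []
    for lineno, line in enumerate(compose_text.splitlines(), 1):
        m = IMAGE_LINE.match(line)
        if m:
            if "@sha256:" not in m.group(1):
                findings.append((lineno, "unpinned-image", m.group(1)))
            continue
        m = ENV_ITEM.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if SECRET_KEY.search(key) and not key.endswith("_FILE") and value and not value.startswith("/"):
            findings.append((lineno, "inline-secret", key))
    return findings


if __name__ == "__main__":
    registry = "123456789012.dkr.ecr.us-west-1.amazonaws.com"
    print("before:", ecr_credential_status(SAMPLE_DOCKER_CONFIG))
    fixed = with_ecr_credhelper(SAMPLE_DOCKER_CONFIG, registry)
    print("after: ", ecr_credential_status(fixed))
    for lineno, finding, subject in lint_compose(SAMPLE_COMPOSE):
        print(f"compose line {lineno}: {finding}: {subject}")
```

With the `credHelpers` entry in place, `docker pull` invokes the helper for that registry on every pull, so nothing secret is persisted on the GHA runner and the 12-hour token expiry stops being a scheduling concern; the runner's IAM identity still needs `ecr:GetAuthorizationToken` plus the pull permissions on the repositories. Pinning `image:` by digest makes the compose file reference exactly the bytes that were built and pushed, which a mutable `4.9.2` tag does not guarantee.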
Description
As part of the DevOps overhaul objective we need to conduct research, analyze alternatives, and design how to implement the following changes.
Implementation restrictions
Plan