Working indexer in Docker

docker/prod/Dockerfile

@@ -35,22 +35,21 @@ RUN yum install curl-minimal shadow-utils findutils hostname -y
 RUN getent group $GROUP || groupadd -r -g 1000 $GROUP
 
 RUN useradd --system \
-            --uid 1000 \
-            --no-create-home \
-            --home-dir $INSTALL_DIR \
-            --gid $GROUP \
-            --shell /sbin/nologin \
-            --comment "$USER user" \
-            $USER
+    --uid 1000 \
+    --no-create-home \
+    --home-dir $INSTALL_DIR \
+    --gid $GROUP \
+    --shell /sbin/nologin \
+    --comment "$USER user" \
+    $USER
 
 WORKDIR $INSTALL_DIR
 
 COPY entrypoint.sh /
 
-# COPY config/securityadmin.sh /
+COPY config/securityadmin.sh /
 
-RUN chmod 700 /entrypoint.sh
-# RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh
+RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh
 
 RUN chown 1000:1000 /*.sh
 

docker/prod/config/config.sh

@@ -30,7 +30,7 @@ chmod 755 wazuh-certs-tool.sh && bash wazuh-certs-tool.sh -A
 
 # copy to target
 mkdir -p ${TARGET_DIR}${INSTALLATION_DIR}
-mkdir -p ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/
+# mkdir -p ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/ <-- empty dir
 mkdir -p ${TARGET_DIR}${CONFIG_DIR}
 mkdir -p ${TARGET_DIR}${LIB_DIR}
 mkdir -p ${TARGET_DIR}${LOG_DIR}
@@ -51,9 +51,7 @@ cp -pr /wazuh-certificates/root-ca.pem ${TARGET_DIR}${CONFIG_DIR}/certs/root-ca.
 cp -pr /wazuh-certificates/admin.pem ${TARGET_DIR}${CONFIG_DIR}/certs/admin.pem
 cp -pr /wazuh-certificates/admin-key.pem ${TARGET_DIR}${CONFIG_DIR}/certs/admin-key.pem
 
-# Delete xms and xmx parameters in jvm.options
-sed '/-Xms/d' -i ${TARGET_DIR}${CONFIG_DIR}/jvm.options
-sed '/-Xmx/d' -i ${TARGET_DIR}${CONFIG_DIR}/jvm.options
+# Set path to indexer home directory
 sed -i 's/-Djava.security.policy=file:\/\/\/etc\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy/-Djava.security.policy=file:\/\/\/usr\/share\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy/g' ${TARGET_DIR}${CONFIG_DIR}/jvm.options
 
 chmod -R 500 ${TARGET_DIR}${CONFIG_DIR}/certs

docker/prod/config/securityadmin.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# Initialize the `.opendistro_security` index.
+sleep 30
+bash "$INDEXER_HOME"/plugins/opensearch-security/tools/securityadmin.sh \
+    -cacert "$INDEXER_HOME"/config/certs/root-ca.pem \
+    -cert "$INDEXER_HOME"/config/certs/admin.pem \
+    -key "$INDEXER_HOME"/config/certs/admin-key.pem \
+    -cd "$INDEXER_HOME"/config/opensearch-security/ \
+    -nhnv \
+    -icl

docker/prod/entrypoint.sh

@@ -4,14 +4,17 @@ set -e
 
 umask 0002
 
-export USER=wazuh-indexer
-export INSTALLATION_DIR=/usr/share/wazuh-indexer
-export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}/config
-export JAVA_HOME=${INSTALLATION_DIR}/jdk
-export DISCOVERY=$(grep -oP "(?<=discovery.type: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
-export CACERT=$(grep -oP "(?<=plugins.security.ssl.transport.pemtrustedcas_filepath: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
-export CERT="${OPENSEARCH_PATH_CONF}/certs/admin.pem"
-export KEY="${OPENSEARCH_PATH_CONF}/certs/admin-key.pem"
+# Constants
+INDEXER_HOME=/usr/share/wazuh-indexer
+OPENSEARCH_PATH_CONF=${INDEXER_HOME}/config
+JAVA_HOME=${INDEXER_HOME}/jdk
+
+# DISCOVERY=$(grep -oP "(?<=discovery.type: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
+
+# Export variables to environment
+export INDEXER_HOME
+export OPENSEARCH_PATH_CONF
+export JAVA_HOME
 
 run_as_other_user_if_needed() {
   if [[ "$(id -u)" == "0" ]]; then
@@ -60,15 +63,15 @@ if [[ -f bin/opensearch-users ]]; then
   # honor the variable if it's present.
   if [[ -n "$INDEXER_PASSWORD" ]]; then
     [[ -f /usr/share/wazuh-indexer/opensearch.keystore ]] || (run_as_other_user_if_needed opensearch-keystore create)
-    if ! (run_as_other_user_if_needed opensearch-keystore has-passwd --silent) ; then
+    if ! (run_as_other_user_if_needed opensearch-keystore has-passwd --silent); then
       # keystore is unencrypted
       if ! (run_as_other_user_if_needed opensearch-keystore list | grep -q '^bootstrap.password$'); then
         (run_as_other_user_if_needed echo "$INDEXER_PASSWORD" | opensearch-keystore add -x 'bootstrap.password')
       fi
     else
       # keystore requires password
-      if ! (run_as_other_user_if_needed echo "$KEYSTORE_PASSWORD" \
-          | opensearch-keystore list | grep -q '^bootstrap.password$') ; then
+      if ! (run_as_other_user_if_needed echo "$KEYSTORE_PASSWORD" |
+        opensearch-keystore list | grep -q '^bootstrap.password$'); then
         COMMANDS="$(printf "%s\n%s" "$KEYSTORE_PASSWORD" "$INDEXER_PASSWORD")"
         (run_as_other_user_if_needed echo "$COMMANDS" | opensearch-keystore add -x 'bootstrap.password')
       fi
@@ -83,11 +86,13 @@ if [[ "$(id -u)" == "0" ]]; then
   fi
 fi
 
+# Initialize security
+nohup /securityadmin.sh &
 
 #if [[ "$DISCOVERY" == "single-node" ]] && [[ ! -f "/var/lib/wazuh-indexer/.flag" ]]; then
-  # run securityadmin.sh for single node with CACERT, CERT and KEY parameter
+# run securityadmin.sh for single node with CACERT, CERT and KEY parameter
 #  nohup /securityadmin.sh &
 #  touch "/var/lib/wazuh-indexer/.flag"
 #fi
 
-run_as_other_user_if_needed /usr/share/wazuh-indexer/bin/opensearch <<<"$KEYSTORE_PASSWORD"
+run_as_other_user_if_needed /usr/share/wazuh-indexer/bin/opensearch <<<"$KEYSTORE_PASSWORD"