wazuh-docker
Can't deploy wazuh on OpenShift
Hi, I tried to deploy wazuh on the OpenShift platform as part of monitoring some servers, following the documentation for deploying wazuh on Kubernetes. Unfortunately, I was not able to deploy wazuh on OpenShift, since after my deployment none of my pods were started and I kept getting this error message: /bin/bash: entrypoint.sh: Permission denied
Not understanding this problem, I started to do some research on the internet and I came across a document from OpenShift that explained that pods start with very restrictive rights on OpenShift, so I decided to pause the pod with the command: command: ["sh", "-c", "while true; do sleep 5; done"]
Indeed, I noticed that the pod was starting with a random user 1009430000, and we can see that the entrypoint.sh file is executable only by the wazuh-dashboard user.
From there, I used these resources:
- https://cloud.redhat.com/blog/understanding-service-accounts-sccs#:~:text=OpenShift%20provides%20security%20context%20constraints%20%28SCC%29%20that%20control,and%20what%20it%20has%20the%20ability%20to%20access.
- https://docs.openshift.com/container-platform/4.3/authentication/managing-security-context-constraints.html
- https://www.youtube.com/watch?v=ZEfg6K3GvbE&t=310s&ab_channel=TechTejendra
- https://www.youtube.com/watch?v=PzzFsvadZdY&t=369s&ab_channel=kubetrain
to allow my user 1009430000 to have the necessary permissions to perform my wazuh deployment, but that didn't work either. Not finding any solution, I decided to rebuild the wazuh project via the build-docker-images scripts (https://github.com/wazuh/wazuh-docker/tree/master/build-docker-images), changing the group and the uid of the wazuh-dashboard user. So I made a modification in the Dockerfile on the creation part of the wazuh-dashboard user like this:
After the build, I had the same problem on the indexer pod, and I also modified the Dockerfile of the indexer like this:
After these configurations, my pods were starting, but I was facing a new problem with rights on files in the conf and cert directories, and other problems.
kubectl get pod
For my dashboard pod:
For my indexer pod:
For my manager pod:
When I do the port forward, I also could not access the dashboard from the web interface, because the API cannot be contacted by the dashboard.
If you can figure out the problem, please let me know.
Thank you in advance!
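The "Permission denied" above comes from OpenShift's arbitrary-UID model: the container runs as a random UID that belongs to the root group (GID 0), so a file only usable by its owner (entrypoint.sh with mode 700 owned by wazuh-dashboard) cannot be executed. The following shell helpers are an added example, not code from the wazuh-docker project; they assume GNU coreutils `stat` and audit a directory for files an arbitrary UID in GID 0 could not read or execute, then apply the chmod half of the usual OpenShift fix on a constructed temp directory.

```shell
#!/bin/sh
# Added example (not from wazuh-docker): audit file modes for OpenShift's
# arbitrary-UID model. The random UID (the poster saw 1009430000) is a member
# of GID 0, so it reaches a file only through the file's group bits, and only
# if the file's group is 0. Assumes GNU stat (-c) and a POSIX shell.

# Octal mode of FILE as printed by GNU stat, e.g. 700 or 4755.
mode_of() { stat -c '%a' "$1"; }

# The group permission digit is the second-to-last character of the mode.
group_digit() {
  m=$(mode_of "$1")
  m=${m%?}                       # drop the "other" digit
  printf '%s' "${m#"${m%?}"}"    # keep what is now the last digit
}

# Return 0 if an arbitrary UID in GID 0 could execute FILE (entrypoints).
group0_can_exec() { [ $(( $(group_digit "$1") & 1 )) -eq 1 ]; }

# Return 0 if an arbitrary UID in GID 0 could read FILE (configs, certs).
group0_can_read() { [ $(( $(group_digit "$1") & 4 )) -eq 4 ]; }

# Group bits only help if the file's group is 0. chgrp needs root, so that
# half belongs in the Dockerfile: RUN chgrp -R 0 DIR && chmod -R g=u DIR
group_is_root() { [ "$(stat -c '%g' "$1")" -eq 0 ]; }

# Give the group the same rights as the owner (the chmod half of the fix).
grant_group_like_owner() { chmod g=u "$1"; }

# List every regular file under DIR that the random UID could not use.
audit_tree() {
  find "$1" -type f | while read -r f; do
    group0_can_read "$f" || echo "unreadable by GID 0: $f"
    group_is_root "$f"   || echo "group is not 0:     $f"
  done
}

# Demo on a constructed temp dir that mimics the poster's entrypoint.sh.
demo() {
  d=$(mktemp -d)
  printf '#!/bin/sh\necho started\n' > "$d/entrypoint.sh"
  chmod 700 "$d/entrypoint.sh"                 # owner-only, as in the image
  audit_tree "$d"
  group0_can_exec "$d/entrypoint.sh" || echo "GID 0 cannot exec: Permission denied"
  grant_group_like_owner "$d/entrypoint.sh"    # now 770
  group0_can_exec "$d/entrypoint.sh" && echo "GID 0 can exec after chmod g=u"
  rm -rf "$d"
}
demo
```

Running `audit_tree` against the image's /etc and application directories (as the paused pod from the post allows) shows exactly which files would block the random UID before the image is rebuilt.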
Hello
We currently don't have Wazuh deployed, configured or tested on OpenShift, but I can help you with some of the bugs you posted so that they can help you fix it.
About this error:
You are having communication problems between pods; this message usually occurs due to several problems. First of all, you should check that the INDEXER_URL variable is pointing to the Wazuh indexer cluster endpoint. In our Kubernetes deployment the INDEXER_URL variable points to the name of pod 0 of the statefulset deployed for Wazuh indexer:
https://github.com/wazuh/wazuh-kubernetes/blob/3db7699f0ae11ce3ee0bb21c80bf451322d48ebd/wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml#L61
If you are using the endpoint correctly, you should verify that the certificates are used correctly and that you have not modified the username and password of the admin user, which we have stored in a configmap in our Kubernetes deployment:
https://github.com/wazuh/wazuh-kubernetes/blob/3db7699f0ae11ce3ee0bb21c80bf451322d48ebd/wazuh/indexer_stack/wazuh-dashboard/dashboard-deploy.yaml#L63
About this error:
They are warnings instead of errors; it is recommended that the permission settings of the certificates be 600 instead of 700 as you are mounting them.
About this error:
In the entrypoint of the Wazuh manager image, the permissions of some files are corrected so that the application does not have problems functioning. This may be because the container does not have root permissions, and they are necessary to be able to start Wazuh manager.
About this error:
In addition to having problems connecting from the Wazuh dashboard to the Wazuh manager API, the "No templates found" problem appears, indicating that surely Filebeat, which runs inside the Wazuh manager pod, is not able to connect with Wazuh indexer. You should check all the connections between the pods, in addition to verifying that the certificates are correctly mounted in each of the paths.
Hello, thanks for your answer. Indeed, I tried to do what you recommended, but unfortunately it doesn't work.
My indexer has:
For my manager pod, when I activate root permissions, OpenShift blocks it, because it doesn't like these permissions.
It forces me to disable this securityContext:
When I do the port forward, now I also cannot access the dashboard from the web interface; I just have this message:
Thanks for your answer!
The error you have may be due to the fact that you have commented out the INDEXER_URL variable. That variable must carry the URL, service name or IP of the Wazuh indexer cluster, so you should check what name OpenShift assigns to node 0 of Wazuh indexer and complete it.
Regarding the Wazuh manager node, I know it should have root permissions, so you should find a way to have them assigned; we don't have any OpenShift environment to check this error to help you with this. Feel free to open an issue requesting this compatibility and we will add it to our backlog and try to prioritize it.
Hello @vcerenu, sorry for my late reply. I tried all of the solutions but they don't work. I don't know if you have other ideas?
Thanks!
Hello @0xThegarlic
As I mentioned in the previous post, we don't have an implementation in OpenShift, so we can't test the implementation you're making. The above messages have been created based on bugs that are generated in other similar implementations, but apparently the OpenShift implementation requires some additional considerations that are not currently covered, and we would need to do some development on it.
If there are considerations that could be taken into account for the deployment, I invite you to create a PR for us and it will be analyzed to add it to our repositories.