Take firewall into account during Docker deployment #736
rauldpm opened this issue Oct 27, 2022 · 0 comments
rauldpm commented Oct 27, 2022

Description

Several users have reported a problem during the generation of the certificates due to the impossibility of generating them. After some investigation, it has been possible to reproduce the problem by enabling firewalld. It would be interesting to study how to perform a check prior to downloading the file so that the user is informed if there is any problem with the connection or with the firewall.

The steps to reproduce this issue are as follows:

  1. git clone https://github.com/wazuh/wazuh-docker.git -b v4.3.8 --depth=1
  2. cd wazuh-docker/single-node
  3. docker-compose -f generate-indexer-certs.yml run --rm generator
  4. rm -rf config/wazuh_indexer_ssl_certs/*
  5. apt install firewalld
  6. systemctl start firewalld
  7. docker-compose -f generate-indexer-certs.yml run --rm generator

This is because the Docker network was created before firewalld was installed and started.

Deployment output
root@ubuntu22:/home/vagrant# cat /etc/os-release 
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
root@ubuntu22:/home/vagrant# git clone https://github.com/wazuh/wazuh-docker.git -b v4.3.8 --depth=1
Cloning into 'wazuh-docker'...
remote: Enumerating objects: 99, done.
remote: Counting objects: 100% (99/99), done.
remote: Compressing objects: 100% (84/84), done.
remote: Total 99 (delta 16), reused 50 (delta 9), pack-reused 0
Receiving objects: 100% (99/99), 52.83 KiB | 3.77 MiB/s, done.
Resolving deltas: 100% (16/16), done.
Note: switching to 'f42b30b71d4b5713926772a28ee9842291d8b12a'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

root@ubuntu22:/home/vagrant# cd wazuh-docker/single-node
root@ubuntu22:/home/vagrant/wazuh-docker/single-node# docker-compose -f generate-indexer-certs.yml run --rm generator
Creating network "single-node_default" with the default driver
Pulling generator (wazuh/wazuh-certs-generator:0.0.1)...
0.0.1: Pulling from wazuh/wazuh-certs-generator
d7bfe07ed847: Pull complete
a6023cfa8265: Pull complete
6135753eefe9: Pull complete
9aaf0dae5d3f: Pull complete
Digest: sha256:6fc929d58d01b789d4a19c5da476c78cc267c0af07d1b22227ccae49acb084dc
Status: Downloaded newer image for wazuh/wazuh-certs-generator:0.0.1
Creating single-node_generator_run ... done
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 26847  100 26847    0     0   117k      0 --:--:-- --:--:-- --:--:--  117k
Cert tool exists in Packages bucket
27/10/2022 19:41:59 INFO: Admin certificates created.
27/10/2022 19:41:59 INFO: Wazuh indexer certificates created.
27/10/2022 19:41:59 INFO: Wazuh server certificates created.
27/10/2022 19:41:59 INFO: Wazuh dashboard certificates created.
Moving created certificates to destination directory
changing certificate permissions
Setting UID indexer and dashboard
Setting UID for wazuh manager and worker
root@ubuntu22:/home/vagrant/wazuh-docker/single-node# rm -rf config/wazuh_indexer_ssl_certs/*
root@ubuntu22:/home/vagrant/wazuh-docker/single-node# apt install firewalld
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  gir1.2-nm-1.0 ipset libipset13 libnftables1 libnm0 nftables python3-cap-ng python3-firewall
  python3-jsonschema python3-nftables python3-pyrsistent
Suggested packages:
  python-jsonschema-doc
The following NEW packages will be installed:
  firewalld gir1.2-nm-1.0 ipset libipset13 libnm0 python3-cap-ng python3-firewall python3-jsonschema
  python3-nftables python3-pyrsistent
The following packages will be upgraded:
  libnftables1 nftables
2 upgraded, 10 newly installed, 0 to remove and 131 not upgraded.
Need to get 1,686 kB of archives.
After this operation, 6,679 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 https://mirrors.edge.kernel.org/ubuntu jammy-updates/main amd64 nftables amd64 1.0.2-1ubuntu3 [67.2 kB]
Get:2 https://mirrors.edge.kernel.org/ubuntu jammy-updates/main amd64 libnftables1 amd64 1.0.2-1ubuntu3 [332 kB]
Get:3 https://mirrors.edge.kernel.org/ubuntu jammy-updates/main amd64 libnm0 amd64 1.36.6-0ubuntu2 [456 kB]
Get:4 https://mirrors.edge.kernel.org/ubuntu jammy-updates/main amd64 gir1.2-nm-1.0 amd64 1.36.6-0ubuntu2 [84.3 kB]
Get:5 https://mirrors.edge.kernel.org/ubuntu jammy/main amd64 python3-pyrsistent amd64 0.18.1-1build1 [55.5 kB]
Get:6 https://mirrors.edge.kernel.org/ubuntu jammy/main amd64 python3-jsonschema all 3.2.0-0ubuntu2 [43.1 kB]
Get:7 https://mirrors.edge.kernel.org/ubuntu jammy-updates/universe amd64 python3-nftables amd64 1.0.2-1ubuntu3 [11.5 kB]
Get:8 https://mirrors.edge.kernel.org/ubuntu jammy/universe amd64 python3-firewall all 1.1.1-1ubuntu1 [130 kB]
Get:9 https://mirrors.edge.kernel.org/ubuntu jammy/universe amd64 firewalld all 1.1.1-1ubuntu1 [394 kB]
Get:10 https://mirrors.edge.kernel.org/ubuntu jammy/main amd64 libipset13 amd64 7.15-1build1 [63.4 kB]
Get:11 https://mirrors.edge.kernel.org/ubuntu jammy/universe amd64 python3-cap-ng amd64 0.7.9-2.2build3 [17.1 kB]
Get:12 https://mirrors.edge.kernel.org/ubuntu jammy/main amd64 ipset amd64 7.15-1build1 [32.8 kB]      
Fetched 1,686 kB in 6s (276 kB/s)                                                                      
(Reading database ... 75285 files and directories currently installed.)
Preparing to unpack .../00-nftables_1.0.2-1ubuntu3_amd64.deb ...
Unpacking nftables (1.0.2-1ubuntu3) over (1.0.2-1ubuntu2) ...
Preparing to unpack .../01-libnftables1_1.0.2-1ubuntu3_amd64.deb ...
Unpacking libnftables1:amd64 (1.0.2-1ubuntu3) over (1.0.2-1ubuntu2) ...
Selecting previously unselected package libnm0:amd64.
Preparing to unpack .../02-libnm0_1.36.6-0ubuntu2_amd64.deb ...
Unpacking libnm0:amd64 (1.36.6-0ubuntu2) ...
Selecting previously unselected package gir1.2-nm-1.0:amd64.
Preparing to unpack .../03-gir1.2-nm-1.0_1.36.6-0ubuntu2_amd64.deb ...
Unpacking gir1.2-nm-1.0:amd64 (1.36.6-0ubuntu2) ...
Selecting previously unselected package python3-pyrsistent:amd64.
Preparing to unpack .../04-python3-pyrsistent_0.18.1-1build1_amd64.deb ...
Unpacking python3-pyrsistent:amd64 (0.18.1-1build1) ...
Selecting previously unselected package python3-jsonschema.
Preparing to unpack .../05-python3-jsonschema_3.2.0-0ubuntu2_all.deb ...
Unpacking python3-jsonschema (3.2.0-0ubuntu2) ...
Selecting previously unselected package python3-nftables.
Preparing to unpack .../06-python3-nftables_1.0.2-1ubuntu3_amd64.deb ...
Unpacking python3-nftables (1.0.2-1ubuntu3) ...
Selecting previously unselected package python3-firewall.
Preparing to unpack .../07-python3-firewall_1.1.1-1ubuntu1_all.deb ...
Unpacking python3-firewall (1.1.1-1ubuntu1) ...
Selecting previously unselected package firewalld.
Preparing to unpack .../08-firewalld_1.1.1-1ubuntu1_all.deb ...
Unpacking firewalld (1.1.1-1ubuntu1) ...
Selecting previously unselected package libipset13:amd64.
Preparing to unpack .../09-libipset13_7.15-1build1_amd64.deb ...
Unpacking libipset13:amd64 (7.15-1build1) ...
Selecting previously unselected package python3-cap-ng.
Preparing to unpack .../10-python3-cap-ng_0.7.9-2.2build3_amd64.deb ...
Unpacking python3-cap-ng (0.7.9-2.2build3) ...
Selecting previously unselected package ipset.
Preparing to unpack .../11-ipset_7.15-1build1_amd64.deb ...
Unpacking ipset (7.15-1build1) ...
Setting up libnftables1:amd64 (1.0.2-1ubuntu3) ...
Setting up nftables (1.0.2-1ubuntu3) ...
Setting up python3-cap-ng (0.7.9-2.2build3) ...
Setting up python3-firewall (1.1.1-1ubuntu1) ...
Setting up libnm0:amd64 (1.36.6-0ubuntu2) ...
Setting up python3-pyrsistent:amd64 (0.18.1-1build1) ...
Setting up libipset13:amd64 (7.15-1build1) ...
Setting up gir1.2-nm-1.0:amd64 (1.36.6-0ubuntu2) ...
Setting up ipset (7.15-1build1) ...
Setting up python3-jsonschema (3.2.0-0ubuntu2) ...
Setting up python3-nftables (1.0.2-1ubuntu3) ...
Setting up firewalld (1.1.1-1ubuntu1) ...
update-alternatives: using /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice to provide /usr/share/polkit-1/actions/org.fedoraproject.FirewallD1.policy (org.fedoraproject.FirewallD1.policy) in auto mode
Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /lib/systemd/system/firewalld.service.
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for dbus (1.12.20-2ubuntu4) ...
Processing triggers for libc-bin (2.35-0ubuntu3) ...
Scanning processes...                                                                                   
Scanning linux images...                                                                                

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ubuntu22:/home/vagrant/wazuh-docker/single-node# systemctl start firewalld
root@ubuntu22:/home/vagrant/wazuh-docker/single-node# docker-compose -f generate-indexer-certs.yml run --rm generator
Creating single-node_generator_run ... done
Cert tool does not exist in any bucket
ERROR: certificates were not created
ERROR: 1
root@ubuntu22:/home/vagrant/wazuh-docker/single-node# curl -X HEAD -i https://packages.wazuh.com/4.3/wazuh-certs-tool.sh
Warning: Setting custom HTTP method to HEAD with -X/--request may not work the 
Warning: way you want. Consider using -I/--head instead.
HTTP/2 200 
content-type: application/x-sh
content-length: 26847
last-modified: Thu, 13 Oct 2022 10:43:32 GMT
x-amz-version-id: yalbjT_jrgAhclXTsnd2p256oMHkPmL7
accept-ranges: bytes
server: AmazonS3
date: Thu, 27 Oct 2022 12:40:55 GMT
etag: "374a94bed23448bdbb81bf3e68156777"
x-cache: Hit from cloudfront
via: 1.1 630aaa2a715d73fcf3b0d43858ff4de6.cloudfront.net (CloudFront)
x-amz-cf-pop: LHR50-P2
x-amz-cf-id: wrZPF2pZOsxYmKI3n4EctHqbsCOS9rd3VnJSASa5OXWn42IT-uV6Wg==
age: 26302

curl: (18) transfer closed with 26847 bytes remaining to read
root@ubuntu22:/home/vagrant/wazuh-docker/single-node# curl -O https://packages.wazuh.com/4.3/wazuh-certs-tool.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 26847  100 26847    0     0   107k      0 --:--:-- --:--:-- --:--:--  107k
root@ubuntu22:/home/vagrant/wazuh-docker/single-node# ls -l wazuh-certs-tool.sh 
-rw-r--r-- 1 root root 26847 Oct 27 19:59 wazuh-certs-tool.sh
root@ubuntu22:/home/vagrant/wazuh-docker/single-node#

Maybe it's of interest: wazuh/wazuh-packages#1224

Tasks

  • Add a checkpoint to validate that the file to be downloaded is accessible or not before downloading it.
  • Add a new message informing the user that the cause of the error may be in the host firewall.
  • Investigate if the firewall needs to be taken into account in the Docker deployment.
    • Add a section in the Docker deployment documentation about the firewall and how to configure it with the necessary.

Validation

  • The user is informed that there is a problem and that one of the possible causes is the firewall, so the user is asked to review it.
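A pre-download checkpoint of the kind the Tasks list asks for, written here as an added example and not taken from wazuh-docker or the certs generator image. It assumes curl is available where the generator runs; the names CERT_TOOL_URL, CURL_BIN, describe_curl_status, check_cert_tool_reachable and download_cert_tool are the example's own.

```shell
#!/bin/sh
# Added example (not wazuh-docker's own code): probe the certs-tool URL before
# downloading it, so the generator can tell the user that the host firewall may
# be the cause instead of failing with "Cert tool does not exist in any bucket".

CERT_TOOL_URL="https://packages.wazuh.com/4.3/wazuh-certs-tool.sh"  # URL from the issue
CURL_BIN="${CURL_BIN:-curl}"  # overridable so the probe can be exercised without network

# Translate a curl exit status into a short, user-facing cause.
# These are curl's documented codes: 6 resolve, 7 connect, 18 partial file,
# 22 HTTP error (with -f), 28 timeout, 35 TLS connect error.
describe_curl_status() {
    case "$1" in
        0)    echo "reachable" ;;
        6)    echo "DNS resolution failed inside the container" ;;
        7|28) echo "no connection to the download host (refused or timed out)" ;;
        18)   echo "connection closed before the file was fully received" ;;
        22)   echo "server returned an HTTP error status" ;;
        35)   echo "TLS handshake failed" ;;
        *)    echo "curl exited with status $1" ;;
    esac
}

# Probe the URL with a real HEAD request (-I, as curl itself advises over -X HEAD)
# and a short timeout. Returns 0 when reachable; otherwise prints the cause plus
# the firewall hint this issue asks for, and returns curl's status.
check_cert_tool_reachable() {
    url="${1:-$CERT_TOOL_URL}"
    status=0
    "$CURL_BIN" -fsSI --max-time 10 -o /dev/null "$url" || status=$?
    if [ "$status" -eq 0 ]; then
        return 0
    fi
    echo "ERROR: cannot reach $url: $(describe_curl_status "$status")" >&2
    echo "HINT: a host firewall (e.g. firewalld) started after the Docker network" >&2
    echo "      was created can block the container's outbound connections." >&2
    echo "      Review the host firewall configuration and retry." >&2
    return "$status"
}

# Only download once the checkpoint passes; propagate its status otherwise.
download_cert_tool() {
    url="${1:-$CERT_TOOL_URL}"
    dest="${2:-wazuh-certs-tool.sh}"
    check_cert_tool_reachable "$url" || return $?
    "$CURL_BIN" -fsS --max-time 60 -o "$dest" "$url"
}
```

Setting CURL_BIN to a stub that returns a chosen exit status lets the messages be checked without any network, as the test below does.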