Warnings about modified files during wazuh-indexer upgrade to 4.9.0

[AlexRuiz7]

Description

During the upgrade to [email protected], there are some configuration files that are modified. Depending on the package manager, it asks for actions from the user (apt) or continues creating backups (yum).

deb

root@server:/home/vagrant# apt-get install wazuh-indexer
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be upgraded:
  wazuh-indexer
1 upgraded, 0 newly installed, 0 to remove and 207 not upgraded.
Need to get 850 MB of archives.
After this operation, 26.6 MB of additional disk space will be used.
Get:1 https://packages.wazuh.com/4.x/apt stable/main amd64 wazuh-indexer amd64 4.9.0-1 [850 MB]
Fetched 850 MB in 1min 10s (12.2 MB/s)                                                                                                                                                       
(Reading database ... 158706 files and directories currently installed.)
Preparing to unpack .../wazuh-indexer_4.9.0-1_amd64.deb ...
Running Wazuh Indexer Pre-Installation Script
Unpacking wazuh-indexer (4.9.0-1) over (4.8.2-1) ...
Setting up wazuh-indexer (4.9.0-1) ...
Installing new version of config file /etc/default/wazuh-indexer ...

Configuration file '/etc/init.d/wazuh-indexer'
 ==> Deleted (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** wazuh-indexer (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/init.d/wazuh-indexer ...

Configuration file '/etc/wazuh-indexer/jvm.options'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** jvm.options (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/wazuh-indexer/jvm.options ...
Installing new version of config file /etc/wazuh-indexer/log4j2.properties ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy ...

Configuration file '/etc/wazuh-indexer/opensearch-security/internal_users.yml'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** internal_users.yml (Y/I/N/O/D/Z) [default=N] ? N
Installing new version of config file /etc/wazuh-indexer/opensearch-security/roles.yml ...
Installing new version of config file /etc/wazuh-indexer/opensearch-security/roles_mapping.yml ...
Running Wazuh Indexer Post-Installation Script
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service
Scanning processes...                                                                                                                                                                         
Scanning linux images...                                                                                                                                                                      

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host

rpm

[root@rhel7 vagrant]# yum upgrade wazuh-indexer-4.9.0-1.x86_64.rpm
Failed to set locale, defaulting to C
Loaded plugins: product-id, search-disabled-repos
Examining wazuh-indexer-4.9.0-1.x86_64.rpm: wazuh-indexer-4.9.0-1.x86_64
Marking wazuh-indexer-4.9.0-1.x86_64.rpm as an update to wazuh-indexer-4.8.2-1.x86_64
Resolving Dependencies
--> Running transaction check
---> Package wazuh-indexer.x86_64 0:4.8.2-1 will be updated
---> Package wazuh-indexer.x86_64 0:4.9.0-1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================================================================================================
 Package                                      Arch                                  Version                                  Repository                                                    Size
================================================================================================================================================================================================
Updating:
 wazuh-indexer                                x86_64                                4.9.0-1                                  /wazuh-indexer-4.9.0-1.x86_64                                1.0 G

Transaction Summary
================================================================================================================================================================================================
Upgrade  1 Package

Total size: 1.0 G
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : wazuh-indexer-4.9.0-1.x86_64                                                                                                                                                 1/2 
warning: /etc/wazuh-indexer/jvm.options created as /etc/wazuh-indexer/jvm.options.rpmnew
warning: /etc/wazuh-indexer/opensearch-security/internal_users.yml saved as /etc/wazuh-indexer/opensearch-security/internal_users.yml.rpmsave
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service
  Cleanup    : wazuh-indexer-4.8.2-1.x86_64                                                                                                                                                 2/2 
  Verifying  : wazuh-indexer-4.9.0-1.x86_64                                                                                                                                                 1/2 
  Verifying  : wazuh-indexer-4.8.2-1.x86_64                                                                                                                                                 2/2 

Updated:
  wazuh-indexer.x86_64 0:4.9.0-1                                                                                                                                                                

Complete!
[root@rhel7 vagrant]# 

We need to carefully analyze the differences and whenever possible, command apt to use the new files by default, not asking for user input.

Plan

• Investigate how to mimic yum's behavior by backing up configuration files during the upgrade.

Functional requirements

Proposals to this problem must fit these requirements:

• The upgrade process must not be blocked for any reason (as per example, waiting for user's input).
• The user must be notified about older files being backed up.

[AlexRuiz7]

jvm.options diff

https://www.diffchecker.com/DKDFpu2N/

jvm.options - Diffchecker.pdf

internal_users.yml diff

https://www.diffchecker.com/lXVpvDV0/

internal_users - Diffchecker.pdf

/etc/init.d/wazuh-indexer

This file does not exist in 4.8.0, and is included in 4.9.0, like in upstream.

Details

#!/usr/bin/env bash
#
# wazuh-indexer <summary>
#
# chkconfig:   2345 80 20
# description: Starts and stops a single wazuh-indexer instance on this system
#

### BEGIN INIT INFO
# Provides: OpenSearch
# Required-Start: $network $named
# Required-Stop: $network $named
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: This service manages the wazuh-indexer daemon
# Description: OpenSearch is a very scalable, schema-free and high-performance search solution supporting multi-tenancy and near realtime search.
### END INIT INFO

set -e -o pipefail

#
# init.d / servicectl compatibility (openSUSE)
#
if [ -f /etc/rc.status ]; then
    . /etc/rc.status
    rc_reset
fi

#
# Source function library.
#
if [ -f /etc/rc.d/init.d/functions ]; then
    . /etc/rc.d/init.d/functions
fi

# Sets the default values for wazuh-indexer variables used in this script
OPENSEARCH_HOME="/usr/share/wazuh-indexer"
MAX_OPEN_FILES=65535
MAX_MAP_COUNT=262144
OPENSEARCH_PATH_CONF="/etc/wazuh-indexer"

PID_DIR="/run/wazuh-indexer"

# Source the default env file
OPENSEARCH_ENV_FILE="/etc/sysconfig/wazuh-indexer"
if [ -f "$OPENSEARCH_ENV_FILE" ]; then
    . "$OPENSEARCH_ENV_FILE"
fi

exec="$OPENSEARCH_HOME/bin/opensearch"
prog="wazuh-indexer"
pidfile="$PID_DIR/${prog}.pid"

export OPENSEARCH_JAVA_OPTS
export JAVA_HOME
export OPENSEARCH_PATH_CONF
export OPENSEARCH_STARTUP_SLEEP_TIME
export OPENSEARCH_JAVA_HOME

lockfile=/var/lock/subsys/$prog

if [ ! -x "$exec" ]; then
    echo "The wazuh-indexer startup script does not exists or it is not executable, tried: $exec"
    exit 1
fi

start() {
    [ -x $exec ] || exit 5

    if [ -n "$MAX_OPEN_FILES" ]; then
        ulimit -n $MAX_OPEN_FILES
    fi
    if [ -n "$MAX_LOCKED_MEMORY" ]; then
        ulimit -l $MAX_LOCKED_MEMORY
    fi
    if [ -n "$MAX_MAP_COUNT" -a -f /proc/sys/vm/max_map_count ] && [ "$MAX_MAP_COUNT" -gt $(cat /proc/sys/vm/max_map_count) ]; then
        sysctl -q -w vm.max_map_count=$MAX_MAP_COUNT
    fi

    # Ensure that the PID_DIR exists (it is cleaned at OS startup time)
    if [ -n "$PID_DIR" ] && [ ! -e "$PID_DIR" ]; then
        mkdir -p "$PID_DIR" && chown wazuh-indexer:wazuh-indexer "$PID_DIR"
    fi
    if [ -n "$pidfile" ] && [ ! -e "$pidfile" ]; then
        touch "$pidfile" && chown wazuh-indexer:wazuh-indexer "$pidfile"
    fi

    cd $OPENSEARCH_HOME
    echo -n $"Starting $prog: "
    # if not running, start it up here, usually something like "daemon $exec"
    daemon --user wazuh-indexer --pidfile $pidfile $exec -p $pidfile -d
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    # stop it here, often "killproc $prog"
    killproc -p $pidfile -d 86400 $prog
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    stop
    start
}

reload() {
    restart
}

force_reload() {
    restart
}

rh_status() {
    # run checks to determine if the service is running or use generic status
    status -p $pidfile $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}


case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
        exit 2
esac
exit $?

[f-galland]

Debian suggests two ways to avoid this type of issues:

• Using symlinks to files outside /etc
• Using maintainer scripts

Reference:

• https://www.debian.org/doc/manuals/maint-guide/dother.en.html#conffiles

[AlexRuiz7]

It has been decided that all configuration files must be kept, including the new configuration files from the packages, as independent files.

On an upgrade of the wazuh-indexer from 4.8 to 4.9, the following files are modified:

• opensearch.yml
• internal_user.yml
• config.yml
• roles-mapping.yml

yum by default does one of the following:

• generates a rpmsave file
• generates a rpmnew file

depending on whether these files are affected by the noreplace directive on the RPM spec file.

We want to model the packages' behavior to always generate the rpmnew files.

For Debian packages, we need to simulate the same behavior. The strategy for Debian packages is to name these configuration files as "new", and rename them on the postinst scripts if there are no such files on the system already.