Improve maintenance of upstream config files (#557)

* Remove security related config files and jvm.prod.options

Changes are appended to the original files instead

* Update performance-analyzer.service to 2.18.0

* Remove duplicated line

* Add PA settings

* Fix PA missing permissions on Deb packages

* Attempt to properly define OPENSEARCH_PATH_CONF in rpm.spec file

build-scripts/assemble.sh

@@ -158,13 +158,14 @@ function parse_args() {
 # Set up configuration files
 # ====
 function add_configuration_files() {
-    # swap configuration files
-    cp $PATH_CONF/security/* $PATH_CONF/opensearch-security/
-    cp $PATH_CONF/jvm.prod.options $PATH_CONF/jvm.options
-    cp $PATH_CONF/opensearch.prod.yml $PATH_CONF/opensearch.yml
+    # Add our settings to the configuration files
+    cat "$PATH_CONF/security/roles.wazuh.yml" >> "$PATH_CONF/opensearch-security/roles.yml"
+    cat "$PATH_CONF/security/roles_mapping.wazuh.yml" >> "$PATH_CONF/opensearch-security/roles_mapping.yml"
+
+    cp "$PATH_CONF/opensearch.prod.yml" "$PATH_CONF/opensearch.yml"
 
-    rm -r $PATH_CONF/security
-    rm $PATH_CONF/jvm.prod.options $PATH_CONF/opensearch.prod.yml
+    rm -r "$PATH_CONF/security"
+    rm "$PATH_CONF/opensearch.prod.yml"
 
     # Remove symbolic links and bat files
     find . -type l -exec rm -rf {} \;
@@ -187,9 +188,9 @@ function add_wazuh_tools() {
     local download_url
     download_url="https://packages-dev.wazuh.com/${version}"
 
-    curl -sL "${download_url}/config.yml" -o $PATH_PLUGINS/opensearch-security/tools/config.yml
-    curl -sL "${download_url}/wazuh-passwords-tool.sh" -o $PATH_PLUGINS/opensearch-security/tools/wazuh-passwords-tool.sh
-    curl -sL "${download_url}/wazuh-certs-tool.sh" -o $PATH_PLUGINS/opensearch-security/tools/wazuh-certs-tool.sh
+    curl -sL "${download_url}/config.yml" -o "$PATH_PLUGINS/opensearch-security/tools/config.yml"
+    curl -sL "${download_url}/wazuh-passwords-tool.sh" -o "$PATH_PLUGINS/opensearch-security/tools/wazuh-passwords-tool.sh"
+    curl -sL "${download_url}/wazuh-certs-tool.sh" -o "$PATH_PLUGINS/opensearch-security/tools/wazuh-certs-tool.sh"
 }
 
 # ====

distribution/build.gradle

@@ -609,8 +609,8 @@ subprojects {
       ],
 
       'error.file': [
-        'deb': "-XX:ErrorFile=/usr/share/wazuh-indexer/hs_err_pid%p.log",
-        'rpm': "-XX:ErrorFile=/usr/share/wazuh-indexer/hs_err_pid%p.log",
+        'deb': "-XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log",
+        'rpm': "-XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log",
         'def': "-XX:ErrorFile=logs/hs_err_pid%p.log"
       ],
 

distribution/packages/src/common/wazuh-indexer-performance-analyzer.service

@@ -1,22 +1,15 @@
-# Copyright OpenSearch Contributors
-# SPDX-License-Identifier: Apache-2.0
-#
-# The OpenSearch Contributors require contributions made to
-# this file be licensed under the Apache-2.0 license or a
-# compatible open source license.
-
 [Unit]
 Description=OpenSearch Performance Analyzer
+PartOf=wazuh-indexer.service
 
 [Service]
-Type=simple
 ExecStart=/usr/share/wazuh-indexer/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli
 Restart=on-failure
 User=wazuh-indexer
 Group=wazuh-indexer
 Environment=OPENSEARCH_HOME=/usr/share/wazuh-indexer
-Environment=OPENSEARCH_PATH_CONF=/etc/wazuh-indexer/
+Environment=OPENSEARCH_PATH_CONF=/etc/wazuh-indexer
 WorkingDirectory=/usr/share/wazuh-indexer
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=wazuh-indexer.service

distribution/packages/src/deb/debian/postinst

@@ -32,6 +32,21 @@ chown -R wazuh-indexer:wazuh-indexer ${data_dir}
 chown -R wazuh-indexer:wazuh-indexer ${pid_dir}
 chown -R wazuh-indexer:wazuh-indexer ${tmp_dir}
 
+
+export OPENSEARCH_PATH_CONF=${OPENSEARCH_PATH_CONF:-${config_dir}}
+# Apply Performance Analyzer settings, as per https://github.com/opensearch-project/opensearch-build/blob/2.18.0/scripts/pkg/build_templates/current/opensearch/deb/debian/postinst#L28-L37
+if ! grep -q '## OpenSearch Performance Analyzer' "$OPENSEARCH_PATH_CONF/jvm.options"; then
+    CLK_TCK=$(/usr/bin/getconf CLK_TCK)
+    {
+        echo
+        echo "## OpenSearch Performance Analyzer"
+        echo "-Dclk.tck=$CLK_TCK"
+        echo "-Djdk.attach.allowAttachSelf=true"
+        echo "-Djava.security.policy=file://$OPENSEARCH_PATH_CONF/opensearch-performance-analyzer/opensearch_security.policy"
+        echo "--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED"
+    } >> "$OPENSEARCH_PATH_CONF/jvm.options"
+fi
+
 # Reload systemctl daemon
 if command -v systemctl > /dev/null; then
     systemctl daemon-reload

distribution/packages/src/deb/debmake_install.sh

@@ -45,7 +45,6 @@ find "${buildroot}" -type f -exec chmod 640 {} \;
 systemd_files=()
 systemd_files+=("${buildroot}/${service_dir}/${name}.service")
 systemd_files+=("${buildroot}/${service_dir}/${name}-performance-analyzer.service")
-systemd_files+=("${buildroot}/${service_dir}/${name}-performance-analyzer.service")
 systemd_files+=("${buildroot}/etc/init.d/${name}")
 systemd_files+=("${buildroot}/usr/lib/sysctl.d/${name}.conf")
 systemd_files+=("${buildroot}/usr/lib/tmpfiles.d/${name}.conf")
@@ -81,6 +80,7 @@ fi
 
 binary_files=()
 binary_files+=("${buildroot}${product_dir}"/bin/*)
+binary_files+=("${buildroot}${product_dir}"/bin/opensearch-performance-analyzer/*)
 binary_files+=("${buildroot}${product_dir}"/jdk/bin/*)
 binary_files+=("${buildroot}${product_dir}"/jdk/lib/jspawnhelper)
 binary_files+=("${buildroot}${product_dir}"/jdk/lib/modules)

distribution/packages/src/rpm/wazuh-indexer.rpm.spec

@@ -180,18 +180,20 @@ set -e
 chown -R %{name}:%{name} %{config_dir}
 chown -R %{name}:%{name} %{log_dir}
 
-# Apply PerformanceAnalyzer Settings
-chmod a+rw /tmp
-if ! grep -q '## OpenSearch Performance Analyzer' %{config_dir}/jvm.options; then
-   # Add Performance Analyzer settings in %{config_dir}/jvm.options
-   CLK_TCK=`/usr/bin/getconf CLK_TCK`
-   echo >> %{config_dir}/jvm.options
-   echo '## OpenSearch Performance Analyzer' >> %{config_dir}/jvm.options
-   echo "-Dclk.tck=$CLK_TCK" >> %{config_dir}/jvm.options
-   echo "-Djdk.attach.allowAttachSelf=true" >> %{config_dir}/jvm.options
-   echo "-Djava.security.policy=file://%{config_dir}/opensearch-performance-analyzer/opensearch_security.policy" >> %{config_dir}/jvm.options
-   echo "--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED" >> %{config_dir}/jvm.options
+export OPENSEARCH_PATH_CONF=${OPENSEARCH_PATH_CONF:-%{config_dir}}
+# Apply Performance Analyzer settings, as per https://github.com/opensearch-project/opensearch-build/blob/2.18.0/scripts/pkg/build_templates/current/opensearch/deb/debian/postinst#L28-L37
+if ! grep -q '## OpenSearch Performance Analyzer' "$OPENSEARCH_PATH_CONF/jvm.options"; then
+    CLK_TCK=$(/usr/bin/getconf CLK_TCK)
+    {
+        echo
+        echo "## OpenSearch Performance Analyzer"
+        echo "-Dclk.tck=$CLK_TCK"
+        echo "-Djdk.attach.allowAttachSelf=true"
+        echo "-Djava.security.policy=file://$OPENSEARCH_PATH_CONF/opensearch-performance-analyzer/opensearch_security.policy"
+        echo "--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED"
+    } >> "$OPENSEARCH_PATH_CONF/jvm.options"
 fi
+
 # Reload systemctl daemon
 if command -v systemctl > /dev/null; then
     systemctl daemon-reload

distribution/src/config/security/roles.wazuh.yml

@@ -0,0 +1,19 @@
+
+# Wazuh monitoring and statistics index permissions
+manage_wazuh_index:
+  reserved: true
+  hidden: false
+  cluster_permissions: []
+  index_permissions:
+  - index_patterns:
+    - "wazuh-*"
+    dls: ""
+    fls: []
+    masked_fields: []
+    allowed_actions:
+    - "read"
+    - "delete"
+    - "manage"
+    - "index"
+  tenant_permissions: []
+  static: false