-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SPIKE - OVA #119
Comments
Update ReportI've been reading what is the plan and documentating about how we are making the OVA right now. |
Update ReportI've been taking a look to the worflow and process we have right now for the creation of the OVA. |
Update Report@Enaraque and I have been working together on the possible of chaning the base operating system for OVA and AMI. In this case the goal is to use Amazon Linux 2023 as the base OS, looking for an improvement thanks to its continuous maintenance by AWS, thus allowing greater security. The problem we have right now is that AWS does not allow to import or export instances with AL2023 as OS, so it is necessary to find a way to do it. For this, other alternatives have been investigated:
These three options would allow us to reduce the export time since we would not depend on the EC2 export process. Simply when the In addition, they would allow that the subsequent tests to be developed could be executed in a more efficient and simple way. Once this research has been carried out, it would be necessary to carry out the necessary tests to see if it is possible and profitable to implement any of these options. To create a VM it is necessary to first create an AL2023 Vagrant box. For this, we have been following and testing the scripts discussed in this issue. |
Update ReportResearch and testing has continued in order to create the AL2023 VM on macStadium. With the Important All these tests have been done manually, the VM has not been created from the allocator. So an important part to implement would be to be able to deploy the al2023 VM in the macStadium. Once this is achieved, we will continue with the configuration of the OVA and the export to see if it is completed correctly. |
Update ReportAfter having the AL2023 VM in the macStadium it was time to install the Wazuh core components and make the pertinent configurations. For this, I cloned the Once the script was finished, I cleaned the machine in the same way as it is done in the workflow and proceeded to export it as OVA. Once exported I copied it to my local machine to later import it in VirtualBox. Finally, when importing it and turning on the machine we see several things.
Investigating, I think it may be due to the |
Update ReportI've been trying to understand why the network interface is not being correctly deployed. I tried to force the assignment of the network interface manually or with the Vagrantfile but it failed every time. I investigated if this could be coming because of the cloud-init but it does not seem to be the issue. Also, we checked the VboxGuestAdditions because we saw an error in the execution. When creating the base box of AL2023, it has a problem because it takes the kernel from our local machines instead of the kernel of AL2023. We tried to give it a solution but we were unable to because it's a VBox process that we cannot control or edit. Changing the perspective, I tried to launch the Vagrant box we deployed in the MacStadium in my local machine but we failed due to an unkown error. I investigated the error but the solutions I found did not work or have no sense in my case. So, tomorrow I will try to generate the base box again and repeat the creation of the OVA in my local machine so we discard that creating it in the MacStadium is what is generating the issues. |
Update ReportI generated again the box with Amazon Linux 2023 in it in my local machine. Then I started it but using the configuration in the Vagrantfile that we use in the Allocator does not seem to work properly. It's not assigning the correct IP in the Anyway, I tried to continue the process by installing the Wazuh components in the machine with the static So, as far as I have come I see that the process of creating our Vagrant box from the The following screenshot shows the initiation of the OVA we created: As it can be seen there is an error that displays that VBox had
If we run systemctl status commands of the different Wazuh central components we can see that they are installed and running:
But if we check the network interfaces we see that the Next workaroundI consider interesting to change and investigate if by changing the OS and using the |
Update ReportToday we've tried to make the First, we had to install VirtualBox, Vagrant and the scripts to WorkaroundThe workaround I have come is that we can try to add a network interface permanent in the system using Also, we have tried using the So, after observing this behavior we can assume that this might work in the macStadium as the process have not changed in that way. The next step will be to try the deploy the full |
Update ReportWe've been working on the proposed solution yesterday and exported a new OVA that was built in the macStadium. Next stepsYesterday, @Enaraque deployed the Wazuh 4.9.2 OVA and noticed that in the Then, the next paths we can try are two:
|
Update ReportI've been testing with the This machine didn't boot up with a reachable network interface as can be seen in the previous reports. Then, I halted the machine and added this configuration:
Note It might be possible that the And this worked so when I booted up the vm again it had the Wazuh central components installed and the IP was reachable. I could enter the Wazuh Dashboard via the web browser and it worked fine. So, this is not the final test but it's a proof that using the Now, there are two possible ways of implementing this in the OVA creation process:
Latest researchI've been reading and thinking about how we can add this to our script to be able to execute this on our MacStadium machines. The configuration I proposed uses the
This will create an hostonly network interface that has dhcp that can assign IPs from So, in conclusion, tomorrow I will test if the proposed solutions work in the MacStadium and doesn't break anything that we have working right now that is what I fear the most. 😟 |
Update ReportI started the day by testing the first option of the two proposed yesterday, that is, running these This option did not work so I opted to try the second option which is to use these commands once the VM where Wazuh is installed is stopped to proceed with the export as Before trying this option I made several tests because the results I was getting were quite strange and so I made tests configuring inside the VM The solution is to create a file Subsequently, I then tried combining the two solutions, i.e. using the Once this was done, I copied the OVA in VirtualBoxRunning
|
Update ReportThis morning I have been testing with So, in the tests done this morning I could check that the Running
|
Update ReportI have tried to follow the same steps using the macStadium Intel as base to create the OVA but when exported the OVA it did not have the Wazuh configuration and the network configration I did myself by hand. I still have the console logs opened of creating the needed file for the network configuration so I think something happened in the meanwhile. |
Update ReportToday, I retried the creation of the OVA using the macStadium as the base. I followed the steps carefully and made sure that at each step I got the expected response. Finally, I tested the exported OVA in VirtualBoxRunning
|
Update ReportDescription of the alternatives we have
For both first and second options, it would be needed to create a base Vagrant box with Amazon Linux 2023 as base operating system. This would cause us to host and maintain the scripts that creates that box. Then, that created box is the one we will use to create a virtual machine and install Wazuh in it. 1. Using the macStadium as baseWe can use our Intel macStadium to perform the OVA building process. The process would be something like this:
Note This is the general process I have been following to do the tests. This will require taking a look at it and refining the steps as necessary. Here we would have to discuss if creating the Vagrant box each time we create a new OVA is needed. The only purpose of renewing the existent Vagrant box would be to update the version of Amazon Linux 2023. Skipping this step would make the process a lot faster. So, in my personal opinion, there are two options to consider here:
I would go for the option two, because thinking in our release process, it would be rare for them to release a new AL2023 version between one of our stages. Eg: between Summarizing, the pros and cons of using this option are described below:
As can be seen the pros are that we no longer depend on AWS so that reduces both costs and time. Also, the definition and the completion of the tests should be easier because we can enter the instance and check that the configurations and the Wazuh installation is done. On the other hand, we would have a needed maintenance and host of the scripts used for the base Vagrant box with Amazon Linux 2023. This can cause some problems if something in the process changes and stops working. Also, we will have to define if we will be using the Allocator to deploy the instance or if we are going to directly connect to our macStadium through the workflow using a VPN making it easier for us to run the commands. Anyway, we would need direct connection with the macStadium to run the final configurations using 2. Using a metal AWS EC2 instanceThe process of using a metal EC2 instance is the same as explained for the macStadium except some previous installations. Here, we would also need to install VirtualBox and Vagrant in the instance. Also, we would have to copy the
The only thing we would need to change in the Allocator would be the addition of this type of instance in the 3. Keep using the EC2 export tool and think about changing the base OS to one supportedFinally, we can continue using the AWS EC2 tool to export an instance as OVA. At the moment, Amazon Linux 2023 is still not supported by AWS to export it. So here we have some options:
1. Maintain the process as we do right now, using AL2 as base OS
This option is the safer one, as we know it works but the process of creating the OVA is slow and the time may vary from one run to another and we can't do anything there. 2. Change the OS to a supported one.
Changing the base OS would require an extra job of checking that everything works as we intend to do for the user that downloads the Wazuh OVA. Also, it would require us to align the OS with the Wazuh AMI. This would also cause an extra job of testing that the AMI works fine in other OS. 3. Wait for AWS to support AL2023.
This would have been the preferred option for us because the process would be the same, we would not have to change how the workflows work, we would only have to add the tests. Unfortunately, this is still not available. TestingFor the testing task the tests to be done would be similar to the ones that we do in the Installation Assistant test. We could use Python to implement those tests, running the commands in the OVA machine and processing the output to know if all checks passed or there are new errors in the logs or some service is not working. And then, if some errors are found, we could upload an artifact to the workflow run with the logs that contains errors. |
Implementation PlanStore the scripts in the virtual machines repoThe Review the generation scripts and migrate to PythonIt’s neccessary to review the Install VirtualBox and VagrantThe installation of Vagrant and VirtualBox would be required in the AWS metal instance. For the VirtualBox installation we will have to download the installation script hosted in a URL like this
And then check that the kernel versions are the same using this commands:
Review the
|
Description
We need to analyze if we can improve/simplify the OVA generation. Aspects to analyze:
As a requirement, the OVA must not be built with the Installation assistant.
Additionally, we need to design and implement DevOps-owned OVA testing. Currently, there are no tests for the OVA. The goal is to create a GitHub Action (GHA) workflow that serves both as a PR check and an on-demand testing tool. The GHA should validate:
Implementation restrictions
Plan
The text was updated successfully, but these errors were encountered: