Merge pull request #2072 from wazuh/change/2693-delete-config-files

Exclude config files customized from image build

.env

@@ -1,11 +1,6 @@
 WAZUH_VERSION=main
 WAZUH_IMAGE_VERSION=main
 WAZUH_TAG_REVISION=1
-<<<<<<< HEAD
-FILEBEAT_TEMPLATE_BRANCH=v4.14.0
-WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.4.tar.gz
-=======
->>>>>>> 1e55bb13cadad97053c52747cdb7f57d54eee70b
 WAZUH_UI_REVISION=1
 WAZUH_REGISTRY=docker.io
 IMAGE_TAG=main

.github/workflows/Procedure_push_docker_images.yml

@@ -146,6 +146,8 @@ jobs:
           wazuh_agent_url_i386_msi: "$(aws s3 presign s3://${{ vars.AWS_S3_BUCKET_DEV }}/development/wazuh/5.x/main/packages/wazuh-agent-5.0.0-${{ inputs.reference }}.i386.msi --expires-in 3600 --region us-west-1)"
           wazuh_agent_url_intel64_pkg: "$(aws s3 presign s3://${{ vars.AWS_S3_BUCKET_DEV }}/development/wazuh/5.x/main/packages/wazuh-agent-5.0.0-${{ inputs.reference }}.intel64.pkg --expires-in 3600 --region us-west-1)"
           wazuh_agent_url_arm64_pkg: "$(aws s3 presign s3://${{ vars.AWS_S3_BUCKET_DEV }}/development/wazuh/5.x/main/packages/wazuh-agent-5.0.0-${{ inputs.reference }}.arm64.pkg --expires-in 3600 --region us-west-1)"
+          wazuh_cert_tool: "$(aws s3 presign s3://${{ vars.AWS_S3_BUCKET_DEV }}/development/wazuh/5.x/secondary/installation-assistant/5.0.0/wazuh-certs-tool.sh --expires-in 3600 --region us-west-1)"
+          wazuh_config_yml: "$(aws s3 presign s3://${{ vars.AWS_S3_BUCKET_DEV }}/development/wazuh/5.x/secondary/installation-assistant/5.0.0/config.yml --expires-in 3600 --region us-west-1)"
           EOF
       working-directory: ./build-docker-images
 

build-docker-images/build-images.yml

@@ -8,6 +8,8 @@ services:
         WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION}
         wazuh_manager_url_amd64_rpm: ${wazuh_manager_url_x86_64_rpm}
         wazuh_manager_url_arm64_rpm: ${wazuh_manager_url_aarch64_rpm}
+        wazuh_cert_tool: ${wazuh_cert_tool}
+        wazuh_config_yml: ${wazuh_config_yml}
     image: ${WAZUH_REGISTRY}/wazuh/wazuh-manager:${IMAGE_TAG}
     hostname: wazuh.manager
     restart: always
@@ -49,6 +51,8 @@ services:
         WAZUH_TAG_REVISION: ${WAZUH_TAG_REVISION}
         wazuh_indexer_url_amd64_rpm: ${wazuh_indexer_url_x86_64_rpm}
         wazuh_indexer_url_arm64_rpm: ${wazuh_indexer_url_aarch64_rpm}
+        wazuh_cert_tool: ${wazuh_cert_tool}
+        wazuh_config_yml: ${wazuh_config_yml}
     image: ${WAZUH_REGISTRY}/wazuh/wazuh-indexer:${IMAGE_TAG}
     hostname: wazuh.indexer
     restart: always
@@ -73,6 +77,8 @@ services:
         WAZUH_UI_REVISION: ${WAZUH_UI_REVISION}
         wazuh_dashboard_url_amd64_rpm: ${wazuh_dashboard_url_x86_64_rpm}
         wazuh_dashboard_url_arm64_rpm: ${wazuh_dashboard_url_aarch64_rpm}
+        wazuh_cert_tool: ${wazuh_cert_tool}
+        wazuh_config_yml: ${wazuh_config_yml}
     image: ${WAZUH_REGISTRY}/wazuh/wazuh-dashboard:${IMAGE_TAG}
     hostname: wazuh.dashboard
     restart: always

build-docker-images/wazuh-agent/Dockerfile

@@ -20,6 +20,7 @@ RUN URL_VAR="wazuh_agent_url_${TARGETARCH}_rpm" && \
     dnf install curl-minimal tar gzip procps -y &&\
     curl -o /wazuh-agent.rpm "${agent_url}" && \
     dnf install /wazuh-agent.rpm -y && \
+    rm -rf /wazuh-agent.rpm && \
     dnf clean all && \
     sed -i '/<authorization_pass_path>/d' /var/ossec/etc/ossec.conf && \
     curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \

build-docker-images/wazuh-dashboard/Dockerfile

@@ -8,6 +8,8 @@ ARG INSTALL_DIR=/usr/share/wazuh-dashboard
 ARG TARGETARCH
 ARG wazuh_dashboard_url_amd64_rpm
 ARG wazuh_dashboard_url_arm64_rpm
+ARG wazuh_cert_tool
+ARG wazuh_config_yml
 
 # Update and install dependencies
 RUN URL_VAR="wazuh_dashboard_url_${TARGETARCH}_rpm" && \
@@ -15,6 +17,7 @@ RUN URL_VAR="wazuh_dashboard_url_${TARGETARCH}_rpm" && \
     dnf install curl-minimal libcap openssl -y && \
     curl -o /wazuh-dashboard.rpm "${dashboard_url}" && \
     dnf install /wazuh-dashboard.rpm -y && \
+    rm -rf /wazuh-dashboard.rpm && \
     dnf clean all
 
 # Create and set permissions to data directories

build-docker-images/wazuh-dashboard/config/config.sh

@@ -7,51 +7,29 @@ export TARGET_DIR=${CURDIR}/debian/${NAME}
 export INSTALLATION_DIR=/usr/share/${NAME}
 export CONFIG_DIR=${INSTALLATION_DIR}/config
 
-## Variables
-CERT_TOOL=wazuh-certs-tool.sh
-CERT_CONFIG_FILE=config.yml
-CERT_TOOL_VERSION="${WAZUH_VERSION%.*}"
-PACKAGES_URL=https://packages.wazuh.com/$CERT_TOOL_VERSION/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/$CERT_TOOL_VERSION/
-
+##############################################################################
+# Downloading Cert Gen Tool
+##############################################################################
+# Variables for certificate generation
+CERT_TOOL="wazuh-certs-tool.sh"
+CERT_CONFIG_FILE="config.yml"
 download_package() {
     local url=$1
     local package=$2
-    local output=$2
-    echo "Checking $url$package ..."
-    if curl -fsL "$url$package" -o "$output"; then
-        echo "Downloaded $package from $url"
+    if curl -fsL "$url" -o "$package"; then
+        echo "Downloaded $package"
         return 0
     else
+        echo "Error downloading $package from $url"
         return 1
     fi
 }
-
 # Download the tool to create the certificates
 echo "Downloading the tool to create the certificates..."
-# Try first the prod URL, if it fails try the dev URL
-if download_package "$PACKAGES_URL" "$CERT_TOOL"; then
-    :
-elif download_package "$PACKAGES_DEV_URL" "$CERT_TOOL"; then
-    :
-else
-    echo "The tool to create the certificates does not exist in any bucket"
-    echo "ERROR: certificates were not created"
-    exit 1
-fi
-
+download_package "$wazuh_cert_tool" $CERT_TOOL
 # Download the config file for the certificate tool
 echo "Downloading the config file for the certificate tool..."
-# Try first the prod URL, if it fails try the dev URL
-if download_package "$PACKAGES_URL" "$CERT_CONFIG_FILE"; then
-    :
-elif download_package "$PACKAGES_DEV_URL" "$CERT_CONFIG_FILE"; then
-    :
-else
-    echo "The config file for the certificate tool does not exist in any bucket"
-    echo "ERROR: certificates were not created"
-    exit 1
-fi
+download_package "$wazuh_config_yml" $CERT_CONFIG_FILE
 
 # Modify the config file to set the IP to localhost
 sed -i 's/  ip:.*/  ip: "127.0.0.1"/' $CERT_CONFIG_FILE

build-docker-images/wazuh-dashboard/config/entrypoint.sh

@@ -1,20 +1,81 @@
 #!/bin/bash
 # Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
 
-INSTALL_DIR=/usr/share/wazuh-dashboard
+# Run Wazuh dashboard, using environment variables to
+# set longopts defining Wazuh dashboard's configuration.
+#
+# eg. Setting the environment variable:
+#
+#       OPENSEARCH_STARTUPTIMEOUT=60
+#
+# will cause OpenSearch-Dashboards to be invoked with:
+#
+#       --opensearch.startupTimeout=60
+
+# Setup Home Directory
+export OPENSEARCH_DASHBOARDS_HOME=/usr/share/wazuh-dashboard
+export PATH=$OPENSEARCH_DASHBOARDS_HOME/bin:$PATH
 DASHBOARD_USERNAME="${DASHBOARD_USERNAME:-kibanaserver}"
 DASHBOARD_PASSWORD="${DASHBOARD_PASSWORD:-kibanaserver}"
 
 # Create and configure Wazuh dashboard keystore
 
-yes | $INSTALL_DIR/bin/opensearch-dashboards-keystore create --allow-root && \
-echo $DASHBOARD_USERNAME | $INSTALL_DIR/bin/opensearch-dashboards-keystore add opensearch.username --stdin --allow-root && \
-echo $DASHBOARD_PASSWORD | $INSTALL_DIR/bin/opensearch-dashboards-keystore add opensearch.password --stdin --allow-root
+yes | $OPENSEARCH_DASHBOARDS_HOME/bin/opensearch-dashboards-keystore create --allow-root && \
+echo $DASHBOARD_USERNAME | $OPENSEARCH_DASHBOARDS_HOME/bin/opensearch-dashboards-keystore add opensearch.username --stdin --allow-root && \
+echo $DASHBOARD_PASSWORD | $OPENSEARCH_DASHBOARDS_HOME/bin/opensearch-dashboards-keystore add opensearch.password --stdin --allow-root
 
-##############################################################################
-# Start Wazuh dashboard
-##############################################################################
+opensearch_dashboards_vars=(
+    opensearch.hosts
+)
 
-/wazuh_app_config.sh $WAZUH_UI_REVISION
+function runOpensearchDashboards {
+    longopts=()
+    for opensearch_dashboards_var in ${opensearch_dashboards_vars[*]}; do
+        # 'opensearch.hosts' -> 'OPENSEARCH_URL'
+        env_var=$(echo ${opensearch_dashboards_var^^} | tr . _)
 
-/usr/share/wazuh-dashboard/bin/opensearch-dashboards -c /usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
+        # Indirectly lookup env var values via the name of the var.
+        # REF: http://tldp.org/LDP/abs/html/bashver2.html#EX78
+        value=${!env_var}
+        if [[ -n $value ]]; then
+            longopt="--${opensearch_dashboards_var}=${value}"
+            longopts+=("${longopt}")
+        fi
+    done
+
+    # Files created at run-time should be group-writable, for Openshift's sake.
+    umask 0002
+
+    # TO DO:
+    # Confirm with Mihir if this is necessary
+
+    # The virtual file /proc/self/cgroup should list the current cgroup
+    # membership. For each hierarchy, you can follow the cgroup path from
+    # this file to the cgroup filesystem (usually /sys/fs/cgroup/) and
+    # introspect the statistics for the cgroup for the given
+    # hierarchy. Alas, Docker breaks this by mounting the container
+    # statistics at the root while leaving the cgroup paths as the actual
+    # paths. Therefore, OpenSearch-Dashboards provides a mechanism to override
+    # reading the cgroup path from /proc/self/cgroup and instead uses the
+    # cgroup path defined the configuration properties
+    # cpu.cgroup.path.override and cpuacct.cgroup.path.override.
+    # Therefore, we set this value here so that cgroup statistics are
+    # available for the container this process will run in.
+
+    exec "$@" \
+        --ops.cGroupOverrides.cpuPath=/ \
+        --ops.cGroupOverrides.cpuAcctPath=/ \
+        "${longopts[@]}"
+}
+
+# Prepend "opensearch-dashboards" command if no argument was provided or if the
+# first argument looks like a flag (i.e. starts with a dash).
+if [ $# -eq 0 ] || [ "${1:0:1}" = '-' ]; then
+    set -- opensearch-dashboards "$@"
+fi
+
+if [ "$1" = "opensearch-dashboards" ]; then
+    runOpensearchDashboards "$@"
+else
+    exec "$@"
+fi

build-docker-images/wazuh-dashboard/config/wazuh_app_config.sh

@@ -32,13 +32,19 @@ do
     fi
 done
 
-cat << EOF >> $dashboard_config_file
-hosts:
-  - 1513629884013:
-      url: $wazuh_url
-      port: $wazuh_port
-      username: $api_username
-      password: $api_password
-      run_as: $api_run_as
-EOF
+grep -q 1513629884013 $dashboard_config_file
+_config_exists=$?
 
+if [[ $_config_exists -ne 0 ]]; then
+  cat << EOF >> $dashboard_config_file
+  hosts:
+    - 1513629884013:
+        url: $wazuh_url
+        port: $wazuh_port
+        username: $api_username
+        password: $api_password
+        run_as: $api_run_as
+  EOF
+else
+  echo "Wazuh APP already configured"
+fi

build-docker-images/wazuh-indexer/Dockerfile

@@ -6,6 +6,8 @@ ARG WAZUH_TAG_REVISION
 ARG TARGETARCH
 ARG wazuh_indexer_url_amd64_rpm
 ARG wazuh_indexer_url_arm64_rpm
+ARG wazuh_cert_tool
+ARG wazuh_config_yml
 
 COPY config/config.sh .
 
@@ -14,6 +16,7 @@ RUN URL_VAR="wazuh_indexer_url_${TARGETARCH}_rpm" && \
     dnf install curl-minimal openssl xz tar findutils shadow-utils -y &&\
     curl -o /wazuh-indexer.rpm "${indexer_url}" && \
     dnf install /wazuh-indexer.rpm -y && \
+    rm -rf /wazuh-indexer.rpm && \
     dnf clean all && \
     bash config.sh
 
@@ -69,4 +72,4 @@ EXPOSE 9200
 
 ENTRYPOINT ["/entrypoint.sh"]
 # Dummy overridable parameter parsed by entrypoint
-CMD ["opensearchwrapper"]
+CMD ["opensearch"]

build-docker-images/wazuh-indexer/config/config.sh

@@ -18,52 +18,26 @@ export CONFIG_DIR=${INSTALLATION_DIR}/config
 ##############################################################################
 # Downloading Cert Gen Tool
 ##############################################################################
-
-## Variables
-CERT_TOOL=wazuh-certs-tool.sh
-CERT_CONFIG_FILE=config.yml
-CERT_TOOL_VERSION="${WAZUH_VERSION%.*}"
-PACKAGES_URL=https://packages.wazuh.com/$CERT_TOOL_VERSION/
-PACKAGES_DEV_URL=https://packages-dev.wazuh.com/$CERT_TOOL_VERSION/
-
+# Variables for certificate generation
+CERT_TOOL="wazuh-certs-tool.sh"
+CERT_CONFIG_FILE="config.yml"
 download_package() {
     local url=$1
     local package=$2
-    local output=$2
-    echo "Checking $url$package ..."
-    if curl -fsL "$url$package" -o "$output"; then
-        echo "Downloaded $package from $url"
+    if curl -fsL "$url" -o "$package"; then
+        echo "Downloaded $package"
         return 0
     else
+        echo "Error downloading $package from $url"
         return 1
     fi
 }
-
 # Download the tool to create the certificates
 echo "Downloading the tool to create the certificates..."
-# Try first the prod URL, if it fails try the dev URL
-if download_package "$PACKAGES_URL" "$CERT_TOOL"; then
-    :
-elif download_package "$PACKAGES_DEV_URL" "$CERT_TOOL"; then
-    :
-else
-    echo "The tool to create the certificates does not exist in any bucket"
-    echo "ERROR: certificates were not created"
-    exit 1
-fi
-
+download_package "$wazuh_cert_tool" $CERT_TOOL
 # Download the config file for the certificate tool
 echo "Downloading the config file for the certificate tool..."
-# Try first the prod URL, if it fails try the dev URL
-if download_package "$PACKAGES_URL" "$CERT_CONFIG_FILE"; then
-    :
-elif download_package "$PACKAGES_DEV_URL" "$CERT_CONFIG_FILE"; then
-    :
-else
-    echo "The config file for the certificate tool does not exist in any bucket"
-    echo "ERROR: certificates were not created"
-    exit 1
-fi
+download_package "$wazuh_config_yml" $CERT_CONFIG_FILE
 
 # Modify the config file to set the IP to localhost
 sed -i 's/  ip:.*/  ip: "127.0.0.1"/' $CERT_CONFIG_FILE
@@ -85,7 +59,6 @@ cp -pr /wazuh-certificates/admin-key.pem ${CONFIG_DIR}/certs/admin-key.pem
 # Modify opensearch.yml config paths
 sed -i "s|/etc/wazuh-indexer|${CONFIG_DIR}|g" ${CONFIG_DIR}/opensearch.yml
 
-# Delete xms and xmx parameters in jvm.options
 sed -i 's/-Djava.security.policy=file:\/\/\/etc\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy/-Djava.security.policy=file:\/\/\/usr\/share\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy/g' /etc/wazuh-indexer/jvm.options
 
 chown -R ${USER}:${GROUP} ${CONFIG_DIR}

build-docker-images/wazuh-indexer/config/entrypoint.sh

@@ -1,93 +1,77 @@
-#!/usr/bin/env bash
-# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2)
-set -e
+#!/bin/bash
 
-umask 0002
+# Copyright OpenSearch Contributors
+# SPDX-License-Identifier: Apache-2.0
 
-export USER=wazuh-indexer
-export INSTALLATION_DIR=/usr/share/wazuh-indexer
-export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}/config
-export JAVA_HOME=${INSTALLATION_DIR}/jdk
-export DISCOVERY=$(grep -oP "(?<=discovery.type: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
-export CACERT=$(grep -oP "(?<=plugins.security.ssl.transport.pemtrustedcas_filepath: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml)
-export CERT="${OPENSEARCH_PATH_CONF}/certs/admin.pem"
-export KEY="${OPENSEARCH_PATH_CONF}/certs/admin-key.pem"
+# This script specify the entrypoint startup actions for opensearch
+# It will start both opensearch and performance analyzer plugin cli
+# If either process failed, the entire docker container will be removed
+# in favor of a newly started container
+
+# Export OpenSearch Home
+export OPENSEARCH_HOME=/usr/share/wazuh-indexer
+export OPENSEARCH_PATH_CONF=$OPENSEARCH_HOME/config
+export PATH=$OPENSEARCH_HOME/bin:$PATH
+
+
+# The virtual file /proc/self/cgroup should list the current cgroup
+# membership. For each hierarchy, you can follow the cgroup path from
+# this file to the cgroup filesystem (usually /sys/fs/cgroup/) and
+# introspect the statistics for the cgroup for the given
+# hierarchy. Alas, Docker breaks this by mounting the container
+# statistics at the root while leaving the cgroup paths as the actual
+# paths. Therefore, OpenSearch provides a mechanism to override
+# reading the cgroup path from /proc/self/cgroup and instead uses the
+# cgroup path defined the JVM system property
+# opensearch.cgroups.hierarchy.override. Therefore, we set this value here so
+# that cgroup statistics are available for the container this process
+# will run in.
+export OPENSEARCH_JAVA_OPTS="-Dopensearch.cgroups.hierarchy.override=/ $OPENSEARCH_JAVA_OPTS"
+
+# Start up the opensearch and performance analyzer agent processes.
+# When either of them halts, this script exits, or we receive a SIGTERM or SIGINT signal then we want to kill both these processes.
+function runOpensearch {
+    # Files created by OpenSearch should always be group writable too
+    umask 0002
+
+    if [[ "$(id -u)" == "0" ]]; then
+        echo "Wazuh indexer cannot run as root. Please start your container as another user."
+        exit 1
+    fi
+
+    # Parse Docker env vars to customize Wazuh indexer / OpenSearch configuration
+    #
+    # e.g. Setting the env var cluster.name=testcluster
+    # will cause Wazuh indexer to be invoked with -Ecluster.name=testcluster
+    opensearch_opts=()
+    while IFS='=' read -r envvar_key envvar_value
+    do
+        # OpenSearch settings need to have at least two dot separated lowercase
+        # words, e.g. `cluster.name`, except for `processors` which we handle
+        # specially
+        if [[ "$envvar_key" =~ ^[a-z0-9_]+\.[a-z0-9_]+ || "$envvar_key" == "processors" ]]; then
+            if [[ ! -z $envvar_value ]]; then
+            opensearch_opt="-E${envvar_key}=${envvar_value}"
+            opensearch_opts+=("${opensearch_opt}")
+            fi
+        fi
+    done < <(env)
+
+    # Start opensearch
+    exec "$@" "${opensearch_opts[@]}"
 
-run_as_other_user_if_needed() {
-  if [[ "$(id -u)" == "0" ]]; then
-    # If running as root, drop to specified UID and run command
-    exec chroot --userspec=1000:0 / "${@}"
-  else
-    # Either we are running in Openshift with random uid and are a member of the root group
-    # or with a custom --user
-    exec "${@}"
-  fi
 }
 
-# Allow user specify custom CMD, maybe bin/opensearch itself
-# for example to directly specify `-E` style parameters for opensearch on k8s
-# or simply to run /bin/bash to check the image
-if [[ "$1" != "opensearchwrapper" ]]; then
-  if [[ "$(id -u)" == "0" && $(basename "$1") == "opensearch" ]]; then
-    # Rewrite CMD args to replace $1 with `opensearch` explicitly,
-    # Without this, user could specify `opensearch -E x.y=z` but
-    # `bin/opensearch -E x.y=z` would not work.
-    set -- "opensearch" "${@:2}"
-    # Use chroot to switch to UID 1000 / GID 0
-    exec chroot --userspec=1000:0 / "$@"
-  else
-    # User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?)
+# Prepend "opensearch" command if no argument was provided or if the first
+# argument looks like a flag (i.e. starts with a dash).
+if [ $# -eq 0 ] || [ "${1:0:1}" = '-' ]; then
+    set -- opensearch "$@"
+fi
+
+if [ "$1" = "opensearch" ]; then
+    # If the first argument is opensearch, then run the setup script.
+    runOpensearch "$@"
+else
+    # Otherwise, just exec the command.
     exec "$@"
-  fi
 fi
-
-# Allow environment variables to be set by creating a file with the
-# contents, and setting an environment variable with the suffix _FILE to
-# point to it. This can be used to provide secrets to a container, without
-# the values being specified explicitly when running the container.
-#
-# This is also sourced in opensearch-env, and is only needed here
-# as well because we use INDEXER_PASSWORD below. Sourcing this script
-# is idempotent.
-source /usr/share/wazuh-indexer/bin/opensearch-env-from-file
-
-if [[ -f bin/opensearch-users ]]; then
-  # Check for the INDEXER_PASSWORD environment variable to set the
-  # bootstrap password for Security.
-  #
-  # This is only required for the first node in a cluster with Security
-  # enabled, but we have no way of knowing which node we are yet. We'll just
-  # honor the variable if it's present.
-  if [[ -n "$INDEXER_PASSWORD" ]]; then
-    [[ -f /usr/share/wazuh-indexer/opensearch.keystore ]] || (run_as_other_user_if_needed opensearch-keystore create)
-    if ! (run_as_other_user_if_needed opensearch-keystore has-passwd --silent) ; then
-      # keystore is unencrypted
-      if ! (run_as_other_user_if_needed opensearch-keystore list | grep -q '^bootstrap.password$'); then
-        (run_as_other_user_if_needed echo "$INDEXER_PASSWORD" | opensearch-keystore add -x 'bootstrap.password')
-      fi
-    else
-      # keystore requires password
-      if ! (run_as_other_user_if_needed echo "$KEYSTORE_PASSWORD" \
-          | opensearch-keystore list | grep -q '^bootstrap.password$') ; then
-        COMMANDS="$(printf "%s\n%s" "$KEYSTORE_PASSWORD" "$INDEXER_PASSWORD")"
-        (run_as_other_user_if_needed echo "$COMMANDS" | opensearch-keystore add -x 'bootstrap.password')
-      fi
-    fi
-  fi
-fi
-
-if [[ "$(id -u)" == "0" ]]; then
-  # If requested and running as root, mutate the ownership of bind-mounts
-  if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then
-    chown -R 1000:0 /usr/share/wazuh-indexer/{data,logs}
-  fi
-fi
-
-
-#if [[ "$DISCOVERY" == "single-node" ]] && [[ ! -f "/var/lib/wazuh-indexer/.flag" ]]; then
-  # run securityadmin.sh for single node with CACERT, CERT and KEY parameter
-#  nohup /securityadmin.sh &
-#  touch "/var/lib/wazuh-indexer/.flag"
-#fi
-
-run_as_other_user_if_needed /usr/share/wazuh-indexer/bin/opensearch <<<"$KEYSTORE_PASSWORD"

build-docker-images/wazuh-manager/Dockerfile

@@ -9,6 +9,10 @@ ARG S6_VERSION="v2.2.0.3"
 ARG TARGETARCH
 ARG wazuh_manager_url_amd64_rpm
 ARG wazuh_manager_url_arm64_rpm
+ARG wazuh_cert_tool
+ARG wazuh_config_yml
+
+COPY config/config.sh .
 
 RUN URL_VAR="wazuh_manager_url_${TARGETARCH}_rpm" && \
     manager_url="${!URL_VAR}" && \
@@ -16,7 +20,10 @@ RUN URL_VAR="wazuh_manager_url_${TARGETARCH}_rpm" && \
     dnf clean all && \
     curl -o /wazuh-manager.rpm "${manager_url}" && \
     dnf install /wazuh-manager.rpm -y && \
+    rm -rf /wazuh-manager.rpm && \
     dnf clean all && \
+    chmod 755 /config.sh && \
+    /config.sh && \
     curl --fail --silent -L https://github.com/just-containers/s6-overlay/releases/download/${S6_VERSION}/s6-overlay-amd64.tar.gz \
     -o /tmp/s6-overlay-amd64.tar.gz && \
     tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" && \

build-docker-images/wazuh-manager/config/config.sh

@@ -0,0 +1,39 @@
+##############################################################################
+# Downloading Cert Gen Tool
+##############################################################################
+# Variables for certificate generation
+CERT_TOOL="wazuh-certs-tool.sh"
+CERT_CONFIG_FILE="config.yml"
+CERT_DIR=/var/ossec/etc/certs/
+download_package() {
+    local url=$1
+    local package=$2
+    if curl -fsL "$url" -o "$package"; then
+        echo "Downloaded $package"
+        return 0
+    else
+        echo "Error downloading $package from $url"
+        return 1
+    fi
+}
+# Download the tool to create the certificates
+echo "Downloading the tool to create the certificates..."
+download_package "$wazuh_cert_tool" $CERT_TOOL
+# Download the config file for the certificate tool
+echo "Downloading the config file for the certificate tool..."
+download_package "$wazuh_config_yml" $CERT_CONFIG_FILE
+
+# Modify the config file to set the IP to localhost
+sed -i 's/  ip:.*/  ip: "127.0.0.1"/' $CERT_CONFIG_FILE
+
+chmod 700 "$CERT_CONFIG_FILE"
+# Create the certificates
+chmod 755 "$CERT_TOOL" && bash "$CERT_TOOL" -A
+
+# Copy Wazuh manager certs
+cp -pr /wazuh-certificates/wazuh-1.pem ${CERT_DIR}/wazuh-1.pem
+cp -pr /wazuh-certificates/wazuh-1-key.pem ${CERT_DIR}/wazuh-1-key.pem
+cp -pr /wazuh-certificates/root-ca.key ${CERT_DIR}/root-ca.key
+cp -pr /wazuh-certificates/root-ca.pem ${CERT_DIR}/root-ca.pem
+cp -pr /wazuh-certificates/admin.pem ${CERT_DIR}/admin.pem
+cp -pr /wazuh-certificates/admin-key.pem ${CERT_DIR}/admin-key.pem

build-docker-images/wazuh-manager/config/etc/cont-init.d/0-wazuh-init

@@ -152,18 +152,76 @@ set_custom_hostname() {
   sed -i 's/<node_name>to_be_replaced_by_hostname<\/node_name>/<node_name>'"${HOSTNAME}"'<\/node_name>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
 }
 
-##############################################################################
-# Allow users to set the container cluster key dynamically on
-# container start.
-#
-# To use this:
-# 1. Create your own ossec.conf file
-# 2. In your ossec.conf file, set to_be_replaced_by_cluster_key as your key
-# 3. Mount your custom ossec.conf file at $WAZUH_CONFIG_MOUNT/etc/ossec.conf
-##############################################################################
+function_configure_ossec_conf() {
+OSSEC_CONF="${WAZUH_INSTALL_PATH}/etc/ossec.conf"
 
-set_custom_cluster_key() {
-  sed -i 's/<key>to_be_replaced_by_cluster_key<\/key>/<key>'"${WAZUH_CLUSTER_KEY}"'<\/key>/g' ${WAZUH_INSTALL_PATH}/etc/ossec.conf
+# --------------------------
+# Defaults based on OSSEC_CONF
+# --------------------------
+if [[ -z "$WAZUH_CLUSTER_KEY" ]]; then
+    WAZUH_CLUSTER_KEY=$(sed -n '/<cluster>/,/<\/cluster>/s/.*<key>\(.*\)<\/key>.*/\1/p' "$OSSEC_CONF" | head -n1)
+fi
+
+# Node type logic
+if [[ "$WAZUH_NODE_TYPE" != "worker" ]]; then
+    WAZUH_NODE_TYPE="master"
+fi
+
+# Default node name → HOSTNAME if not defined
+WAZUH_NODE_NAME="${WAZUH_NODE_NAME:-$HOSTNAME}"
+
+# --------------------------
+# Replace Indexer Hosts
+# --------------------------
+if [[ -n "$WAZUH_INDEXER_HOSTS" ]]; then
+    TMP_HOSTS=$(mktemp)
+    {
+        echo "    <hosts>"
+        for NODE in $WAZUH_INDEXER_HOSTS; do
+            IP="${NODE%:*}"
+            PORT="${NODE#*:}"
+            echo "      <host>https://$IP:$PORT</host>"
+        done
+        echo "    </hosts>"
+    } > "$TMP_HOSTS";
+    sed -i -e '/<indexer>/,/<\/indexer>/{ /<hosts>/,/<\/hosts>/{ /<hosts>/r '"$TMP_HOSTS" \
+            -e 'd }}' "$OSSEC_CONF";
+    rm -f "$TMP_HOSTS";
+fi
+
+# --------------------------
+# Cluster: node_name
+# --------------------------
+sed -i "/<cluster>/,/<\/cluster>/ s|<node_name>.*</node_name>|<node_name>$WAZUH_NODE_NAME</node_name>|" "$OSSEC_CONF"
+
+# --------------------------
+# Cluster: node_type
+# --------------------------
+sed -i "/<cluster>/,/<\/cluster>/ s|<node_type>.*</node_type>|<node_type>$WAZUH_NODE_TYPE</node_type>|" "$OSSEC_CONF"
+
+# --------------------------
+# Cluster: key
+# --------------------------
+sed -i "/<cluster>/,/<\/cluster>/ s|<key>.*</key>|<key>$WAZUH_CLUSTER_KEY</key>|" "$OSSEC_CONF"
+
+# --------------------------
+# Cluster: nodes list
+# --------------------------
+if [[ -n "$WAZUH_CLUSTER_NODES" ]]; then
+    TMP_NODES=$(mktemp)
+    {
+        echo "    <nodes>"
+        for N in $WAZUH_CLUSTER_NODES; do
+            echo "        <node>$N</node>"
+        done
+        echo "    </nodes>"
+    } > "$TMP_NODES";
+    sed -i -e '/<cluster>/,/<\/cluster>/{ /<nodes>/,/<\/nodes>/{ /<nodes>/r '"$TMP_NODES" \
+            -e 'd }}' "$OSSEC_CONF";
+    rm -f "$TMP_NODES";
+fi
+
+echo "Wazuh manager config modified successfully."
 }
 
 ##############################################################################
@@ -221,8 +279,8 @@ main() {
   # Allow setting custom hostname
   set_custom_hostname
 
-  # Allow setting custom cluster key
-  set_custom_cluster_key
+  # Configure ossec.conf based on environment variables
+  function_configure_ossec_conf
 
   # Delete temporary data folder
   rm -rf ${WAZUH_INSTALL_PATH}/data_tmp

single-node/config/wazuh_cluster/entrypoint.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+set -xe
+
+OSSEC_CONF="ossec.conf"
+
+# --------------------------
+# Defaults based on OSSEC_CONF
+# --------------------------
+if [[ -z "$WAZUH_CLUSTER_KEY" ]]; then
+    WAZUH_CLUSTER_KEY=$(sed -n '/<cluster>/,/<\/cluster>/s/.*<key>\(.*\)<\/key>.*/\1/p' "$OSSEC_CONF" | head -n1)
+fi
+
+if [[ -z "$WAZUH_CLUSTER_PORT" ]]; then
+    WAZUH_CLUSTER_PORT=$(sed -n '/<cluster>/,/<\/cluster>/s/.*<port>\(.*\)<\/port>.*/\1/p' "$OSSEC_CONF" | head -n1)
+fi
+
+# Node type logic
+if [[ -z "$WAZUH_NODE_TYPE" ]]; then
+    if [[ "$HOSTNAME" == "manager" || "$HOSTNAME" == "aio_node" ]]; then
+        WAZUH_NODE_TYPE="master"
+    else
+        WAZUH_NODE_TYPE="worker"
+    fi
+fi
+
+# Default node name → HOSTNAME if not defined
+WAZUH_NODE_NAME="${WAZUH_NODE_NAME:-$HOSTNAME}"
+
+# --------------------------
+# Replace Indexer Hosts
+# --------------------------
+if [[ -n "$WAZUH_INDEXER_HOSTS" ]]; then
+    TMP_HOSTS=$(mktemp)
+    {
+        echo "    <hosts>"
+        for NODE in $WAZUH_INDEXER_HOSTS; do
+            IP="${NODE%:*}"
+            PORT="${NODE#*:}"
+            echo "      <host>https://$IP:$PORT</host>"
+        done
+        echo "    </hosts>"
+    } > "$TMP_HOSTS";
+    sed -i -e '/<indexer>/,/<\/indexer>/{ /<hosts>/,/<\/hosts>/{ /<hosts>/r '"$TMP_HOSTS" \
+            -e 'd }}' "$OSSEC_CONF";
+    rm -f "$TMP_HOSTS";
+fi
+
+# --------------------------
+# Cluster: node_name
+# --------------------------
+sed -i "/<cluster>/,/<\/cluster>/ s|<node_name>.*</node_name>|<node_name>$WAZUH_NODE_NAME</node_name>|" "$OSSEC_CONF"
+
+# --------------------------
+# Cluster: node_type
+# --------------------------
+sed -i "/<cluster>/,/<\/cluster>/ s|<node_type>.*</node_type>|<node_type>$WAZUH_NODE_TYPE</node_type>|" "$OSSEC_CONF"
+
+# --------------------------
+# Cluster: key
+# --------------------------
+sed -i "/<cluster>/,/<\/cluster>/ s|<key>.*</key>|<key>$WAZUH_CLUSTER_KEY</key>|" "$OSSEC_CONF"
+
+# --------------------------
+# Cluster: port
+# --------------------------
+sed -i "/<cluster>/,/<\/cluster>/ s|<port>.*</port>|<port>$WAZUH_CLUSTER_PORT</port>|" "$OSSEC_CONF"
+
+# --------------------------
+# Cluster: nodes list
+# --------------------------
+if [[ -n "$WAZUH_CLUSTER_NODES" ]]; then
+    TMP_NODES=$(mktemp)
+    {
+        echo "    <nodes>"
+        for N in $WAZUH_CLUSTER_NODES; do
+            echo "        <node>$N</node>"
+        done
+        echo "    </nodes>"
+    } > "$TMP_NODES";
+    sed -i -e '/<cluster>/,/<\/cluster>/{ /<nodes>/,/<\/nodes>/{ /<nodes>/r '"$TMP_NODES" \
+            -e 'd }}' "$OSSEC_CONF";
+    rm -f "$TMP_NODES";
+fi
+
+echo "Wazuh manager config modified successfully."

single-node/config/wazuh_indexer/wazuh.indexer.yml

@@ -6,12 +6,12 @@ path.logs: /var/log/wazuh-indexer
 discovery.type: single-node
 http.port: 9200-9299
 transport.tcp.port: 9300-9399
-plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
-plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
-plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
-plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
-plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
-plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
+plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
+plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
+plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem
+plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.pem
+plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/config/certs/wazuh.indexer.key
+plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem
 plugins.security.ssl.http.enabled: true
 plugins.security.ssl.transport.enforce_hostname_verification: false
 plugins.security.ssl.transport.resolve_hostname: false