Docker-Compose ElasticSearch incompatibility

[milesflo]

Docker-Compose ElasticSearch incompatibility

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	N/A (Only local testing)
OS version (client)	OSX
TheHive version / git hash	c44df9d (latest master at time of writing)
Package Type	Docker (docker-compose)
Browser type & version	If applicable

Problem Description

The docker compose file creates an ElasticSearch container that is incompatible with the rest of the deployment.

Steps to Reproduce

1. Pull/clone from master
2. cd to ./docker/thehive
3. run docker-compose up in this directory
4. Wait for ElasticSearch-related errors to appear.

Possible Solutions

Potentially, reverting this PR will remediate the issue. According to the docs, this project uses ElasticSearch5.0 for stateless storage. Despite this spec, the file was altered to have a major version bump.

Either way, the Docker file and documentation are out of sync.

Complementary information

Sample error. One of many, but I'm cropping out any PII.

cortex_1         | [error] o.e.d.DBConfiguration - ElasticSearch request failure: POST:/cortex_4/_search?
cortex_1         | StringEntity({"query":{"match":{"relations":{"query":"user"}}},"size":0},Some(application/json))
cortex_1         |  => ElasticError(index_not_found_exception,no such index,Some(_na_),Some(cortex_4),None,List(ElasticError(index_not_found_exception,no such index,Some(_na_),Some(cortex_4),None,null,None)),None)

[milesflo]

Experimenting with this hypothesis now

[milesflo]

Reverting seems pretty fruitless

[arnydo]

It looks like Cortex 3.0.0 and TheHive 3.4.0 are "supposed" to be compatible with ES 6+.
But following those versions along with the migration guide (to know what the configuration is supposed to look like) I still get the errors on a fresh install.

https://blog.thehive-project.org/2019/09/11/thehive-3-4-0-cortex-3-0-0-released/
https://github.com/TheHive-Project/TheHiveDocs/blob/master/migration-guide.md

[arnydo]

I was able to get it running with the following compose file (Removed the RC tags and used the latest stable versions).
I did end up deleting the index for TheHive after spinning up because it kept failing. After deleting the index and restarting the container I got right in and was able to run the "update database" process.

version: "2"
services:
  elasticsearch:
    image: elasticsearch:6.8.0
    environment:
      - http.host=0.0.0.0
      - cluster.name=hive
      - thread_pool.index.queue_size=100000
      - thread_pool.search.queue_size=100000
      - thread_pool.bulk.queue_size=100000
    ulimits:
      nofile:
        soft: 65536
        hard: 65536
  cortex:
    image: thehiveproject/cortex:3.0.0
    ports:
      - "0.0.0.0:9001:9001"
  thehive:
    image: thehiveproject/thehive:3.4.0
    depends_on:
      - elasticsearch
      - cortex
   ports:
     - "0.0.0.0:9000:9000"

[milesflo]

@arnydo Nice. Would it be worth investigating a way to run a script to do this automatically on ElasticSearch container creation?

[arnydo]

Maybe. I'll have to see if I can replicate it. May have just been a fluke. If it's consistent then I don't see why not.

…

On Fri, Oct 11, 2019, 3:20 PM Miles Florence ***@***.***> wrote: @arnydo <https://github.com/arnydo> Nice. Would it be worth investigating a way to run a script to do this automatically on ElasticSearch container creation? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1140?email_source=notifications&email_token=ACY47VYUUK6CES6JB7VVXETQODGYLA5CNFSM4I7S2N72YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEBA65GI#issuecomment-541191833>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACY47VZOK437L543PEBMVFDQODGYLANCNFSM4I7S2N7Q> .

[milesflo]

@arnydo Is this it?

curl -X DELETE "http://172.18.0.2:9200/thehive"

EDIT:
Can you make this same request from within the new ES container itself? ex:

curl -X DELETE "http://localhost:9200/thehive"

[arnydo]

I think it was /the_hive_15....

…

On Fri, Oct 11, 2019, 3:29 PM Miles Florence ***@***.***> wrote: @arnydo <https://github.com/arnydo> Is this it? curl -X DELETE "http://172.18.0.2:9200/thehive" — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1140?email_source=notifications&email_token=ACY47VYBH4L443CAMT5D243QODHZBA5CNFSM4I7S2N72YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEBA7RMQ#issuecomment-541194418>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACY47V7CFEP46H272Q64NXTQODHZBANCNFSM4I7S2N7Q> .

[milesflo]

Hmm... What makes it 15?

It is hardcoded somewhere in the project? Is it the 15th container on your environment?

[arnydo]

Something with how it's setup in Elastic search 6 now. https://github.com/TheHive-Project/TheHiveDocs/blob/cea352d0614515791dda758dbca4aef2747da157/admin/upgrade_to_thehive_3_4_and_es_6_x.md

…

On Fri, Oct 11, 2019, 3:38 PM Miles Florence ***@***.***> wrote: Hmm... What makes it 15? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1140?email_source=notifications&email_token=ACY47V4TGU3TZXHI2AU7ASLQODI2JA5CNFSM4I7S2N72YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEBBAHOY#issuecomment-541197243>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACY47VYQYDJ6LSCF6R6SDOTQODI2JANCNFSM4I7S2N7Q> .

[milesflo]

Yeah, looks to be the hardcoded name they're going with. It's not immediately clear what the 15 signifies though. I'll take a stab at this and if it works I'll make a PR.

The subject of this ticket has changed, should I edit the original post or leave as is?

[aacgood]

the_hive_15 relates to the schema version. v3.2/3.3 were using 'the_hive_14' in elastic. https://github.com/TheHive-Project/TheHiveDocs/blob/master/admin/schema_version.md

…

On Sat., 12 Oct. 2019, 06:48 Miles Florence, ***@***.***> wrote: Yeah, looks to be the hardcoded name they're going with. It's not immediately clear what the 15 signifies though. I'll take a stab at this and if it works I'll make a PR. The subject of this ticket has changed, should I edit the original post or leave as is? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1140?email_source=notifications&email_token=AGWR3JCUGY67LHGSYCVF2NLQODKARA5CNFSM4I7S2N72YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEBBBBMI#issuecomment-541200561>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AGWR3JF4WGGDG2FQNTUDQ6DQODKARANCNFSM4I7S2N7Q> .

[milesflo]

Got back to this. Strange behavior when cUrl'ing from TheHive's container

➜  thehive git:(master) docker exec -it thehive_thehive_1 /bin/bash
daemon@bd0453c89034:/opt/thehive$ curl -X DELETE http://172.18.0.2:9200/the_hive_15
{"error":{"root_cause":[{"type":"index_not_found_exception","reason":"no such index","resource.type":"index_or_alias","resource.id":"the_hive_15","index_uuid":"_na_","index":"the_hive_15"}],"type":"index_not_found_exception","reason":"no such index","resource.type":"index_or_alias","resource.id":"the_hive_15","index_uuid":"_na_","index":"the_hive_15"},"status":404}

[milesflo]

Logs of starting up the compose and opening hxxp://localhost[:]9000/

thehive_1        | [error] o.e.d.DBConfiguration - ElasticSearch request failure: POST:/the_hive_15/_search?
thehive_1        | StringEntity({"query":{"match":{"relations":{"query":"user"}}},"size":0},Some(application/json))
thehive_1        |  => ElasticError(index_not_found_exception,no such index,Some(_na_),Some(the_hive_15),None,List(ElasticError(index_not_found_exception,no such index,Some(_na_),Some(the_hive_15),None,null,None)),None)
thehive_1        | [error] o.e.d.DBConfiguration - ElasticSearch request failure: POST:/the_hive_15/_search?
thehive_1        | StringEntity({"query":{"match":{"relations":{"query":"user"}}},"size":0},Some(application/json))
thehive_1        |  => ElasticError(index_not_found_exception,no such index,Some(_na_),Some(the_hive_15),None,List(ElasticError(index_not_found_exception,no such index,Some(_na_),Some(the_hive_15),None,null,None)),None)
thehive_1        | [error] o.e.d.DBConfiguration - ElasticSearch request failure: POST:/the_hive_15/_search?
thehive_1        | StringEntity({"version":"true","query":{"ids":{"values":["init"]}},"size":1},Some(application/json))
thehive_1        |  => ElasticError(index_not_found_exception,no such index,Some(_na_),Some(the_hive_15),None,List(ElasticError(index_not_found_exception,no such index,Some(_na_),Some(the_hive_15),None,null,None)),None)
thehive_1        | [info] o.e.ErrorHandler - GET /api/user/current returned 520
thehive_1        | org.elastic4play.IndexNotFoundException$: null
thehive_1        |      at org.elastic4play.IndexNotFoundException$.<clinit>(Errors.scala)
thehive_1        |      at org.elastic4play.database.DBConfiguration.$anonfun$execute$2(DBConfiguration.scala:145)
thehive_1        |      at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:303)
thehive_1        |      at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)
thehive_1        |      at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)
thehive_1        |      at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
thehive_1        |      at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
thehive_1        |      at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)
thehive_1        |      at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)
thehive_1        |      at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
thehive_1        | [error] o.e.d.DBConfiguration - ElasticSearch request failure: POST:/the_hive_15/_search?scroll=60000ms
thehive_1        | StringEntity({"version":"true","query":{"bool":{"must":[{"term":{"relations":{"value":"dblist"}}},{"term":{"dblist":{"value":"ui_settings"}}}]}},"from":0,"sort":[{"_id":{"order":"desc"}}]},Some(application/json))
thehive_1        |  => ElasticError(index_not_found_exception,no such index,Some(_na_),Some(the_hive_15),None,List(ElasticError(index_not_found_exception,no such index,Some(_na_),Some(the_hive_15),None,null,None)),None)
cortex_1         | [error] o.e.d.DBConfiguration - ElasticSearch request failure: POST:/cortex_4/_search?
cortex_1         | StringEntity({"query":{"match":{"relations":{"query":"user"}}},"size":0},Some(application/json))
cortex_1         |  => ElasticError(index_not_found_exception,no such index,Some(_na_),Some(cortex_4),None,List(ElasticError(index_not_found_exception,no such index,Some(_na_),Some(cortex_4),None,null,None)),None)
cortex_1         | [error] o.e.d.DBConfiguration - ElasticSearch request failure: POST:/cortex_4/_search?
cortex_1         | StringEntity({"version":"true","query":{"ids":{"values":["init"]}},"size":1},Some(application/json))
cortex_1         |  => ElasticError(index_not_found_exception,no such index,Some(_na_),Some(cortex_4),None,List(ElasticError(index_not_found_exception,no such index,Some(_na_),Some(cortex_4),None,null,None)),None)
cortex_1         | [info] o.t.c.s.ErrorHandler - GET /api/user/current returned 520
cortex_1         | org.elastic4play.IndexNotFoundException$: null
cortex_1         |      at org.elastic4play.IndexNotFoundException$.<clinit>(Errors.scala)
cortex_1         |      at org.elastic4play.database.DBConfiguration.$anonfun$execute$2(DBConfiguration.scala:145)
cortex_1         |      at scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:307)
cortex_1         |      at scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:41)
cortex_1         |      at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
cortex_1         |      at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)
cortex_1         |      at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)
cortex_1         |      at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
cortex_1         |      at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:85)
cortex_1         |      at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)
thehive_1        | [error] o.e.d.DBConfiguration - ElasticSearch request failure: POST:/the_hive_15/_search?
thehive_1        | StringEntity({"query":{"match":{"relations":{"query":"user"}}},"size":0},Some(application/json))
thehive_1        |  => ElasticError(index_not_found_exception,no such index,Some(_na_),Some(the_hive_15),None,List(ElasticError(index_not_found_exception,no such index,Some(_na_),Some(the_hive_15),None,null,None)),None)
thehive_1        | [info] o.e.ErrorHandler - GET /api/stream/yOFqxsWI8csB5B7SkIRD returned 401
thehive_1        | org.elastic4play.AuthenticationError: Authentication header not found
thehive_1        |      at org.elastic4play.controllers.Authenticated.$anonfun$getFromApiKey$1(Authenticated.scala:143)
thehive_1        |      at scala.Option.fold(Option.scala:158)
thehive_1        |      at org.elastic4play.controllers.Authenticated.getFromApiKey(Authenticated.scala:143)
thehive_1        |      at controllers.StreamCtrl.$anonfun$get$1(StreamCtrl.scala:99)
thehive_1        |      at play.api.mvc.ActionBuilderImpl.invokeBlock(Action.scala:488)
thehive_1        |      at play.api.mvc.ActionBuilderImpl.invokeBlock(Action.scala:486)
thehive_1        |      at play.api.mvc.ActionBuilder$$anon$10.apply(Action.scala:425)
thehive_1        |      at play.api.mvc.Action.$anonfun$apply$2(Action.scala:97)
thehive_1        |      at play.api.libs.streams.StrictAccumulator.$anonfun$mapFuture$4(Accumulator.scala:183)
thehive_1        |      at scala.util.Try$.apply(Try.scala:209)

[milesflo]

PR: #1144