.xz decompression fills up /var/ partition and breaks install-process on Debian 12

[johays]

System: Debian 12
Install-method: Wazuh installation assistant (found at https://packages.wazuh.com/4.9/wazuh-install.sh)

Trying to run the installer on different debian-systems, I encounter the same problem:

Installer stops at Dashboard-install INFO: Updating the internal users., then fails and aborts (or loops, not getting anywhere past this step).

journalctl displays "no space left on device" errors for /var/ partition.

When investigating disk-usage on /var/ I can see that the file /var/ossec/tmp/vd_1.0.0_vd_4.8.0.tar grows to over 4GB until partition fills up.

To me, this look like some de-compressing error: There is a 193 mb vd_1.0.0_vd_4.8.0.tar.xz file, and it is being decompressed into over 4GB?

ls -Ahl /var/ossec/tmp
total 4.2G
-rw-r--r-- 1 root  root  4.0G Dec  3 15:31 vd_1.0.0_vd_4.8.0.tar
-rw-r----- 1 wazuh wazuh 193M Oct 28 16:31 vd_1.0.0_vd_4.8.0.tar.xz

Current df -h output before install:

Filesystem                      Size  Used Avail Use% Mounted on
udev                            7.8G     0  7.8G   0% /dev
tmpfs                           1.6G  2.2M  1.6G   1% /run
/dev/mapper/myhostname--vg-root   23G  3.2G   19G  15% /
tmpfs                           7.8G   80K  7.8G   1% /dev/shm
tmpfs                           5.0M     0  5.0M   0% /run/lock
/dev/mapper/myhostname--vg-tmp   1.8G   68K  1.7G   1% /tmp
/dev/sda2                       456M  113M  319M  27% /boot
/dev/mapper/myhostname--vg-var   9.1G  4.4G  4.3G  51% /var
/dev/mapper/myhostname--vg-home  198G   24M  188G   1% /home
/dev/sda1                       511M  5.9M  506M   2% /boot/efi
tmpfs                           100K     0  100K   0% /var/lib/lxd/shmounts
tmpfs                           100K     0  100K   0% /var/lib/lxd/devlxd
tmpfs                           1.6G     0  1.6G   0% /run/user/1000

[rauldpm]

Hello @johays, yes, this is correct, the tar included in the xz file weighs a total of 5.6G, the xz compression allows us to make the file lighter.

This is the output you should be able to see with enough disk space.

-rw-r--r-- 1 root  root  5.6G Dec  3 19:57 vd_1.0.0_vd_4.8.0.tar
-rw-r----- 1 wazuh wazuh 193M Oct 28 15:31 vd_1.0.0_vd_4.8.0.tar.xz

Seeing that you get a disk space error, you will need to increase the disk size or free up space on the partition where the /var/ossec directory is located to complete the installation process successfully.

Note that those files are temporal, and only exist while the Wazuh manager is processing the data for the Vulnerability Detection module, after a while, those files should disappear, returning that space to the disk.

[johays]

Managed to finish the install by temporarily mounting /var/ossec to another partition with more space
mount --bind /mnt/some-big-partition/ossec /var/ossec.
This is quite an ugly fix, as wazuh then depends on the mount being present at all times, until /var partition has been grown into decent size and the folder has been transferred.

However, the partitioning scheme shown in the original post with a rather small /var partition is quite normal for default installs of both Ubuntu and Debian with encryped LVM, so I think this problem should be addressed by the installer.

Suggestion: to put a check in the install-script to check if /var partition has sufficient space for the complete install, and otherwise abort installation without changing anything on the system.

[rauldpm]

This issue should currently be addressed for Wazuh version 5.0.0 with the following development #56

Please note that the problem presented in this issue can be easily reproduced by installing only the Wazuh manager on a partition that does not have enough space.

Also keep in mind that in the future you will need more space to store Wazuh data (alerts, backups, indexes, etc.) so a /var partition of that size may quickly run out of space depending on the use you give to the deployment

In the documentation (https://documentation.wazuh.com/current/quickstart.html#hardware), we set an initial and approximate storage size, but this may change depending on the Wazuh configuration and the final use.