Add Default Container Environment Variables + Wazuh Agent Installation #250
Merged: runleveldev merged 10 commits into main, Mar 23, 2026
Conversation
Introduce Wazuh agent first-boot enrollment and system-wide default container environment variables.
- create-a-container: Use Setting in container creation to load a JSON 'default_container_env_vars' and inject WAZUH_MANAGER (hostname from wazuh_api_url) and WAZUH_REGISTRATION_PASSWORD (if set). Merge priority: image defaults < system defaults < per-container values.
- UI: Add settings UI to manage default container env vars and Wazuh settings (API URL + enrollment password). Password is not echoed back; only an indicator is shown. Validate Wazuh API URL and serialize env var entries before saving to settings.
- Server: Expose wazuh_api_url to authenticated views so a sidebar link appears when configured.
- Images: Update base image Dockerfile to include and enable wazuh-enroll.service and wazuh-enroll.sh.
- New files: Add systemd unit (wazuh-enroll.service) and enrollment script (wazuh-enroll.sh) which installs the Wazuh agent, uses /etc/machine-id as agent name, optionally writes and then purges the enrollment password, waits for enrollment, and writes a sentinel to avoid rerunning.
These changes allow the cluster manager to automatically provide Wazuh connection details to new containers and offer a management UI for defaults and enrollment credentials.
Switch default_container_env_vars to an array of {key,value,description} while still supporting the old flat-object {KEY: value} format. create-container now parses either format (ignoring descriptions when injecting container envs), updates log messaging, and removes automatic Wazuh API/password injection. The settings router/read/save flow was updated to persist an array, convert legacy objects to the new shape, and build the saved entries from the form. The settings view adds a Description column and UI inputs for descriptions and removes the Wazuh integration form and header link. server.js no longer exposes the Wazuh URL middleware. A new seeder adds WAZUH_MANAGER and WAZUH_REGISTRATION_PASSWORD to default_container_env_vars if missing.
Update the Settings model to use DataTypes.TEXT for the value field and add a Sequelize migration (create-a-container/migrations/20260320000000-change-settings-value-to-text.js) to alter the existing column to TEXT. The migration includes an up (to TEXT) and down (back to STRING) to allow storing longer setting values while preserving rollback capability.
runleveldev requested changes, Mar 20, 2026
Centralize parsing of default_container_env_vars by adding Setting.getDefaultContainerEnvVars() and updating callers in create-container and the settings router to use it (handles both current array and legacy flat-object formats). Pre-install the wazuh-agent in the base image so containers don't need network access on first boot, and simplify enrollment: adjust wazuh-enroll.service to trigger only when the agent has never enrolled (checks client.keys), add EnvironmentFile support, and remove build-time service enablement. Rewrite wazuh-enroll.sh to write /var/ossec/etc/ossec.conf at runtime, start the agent, and wait for client.keys (with a warning on timeout); remove runtime package installation and post-enrollment cleanup/sentinel creation. These changes reduce runtime network dependencies and centralize env-var handling.
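The commits above describe three behaviours that are easy to get subtly wrong: accepting both the current array shape and the legacy flat-object shape of default_container_env_vars, merging with the precedence image defaults < system defaults < per-container values, and never echoing the enrollment password back to the settings page. The following is an added example written for this page, not the project's Setting.getDefaultContainerEnvVars() or any other code from the repository; the function names, the SECRET_NAME pattern, the sample setting values and the image/per-container inputs are all assumptions constructed for the illustration. It goes slightly beyond the commit text by rejecting keys that are not valid environment-variable names before they can reach the container spec.

```javascript
// Added example (not the project's code). Demonstrates parsing the
// default_container_env_vars setting in both supported shapes, merging it
// with image and per-container values in the documented order, and building
// a settings view that withholds secret values. All names are assumptions.

const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;
// Assumed convention: values of keys matching this are never echoed to the UI.
const SECRET_NAME = /(PASSWORD|SECRET|TOKEN)$/i;

// Normalise the stored setting (a JSON string from the TEXT column, or an
// already-parsed value) into an array of {key, value, description}.
function parseDefaultContainerEnvVars(raw) {
  if (raw == null || raw === '') return [];
  let parsed = raw;
  if (typeof raw === 'string') {
    try {
      parsed = JSON.parse(raw);
    } catch (err) {
      throw new Error(`default_container_env_vars is not valid JSON: ${err.message}`);
    }
  }
  let entries;
  if (Array.isArray(parsed)) {
    // Current shape: [{key, value, description}]
    entries = parsed.map((e) => ({
      key: String(e && e.key != null ? e.key : '').trim(),
      value: e && e.value != null ? String(e.value) : '',
      description: e && e.description != null ? String(e.description) : '',
    }));
  } else if (parsed && typeof parsed === 'object') {
    // Legacy shape: {KEY: value}; descriptions did not exist yet
    entries = Object.entries(parsed).map(([key, value]) => ({
      key: key.trim(),
      value: value != null ? String(value) : '',
      description: '',
    }));
  } else {
    throw new Error('default_container_env_vars must be a JSON array or object');
  }
  // Drop names that are not valid environment-variable identifiers so an
  // empty key or a "FOO=bar" key cannot be smuggled into the container spec.
  return entries.filter((e) => ENV_NAME.test(e.key));
}

// Serialise form entries back to the array shape that is persisted.
function serializeEnvVarEntries(entries) {
  return JSON.stringify(
    entries
      .filter((e) => e.key && ENV_NAME.test(e.key))
      .map((e) => ({ key: e.key, value: e.value ?? '', description: e.description ?? '' }))
  );
}

// Build the KEY=value list handed to the container runtime. Later sources
// win: image defaults < system defaults < per-container values. Descriptions
// are dropped because only KEY=value reaches the container.
function mergeContainerEnv(imageDefaults, systemEntries, perContainer) {
  const merged = {};
  for (const line of imageDefaults) {
    const i = line.indexOf('=');
    if (i > 0) merged[line.slice(0, i)] = line.slice(i + 1);
  }
  for (const e of systemEntries) merged[e.key] = e.value;
  for (const [k, v] of Object.entries(perContainer)) merged[k] = String(v);
  return Object.entries(merged).map(([k, v]) => `${k}=${v}`);
}

// View model for the settings page: secret values are replaced by a
// set/not-set indicator instead of being rendered into the form.
function redactForUi(entries) {
  return entries.map((e) =>
    SECRET_NAME.test(e.key)
      ? { key: e.key, value: '', description: e.description, isSet: e.value !== '', secret: true }
      : { ...e, isSet: e.value !== '', secret: false }
  );
}

// Constructed sample inputs (not values from the project).
const legacy = JSON.stringify({ WAZUH_MANAGER: 'wazuh.example.internal', TZ: 'UTC' });
const current = JSON.stringify([
  { key: 'WAZUH_MANAGER', value: 'wazuh.example.internal', description: 'Manager host' },
  { key: 'WAZUH_REGISTRATION_PASSWORD', value: 'hunter2', description: 'Enrollment password' },
  { key: 'bad key', value: 'x', description: 'rejected by ENV_NAME' },
]);

const systemDefaults = parseDefaultContainerEnvVars(current);
console.log(mergeContainerEnv(['TZ=Etc/UTC', 'PATH=/usr/bin'], systemDefaults, { TZ: 'Europe/Berlin' }));
console.log(redactForUi(systemDefaults));
console.log(parseDefaultContainerEnvVars(legacy));
```

The merge keeps insertion order from the image defaults, so a per-container override of TZ replaces the value in place rather than appending a second TZ entry; the invalid "bad key" entry is silently dropped by the name filter, and the registration password never appears in the view model, only its isSet flag.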
…ce-server into cmyers_wazuh-int
runleveldev reviewed, Mar 23, 2026
runleveldev reviewed, Mar 23, 2026
runleveldev requested changes, Mar 23, 2026
Make the first-boot enrollment more reliable and ensure the enrollment helper is executable. Changes:
- Dockerfile: update comment to reflect using ConditionFileNotEmpty and COPY the enroll script with --chmod=0755 so it is executable in the image.
- systemd unit: replace ConditionPathExists with ConditionFileNotEmpty (negated) so the service runs when /var/ossec/etc/client.keys is missing or empty — this avoids skipping re-enrollment after a failed attempt because the agent may create client.keys even on failure.
- enroll script: write an <enrollment><agent_name> entry into ossec.conf and use systemctl restart wazuh-agent (instead of start) so the agent picks up the updated configuration even if a stale instance is running.
These changes ensure re-enrollment can occur after failed attempts and that the enrollment script runs with correct permissions.
This pull request introduces a new system for managing default environment variables for containers, with a focus on supporting Wazuh agent enrollment out-of-the-box. It adds a UI for editing default environment variables, updates the backend and database schema to store them as structured data, and seeds initial Wazuh-related variables. Additionally, it integrates a first-boot Wazuh agent enrollment service into the base container image.
Default Container Environment Variables Management:
- settings/index.ejs: UI for managing default environment variables, allowing users to add, edit, and remove variables with descriptions. These are injected into every new container.
- settings.js: support for storing and retrieving these variables as an array of {key, value, description} objects, with migration support for the old flat-object format.
- Settings.value database column type changed from STRING to TEXT to accommodate larger/structured data, and the model updated accordingly.
Wazuh Agent Enrollment Integration:
- default_container_env_vars seeded with Wazuh agent variables (WAZUH_MANAGER, WAZUH_REGISTRATION_PASSWORD), including migration logic to merge with existing values.
- wazuh-enroll.sh script and wazuh-enroll.service systemd unit, which automatically enroll the agent if the relevant environment variables are set, and securely clean up credentials after enrollment.
These changes make it easier to centrally manage environment variables for containers and enable secure, automated Wazuh agent enrollment for improved monitoring and security.