Skip to content

Add a rollover policy to the setup plugin #269

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 11 commits into
base: 6.0.0
Choose a base branch
from
Draft

Add a rollover policy to the setup plugin #269

wants to merge 11 commits into from

Conversation

f-galland
Copy link
Member

Description

This PR is meant as a proof of concept that a rollover policy can be set up from a plugin, outside the Index Management plugin itself.
It does so by writing a policy json to the .opendistro-ism-config much like the Index Management plugin itself would do.

Issues Resolved

#435

@f-galland f-galland self-assigned this Feb 7, 2025
@f-galland
Copy link
Member Author

Policy Document

The setup plugin has been modified to index a document to the .opendistro-ism-config index which look as follows:

{
  "policy": {
    "policy_id": "wazuh_rollover_policy",
    "description": "Example rollover policy.",
    "last_updated_time": 1738947466825,
    "schema_version": 21,
    "error_notification": null,
    "default_state": "rollover",
    "states": [
      {
        "name": "rollover",
        "actions": [
          {
            "retry": {
              "count": 3,
              "backoff": "exponential",
              "delay": "1m"
            },
            "rollover": {
              "min_doc_count": 1,
              "copy_alias": false
            }
          }
        ],
        "transitions": []
      }
    ],
    "ism_template": [
      {
        "index_patterns": [
          "test-index-*"
        ],
        "priority": 100,
        "last_updated_time": 1738947466825
      }
    ],
    "user": {
      "name": "admin",
      "backend_roles": [
        "admin"
      ],
      "roles": [
        "own_index",
        "all_access"
      ],
      "custom_attribute_names": [],
      "user_requested_tenant": null
    }
  }
}

@f-galland
Copy link
Member Author

Index Management index template

During testing we found out that our plugin was quicker to load than the Index Management one, so a template must be set up for the .opendistro-ism-config index before creation.

We took the mappings from it from here:

@f-galland
Copy link
Member Author

Trigger the job

An index needs to be written, which matches the index pattern the policy expects, while also being set up as the write index for the rollover alias:

curl -XPUT http://localhost:9200/test-index-0000 -H 'Content-Type: application/json' -d '{"aliases":{"test-alias":{"is_write_index":true}}}'

@f-galland
Copy link
Member Author

Check that indices are being rotated

In order to speed up execution of the rollover policy, the following command can be issued:

curl -XPUT http://localhost:9200/_cluster/settings?pretty=true -H'Content-Type: application/json' -d '{"persistent": {"plugins.index_state_management.job_interval":1}}'

Now we can index new commands pointing towards our index alias:

curl -XPOST http://localhost:9200/test-alias/_doc -H 'Content-Type: application/json' -d '{"field":"value"}'

@f-galland
Copy link
Member Author

Check the policy is reckoned

We can now check whether the ISM plugin is recognizing our policy and will apply it to the right index

$ curl 'http://localhost:9200/_plugins/_ism/explain?pretty'
{
  "test-index-0000" : {
    "index.plugins.index_state_management.policy_id" : "wazuh_rollover_policy",
    "index.opendistro.index_state_management.policy_id" : "wazuh_rollover_policy",
    "index" : "test-index-0000",
    "index_uuid" : "v6dYvuxlS9mJ3DE_78-IyA",
    "policy_id" : "wazuh_rollover_policy",
    "enabled" : true
  },
  "total_managed_indices" : 1
}

@f-galland f-galland mentioned this pull request Feb 7, 2025
Closed
4 tasks
@mcasas993 mcasas993 self-assigned this Mar 11, 2025
@mcasas993
Copy link
Contributor

When changing the OpenSearch version from 2.18.0 to 2.19.1 the solution stops working.

At first the template was not configured in .opendistro-ism-config and generated problems with the mapping. Configuring the mapping directly in the .opendistro-ism-config index creation solves that problem. Although when the mapping started working the wazuh-command index and the wazuh-alerts index stopped being managed by the previously created policy.

I think probably the problem is associated with the cluster reload process and this logs:

[2025-03-13T11:45:26,172][INFO ][o.o.i.i.ManagedIndexCoordinator] [integTest-0] Performing ISM template migration.
[2025-03-13T11:45:26,173][INFO ][o.o.i.i.m.ISMTemplateService] [integTest-0] Doing ISM template migration 1 time.
[2025-03-13T11:45:26,174][INFO ][o.o.i.i.m.ISMTemplateService] [integTest-0] Use 2025-03-13T13:44:26.162Z as migrating ISM template last_updated_time
[2025-03-13T11:45:26,174][INFO ][o.o.i.i.m.ISMTemplateService] [integTest-0] ISM templates: {}
[2025-03-13T11:45:26,175][INFO ][o.o.i.i.m.ISMTemplateService] [integTest-0] Policies to update: []
[2025-03-13T11:45:26,179][INFO ][o.o.i.i.m.ISMTemplateService] [integTest-0] Failure experienced when migrating ISM Template and update ISM policies: {}
[2025-03-13T11:45:26,189][DEBUG][o.o.c.c.Coordinator      ] [integTest-0] initialized PublicationContext using class: class org.opensearch.cluster.coordination.PublicationTransportHandler$PublicationContext
[2025-03-13T11:45:26,190][DEBUG][o.o.c.c.C.CoordinatorPublication] [integTest-0] publishing version 44 to [PublicationTarget{discoveryNode={integTest-0}{Id2z15qKTuqYX8kKx1ZwwA}{sQ_WrKBKSQWN9zVIOEHYSg}{127.0.0.1}{127.0.0.1:9300}{dimr}{testattr=test, shard_indexing_pressure_enabled=true}, state=NOT_STARTED, ackIsPending=true}]
[2025-03-13T11:45:26,190][DEBUG][o.o.c.c.PublicationTransportHandler] [integTest-0] received diff cluster state version [44] with uuid [9p89_bUYQXiX5cFna-Ny4w], diff size [200]
[2025-03-13T11:45:26,191][DEBUG][o.o.c.c.Coordinator      ] [integTest-0] handlePublishRequest: handling version [44] from [{integTest-0}{Id2z15qKTuqYX8kKx1ZwwA}{sQ_WrKBKSQWN9zVIOEHYSg}{127.0.0.1}{127.0.0.1:9300}{dimr}{testattr=test, shard_indexing_pressure_enabled=true}]
[2025-03-13T11:45:26,218][INFO ][o.o.c.s.ClusterSettings  ] [integTest-0] updating [plugins.index_state_management.template_migration.control] from [0] to [-1]
[2025-03-13T11:45:26,220][DEBUG][o.o.c.c.C.CoordinatorPublication] [integTest-0] publication ended successfully: Publication{term=1, version=44}
[2025-03-13T11:45:26,222][WARN ][o.o.c.r.a.AllocationService] [integTest-0] Falling back to single shard assignment since batch mode disable or multiple custom allocators set
[2025-03-13T11:45:26,225][INFO ][o.o.i.i.m.ISMTemplateService] [integTest-0] Successfully update template migration setting
[2025-03-13T11:46:26,165][INFO ][o.o.i.i.ManagedIndexCoordinator] [integTest-0] Performing move cluster state metadata.
[2025-03-13T11:46:26,165][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Doing metadata migration 2 time.
[2025-03-13T11:46:26,165][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Corrupt managed indices with outdated index uuid in metadata: []
[2025-03-13T11:47:26,166][INFO ][o.o.i.i.ManagedIndexCoordinator] [integTest-0] Performing move cluster state metadata.
[2025-03-13T11:47:26,167][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Doing metadata migration 3 time.
[2025-03-13T11:47:26,167][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Corrupt managed indices with outdated index uuid in metadata: []
[2025-03-13T11:48:26,167][INFO ][o.o.i.i.ManagedIndexCoordinator] [integTest-0] Performing move cluster state metadata.
[2025-03-13T11:48:26,167][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Doing metadata migration 4 time.
[2025-03-13T11:48:26,167][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Corrupt managed indices with outdated index uuid in metadata: []
[2025-03-13T11:48:26,168][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Move Metadata succeed, set finish flag to true. Indices failed to get indexed: {}
[2025-03-13T11:48:26,175][DEBUG][o.o.c.c.Coordinator      ] [integTest-0] initialized PublicationContext using class: class org.opensearch.cluster.coordination.PublicationTransportHandler$PublicationContext
[2025-03-13T11:48:26,176][DEBUG][o.o.c.c.C.CoordinatorPublication] [integTest-0] publishing version 45 to [PublicationTarget{discoveryNode={integTest-0}{Id2z15qKTuqYX8kKx1ZwwA}{sQ_WrKBKSQWN9zVIOEHYSg}{127.0.0.1}{127.0.0.1:9300}{dimr}{testattr=test, shard_indexing_pressure_enabled=true}, state=NOT_STARTED, ackIsPending=true}]
[2025-03-13T11:48:26,177][DEBUG][o.o.c.c.PublicationTransportHandler] [integTest-0] received diff cluster state version [45] with uuid [eV6iMtDJSNyld5tQuIiJyw], diff size [219]
[2025-03-13T11:48:26,178][DEBUG][o.o.c.c.Coordinator      ] [integTest-0] handlePublishRequest: handling version [45] from [{integTest-0}{Id2z15qKTuqYX8kKx1ZwwA}{sQ_WrKBKSQWN9zVIOEHYSg}{127.0.0.1}{127.0.0.1:9300}{dimr}{testattr=test, shard_indexing_pressure_enabled=true}]
[2025-03-13T11:48:26,205][INFO ][o.o.c.s.ClusterSettings  ] [integTest-0] updating [plugins.index_state_management.metadata_migration.status] from [0] to [1]
[2025-03-13T11:48:26,205][INFO ][o.o.i.i.ManagedIndexCoordinator] [integTest-0] Canceling metadata moving job because of cluster setting update.
[2025-03-13T11:48:26,206][DEBUG][o.o.c.c.C.CoordinatorPublication] [integTest-0] publication ended successfully: Publication{term=1, version=45}
[2025-03-13T11:48:26,207][WARN ][o.o.c.r.a.AllocationService] [integTest-0] Falling back to single shard assignment since batch mode disable or multiple custom allocators set
[2025-03-13T11:48:26,208][INFO ][o.o.i.i.MetadataService  ] [integTest-0] Successfully metadata template migration setting to 1
[2025-03-13T11:49:26,028][INFO ][o.o.j.s.JobSweeper       ] [integTest-0] Running full sweep
[2025-03-13T11:49:26,167][INFO ][o.o.i.i.PluginVersionSweepCoordinator] [integTest-0] Canceling sweep ism plugin version job

@f-galland f-galland force-pushed the 591-rollover-policy branch from feb8ef2 to 06f9a1d Compare April 7, 2025 15:19
@f-galland
Copy link
Member Author

After the latest changes, the policy is properly loaded into the ism plugin:

Check the plugin's index was created

 
fede@tyner:~
$ curl -s 'http://localhost:9200/.opendistro-ism-config/_settings' | jq
{
  ".opendistro-ism-config": {
    "settings": {
      "index": {
        "replication": {
          "type": "DOCUMENT"
        },
        "refresh_interval": "5s",
        "hidden": "true",
        "number_of_shards": "1",
        "provided_name": ".opendistro-ism-config",
        "creation_date": "1744039677274",
        "number_of_replicas": "0",
        "uuid": "wOv6F4feRai9fUWAxQ7HGg",
        "version": {
          "created": "136407927"
        }
      }
    }
  }
}

Trigger the job

 
fede@tyner:~
$ curl -XPUT http://localhost:9200/test-index-0000 -H 'Content-Type: application/json' -d '{"aliases":{"test-alias":{"is_write_index":true}}}'
{"acknowledged":true,"shards_acknowledged":true,"index":"test-index-0000"}

Check the policy was processed

 
fede@tyner:~
$ curl 'http://localhost:9200/_plugins/_ism/explain?pretty'
{
  "test-index-0000" : {
    "index.plugins.index_state_management.policy_id" : "wazuh_rollover_policy",
    "index.opendistro.index_state_management.policy_id" : "wazuh_rollover_policy",
    "index" : "test-index-0000",
    "index_uuid" : "ejlCKdBhS5yW9cHYl0nSRg",
    "policy_id" : "wazuh_rollover_policy",
    "enabled" : true
  },
  "total_managed_indices" : 1
}

@f-galland
Copy link
Member Author

Index rotation works:

fede@tyner:~
$ curl http://localhost:9200/_cat/indices?s=index
yellow open .opendistro-job-scheduler-lock   B8LqoLW1RlqQWjX06X1XUg 1 1  3 21 34.3kb 34.3kb
green  open test-index-0000                  ejlCKdBhS5yW9cHYl0nSRg 1 0 14  0  7.5kb  7.5kb
green  open test-index-000001                CQOn5rezQxytyhsQUa_myQ 1 0 16  0  7.5kb  7.5kb
green  open test-index-000002                un3eTVgaRSWfTm7I_eagWA 1 0 14  0    4kb    4kb
green  open test-index-000003                e4TqINtKTDKBduiNdoNaNg 1 0  0  0   208b   208b
green  open wazuh-agents                     1DLMbNV4Rmuuh5QQgd4_iw 1 0  0  0   208b   208b
green  open wazuh-alerts-5.x-0001            yczOfTs8R5qvJA51AlW_2A 1 0  0  0   208b   208b
green  open wazuh-commands                   SBYfmNdhTAGrbnamLx0HnA 1 0  0  0   208b   208b
green  open wazuh-custom-users               wDWHbqfqS6W_7YWX4S-YEw 1 0  0  0   208b   208b
green  open wazuh-cve                        WGjYE2YOREe5o8-iqqS9Dg 1 0  0  0   208b   208b
green  open wazuh-internal-users             Cd31StxfSpi21wmFtUsUPQ 1 0  0  0   208b   208b
green  open wazuh-states-fim                 GyZn2GhuTN2tq4G-_T6hsQ 1 0  0  0   208b   208b
green  open wazuh-states-inventory-hardware  uIq8geHjSHCiQi_IVoo1vw 1 0  0  0   208b   208b
green  open wazuh-states-inventory-hotfixes  LKNc70gpSnCo37IKGw99LA 1 0  0  0   208b   208b
green  open wazuh-states-inventory-networks  n9v1Vl79QBC5nIDJ4BMaGg 1 0  0  0   208b   208b
green  open wazuh-states-inventory-packages  ETEkYdXMQxGGUKsLJoaOZg 1 0  0  0   208b   208b
green  open wazuh-states-inventory-ports     4J-RDoAoQhK9R4ihxygzKw 1 0  0  0   208b   208b
green  open wazuh-states-inventory-processes AqrPreE8Ruix5kGGIgYOvw 1 0  0  0   208b   208b
green  open wazuh-states-inventory-system    4s6GT6U6Sl2W1dqOtpB0xw 1 0  0  0   208b   208b
green  open wazuh-states-sca                 jTFKx-_7SSiE_CovTAcOkQ 1 0  0  0   208b   208b
green  open wazuh-states-vulnerabilities     AxOD1r_9QR6Ygy5ia5MbPw 1 0  0  0   208b   208b
fede@tyner:~

@f-galland
Copy link
Member Author

I've been trying to get integration tests working in order to properly test this "hack" in order to catch future breaks.

Unfortunately, the integTest gradle task seem to get hold of a separate namespace, where it cannot access the plugin's created indices.
I know the plugin is loaded properly, because I can see the logs in build/testclusters/integTest-0/logs/integTest.log, but when trying to list the indices from within the tests like so:

log.info(Arrays.toString(client().admin().indices().prepareGetIndex().addIndices("*").get().indices()))

I get an empty list.

I tried overriding nodePlugins() to get access to the SetupPlugin class:

@Override
protected Collection<Class<? extends Plugin>> nodePlugins() {
    return Collections.singletonList(SetupPlugin.class);
}

But when I had this loaded, the tests would fail with a ResourceDuplicatedException, indicating the index creation was executed twice.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@mcasas993 mcasas993

@f-galland f-galland

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Spike - Viability analysis of creating ISM policies within a plugin
2 participants
@f-galland @mcasas993