By Adrian | September 12, 2019
It's upgrading time!
It's been a while since I've visited TheHive, and version 3.4.0 has been released. The astute reader will notice that when I originally stood up my instance of TheHive I opted for version 3.3.1, and yes, that will be getting an upgrade, but the reason for this post is that this is a test run for the instance upgrade at work; that's what we're using, so that's what I'm testing. The install is identical to the 3.3.1 guide I wrote.
So here we are pre-upgrade. There are a grand total of 2 test cases.
Backup
The first step is to perform a backup of the Elasticsearch indices, which requires some additional configuration. Create a backup folder location with the following commands:
mkdir /opt/backup
# The Elasticsearch service account needs write access here. For some reason the 'other' group needed xx7 permission to the folder, and I'm sure there's a tighter way to control this
chmod 777 /opt/backup
Edit the /etc/elasticsearch/elasticsearch.yml file and include the following line:
path.repo: ["/opt/backup"]
Now restart the Elasticsearch service so this change takes effect:
sudo service elasticsearch restart
To perform the backup we need the index details; you get them with a web request to your Elasticsearch instance, which may or may not be the same box. Note the index in this case is the_hive_14. The number refers to the schema version.
curl 'localhost:9200/_cat/indices?v'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open the_hive_14 qf4EdQqgRDOTWVHKbpTo3A 5 1 39 0 110.2kb 110.2kb
To register a snapshot repository, use this command.
curl -XPUT 'http://localhost:9200/_snapshot/the_hive_backup' -d '{
"type": "fs",
"settings": {
"location": "/opt/backup",
"compress": true
}
}'
# Output if successful:
{"acknowledged":true}
# One potential error scenario - Check the permissions on /opt/backup in this case
{"error":{"root_cause":[{"type":"exception","reason":"failed to create blob container"}],"type":"exception","reason":"failed to create blob container","caused_by":{"type":"access_denied_exception","reason":"/opt/backup/tests-q0DQmMtDQo-zC2GZAcqHlQ"}},"status":500}
And finally we can create a backup by using this command (replace <INDEX> with the index identified earlier, in this case the_hive_14):
curl -XPUT 'http://localhost:9200/_snapshot/the_hive_backup/snapshot_1?wait_for_completion=true&pretty' -d '{
"indices": "<INDEX>"
}'
# Output
{
"snapshot" : {
"snapshot" : "snapshot_1",
"uuid" : "wOHULukYTia5lUny7Yyyug",
"version_id" : 5061699,
"version" : "5.6.16",
"indices" : [
"the_hive_14"
],
"state" : "SUCCESS",
"start_time" : "2019-09-12T09:16:11.456Z",
"start_time_in_millis" : 1568279771456,
"end_time" : "2019-09-12T09:16:12.087Z",
"end_time_in_millis" : 1568279772087,
"duration_in_millis" : 631,
"failures" : [ ],
"shards" : {
"total" : 5,
"failed" : 0,
"successful" : 5
}
}
}
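The same repository registration and snapshot run as one script, as an added example that is not part of the original post: it picks the current the_hive_<N> index from the _cat output, registers the repository, takes the snapshot and refuses to report success unless each Elasticsearch reply checks out (the permission error above shows why the registration reply is worth checking). It assumes Elasticsearch 5.x on localhost:9200 with path.repo set as above; ES, REPO, BACKUP_DIR and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: register the repository, snapshot
# the current the_hive_<N> index and check each Elasticsearch reply before
# treating the backup as done. Assumes Elasticsearch 5.x on localhost:9200
# with path.repo configured as above; ES, REPO and BACKUP_DIR are my names.
ES="${ES:-http://localhost:9200}"
REPO="the_hive_backup"
BACKUP_DIR="/opt/backup"   # must be writable by the elasticsearch service account

# Pick the the_hive_<N> index with the highest schema number from `_cat/indices?v`.
hive_index() {
    awk '$3 ~ /^the_hive_[0-9]+$/ { n = substr($3, 10) + 0
            if (n > max) { max = n; idx = $3 } }
         END { print idx }'
}

# Repository registration reply must be {"acknowledged":true}.
repo_registered() {
    printf '%s' "$1" | grep -q '"acknowledged" *: *true'
}

# Snapshot reply must report SUCCESS, an empty failures list and 0 failed shards.
snapshot_ok() {
    printf '%s' "$1" | grep -q '"state" *: *"SUCCESS"' || return 1
    printf '%s' "$1" | grep -q '"failures" *: *\[ *\]' || return 1
    failed=$(printf '%s' "$1" | tr -d ' \n' | sed -n 's/.*"failed":\([0-9]*\).*/\1/p')
    [ "$failed" = "0" ]
}

backup_index() {
    idx=$(curl -s "$ES/_cat/indices?v" | hive_index)
    [ -n "$idx" ] || { echo "no the_hive_* index found" >&2; return 1; }
    reg=$(curl -s -XPUT "$ES/_snapshot/$REPO" -H 'Content-Type: application/json' \
        -d "{\"type\":\"fs\",\"settings\":{\"location\":\"$BACKUP_DIR\",\"compress\":true}}")
    repo_registered "$reg" || { echo "repository not registered (check $BACKUP_DIR permissions): $reg" >&2; return 1; }
    name="snapshot_$(date -u +%Y%m%d%H%M%S)"
    snap=$(curl -s -XPUT "$ES/_snapshot/$REPO/$name?wait_for_completion=true" \
        -H 'Content-Type: application/json' -d "{\"indices\":\"$idx\"}")
    snapshot_ok "$snap" || { echo "snapshot $name did not complete cleanly: $snap" >&2; return 1; }
    echo "$idx backed up as $REPO/$name"
}

# Only talk to a live node when invoked as: sh backup.sh run
if [ "${1:-}" = "run" ]; then backup_index; fi
```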
Upgrade to 3.4.0
With the backup out of the way, we can go about upgrading TheHive to 3.4.0 now.
Stop the thehive service
service thehive stop
Import the PGP key for TheHive (optional, but do it)
sudo wget https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY
gpg --import PGP-PUBLIC-KEY
# Output
gpg: /home/thehive/.gnupg/trustdb.gpg: trustdb created
gpg: key 3D99BB18562CBC1C: public key "TheHive Project (TheHive release key) <support@thehive-project.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
Download and Verify TheHive
cd /opt
sudo wget http://dl.bintray.com/thehive-project/binary/thehive-3.4.0-1.zip
sudo wget http://dl.bintray.com/thehive-project/binary/thehive-3.4.0-1.zip.asc
# Verify the signature file against the download to ensure integrity, because supply chain, that's why
gpg --verify thehive-3.4.0-1.zip.asc thehive-3.4.0-1.zip
# Output
gpg: Signature made Thu 05 Sep 2019 12:45:58 PM UTC
gpg: using RSA key 3D99BB18562CBC1C
gpg: Good signature from "TheHive Project (TheHive release key) <support@thehive-project.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0CD5 AC59 DE5C 5A8E 0EE1 3849 3D99 BB18 562C BC1C
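The "not certified" warning means gpg only confirms the signature is valid for some key it holds, not that it is the key you meant. As an added example that is not part of the original post, this script makes the check explicit by reading gpg's machine-readable status output and requiring the primary key fingerprint shown above; it assumes gpg is installed and the release key was imported as shown, and check_validsig and verify_release are my names.

```shell
#!/bin/sh
# Added example, not from the original post: verify the release archive against
# its detached signature and require that the signing key's primary fingerprint
# equals the one we expect, so the "not certified" warning above is covered.
# Assumes gpg is installed and the TheHive release key was imported as above.
EXPECTED_FPR="0CD5AC59DE5C5A8E0EE138493D99BB18562CBC1C"   # fingerprint from the verify output, spaces removed

# Read `gpg --status-fd 1` output on stdin; succeed only on a VALIDSIG line whose
# signing-key fingerprint (field 3) or primary-key fingerprint (last field) matches $1.
# A GOODSIG from some other key, or a BADSIG, fails the check.
check_validsig() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Verify a downloaded archive: $1 = archive, $2 = detached .asc signature.
verify_release() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_validsig "$EXPECTED_FPR"
}

# Usage: verify_release thehive-3.4.0-1.zip thehive-3.4.0-1.zip.asc && sudo unzip thehive-3.4.0-1.zip
```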
Extract TheHive files
sudo unzip thehive-3.4.0-1.zip
After extracting, you should have the following:
Now we break the symbolic link thehive and point it at our new 3.4.0 instance.
sudo rm thehive
sudo ln -s thehive-3.4.0-1 thehive
The new file listing should look like this:
Now we need to copy over the existing application.conf file and make a change to it. Pay particular attention to the port number change (from 9300 to 9200), and the parameter change from host = to uri =.
sudo cp /opt/thehive-3.3.1-1/conf/application.conf /opt/thehive/conf/
sudo nano /opt/thehive/conf/application.conf
# Modify the line host = ["127.0.0.1:9300"] to be the following:
uri = "http://127.0.0.1:9200"
Now start the thehive service again and ensure there are no errors.
sudo service thehive start
sudo service thehive status
Post upgrade steps
Once the service has restarted and had a few moments to settle, fire up your browser and navigate to the TheHive URL. You get the database upgrade prompt. The upgrade could take some time depending on the number of cases you have.
Afterwards, you are prompted to create an admin login and password.
And once you log in again, you have a shiny upgraded version.
To confirm the Elasticsearch side, you can run this command (note there are now 2 indices):
curl 'localhost:9200/_cat/indices?v'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open the_hive_15 wnFAuxgST3uGxhys8XdIdw 5 1 42 0 86kb 86kb
yellow open the_hive_14 qf4EdQqgRDOTWVHKbpTo3A 5 1 39 0 110.2kb 110.2kb
Now there is an Elasticsearch component to the upgrade, but I need to test that out before I write it up.