#199 update and customized for TheHive only

TheHive-Project · Oct 24, 2020 · 43cddb2 · 43cddb2
1 parent 8a76e74
commit 43cddb2
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 56 deletions.
diff --git a/admin/upgrade_to_thehive_3_5_and_es_7_x.md b/admin/upgrade_to_thehive_3_5_and_es_7_x.md
@@ -1,4 +1,4 @@
-# Migration from Elasticsearch 6.8.2 to ES 7.8.1
+# Migration from Elasticsearch 6.8.2 to ES 7.x
 
 ---
 ⚠️ IMPORTANT NOTE
@@ -14,25 +14,25 @@
 
 The software `jq` is required to manipulate JSON and create new indexes. More information at [https://stedolan.github.io/jq/](). 
 
-## How to identify if your index should be reindexed
+## Identify if your index should be reindexed
 
 You can easily identify if indexes should be reindexed or not. On the index named `the_hive_15` run the following command: 
 
 ```
 curl -s http://127.0.0.1:9200/the_hive_15?human | jq '.the_hive_15.settings.index.version.created'
 ```
 
-if the output is similar to `"5.x.x"`  then reindexing is required, you should follow this guide. 
+if the output is similar to `"5xxxxxx"`  then reindexing is required, you should follow this guide. 
 
-If it is   `"6.x.x"` then the index can be read by Elasticsearch 7.8.x. Upgrade Elasticsearch, and TheHive-3.5.0-RC1 or Cortex 3.1.0-RC1.
+If it is   `"6xxxxxx"` then the index can be read by Elasticsearch 7.8.x. Upgrade Elasticsearch, and TheHive-3.5.0.
 
-### Migration guide
+## Migration guide
 
-## Current status
+### Current status
 
 Current context is: 
 - Elasticsearch 6.8.2
-- TheHive 3.4.2 and/or Cortex 3.0.1
+- TheHive 3.4.2
 
 All up and running. 
 
@@ -50,18 +50,17 @@ green  open   the_hive_15     Oap-I61ySgyv6EAI1ZUTFQ   5   0      30977
 ```
 
 
-The index name is `the_hive_15`. Record this somewhere. (default index for Cortex is `cortex_4`)
+The index name is `the_hive_15`. Record this somewhere.
 
-## Stop services
+### Stop services
 
 Before starting updating the database, lets stop applications:
 
 ```
 sudo service thehive stop 
-sudo service cortex stop
 ```
 
-## Create a new index
+### Create a new index
 
 
 The First operation lies in creating a new index named `new_the_hive_15` with settings from current index `the_hive_15` (ensure to keep index version, needed for future upgrade).
@@ -95,7 +94,7 @@ yellow open   new_the_hive_15 A2KLoZPpSXygutlfy_RNCQ   5   1          0
 green  open   the_hive_15     Oap-I61ySgyv6EAI1ZUTFQ   5   0      30977           36     33.2mb         33.2mb
 ```
 
-## Proceed to Reindex 
+### Proceed to Reindex 
 
 Next operation lies in running the reindex command in the newly created index:
 
@@ -135,7 +134,7 @@ After a moment, you should get a similar output:
 }
 ```
 
-## Ensure new index has been created
+### Ensure new index has been created
 
 Run the following command, and ensure the new index is like the current one (size can vary):
 
@@ -151,7 +150,7 @@ green  open   new_the_hive_15 GV-3Y8QjTjWw0F-p2sjW6Q   5   0      30977
 green  open   the_hive_15     Oap-I61ySgyv6EAI1ZUTFQ   5   0      30977           36     33.2mb         33.2mb
 ```
 
-## Delete old indices
+### Delete old indices
 
 This is the thrilling part. 
 Now the new index `new_the_hive_15` is created and similar the_hive_15,  older indexes **should be completely deleted** from the database. To delete index named `the_hive_15`, run the following command:  
@@ -162,7 +161,7 @@ curl -XDELETE http://localhost:9200/the_hive_15
 
 Run the same command for older indexes if exist (the_hive_14, the_hive_13....). Elasticsearch 7.x cannot run with index created with Elasticsearch 5.x.
 
-## Create an alias 
+### Create an alias 
 
 Before stopping Elasticsearch service, let’s create an alias to keep index names in the future.  
 
@@ -201,10 +200,6 @@ The output should look like:
 ```
 
 
-## Run the same operations for Cortex index
-
-If you are using the same Elasticsearch database for Cortex, run same operations for cortex index (for example, named `cortex_4`). 
-
 ## Stop Elasticsearch version 6.8.2
 
 ```bash
@@ -222,29 +217,34 @@ http.host: 127.0.0.1
 discovery.type: single-node
 cluster.name: hive
 script.allowed_types: inline
-# thread_pool.index.queue_size: 100000   # ES 6
-thread_pool.search.queue_size: 100000    # ES 7
-# thread_pool.bulk.queue_size: 100000    # ES 6
-thread_pool.write.queue_size: 10000      # ES 7
-path.repo: backup
+thread_pool.search.queue_size: 100000
+thread_pool.write.queue_size: 10000    
 ```
 
 Now, upgrade Elasticsearch to version 7.x following the documentation for your Operating System, and ensure the service start successfully.
 
-## Install or update to TheHive 3.5.0-RC1 (or Cortex 3.1.0-RC1)
+## Install or update to TheHive 3.5.0
 
 ### DEB package
 
 If using Debian based Linux operating system, configure it to follow our beta repository:
 
 ```bash
 curl https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY | sudo apt-key add -
-echo 'deb https://deb.thehive-project.org beta main' | sudo tee -a /etc/apt/sources.list.d/thehive-project.list
+echo 'deb https://deb.thehive-project.org stable main es7' | sudo tee -a /etc/apt/sources.list.d/thehive-project.list
 sudo apt-get update
-sudo apt-get install thehive
 ```
+Then install it by running:
+
+```bash
+sudo apt install thehive
+```
+
+or
 
-or `sudo apt-get install cortex` if updating Cortex.
+```bash
+sudo apt install thehive=3.5.0-1
+```
 
 ### RPM
 
@@ -255,60 +255,46 @@ Setup your system to connect the RPM repository. Create and edit the file  `/etc
 enabled=1
 priority=1
 name=TheHive-Project RPM repository
-baseurl=http://rpm.thehive-project.org/beta/noarch
+baseurl=http://rpm.thehive-project.org/stable/es7
 gpgcheck=1
 ```
 
-Then you will able to install the package using yum:
+Then install it by running:
 
 ```bash
 sudo yum install thehive
 ```
 
-or  `sudo yum install cortex` if updating Cortex.
+or 
+
+```bash
+sudo yum install thehive-3.5.0-1
+```
 
 ### Install binaries
 
 ```bash
 cd /opt
-wget https://download.thehive-project.org/thehive-beta-latest.zip
-unzip thehive-beta-latest.zip
-ln -s thehive-x.x.x thehive
-
+wget https://download.thehive-project.org/thehive-3.5.0-1.zip
+unzip thehive-3.5.0-1.zip
+ln -s thehive-3.5.0-1 thehive
 ```
 
-
-
 ### Docker images
 
 Docker images are also provided on Dockerhub. 
 
-#### TheHive
-
-```bash
-docker pull thehiveproject/thehive:3.5.0-RC1
-```
-
-#### Cortex
-
 ```bash
-docker pull thehiveproject/cortex:3.1.0-0.2RC1
+docker pull thehiveproject/thehive:3.5.0-1
 ```
 
-
-
-⚠️  Starting from this version, docker image doesn't contain analyzers anymore. _Analyzers__/__Responders_ and Cortex have different life-cycles, their update including their dependencies should not be correlated to Cortex update. 
-
-It is recommended to use docker version of analyzers : this can be done by binding docker service docket inside cortex container (run with `-v /var/run/docker.sock:/var/run/docker.sock`).
-
-
 ### Update Database
 
-Connect to TheHive (and Cortex), the maintenance page should ask to update. 
+Connect to TheHive, the maintenance page should ask to update. 
 
 ![](/images/thehive-first-access_screenshot.png)
 
-Once updated, ensure a new index named `the_hive_16` has been created (or `cortex_5` for Cortex).
+Once updated, ensure a new index named `the_hive_16` has been created.
 
 
 ```bash

diff --git a/installation/install-guide.md b/installation/install-guide.md
@@ -1,4 +1,5 @@
 # Installation Guide
+
 Before installing TheHive, you need to choose the installation option which suits your environment as described below. Once you have a chosen an option and installed the software, read the [Configuration Guide](../admin/configuration.md). We also advise reading the [Administration Guide](../admin/admin-guide.md).
 
 ## Table of Contents

diff --git a/migration-guide.md b/migration-guide.md
@@ -1,7 +1,66 @@
 # Migration guide
 
 
-## from 3.3.x to 3.4.0
+## From 3.4.x to 3.5.0
+
+Taking into account the EoL of version 6.x. of Elasticsearch, TheHive 3.5.0 is the first version to support Elasticsearch 7.x. This version introduce breaking changes.  This time,  we had no choice, we were not able to make TheHive support smoothly the ES upgrade. 
+
+TheHive 3.5.0 supports Elasticsearch 7.x **ONLY**.
+
+This first steps before starting the upgrade process are: 
+
+- Identify the version of Elasticsearch which created your index
+- Stop TheHive service
+- Stop Elasticsearch service
+
+### How to identify the version of Elasticsearch which created your database index ?
+
+---
+
+The software `jq` is required to manipulate JSON and create new indexes. More information at [https://stedolan.github.io/jq/](). 
+
+---
+
+Run the following command : 
+
+```bash
+curl -s http://127.0.0.1:9200/the_hive_15?human | jq '.the_hive_15.settings.index.version.created'
+```
+
+- if the output is similar to `"5xxxxxx"`  then your database index has been created with Elasticsearch 5.x  reindexing is required, you should follow [a dedicated process to upgrade](../admin/upgrade_to_thehive_3_5_and_es_7_x.md). 
+- If it is   `"6xxxxxx"` then your database has been created with Elasticsearch 6.
+
+### Your database was created with Elasticsearch 5.x or earlier
+
+This is where things might be complicated. This upgrade progress  requires handling the database index by updating parameters, and reindex before updating Elasticsearch, and updating TheHive.
+
+Read carefully [the dedicated documentation](../admin/upgrade_to_thehive_3_5_and_es_7_x.md). It should help you run this specific actions on your Elasticsearch database, and also install or update application whether you are using DEB, RPM or binary packages, and even docker images.
+
+### Your database was created with Elasticsearch 6.x
+
+If you started using TheHive with Elasticsearch 6.x, then you just need to update the configuration of Elasticsearch to reflect this one: 
+
+```
+[..]
+http.host: 127.0.0.1
+discovery.type: single-node
+cluster.name: hive
+script.allowed_types: inline
+thread_pool.search.queue_size: 100000
+thread_pool.write.queue_size: 10000
+```
+
+Following parameters **are not accepted anymore* by Elasticsearch 7: 
+
+- `thread_pool.index.queue_size`
+- `thread_pool.bulk.queue_size` 
+
+With TheHive service stopped, ensure the new version of Elasticsearch starts.
+
+If everything is ok, then TheHive 3.5.0 can be installed. To run this operation successfully, you need to **update your repository configuration**  if you are using DEB and RPM packages, or specify the right version to install if using docker. Read carefully the [installation guide](../installation/install-guide.md). 
+
+
+## From 3.3.x to 3.4.0
 Starting from version 3.4.0-RC1, TheHive supports Elasticsearch 6 and will continue to work with Elasticsearch 5.x.
 
 TheHive 3.4.0-RC1 and later versions communicate with Elasticsearch using its HTTP service (9200/tcp by default) instead of its legacy binary protocol (9300/tcp by default). If you have a firewall between TheHive and Elasticsearch, you probably need to update its rules to change to the new port number.