Create keystore on package install #28928
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit removes the ability to specify that a plugin requires the keystore and instead creates the keystore on package installation or when Elasticsearch is started for the first time. The reason that we opt to create the keystore on package installation is to ensure that the keystore has the correct permissions (the package installation scripts run as root as opposed to Elasticsearch running as the elasticsearch user) and to enable removing the keystore on package removal if the keystore is not modified.
jasontedor
added
review
:Delivery/Packaging
|
run packaging tests |
|
FYI @elastic/es-core-infra. |
rjernst
approved these changes
Mar 7, 2018
| /usr/share/elasticsearch/bin/elasticsearch-keystore create | ||
| chown root:elasticsearch "$ES_PATH_CONF"/elasticsearch.keystore | ||
| chmod 660 "$ES_PATH_CONF"/elasticsearch.keystore | ||
| md5sum "$ES_PATH_CONF"/elasticsearch.keystore > "$ES_PATH_CONF"/elasticsearch.keystore.md5sum |
There was a problem hiding this comment.
Maybe name this something to indicate it is only the "initial" md5 sum? Otherwise someone might look at it and expect it to be kept up to date as changes are made to the keystone?
There was a problem hiding this comment.
It could also have "install" in the name instead of "initial" (or anything to indicate is is only for the version created at install time).
|
run packaging tests |
rjernst
approved these changes
Mar 7, 2018
| @@ -95,6 +95,11 @@ verify_package_installation() { | |||
| assert_file "$ESHOME/bin/elasticsearch-translog" f root root 755 | |||
| assert_file "$ESHOME/lib" d root root 755 | |||
| assert_file "$ESCONFIG" d root elasticsearch 2750 | |||
| assert_file "$ESCONFIG/elasticsearch.keystore" f root elasticsearch 660 | |||
|
|
|||
| sudo -u elasticsearch "$ESHOME/bin/elasticsearch-keystore" list | grep "keystore.seed" | |||
There was a problem hiding this comment.
Is this keystore list command meant to be checked? Is this run with set -e somewhere?
There was a problem hiding this comment.
All commands in the packaging tests are run with set -e (unless explicitly flipped, which we do not currently do anywhere).
|
run packaging tests |
* master: [TEST] AwaitsFix QueryRescorerIT.testRescoreAfterCollapse Decouple XContentType from StreamInput/Output (elastic#28927) Remove BytesRef usage from XContentParser and its subclasses (elastic#28792)
|
run packaging tests |
|
test this please |
|
run packaging tests |
jasontedor
force-pushed
the
package-create-keystore
branch
from
df95dcf to
d2f8fa9
Compare
|
run packaging tests |
1 similar comment
|
run packaging tests |
jasontedor
added a commit
that referenced
this pull request
Mar 12, 2018
This commit removes the ability to specify that a plugin requires the keystore and instead creates the keystore on package installation or when Elasticsearch is started for the first time. The reason that we opt to create the keystore on package installation is to ensure that the keystore has the correct permissions (the package installation scripts run as root as opposed to Elasticsearch running as the elasticsearch user) and to enable removing the keystore on package removal if the keystore is not modified.
|
@jasontedor This item appears in the Breaking changes section of the release notes, but I don't think I see it in the "Breaking Changes" page. Should we add info there? |
jkakavas
added a commit
to jkakavas/elasticsearch
that referenced
this pull request
Aug 23, 2021
Elasticsearch's keystore initial md5sum was added in elastic#28928 with the intention to allow us to remove the elasticsearch.keystore file upon package removal, if this hadn't been altered after installation. At that time this decision made perfect sense as the elasticsearch keystore only contains transient data by default ( keystore.seed ) that is meant to be useful for bootstrap related actions, and doesn't need to survive re-installations. With Security ON by default, we will be storing additional settings in the keystore upon installation(namely, the passwords for the PKCS#12 keystores used for TLS) and these have a more persistent nature. Since `remove` doesn't delete the configuration directories and files where said PKCS#12 keystores are stored, it makes sense to also not delete the elasticsearch.keystore which stores the passwords.
jkakavas
added a commit
that referenced
this pull request
Aug 23, 2021
Elasticsearch's keystore initial md5sum was added in #28928 with the intention to allow us to remove the elasticsearch.keystore file upon package removal, if this hadn't been altered after installation. At that time this decision made perfect sense as the elasticsearch keystore only contains transient data by default ( keystore.seed ) that is meant to be useful for bootstrap related actions, and doesn't need to survive re-installations. With Security ON by default, we will be storing additional settings in the keystore upon installation(namely, the passwords for the PKCS#12 keystores used for TLS) and these have a more persistent nature. Since `remove` doesn't delete the configuration directories and files where said PKCS#12 keystores are stored, it makes sense to also not delete the elasticsearch.keystore which stores the passwords.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit removes the ability to specify that a plugin requires the keystore and instead creates the keystore on package installation or when Elasticsearch is started for the first time. The reason that we opt to create the keystore on package installation is to ensure that the keystore has the correct permissions (the package installation scripts run as root as opposed to Elasticsearch running as the elasticsearch user) and to enable removing the keystore on package removal if the keystore is not modified.