I'm currently responsible for technology at Peaks.
khezen / docker-elasticsearch Goto Github PK
View Code? Open in Web Editor NEWElasticsearch Docker image including search-guard
License: MIT License
Elasticsearch Docker image including search-guard
License: MIT License
I'm currently responsible for technology at Peaks.
Unchanged configuration file, at startup:
elasticsearch | [2017-04-03T00:48:47,536][WARN ][o.e.d.z.UnicastZenPing ] [ezwfxYV] failed to resolve host [['127.0.0.1']
elasticsearch | java.lang.IllegalArgumentException: Invalid bracketed host/port range: ['127.0.0.1'
elasticsearch | at org.elasticsearch.transport.TcpTransport.parse(TcpTransport.java:831) ~[elasticsearch-5.3.0.jar:5.3.0]
elasticsearch | at org.elasticsearch.transport.TcpTransport.addressesFromString(TcpTransport.java:812) ~[elasticsearch-5.3.0.jar:5.3.0]
elasticsearch | at org.elasticsearch.transport.TransportService.addressesFromString(TransportService.java:665) ~[elasticsearch-5.3.0.jar:5.3.0]
elasticsearch | at org.elasticsearch.discovery.zen.UnicastZenPing.lambda$null$0(UnicastZenPing.java:212) ~[elasticsearch-5.3.0.jar:5.3.0]
elasticsearch | at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[?:1.8.0_121]
elasticsearch | at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:544) [elasticsearch-5.3.0.jar:5.3.0]
elasticsearch | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_121]
elasticsearch | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_121]
elasticsearch | at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
elasticsearch | [2017-04-03T00:48:47,570][WARN ][o.e.d.z.UnicastZenPing ] [ezwfxYV] failed to resolve host ['[::1]']]
elasticsearch | java.lang.IllegalArgumentException: IPv6 addresses must be bracketed: '[::1]']
elasticsearch | at org.elasticsearch.transport.TcpTransport.parse(TcpTransport.java:846) ~[elasticsearch-5.3.0.jar:5.3.0]
elasticsearch | at org.elasticsearch.transport.TcpTransport.addressesFromString(TcpTransport.java:812) ~[elasticsearch-5.3.0.jar:5.3.0]
elasticsearch | at org.elasticsearch.transport.TransportService.addressesFromString(TransportService.java:665) ~[elasticsearch-5.3.0.jar:5.3.0]
elasticsearch | at org.elasticsearch.discovery.zen.UnicastZenPing.lambda$null$0(UnicastZenPing.java:212) ~[elasticsearch-5.3.0.jar:5.3.0]
elasticsearch | at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[?:1.8.0_121]
elasticsearch | at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:544) [elasticsearch-5.3.0.jar:5.3.0]
elasticsearch | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_121]
elasticsearch | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_121]
elasticsearch | at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
I am running the docker image on openshift cluster, and am getting exactly the same error as #15 . I wonder what was the solution for that ?
Hello,
I upgraded elasticsearch from version 5.5.0 to 6.0 using docker image https://hub.docker.com/r/khezen/elasticsearch/tags/ and I get this error in the log:
/run/entrypoint.sh: line 16: gosu: command not found
/run/entrypoint.sh: line 17: gosu: command not found
/run/entrypoint.sh: line 22: gosu: command not found
Stalling for Elasticsearch...
gosu
command is used
https://github.com/khezen/docker-elasticsearch/blob/master/src/entrypoint.sh#L16
but seems that it has not installed yet. Please help me to confirm.
thanks a lot
Using the example docker-compose file in the readme. Works well with version 5, but stalls on version 6
elasticsearch_1 | at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.2.jar:6.2.2]
elasticsearch_1 | at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.2.jar:6.2.2]
elasticsearch_1 | ... 6 more
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
Hello!
First of all, thank you for this repo, @khezen. This project is great!
Well, I could not up the environment with the following docker compose.
It throws this error:
Failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]];
(...)
Unable to read /usr/share/elasticsearch/config/searchguard/ssl/d21ee5e02672-keystore.jks
(...)
Please make sure this files exists and is readable regarding to permissions];
When I list the keystore on container he have another name 5f3a9c3d072d-keystore.jks
. I really dont know why this happens, because the entrypoint.sh is executed when the container up. So:
Moment | HostName |
---|---|
Error log | d21ee5e02672 |
File | 5f3a9c3d072d |
Container | 4ff518b865da |
Do you have a hit?
version: '2'
services:
elasticsearch:
build: ../
environment:
ELASTIC_PWD: changeme
KIBANA_PWD: changeme
volumes:
- /data/elasticsearch:/usr/share/elasticsearch/data
- /etc/elasticsearch:/usr/share/elasticsearch/config
ports:
- "9200:9200"
- "9300:9300"
network_mode: bridge
restart: always
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | [2017-06-05T15:33:34,847][INFO ][o.e.n.Node ] [d21ee5e02672] initializing ...
elasticsearch_1 | [2017-06-05T15:33:35,048][INFO ][o.e.e.NodeEnvironment ] [d21ee5e02672] using [1] data paths, mounts [[/usr/share/elasticsearch/data (tmpfs)]], net usable_space [835.8mb], net total_space [990.1mb], spins? [no], types [tmpfs]
elasticsearch_1 | [2017-06-05T15:33:35,048][INFO ][o.e.e.NodeEnvironment ] [d21ee5e02672] heap size [1007.3mb], compressed ordinary object pointers [true]
elasticsearch_1 | [2017-06-05T15:33:35,050][INFO ][o.e.n.Node ] [d21ee5e02672] node name [d21ee5e02672], node ID [z4lJ0LIhQMOzsNrm47L1tw]
elasticsearch_1 | [2017-06-05T15:33:35,051][INFO ][o.e.n.Node ] [d21ee5e02672] version[5.4.0], pid[15], build[780f8c4/2017-04-28T17:43:27.229Z], OS[Linux/4.9.27-moby/amd64], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/1.8.0_131/25.131-b11]
elasticsearch_1 | [2017-06-05T15:33:36,203][INFO ][c.f.s.SearchGuardPlugin ] Clustername: elasticsearch-default
elasticsearch_1 | [2017-06-05T15:33:36,253][INFO ][c.f.s.SearchGuardPlugin ] Node [d21ee5e02672] is a transportClient: false/tribeNode: false/tribeNodeClient: false
elasticsearch_1 | [2017-06-05T15:33:36,260][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available
elasticsearch_1 | [2017-06-05T15:33:36,275][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: io.netty.internal.tcnative.SSL
elasticsearch_1 | [2017-06-05T15:33:36,279][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_131
elasticsearch_1 | [2017-06-05T15:33:36,279][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation
elasticsearch_1 | [2017-06-05T15:33:36,280][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8
elasticsearch_1 | [2017-06-05T15:33:36,280][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation
elasticsearch_1 | [2017-06-05T15:33:36,281][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification
elasticsearch_1 | [2017-06-05T15:33:36,281][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: OpenJDK 64-Bit Server VM
elasticsearch_1 | [2017-06-05T15:33:36,282][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation
elasticsearch_1 | [2017-06-05T15:33:36,282][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8
elasticsearch_1 | [2017-06-05T15:33:36,282][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation
elasticsearch_1 | [2017-06-05T15:33:36,283][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification
elasticsearch_1 | [2017-06-05T15:33:36,283][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux
elasticsearch_1 | [2017-06-05T15:33:36,283][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64
elasticsearch_1 | [2017-06-05T15:33:36,284][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 4.9.27-moby
elasticsearch_1 | [2017-06-05T15:33:36,444][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 82 ciphers for https [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
elasticsearch_1 | [2017-06-05T15:33:36,451][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 82 ciphers for transport [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
elasticsearch_1 | [2017-06-05T15:33:36,454][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /usr/share/elasticsearch/config/, from there the key- and truststore files are resolved relatively
elasticsearch_1 | [2017-06-05T15:33:36,564][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [d21ee5e02672] uncaught exception in thread [main]
elasticsearch_1 | org.elasticsearch.bootstrap.StartupException: ElasticsearchException[Failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]]; nested: InvocationTargetException; nested: ElasticsearchException[Unable to read /usr/share/elasticsearch/config/searchguard/ssl/d21ee5e02672-keystore.jks (/usr/share/elasticsearch/config/searchguard/ssl/d21ee5e02672-keystore.jks) Please make sure this files exists and is readable regarding to permissions];
elasticsearch_1 | at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:127) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.cli.Command.main(Command.java:88) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | Caused by: org.elasticsearch.ElasticsearchException: Failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
elasticsearch_1 | at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:430) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.node.Node.<init>(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | ... 6 more
elasticsearch_1 | Caused by: java.lang.reflect.InvocationTargetException
elasticsearch_1 | at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
elasticsearch_1 | at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
elasticsearch_1 | at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
elasticsearch_1 | at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]
elasticsearch_1 | at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.node.Node.<init>(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | ... 6 more
elasticsearch_1 | Caused by: org.elasticsearch.ElasticsearchException: Unable to read /usr/share/elasticsearch/config/searchguard/ssl/d21ee5e02672-keystore.jks (/usr/share/elasticsearch/config/searchguard/ssl/d21ee5e02672-keystore.jks) Please make sure this files exists and is readable regarding to permissions
elasticsearch_1 | at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.checkStorePath(DefaultSearchGuardKeyStore.java:690) ~[?:?]
elasticsearch_1 | at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:203) ~[?:?]
elasticsearch_1 | at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:150) ~[?:?]
elasticsearch_1 | at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:205) ~[?:?]
elasticsearch_1 | at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
elasticsearch_1 | at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
elasticsearch_1 | at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
elasticsearch_1 | at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_131]
elasticsearch_1 | at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:419) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:383) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:139) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.node.Node.<init>(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]
elasticsearch_1 | ... 6 more
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
elasticsearch_1 | Stalling for Elasticsearch...
This script runs forever if es is not configured, I believe it should have a limit of trials, after which the whole container should fail. This needs also some changes in the entrypoint.sh.
Doing https at ES level might not the best the idea, even more with a self signed SSL cert.
I'm running a https://docs.traefik.io/ in front of it. Which do a better job of secure with SSL (using real letsencrypt cert).
There should be an environment variable to not bind https on port 9200.
Hi,
It might be that i don't understand something how TLS should work in general.
I am setting up a production cluster on dockers in GCE (google cloud) with the gce discovery plugin. Every node on the startup generates all he certificates. So no node would connect with another failing on SSL and unknown_certificate exception.
I did resolve that issue where I am generating all the certificates in the docker image which is stored than i our private google container repository. So the node comes up and does not have to generate anything.
The question here is did i misunderstood something about security and the means how searchguard should work in general ?
I also think there is bug in the issue-31.yml thats a snippet from it.
es-data:
build: ../
environment:
SYSCTL_KEY: vm.max_map_count
SYSCTL_VALUE: '262144'
HEAP_SIZE: 1g
CLUSTER_NAME: condor-es
HOSTS: es-master
NODE_DATA: 'true'
NODE_INGEST: 'false'
NODE_MASTER: 'false'
NODE_NAME: ''
ELASTIC_PWD: changeme
KIBANA_PWD: changeme
LOGSTASH_PWD: changeme
BEATS_PWD: changeme
CA_PWD: changeme
TS_PWD: changeme
KS_PWD: changeme
HOSTS: 0.0.0.0, [::3]
HOSTS
is repeated twice and last value overrides the actual es-master
so i ran that example and didnt see that the nodes actually connect with each other.
EDIT:
I actually improved that a little bit.
I removed the node certificate generation from the gen_all.sh
which is run inside the Dockerfile , and the node certificate generation running it on the node startup. The node are able to communicate with each other and each node has a different certificate
Hi,
When I run docker-compose up from the Test folder. It complains that there is no manifest for elasticsearch:5.4.1
[root@container01 test]# docker-compose up
Building elasticsearch
Step 1/15 : FROM elasticsearch:5.4.1
ERROR: Service 'elasticsearch' failed to build: manifest for elasticsearch:5.4.1 not found
If I edit the Docker file to build from docker.elastic.co/elasticsearch/elasticsearch:5.4.1 instead I get a bunch of other errors with regards to permissions.
Hi,
first: thanks to the author for great work for all of us.
However :) - we tried to follow your instruction on debian to run the ELK. Kibama seems to be working fine, however I'm not able to connect to elastic. Neither from kibana nor code. From kibana it says "no permissions for indices:data/read/search".
We found some alerts in logs. Can it cause the problem? (we left all credentials in default)
elastalert_1 | Dload Upload Total Spent Left Speed
100 340 100 340 0 0 6210 0 --:--:-- --:--:-- --:--:-- 6296
elastalert_1 | { "name" : "ab199d2af982", "cluster_name" : "elasticsearch-default", "cluster_uuid" : "Wn5FGOtUS6ObiU5aoQM3iQ", "version" : { "number" : "5.4.0", "build_hash" : "780f8c4", "build_date" : "2017-04-28T17:43:27.229Z", "build_snapshot" : false, "lucene_version" : "6.5.0" }, "tagline" : "You Know, for Search" }
elastalert_1 | Traceback (most recent call last):
elastalert_1 | File "/usr/local/bin/elastalert-create-index", line 6, in
elastalert_1 | from pkg_resources import load_entry_point
elastalert_1 | File "build/bdist.linux-x86_64/egg/pkg_resources/init.py", line 3019, in
elastalert_1 | File "build/bdist.linux-x86_64/egg/pkg_resources/init.py", line 3003, in _call_aside
elastalert_1 | File "build/bdist.linux-x86_64/egg/pkg_resources/init.py", line 3032, in _initialize_master_working_set
elastalert_1 | File "build/bdist.linux-x86_64/egg/pkg_resources/init.py", line 657, in _build_master
elastalert_1 | File "build/bdist.linux-x86_64/egg/pkg_resources/init.py", line 670, in _build_from_requirements
elastalert_1 | File "build/bdist.linux-x86_64/egg/pkg_resources/init.py", line 854, in resolve
elastalert_1 | pkg_resources.ContextualVersionConflict: (requests 2.4.3 (/usr/lib/python2.7/dist-packages), Requirement.parse('requests>=2.10.0'), set(['jira']))
elastalert_1 | $@
elastalert_1 | Traceback (most recent call last):
elastalert_1 | File "/elastalert/elastalert/elastalert.py", line 18, in
elastalert_1 | import kibana
elastalert_1 | File "/elastalert/elastalert/kibana.py", line 4, in
elastalert_1 | from util import EAException
elastalert_1 | File "/elastalert/elastalert/util.py", line 8, in
elastalert_1 | from auth import Auth
elastalert_1 | File "/elastalert/elastalert/auth.py", line 3, in
elastalert_1 | import boto3
elastalert_1 | File "/usr/local/lib/python2.7/dist-packages/boto3-1.4.4-py2.7.egg/boto3/init.py", line 16, in
elastalert_1 | from boto3.session import Session
elastalert_1 | File "/usr/local/lib/python2.7/dist-packages/boto3-1.4.4-py2.7.egg/boto3/session.py", line 17, in
elastalert_1 | import botocore.session
elastalert_1 | ImportError: No module named botocore.session
340 0 0 6503 0 --:--:-- --:--:-- --:--:-- 6538
elastalert_1 | { "name" : "ab199d2af982", "cluster_name" : "elasticsearch-default", "cluster_uuid" : "Wn5FGOtUS6ObiU5aoQM3iQ", "version" : { "number" : "5.4.0", "build_hash" : "780f8c4", "build_date" : "2017-04-28T17:43:27.229Z", "build_snapshot" : false, "lucene_version" : "6.5.0" }, "tagline" : "You Know, for Search" }
kibana_1 | {"type":"response","@timestamp":"2017-05-16T07:21:16Z","tags":[],"pid":34,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"localhost:5601","user-agent":"Links (2.8; Linux 3.16.0-4-amd64 x86_64; GNU C 4.9.1; text)","accept":"/","accept-language":"en,;q=0.1","accept-encoding":"gzip,deflate,bzip2,lzma,lzma2","accept-charset":"us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,ISO-8859-5,ISO-8859-6,ISO-8859-7,ISO-8859-8,ISO-8859-9,ISO-8859-10,ISO-8859-13,ISO-8859-14,ISO-8859-15,ISO-8859-16,windows-1250,windows-1251,windows-1252,windows-1256,windows-1257,cp437,cp737,cp850,cp852,cp866,x-cp866-u,x-mac,x-mac-ce,x-kam-cs,koi8-r,koi8-u,koi8-ru,TCVN-5712,VISCII,utf-8","connection":"keep-alive"},"remoteAddress":"172.18.0.1","userAgent":"172.18.0.1"},"res":{"statusCode":302,"responseTime":2,"contentLength":9},"message":"GET / 302 2ms - 9.0B"}
kibana_1 | {"type":"response","@timestamp":"2017-05-16T07:21:16Z","tags":[],"pid":34,"method":"get","statusCode":200,"req":{"url":"/searchguard/login?nextUrl=%2F","method":"get","headers":{"host":"localhost:5601","user-agent":"Links (2.8; Linux 3.16.0-4-amd64 x86_64; GNU C 4.9.1; text)","accept":"/","accept-language":"en,;q=0.1","accept-encoding":"gzip,deflate,bzip2,lzma,lzma2","accept-charset":"us-ascii,ISO-8859-1,ISO-8859-2,ISO-8859-3,ISO-8859-4,ISO-8859-5,ISO-8859-6,ISO-8859-7,ISO-8859-8,ISO-8859-9,ISO-8859-10,ISO-8859-13,ISO-8859-14,ISO-8859-15,ISO-8859-16,windows-1250,windows-1251,windows-1252,windows-1256,windows-1257,cp437,cp737,cp850,cp852,cp866,x-cp866-u,x-mac,x-mac-ce,x-kam-cs,koi8-r,koi8-u,koi8-ru,TCVN-5712,VISCII,utf-8","connection":"keep-alive"},"remoteAddress":"172.18.0.1","userAgent":"172.18.0.1"},"res":{"statusCode":200,"responseTime":7,"contentLength":9},"message":"GET /searchguard/login?nextUrl=%2F 200 7ms - 9.0B"}
Thank you for any hints. I'm quite new in linux/docker/elk.
M.C.
2017-05-09T11:56:56.287447766Z [2017-05-09T11:56:56,287][WARN ][c.f.s.h.SearchGuardHttpServerTransport] [elasticsearch-logging-v1-0r56b] Someone (/10.32.0.8:37386) speaks http plaintext instead of ssl, will close the channel
2017-05-09T11:56:56.701588059Z Contacting elasticsearch cluster 'kubernetes-logging' and wait for YELLOW clusterstate ...
2017-05-09T11:56:56.782818999Z Clustername: kubernetes-logging
2017-05-09T11:56:56.782857932Z Clusterstate: GREEN
2017-05-09T11:56:56.783265435Z Number of nodes: 1
2017-05-09T11:56:56.783325131Z Number of data nodes: 1
2017-05-09T11:56:58.212625742Z searchguard index does not exists, attempt to create it ... [2017-05-09T11:56:58,212][INFO ][o.e.c.m.MetaDataCreateIndexService] [elasticsearch-logging-v1-0r56b] [searchguard] creating index, cause [api], templates [], shards [1]/[1], mappings []
Do you have solutions?
Thanks a lot!
After cloning the repo from the master branch:
[root@host docker]# git clone https://github.com/khezen/docker-elasticsearch.git
Then running copying the docker-compose.yml file to the the command on the repo folder using the default docker-compose.yml but with your image khezen/elasticsearch:6.5.4
[root@host docker-elasticsearch]# cp examples/docker-compose.yml .
I made the following alterations to the docker-compose.yml file:
version: '2'
services:
es-master:
build: .
environment:
NODE_NAME: master
ELASTIC_PWD: changeme
KIBANA_PWD: changeme
CLUSTER_NAME: es-sg-cluster
#HTTP_SSl: 'false'
volumes:
- /data/elasticsearch:/elasticsearch/data
- /etc/elasticsearch:/elasticsearch/config
ports:
- "9202:9200"
- "9302:9300"
network_mode: bridge
restart: always
I stumbled upon an error after the end of the configuration of searchguard. The following error messages were displayed:
es-master_1 | Stalling for Elasticsearch...
es-master_1 | Exception in thread "main" java.nio.file.NoSuchFileException: /elasticsearch/config/jvm.options
es-master_1 | at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
es-master_1 | at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
es-master_1 | at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
es-master_1 | at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
es-master_1 | at java.nio.file.Files.newByteChannel(Files.java:361)
es-master_1 | at java.nio.file.Files.newByteChannel(Files.java:407)
es-master_1 | at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384)
es-master_1 | at java.nio.file.Files.newInputStream(Files.java:152)
es-master_1 | at org.elasticsearch.tools.launchers.JvmOptionsParser.main(JvmOptionsParser.java:60)
es-master_1 | Stalling for Elasticsearch...
es-master_1 | Stalling for Elasticsearch...
es-master_1 | Stalling for Elasticsearch...
SOLUTION: add the jvm.options to the defined default /etc/elasticsearch/ folder where the volume is stored and then rerun the command docker-compose up
I guess you are deleting the file somewhere in the process, wich I have not been able to find in the Dockerfile.
Thank you.
Is this still active? What about support for later Elasticsearch versions?
You have to read the Elastic web page carefully, X-Pack is NOT under Apache 2.0 license, it's Elastic license! This means only some (More or less basic monitoring) features of X-Pack is in free tire: https://www.elastic.co/subscriptions
Security and auth is NOT in free tire! So this image will stay important for users who want to use Search guard with ES 6.3!
It has to be 'hosts' not 'host'. if we do not have this correctly, you may land up deleting other indices of other users.
Please see Search guard code..
https://github.com/floragunncom/search-guard/blob/master/src/main/java/com/floragunn/searchguard/configuration/PrivilegesEvaluator.java#L1068
Thanks.
Jalaja
$HOSTNAME is not defined in dockerfile as ENV
No matter what I do, I get:
standard_init_linux.go:190: exec user process caused "no such file or directory"
I am running Docker on Windows 10
docker run -p 9200:9200 -p 9300:9300 -e ELASTIC_PWD=changeme -e KIBANA_PWD=changeme khezen/elasticsearch:latest
in an Active Directory environment with shared drives enabled. I cloned the official Git repo. I loaded Docker as administrator and Powershell as administrator.
Why is this not working and how can this be fixed?
Describe the bug
Not able to run on an openshift cluster
To Reproduce
Steps to reproduce the behavior:
Follow exact procedure to deploy an app from a docker hub image
Expected behavior
A clear and concise description of what you expected to happen.
Screenshots
Get a response from elasticsearch cluster
Desktop (please complete the following information):
Smartphone (please complete the following information):
Not applicable
Additional context
None
ERROR Could not register mbeans java.security.AccessControlException: access denied ("javax.management.MBeanTrustPermission" "register")
But I already created a PR for this issue... see #28
Hello,
I'm trying to deploy this across a 4-host cluster where I have it setup with 3 master nodes, 1 ingest node, 1 tribe node, and 2 data nodes. The problem is that it's not clear how this should all work in a setup like this. I keep the data volume local to each host for each node type and I share a nfs volume with each host for /elasticsearch/config/searchguard/ssl so that each node can sign their certificate with the same CA root.
The problem is several layers deep:
cd /elasticsearch/config/searchguard/ssl && NODE_NAME=$HOSTNAME /run/auth/certificates/gen_node_cert.sh
)Here is my compose file (I use Rancher so some of it might be non-standard - I also use my own images which just pull from yours and adds a two ingest plugins, please ignore any mention of x-pack, that plugin is NOT installed):
version: '2'
volumes:
elasticsearch-config:
external: true
driver: rancher-nfs
es-storage-volume:
driver: local
per_container: true
services:
es-storage:
image: rawmind/alpine-volume:0.0.2-2
environment:
SERVICE_GID: '1000'
SERVICE_UID: '1000'
SERVICE_VOLUME: /elasticsearch/data
network_mode: none
volumes:
- es-storage-volume:/elasticsearch/data
labels:
io.rancher.container.start_once: 'true'
es-data:
mem_limit: 2147483648
cap_add:
- IPC_LOCK
image: someone1/elasticsearch-searchguard-xpack
environment:
HEAP_SIZE: 1g
CLUSTER_NAME: condor-es
HOSTS: es-master
NODE_DATA: 'true'
NODE_INGEST: 'false'
NODE_MASTER: 'false'
NODE_NAME: ''
ELASTIC_PWD: <removed>
KIBANA_PWD: <removed>
LOGSTASH_PWD: <removed>
BEATS_PWD: <removed>
CA_PWD: <removed>
TS_PWD: <removed>
KS_PWD: <removed>
ulimits:
memlock:
hard: -1
soft: -1
nofile:
hard: 65536
soft: 65536
volumes:
- elasticsearch-config:/elasticsearch/config/searchguard/ssl
volumes_from:
- es-storage
command:
- -Ebootstrap.memory_lock=true
- -Esearch.remote.connect=false
labels:
io.rancher.scheduler.affinity:host_label: esready=true
io.rancher.sidekicks: es-storage,es-sysctl
io.rancher.container.hostname_override: container_name
io.rancher.container.pull_image: always
io.rancher.scheduler.global: 'true'
es-sysctl:
privileged: true
image: rawmind/alpine-sysctl:0.1
environment:
SYSCTL_KEY: vm.max_map_count
SYSCTL_VALUE: '262144'
network_mode: none
labels:
io.rancher.container.start_once: 'true'
es-ingest:
mem_limit: 1073741824
cap_add:
- IPC_LOCK
image: someone1/elasticsearch-searchguard-xpack
environment:
HEAP_SIZE: 512m
CLUSTER_NAME: condor-es
HOSTS: es-master
NODE_DATA: 'false'
NODE_INGEST: 'true'
NODE_MASTER: 'false'
NODE_NAME: ''
ELASTIC_PWD: <removed>
KIBANA_PWD: <removed>
LOGSTASH_PWD: <removed>
BEATS_PWD: <removed>
CA_PWD: <removed>
TS_PWD: <removed>
KS_PWD: <removed>
ulimits:
memlock:
hard: -1
soft: -1
nofile:
hard: 65536
soft: 65536
volumes:
- elasticsearch-config:/elasticsearch/config/searchguard/ssl
volumes_from:
- es-storage
command:
- -Ebootstrap.memory_lock=true
- -Esearch.remote.connect=false
labels:
io.rancher.scheduler.affinity:container_label_soft_ne: io.rancher.stack_service.name=$${stack_name}/$${service_name}
io.rancher.sidekicks: es-storage,es-sysctl
io.rancher.container.hostname_override: container_name
io.rancher.container.pull_image: always
es-tribe:
mem_limit: 1073741824
cap_add:
- IPC_LOCK
image: someone1/elasticsearch-searchguard-xpack
environment:
CLUSTER_NAME: condor-es
HOSTS: es-master
NODE_DATA: 'false'
NODE_INGEST: 'false'
NODE_MASTER: 'false'
NODE_NAME: ''
HEAP_SIZE: 512m
ELASTIC_PWD: <removed>
KIBANA_PWD: <removed>
LOGSTASH_PWD: <removed>
BEATS_PWD: <removed>
CA_PWD: <removed>
TS_PWD: <removed>
KS_PWD: <removed>
ulimits:
memlock:
hard: -1
soft: -1
nofile:
hard: 65536
soft: 65536
volumes:
- elasticsearch-config:/elasticsearch/config/searchguard/ssl
volumes_from:
- es-storage
ports:
- 9200:9200/tcp
command:
- -Ebootstrap.memory_lock=true
- -Esearch.remote.connect=false
labels:
io.rancher.scheduler.affinity:container_label_soft_ne: io.rancher.stack_service.name=$${stack_name}/$${service_name}
io.rancher.sidekicks: es-storage,es-sysctl
io.rancher.container.hostname_override: container_name
io.rancher.container.pull_image: always
es-master:
mem_limit: 1073741824
cap_add:
- IPC_LOCK
image: someone1/elasticsearch-searchguard-xpack
environment:
HEAP_SIZE: 512m
CLUSTER_NAME: condor-es
MINIMUM_MASTER_NODES: '2'
HOSTS: es-master
NODE_DATA: 'false'
NODE_INGEST: 'false'
NODE_MASTER: 'true'
NODE_NAME: ''
ELASTIC_PWD: <removed>
KIBANA_PWD: <removed>
LOGSTASH_PWD: <removed>
BEATS_PWD: <removed>
CA_PWD: <removed>
TS_PWD: <removed>
KS_PWD: <removed>
ulimits:
memlock:
hard: -1
soft: -1
nofile:
hard: 65536
soft: 65536
volumes:
- elasticsearch-config:/elasticsearch/config/searchguard/ssl
volumes_from:
- es-storage
command:
- -Ebootstrap.memory_lock=true
- -Esearch.remote.connect=false
labels:
io.rancher.scheduler.affinity:container_label_soft_ne: io.rancher.stack_service.name=$${stack_name}/$${service_name}
io.rancher.sidekicks: es-storage,es-sysctl
io.rancher.container.hostname_override: container_name
io.rancher.container.pull_image: always
Any help/guidance getting this to work would be much appreciated!
I am running Docker on an Ubuntu 18 server.
docker run -d --name elasticsearch --security-opt apparmor=unconfined -v /data/elasticsearch-data:/elasticsearch/data -v /data/elasticsearch-config:/elasticsearch/config -p 9200:9200 -p 9300:9300 -e ELASTIC_PWD=changeme -e KIBANA_PWD=changeme khezen/elasticsearch:latest
Before running the above command I created
on the host machine having user:docker rights (where the docker group has write rights also). However, I am getting this error:
Stalling for Elasticsearch...
Exception in thread "main" java.nio.file.NoSuchFileException: /elasticsearch/config/jvm.options
at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
at java.nio.file.Files.newByteChannel(Files.java:361)
at java.nio.file.Files.newByteChannel(Files.java:407)
at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384)
at java.nio.file.Files.newInputStream(Files.java:152)
at org.elasticsearch.tools.launchers.JvmOptionsParser.main(JvmOptionsParser.java:60)
Stalling for Elasticsearch...
Not sure where the problem is. The setup looks OK to me. I also did a "chown 1000:1000" in the container" for the shared folders without any success. Does anyone have an idea?
Hi,
There is plan to add the management api ?
https://github.com/floragunncom/search-guard-rest-api
https://github.com/floragunncom/search-guard-docs/blob/master/managementapi.md
add search-guard integration to replace x-pack shield.
Seems the SSL certificate for ELK v5.6 is only certify 2 years long, and now it is expired.
I try to modify the signing_ca.conf, but seems is not working.
Would you please help to extend the SSL certificate(suggest for 10 yrs or 20 yrs long..), or provide the method to me to create a new SSL certificate?
Error msg provided as below FYI:
[2020-12-01T02:19:01,517][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [NODE-1] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_141]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:255) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1162) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1084) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:579) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:496) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.13.Final.jar:4.1.13.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_141]
[2020-12-01T02:19:02,079][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [NODE-1] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_141]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:255) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1162) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1084) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:579) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:496) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.13.Final.jar:4.1.13.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_141]
02:19:02.079 [elasticsearch[_client_][transport_client_boss][T#4]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478) ~[?:1.8.0_141]
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:1.8.0_141]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:1.8.0_141]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:1.8.0_141]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_141]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:255) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1162) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1084) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:579) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:496) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.13.Final.jar:4.1.13.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_141]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_141]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:1.8.0_141]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[?:1.8.0_141]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:1.8.0_141]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:1.8.0_141]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1301) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1214) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
... 18 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362) ~[?:1.8.0_141]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270) ~[?:1.8.0_141]
at sun.security.validator.Validator.validate(Validator.java:260) ~[?:1.8.0_141]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_141]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:1.8.0_141]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:1.8.0_141]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:1.8.0_141]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:1.8.0_141]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:1.8.0_141]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1301) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1214) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
... 18 more
Caused by: java.security.cert.CertPathValidatorException: **timestamp check failed**
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135) ~[?:1.8.0_141]
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:223) ~[?:1.8.0_141]
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140) ~[?:1.8.0_141]
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79) ~[?:1.8.0_141]
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292) ~[?:1.8.0_141]
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357) ~[?:1.8.0_141]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270) ~[?:1.8.0_141]
at sun.security.validator.Validator.validate(Validator.java:260) ~[?:1.8.0_141]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_141]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:1.8.0_141]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:1.8.0_141]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:1.8.0_141]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:1.8.0_141]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:1.8.0_141]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1301) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1214) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
... 18 more
Caused by: java.security.cert.CertificateExpiredException: **NotAfter: Sat Nov 28 02:24:52 UTC 2020**
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) ~[?:1.8.0_141]
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629) ~[?:1.8.0_141]
at sun.security.provider.certpath.BasicChecker.verifyTimestamp(BasicChecker.java:190) ~[?:1.8.0_141]
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144) ~[?:1.8.0_141]
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125) ~[?:1.8.0_141]
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:223) ~[?:1.8.0_141]
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140) ~[?:1.8.0_141]
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79) ~[?:1.8.0_141]
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292) ~[?:1.8.0_141]
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357) ~[?:1.8.0_141]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270) ~[?:1.8.0_141]
at sun.security.validator.Validator.validate(Validator.java:260) ~[?:1.8.0_141]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_141]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:1.8.0_141]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:1.8.0_141]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:1.8.0_141]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:1.8.0_141]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_141]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:1.8.0_141]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1301) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1214) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
... 18 more
Hey,
I didn't have much time to test it, but it looks like the HTTP_SSL
is not covered at this line:
If I turn off the SSL on port 9200 that script will try to use SSL anyway which will fail.
So installed 6.1.1 fine with ElasticSearch and Kibana, but when I tried to create a Index Pattern it just sits there and does nothing. I reverted back to version 6.0.0 and there it works fine.
Looking around I found this issue in the searchguard git hub:
https://github.com/floragunncom/search-guard/issues/444
and they said the following about the issue:
This is not an error in Search Guard. We used the the original repos you mentioned above and after configuring multi tenancy everything works as expected.
However, the Dockerfiles and the especially the SG configuration in this repo is not correct:
Multi tenancy is not enabled in sg_config
The Kibana server user that is configured in kibana.yml is not configured in sg_config
There is only one Kibana role, usually you should use two, one for the Kibana serve user, one for regular Kibana users
The permissions for the Kibana server user are not correct. They especially lack the indices:admin/template* permission
the "sgtenant" HTTP header is not whitelisted in kibana.yml
After fixing all these configuration errors in the Dockerfile everything works as expected. If you need further assistance in settup up MT, please ask on the Google Groups: https://groups.google.com/forum/#!forum/search-guard
Not sure if this is something you are aware of.
Hi, I have error with version 5, docker container exit with code 1
We just aquired enterprise liscence for Search Guard. I have got few questions below for you consideration.
I have a persistent volume on my openshift cluster (I can share yaml file for this) /usr/share/elasticsearch/data. I am running elasticsearch version 6.1.4. If I use the docker image (based on 6.1.4 and 22.3 SG version) from this repo with SG enterprise features enabled and point volume (/elasticsearch/data) to same persistant storage would this work ?
if the above will work based on a new version of elasticsearch and SG enterprise ?
Hi khezen,
I notice wait_until_started.sh and index_level_settings.sh can only work on the http://localhost:9200
. shoud we use environment for the http or https
, localhost
, 9200
?
HI,
I am running the latest image using command:
docker run -d -p 9200:9200 -p 9300:9300 -e ELASTIC_PWD=admin -e KIBANA_PWD=admin khezen/elasticsearch:latest
When I try to access it on https://localhost:9200 , it asks for username password
I am giving, username: admin and password:admin, in dialog box.
But, i can't login into it.
In logs it says :
[2019-05-07T10:54:01,742][WARN ][c.f.s.a.BackendRegistry ] [NODE-1] Authentication finally failed for admin from 172.17.0.1:53408
[2019-05-07T10:55:06,934][WARN ][c.f.s.a.BackendRegistry ] [NODE-1] Authentication finally failed for admin from 172.17.0.1:53408
Expected : Json output after login
Hi,
I have successfully installed elasticsearch and kibana with searchguard.
I am now trying to add logstash, and I get unauthorized-401 error.
Here is my output config of my logstash.conf file :
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "waziup_all_sensors-%{+YYYY.MM.dd}"
user => logstash
password => logstash
ssl => true
ssl_certificate_verification => false
truststore => "/var/docker/es_config/searchguard/ssl/truststore.jks"
truststore_password => pass
}
I have set ssl certificate verification to false, otherwise it says that it is not the correct host set into the certificate (elasticsearch). But with localhost I get connection refused.
Here is my docker-compose.yml file :
version: '2'
services:
elasticsearch:
image: khezen/elasticsearch
environment:
ELASTIC_PWD: ***
KIBANA_PWD: ***
TS_PWD: pass
volumes:
- /var/docker/es_data:/elasticsearch/data
- /var/docker/es_config:/elasticsearch/config
ports:
- "9200:9200"
- "9300:9300"
networks:
- elk
restart: always
kibana:
links:
- elasticsearch
image: khezen/kibana
environment:
KIBANA_PWD: ***
ELASTICSEARCH_HOST: elasticsearch
ELASTICSEARCH_PORT: 9200
volumes:
- /var/docker/kibana_config:/opt/kibana-6.1.1-linux-x86_64/config
- /var/docker/es_config:/etc/elasticsearch
ports:
- "5601:5601"
networks:
- elk
restart: always
logstash:
links:
- elasticsearch
image: docker.elastic.co/logstash/logstash-oss:6.1.2
environment:
LOGSTASH_PWD: logstash
TS_PWD: pass
ELASTICSEARCH_HOST: elasticsearch
ELASTICSEARCH_PORT: 9200
volumes:
- /var/docker/logstash_pipeline:/usr/share/logstash/pipeline
- /var/docker/es_config:/var/docker/es_config
ports:
- "55555:55555"
networks:
- elk
restart: always
networks:
elk:
driver: bridge
And here is the error :
logstash_1` | [2018-01-25T09:54:04,604][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://logstash:xxxxxx@elasticsearch:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'https://elasticsearch:9200/'"}
Any help ?
Thanks
I made 3 separate master/client/data nodes - each of them using the Dockerfile.
The client node has the following config:
Name: es-client
Namespace: default
CreationTimestamp: Sat, 06 May 2017 13:10:27 +0530
Labels: component=elasticsearch
role=client
Annotations: deployment.kubernetes.io/revision=1
kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"extensions/v1beta1","kind":"Deployment","metadata":{"annotations":{},"labels":{"component":"elasticsearch","role":"client"},"name":"es-c...
Selector: component=elasticsearch,role=client
Replicas: 1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType: RollingUpdate
MinReadySeconds: 0
RollingUpdateStrategy: 1 max unavailable, 1 max surge
Pod Template:
Labels: component=elasticsearch
role=client
Init Containers:
sysctl:
Image: busybox
Port:
Command:
sysctl
-w
vm.max_map_count=262144
Environment: <none>
Mounts: <none>
Containers:
es-client:
Image: es-sg:latest
Ports: 9200/TCP, 9300/TCP
Environment:
NAMESPACE: (v1:metadata.namespace)
NODE_NAME: (v1:metadata.name)
CLUSTER_NAME: elasticsearch
NODE_MASTER: false
NODE_DATA: false
HTTP_ENABLE: true
ES_JAVA_OPTS: -Xms256m -Xmx256m
Mounts:
/data from storage (rw)
Volumes:
storage:
Type: EmptyDir (a temporary directory that shares a pod's lifetime)
Medium:
Conditions:
Type Status Reason
---- ------ ------
Available True MinimumReplicasAvailable
OldReplicaSets: <none>
NewReplicaSet: <none>
Events: <none>
and the log for this client:
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352) ~[?:?]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:260) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:?]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:?]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1167) ~[?:?]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1080) ~[?:?]
... 17 more
I havent changed much in the Dockerfile except for setting a few environment variables - so I'm not sure how the certificate path is causing problems.
Hi,
Using here tag 5
and docker-compose. If I set HTTP_SSL: "false"
in the yaml file, I get Stalling for Elasticsearch...
forever. If I remove HTTP_SSL
env variable from the file, it works as expected.
This is the docker compose file to reproduce the error:
version: '3'
services:
elasticsearch:
container_name: elastic
image: khezen/elasticsearch:5
environment:
ELASTIC_PWD: changeme
KIBANA_PWD: changeme
HEAP_SIZE: 1g
LOG_LEVEL: DEBUG
HTTP_SSL: "false"
volumes:
- ./es/data:/elasticsearch/data
- ./es/config:/elasticsearch/config
ports:
- "9200:9200"
- "9300:9300"
network_mode: bridge
restart: always
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.