Cannot figure out how to set a username and password with X-Pack in docker

weskerfoot · June 17, 2019, 7:24pm

The documentation here https://www.elastic.co/guide/en/x-pack/current/setting-up-authentication.html#set-built-in-user-passwords

States that we can use "bin/x-pack/setup-passwords interactive" to set a password.

I am trying to use this to set the password for the builtin "elastic" user.

However, when I exec into one of my containers (I am running this in docker swarm).

There is no "setup-password" tool.

[root@7dc2db93c29f elasticsearch]# ls bin/                                                                                                                                                
elasticsearch           elasticsearch-cli       elasticsearch-enve      elasticsearch-node           elasticsearch-setup-passwords  elasticsearch-sql-cli-7.1.1.jar  x-pack-env           
elasticsearch-certgen   elasticsearch-croneval  elasticsearch-keystore  elasticsearch-plugin         elasticsearch-shard            elasticsearch-syskeygen          x-pack-security-env
elasticsearch-certutil  elasticsearch-env       elasticsearch-migrate   elasticsearch-saml-metadata  elasticsearch-sql-cli          elasticsearch-users              x-pack-watcher-env

How do I set these passwords?

Additionally, I have tried setting environment variables in my docker-compose.yml file with "ELASTIC_PASSWORD" and "ELASTIC_USERNAME" and those do not work either.

I cannot set it with curl because I cannot authenticate at all with XPack security enabled.

I am using a trial license but I have a platinum license that I haven't applied yet. Does this feature work differently somehow?

The documentation seems very confusing and I can't tell which features are supported in docker, which aren't, or how any of this is supposed to even work in docker.

Please help.

weskerfoot · June 17, 2019, 7:30pm

I just noticed the "elasticsearch-setup-passwords" tool does exist (which is not the same as the documentation), but when I run it I get this

[root@7dc2db93c29f elasticsearch]# ./bin/elasticsearch-setup-passwords interactive

SSL connection to https://10.0.24.15:9200/_security/_authenticate?pretty failed: No subject alternative names matching IP address 10.0.24.15 found
Please check the elasticsearch SSL settings under xpack.security.http.ssl.

ERROR: Failed to establish SSL connection to elasticsearch at https://10.0.24.15:9200/_security/_authenticate?pretty. 
[root@7dc2db93c29f elasticsearch]#

Is there a way to make it respect TLS?

I have

xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/certs/ca/ca.crt" ]

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/certs/ca/ca.crt" ]

In my elasticsearch.yml that the docker image is built with, and then

  - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/esmaster/esmaster.key
  - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/esmaster/esmaster.crt
  - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/esmaster/esmaster.key
  - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/esmaster/esmaster.crt

For all of the different nodes in my docker-compose.yml (with different key names for each node)

These certificates are all generated and baked into the docker image. As far as I can tell TLS is working properly because I can connect (after clicking through the warnings about self signed certificates) but then I obviously don't have a valid username/password to actually do anything.

weskerfoot · June 17, 2019, 7:40pm

Finally got it to work with

./bin/elasticsearch-setup-passwords auto -u "https://localhost:9200"

It would be great if this were somewhere in the documentation about how to set things up with docker. I could not find it easily.

My confusion was that "https://www.elastic.co/guide/en/x-pack/current/setting-up-authentication.html#set-built-in-user-passwords" implies it is current documentation, but it apparently is NOT the most up-to-date documentation. And when you click through to the "current" documentation you just get a table of contents.

alchy · June 21, 2019, 3:33pm

If you are putting together cluster with docker and x-pack, is there some step by step somewhere? are the cerificates created while docker deployement and you need to have them transferred manually to other nodes, or how does it work?

MiTschMR · June 24, 2019, 12:11pm

Hi @alchy

If you are looking for an example with Docker-Compose then you can follow this guide here.

If you are looking for an example with Docker Swarm, I assume there is no official documentation, not even on other sites. I got it to run on a Docker Swarm cluster with two nodes with little changes to the config files listed on the above linked website.

Hope this helps.

MiTschMR

Topic		Replies	Views
Unable to setup elastic stack in docker with tls enabled Elasticsearch	8	1541	January 18, 2020
Change x-pack password in docker container at initialisation Elasticsearch	2	1633	May 18, 2017
Reset elastic user password in docker container Elasticsearch elastic-stack-security , docker	4	5057	September 8, 2022
Setting password via x-pack Elasticsearch	3	656	February 16, 2019
Unable to set password for elastic (7.1.1) Elasticsearch elastic-stack-security	6	5272	July 18, 2019

Cannot figure out how to set a username and password with X-Pack in docker

Related topics