Cannot figure out how to set a username and password with X-Pack in docker

weskerfoot · June 17, 2019, 7:24pm

The documentation here https://www.elastic.co/guide/en/x-pack/current/setting-up-authentication.html#set-built-in-user-passwords

States that we can use "bin/x-pack/setup-passwords interactive" to set a password.

I am trying to use this to set the password for the builtin "elastic" user.

However, when I exec into one of my containers (I am running this in docker swarm).

There is no "setup-password" tool.

[root@7dc2db93c29f elasticsearch]# ls bin/                                                                                                                                                
elasticsearch           elasticsearch-cli       elasticsearch-enve      elasticsearch-node           elasticsearch-setup-passwords  elasticsearch-sql-cli-7.1.1.jar  x-pack-env           
elasticsearch-certgen   elasticsearch-croneval  elasticsearch-keystore  elasticsearch-plugin         elasticsearch-shard            elasticsearch-syskeygen          x-pack-security-env
elasticsearch-certutil  elasticsearch-env       elasticsearch-migrate   elasticsearch-saml-metadata  elasticsearch-sql-cli          elasticsearch-users              x-pack-watcher-env

How do I set these passwords?

Additionally, I have tried setting environment variables in my docker-compose.yml file with "ELASTIC_PASSWORD" and "ELASTIC_USERNAME" and those do not work either.

I cannot set it with curl because I cannot authenticate at all with XPack security enabled.

I am using a trial license but I have a platinum license that I haven't applied yet. Does this feature work differently somehow?

The documentation seems very confusing and I can't tell which features are supported in docker, which aren't, or how any of this is supposed to even work in docker.

Please help.

weskerfoot · June 17, 2019, 7:30pm

I just noticed the "elasticsearch-setup-passwords" tool does exist (which is not the same as the documentation), but when I run it I get this

[root@7dc2db93c29f elasticsearch]# ./bin/elasticsearch-setup-passwords interactive

SSL connection to https://10.0.24.15:9200/_security/_authenticate?pretty failed: No subject alternative names matching IP address 10.0.24.15 found
Please check the elasticsearch SSL settings under xpack.security.http.ssl.

ERROR: Failed to establish SSL connection to elasticsearch at https://10.0.24.15:9200/_security/_authenticate?pretty. 
[root@7dc2db93c29f elasticsearch]#

Is there a way to make it respect TLS?

I have

xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/certs/ca/ca.crt" ]

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/certs/ca/ca.crt" ]

In my elasticsearch.yml that the docker image is built with, and then

  - xpack.security.transport.ssl.key=/usr/share/elasticsearch/config/certs/esmaster/esmaster.key
  - xpack.security.transport.ssl.certificate=/usr/share/elasticsearch/config/certs/esmaster/esmaster.crt
  - xpack.security.http.ssl.key=/usr/share/elasticsearch/config/certs/esmaster/esmaster.key
  - xpack.security.http.ssl.certificate=/usr/share/elasticsearch/config/certs/esmaster/esmaster.crt

For all of the different nodes in my docker-compose.yml (with different key names for each node)

These certificates are all generated and baked into the docker image. As far as I can tell TLS is working properly because I can connect (after clicking through the warnings about self signed certificates) but then I obviously don't have a valid username/password to actually do anything.

weskerfoot · June 17, 2019, 7:40pm

Finally got it to work with

./bin/elasticsearch-setup-passwords auto -u "https://localhost:9200"

It would be great if this were somewhere in the documentation about how to set things up with docker. I could not find it easily.

My confusion was that "https://www.elastic.co/guide/en/x-pack/current/setting-up-authentication.html#set-built-in-user-passwords" implies it is current documentation, but it apparently is NOT the most up-to-date documentation. And when you click through to the "current" documentation you just get a table of contents.

alchy · June 21, 2019, 3:33pm

If you are putting together cluster with docker and x-pack, is there some step by step somewhere? are the cerificates created while docker deployement and you need to have them transferred manually to other nodes, or how does it work?

MiTschMR · June 24, 2019, 12:11pm

Hi @alchy

If you are looking for an example with Docker-Compose then you can follow this guide here.

If you are looking for an example with Docker Swarm, I assume there is no official documentation, not even on other sites. I got it to run on a Docker Swarm cluster with two nodes with little changes to the config files listed on the above linked website.

Hope this helps.

MiTschMR

system · July 22, 2019, 12:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Reset elastic user password in docker container Elasticsearch elastic-stack-security , docker	4	3796	September 8, 2022
Change x-pack password in docker container at initialisation Elasticsearch	2	1596	May 18, 2017
Elasticsearch build-in users config in docker-compose Elasticsearch docker	4	753	February 26, 2020
How to set elasticsearch user "elastic" password in Dockerfile Elasticsearch docker	4	14056	April 30, 2020
Unable to set password for elastic (7.1.1) Elasticsearch elastic-stack-security	6	5167	July 18, 2019

Cannot figure out how to set a username and password with X-Pack in docker

Related topics