Can't create a cluster if node's domain points to the localhost in /etc/hosts

Elastic Stack Elasticsearch
1

Hi,

if /etc/hosts/ is configured as follows:

127.0.0.1 node01.com
127.0.0.1 localhost

and if you set elasticsearch.yml to:

network.host: ["_enp1s0_", "_local_"]                                                                                                                                                                                                       
network.bind_host: ["_enp1s0_", "_local_"]                                                                                                                                                                                                  
network.publish_host: ["node01.com"]

you won't be able to create a cluster because node will advertise itself as node01.com/127.0.0.1 and every other node with similar config of /etc/hosts/ and elasticsearch.yml will try to connect to other nodes with a correct domain but on own localhost. If I change /etc/hosts to 127.0.0.1 node01 it will work flawlessly.

Is there any way to set the domain with an address of a network interface? Something like node01.com/_enp1s0_ ?

Best regards

Steps to Reproduce

  1. set your domain in /etc/hosts to resolve to 127.0.0.1
  2. set elasticsearch.yml as presented in the problem description using only special values and a domain name
  3. restart cluster
2

Do you want this? If not, can you expand on why it doesn't work for you?

network.publish_host: ["_enp1s0_"]

3

Hi David!

Thanks a lot for a quick response.

I have tried the config You propose. If I set network.publish_host: ["_enp1s0_"] all nodes will try to connect each other using IP addresses instead of FQDN and as my certificate is wildcard I can not put IPs in it.

4

You can use wildcard certificates from a well-known CA for your HTTP traffic, but it's a bad idea for transport traffic. See these docs for more information:

For the transport layer, we recommend using a separate, dedicated CA instead of an existing, possibly shared CA so that node membership is tightly controlled. Use the elasticsearch-certutil tool to generate a CA for your cluster.

1 Like
5

Thanks a lot for this good practice tip. I will consider it.

However it is still a bit misleading for me that setting only a domain in the network.publish_host will have a result depending on the content of /etc/hosts i.e. domain/localhost if domain points to localhost in /etc/hosts or domain/global_ip otherwise.

6

In general we expect these things to yield the same results so it doesn't matter, but if you set up your DNS to give different answers depending on who is asking then this sort of problem will arise. I'll try and clarify this in the docs.

1 Like
7

Clarifying this in the docs would be great (and time saving for next time :D)! Thank you in advance :slight_smile:

Do you think it could be possible to somehow take into account only DNS (without hosts file)?

img

8

The JVM is just using something from libc like gethostbyname() under the hood, so you can control its behaviour via nsswitch.conf and friends (or whatever your system equivalent is). Or you could remove the bogus entry from /etc/hosts - that's what I'd do at least.

9

TIL: there is something like nsswitch.conf :+1:

I ended up editing /etc/hosts. Thanks a lot for all your help!

10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.