I'm trying to set up the ELK stack with docker-compose; however, Logstash cannot read the mounted certs directory. I'm guessing this is a permissions issue, but I struggle to see why Elasticsearch, Kibana and Filebeat can all read the mounted certs while Logstash cannot.
The certs are created in roughly the same way as in Running the Elastic Stack ("ELK") on Docker | Getting Started [8.1] | Elastic, and they mount correctly with everything else. When I attach a shell to Filebeat I am able to `ls` the directory for the certs, but doing the same with Logstash results in permission denied. I am also able to run `filebeat test output`, and the connection to Elasticsearch is successful.
Running `groups` on the instances within ELK gives different responses:
- Elasticsearch -> user elasticsearch belongs to group root only
- Logstash -> user logstash belongs to group logstash only
- Kibana -> user kibana belongs to groups kibana and root
As the getting started setup command chowns the certs to root:root, this would explain why Logstash can't access them. Changing the setup command to chown as 1000:0 results in the certs being accessible for all instances.
My question would be: why is there so much disparity between the users and groups in the Docker images, and why is the logstash user not a member of the root group in the Logstash image?
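The group-membership effect described in the post can be checked from owner, group and mode bits alone. The script below is an added example, not part of the original post or of Elastic's setup; the function names and the numeric ids in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: mode-bit audit of a mounted certs directory (GNU stat, Linux).
# Ignores ACLs and capabilities; uid 0 is treated as bypassing mode bits.

# perm_ok UID "GID GID ..." PATH BIT   (BIT: 4 = read, 1 = search/execute)
perm_ok() {
    uid=$1; gids=$2; target=$3; bit=$4
    if [ "$uid" -eq 0 ]; then return 0; fi
    st=$(stat -c '%u %g %a' "$target") || return 2
    set -- $st                       # $1 owner uid, $2 owner gid, $3 octal mode
    mode=$(( 0$3 ))
    if [ "$uid" -eq "$1" ]; then
        shift_by=6                   # owner class only, even if group allows more
    else
        shift_by=0                   # "other" unless one of the gids matches
        for g in $gids; do
            if [ "$g" -eq "$2" ]; then shift_by=3; fi
        done
    fi
    [ $(( (mode >> shift_by) & bit )) -ne 0 ]
}

# audit_certs UID "GIDS" DIR: prints every path the identity cannot use and
# returns 1 if any. Directories need r (list) and x (enter); files need r.
audit_certs() {
    a_uid=$1; a_gids=$2
    denied=$(find "$3" \( -type d -o -type f \) | while IFS= read -r p; do
        if [ -d "$p" ]; then need="4 1"; else need=4; fi
        for b in $need; do
            if ! perm_ok "$a_uid" "$a_gids" "$p" "$b"; then
                echo "$p"; break
            fi
        done
    done)
    if [ -z "$denied" ]; then return 0; fi
    printf '%s\n' "$denied"
    return 1
}

# Usage (ids are assumptions; confirm with `id` inside each container):
#   audit_certs 1000 "1000" ./certs   # a user in its own group only
#   audit_certs 1000 "0"    ./certs   # a user in the root group
```

Running it against the host-side certs directory before starting the stack shows which paths a container identity would be denied, without attaching a shell to each container.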