Elasticsearch 8.0 RPM Install error when adding new node

I'm installing Elasticsearch 8.0 on a new 3-node cluster on Amazon Linux 2. I have Elasticsearch running on the first node. I created a new enrollment key on this node. When I try to enroll the 2nd node I get the following error:

# /usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token redacted_token

This node will be reconfigured to join an existing cluster, using the enrollment token that you provided.
This operation will overwrite the existing configuration. Specifically: 
  - Security auto configuration will be removed from elasticsearch.yml
  - The [certs] config directory will be removed
  - Security auto configuration related secure settings will be removed from the elasticsearch.keystore
Do you want to continue with the reconfiguration process [y/N]y

ERROR: Skipping security auto configuration because this node is configured to bootstrap or to join a multi-node cluster, which is not supported.

The Elasticsearch.yml on node 1 is:

cluster.name: esprod
node.name: esdata1.example.com
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: 0.0.0.0
discovery.seed_hosts: ["esdata1.example.com", "esdata2.example.com", "esdata3.example.com"]


xpack.security.enabled: true

xpack.security.enrollment.enabled: true

xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["esdata1.example.com","esdata2.example.com","esdata3.example.com"]

http.host: [_local_, _site_]

The Elasticsearch.yml on node2 prior to running the enrollment command was:

cluster.name: esprod
node.name: esdata2.example.com
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: 0.0.0.0
discovery.seed_hosts: ["esdata1.example.com", "esdata2.example.com", "esdata3.example.com"]


xpack.security.enabled: true

xpack.security.enrollment.enabled: true

xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["esdata1.example.com","esdata2.example.com","esdata3.example.com"]

http.host: [_local_, _site_]

After the failed attempt to enroll the node, the security configuration block at the end of Elasticsearch.yml has been removed.

Elasticsearch was never started before attempting the enrollment and /var/lib/Elasticsearch remains empty.

Any help would greatly appreciated.

If you had run this on node 2 immediately after installation, there wouldn’t be this line in the file. This is either added by running the reconfigure node tool or you added it yourself.

Can you please try this again on node two after you purge and reinstall the package ?

I edited the file and added it. I'm accustomed to the old install methods prior to 8.0 and thought that would be required.

Do I not modify the Elasticsearch.yml file at all before trying the enrollment? Sorry, the documentation for this new security on by default model isn't really clear.

Thank you for the feedback! We’ll do our best to make this more clear in the docs , have you read Install Elasticsearch with RPM | Elasticsearch Guide [master] | Elastic and specifically the Install Elasticsearch with RPM | Elasticsearch Guide [master] | Elastic section ?

Yes, the idea is that if you follow the enrollment process , you don’t even have to touch configuration files !
However, you can still configure everything in the same way you are used to in previous versions. The enrollment flow is an additional easy way to get started, it doesn’t take away anything from what you can already use

Thank you for your help. I have all nodes of the cluster online now.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.