Elasticsearch Keystore not being created

ANUBHAV_GUPTA · August 18, 2023, 5:55pm

Hi there,
So, I am trying to run a simple ES single-node cluster.
Here is the Dockerfile:-

FROM elasticsearch:8.7.0
COPY . . #this copies the start_es.sh
ENTRYPOINT ["./start_es.sh"]

The start_es.sh contains nothing but the entrypoint "bin/elasticsearch" only.

But when I am running the following command:-

sudo docker run -it --pull=always --privileged -p 9200:9200 -p 9300:9300 -e discovery.type=single-node -e xpack.ml.enabled=false -e ES_JAVA_OPTS="-Xms1g -Xmx1g" -e ELASTIC_PASSWORD=elastic es_image:latest

The issue is, there is no Elasticsearch keystore created to store the password that i am setting explicitly. Instead it is ignoring the password that I am providing and creating a randomized password similar to what it creates when we run with just xpack.security.enabled=true.

But when i am running with the official ES images it does create the Elasticsearch keystore as expected like this:-

Created elasticsearch keystore in /usr/share/elasticsearch/config/elasticsearch.keystore

I am doing nothing but just running the ES entrypoint from within a shell script and that's it.
All other env variables are working fine but the elasticsearch keystore is not working.

Could someone please help me here to understand the problem or What I am doing wrong?

Thanks in advance!

dadoonet · August 18, 2023, 7:52pm

Why do you want to provide your own startup script instead of using the default behavior?

If you really want to do it, have a look at this:

github.com

elastic/elasticsearch/blob/001fcfb931454d760dbccff9f4d1b8d113f8708c/distribution/docker/src/docker/bin/docker-entrypoint.sh#L4


      
          #!/bin/bash
          set -e
          
          # Files created by Elasticsearch should always be group writable too
          umask 0002
          
          # Allow user specify custom CMD, maybe bin/elasticsearch itself
          # for example to directly specify `-E` style parameters for elasticsearch on k8s
          # or simply to run /bin/bash to check the image
          if [[ "$1" == "eswrapper" || $(basename "$1") == "elasticsearch" ]]; then
            # Rewrite CMD args to remove the explicit command,
            # so that we are backwards compatible with the docs
            # from the previous Elasticsearch versions < 6
            # and configuration option:

ANUBHAV_GUPTA · August 19, 2023, 4:14am

thanks for the response @dadoonet .
Actually I want to set vm.max_map_count=262144 and max file descriptors during the startup.
Because I have some unavoidable limitation where I cannot set this value from the host VM itself.
therefore I am trying to run a script like this in as an ENTRYPOINT in Dockerfile:-

For your reference here is the script.

#!/bin/bash
new_value=262144
#Check if running as root
if [[ $(id -u) -ne 0 ]]; then
echo "This script must be run as root or with sudo."
exit 1
else
echo "vm.max_map_count = $new_value" >> /etc/sysctl.conf
echo "elasticsearch - nofile 65535" >> /etc/security/limits.conf
sysctl -p
su -c "bin/elasticsearch" elasticsearch #running with elasticsearch user
fi

Kindly suggest if am doing something wrong here.

dadoonet · August 19, 2023, 5:30am

I believe that this is covered in the documentation. See Install Elasticsearch with Docker | Elasticsearch Guide [8.9] | Elastic

DavidTurner · August 19, 2023, 6:25am

I don't think that covers it @dadoonet, the docs say how to set this up on the host but the OP can't do that for some reason and wants to set it in the Dockerfile instead.

The ENTRYPOINT script doesn't pass any arguments to bin/elasticsearch. If you want to pass command line arguments to Elasticsearch, you need to add them there.

ANUBHAV_GUPTA · August 19, 2023, 6:42am

thanks for the reply @DavidTurner !
As suggested by @dadoonet , I am using the docker-entrypoint.sh script.
As below where, I running 2 script from a 3rd script passed in entrypoint. like below:-

#!/bin/bash
#Run the script to set the kernel parameters with root priviledge
./set_kernel_parameters.sh
#Run the docker-entrypoint.sh with elasticsearch user
su -c "./docker-entrypoint.sh" elasticsearch

But here I am getting the following error:-

vm.max_map_count = 262144
./entrypoint.sh: line 44: elasticsearch-keystore: command not found

From above output it says, the kernel parameters are set successfully from ./set_kernel_parameters.sh but docker-entrypoint.sh is having some issue.

I think we are very close to get this solved.
Any help is appreciated!

thanks

DavidTurner · August 19, 2023, 7:23am

Try using an absolute path instead, maybe /usr/share/elasticsearch/bin/elasticsearch-keystore?

ANUBHAV_GUPTA · August 19, 2023, 9:00am

I substituted elasticsearch-keystore with /usr/share/elasticsearch/bin/elasticsearch-keystore in the docker-entrypoint.sh and it worked.

Thanks a lot @DavidTurner !

DavidTurner · August 19, 2023, 10:36am

Great. I opened docker-entrypoint.sh uses a mix of absolute and relative/implied paths · Issue #98643 · elastic/elasticsearch · GitHub to ask whether we consider that a bug or not.

ANUBHAV_GUPTA · August 19, 2023, 12:36pm

hey @DavidTurner, Now I am getting this error:-

Created elasticsearch keystore in /usr/share/elasticsearch/config/elasticsearch.keystore

ERROR: Missing logging config file at /usr/share/elasticsearch/config/log4j2.properties

Path also matches from the docker-entrypoint.sh

What could be the issue here?

This is occurring when I am mounting my self signed certificates into usr/share/elasticsearch/config
and but working fine when I am mounting them to usr/share/elasticsearch/config/certificates.

thanks in advance!

DavidTurner · August 19, 2023, 7:35pm

It says that the file it needs is missing, but unfortunately I don't know any more about this. I think you must not be creating your container image correctly.

ANUBHAV_GUPTA · August 20, 2023, 4:30am

I have created a "certificates" directory in /usr/sahre/elasticsearch/config/. It is working fine now.
Is this what you are referring to?

system · September 17, 2023, 4:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.