Error in Elasticsearch cluster on Openshift after restarting nodes

Hi there, I have an Elasticsearch cluster 7.13.2:

  • 2 data nodes
  • 3 master nodes
  • 2 client nodes

All of them are deployed on Openshift with minimal security enabled.
TLS security is not enabled; it is not necessary in our case, and we don't want to enable it.

elasticsearch.yml is set with:
xpack:
  security.enabled: "true"

At first everything works fine, but if a master or data node is restarted, the node gets the following error:

[2021-07-29T18:35:42,762][INFO ][o.e.b.BootstrapChecks    ] [es-master-0] bound or publishing to a non-loopback address, enforcing bootstrap checks
ERROR: [1] bootstrap checks failed. You must address the points described in the following [1] lines before starting Elasticsearch.
bootstrap check failure [1] of [1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
ERROR: Elasticsearch did not exit normally - check the logs at /elasticsearch/pv1/logs/elasticsearch.log
[2021-07-29T18:35:43,365][INFO ][o.e.n.Node               ] [es-master-0] stopping ...
[2021-07-29T18:35:43,366][DEPRECATION][o.e.d.c.s.Settings       ] [es-master-0] [node.data] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.
.....
.....
.....
[2021-07-29T18:35:43,869][INFO ][o.e.n.Node               ] [es-master-0] stopped
[2021-07-29T18:35:43,869][INFO ][o.e.n.Node               ] [es-master-0] closing ...

Restarting nodes without security enabled works fine.

Am I missing some security configuration for minimal security (not TLS)?

Did you try doing either of the two things the message tells you to do?

Unfortunately these are your only options, you can't use security without transport TLS.

Thank you David for your answer.
But why does the cluster work fine with minimal security until a node is restarted? We really don't need to enable TLS security because the cluster is already secured in Openshift. Also, the procedure to enable TLS is very long and complex, even more so in Openshift.

I'd really appreciate any additional comments about how to deal with this issue!

Enabling TLS is required in order to enable security in a multi-node cluster. You cannot get around this requirement.

It's complicated. At some point in the past we permitted a superficially-similar config, and we care about avoiding breaking changes so we can't just reject it. The trouble is that we can't tell if we're in the legacy setup or not until we join the cluster for the first time, so we have to let you get away with the bad setup on the first start.

Enabling TLS is fairly straightforward in most environments. Maybe there's something special about Openshift that makes it unusually difficult? I'm guessing that satisfying hostname verification might be the tricky bit, but if you really don't care about security you can set xpack.security.transport.ssl.verification_mode: certificate to bypass that.

I added the

"xpack.security.transport.ssl.verification_mode: certificate"

entry to the elasticsearch.yml file, but I'm still getting the same error when the node is restarted.

Do I have to set something else in order to avoid TLS security?

We have an open issue for this. But as suggested above, the recommended approach is to enable TLS for transport.

Enabling TLS on transport involves more than just this single setting. You can refer to the instructions for setting up basic security.

Thank you Yang, I was trying to make it work without TLS. But I understand you are telling me that this is not possible.
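
A pre-deployment check for the situation in this thread, as an added example that is not from any of the posters or from Elasticsearch itself: it flags an elasticsearch.yml that enables security without transport TLS, the combination that starts once and then fails the bootstrap check on restart. The function names, the simplified YAML flattening and the keystore file name are assumptions for illustration.

```python
import re

# Constructed samples: the thread's config, and one with transport TLS enabled.
# The keystore file name is a placeholder, not a value from the thread.
THREAD_CONFIG = 'xpack:\n  security.enabled: "true"\n'
FIXED_CONFIG = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/node.p12
xpack.security.transport.ssl.truststore.path: certs/node.p12
"""
SSL = "xpack.security.transport.ssl."

def flatten(text):
    """Flatten nested and dotted YAML mappings of plain scalars to dotted keys."""
    settings, parents = {}, []            # parents: (indent, key) of open mappings
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while parents and parents[-1][0] >= indent:
            parents.pop()                 # leave mappings we have dedented out of
        value = value.strip().strip("\"'")
        if value:
            settings[".".join([k for _, k in parents] + [key.strip()])] = value
        else:
            parents.append((indent, key.strip()))
    return settings

def check(text):
    """Return findings for one node's config in a multi-node cluster."""
    s = flatten(text)
    on = lambda key: s.get(key, "false").lower() == "true"
    if not on("xpack.security.enabled"):
        return []                         # the transport TLS check does not apply
    findings = []
    if not on(SSL + "enabled"):
        findings.append("FAIL: security enabled without transport TLS")
    elif not (s.get(SSL + "keystore.path") or s.get(SSL + "certificate")):
        findings.append("FAIL: transport TLS enabled without a keystore or certificate")
    if s.get(SSL + "verification_mode", "full") in ("certificate", "none"):
        findings.append("WARN: hostname verification is not enforced")
    return findings

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check(cfg) or ["OK"])
```

Adding only `verification_mode: certificate` to the thread's config, as tried above, still produces the FAIL finding because `xpack.security.transport.ssl.enabled` is never set.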
