Hi there, I have an Elasticsearch 7.13.2 cluster:
2 data nodes
3 master nodes
2 client nodes
All of them are deployed on Openshift with minimal security enabled.
TLS security is not enabled; it is not necessary in our case, and we don't want to enable it.
elasticsearch.yml is set with:
xpack:
  security.enabled: "true"
At first all is working fine, but if a master or data node is restarted, the node gets the following error:
[2021-07-29T18:35:42,762][INFO ][o.e.b.BootstrapChecks ] [es-master-0] bound or publishing to a non-loopback address, enforcing bootstrap checks
ERROR: [1] bootstrap checks failed. You must address the points described in the following [1] lines before starting Elasticsearch.
bootstrap check failure [1] of [1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]
ERROR: Elasticsearch did not exit normally - check the logs at /elasticsearch/pv1/logs/elasticsearch.log
[2021-07-29T18:35:43,365][INFO ][o.e.n.Node ] [es-master-0] stopping ...
[2021-07-29T18:35:43,366][DEPRECATION][o.e.d.c.s.Settings ] [es-master-0] [node.data] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.
.....
.....
.....
[2021-07-29T18:35:43,869][INFO ][o.e.n.Node ] [es-master-0] stopped
[2021-07-29T18:35:43,869][INFO ][o.e.n.Node ] [es-master-0] closing ...
Restarting nodes without security enabled works fine.
Am I missing some security configuration for minimal security (not TLS)?
Thank you David for your answer.
But why does the cluster work fine with minimal security until a node is restarted? We really don't need to enable TLS security because the cluster is already secured in Openshift. Also, the procedure to enable TLS is very long and complex, even more so in Openshift.
I'd really appreciate any complementary comment about how to face this issue!
It's complicated. At some point in the past we permitted a superficially-similar config, and we care about avoiding breaking changes so we can't just reject it. The trouble is that we can't tell if we're in the legacy setup or not until we join the cluster for the first time, so we have to let you get away with the bad setup on the first start.
Enabling TLS is fairly straightforward in most environments. Maybe there's something special about Openshift that makes it unusually difficult? I'm guessing that satisfying hostname verification might be the tricky bit, but if you really don't care about security you can set xpack.security.transport.ssl.verification_mode: certificate to bypass that.
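As an added example (not taken from this thread or from Elastic's own documentation), the two elasticsearch.yml variants side by side: the minimal-security setting that passes the first start but trips the bootstrap check on every later restart, and a transport-TLS configuration that satisfies it while still letting nodes authenticate each other through a shared CA. The certificate file name, the certs/ directory and the certutil invocations are assumptions about how the PKCS#12 material is produced and mounted, not settings from the original posts.

```yaml
# --- Variant 1: what the nodes run today (rejected on restart) ---
# Security on without transport TLS is only tolerated on the very first
# start of a node; once it has joined the cluster, every later restart
# fails with "Transport SSL must be enabled if security is enabled on a
# [basic] license" (the log lines quoted above).
---
xpack.security.enabled: true
# xpack.security.transport.ssl.enabled is absent, i.e. false

# --- Variant 2: transport TLS enabled (passes the bootstrap check) ---
# Assumed one-off preparation on a single host (not from the thread):
#   bin/elasticsearch-certutil ca --out elastic-stack-ca.p12
#   bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 \
#       --out elastic-certificates.p12
# Copy elastic-certificates.p12 into every node's config directory; on
# OpenShift a Secret mounted at <config dir>/certs is an assumed layout.
---
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
# One PKCS#12 file carries the node key/certificate and the CA that
# signed it, so it serves as both keystore and truststore. Relative
# paths are resolved against the config directory.
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
# "certificate" still verifies the peer's chain against the CA; it only
# skips hostname verification, which is what David suggests above for
# environments where pod names/IPs are not in the certificate SANs.
# "full" would additionally require those names to match.
xpack.security.transport.ssl.verification_mode: certificate
# Keystore/truststore passwords do not belong in this file in clear text;
# they go into the Elasticsearch keystore on each node:
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
```

The two variants are separated with YAML document markers (`---`) only so both can sit in one listing; a real elasticsearch.yml contains just the second one.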