Hi, everyone. I encounter an upgrade problem and really don't know how to deal with it.
The thing is that we need to upgrade es 6.2.4 to es 6.3.0, the cluster is build on some VM machines and the os is Ubuntu 16.04, there are master node, data node and client node in the cluster. We use security function and monitor function of x-pack in es 6.2.4 to According to the official guide, we can use rolling up upgrading to upgrade 6.2 to es 6.3. Here are my steps on master node:
First, disable the shard allocation and enable flush_sync:
PUT _cluster/settings
{
"persistent": {
"cluster.routing.allocation.enable": "primaries"
}
}
POST _flush/synced
Download es 6.3.0 and cover the config file with old es 6.2.4's config. According to official guide line, x-pack is a build in module in es from 6.3 so I comment the x-pack config in the config file:
config in 6.2.4 about x-pack:
Then I started es 6.3.0, there is no error message and the process seems to start up normally, but the node just cannot join the old cluster. It seems it even doesn't know the other master nodes' exist, and from the old cluster it also has nothing about this new node in log.
First I think it may be because of the security thing, so I copy the config/certs dir of es 6.2 to es 6.3 and uncomment the following config:
When I started es 6.3 again, some error log was found:
Caused by: java.io.IOException: keystore password was incorrect
...
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
...
It seems that es6.3 cannot use the es 6.2's certificate file. The certificate file is a global one and all nodes in es6.2 are the same. I started a new node with es6.2.4 use this cert is OK, the node join the cluster normally.
As this is a live cluster, so we cannot just stop the cluster and start a new one.
Now I really don't know what to do. Can some help? Thank you so much!
The fact that x-pack is built in, doesn't mean that you don't need to configure it You need to keep all the config you had in the previous elasticsearch.yml
Please, always share the full stack trace and not just small parts of this. This is really important for people trying to assist. If you don't give us all the information, we won't be able to help you.
The error is self-explanatory:
Caused by: java.io.IOException: keystore password was incorrect
xpack.security.transport.ssl.keystore.secure_password and xpack.security.transport.ssl.truststore.secure_password are stored in the elasticsearch keystore ( you can check with bin/elasticsearch-keystore list in an old node.
in the config file, and I do find a elasticsearch.keystore file in config dir. I think this is what you said
``xpack.security.transport.ssl.keystore.secure_passwordandxpack.security.transport.ssl.truststore.secure_passwordare stored in the elasticsearch keystore
But when I ran same command in new node I only got
keystore.seed
I may know what happened but I still don't know how to add the same key-store to the new node. I copy the elasticsearch.keystore file to the new node but it seems no help. Should I ran bin/elasticsearch-keystore create to create a new one? I wonder if the new created one is the same with the old?
Yes, I just find this in security guide line. But I don't know the password and the guy who build up this cluster has already gone. Is there another way to get the password or can I change the old password without stopping the cluster service? Many thanks!
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
You need to keep all the config you had in the previous elasticsearch.yml