ES 6.3.2 Elasticsearch keystore creation and usage

Hi Elastic Team,

One of the breaking changes from 6.2 to 6.3 is that the keystore now gets created alongside elasticsearch.yml if the keystore doesn't exist yet.

Our elasticsearch.yml is stored on a read-only filesystem (configured using the path.conf setting); therefore, the keystore creation fails.

The plan we have is to manually create a keystore, then put it on the same read-only filesystem alongside elasticsearch.yml.

One worry about this approach is whether Elasticsearch needs to modify the keystore at any point during its runtime. If it does, it wouldn't be able to make the modification because the filesystem is read-only.

I tried checking the docs, but the docs don't have this information on whether ES needs to modify the keystore at any point. Could you please advise?


If you've already created the keystore manually, a running Elasticsearch instance will not modify it. Only the elasticsearch-keystore CLI will change it. Note, however, that the installation scriptlets for rpm/deb depend on there being a checksum of the initially created keystore, so that we can know whether it has been changed and can be deleted upon package removal.


Thanks Ryan
