Getting plugins behind a proxy


(Jim Hendrick) #1

The current model of running "plugin -i" is not going to work well in organizations that are leery about changes directly from the Internet.

Please consider making everything available as a static download with some form of validation (hash values, public key signatures, etc.) so that environments where servers do not (and should never) have access to the Internet can get the deployments after sufficient testing by the user.

Thanks!


(Nik Everett) #2

I'm not sure there is much point to this. We're one of those organizations
that doesn't allow internet access from the production cluster and we
also have a standard mechanism for deploying blobs like the plugin jars.
I guess I'm saying that many organizations which doesn't allow internet
access from the cluster are already going to have a blob deployment setup
anyway and will want to use that instead of the Elasticsearch plugin
installer.

That's just my suspicion given my experience though.


(Jim Hendrick) #3

Hmmm - I think I am asking for the same thing. I want to be able to download the code as a file (blob, tgz, zip, whatever) and validate that Elastic created it (somehow).
Then test it in a non-prod environment and finally push it to prod.

While most elasticsearch plugins are available this way, not all are and even the ones that are are often quite hard to find.

I'm just asking that all available files be offered as easily available downloads somewhere.


(David Pilato) #4

Plugin manager supports --url option which might help in that case.


(Nik Everett) #5

Ah! I get it, yeah. We do this all the time, but its true that there isn't
a single place where the plugins live.

For the most part we get plugins from maven central and we just validate
the checksums there before we push them to prod using our own proxy system.

If you run the installer in verbose mode you should be able to see where it
gets the file. Normally those places have some way to recheck the checksums.

Do you think Elasticsearch should have something else?


(Jim Hendrick) #6

OK - couple things:

  1. If the location of plugin download files (with checksums or sigs) were more easily found on the site, that would help a lot.

  2. I know about how to install with "plugin -url" once I have the file (but thanks)

  3. If I use "plugin -v" I need to run it with the permissions that could write to the directory and then hit Ctrl-C really fast so I don't actually write anything.

Would it be possible to add a "-n" option that says "don't actually do this, just tell me what you would do"?
So:
plugin -inv would output
-> Installing elasticsearch/
Trying http://download.elasticsearch.org/elasticsearch/.zip...
Quitting - as you told me not to actually do anything

Or maybe a "-d" option that would "Download only" the file to (say) the current directory ?

Just thoughts,
Jim


(Nik Everett) #7

+1 for -d

I usually run it on my laptop and let it fetch the files so a -n option
isn't a big deal for me. But -d would dovetail nicely with --url.


(David Pilato) #8

Lot of things are going to change for the plug manager. https://github.com/elastic/elasticsearch/pull/9998 https://github.com/elastic/elasticsearch/pull/9998

It might open the road from other changes as well.


(system) #9