KEYSTORE_PASSWORD_FILE

toughcoding · July 30, 2023, 6:22pm

Running Elasticsearch as docker container with
--env KEYSTORE_PASSWORD_FILE=/run/secrets/keystore_password

does not setup password for elasticsearch keystore. Although I am successfull with Elasticsearch password itself
--env ELASTIC_PASSWORD_FILE=/run/secrets/bootstrap_password \

I cannot get keystore password protected from the start. Permissions for secrets are 400.
I noticed in logs it looks ok but does not work

Setting ELASTIC_PASSWORD from ELASTIC_PASSWORD_FILE at /run/secrets/bootstrap_password
Setting KEYSTORE_PASSWORD from KEYSTORE_PASSWORD_FILE at /run/secrets/bootstrap_password
Created elasticsearch keystore in /usr/share/elasticsearch/config/elasticsearch.keystore

Tried also variables without _FILE suffix and same result - working as elastic bootstrap password but does not as keystore. Any idea guys?

Yang_Wang · July 31, 2023, 5:58am

I think the docs might have been unclear. The KEYSTORE_PASSSWORD or its file variation is used to provide password to an already encrypted password. It does not create a new keystore with it. The keystore is always created with no password. Quote from the docs

If you’ve already created the keystore and don’t need to update it, you can bind-mount the elasticsearch.keystore file directly. You can use the KEYSTORE_PASSWORD environment variable to provide the keystore password to the container at startup

toughcoding · July 31, 2023, 9:51am

Indeed documentation is confusing

You can use the contents of a file to set the value of the ELASTIC_PASSWORD or KEYSTORE_PASSWORD environment variables, by suffixing the environment variable name with _FILE. This is useful for passing secrets such as passwords to Elasticsearch without specifying them directly.

So the only solution is the precreate keystore using custom startup script. and then use KEYSTORE_PASSWORD_FILE for further accessing that keystore. Is it right?

toughcoding · August 1, 2023, 7:27pm

Tried workaround with precreated keystore but does not work. I think this is bug. Created entry for it

github.com/elastic/elasticsearch

KEYSTORE_PASSWORD & ELASTIC_PASSWORD do not work together with docker

opened 07:26PM - 01 Aug 23 UTC

toughcoding

>bug needs:triage

### Elasticsearch Version 8.9.0 ### Installed Plugins _No response_ ### Java… Version _bundled_ ### OS Version ubuntu:20.04 Linux 753c3b2604ff 5.15.49-linuxkit-pr #1 SMP PREEMPT Thu May 25 07:27:39 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux ### Problem Description When starting Elasticsearch as a docker container with **KEYSTORE_PASSWORD** and **ELASTIC_PASSWORD** set and keystore being password secured, it does not working properly as **bootstrap.password** is not setup correctly. When checking value of bootstrap.password it is returning empty string. Thus command line [54](https://github.com/elastic/dockerfiles/blob/8.9/elasticsearch/bin/docker-entrypoint.sh) `(echo "$COMMANDS" | elasticsearch-keystore add -x 'bootstrap.password')` is not causing bootstrap.password entry being created although running these commands manually in the container are successfull. In Contrary Running with non-encrypted keystore making bootstrap.password to be setup properly like below ``` docker run --rm \ -d \ -e ELASTIC_PASSWORD="123456" \ docker.elastic.co/elasticsearch/elasticsearch:8.9.0 ``` ### Steps to Reproduce Create container only to make encrypted keystore ``` docker run --rm \ --name elk \ -d \ -v esconf:/usr/share/elasticsearch/config \ docker.elastic.co/elasticsearch/elasticsearch:8.9.0 ``` Run command to setup password for already created keystore setting password as 123456 `docker exec -it elk elasticsearch-keystore passwd` ``` docker exec -it elk elasticsearch-keystore list Enter password for the elasticsearch keystore : keystore.seed xpack.security.http.ssl.keystore.secure_password xpack.security.transport.ssl.keystore.secure_password xpack.security.transport.ssl.truststore.secure_password ``` Stop container `docker stop elk` Start another container with password variables ``` docker run --rm \ --name elk \ -d \ -v esconf:/usr/share/elasticsearch/config \ -e ELASTIC_PASSWORD="987654" \ -e KEYSTORE_PASSWORD="123456" \ docker.elastic.co/elasticsearch/elasticsearch:8.9.0 ``` Checking if bootstrap password entry got created ``` docker exec -it elk elasticsearch-keystore list Enter password for the elasticsearch keystore : bootstrap.password keystore.seed xpack.security.http.ssl.keystore.secure_password xpack.security.transport.ssl.keystore.secure_password xpack.security.transport.ssl.truststore.secure_password ``` Run command to display bootstrap.password that normally should be equal to ELASTIC_PASSWORD `docker exec -it elk elasticsearch-keystore show bootstrap.password` BUT it is returning empty string thus bug. ### Logs (if relevant) Beginning of logs after starting second container. Script asking twice for keystore password. docker run --rm \ --name elk \ -v esconf:/usr/share/elasticsearch/config \ -e ELASTIC_PASSWORD="123456" \ -e KEYSTORE_PASSWORD="123456" \ docker.elastic.co/elasticsearch/elasticsearch:8.9.0 Enter password for the elasticsearch keystore : Enter password for the elasticsearch keystore : {"@timestamp":"2023-08-01T19:08:33.302Z", "log.level": "INFO",

system · August 29, 2023, 7:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.