Running Elasticsearch as docker container with
does not set up a password for the Elasticsearch keystore. Although I am successful with the Elasticsearch password itself
--env ELASTIC_PASSWORD_FILE=/run/secrets/bootstrap_password \
I cannot get the keystore password-protected from the start. Permissions for secrets are 400.
I noticed that in the logs it looks OK, but it does not work:
Setting ELASTIC_PASSWORD from ELASTIC_PASSWORD_FILE at /run/secrets/bootstrap_password
Setting KEYSTORE_PASSWORD from KEYSTORE_PASSWORD_FILE at /run/secrets/bootstrap_password
Created elasticsearch keystore in /usr/share/elasticsearch/config/elasticsearch.keystore
I also tried the variables without the _FILE suffix, with the same result: it works as the elastic bootstrap password but not as the keystore password. Any ideas, guys?
I think the docs might have been unclear. The KEYSTORE_PASSWORD or its file variation is used to provide a password to an already encrypted password. It does not create a new keystore with it. The keystore is always created with no password. Quote from the docs:
If you’ve already created the keystore and don’t need to update it, you can bind-mount the elasticsearch.keystore file directly. You can use the KEYSTORE_PASSWORD environment variable to provide the keystore password to the container at startup
Indeed, the documentation is confusing:
You can use the contents of a file to set the value of the KEYSTORE_PASSWORD environment variables, by suffixing the environment variable name with _FILE. This is useful for passing secrets such as passwords to Elasticsearch without specifying them directly.
So the only solution is to precreate the keystore using a custom startup script, and then use KEYSTORE_PASSWORD_FILE for further access to that keystore. Is that right?
I tried the workaround with a precreated keystore, but it does not work. I think this is a bug. Created an entry for it