toughcoding
(toughcoding by Tom D)
August 1, 2023, 7:27pm
Tried the workaround with a precreated keystore, but it does not work. I think this is a bug. Created an entry for it:
opened 07:26PM - 01 Aug 23 UTC
>bug
needs:triage
### Elasticsearch Version
8.9.0
### Installed Plugins
_No response_
### Java Version
_bundled_
### OS Version
ubuntu:20.04 Linux 753c3b2604ff 5.15.49-linuxkit-pr #1 SMP PREEMPT Thu May 25 07:27:39 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux
### Problem Description
When starting Elasticsearch as a Docker container with **KEYSTORE_PASSWORD** and **ELASTIC_PASSWORD** set and the keystore being password-secured, it does not work properly, as **bootstrap.password** is not set up correctly.
When checking the value of bootstrap.password, it returns an empty string. Thus the command at line [54](https://github.com/elastic/dockerfiles/blob/8.9/elasticsearch/bin/docker-entrypoint.sh)
`(echo "$COMMANDS" | elasticsearch-keystore add -x 'bootstrap.password')`
does not cause the bootstrap.password entry to be created, although running these commands manually in the container is successful.
In contrast, running with a non-encrypted keystore sets up bootstrap.password properly, as below:
```
docker run --rm \
-d \
-e ELASTIC_PASSWORD="123456" \
docker.elastic.co/elasticsearch/elasticsearch:8.9.0
```
### Steps to Reproduce
Create a container only to make an encrypted keystore:
```
docker run --rm \
--name elk \
-d \
-v esconf:/usr/share/elasticsearch/config \
docker.elastic.co/elasticsearch/elasticsearch:8.9.0
```
Run the command to set up a password for the already created keystore, setting the password to 123456:
`docker exec -it elk elasticsearch-keystore passwd`
```
docker exec -it elk elasticsearch-keystore list
Enter password for the elasticsearch keystore :
keystore.seed
xpack.security.http.ssl.keystore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password
```
Stop the container:
`docker stop elk`
Start another container with the password variables:
```
docker run --rm \
--name elk \
-d \
-v esconf:/usr/share/elasticsearch/config \
-e ELASTIC_PASSWORD="987654" \
-e KEYSTORE_PASSWORD="123456" \
docker.elastic.co/elasticsearch/elasticsearch:8.9.0
```
Check whether the bootstrap password entry got created:
```
docker exec -it elk elasticsearch-keystore list
Enter password for the elasticsearch keystore :
bootstrap.password
keystore.seed
xpack.security.http.ssl.keystore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password
```
Run the command to display bootstrap.password, which normally should be equal to ELASTIC_PASSWORD:
`docker exec -it elk elasticsearch-keystore show bootstrap.password`
BUT it returns an empty string, thus a bug.
### Logs (if relevant)
Beginning of the logs after starting the second container. The script asks twice for the keystore password.
```
docker run --rm \
--name elk \
-v esconf:/usr/share/elasticsearch/config \
-e ELASTIC_PASSWORD="123456" \
-e KEYSTORE_PASSWORD="123456" \
docker.elastic.co/elasticsearch/elasticsearch:8.9.0
Enter password for the elasticsearch keystore : Enter password for the elasticsearch keystore : {"@timestamp":"2023-08-01T19:08:33.302Z", "log.level": "INFO",
```