Okay, so I performed the following surgery:
PUT .fleet-policies-7/_settings
{
  "index": {
    "blocks.read_only": true
  }
}

POST .fleet-policies-7/_shrink/.fleet-policies-smol
{
  "settings": {
    "index.routing.allocation.require._name": null,
    "index.blocks.write": null
  }
}

PUT .fleet-policies-7/_settings
{
  "index": {
    "blocks.read_only": false
  }
}

DELETE .fleet-policies-7

POST .fleet-policies-smol/_clone/.fleet-policies-7

POST /_aliases
{
  "actions": [
    {
      "add": {
        "index": ".fleet-policies-7",
        "alias": ".fleet-policies",
        "is_write_index": true
      }
    }
  ]
}
(Again for the .fleet-actions index.)
After that, I'm getting the following on the fleet server:
{"log.level":"info","index":".fleet-policies","ctx":"index monitor","error.message":"elastic fail 400:status_exception:number of checkpoints must equal number of shards. [shard count: 1, checkpoint count: 2]","@timestamp":"2021-06-16T20:26:07.228Z","message":"failed on waiting for global checkpoints advance"}
... but a fleet server restart solves this.
I can now perform live queries, and the results come back almost immediately. It's like magic!
I will try to weigh in on the GitHub issues that I found with my story here, so that we may get some system index protection from rogue templates in the future.