Running elasticsearch as daemon from shell script with password-protected keystore file

dzyubanv · January 3, 2021, 3:07am

Issue - elasticsearch doesn't start when running it as daemon from shell script. Details:

I installed elasticsearch version 7.9.3 from archive on RHEL
Configured 2 nodes cluster with TLS/SSL in elasticsearch.yml
Protected elastic-certificates.p12 and http.p12 with passwords and added these passwords in elasticsearch.keystore file
I'm starting es nodes from shell script start_es.sh and testing two use cases

1st - elasticsearch.keystore file is Not password-protected and elasticsearch nodes started, up and running successfully as follows

ES_JAVA_OPTS="-Xms2g -Xmx2g" bin/elasticsearch -d -p /path_to_pid_file/es_pid > /dev/null 2>&1 &

2nd - elasticsearch.keystore file is password-protected and its password is in my_pwd_file.tmp file. I'm starting elasticsearch nodes from shell script start_es.sh as follows

ES_JAVA_OPTS="-Xms2g -Xmx2g ES_KEYSTORE_PASSPHRASE_FILE=/path_to_passphrase_file/my_pwd_file.tmp" bin/elasticsearch -d -p /path_to_pid_file/es_pid > /dev/null 2>&1 &

I tried also start nodes with the following start_es.sh

ES_KEYSTORE_PASSPHRASE_FILE="/path_to_passphrase_file/my_pwd_file.tmp" ES_JAVA_OPTS="-Xms2g -Xmx2g" bin/elasticsearch -d -p /path_to_pid_file/es_pid > /dev/null 2>&1 &

Elasticsearch nodes failed to start, log file even has not been created.

The doc at https://www.elastic.co/guide/en/elasticsearch/reference/7.9/targz.html#setup-installation-daemon says "If you have password-protected the Elasticsearch keystore, you will be prompted to enter the keystore's password. See Secure settings for more details" and advises to provide password when prompted while starting es as daemon manually from command line, but the doc says nothing about how to provide password when starting es as daemon from shell script.

Is there any way to properly pass the password or file with password of password-protected elasticsearch.keystore file when starting es as daemon from shell script ? (in my case start_es.sh), or may be using some attributeds in jvm.options file somehow or anything else ?

stephenb · January 4, 2021, 4:47am

Interesting.... hmm, it looks that the ./bin/elasticsearch script is requiring the keystore password input from stdin

If you look at the actual script that starts ./bin/elasticsearch you can see why.

From the script

# get keystore password before setting java options to avoid
# conflicting GC configurations for the keystore tools
unset KEYSTORE_PASSWORD
KEYSTORE_PASSWORD=
if [[ $CHECK_KEYSTORE = true ]] \
    && bin/elasticsearch-keystore has-passwd --silent
then
  if ! read -s -r -p "Elasticsearch keystore password: " KEYSTORE_PASSWORD ; then
    echo "Failed to read keystore password on console" 1>&2
    exit 1
  fi
fi

I did get this to work...

export ES_KEYSTORE_PASSPHRASE_FILE="/Users/sbrown/workspace/elastic-install/7.9.1/elasticsearch-7.9.1/pwd.txt"

cat $ES_KEYSTORE_PASSPHRASE_FILE | ./bin/elasticsearch -d -p ./pid.txt

or this

.bin/elasticsearch -d -p ./pid.txt <<< `cat $ES_KEYSTORE_PASSPHRASE_FILE`

Or you could write your own... or alter ./bin/elasticsearch it is a bash script, but then you would need to maintain changes.

Of course you will need to protect that keyword password file.

Perhaps someone else will have a better answer.

dzyubanv · January 4, 2021, 11:10pm

It worked
Thank you very much Stephen

system · February 1, 2021, 11:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.