Running elasticsearch as daemon from shell script with password-protected keystore file

Issue - elasticsearch doesn't start when running it as daemon from shell script. Details:

I installed elasticsearch version 7.9.3 from archive on RHEL
Configured 2 nodes cluster with TLS/SSL in elasticsearch.yml
Protected elastic-certificates.p12 and http.p12 with passwords and added these passwords in elasticsearch.keystore file
I'm starting es nodes from shell script and testing two use cases

1st - elasticsearch.keystore file is Not password-protected and elasticsearch nodes started, up and running successfully as follows

ES_JAVA_OPTS="-Xms2g -Xmx2g" bin/elasticsearch -d -p /path_to_pid_file/es_pid > /dev/null 2>&1 &

2nd - elasticsearch.keystore file is password-protected and its password is in my_pwd_file.tmp file. I'm starting elasticsearch nodes from shell script as follows

ES_JAVA_OPTS="-Xms2g -Xmx2g ES_KEYSTORE_PASSPHRASE_FILE=/path_to_passphrase_file/my_pwd_file.tmp" bin/elasticsearch -d -p /path_to_pid_file/es_pid > /dev/null 2>&1 &

I tried also start nodes with the following

ES_KEYSTORE_PASSPHRASE_FILE="/path_to_passphrase_file/my_pwd_file.tmp" ES_JAVA_OPTS="-Xms2g -Xmx2g" bin/elasticsearch -d -p /path_to_pid_file/es_pid > /dev/null 2>&1 &

Elasticsearch nodes failed to start, log file even has not been created.

The doc at says "If you have password-protected the Elasticsearch keystore, you will be prompted to enter the keystore's password. See Secure settings for more details" and advises to provide password when prompted while starting es as daemon manually from command line, but the doc says nothing about how to provide password when starting es as daemon from shell script.

Is there any way to properly pass the password or file with password of password-protected elasticsearch.keystore file when starting es as daemon from shell script ? (in my case, or may be using some attributeds in jvm.options file somehow or anything else ?

Interesting.... hmm, it looks that the ./bin/elasticsearch script is requiring the keystore password input from stdin

If you look at the actual script that starts ./bin/elasticsearch you can see why.

From the script

# get keystore password before setting java options to avoid
# conflicting GC configurations for the keystore tools
if [[ $CHECK_KEYSTORE = true ]] \
    && bin/elasticsearch-keystore has-passwd --silent
  if ! read -s -r -p "Elasticsearch keystore password: " KEYSTORE_PASSWORD ; then
    echo "Failed to read keystore password on console" 1>&2
    exit 1

I did get this to work...

export ES_KEYSTORE_PASSPHRASE_FILE="/Users/sbrown/workspace/elastic-install/7.9.1/elasticsearch-7.9.1/pwd.txt"

cat $ES_KEYSTORE_PASSPHRASE_FILE | ./bin/elasticsearch -d -p ./pid.txt

or this

.bin/elasticsearch -d -p ./pid.txt <<< `cat $ES_KEYSTORE_PASSPHRASE_FILE` 

Or you could write your own... or alter ./bin/elasticsearch it is a bash script, but then you would need to maintain changes.

Of course you will need to protect that keyword password file.

Perhaps someone else will have a better answer.

1 Like

It worked
Thank you very much Stephen

1 Like