Now I've tried a number of different things to change the password of the "elastic" user to start setting up the Minimal Security, but they don't seem to work for me for building the container. These containers are going to be run on a Kubernetes cluster.
For example, I've tried updating the Dockerfile like so from this thread:
FROM docker.elastic.co/elasticsearch/elasticsearch:8.12.2
COPY config/elasticsearch.yml config/
WORKDIR /usr/share/elasticsearch/
RUN printf "elk-testing" | ./bin/elasticsearch-keystore add "bootstrap.password" -x -f
But that didn't seem to update the password as I had thought it would. I've also tried to build this Dockerfile, which I also saw in the same post. This seemed like it would accomplish what I needed, but I couldn't get it to complete the Docker build:
FROM docker.elastic.co/elasticsearch/elasticsearch:8.12.2
COPY config/elasticsearch.yml config/
WORKDIR /usr/share/elasticsearch/
RUN printf "elk-testing" | ./bin/elasticsearch-reset-password -b -i -u elastic
I also came across this API documentation but couldn't get it to work as I need to authenticate as the "elastic" user which we haven't set up a password for yet.
Thank you for the welcome! Oh sorry about that, that's a copy/paste typo from when I was editing. I do in fact have xpack.security.enabled: true, I'll edit the original post. Looks like I can no longer edit the original post. This is what I currently have:
Thank you for the Documentation link! That's the same documentation I was following, but was having difficulty importing those changes into a Dockerfile to be used as a Docker Container with the Minimal Security setup.
Does your node preserve its data directory between restarts (hopefully it does, or you'll lose all your data every time)?
If it does, and you already have a password for the elastic user (which may have been auto generated) then setting bootstrap.password won't help you - security has already been bootstrapped.
It's hard to give useful advice because I don't understand your current state very well.
There are several options for configuring security on docker because docker is used for a wide variety of use cases from throw away test containers to long-running development instances, to mission critical production workloads. There will be an option that suits you, but you'll need to decide which one it is.
If you want to start a brand new container (with no existing data) with a known password for the elastic user, then you can set ELASTIC_PASSWORD to the value of the password. That's not ideal because it leaves the password in clear text in the environment variable and inside the node's keystore. But for a throwaway / dev instance that's super easy.
For more security you can do the above, and then change the password via the API after the cluster has formed.
You can run an interactive container (-i -t) and the randomly generated elastic password will be provided in the console. That's good for local manual setup, but not so good for scripted setup.
You can enter the docker container and run reset-password.
You can configure a file realm user as part of your initial set up so that you have a separate superuser with a password under your control.
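The first two options above (start a fresh node with ELASTIC_PASSWORD, then change the password through the API once the node is up), as an added example that is not part of the original posts. It assumes plain HTTP on localhost:9200 as in the thread's curl test; the function names and the ES_URL, OLD_PASS, NEW_PASS and RETRY_SECS variables are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes plain HTTP on localhost:9200 as in
# the thread's curl test; <old> is the value the node got via ELASTIC_PASSWORD.
ES_URL="${ES_URL:-http://localhost:9200}"

# Passwords end up inside a curl config line and a JSON string, so this example
# accepts only a conservative character set (and Elasticsearch's 6-char minimum).
safe_pass() {
  [ "${#1}" -ge 6 ] || return 1
  case "$1" in *[!A-Za-z0-9._~+=@%-]*) return 1 ;; esac
  return 0
}

# Call Elasticsearch as "elastic" and print the HTTP status. Credentials and body
# go to curl via a config on stdin (-K -), keeping them out of the process list.
es_call() {  # es_call <password> <path> [new_password]
  {
    printf 'user = "elastic:%s"\n' "$1"
    if [ -n "${3:-}" ]; then
      printf 'header = "Content-Type: application/json"\n'
      printf 'data = "{\\"password\\":\\"%s\\"}"\n' "$3"
    fi
  } | curl -s -o /dev/null -w '%{http_code}' -K - "${ES_URL}$2"
}

# Returns 0 once the new password authenticates, 1 if the node never answered,
# 2 if it kept rejecting the bootstrap password (e.g. security was already
# bootstrapped on a reused data directory), 3 if the change failed, 4 on bad input.
rotate_elastic_password() {  # rotate_elastic_password <old> <new> [tries]
  safe_pass "$1" && safe_pass "$2" || return 4
  tries="${3:-30}"
  while :; do
    code=$(es_call "$1" "/_cluster/health") || true
    [ "$code" = "200" ] && break
    tries=$((tries - 1))
    if [ "$tries" -le 0 ]; then
      [ "$code" = "401" ] && return 2
      return 1
    fi
    sleep "${RETRY_SECS:-2}"
  done
  [ "$(es_call "$1" "/_security/user/elastic/_password" "$2")" = "200" ] || return 3
  [ "$(es_call "$2" "/_cluster/health")" = "200" ] || return 3
}

# Runs only when OLD_PASS and NEW_PASS are both set in the environment.
if [ -n "${OLD_PASS:-}" ] && [ -n "${NEW_PASS:-}" ]; then
  rotate_elastic_password "$OLD_PASS" "$NEW_PASS"
fi
```

A return code of 2 corresponds to the case described above where a password already exists in the data directory, so the bootstrap value is never accepted.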
Does your node preserve its data directory between restarts
This is a great point! Right now we do have an external mount that the Pods can use to persist data, we'll have to make sure to use it for the Elastic Pods as well!
For the first option of setting ELASTIC_PASSWORD, will the following work (We're using kubernetes configmap for the value of elasticsearch.hosts: in the kibana yaml config file)?
FROM docker.elastic.co/kibana/kibana:8.12.2
COPY --chown=1000:0 config/kibana.yml /usr/share/kibana/config/kibana.yml
RUN ./bin/kibana-keystore create
RUN printf "test-kibana-pass" | ./bin/kibana-keystore add elasticsearch.password --stdin
RUN ./bin/kibana
So I deployed the following Dockerfile, the same as above but removed the Kibana Password, for the Elasticsearch container:
FROM docker.elastic.co/elasticsearch/elasticsearch:8.12.2
COPY config/elasticsearch.yml config/
ENV ELASTIC_PASSWORD test-elastic-pass
When I dropped into the Pod to test the password using the command curl -X GET "localhost:9200/_cluster/health?pretty" I get the following authentication error:
Sorry, the correct command I used was: curl -X GET "localhost:9200/_cluster/health?pretty" -u elastic:test-elastic-pass passing in the password set in the Dockerfile ENV to "elastic" user which resulted in:
Thank you Tim! Looks like there might be something else in our environment preventing this from working since you were able to get it working with the same Dockerfile and config file.
Appreciate all the help! I can go ahead and close this topic as we have to do additional troubleshooting that's not related to Elastic at the moment. Thanks again!