Setting up passwords with elasticsearch-setup-passwords interactive

Im having an issue with enabling security on my cluster when Im trying to add the passwords to the bulit in users:

I have 6 nodes

atl-deves01.com
atl-deves02.com
atl-deves03.com
met-deves01.com
met-deves02.com
met-deves03.com

deves01

cluster.name: dev-elastic7

node.name: atl-deves01
node.master: true
node.data: true

path.data: /data_store
path.logs: /var/log/elasticsearch

network.host: 0.0.0.0
http.port: 9500

discovery.seed_hosts: ["atl-deves01", "atl-deves02", "atl-deves03", "atl-devls01", "atl-devls02", "met-deves01", "met-deves02", "met-deves03", "met-devls01", "met-devls02"]

cluster.initial_master_nodes: ["atl-deves01:9500", "met-deves02:9500"]

discovery.zen.minimum_master_nodes: 3
discovery.zen.fd.ping_timeout: 30s
discovery.zen.fd.ping_interval: 3s
discovery.zen.fd.ping_retries: 5

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

When I type in this command I get this:

Failed to determine the health of the cluster running at http://10.88.0.221:9500
Unexpected response code [503] from calling GET http://10.88.0.221:9500/_cluster/health?pretty
Cause: master_not_discovered_exception

It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-password s.
It is very likely that the password changes will fail when run against an unhealthy cluster.

Do you want to continue with the password setup process [y/N]n

Hi @Archie_Crawford ! Your cluster has not formed successfully and you can't / shouldn't attempt to setup the password of the built-in users until that happens. see Bootstrapping a cluster | Elasticsearch Reference [master] | Elastic

You probably need to change cluster.initial_master_nodes and remove the http port from it. This setting should contain the node name and the port number is not part of the name.

Also, do not set xpack.security.transport.ssl.enabled: true without specifiying what key and certificate should be used for TLS. See this section in our docs Encrypting communications in Elasticsearch | Elasticsearch Reference [master] | Elastic.

When your cluster is healthy , you will be able to run elasticsearch-setup-passwords in one of your 6 nodes and set the password of the built-in users.

Hope this helps!

When I take out xpack.security.transport.ssl.enabled: true then it fails for other reasons :

[1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]

I tired to see if I could add the master nodes in this way and got this error:

bin/elasticsearch -Ecluster.initial_master_nodes=atl-deves01,met-deves02
Exception in thread "main" java.lang.RuntimeException: starting java failed with [1]
output:
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (mmap) failed to map 12884901888 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /var/log/elasticsearch/hs_err_pid178846.log
error:
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00000004c0000000, 12884901888, 0) failed; error='Not enough space' (errno=12)
        at org.elasticsearch.tools.launchers.JvmErgonomics.flagsFinal(JvmErgonomics.java:126)
        at org.elasticsearch.tools.launchers.JvmErgonomics.finalJvmOptions(JvmErgonomics.java:88)
        at org.elasticsearch.tools.launchers.JvmErgonomics.choose(JvmErgonomics.java:59)
        at org.elasticsearch.tools.launchers.JvmOptionsParser.jvmOptions(JvmOptionsParser.java:137)
        at org.elasticsearch.tools.launchers.JvmOptionsParser.main(JvmOptionsParser.java:95)

Yes, in order to make use of security, then you need to also enable transport SSL.
However, @ikakavas's point is that you can't simply set enabled: true
Configuring SSL requires additional steps that are explained in the documentation that he linked to.