We already have an ES cluster running WITHOUT authentication and TLS. We are trying to enable the security feature. Is it possible to achieve this with zero downtime?

Hello, I have encountered the problem mentioned above.
I encountered it during the rolling upgrade of Elasticsearch 6.8.1 to 7.8.1.
My 6.8.1 cluster did not have any xpack-related configuration, but I want to configure this function in 7.8.1.
My approach is this:

  1. With the cluster on 6.8.1, first take one data node offline.
  2. Upgrade this node to 7.8.1, configure xpack in elasticsearch.yml, and then start it.
  3. However, the node cannot join the current cluster, and the error reported in the log is consistent with your example 1.

So I want to ask how to solve it.
We do not want to stop the service on our cluster, so it must be upgraded on a rolling basis.
Thank you very much.
I saw this issue mentioned in 2019, so I would like to ask if it has been resolved now?

Welcome to our community! :smiley:

You cannot enable TLS without a cluster-wide outage.
If you want zero downtime, you might need to set up a new cluster with TLS, run a snapshot+restore or remote reindex, then point your clients to the new cluster.

OK, thanks a lot. But I would like to ask again: will this problem be solved in the future, such as in version 8.x or even 9.x? There are 80 machines in our cluster at present, we have no budget to buy machines, and the data volume is also large, so it is not easy to back up.

The limitation is that the entire cluster needs to be on TLS comms or not to communicate with itself. I don't know if there are plans to change this.

OK, thanks again :smile:

Please note that you must first upgrade to the latest 6.8 version (6.8.13 I think) before doing a rolling upgrade to 7.x.

You should pick the 7.10.1 version BTW as your target version as this is the latest.

Thank you very much for your advice. I didn't think about it before, and I think what you said is quite reasonable

I'm sorry to bother you again. When upgrading Elasticsearch, the related ELK Stack products need to be upgraded together. So should I first upgrade Elasticsearch to the corresponding version and then upgrade Logstash and Kibana related products?

Yep that is the best path.

Yes. And please look at the stack upgrade documentation.