Skip to content

KEYSTORE_PASSWORD & ELASTIC_PASSWORD do not work together with docker #98115

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
toughcoding opened this issue Aug 1, 2023 · 11 comments · Fixed by #126729
Closed

KEYSTORE_PASSWORD & ELASTIC_PASSWORD do not work together with docker #98115

toughcoding opened this issue Aug 1, 2023 · 11 comments · Fixed by #126729
Labels
>bug :Core/Infra/CLI CLI utilities, scripts, and infrastructure :Delivery/Cloud Cloud-specific packaging and deployment Team:Core/Infra Meta label for core/infra team Team:Delivery Meta label for Delivery team

Comments

@toughcoding
Copy link

Elasticsearch Version

8.9.0

Installed Plugins

No response

Java Version

bundled

OS Version

ubuntu:20.04 Linux 753c3b2604ff 5.15.49-linuxkit-pr #1 SMP PREEMPT Thu May 25 07:27:39 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

Problem Description

When starting Elasticsearch as a docker container with KEYSTORE_PASSWORD and ELASTIC_PASSWORD set and keystore being password secured, it does not working properly as bootstrap.password is not setup correctly.
When checking value of bootstrap.password it is returning empty string. Thus command line 54
(echo "$COMMANDS" | elasticsearch-keystore add -x 'bootstrap.password')

is not causing bootstrap.password entry being created although running these commands manually in the container are successfull.

In Contrary Running with non-encrypted keystore making bootstrap.password to be setup properly like below

docker run --rm \
-d \
-e ELASTIC_PASSWORD="123456" \
docker.elastic.co/elasticsearch/elasticsearch:8.9.0

Steps to Reproduce

Create container only to make encrypted keystore

docker run --rm \
--name elk \
-d \
-v esconf:/usr/share/elasticsearch/config \
docker.elastic.co/elasticsearch/elasticsearch:8.9.0

Run command to setup password for already created keystore setting password as 123456
docker exec -it elk elasticsearch-keystore passwd

docker exec -it elk elasticsearch-keystore list  
Enter password for the elasticsearch keystore : 
keystore.seed
xpack.security.http.ssl.keystore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password

Stop container
docker stop elk

Start another container with password variables

docker run --rm \
--name elk \
-d \
-v esconf:/usr/share/elasticsearch/config \
-e ELASTIC_PASSWORD="987654" \
-e KEYSTORE_PASSWORD="123456" \
docker.elastic.co/elasticsearch/elasticsearch:8.9.0

Checking if bootstrap password entry got created

docker exec -it elk elasticsearch-keystore list
Enter password for the elasticsearch keystore : 
bootstrap.password
keystore.seed
xpack.security.http.ssl.keystore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password

Run command to display bootstrap.password that normally should be equal to ELASTIC_PASSWORD
docker exec -it elk elasticsearch-keystore show bootstrap.password

BUT it is returning empty string thus bug.

Logs (if relevant)

Beginning of logs after starting second container. Script asking twice for keystore password.
docker run --rm
--name elk
-v esconf:/usr/share/elasticsearch/config
-e ELASTIC_PASSWORD="123456"
-e KEYSTORE_PASSWORD="123456"
docker.elastic.co/elasticsearch/elasticsearch:8.9.0
Enter password for the elasticsearch keystore : Enter password for the elasticsearch keystore : {"@timestamp":"2023-08-01T19:08:33.302Z", "log.level": "INFO",
@toughcoding toughcoding added >bug needs:triage Requires assignment of a team area label labels Aug 1, 2023
@toughcoding
Copy link
Author

There was related discussion for it on forum.
https://discuss.elastic.co/t/keystore-password-file/339627/4

@astefan astefan added the :Distributed Coordination/Allocation All issues relating to the decision making around placing a shard (both master logic & on the nodes) label Aug 2, 2023
@elasticsearchmachine elasticsearchmachine added Team:Distributed (Obsolete) Meta label for distributed team (obsolete). Replaced by Distributed Indexing/Coordination. and removed needs:triage Requires assignment of a team area label labels Aug 2, 2023
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-distributed (Team:Distributed)

@astefan astefan added :Delivery/Packaging RPM and deb packaging, tar and zip archives, shell and batch scripts needs:triage Requires assignment of a team area label :Delivery/Cloud Cloud-specific packaging and deployment Team:Distributed (Obsolete) Meta label for distributed team (obsolete). Replaced by Distributed Indexing/Coordination. and removed :Distributed Coordination/Allocation All issues relating to the decision making around placing a shard (both master logic & on the nodes) Team:Distributed (Obsolete) Meta label for distributed team (obsolete). Replaced by Distributed Indexing/Coordination. :Delivery/Packaging RPM and deb packaging, tar and zip archives, shell and batch scripts needs:triage Requires assignment of a team area label labels Aug 2, 2023
@elasticsearchmachine elasticsearchmachine added the Team:Delivery Meta label for Delivery team label Aug 2, 2023
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-delivery (Team:Delivery)

@elasticsearchmachine elasticsearchmachine removed the Team:Distributed (Obsolete) Meta label for distributed team (obsolete). Replaced by Distributed Indexing/Coordination. label Aug 2, 2023
@mark-vieira
Copy link
Contributor

@elastic/es-security I'm having issues even trying to reproduce this. If I create a password-protected keystore, then bind mount it into the container and attempt to start ES it blows up during security auto-configuration. Is this a known issue?

Enter password for the elasticsearch keystore : Exception in thread "main" java.nio.file.FileSystemException: /usr/share/elasticsearch/config/elasticsearch.keystore.tmp -> /usr/share/elasticsearch/config/elasticsearch.keystore: Device or resource busy
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:100)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
	at java.base/sun.nio.fs.UnixFileSystem.move(UnixFileSystem.java:874)
	at java.base/sun.nio.fs.UnixFileSystemProvider.move(UnixFileSystemProvider.java:309)
	at java.base/java.nio.file.Files.move(Files.java:1429)
	at org.elasticsearch.common.settings.KeyStoreWrapper.save(KeyStoreWrapper.java:514)
	at org.elasticsearch.common.settings.KeyStoreWrapper.save(KeyStoreWrapper.java:428)
	at org.elasticsearch.xpack.security.cli.AutoConfigureNode.execute(AutoConfigureNode.java:582)
	at org.elasticsearch.server.cli.ServerCli.autoConfigureSecurity(ServerCli.java:165)
	at org.elasticsearch.server.cli.ServerCli.execute(ServerCli.java:86)
	at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
	at org.elasticsearch.cli.Command.main(Command.java:50)
	at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64)
	Suppressed: java.lang.UnsupportedOperationException: Unsupported copy option
		at java.base/sun.nio.fs.UnixFileSystem$Flags.fromMoveOptions(UnixFileSystem.java:500)
		at java.base/sun.nio.fs.UnixFileSystem.move(UnixFileSystem.java:861)
		at java.base/sun.nio.fs.UnixFileSystemProvider.move(UnixFileSystemProvider.java:309)
		at java.base/java.nio.file.Files.move(Files.java:1429)
		at org.elasticsearch.xpack.security.cli.AutoConfigureNode.execute(AutoConfigureNode.java:587)

@ywangd
Copy link
Member

ywangd commented Aug 24, 2023

I think this is related to #76124

The issue is not with docker. It's a bug for adding string value to a password protected ES keystore. Assuming the keystore password is 123456, it can be reproduced with

COMMANDS="$(printf "%s\n%s" "123456" "abcdefg")"
echo "$COMMANDS" | ./bin/elasticsearch-keystore add -x 'foo'

# The following command shows empty for `foo`
./bin/elasticsearch-keystore show foo

Basically the terminal reader for keystore password eagerly reads everything and leaves nothing for the actual content.
I think it needs attention from @elastic/es-core-infra
Also ping @albertzaharovits since he was the author of the linked PR.

@toughcoding
Copy link
Author

@elastic/es-security I'm having issues even trying to reproduce this. If I create a password-protected keystore, then bind mount it into the container and attempt to start ES it blows up during security auto-configuration. Is this a known issue?

Enter password for the elasticsearch keystore : Exception in thread "main" java.nio.file.FileSystemException: /usr/share/elasticsearch/config/elasticsearch.keystore.tmp -> /usr/share/elasticsearch/config/elasticsearch.keystore: Device or resource busy
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:100)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
	at java.base/sun.nio.fs.UnixFileSystem.move(UnixFileSystem.java:874)
	at java.base/sun.nio.fs.UnixFileSystemProvider.move(UnixFileSystemProvider.java:309)
	at java.base/java.nio.file.Files.move(Files.java:1429)
	at org.elasticsearch.common.settings.KeyStoreWrapper.save(KeyStoreWrapper.java:514)
	at org.elasticsearch.common.settings.KeyStoreWrapper.save(KeyStoreWrapper.java:428)
	at org.elasticsearch.xpack.security.cli.AutoConfigureNode.execute(AutoConfigureNode.java:582)
	at org.elasticsearch.server.cli.ServerCli.autoConfigureSecurity(ServerCli.java:165)
	at org.elasticsearch.server.cli.ServerCli.execute(ServerCli.java:86)
	at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
	at org.elasticsearch.cli.Command.main(Command.java:50)
	at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64)
	Suppressed: java.lang.UnsupportedOperationException: Unsupported copy option
		at java.base/sun.nio.fs.UnixFileSystem$Flags.fromMoveOptions(UnixFileSystem.java:500)
		at java.base/sun.nio.fs.UnixFileSystem.move(UnixFileSystem.java:861)
		at java.base/sun.nio.fs.UnixFileSystemProvider.move(UnixFileSystemProvider.java:309)
		at java.base/java.nio.file.Files.move(Files.java:1429)
		at org.elasticsearch.xpack.security.cli.AutoConfigureNode.execute(AutoConfigureNode.java:587)

To make it work like you wish I am running first container with mounted volume into config and generate password protected keystore. Then secondly I am stopping that container and starting new container with mounted config catalog not just keystore file. So I am using volumes therefore not bind mounts. Elastic team do not recommend to bind mount keystore file mentioning it can cause issues.

@toughcoding
Copy link
Author

I think this is related to #76124

The issue is not with docker. It's a bug for adding string value to a password protected ES keystore. Assuming the keystore password is 123456, it can be reproduced with

COMMANDS="$(printf "%s\n%s" "123456" "abcdefg")"
echo "$COMMANDS" | ./bin/elasticsearch-keystore add -x 'foo'

# The following command shows empty for `foo`
./bin/elasticsearch-keystore show foo

Basically the terminal reader for keystore password eagerly reads everything and leaves nothing for the actual content. I think it needs attention from @elastic/es-core-infra Also ping @albertzaharovits since he was the author of the linked PR.

Yes it is not due to docker itself but on high level running docker does not work as you might expect from documentation.

@rjernst
Copy link
Member

rjernst commented Aug 28, 2023

I was positive we had keystore tests for this exact scenario. However, upon closer inspection I found that the tests are bogus for a variety of reasons. Unfortunately there are a couple places where we use buffered readers which break this. Fixing it is non trivial; the internal Terminal abstraction needs more work to cleanup how we handle raw input.

@mark-vieira mark-vieira added the :Core/Infra/CLI CLI utilities, scripts, and infrastructure label Aug 28, 2023
@elasticsearchmachine elasticsearchmachine added the Team:Core/Infra Meta label for core/infra team label Aug 28, 2023
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

@da1910
Copy link

da1910 commented Dec 4, 2023

Its been a little while but I think I'm seeing this same issue when trying to use a precreated keystore, we're providing the password to the keystore in the KEYSTORE_PASSWORD environment variable, but the entrypoint continues to prompt for a password.

If I exec into a running container I can see the variable is set, and if I then run /bin/elasticsearch and enter the keystore password things proceed. But it's not respecting the environment variable as far as I can see. Is there a workaround in the mean time?

@toughcoding
Copy link
Author

@da1910 You can check my article about this. Maybe you will find some inspiration from commands. Otherwise let's wait for Elastic to come back with suggestions.

@rjernst rjernst mentioned this issue Jan 8, 2024
Closed
@h3xcat h3xcat mentioned this issue Nov 20, 2024
Closed
rjernst added a commit to rjernst/elasticsearch that referenced this issue Apr 11, 2025
@rjernst
Use terminal reader in keystore add command
6ddcf0b 
When reading a string value from stdin the keystore add command
currently looks directly at stdin. However, stdin may also be consumed
while reading the keystore password. This commit changes the add command
to use the reader from the termainl instead of looking at stdin
directly.

closes elastic#98115
@rjernst rjernst mentioned this issue Apr 11, 2025
Merged
@rjernst rjernst mentioned this issue Apr 16, 2025
Merged
rjernst added a commit to rjernst/elasticsearch that referenced this issue Apr 16, 2025
@rjernst
Use terminal reader in keystore add command (elastic#126729)
8dbe067 
When reading a string value from stdin the keystore add command
currently looks directly at stdin. However, stdin may also be consumed
while reading the keystore password. This commit changes the add command
to use the reader from the termainl instead of looking at stdin
directly.

closes elastic#98115
rjernst added a commit to rjernst/elasticsearch that referenced this issue Apr 16, 2025
@rjernst
Use terminal reader in keystore add command (elastic#126729)
5c4f257 
When reading a string value from stdin the keystore add command
currently looks directly at stdin. However, stdin may also be consumed
while reading the keystore password. This commit changes the add command
to use the reader from the termainl instead of looking at stdin
directly.

closes elastic#98115
@rjernst rjernst mentioned this issue Apr 16, 2025
Merged
rjernst added a commit to rjernst/elasticsearch that referenced this issue Apr 16, 2025
@rjernst
Use terminal reader in keystore add command (elastic#126729)
1fa11a9 
When reading a string value from stdin the keystore add command
currently looks directly at stdin. However, stdin may also be consumed
while reading the keystore password. This commit changes the add command
to use the reader from the termainl instead of looking at stdin
directly.

closes elastic#98115
@rjernst rjernst mentioned this issue Apr 16, 2025
Merged
elasticsearchmachine pushed a commit that referenced this issue Apr 16, 2025
@rjernst
Use terminal reader in keystore add command (#126729) (#126965)
963361c 
When reading a string value from stdin the keystore add command
currently looks directly at stdin. However, stdin may also be consumed
while reading the keystore password. This commit changes the add command
to use the reader from the termainl instead of looking at stdin
directly.

closes #98115
elasticsearchmachine pushed a commit that referenced this issue Apr 17, 2025
@rjernst @elasticmachine
Use terminal reader in keystore add command (#126729) (#126963)
09a5c67 
When reading a string value from stdin the keystore add command
currently looks directly at stdin. However, stdin may also be consumed
while reading the keystore password. This commit changes the add command
to use the reader from the termainl instead of looking at stdin
directly.

closes #98115

Co-authored-by: Elastic Machine <[email protected]>
elasticsearchmachine pushed a commit that referenced this issue Apr 17, 2025
@rjernst @elasticmachine
Use terminal reader in keystore add command (#126729) (#126964)
09075ac 
When reading a string value from stdin the keystore add command
currently looks directly at stdin. However, stdin may also be consumed
while reading the keystore password. This commit changes the add command
to use the reader from the termainl instead of looking at stdin
directly.

closes #98115

Co-authored-by: Elastic Machine <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
>bug :Core/Infra/CLI CLI utilities, scripts, and infrastructure :Delivery/Cloud Cloud-specific packaging and deployment Team:Core/Infra Meta label for core/infra team Team:Delivery Meta label for Delivery team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use terminal reader in keystore add command rjernst/elasticsearch
8 participants
@rjernst @astefan @ywangd @williamrandolph @mark-vieira @da1910 @elasticsearchmachine @toughcoding