KEYSTORE_PASSWORD & ELASTIC_PASSWORD do not work together with docker #98115

@toughcoding

Elasticsearch Version

8.9.0

Installed Plugins

No response

Java Version

bundled

OS Version

ubuntu:20.04 Linux 753c3b2604ff 5.15.49-linuxkit-pr #1 SMP PREEMPT Thu May 25 07:27:39 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

Problem Description

When starting Elasticsearch as a docker container with KEYSTORE_PASSWORD and ELASTIC_PASSWORD set and the keystore being password secured, it does not work properly, as bootstrap.password is not set up correctly.
When checking the value of bootstrap.password, it returns an empty string. Thus the command on line 54
(echo "$COMMANDS" | elasticsearch-keystore add -x 'bootstrap.password')

does not cause the bootstrap.password entry to be created, although running these commands manually in the container is successful.

In contrast, running with a non-encrypted keystore sets up bootstrap.password properly, like below:

docker run --rm \
-d \
-e ELASTIC_PASSWORD="123456" \
docker.elastic.co/elasticsearch/elasticsearch:8.9.0

Steps to Reproduce

Create a container only to make an encrypted keystore

docker run --rm \
--name elk \
-d \
-v esconf:/usr/share/elasticsearch/config \
docker.elastic.co/elasticsearch/elasticsearch:8.9.0

Run the command to set up a password for the already created keystore, setting the password to 123456
docker exec -it elk elasticsearch-keystore passwd

docker exec -it elk elasticsearch-keystore list
Enter password for the elasticsearch keystore : 
keystore.seed
xpack.security.http.ssl.keystore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password

Stop the container
docker stop elk

Start another container with password variables

docker run --rm \
--name elk \
-d \
-v esconf:/usr/share/elasticsearch/config \
-e ELASTIC_PASSWORD="987654" \
-e KEYSTORE_PASSWORD="123456" \
docker.elastic.co/elasticsearch/elasticsearch:8.9.0

Check whether the bootstrap password entry got created

docker exec -it elk elasticsearch-keystore list
Enter password for the elasticsearch keystore : 
bootstrap.password
keystore.seed
xpack.security.http.ssl.keystore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password

Run the command to display bootstrap.password, which normally should be equal to ELASTIC_PASSWORD
docker exec -it elk elasticsearch-keystore show bootstrap.password

BUT it returns an empty string, thus a bug.

Logs (if relevant)

Beginning of the logs after starting the second container. The script asks twice for the keystore password.
docker run --rm \
--name elk \
-v esconf:/usr/share/elasticsearch/config \
-e ELASTIC_PASSWORD="123456" \
-e KEYSTORE_PASSWORD="123456" \
docker.elastic.co/elasticsearch/elasticsearch:8.9.0
Enter password for the elasticsearch keystore : Enter password for the elasticsearch keystore : {"@timestamp":"2023-08-01T19:08:33.302Z", "log.level": "INFO",
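
A non-interactive version of the final check in the steps above, written as an added example that is not part of the original issue or of the Elasticsearch image. The function name is hypothetical, `elk` is the container name used on this page, and the sketch assumes `elasticsearch-keystore` reads the keystore password from stdin when no TTY is attached, as the piped entrypoint command quoted in the issue does.

```shell
#!/bin/sh
# Added example (not from the issue): report whether bootstrap.password in a
# password-protected keystore equals the intended ELASTIC_PASSWORD.
# Assumption: elasticsearch-keystore takes the keystore password from stdin
# when run without a TTY (docker exec -i, no -t).

# Prompt text as shown in the issue; stripped if the tool writes it to stdout.
PROMPT='Enter password for the elasticsearch keystore : '

# Usage: bootstrap_password_state <container>
# Reads KEYSTORE_PASSWORD and ELASTIC_PASSWORD from shell variables rather
# than from arguments, so the secrets do not appear in this script's argv.
# Prints exactly one of: match | empty | mismatch | error
bootstrap_password_state() {
    container=$1
    out=$(printf '%s\n' "$KEYSTORE_PASSWORD" |
        docker exec -i "$container" \
            elasticsearch-keystore show bootstrap.password 2>/dev/null) || {
        # Wrong keystore password, missing entry, or container not running.
        echo error
        return 0
    }
    # Remove carriage returns and any leading prompt text.
    value=$(printf '%s' "$out" | tr -d '\r')
    while [ "${value#"$PROMPT"}" != "$value" ]; do
        value=${value#"$PROMPT"}
    done
    if [ -z "$value" ]; then
        echo empty        # the state described in this issue
    elif [ "$value" = "$ELASTIC_PASSWORD" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Example call (values are the ones used in the reproduction steps):
#   KEYSTORE_PASSWORD=123456 ELASTIC_PASSWORD=987654
#   bootstrap_password_state elk
```

A result of `empty` or `mismatch` means the `elastic` user was not bootstrapped with the password the operator supplied, so the deployment should not be treated as credentialed until that is resolved.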

Metadata

Labels: :Core/Infra/CLI, :Delivery/Cloud, >bug, Team:Core/Infra, Team:Delivery