Open Distro for ElasticSearch[edit]

Generating Certificates[edit]

If security is enabled, each node will require a set of certificate and private key and the root CA. These can be generated by running:

# openssl genrsa -out root-ca-key.pem 4096 
# openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -subj "/C=CA/ST=Alberta/O=ITSO"
# openssl genrsa -out admin-key-temp.pem 2048
# openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
# openssl req -new -key admin-key.pem -out admin.csr -subj "/C=CA/ST=Alberta/O=ITSO"
# openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem

When deploying with Helm, map the following files to the chart:

  • esnode.pem => admin.pem
  • esnode-key.pem => admin-key.pem
  • rootca.pem => root-ca.pem


Troubleshooting[edit]

Docker Image Crashloops[edit]

The container will crashloop after complaining about supervisord being unable to access /usr/share/supervisord/supervisord.log:

OpenDistro for Elasticsearch Security Demo Installer
 ** Warning: Do not use on production or public reachable systems **
Basedir: /usr/share/elasticsearch
Elasticsearch install type: rpm/deb on CentOS Linux release 7.6.1810 (Core) 
Elasticsearch config dir: /usr/share/elasticsearch/config
Elasticsearch config file: /usr/share/elasticsearch/config/elasticsearch.yml
Elasticsearch bin dir: /usr/share/elasticsearch/bin
Elasticsearch plugins dir: /usr/share/elasticsearch/plugins
Elasticsearch lib dir: /usr/share/elasticsearch/lib
Detected Elasticsearch Version: x-content-7.0.1
Detected Open Distro Security Version: 1.0.0.2
/usr/share/elasticsearch/config/elasticsearch.yml seems to be already configured for Security. Quit.
Traceback (most recent call last):
  File "/usr/bin/supervisord", line 9, in <module>
    load_entry_point('supervisor==4.0.4', 'console_scripts', 'supervisord')()
  File "/usr/lib/python2.7/site-packages/supervisor-4.0.4-py2.7.egg/supervisor/supervisord.py", line 358, in main
    go(options)
  File "/usr/lib/python2.7/site-packages/supervisor-4.0.4-py2.7.egg/supervisor/supervisord.py", line 368, in go
    d.main()
  File "/usr/lib/python2.7/site-packages/supervisor-4.0.4-py2.7.egg/supervisor/supervisord.py", line 70, in main
    self.options.make_logger()
  File "/usr/lib/python2.7/site-packages/supervisor-4.0.4-py2.7.egg/supervisor/options.py", line 1472, in make_logger
    backups=self.logfile_backups,
  File "/usr/lib/python2.7/site-packages/supervisor-4.0.4-py2.7.egg/supervisor/loggers.py", line 417, in handle_file
    handler = RotatingFileHandler(filename, 'a', maxbytes, backups)
  File "/usr/lib/python2.7/site-packages/supervisor-4.0.4-py2.7.egg/supervisor/loggers.py", line 212, in __init__
    FileHandler.__init__(self, filename, mode)
  File "/usr/lib/python2.7/site-packages/supervisor-4.0.4-py2.7.egg/supervisor/loggers.py", line 159, in __init__
    self.stream = open(filename, mode)
IOError: [Errno 13] Permission denied: '/usr/share/supervisor/supervisord.log'

This only happens when deployed using the ElasticSearch helm chart which drops all privileges on the container. The container from Open Distro requires root to function properly and this issue was fixed by allowing the container to run as UID 0.