elasticsearch
elasticsearch copied to clipboard
sous-chefs
Plugins requiring extra java permissions fail to install properly
When using the plugin provider to install plugins, those requiring additional java permissions don't appear to install correctly.
If I run manually:
$ sudo ./elasticsearch-plugin install discovery-ec2
-> Downloading discovery-ec2 from elastic
[=================================================] 100%
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.RuntimePermission getClassLoader
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
Continue with installation? [y/N]y
-> Installed discovery-ec2
elasticsearch-plugin does have a flag for batch mode (-b), however this isn't used in the chef provider:
def action_install
return if plugin_exists(new_resource.plugin_name)
# since install can take a URL argument instead
url_or_name = new_resource.url || new_resource.plugin_name
manage_plugin("install #{url_or_name}")
end # action
In function manage_plugin:
cmd_str = "#{es_conf.path_bin}/elasticsearch-plugin #{arguments.chomp(' ')} #{new_resource.options}".chomp(' ')
So that's running the plugin with install and the name/url but without batch mode.
The net result: a half install plugin that doesn't get the required permissions.
Suspected fix: add "-b" in the 'manage_plugin()' call within action_install.
Will dig further and try and pop up a PR later. The question will be is batch mode acceptable by default?
Oh I forgot how I got here in the first place. Elasticsearch refused to start and bombed out because of the following:
[2017-09-14T15:39:00,879][ERROR][o.e.b.Bootstrap ] Exception
java.lang.IllegalArgumentException: unknown setting [cloud.aws.region] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:293) ~[elasticsearch-5.5.3.jar:5.5.3]
Because the discovery_ec2 plugin hadn't loaded in my case, it couldn't understand the cloud.aws.region key.
Also impacts 5.6.0.
Hi there -- I'll have to be sure that batch mode is supported in all of the versions we're testing against. In the mean time, you can specify options '-b' to the plugin resource if you'd like to bypass this, by providing specific options to run.
Thanks Martin. Looking back, clearly had a very blind day yesterday - I even pasted the "options" option in my output above, which would happily fix this! That fixes my immediate problem without changes - whether -b should be a default therefore becomes less of an issue and not a blocker.
Based on your response, that suggested fix may not need to be compulsory - depends if you guys think this should be just smoother, and if all the current supported versions support -b, as you said.
Thanks again, much appreciated!
bump
any update on this issue? Would be great for it to work out of the box.
elasticsearch_plugin 'repository-s3' do
options '--batch'
end
Worked for me for ES6 - I strongly recommend adding that to the examples at the very least.
