elasticsearch icon indicating copy to clipboard operation
elasticsearch copied to clipboard
verified publisher icon sous-chefs

Rights on configuration files don't match when installing through this cookbook vs manually

Open karsthammer opened this issue 7 years ago • 2 comments

When installing Elasticsearch on CentOS manually through the repository as documented here: https://www.elastic.co/guide/en/elasticsearch/reference/6.2/rpm.html all configuration files in /etc/elasticsearch are owned by user root and group elasticsearch.

After installing the x-pack plugin, the file /etc/elasticsearch/elasticsearch.keystore also is owned by root with group elasticsearch.

When I try to setup elasticsearch using cookbook version 4.0.1 with the following snippet:

elasticsearch_user 'elasticsearch'
elasticsearch_install 'elasticsearch' do
  type 'repository'
  version '6.2.4'
  action :install
end
elasticsearch_configure 'elasticsearch'
elasticsearch_plugin 'x-pack'
elasticsearch_service 'elasticsearch'

Starting up elasticsearch fails because the keystore is owned by root/root, while all other configuration files are owned by elasticsearch/elasticsearch.

karsthammer avatar Jun 07 '18 16:06 karsthammer

Also seeing this on Ubuntu

msg-q avatar Jun 11 '18 19:06 msg-q

Hi there -- we'd been operating under the assumptions here: https://www.elastic.co/guide/en/elasticsearch/plugins/2.1/plugin-management.html

If Elasticsearch was installed using the deb or rpm package then run bin/plugin as root so it can write to the appropriate files on disk. Otherwise run bin/plugin as the user that owns all of the Elasticsearch files.

It looks like they've re-written this recently:

If Elasticsearch was installed using the deb or rpm package then run /usr/share/elasticsearch/bin/elasticsearch-plugin as root so it can write to the appropriate files on disk. Otherwise run bin/elasticsearch-plugin as the user that owns all of the Elasticsearch files.

We're definitely choosing the user based on how it was installed -- when installing x-pack manually, can you confirm you're running the installer as root, as the documentation describes above? I'm wondering if the installer doesn't actually set the group on the keystore correctly, and should be.

We'll also need to review the deb and rpm and see what updates they've made to that, to see if that's involved in what's happening. In the mean time, you should be change the permission of that file using Chef, before defining the elasticsearch_service.

martinb3 avatar Aug 20 '18 17:08 martinb3