honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-04-05 14:59:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/server/src/main/java/org/elasticsearch/bootstrap/BootstrapChecks.java

717 lines
27 KiB
Java
Raw Normal View History

Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
/*
* Licensed to Elasticsearch under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.elasticsearch.bootstrap;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.apache.lucene.util.Constants;
import org.elasticsearch.common.SuppressForbidden;
import org.elasticsearch.common.io.PathUtils;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.transport.BoundTransportAddress;
import org.elasticsearch.common.transport.TransportAddress;
Disable bootstrap checks for single-node discovery While there are use-cases where a single-node is in production, there are also use-cases for starting a single-node that binds transport to an external interface where the node is not in production (for example, for testing the transport client against a node started in a Docker container). It's tricky to balance the desire to always enforce the bootstrap checks when a node might be in production with the need for the community to perform testing in situations that would trip the bootstrap checks. This commit enables some flexibility for these users. By setting the discovery type to "single-node", we disable the bootstrap checks independently of how transport is bound. While this sounds like a hole in the bootstrap checks, the bootstrap checks can already be avoided in the single-node use-case by binding only HTTP but not transport. For users that are genuinely in production on a single-node use-case with transport bound to an external use-case, they can set the system property "es.enable.bootstrap.checks" to force running the bootstrap checks. It would be a mistake for them not to do this. Relates #23598
2017-04-04 09:39:04 -04:00
import org.elasticsearch.discovery.DiscoveryModule;
Enable avoiding mmap bootstrap check (#32421) The maximum map count boostrap check can be a hindrance to users that do not own the underlying platform on which they are executing Elasticsearch. This is because addressing it requires tuning the kernel and a platform provider might now allow this, especially on shared infrastructure. However, this bootstrap check is not needed if mmapfs is not in use. Today we do not have a way for the user to communicate that they are not going to use mmapfs. This commit therefore adds a setting that enables the user to disallow mmapfs. When mmapfs is disallowed, the maximum map count bootstrap check is not enforced. Additionally, we fallback to a different default index store and prevent the explicit use of mmapfs for an index.
2018-08-21 11:02:25 -04:00
import org.elasticsearch.index.IndexModule;
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
import org.elasticsearch.monitor.jvm.JvmInfo;
import org.elasticsearch.monitor.process.ProcessProbe;
import org.elasticsearch.node.NodeValidationException;
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
Forbid granting the all permission in production Running with the all permission java.security.AllPermission granted is equivalent to disabling the security manager. This commit adds a bootstrap check that forbids running with this permission granted. Relates #27548
2017-11-27 16:05:27 -05:00
import java.security.AllPermission;
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.function.Predicate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
Enable explicitly enforcing bootstrap checks This commit adds a system property that enables end-users to explicitly enforce the bootstrap checks, independently of the binding of the transport protocol. This can be useful for single-node production systems that do not bind the transport protocol (and thus the bootstrap checks would not be enforced). Relates #23585
2017-03-15 10:36:17 -07:00
* We enforce bootstrap checks once a node has the transport protocol bound to a non-loopback interface or if the system property {@code
* es.enforce.bootstrap.checks} is set to {@true}. In this case we assume the node is running in production and all bootstrap checks must
* pass.
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
*/
final class BootstrapChecks {
private BootstrapChecks() {
}
Enable explicitly enforcing bootstrap checks This commit adds a system property that enables end-users to explicitly enforce the bootstrap checks, independently of the binding of the transport protocol. This can be useful for single-node production systems that do not bind the transport protocol (and thus the bootstrap checks would not be enforced). Relates #23585
2017-03-15 10:36:17 -07:00
static final String ES_ENFORCE_BOOTSTRAP_CHECKS = "es.enforce.bootstrap.checks";
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
/**
Enable explicitly enforcing bootstrap checks This commit adds a system property that enables end-users to explicitly enforce the bootstrap checks, independently of the binding of the transport protocol. This can be useful for single-node production systems that do not bind the transport protocol (and thus the bootstrap checks would not be enforced). Relates #23585
2017-03-15 10:36:17 -07:00
* Executes the bootstrap checks if the node has the transport protocol bound to a non-loopback interface. If the system property
* {@code es.enforce.bootstrap.checks} is set to {@code true} then the bootstrap checks will be enforced regardless of whether or not
* the transport protocol is bound to a non-loopback interface.
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
*
Add BootstrapContext to expose settings and recovered state to bootstrap checks (#26628) This exposes the node settings and the persistent part of the cluster state to the bootstrap checks to allow plugins to enforce certain preconditions based on the recovered state.
2017-09-13 22:14:17 +02:00
* @param context the current node bootstrap context
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
* @param boundTransportAddress the node network bindings
*/
Add BootstrapContext to expose settings and recovered state to bootstrap checks (#26628) This exposes the node settings and the persistent part of the cluster state to the bootstrap checks to allow plugins to enforce certain preconditions based on the recovered state.
2017-09-13 22:14:17 +02:00
static void check(final BootstrapContext context, final BoundTransportAddress boundTransportAddress,
List<BootstrapCheck> additionalChecks) throws NodeValidationException {
final List<BootstrapCheck> builtInChecks = checks();
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
final List<BootstrapCheck> combinedChecks = new ArrayList<>(builtInChecks);
combinedChecks.addAll(additionalChecks);
Add BootstrapContext to expose settings and recovered state to bootstrap checks (#26628) This exposes the node settings and the persistent part of the cluster state to the bootstrap checks to allow plugins to enforce certain preconditions based on the recovered state.
2017-09-13 22:14:17 +02:00
check( context,
enforceLimits(boundTransportAddress, DiscoveryModule.DISCOVERY_TYPE_SETTING.get(context.settings)),
Logging: Make node name consistent in logger (#31588) First, some background: we have 15 different methods to get a logger in Elasticsearch but they can be broken down into three broad categories based on what information is provided when building the logger. Just a class like: ``` private static final Logger logger = ESLoggerFactory.getLogger(ActionModule.class); ``` or: ``` protected final Logger logger = Loggers.getLogger(getClass()); ``` The class and settings: ``` this.logger = Loggers.getLogger(getClass(), settings); ``` Or more information like: ``` Loggers.getLogger("index.store.deletes", settings, shardId) ``` The goal of the "class and settings" variant is to attach the node name to the logger. Because we don't always have the settings available, we often use the "just a class" variant and get loggers without node names attached. There isn't any real consistency here. Some loggers get the node name because it is convenient and some do not. This change makes the node name available to all loggers all the time. Almost. There are some caveats are testing that I'll get to. But in *production* code the node name is node available to all loggers. This means we can stop using the "class and settings" variants to fetch loggers which was the real goal here, but a pleasant side effect is that the ndoe name is now consitent on every log line and optional by editing the logging pattern. This is all powered by setting the node name statically on a logging formatter very early in initialization. Now to tests: tests can't set the node name statically because subclasses of `ESIntegTestCase` run many nodes in the same jvm, even in the same class loader. Also, lots of tests don't run with a real node so they don't *have* a node name at all. To support multiple nodes in the same JVM tests suss out the node name from the thread name which works surprisingly well and easy to test in a nice way. For those threads that are not part of an `ESIntegTestCase` node we stick whatever useful information we can get form the thread name in the place of the node name. This allows us to keep the logger format consistent.
2018-07-31 10:54:24 -04:00
Collections.unmodifiableList(combinedChecks));
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
/**
Enable explicitly enforcing bootstrap checks This commit adds a system property that enables end-users to explicitly enforce the bootstrap checks, independently of the binding of the transport protocol. This can be useful for single-node production systems that do not bind the transport protocol (and thus the bootstrap checks would not be enforced). Relates #23585
2017-03-15 10:36:17 -07:00
* Executes the provided checks and fails the node if {@code enforceLimits} is {@code true}, otherwise logs warnings. If the system
* property {@code es.enforce.bootstrap.checks} is set to {@code true} then the bootstrap checks will be enforced regardless of whether
* or not the transport protocol is bound to a non-loopback interface.
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
*
Add BootstrapContext to expose settings and recovered state to bootstrap checks (#26628) This exposes the node settings and the persistent part of the cluster state to the bootstrap checks to allow plugins to enforce certain preconditions based on the recovered state.
2017-09-13 22:14:17 +02:00
* @param context the current node boostrap context
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
* @param enforceLimits {@code true} if the checks should be enforced or otherwise warned
* @param checks the checks to execute
*/
static void check(
Add BootstrapContext to expose settings and recovered state to bootstrap checks (#26628) This exposes the node settings and the persistent part of the cluster state to the bootstrap checks to allow plugins to enforce certain preconditions based on the recovered state.
2017-09-13 22:14:17 +02:00
final BootstrapContext context,
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
final boolean enforceLimits,
Logging: Make node name consistent in logger (#31588) First, some background: we have 15 different methods to get a logger in Elasticsearch but they can be broken down into three broad categories based on what information is provided when building the logger. Just a class like: ``` private static final Logger logger = ESLoggerFactory.getLogger(ActionModule.class); ``` or: ``` protected final Logger logger = Loggers.getLogger(getClass()); ``` The class and settings: ``` this.logger = Loggers.getLogger(getClass(), settings); ``` Or more information like: ``` Loggers.getLogger("index.store.deletes", settings, shardId) ``` The goal of the "class and settings" variant is to attach the node name to the logger. Because we don't always have the settings available, we often use the "just a class" variant and get loggers without node names attached. There isn't any real consistency here. Some loggers get the node name because it is convenient and some do not. This change makes the node name available to all loggers all the time. Almost. There are some caveats are testing that I'll get to. But in *production* code the node name is node available to all loggers. This means we can stop using the "class and settings" variants to fetch loggers which was the real goal here, but a pleasant side effect is that the ndoe name is now consitent on every log line and optional by editing the logging pattern. This is all powered by setting the node name statically on a logging formatter very early in initialization. Now to tests: tests can't set the node name statically because subclasses of `ESIntegTestCase` run many nodes in the same jvm, even in the same class loader. Also, lots of tests don't run with a real node so they don't *have* a node name at all. To support multiple nodes in the same JVM tests suss out the node name from the thread name which works surprisingly well and easy to test in a nice way. For those threads that are not part of an `ESIntegTestCase` node we stick whatever useful information we can get form the thread name in the place of the node name. This allows us to keep the logger format consistent.
2018-07-31 10:54:24 -04:00
final List<BootstrapCheck> checks) throws NodeValidationException {
check(context, enforceLimits, checks, Loggers.getLogger(BootstrapChecks.class));
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
/**
Enable explicitly enforcing bootstrap checks This commit adds a system property that enables end-users to explicitly enforce the bootstrap checks, independently of the binding of the transport protocol. This can be useful for single-node production systems that do not bind the transport protocol (and thus the bootstrap checks would not be enforced). Relates #23585
2017-03-15 10:36:17 -07:00
* Executes the provided checks and fails the node if {@code enforceLimits} is {@code true}, otherwise logs warnings. If the system
* property {@code es.enforce.bootstrap.checks }is set to {@code true} then the bootstrap checks will be enforced regardless of whether
* or not the transport protocol is bound to a non-loopback interface.
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
*
Add BootstrapContext to expose settings and recovered state to bootstrap checks (#26628) This exposes the node settings and the persistent part of the cluster state to the bootstrap checks to allow plugins to enforce certain preconditions based on the recovered state.
2017-09-13 22:14:17 +02:00
* @param context the current node boostrap context
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
* @param enforceLimits {@code true} if the checks should be enforced or otherwise warned
* @param checks the checks to execute
* @param logger the logger to
*/
static void check(
Add BootstrapContext to expose settings and recovered state to bootstrap checks (#26628) This exposes the node settings and the persistent part of the cluster state to the bootstrap checks to allow plugins to enforce certain preconditions based on the recovered state.
2017-09-13 22:14:17 +02:00
final BootstrapContext context,
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
final boolean enforceLimits,
final List<BootstrapCheck> checks,
final Logger logger) throws NodeValidationException {
final List<String> errors = new ArrayList<>();
final List<String> ignoredErrors = new ArrayList<>();
Enable explicitly enforcing bootstrap checks This commit adds a system property that enables end-users to explicitly enforce the bootstrap checks, independently of the binding of the transport protocol. This can be useful for single-node production systems that do not bind the transport protocol (and thus the bootstrap checks would not be enforced). Relates #23585
2017-03-15 10:36:17 -07:00
final String esEnforceBootstrapChecks = System.getProperty(ES_ENFORCE_BOOTSTRAP_CHECKS);
final boolean enforceBootstrapChecks;
if (esEnforceBootstrapChecks == null) {
enforceBootstrapChecks = false;
} else if (Boolean.TRUE.toString().equals(esEnforceBootstrapChecks)) {
enforceBootstrapChecks = true;
} else {
final String message =
String.format(
Locale.ROOT,
"[%s] must be [true] but was [%s]",
ES_ENFORCE_BOOTSTRAP_CHECKS,
esEnforceBootstrapChecks);
throw new IllegalArgumentException(message);
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
if (enforceLimits) {
Only bind loopback addresses when binding to local * Only bind loopback addresses when binding to local Today when binding to local (the default) we bind to any address that is a loopback address, or any address on an interface that declares itself as a loopback interface. Yet, not all addresses on loopback interfaces are loopback addresses. This arises on macOS where there is a link-local address assigned to the loopback interface (fe80::1%lo0) and in Docker services where virtual IPs of the service are assigned to the loopback interface (docker/libnetwork#1877). These situations cause problems: - because we do not handle the scope ID of a link-local address, we end up bound to an address for which publishing of that address does not allow that address to be reached (since we drop the scope) - the virtual IPs in the Docker situation are not loopback addresses, they are not link-local addresses, so we end up bound to interfaces that cause the bootstrap checks to be enforced even though the instance is only bound to local We address this by only binding to actual loopback addresses, and skip binding to any address on a loopback interface that is not a loopback address. This lets us simplify some code where in the bootstrap checks we were skipping link-local addresses, and in writing the ports file where we had to skip link-local addresses because again the formatting of them does not allow them to be connected to by another node (to be clear, they could be connected to via the scope-qualified address, but that information is not written out). Relates #28029
2018-01-02 07:04:09 -05:00
logger.info("bound or publishing to a non-loopback address, enforcing bootstrap checks");
Enable explicitly enforcing bootstrap checks This commit adds a system property that enables end-users to explicitly enforce the bootstrap checks, independently of the binding of the transport protocol. This can be useful for single-node production systems that do not bind the transport protocol (and thus the bootstrap checks would not be enforced). Relates #23585
2017-03-15 10:36:17 -07:00
} else if (enforceBootstrapChecks) {
logger.info("explicitly enforcing bootstrap checks");
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
for (final BootstrapCheck check : checks) {
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
final BootstrapCheck.BootstrapCheckResult result = check.check(context);
if (result.isFailure()) {
Enable explicitly enforcing bootstrap checks This commit adds a system property that enables end-users to explicitly enforce the bootstrap checks, independently of the binding of the transport protocol. This can be useful for single-node production systems that do not bind the transport protocol (and thus the bootstrap checks would not be enforced). Relates #23585
2017-03-15 10:36:17 -07:00
if (!(enforceLimits || enforceBootstrapChecks) && !check.alwaysEnforce()) {
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
ignoredErrors.add(result.getMessage());
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
} else {
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
errors.add(result.getMessage());
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
}
}
if (!ignoredErrors.isEmpty()) {
ignoredErrors.forEach(error -> log(logger, error));
}
if (!errors.isEmpty()) {
final List<String> messages = new ArrayList<>(1 + errors.size());
Improve bootstrap checks error messages When multiple bootstrap checks fail, it's not clear where one error message begins and the next error message ends. This commit numbers the bootstrap check error messages so they are easier to read. Relates #24548
2017-05-08 12:32:57 -04:00
messages.add("[" + errors.size() + "] bootstrap checks failed");
for (int i = 0; i < errors.size(); i++) {
messages.add("[" + (i + 1) + "]: " + errors.get(i));
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
final NodeValidationException ne = new NodeValidationException(String.join("\n", messages));
errors.stream().map(IllegalStateException::new).forEach(ne::addSuppressed);
throw ne;
}
}
static void log(final Logger logger, final String error) {
logger.warn(error);
}
/**
* Tests if the checks should be enforced.
*
* @param boundTransportAddress the node network bindings
Fix Javadocs for BootstrapChecks#enforceLimits This commit adds a description for a parameter that was added to BootstrapChecks#enforceLimits(BoundTransportAddress, String) without the Javadocs having been updated.
2017-04-04 09:42:19 -04:00
* @param discoveryType the discovery type
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
* @return {@code true} if the checks should be enforced
*/
Disable bootstrap checks for single-node discovery While there are use-cases where a single-node is in production, there are also use-cases for starting a single-node that binds transport to an external interface where the node is not in production (for example, for testing the transport client against a node started in a Docker container). It's tricky to balance the desire to always enforce the bootstrap checks when a node might be in production with the need for the community to perform testing in situations that would trip the bootstrap checks. This commit enables some flexibility for these users. By setting the discovery type to "single-node", we disable the bootstrap checks independently of how transport is bound. While this sounds like a hole in the bootstrap checks, the bootstrap checks can already be avoided in the single-node use-case by binding only HTTP but not transport. For users that are genuinely in production on a single-node use-case with transport bound to an external use-case, they can set the system property "es.enable.bootstrap.checks" to force running the bootstrap checks. It would be a mistake for them not to do this. Relates #23598
2017-04-04 09:39:04 -04:00
static boolean enforceLimits(final BoundTransportAddress boundTransportAddress, final String discoveryType) {
Only bind loopback addresses when binding to local * Only bind loopback addresses when binding to local Today when binding to local (the default) we bind to any address that is a loopback address, or any address on an interface that declares itself as a loopback interface. Yet, not all addresses on loopback interfaces are loopback addresses. This arises on macOS where there is a link-local address assigned to the loopback interface (fe80::1%lo0) and in Docker services where virtual IPs of the service are assigned to the loopback interface (docker/libnetwork#1877). These situations cause problems: - because we do not handle the scope ID of a link-local address, we end up bound to an address for which publishing of that address does not allow that address to be reached (since we drop the scope) - the virtual IPs in the Docker situation are not loopback addresses, they are not link-local addresses, so we end up bound to interfaces that cause the bootstrap checks to be enforced even though the instance is only bound to local We address this by only binding to actual loopback addresses, and skip binding to any address on a loopback interface that is not a loopback address. This lets us simplify some code where in the bootstrap checks we were skipping link-local addresses, and in writing the ports file where we had to skip link-local addresses because again the formatting of them does not allow them to be connected to by another node (to be clear, they could be connected to via the scope-qualified address, but that information is not written out). Relates #28029
2018-01-02 07:04:09 -05:00
final Predicate<TransportAddress> isLoopbackAddress = t -> t.address().getAddress().isLoopbackAddress();
Disable bootstrap checks for single-node discovery While there are use-cases where a single-node is in production, there are also use-cases for starting a single-node that binds transport to an external interface where the node is not in production (for example, for testing the transport client against a node started in a Docker container). It's tricky to balance the desire to always enforce the bootstrap checks when a node might be in production with the need for the community to perform testing in situations that would trip the bootstrap checks. This commit enables some flexibility for these users. By setting the discovery type to "single-node", we disable the bootstrap checks independently of how transport is bound. While this sounds like a hole in the bootstrap checks, the bootstrap checks can already be avoided in the single-node use-case by binding only HTTP but not transport. For users that are genuinely in production on a single-node use-case with transport bound to an external use-case, they can set the system property "es.enable.bootstrap.checks" to force running the bootstrap checks. It would be a mistake for them not to do this. Relates #23598
2017-04-04 09:39:04 -04:00
final boolean bound =
Only bind loopback addresses when binding to local * Only bind loopback addresses when binding to local Today when binding to local (the default) we bind to any address that is a loopback address, or any address on an interface that declares itself as a loopback interface. Yet, not all addresses on loopback interfaces are loopback addresses. This arises on macOS where there is a link-local address assigned to the loopback interface (fe80::1%lo0) and in Docker services where virtual IPs of the service are assigned to the loopback interface (docker/libnetwork#1877). These situations cause problems: - because we do not handle the scope ID of a link-local address, we end up bound to an address for which publishing of that address does not allow that address to be reached (since we drop the scope) - the virtual IPs in the Docker situation are not loopback addresses, they are not link-local addresses, so we end up bound to interfaces that cause the bootstrap checks to be enforced even though the instance is only bound to local We address this by only binding to actual loopback addresses, and skip binding to any address on a loopback interface that is not a loopback address. This lets us simplify some code where in the bootstrap checks we were skipping link-local addresses, and in writing the ports file where we had to skip link-local addresses because again the formatting of them does not allow them to be connected to by another node (to be clear, they could be connected to via the scope-qualified address, but that information is not written out). Relates #28029
2018-01-02 07:04:09 -05:00
!(Arrays.stream(boundTransportAddress.boundAddresses()).allMatch(isLoopbackAddress) &&
isLoopbackAddress.test(boundTransportAddress.publishAddress()));
Disable bootstrap checks for single-node discovery While there are use-cases where a single-node is in production, there are also use-cases for starting a single-node that binds transport to an external interface where the node is not in production (for example, for testing the transport client against a node started in a Docker container). It's tricky to balance the desire to always enforce the bootstrap checks when a node might be in production with the need for the community to perform testing in situations that would trip the bootstrap checks. This commit enables some flexibility for these users. By setting the discovery type to "single-node", we disable the bootstrap checks independently of how transport is bound. While this sounds like a hole in the bootstrap checks, the bootstrap checks can already be avoided in the single-node use-case by binding only HTTP but not transport. For users that are genuinely in production on a single-node use-case with transport bound to an external use-case, they can set the system property "es.enable.bootstrap.checks" to force running the bootstrap checks. It would be a mistake for them not to do this. Relates #23598
2017-04-04 09:39:04 -04:00
return bound && !"single-node".equals(discoveryType);
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
// the list of checks to execute
Add BootstrapContext to expose settings and recovered state to bootstrap checks (#26628) This exposes the node settings and the persistent part of the cluster state to the bootstrap checks to allow plugins to enforce certain preconditions based on the recovered state.
2017-09-13 22:14:17 +02:00
static List<BootstrapCheck> checks() {
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
final List<BootstrapCheck> checks = new ArrayList<>();
checks.add(new HeapSizeCheck());
final FileDescriptorCheck fileDescriptorCheck
= Constants.MAC_OS_X ? new OsXFileDescriptorCheck() : new FileDescriptorCheck();
checks.add(fileDescriptorCheck);
Add BootstrapContext to expose settings and recovered state to bootstrap checks (#26628) This exposes the node settings and the persistent part of the cluster state to the bootstrap checks to allow plugins to enforce certain preconditions based on the recovered state.
2017-09-13 22:14:17 +02:00
checks.add(new MlockallCheck());
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
if (Constants.LINUX) {
checks.add(new MaxNumberOfThreadsCheck());
}
if (Constants.LINUX || Constants.MAC_OS_X) {
checks.add(new MaxSizeVirtualMemoryCheck());
}
Add max file size bootstrap check This commit adds a bootstrap check for the maximum file size, and ensures the limit is set correctly when Elasticsearch is installed as a service on systemd-based systems. Relates #25974
2017-07-31 21:01:47 +09:00
if (Constants.LINUX || Constants.MAC_OS_X) {
checks.add(new MaxFileSizeCheck());
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
if (Constants.LINUX) {
checks.add(new MaxMapCountCheck());
}
checks.add(new ClientJvmCheck());
checks.add(new UseSerialGCCheck());
Add BootstrapContext to expose settings and recovered state to bootstrap checks (#26628) This exposes the node settings and the persistent part of the cluster state to the bootstrap checks to allow plugins to enforce certain preconditions based on the recovered state.
2017-09-13 22:14:17 +02:00
checks.add(new SystemCallFilterCheck());
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
checks.add(new OnErrorCheck());
checks.add(new OnOutOfMemoryErrorCheck());
Add early-access check The OpenJDK project provides early-access builds of upcoming releases. These early-access builds are not suitable for production. These builds sometimes end up on systems due to aggressive packaging (e.g., Ubuntu). This commit adds a bootstrap check to ensure these early-access builds are not being used in production. Relates #23743
2017-03-24 14:52:50 -04:00
checks.add(new EarlyAccessCheck());
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
checks.add(new G1GCCheck());
Forbid granting the all permission in production Running with the all permission java.security.AllPermission granted is equivalent to disabling the security manager. This commit adds a bootstrap check that forbids running with this permission granted. Relates #27548
2017-11-27 16:05:27 -05:00
checks.add(new AllPermissionCheck());
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
return Collections.unmodifiableList(checks);
}
static class HeapSizeCheck implements BootstrapCheck {
@Override
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
public BootstrapCheckResult check(BootstrapContext context) {
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
final long initialHeapSize = getInitialHeapSize();
final long maxHeapSize = getMaxHeapSize();
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
if (initialHeapSize != 0 && maxHeapSize != 0 && initialHeapSize != maxHeapSize) {
final String message = String.format(
Locale.ROOT,
"initial heap size [%d] not equal to maximum heap size [%d]; " +
"this can cause resize pauses and prevents mlockall from locking the entire heap",
getInitialHeapSize(),
getMaxHeapSize());
return BootstrapCheckResult.failure(message);
} else {
return BootstrapCheckResult.success();
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
// visible for testing
long getInitialHeapSize() {
return JvmInfo.jvmInfo().getConfiguredInitialHeapSize();
}
// visible for testing
long getMaxHeapSize() {
return JvmInfo.jvmInfo().getConfiguredMaxHeapSize();
}
}
static class OsXFileDescriptorCheck extends FileDescriptorCheck {
Upgrade checkstyle to version 7.5 This commit upgrades the checkstyle configuration from version 5.9 to version 7.5, the latest version as of today. The main enhancement obtained via this upgrade is better detection of redundant modifiers. Relates #22960
2017-02-03 09:46:44 -05:00
OsXFileDescriptorCheck() {
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
// see constant OPEN_MAX defined in
// /usr/include/sys/syslimits.h on OS X and its use in JVM
// initialization in int os:init_2(void) defined in the JVM
// code for BSD (contains OS X)
super(10240);
}
}
static class FileDescriptorCheck implements BootstrapCheck {
private final int limit;
FileDescriptorCheck() {
this(1 << 16);
}
protected FileDescriptorCheck(final int limit) {
if (limit <= 0) {
throw new IllegalArgumentException("limit must be positive but was [" + limit + "]");
}
this.limit = limit;
}
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
public final BootstrapCheckResult check(BootstrapContext context) {
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
final long maxFileDescriptorCount = getMaxFileDescriptorCount();
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
if (maxFileDescriptorCount != -1 && maxFileDescriptorCount < limit) {
final String message = String.format(
Locale.ROOT,
"max file descriptors [%d] for elasticsearch process is too low, increase to at least [%d]",
getMaxFileDescriptorCount(),
limit);
return BootstrapCheckResult.failure(message);
} else {
return BootstrapCheckResult.success();
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
// visible for testing
long getMaxFileDescriptorCount() {
return ProcessProbe.getInstance().getMaxFileDescriptorCount();
}
}
static class MlockallCheck implements BootstrapCheck {
@Override
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
public BootstrapCheckResult check(BootstrapContext context) {
if (BootstrapSettings.MEMORY_LOCK_SETTING.get(context.settings) && !isMemoryLocked()) {
return BootstrapCheckResult.failure("memory locking requested for elasticsearch process but memory is not locked");
} else {
return BootstrapCheckResult.success();
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
// visible for testing
boolean isMemoryLocked() {
return Natives.isMemoryLocked();
}
}
static class MaxNumberOfThreadsCheck implements BootstrapCheck {
// this should be plenty for machines up to 256 cores
Make a few class level fields static This commit converts some final constant instance fields to class fields.
2017-05-12 04:44:31 +02:00
private static final long MAX_NUMBER_OF_THREADS_THRESHOLD = 1 << 12;
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
@Override
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
public BootstrapCheckResult check(BootstrapContext context) {
if (getMaxNumberOfThreads() != -1 && getMaxNumberOfThreads() < MAX_NUMBER_OF_THREADS_THRESHOLD) {
final String message = String.format(
Locale.ROOT,
"max number of threads [%d] for user [%s] is too low, increase to at least [%d]",
getMaxNumberOfThreads(),
BootstrapInfo.getSystemProperties().get("user.name"),
MAX_NUMBER_OF_THREADS_THRESHOLD);
return BootstrapCheckResult.failure(message);
} else {
return BootstrapCheckResult.success();
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
// visible for testing
long getMaxNumberOfThreads() {
return JNANatives.MAX_NUMBER_OF_THREADS;
}
}
static class MaxSizeVirtualMemoryCheck implements BootstrapCheck {
@Override
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
public BootstrapCheckResult check(BootstrapContext context) {
if (getMaxSizeVirtualMemory() != Long.MIN_VALUE && getMaxSizeVirtualMemory() != getRlimInfinity()) {
final String message = String.format(
Locale.ROOT,
"max size virtual memory [%d] for user [%s] is too low, increase to [unlimited]",
getMaxSizeVirtualMemory(),
BootstrapInfo.getSystemProperties().get("user.name"));
return BootstrapCheckResult.failure(message);
} else {
return BootstrapCheckResult.success();
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
// visible for testing
long getRlimInfinity() {
return JNACLibrary.RLIM_INFINITY;
}
// visible for testing
long getMaxSizeVirtualMemory() {
return JNANatives.MAX_SIZE_VIRTUAL_MEMORY;
}
}
Add max file size bootstrap check This commit adds a bootstrap check for the maximum file size, and ensures the limit is set correctly when Elasticsearch is installed as a service on systemd-based systems. Relates #25974
2017-07-31 21:01:47 +09:00
/**
* Bootstrap check that the maximum file size is unlimited (otherwise Elasticsearch could run in to an I/O exception writing files).
*/
static class MaxFileSizeCheck implements BootstrapCheck {
@Override
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
public BootstrapCheckResult check(BootstrapContext context) {
Add max file size bootstrap check This commit adds a bootstrap check for the maximum file size, and ensures the limit is set correctly when Elasticsearch is installed as a service on systemd-based systems. Relates #25974
2017-07-31 21:01:47 +09:00
final long maxFileSize = getMaxFileSize();
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
if (maxFileSize != Long.MIN_VALUE && maxFileSize != getRlimInfinity()) {
final String message = String.format(
Locale.ROOT,
"max file size [%d] for user [%s] is too low, increase to [unlimited]",
getMaxFileSize(),
BootstrapInfo.getSystemProperties().get("user.name"));
return BootstrapCheckResult.failure(message);
} else {
return BootstrapCheckResult.success();
}
Add max file size bootstrap check This commit adds a bootstrap check for the maximum file size, and ensures the limit is set correctly when Elasticsearch is installed as a service on systemd-based systems. Relates #25974
2017-07-31 21:01:47 +09:00
}
long getRlimInfinity() {
return JNACLibrary.RLIM_INFINITY;
}
long getMaxFileSize() {
return JNANatives.MAX_FILE_SIZE;
}
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
static class MaxMapCountCheck implements BootstrapCheck {
Enable avoiding mmap bootstrap check (#32421) The maximum map count boostrap check can be a hindrance to users that do not own the underlying platform on which they are executing Elasticsearch. This is because addressing it requires tuning the kernel and a platform provider might now allow this, especially on shared infrastructure. However, this bootstrap check is not needed if mmapfs is not in use. Today we do not have a way for the user to communicate that they are not going to use mmapfs. This commit therefore adds a setting that enables the user to disallow mmapfs. When mmapfs is disallowed, the maximum map count bootstrap check is not enforced. Additionally, we fallback to a different default index store and prevent the explicit use of mmapfs for an index.
2018-08-21 11:02:25 -04:00
static final long LIMIT = 1 << 18;
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
@Override
Enable avoiding mmap bootstrap check (#32421) The maximum map count boostrap check can be a hindrance to users that do not own the underlying platform on which they are executing Elasticsearch. This is because addressing it requires tuning the kernel and a platform provider might now allow this, especially on shared infrastructure. However, this bootstrap check is not needed if mmapfs is not in use. Today we do not have a way for the user to communicate that they are not going to use mmapfs. This commit therefore adds a setting that enables the user to disallow mmapfs. When mmapfs is disallowed, the maximum map count bootstrap check is not enforced. Additionally, we fallback to a different default index store and prevent the explicit use of mmapfs for an index.
2018-08-21 11:02:25 -04:00
public BootstrapCheckResult check(final BootstrapContext context) {
// we only enforce the check if mmapfs is an allowed store type
if (IndexModule.NODE_STORE_ALLOW_MMAPFS.get(context.settings)) {
if (getMaxMapCount() != -1 && getMaxMapCount() < LIMIT) {
final String message = String.format(
Locale.ROOT,
"max virtual memory areas vm.max_map_count [%d] is too low, increase to at least [%d]",
getMaxMapCount(),
LIMIT);
return BootstrapCheckResult.failure(message);
} else {
return BootstrapCheckResult.success();
}
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
} else {
return BootstrapCheckResult.success();
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
// visible for testing
long getMaxMapCount() {
return getMaxMapCount(Loggers.getLogger(BootstrapChecks.class));
}
// visible for testing
long getMaxMapCount(Logger logger) {
final Path path = getProcSysVmMaxMapCountPath();
Upgrade checkstyle to version 7.5 This commit upgrades the checkstyle configuration from version 5.9 to version 7.5, the latest version as of today. The main enhancement obtained via this upgrade is better detection of redundant modifiers. Relates #22960
2017-02-03 09:46:44 -05:00
try (BufferedReader bufferedReader = getBufferedReader(path)) {
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
final String rawProcSysVmMaxMapCount = readProcSysVmMaxMapCount(bufferedReader);
if (rawProcSysVmMaxMapCount != null) {
try {
return parseProcSysVmMaxMapCount(rawProcSysVmMaxMapCount);
} catch (final NumberFormatException e) {
Remove type casts in logging in server component (#28807) This commit removes type-casts in logging in the server component (other components will be done later). This also adds a parameterized message test which would catch breaking-changes related to lambdas in Log4J.
2018-03-23 07:35:50 -04:00
logger.warn(() -> new ParameterizedMessage("unable to parse vm.max_map_count [{}]", rawProcSysVmMaxMapCount), e);
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
}
} catch (final IOException e) {
Remove type casts in logging in server component (#28807) This commit removes type-casts in logging in the server component (other components will be done later). This also adds a parameterized message test which would catch breaking-changes related to lambdas in Log4J.
2018-03-23 07:35:50 -04:00
logger.warn(() -> new ParameterizedMessage("I/O exception while trying to read [{}]", path), e);
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
return -1;
}
@SuppressForbidden(reason = "access /proc/sys/vm/max_map_count")
private Path getProcSysVmMaxMapCountPath() {
return PathUtils.get("/proc/sys/vm/max_map_count");
}
// visible for testing
BufferedReader getBufferedReader(final Path path) throws IOException {
return Files.newBufferedReader(path);
}
// visible for testing
String readProcSysVmMaxMapCount(final BufferedReader bufferedReader) throws IOException {
return bufferedReader.readLine();
}
// visible for testing
long parseProcSysVmMaxMapCount(final String procSysVmMaxMapCount) throws NumberFormatException {
return Long.parseLong(procSysVmMaxMapCount);
}
}
static class ClientJvmCheck implements BootstrapCheck {
@Override
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
public BootstrapCheckResult check(BootstrapContext context) {
if (getVmName().toLowerCase(Locale.ROOT).contains("client")) {
final String message = String.format(
Locale.ROOT,
"JVM is using the client VM [%s] but should be using a server VM for the best performance",
getVmName());
return BootstrapCheckResult.failure(message);
} else {
return BootstrapCheckResult.success();
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
// visible for testing
String getVmName() {
return JvmInfo.jvmInfo().getVmName();
}
}
/**
* Checks if the serial collector is in use. This collector is single-threaded and devastating
* for performance and should not be used for a server application like Elasticsearch.
*/
static class UseSerialGCCheck implements BootstrapCheck {
@Override
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
public BootstrapCheckResult check(BootstrapContext context) {
if (getUseSerialGC().equals("true")) {
final String message = String.format(
Locale.ROOT,
"JVM is using the serial collector but should not be for the best performance; " +
"either it's the default for the VM [%s] or -XX:+UseSerialGC was explicitly specified",
JvmInfo.jvmInfo().getVmName());
return BootstrapCheckResult.failure(message);
} else {
return BootstrapCheckResult.success();
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
// visible for testing
String getUseSerialGC() {
return JvmInfo.jvmInfo().useSerialGC();
}
}
/**
* Bootstrap check that if system call filters are enabled, then system call filters must have installed successfully.
*/
static class SystemCallFilterCheck implements BootstrapCheck {
@Override
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
public BootstrapCheckResult check(BootstrapContext context) {
if (BootstrapSettings.SYSTEM_CALL_FILTER_SETTING.get(context.settings) && !isSystemCallFilterInstalled()) {
final String message = "system call filters failed to install; " +
"check the logs and fix your configuration or disable system call filters at your own risk";
return BootstrapCheckResult.failure(message);
} else {
return BootstrapCheckResult.success();
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
// visible for testing
Refer to system call filter instead of seccomp Today in the codebase we refer to seccomp everywhere instead of system call filter even if we are not specifically referring to Linux. This commit is a purely mechanical change to refer to system call filter where appropriate instead of the general seccomp, and only leaves seccomp in place when actually referring to the Linux implementation. Relates #22243
2016-12-16 18:30:19 -05:00
boolean isSystemCallFilterInstalled() {
return Natives.isSystemCallFilterInstalled();
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
}
abstract static class MightForkCheck implements BootstrapCheck {
@Override
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
public BootstrapCheckResult check(BootstrapContext context) {
if (isSystemCallFilterInstalled() && mightFork()) {
return BootstrapCheckResult.failure(message(context));
} else {
return BootstrapCheckResult.success();
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
abstract String message(BootstrapContext context);
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
// visible for testing
Refer to system call filter instead of seccomp Today in the codebase we refer to seccomp everywhere instead of system call filter even if we are not specifically referring to Linux. This commit is a purely mechanical change to refer to system call filter where appropriate instead of the general seccomp, and only leaves seccomp in place when actually referring to the Linux implementation. Relates #22243
2016-12-16 18:30:19 -05:00
boolean isSystemCallFilterInstalled() {
return Natives.isSystemCallFilterInstalled();
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
// visible for testing
abstract boolean mightFork();
@Override
public final boolean alwaysEnforce() {
return true;
}
}
static class OnErrorCheck extends MightForkCheck {
@Override
boolean mightFork() {
final String onError = onError();
return onError != null && !onError.equals("");
}
// visible for testing
String onError() {
return JvmInfo.jvmInfo().onError();
}
@Override
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
String message(BootstrapContext context) {
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
return String.format(
Locale.ROOT,
"OnError [%s] requires forking but is prevented by system call filters ([%s=true]);" +
" upgrade to at least Java 8u92 and use ExitOnOutOfMemoryError",
onError(),
Rename bootstrap.seccomp to bootstrap.system_call_filter We try to install a system call filter on various operating systems (Linux, macOS, BSD, Solaris, and Windows) but the setting (bootstrap.seccomp) to control this is named after the Linux implementation (seccomp). This commit replaces this setting with bootstrap.system_call_filter. For backwards compatibility reasons, we fallback to bootstrap.seccomp and log a deprecation message if bootstrap.seccomp is set. We intend to remove this fallback in 6.0.0. Note that now is the time to make this change it's likely that most users are not making this setting anyway as prior to version 5.2.0 (currently unreleased) it was not necessary to configure anything to enable a node to start up if the system call filter failed to install (we marched on anyway) but starting in 5.2.0 it will be necessary in this case. Relates #22226
2016-12-16 18:20:11 -05:00
BootstrapSettings.SYSTEM_CALL_FILTER_SETTING.getKey());
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
}
static class OnOutOfMemoryErrorCheck extends MightForkCheck {
@Override
boolean mightFork() {
final String onOutOfMemoryError = onOutOfMemoryError();
return onOutOfMemoryError != null && !onOutOfMemoryError.equals("");
}
// visible for testing
String onOutOfMemoryError() {
return JvmInfo.jvmInfo().onOutOfMemoryError();
}
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
String message(BootstrapContext context) {
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
return String.format(
Locale.ROOT,
"OnOutOfMemoryError [%s] requires forking but is prevented by system call filters ([%s=true]);" +
" upgrade to at least Java 8u92 and use ExitOnOutOfMemoryError",
onOutOfMemoryError(),
Rename bootstrap.seccomp to bootstrap.system_call_filter We try to install a system call filter on various operating systems (Linux, macOS, BSD, Solaris, and Windows) but the setting (bootstrap.seccomp) to control this is named after the Linux implementation (seccomp). This commit replaces this setting with bootstrap.system_call_filter. For backwards compatibility reasons, we fallback to bootstrap.seccomp and log a deprecation message if bootstrap.seccomp is set. We intend to remove this fallback in 6.0.0. Note that now is the time to make this change it's likely that most users are not making this setting anyway as prior to version 5.2.0 (currently unreleased) it was not necessary to configure anything to enable a node to start up if the system call filter failed to install (we marched on anyway) but starting in 5.2.0 it will be necessary in this case. Relates #22226
2016-12-16 18:20:11 -05:00
BootstrapSettings.SYSTEM_CALL_FILTER_SETTING.getKey());
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
}
Add early-access check The OpenJDK project provides early-access builds of upcoming releases. These early-access builds are not suitable for production. These builds sometimes end up on systems due to aggressive packaging (e.g., Ubuntu). This commit adds a bootstrap check to ensure these early-access builds are not being used in production. Relates #23743
2017-03-24 14:52:50 -04:00
/**
* Bootstrap check for early-access builds from OpenJDK.
*/
static class EarlyAccessCheck implements BootstrapCheck {
@Override
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
public BootstrapCheckResult check(BootstrapContext context) {
final String javaVersion = javaVersion();
if ("Oracle Corporation".equals(jvmVendor()) && javaVersion.endsWith("-ea")) {
final String message = String.format(
Locale.ROOT,
"Java version [%s] is an early-access build, only use release builds",
javaVersion);
return BootstrapCheckResult.failure(message);
} else {
return BootstrapCheckResult.success();
}
Add early-access check The OpenJDK project provides early-access builds of upcoming releases. These early-access builds are not suitable for production. These builds sometimes end up on systems due to aggressive packaging (e.g., Ubuntu). This commit adds a bootstrap check to ensure these early-access builds are not being used in production. Relates #23743
2017-03-24 14:52:50 -04:00
}
String jvmVendor() {
return Constants.JVM_VENDOR;
}
String javaVersion() {
return Constants.JAVA_VERSION;
}
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
/**
* Bootstrap check for versions of HotSpot that are known to have issues that can lead to index corruption when G1GC is enabled.
*/
static class G1GCCheck implements BootstrapCheck {
@Override
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
public BootstrapCheckResult check(BootstrapContext context) {
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
if ("Oracle Corporation".equals(jvmVendor()) && isJava8() && isG1GCEnabled()) {
final String jvmVersion = jvmVersion();
// HotSpot versions on Java 8 match this regular expression; note that this changes with Java 9 after JEP-223
final Pattern pattern = Pattern.compile("(\\d+)\\.(\\d+)-b\\d+");
final Matcher matcher = pattern.matcher(jvmVersion);
final boolean matches = matcher.matches();
assert matches : jvmVersion;
final int major = Integer.parseInt(matcher.group(1));
final int update = Integer.parseInt(matcher.group(2));
// HotSpot versions for Java 8 have major version 25, the bad versions are all versions prior to update 40
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
if (major == 25 && update < 40) {
final String message = String.format(
Locale.ROOT,
"JVM version [%s] can cause data corruption when used with G1GC; upgrade to at least Java 8u40", jvmVersion);
return BootstrapCheckResult.failure(message);
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
Refactor bootstrap check results and error messages This commit refactors the bootstrap checks into a single result object that encapsulates whether or not the check passed, and a failure message if the check failed. This simpifies the checks, and enables the messages to more easily be based on the state used to discern whether or not the check passed. Relates #26637
2017-09-13 21:30:27 -04:00
return BootstrapCheckResult.success();
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
// visible for testing
String jvmVendor() {
return Constants.JVM_VENDOR;
}
// visible for testing
boolean isG1GCEnabled() {
assert "Oracle Corporation".equals(jvmVendor());
return JvmInfo.jvmInfo().useG1GC().equals("true");
}
// visible for testing
String jvmVersion() {
assert "Oracle Corporation".equals(jvmVendor());
return Constants.JVM_VERSION;
}
// visible for testing
boolean isJava8() {
assert "Oracle Corporation".equals(jvmVendor());
return JavaVersion.current().equals(JavaVersion.parse("1.8"));
}
}
Forbid granting the all permission in production Running with the all permission java.security.AllPermission granted is equivalent to disabling the security manager. This commit adds a bootstrap check that forbids running with this permission granted. Relates #27548
2017-11-27 16:05:27 -05:00
static class AllPermissionCheck implements BootstrapCheck {
@Override
public final BootstrapCheckResult check(BootstrapContext context) {
if (isAllPermissionGranted()) {
return BootstrapCheck.BootstrapCheckResult.failure("granting the all permission effectively disables security");
}
return BootstrapCheckResult.success();
}
boolean isAllPermissionGranted() {
final SecurityManager sm = System.getSecurityManager();
assert sm != null;
try {
sm.checkPermission(new AllPermission());
} catch (final SecurityException e) {
return false;
}
return true;
}
}
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
}
Reference in New Issue Copy Permalink